Enabling Linux Online Encryption with the CLI

To enable Online Encryption for Linux disks, you need to install the HTCrypt Driver on the VM hosting those disks. During this process, the VM may need to be rebooted if the Linux kernel on the VM needs to be updated in order to install the required packages.

You only need to perform this procedure once for each Linux VM. After the HTCrypt Driver has been installed, the Policy Agent will automatically use it every time it encrypts, decrypts, or rekeys a disk on that VM.

Note: You cannot use Online Encryption if there is an Access Control Policy associated with the VM. If you enable the HTCrypt Driver and apply an Access Control Policy to the disk, online encryption will fail.

The following procedure describes how to install the HTCrypt Driver for the first time using the CLI. You can also install the driver using the KeyControl webGUI as described in Enabling Linux Online Encryption with the webGUI. If your Linux kernel version has changed, see Updating the HTCrypt Kernel Dependencies.

Before You Begin

Make sure the VM meets the requirements described in Linux Encryption Prerequisites and Linux Online Encryption Prerequisites and Considerations.

Procedure

  1. Log into the VM as root.
  2. If you want to verify that the HTCrypt Driver is not already installed, use the hcl status command. For example:

    # hcl status
    
    Summary
    --------------------------------------------------------------------------------
    KeyControl: 10.238.66.235:443
    KeyControl list: 10.238.66.235:443
    Status: Connected
    Last heartbeat: Wed Mar 21 12:48:19 2018 (successful)
    AES_NI: enabled
    Certificate Expiration: Sep 11 22:16:13 2020 GMT
    HTCRYPT: Not Installed

    If the HTCRYPT line reads enabled, the HTCrypt Driver has already been installed on this VM and you can skip the rest of this procedure.

  3. To make sure the proper dependencies are installed, enter the htdrv prepare command. For example:

    # htdrv prepare
    Preparing system for HyTrust encryption driver installation
    Loaded plugins: fastestmirror, langpacks
    Loading mirror speeds from cached hostfile
     * base: mirrors.sonic.net
     * epel: mirror.beyondhosting.net
    ...
    DKMS: install completed.

    The script goes through the dependency list, installing or updating the required packages as needed. If it cannot install the required packages for the current kernel, it updates the kernel and prompts you to reboot the VM. Rebooting is not necessary unless you are prompted to do so by the script.

  4. If prompted, reboot the VM and then enter the htdrv prepare command again to install the required packages on the updated kernel.

    Note: If the Linux kernel version changes on this VM after you install the HTCrypt Driver, you need to update the kernel-devel and kernel-headers dependencies to match the new version. For details, see Updating the HTCrypt Kernel Dependencies.

  5. Install the HTCrypt Driver RPM by entering the command rpm -ivh /opt/hcs/drivers/htcrypt-5.2-buildnum.noarch.rpm, where buildnum is the build number that you are installing. For example:

    # rpm -ivh htcrypt-5.2-12345M.noarch.rpm
    Preparing...                          ################################# [100%]
    Updating / installing...
       1:htcrypt-5.2-12345M               ################################# [100%]
    Loading new htcrypt-5.2 DKMS files...
    Building for 3.10.0-693.17.1.el7.x86_64
    Building initial module for 3.10.0-693.17.1.el7.x86_64
    Done.
    
    htcrypt:
    Running module version sanity check.
     - Original module
       - No original module exists within this kernel
     - Installation
       - Installing to /lib/modules/3.10.0-693.17.1.el7.x86_64/extra/
    
    depmod....
    
    Backing up initramfs-3.10.0-693.17.1.el7.x86_64.img to /boot/initramfs-3.10.0-693.17.1.el7.x86_64.img.old-dkms
    Making new initramfs-3.10.0-693.17.1.el7.x86_64.img
    (If next boot fails, revert to initramfs-3.10.0-693.17.1.el7.x86_64.img.old-dkms image)
    dracut...................
    
    DKMS: install completed.
    
    
  6. To verify that the installation succeeded, enter the hcl status command. For example:

    # hcl status
    
    Summary
    --------------------------------------------------------------------------------
    KeyControl: 10.238.66.235:443
    KeyControl list: 10.238.66.235:443
    Status: Connected
    Last heartbeat: Wed Mar 21 12:48:19 2019 (successful)
    AES_NI: enabled
    Certificate Expiration: Sep 11 22:16:13 2020 GMT
    HTCRYPT: enabled

    At this point, the HTCrypt Driver is installed but is not yet running on any disks that are currently attached.

  7. If the root or swap disk is encrypted on this VM, you need to reboot the VM to complete the installation process.

    If only data disks are encrypted on the VM, you can either reboot the VM or detach and then reattach all attached data disks to start the HTCrypt Driver on those disks. To detach and reattach the disks, use the hcl detach -a and hcl attach -a commands. For example:

    # hcl detach -a
    Encrypted device sdi7 detached; encrypted contents no longer visible
    Encrypted device sdi1 detached; encrypted contents no longer visible
    # hcl attach -a
    Encrypted device sdi7 (/dev/sdi7) attached; encrypted contents visible at /dev/mapper/clear_sdi7
    Encrypted device sdi1 (/dev/sdi1) attached; encrypted contents visible at /dev/mapper/clear_sdi1
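The procedure above, wrapped in one POSIX shell script. This is an added example and not part of HyTrust's own tooling: it parses the hcl status output to decide whether the driver is already installed (step 2), runs htdrv prepare and the RPM install (steps 3 and 5), and re-checks the status afterwards (step 6). It assumes the hcl, htdrv and rpm commands and the /opt/hcs/drivers path exactly as shown on this page; the embedded status text is a constructed sample modelled on the page's output, and the install argument and script name are the wrapper's own conventions.

```shell
#!/bin/sh
# Added example (not HyTrust's own tooling): wrapper around the HTCrypt Driver
# install procedure. Assumes the hcl, htdrv and rpm commands and the
# /opt/hcs/drivers path as shown on the page.

# Print the value of a "Key: value" line from hcl status text read on stdin.
status_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Succeed when the status text says the driver is already installed (step 2).
htcrypt_installed() {
    [ "$(printf '%s\n' "$1" | status_field HTCRYPT)" = "enabled" ]
}

# Succeed when the Policy Agent reports a live KeyControl connection.
keycontrol_connected() {
    [ "$(printf '%s\n' "$1" | status_field Status)" = "Connected" ]
}

# Build the RPM path from a build number (step 5).
htcrypt_rpm_path() {
    printf '/opt/hcs/drivers/htcrypt-5.2-%s.noarch.rpm\n' "$1"
}

# Steps 3, 5 and 6: prepare, install, verify. Stops at the first failure.
# A reboot requested by "htdrv prepare" is left to the operator: reboot and
# run this wrapper again, as step 4 describes.
install_htcrypt() {
    buildnum=$1
    before=$(hcl status) || { echo "hcl status failed" >&2; return 1; }
    if ! keycontrol_connected "$before"; then
        echo "Policy Agent is not connected to KeyControl; fix that first" >&2
        return 1
    fi
    if htcrypt_installed "$before"; then
        echo "HTCrypt Driver already installed; nothing to do"
        return 0
    fi
    htdrv prepare || return 1
    rpm -ivh "$(htcrypt_rpm_path "$buildnum")" || return 1
    after=$(hcl status) || return 1
    if ! htcrypt_installed "$after"; then
        echo "HTCRYPT still not enabled after install; check the DKMS output" >&2
        return 1
    fi
    echo "HTCrypt Driver installed. Reboot if the root or swap disk is encrypted;"
    echo "otherwise run 'hcl detach -a' then 'hcl attach -a' for data disks (step 7)."
}

# Constructed sample, modelled on the page's hcl status output before installation.
SAMPLE_STATUS_BEFORE='Summary
--------------------------------------------------------------------------------
KeyControl: 10.238.66.235:443
KeyControl list: 10.238.66.235:443
Status: Connected
AES_NI: enabled
HTCRYPT: Not Installed'

# Run the real procedure only when asked explicitly:
#   sh htcrypt-install.sh install 12345M
if [ "${1:-}" = "install" ] && [ -n "${2:-}" ]; then
    install_htcrypt "$2"
fi
```

Run it as root on the VM with the build number you are installing; invoked without arguments it only defines the functions, so the status-parsing helpers can be exercised offline. The reboot that htdrv prepare may ask for is deliberately not automated, because the script cannot know whether the kernel it is preparing for is the one that will be running after the reboot.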

What to Do Next

If your system is set up with UEFI boot, see Configuring UEFI Secure Boot.