Linux Encryption Prerequisites

The following prerequisites apply to all types of Linux encryption, including data drive encryption and root, swap, or system device encryption in online or offline mode. If you want to enable Online Encryption for the VM, additional prerequisites are described in Linux Online Encryption Prerequisites and Considerations.

  • Make sure the Linux version you are using is supported. For details, see Supported Platforms.
  • If you intend to use this VM with a BoundaryControl-enabled Cloud VM Set, you must install a VMware-supported version of VMware Tools on the VM. For all other VMs, installing VMware Tools is recommended but not required. In all cases, we recommend that you keep the version of VMware Tools up to date.
  • If an entry for the Linux device you intend to encrypt already exists in the Filesystem Table (/etc/fstab), you need to remove that entry until the encryption process is complete and the HyTrust-created clear text path to the device is available. If you reboot the device after encryption with the /etc/fstab entry still pointing to the original device path, the system may hang because the encrypted version of the device will fail the filesystem check. For details, see Automatically Mounting Linux Filesystems.

  • We recommend that you partition the disk before it is encrypted. When DataControl encrypts a disk, it writes a private region at the start of the disk containing the information DataControl needs to identify which keys belong to which partition.

    For example, let's say you have two non-partitioned disks, /dev/sdb and /dev/sdc, where /dev/sdc is encrypted by DataControl. If you remove /dev/sdb and reboot the VM, /dev/sdc will be renamed /dev/sdb and the association between the keys and the disk will become invalid. At that point, access to the encrypted data will be lost.

    Now let's say you have the same setup as before, but you partition disk /dev/sdc and then encrypt the /dev/sdc1 partition. DataControl adds a UUID (Universally Unique Identifier) in the private area at the start of the /dev/sdc disk that associates the /dev/sdc1 partition with its encryption keys. When you remove /dev/sdb and reboot the VM, the encrypted partition /dev/sdc1 will be renamed /dev/sdb1, but the UUID does not change. In this case, DataControl can use the UUID to match the encryption keys to the partition, and the data remains accessible even after the partition name has changed.

    Important: If you want to resize a partition after you have encrypted it with DataControl, there are additional steps you need to take. For more information, see Disk Size Management in Linux.

  • Make sure the Linux VM has access to the following Linux packages and their dependencies:

    All Linux encryption (data drives and system devices):
      - device-mapper
      - OpenSSL
      - Python 2.7 or Python 3

    Linux root, swap, or system device encryption:
      - busybox
      - cryptsetup or cryptsetup-luks
      - dracut (RHEL and CentOS) or initramfs-tools (Ubuntu)
      - dracut-network
      - dropbear
      - EPEL-release
      - hashalot
      - OpenSUSE

    Note: If the server to be encrypted has external internet access, any missing package will be installed when you encrypt the root, swap, or system device. If the server is not connected to the internet, these packages must be fully installed before root/swap encryption begins or the encryption request will fail.

    Linux online encryption (data drives and system devices):
      - dkms
      - gcc
      - kernel-devel
      - kernel-headers

  • Beginning with Version 5.1, we support disk encryption for disks formatted with btrfs. If the root file system or a system mount (for example, /var, /usr, /etc) is btrfs and there are multiple disks for storage, only the first disk can be encrypted. The first disk will have an entry in /etc/fstab.

    Important: We recommend that you create btrfs on an MBR or GPT partition, not on a raw device. Raw devices are vulnerable to device name changes, which render the encrypted device unusable.
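A pre-flight script that checks the /etc/fstab, partitioning, and package prerequisites above before a device is handed to DataControl, as an added example that is not HyTrust's own tooling. It assumes a POSIX shell on the VM, that rpm or dpkg is the package manager, and that the caller passes the distribution's package names (the list above uses display names); the partition test is a device-name heuristic so it can run against constructed input, while on a live system the presence of /sys/class/block/<name>/partition is authoritative.

```shell
#!/bin/sh
# Pre-flight checks for the Linux encryption prerequisites (added example, not
# DataControl tooling). Assumes POSIX sh and rpm or dpkg for the package check.

# fstab prerequisite: no active /etc/fstab line may name DEV in its device field.
# Returns 0 when clear, 1 when an entry exists. $2 overrides the fstab path so
# the check can be run against a copy.
fstab_is_clear() {
  awk -v d="$1" '
    $0 !~ /^[[:space:]]*#/ && NF > 0 && $1 == d { found = 1 }
    END { exit found + 0 }' "${2:-/etc/fstab}"
}

# Partitioning prerequisite: encrypt a partition, not a whole raw disk, so the
# UUID in the private region survives a device rename. Name heuristic only:
# sdb1, vdb2, nvme0n1p3 are partitions; sdb, vdb, nvme0n1 are whole disks.
is_partition() {
  case "$1" in
    *nvme*p[0-9]*) return 0 ;;
    *nvme*)        return 1 ;;
    *[0-9])        return 0 ;;
    *)             return 1 ;;
  esac
}

# Package prerequisite: print each named package that is not installed.
missing_packages() {
  for p in "$@"; do
    if command -v rpm >/dev/null 2>&1; then
      rpm -q "$p" >/dev/null 2>&1 || echo "$p"
    elif command -v dpkg-query >/dev/null 2>&1; then
      dpkg-query -W -f='${Status}' "$p" 2>/dev/null | grep -q 'install ok installed' || echo "$p"
    else
      echo "$p (no rpm or dpkg found; check manually)"
    fi
  done
}

# Run all checks for one device; returns 1 if any prerequisite is not met.
preflight() {
  dev=$1 rc=0
  fstab_is_clear "$dev" || { echo "FAIL: /etc/fstab still references $dev; remove the entry until encryption completes"; rc=1; }
  is_partition "$dev"   || { echo "FAIL: $dev looks like a whole disk; partition it before encrypting"; rc=1; }
  missing=$(missing_packages device-mapper openssl | tr '\n' ' ')
  [ -z "$missing" ]     || { echo "FAIL: missing packages: $missing"; rc=1; }
  return "$rc"
}

if [ "$#" -ge 1 ]; then preflight "$1"; fi   # usage: sh preflight.sh /dev/sdc1
```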