Re-Authenticating a VM with an Encrypted Root Device or Boot Disk

Because encryption keys are never stored locally, a VM with an encrypted boot partition requires access to KeyControl when booting or the attempt will fail. If KeyControl is not available when the system is booted, the VM repeatedly attempts to contact KeyControl for 30 seconds. If contact cannot be established after that time, the VM presents a console menu with a number of options.

This procedure describes how to re-authenticate a Linux VM with an encrypted root device or a Windows VM with an encrypted boot disk using the console menu on the VM. If you want to re-authenticate a regular VM, see Re-Authenticating a Standard VM.

Note: The following procedure only works with root or boot-encrypted VMs because they continually try to reach KeyControl until they are authenticated. Regular VMs stop trying to contact KeyControl after a small number of attempts.

Procedure 

  1. Access the VM through your hypervisor.

    If you are unable to view the console directly, for example in environments such as Amazon Web Services (AWS), you can access the console using an SSH client. This requires the id_rsa key file generated during the Policy Agent installation. Copy the id_rsa file to the server and then reboot.

    Tip: If you need another copy of the id_rsa key file, you can download it from the KeyControl webGUI by selecting the VM on the Cloud > VMs tab and then selecting Actions > Download Bootloader SSH Key.

  2. The Policy Agent should automatically display the console when it has failed to authenticate with KeyControl for at least 30 seconds. From this console menu, select Authenticate for Linux or Reauthenticate for Windows.
  3. When prompted, enter a one time passphrase of exactly 16 alphanumeric characters that you can use to validate the reauthentication request in the KeyControl webGUI.

  4. Reauthenticate the VM using the KeyControl webGUI.

    1. Log into the KeyControl webGUI using an account with Cloud Admin privileges.
    2. In the top menu bar, click Cloud.
    3. Select the VM in the table and then select Actions > Authenticate.
    4. Enter the one-time passphrase at the prompt.
  5. Return to the VM and make sure that it can now communicate with KeyControl and the boot process succeeds.

  6. If reauthenticating the VM from the console does not work, you can try to rescue the authentication from the KeyControl webGUI. Rescue authentication can only be used on encrypted boot drives and it should only be used after you have tried reauthenticating from the console menu on the VM.

    To use rescue authentication, make sure the VM is selected in the webGUI then select Actions > Rescue Authentication. At the VM's next heartbeat, KeyControl authenticates the VM.