Linux Online Encryption Prerequisites and Considerations
By default, when you encrypt, rekey, or decrypt a Linux block device, the filesystem on that block device must be unmounted during the entire procedure, and the data is inaccessible until the procedure is finished. With Online Encryption:
- During the initial encryption phase, the filesystem only needs to be unmounted briefly while the Entrust DataControl Policy Agent switches the device over to the clear-text version it creates during the encryption process. After the device has been reattached on the clear-text version, the encryption process continues while the disk remains online and the data remains accessible.
- During any subsequent rekeys, the device remains online and the data remains accessible during the entire rekey process.
- During the decryption process, the data is decrypted dynamically and the device remains online and the data remains accessible. If you are decrypting a Linux system device (such as `/root`, `swap`, or `/home`), the device remains accessible after the decryption procedure is complete. If you are decrypting a Linux data drive, however, the data drive is automatically unmounted after the decryption is complete.

Note: The only exception to this is if a VM reboots while a Linux system device is being decrypted. In this case, when the VM finishes rebooting, the decryption process resumes in offline mode and the system device and its data will be inaccessible until decryption is complete. If the VM remains online during the entire decryption process, the data will be available the entire time.
Prerequisites
In order to enable Online Encryption, you need to install the HTCrypt Driver on each Linux VM whose disks you want to encrypt.
The HTCrypt Driver is a Dynamic Kernel Module Support (DKMS)-based package that requires the following:
- The VM must be running RHEL or CentOS 7.0 or later, or Ubuntu 20.04 or later.
- If the OS is RHEL or CentOS, the Linux kernel version must be 3.10.0-123 or later.
- If the OS is Ubuntu, the Linux kernel must be 5.4 or later.
- The following Linux packages must be installed:
  - `dkms` version 1.95 or later
  - `gcc`
  - `kernel-headers` (RHEL and CentOS)
  - `kernel-devel` (RHEL and CentOS)
  - `linux-headers-<kernel-version>` (Ubuntu)

For CentOS, the `kernel-headers` and `kernel-devel` packages can be installed through `yum` or from the CentOS Vault Repository at http://vault.centos.org.

Important: The version of the Linux kernel must be the same as the version of the `kernel-headers` and `kernel-devel` packages. If you update the Linux kernel, you must also update the version of these packages. For details, see Updating the HTCrypt Kernel Dependencies.

The Entrust DataControl Policy Agent includes a script that makes sure the required packages are installed and that they are all using the same version. You can run this script manually if you want to enable online encryption through the CLI, or you can let the Policy Agent take care of installing the required packages by enabling online encryption through the KeyControl webGUI. For details, see Enabling Linux Online Encryption with the CLI or Enabling Linux Online Encryption with the webGUI.
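The following is an added example, not the Policy Agent's own prerequisite script: a small POSIX shell check for the DKMS requirements listed above (minimum kernel per distribution family, `dkms` 1.95 or later, and header packages whose version matches the running kernel). The `rpm`/`dpkg-query` probes in `check_host` are assumptions about how a practitioner would read the installed versions; the comparison functions themselves are pure shell and awk.

```shell
#!/bin/sh
# Added example: verify HTCrypt Driver (DKMS) prerequisites on a Linux VM.

# version_ge A B: succeed when dotted/dashed version A >= B.
# Non-numeric fields (e.g. "el7", "generic") compare as 0.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0
      if (p > q) exit 0
      if (p < q) exit 1
    }
    exit 0 }'
}

# kernel_ok KVER FAMILY: minimum kernel is 3.10.0-123 (rhel) or 5.4 (ubuntu).
kernel_ok() {
  case "$2" in
    rhel)   version_ge "$1" "3.10.0-123" ;;
    ubuntu) version_ge "$1" "5.4" ;;
    *)      return 1 ;;
  esac
}

# dkms_ok DKMSVER: the page requires dkms 1.95 or later.
dkms_ok() { version_ge "$1" "1.95"; }

# headers_match KVER LIST: LIST is a newline-separated list of installed
# kernel-headers/kernel-devel versions; one must equal the running kernel exactly.
headers_match() { printf '%s\n' "$2" | grep -qxF -- "$1"; }

# check_host: probe the live system (assumed rpm/dpkg queries); exits 1 on failure.
check_host() {
  kver=$(uname -r)
  if [ -r /etc/redhat-release ]; then
    family=rhel
    hdrs=$(rpm -q kernel-headers kernel-devel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n')
    dkmsver=$(rpm -q dkms --qf '%{VERSION}')
  else
    family=ubuntu
    hdrs=$(dpkg-query -W -f='${Package}\n' "linux-headers-$kver" 2>/dev/null | sed "s/^linux-headers-//")
    dkmsver=$(dpkg-query -W -f='${Version}' dkms 2>/dev/null)
  fi
  kernel_ok "$kver" "$family"   || { echo "kernel $kver too old for $family"; exit 1; }
  dkms_ok "$dkmsver"            || { echo "dkms $dkmsver < 1.95"; exit 1; }
  headers_match "$kver" "$hdrs" || { echo "no header package matches $kver"; exit 1; }
  echo "prerequisites OK for kernel $kver"
}

[ "${1:-}" = "--check" ] && check_host
```

Run it as `sh htcrypt-prereqs.sh --check` on the VM; without `--check` it only defines the functions.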
Considerations
- When you install the HTCrypt Driver for the first time on a VM, you will need to detach and then reattach all currently attached block devices. If the root drive is already encrypted on the VM, the VM will need to be rebooted before Online Encryption is fully enabled for the VM.
- When you enter the `hcl encrypt`, `hcl rekey`, or `hcl decrypt` commands, the commands return immediately and the encryption or decryption process starts running in the background. You can use the `hcl status` command to monitor the progress of these commands.
- Online Encryption does not support encrypting, rekeying, or decrypting only the allocated blocks on the VM. Therefore you cannot use the `-s` option with the `hcl encrypt`, `hcl rekey`, or `hcl decrypt` commands when Online Encryption is enabled.
- You cannot use Online Encryption if there is an Access Control Policy associated with the VM. If you enable the HTCrypt Driver and apply an Access Control Policy to the disk, online encryption will fail.
- If you are using Online Encryption on a VM and you want to encrypt a Linux system device (such as `/root`, `swap`, or `/home`), keep in mind that:
  - The VM will need to be rebooted before the Policy Agent can begin the encryption process. There will be no delay in the reboot process, however. The VM will come back up and be available to users again before the Policy Agent starts encrypting it. After that initial reboot, the VM will remain available throughout the encryption process.
  - If you decrypt the system device, the VM will remain accessible to users during the entire process as long as the VM does not reboot. If the VM reboots, the VM will remain offline until the Policy Agent finishes decrypting the system device. Once the system device has been decrypted, you will need to reboot the VM before you perform any other administration functions, such as upgrading the kernel or re-encrypting the system device.
- After Online Encryption has been enabled, you can rekey all devices on the VM as a background process with no disruption to data disk access and minimal disruption to system device access.