Encryption With Windows Virtual Machines

Introduction

This chapter describes installation and management of the HyTrust DataControl agent on Windows platforms. We assume that you have read the introductory chapter on VM Encryption which covers the architectural aspects as well as operations that are common to both Windows and Linux.

The following set of steps will be taken to install the DataControl agent on Windows:

VM Windows Steps Taken

First you need to install one or more KeyControl appliances. You can find details here. At this point you can then install any number of Windows servers up to your license limit. You'll then need to log on as a cloud administrator and set up a Cloud VM Set into which you will place your Windows VM.

There are two methods of administration after agent installation:

  • Through a Windows GUI application.
  • Through the command line.

The command line method is very similar to Linux and may be preferable for UNIX-based administrators. Windows administrators may prefer to use the GUI. We do recommend in both cases that registration and authentication be performed using the GUI to avoid having to create and copy certificates between the KeyControl and the VMs.

If you are using the command line, you will need to generate a certificate for each VM on which you're installing the DataControl agent. Note that a certificate ties a VM to a Cloud VM Set. You then register the VM.

Platforms supported

We currently support the following Windows platforms:

  • Windows 2012 Server R2 with service pack 1.
  • Windows 2008 Server R2 64-bit. We have tested with both the standard and enterprise editions; it should work with and without service pack 1.
  • Windows 7 64-bit with service pack 1.

If you are intending to use the HyTrust GUI, you need to install version 4 of the Microsoft .NET framework. You can find details here:

http://www.microsoft.com/en-us/download/details.aspx?id=17851

If you are only going to use the command-line-based tools, you can skip installation of the .NET framework. Whether using the GUI or not, you can still install the HyTrust software without having .NET installed.

A note on Administrator Privileges

Administrator privileges are required to install, upgrade or uninstall the software. If you attempt one of these operations as a regular user, you will be prompted to enter the administrator password before continuing. If User Account Control (UAC) is turned off, then install/upgrade/uninstall will prevent a non-administrator from completing the task.

All of the hcl operations must be run as an administrator. Any attempts to run any hcl commands without administrator privilege will terminate with the message:

hcl must be run as Administrator

To run a program/command as the Administrator, simply locate it, right click on it and then select Run as administrator as shown below when running the GUI on Windows 7:

VM Windows Gui Admin

Setting Up A Device For Encryption

Before we describe the installation process, we want to say a few words about mapping drive letters to drives. HyTrust does not require that drives are formatted but we do require an associated drive letter.

The Windows disk manager should be used to add drive letters. To start the disk manager, either run diskmgmt.msc from the command shell or locate and start the Server Manager as shown below:

VM Windows Server Mgr

Once loaded, you will see the following screen. Select Storage down the left hand side and then select Disk Management(Local). Note that VHD drives are not supported in those cases where they are stored on an NTFS filesystem as a file.

VM Windows Disk Mgr 1

In this example we have two new disks, referenced on the screen as shown below. Note that in subsequent usage (after formatting) you may just see the disks as online and available.

VM Windows Disk Mgr 2

Select MBR for partitioning. GPT is not supported at this time. After pressing OK, the two disks will be displayed as follows (Disk 1 and Disk 2):

VM Windows Disk Mgr 3

You can now create volumes of the appropriate type and format as necessary. If you're adding a new disk you don't need to format it. HyTrust will format the disk for you.

You can find more information about Windows disk management here:

http://technet.microsoft.com/en-us/library/cc754936.aspx

Note that you may encounter issues adding drive letters. If this is the case, you may need a reboot.

The Windows Disk Manager is a little harder to locate on Windows 7. Click on the Start button and then choose Control Panel. Click on the System and Security link. In the System and Security window, click on the Administrative Tools heading located near the bottom of the window. And from the Administrative Tools window, double-click the Computer Management icon. When Computer Management opens, click on Disk Management on the left side of the window, located under Storage.

An easier alternative is to click Start, type run, then type diskmgmt.msc and click OK.

Windows 2012 is a special case. The Windows 2012 Server Manager does not allow you to initialize new disks using the MBR partition style. However, there are 2 alternate mechanisms that can be used.

  • From Powershell, run the Initialize-Disk cmdlet. This command allows you to specify the style. For instance:

    Initialize-Disk 1 -PartitionStyle MBR

    This command will initialize Disk 1 as MBR. The disk will now be available for encryption.

  • From the Server Manager GUI, select Computer Management from the Tools drop-down menu. This will allow you to select the Disk Management tool on the left hand tree view under Storage. When you select Disk Management, you will be presented with the tool that was available in previous Windows releases. This tool will allow you to select the MBR partitioning style.
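The PowerShell route above can be scripted end to end. The following is an added example (not part of the HyTrust documentation) that takes a raw disk on Windows Server 2012 through the state the agent needs: online, MBR-partitioned and mapped to a drive letter, without formatting it, since the agent formats new disks itself. It uses the Storage module cmdlets that ship with Windows Server 2012 (Get-Disk, Set-Disk, Initialize-Disk, New-Partition); the guard conditions and the disk-number parameter are choices made for this example.

```powershell
# Added example (not from the HyTrust documentation): prepare a raw disk on
# Windows Server 2012 with an MBR partition table and a drive letter, which is
# what the DataControl agent requires before 'hcl add'. Assumes the Storage
# module cmdlets of Windows Server 2012; run from an elevated PowerShell.
param(
    [Parameter(Mandatory = $true)][int]$DiskNumber
)

$disk = Get-Disk -Number $DiskNumber -ErrorAction Stop

# Initialize-Disk on the wrong target is destructive, so refuse to touch the
# system/boot disk or any disk that already carries a partition table.
if ($disk.IsSystem -or $disk.IsBoot) {
    throw "Disk $DiskNumber is a system/boot disk; refusing to initialize it."
}
if ($disk.PartitionStyle -ne 'RAW') {
    throw "Disk $DiskNumber already has partition style $($disk.PartitionStyle); nothing done."
}

# Bring the disk online and writable, then lay down an MBR partition table
# (GPT is not supported by the agent, per the text above).
Set-Disk -Number $DiskNumber -IsOffline $false
Set-Disk -Number $DiskNumber -IsReadOnly $false
Initialize-Disk -Number $DiskNumber -PartitionStyle MBR -Confirm:$false

# One partition spanning the disk, with a drive letter assigned automatically.
# Deliberately no Format-Volume: the agent formats new disks during 'hcl add'.
$part = New-Partition -DiskNumber $DiskNumber -UseMaximumSize -AssignDriveLetter

"Disk $DiskNumber initialized as MBR; partition mapped to drive $($part.DriveLetter):"
```

Save it as, for example, Prepare-HclDisk.ps1 and run `.\Prepare-HclDisk.ps1 -DiskNumber 1`; the drive letter it prints is the one you pass to hcl add.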

Installation

The following sections describe how to install, upgrade and uninstall the DataControl agent on Windows.

Installation Prerequisites

As described above, if you are intending to use the HyTrust GUI, you need to install version 4 of the Microsoft .NET framework. You can find details here:

http://www.microsoft.com/en-us/download/details.aspx?id=17851

If you are only going to use the command-line-based tools, you can skip installation of the .NET framework. Whether using the GUI or not, you can still install the HyTrust software without having .NET installed.

Installing the DataControl agent on Windows

First you should download the DataControl agent software. Select the CLOUD tab and you will see the DOWNLOAD HYTRUST DATACONTROL button as shown below:

VM Windows Download

The next step is to locate the HyTrust package and double click to start the install process:

VM Windows Pkg Select

The first screen that appears is a simple "Welcome" screen as follows:

VM Windows Install 1

Next, you need to agree to the license terms:

VM Windows Install 2

Then choose a destination for the software:

VM Windows Install 4

You can elect to choose a shortcut for the HyTrust software:

VM Windows Install 45

Click Install to proceed with the installation. It will only take a few seconds after which you will see the following screen:

VM Windows Install 5

You can now continue on to configure encrypted devices.

Uninstalling the DataControl Agent on Windows

To uninstall the HyTrust software, select Uninstall from the HyTrust menu (from Start > All Programs > HyTrust). Note that if you wish to preserve data you should run hcl decrypt on your volumes or use the GUI.

VM Windows Uninstall

First of all, a short welcome screen is presented:

VM Windows Install 1

After selecting Next, click Uninstall to start the process of removing the software.

VM Windows Uninstall 2

The following screen will be displayed. You need to confirm that if you continue with the uninstall, all data on all volumes will be lost. Click Yes to continue.

VM Windows Uninstall Confirm

Once the software has been uninstalled, you will see the following message. After the uninstall you should reboot Windows to clean up any driver state.

VM Windows Gui Uninstall

Once the software has been uninstalled, you will see a final message:

VM Windows Uninstall 4

Note that any errors encountered during the install/uninstall process will be logged to C:\hcs-install.log. If errors are encountered, a popup will highlight that fact and mention the path to the logfile.

NOTE: You should now reboot Windows.

Upgrading the DataControl Agent on Windows

Upgrading the HyTrust software is very similar to the process of installing the software for the first time. First of all, you can check the current version of the software by looking at the top of the GUI as follows:

VM Windows Gui Version

or via the command line as follows:

C:\>hcl version
2.5 (b56715676)

The next step is to run the installation package. After the first few screens, which are similar to first install, you will see the following screen appear to inform you that an upgrade will take place. Note that you must terminate any applications that are currently using encrypted devices prior to performing the upgrade. If applications are still running, click No, terminate the applications and then repeat the upgrade process again.

VM Windows Gui Upgrade

At this point, click Yes and the upgrade will continue. Once complete, you should reboot Windows. Once reboot is complete, your drives will be back online.

GUI-based VM Management

Most operations can be performed through the HyTrust GUI. This can be found from Start > All Programs and under HyTrust as follows:

VM Windows Gui Start

When the GUI starts for the first time, you will see a screen similar to the following screen shot:

VM Windows Gui Open

Which drives are shown depends on your configuration.

Registration with the KeyControl Cluster

When starting the GUI for the first time, you will see a screenshot similar to the one shown above. To register with the KeyControl cluster, click the Register button. This will bring up the following screen:

VM Windows Gui Register

Before describing the fields to fill in, let's look at the list of Cloud VM Sets that we have:

VM Windows Gui Cvm Sets

We are going to register with this KeyControl and we want to place the VM in the "Azure" Cloud VM Set. The parameters that need to be entered in the GUI are:

  • KeyControl Name/IP - the hostname or IP address of one of the KeyControl appliances.
  • Sec KeyControl Name/IP - if you have a second appliance in a KeyControl cluster, enter the hostname or IP address here. You can leave this blank if you only have one KeyControl.
  • Username - this is the Cloud Admin username under which you are registering the VM.
  • Password - the password for the Cloud Admin (that you would normally enter to log in to the KeyControl GUI).
  • VM Name - the symbolic name of the VM. This will appear in the KeyControl GUI. For example, see the screenshot below. Here we have a Windows VM with a VM Name of windows-exchange-server.
  • Description - an optional description which will be shown in the KeyControl GUI when displaying more information about the VM.
  • Cloud VM Set - the Cloud VM Set into which we will place this VM. As noted above, we are going to place it in the Azure Cloud VM Set.

VM Windows Gui Sym

Here is the GUI screenshot with all fields filled in:

VM Windows Gui Reg Filled

Click Register and we will go through the process of generating a certificate, downloading the certificate and registering the VM. You do not need to go to the GUI to authenticate the VM since you have already supplied your credentials. Once complete you will see the following which shows that the VM is now connected to the KeyControl cluster:

VM Windows Gui Reg Success

And if you look at the KeyControl GUI, you will see the VM in the Azure Cloud VM Set. Note the VM name and description.

VM Windows Gui Reg Success Kps

Encrypting New and Existing Devices

Before adding a device, we recommend that you read this section, which covers device management in Windows. Before HyTrust can encrypt drives or encapsulate drives containing an NTFS filesystem, we must first have a drive letter that we can reference.

Once drive letters are assigned, right click on one of the displayed devices and you will see two options:

VM Windows Gui Dev Rclick

If you select Add and Format, you will need to acknowledge that all data will be overwritten:

VM Windows Gui Dev Erase

Once you select Yes we will add the device (equivalent of hcl add on the command line) and format the encrypted device with NTFS. You will now see the following change in the GUI:

VM Windows Gui Dev Addf

and the device will now be visible on the KeyControl GUI:

VM Windows Gui Dev Addf Kps

Now that the F: drive is listed in the GUI, let's assume that we already have an NTFS filesystem on it and that we wish to encapsulate the drive (keep the NTFS filesystem and files, and encrypt it). In this case, we need to select Add/Encrypt the device as shown below:

VM Windows Gui Add Encrypt

You will see the following warning:

VM Windows Gui Add Encrypt Warn

After selecting Yes, the drive will then be encrypted. This could take a long time depending on the size of the drive and the performance of the processor/storage subsystem. However, the operation is performed in the background, so you can still use the drive. Once you confirm that you wish to encrypt, you will see the following:

VM Windows Post Enc

The popup window informs you that the process of encrypting the disk has started. In the main window you can see that the encryption process is 73.85% complete. We cover encryption and how you control it in the section Encrypting An Existing Device.

Removing a Device from HyTrust Control

To remove a disk from HyTrust control, right click on the device and you will see the following three options:

VM Win Gui Rm

If you select Remove, we will remove the disk and you will no longer be able to access the data, so be warned. If you wish to continue accessing data after removal, select Decrypt and Remove. Note that you will see the following warning. As with Add and Encrypt you can continue to access the disk while it is being decrypted.

Command-Line-Based VM Management

In the following sections, we describe the operations that can be performed on the VM including registration, authentication, encrypting devices and obtaining and understanding status messages.

Creation of Certificates

Once you have created a Cloud VM Set and wish to add a VM, you first need to create a certificate. To do this, point your browser at the KeyControl, log on, select the Cloud tab and then select the Cloud VM Set. For example, in the screenshot below, we have selected the Local Windows VMs Cloud VM Set:

VM Cvmset Cert

From here click the CREATE NEW CERTIFICATE button and you will see the following screen:

VM Cvmset Cert Details

Type in the (optional) passphrase for the certificate. You will be prompted to re-type this passphrase when you register the VM. You can also specify the length of time for which the certificate is valid. By default this is 365 days. At this point you need to click the Create button. The certificate will then be downloaded and should be copied to the VM. Then click Done to return to the previous screen. Note that you can generate multiple certificates in this screen before returning, by repeated clicks of Create. Note that certificates can only be used once.

Registration Of The VM

The hcl command is your gateway to VM encryption services. To register a VM, select Start, type command and press Enter, as shown below:

VM Win Command

On Windows 7, if you are not logged on as an Administrator, you can run the command shell as Administrator by right-clicking on the command icon as shown below:

VM Win7 Cmdshell

To display the list of options available, simply type hcl and press enter. A full manual page is available here.

Run the following command to register the VM with the KeyControl. Note that you must first copy the certificate to the VM from which you will register, and make sure that you switch to the directory where you placed the certificate. Note that Windows also supports command line completion so you can enter the first character of the certificate and hit <Tab> to complete the filename.

C:\>hcl register -h win2008 -d "Windows 2008" 192.168.140.130 ad85837b-9862-11e1-afd5-000c29de5d41_120507163538.bin
Enter Import Password: Enter certificate passphrase

Enter passphrase (min 16 characters): OneTimePass16chrs
Registered as win7-server with KeyControl 192.168.140.130

Please login to the KeyControl to complete the authentication of this node

-h and -d arguments are optional. The name of the VM (the -h argument) is user chosen and can be anything. In this case, we just chose the name win2008. It will appear in the webGUI next to this VM. If the argument is omitted, the hostname will be used by default. The IP address references the KeyControl and the certificate filename is the last parameter. The -d argument is optional but will be displayed in the webGUI and is useful to further identify your VM.

In the above, ad85....bin file was the certificate file that we got from the CREATE NEW CERTIFICATE step. The Import Password is the password used to encrypt the certificate while generating it. The Passphrase is the one-time password used to authenticate the VM with the KeyControl. This must be a minimum of 16 characters.

You can perform this in one step as follows:

C:\>hcl register -h VM_name -d Description -p CertPass -o OneTimePass16chrs kps1:443,kps2:443,kps3:443 /path/to/cert.bin

In the example here, we are registering with a cluster of three KeyControl appliances.

Certificates are valid for 365 days by default but the actual expiration date can be specified when certificates are created. We discuss certificate handling further in the section Certificate Handling.

Once you have issued the hcl register command go back to the KeyControl and you should see an entry labelled win2008 in the Unauthenticated Nodes list under the Cloud Administration tab.

VM Unauth2

Click on the padlock icon and enter the same passphrase as during VM registration (OneTimePass16chrs). Note that if you entered a description during registration from the VM (-d option) it will appear on this screen. You can change this here.

VM Gui Auth2

Once you have entered the correct passphrase and clicked Apply, you should now see the VM move into its rightful place under the Local Windows VMs group.

VM New Node2

Click on the VM (highlight the link or expand the file tree) and you will see the VM details (such as OS, IP address) as shown below. Clicking on the EDIT VM button will allow you to edit the Heartbeat, Grace Period and description.

VM Info2

Now, to explain the fields shown for each VM:

  • Description - This is a user-defined description of the VM. It can be set by editing the VM properties.
  • IP Address - The VM's IP address as seen by the KeyControl. If some VMs are behind a NAT gateway, then they will all show the same IP address: that of the gateway.
  • Cloud VM Set - The Cloud VM Set to which this VM belongs.
  • Heartbeat - The interval (in seconds) at which the VM pings the KeyControl. Any actions such as device revocation or revocation of the VM itself will be performed the next time that the VM heartbeats the KeyControl.
  • Grace Period - If the KeyControl does not hear from the VM within the grace period (in seconds), the VM is forced to go through authentication once more. Access to all encrypted devices will be revoked at this point so be sure to set the grace period to a value that is acceptable. To avoid simple problems such as networking disconnects which could easily be hit for several heartbeat attempts, the Grace Period should be at least 10 times the Heartbeat value.
  • Status - this will be Online if the VM can be reached and Unreachable if the VM is not accessible. This could occur if the VM is not reachable due to network errors or if the VM is shut down.
  • OS - Operating system level information about the VM.
  • HCS VM Agent Version - The HyTrust software version that the client is running.

The VM AUTHENTICATION SETTINGS show the circumstances in which the VM will be forced to re-authenticate. The parameters are:

  • Change of IP addr - if the IP address is changed, re-authentication is needed.
  • Change of H/W signature - currently, we use the MAC address of the first Ethernet card as the hardware signature. If this value changes, re-authentication is needed. Typically, when a VM is copied, the hypervisor changes the MAC address of the new copy so be warned.
  • Reboot - this option is disabled by default. However, one could force re-authentication every time that the VM boots. This is similar to having a boot-time password to enable the VM to come up completely.

If a VM is already registered and you attempt to register again, you will see the following warning:

C:\>hcl register -p rootroot -o HyTrust -h win-2008 -d "My Windows VM" 192.168.140.151 *bin
Already registered
Use -c to register as clone (clone certificate will be required)
If you wish to start afresh by destroying all existing configuration
information and data on encrypted volumes, run 'hcl destroy' and remove
this VM from the KeyControl

You are only likely to see this if you forget the passphrase and the VM is still sitting on the Unauthenticated VMs list. Remove the VM and repeat the registration phase once more.

Checking The VM Post Registration

The status of the VM can be checked at any time using the hcl status command. For example, following a successful registration, run the command as follows:

C:\> hcl status

Summary
-------------------------------------------------------------------------------
KeyControl: 192.168.140.151:443
KeyControl list: 192.168.140.151:443
Status: Connected
Last heartbeat: Sat Sep 07 14:18:21 2014 (successful)

Device details
-------------------------------------------------------------------------------
Drive Disk  Part  Cipher     Status       GUID
-------------------------------------------------------------------------------
E:    1     1     none       Available    N/A
F:    2     1     none       Available    N/A

The status is shown as Connected. The list of devices detected that are available for use is also shown.
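Because hcl status is the one place that shows both the KeyControl connection and the per-drive cipher, it is a natural input for a periodic compliance check. The following is an added example (not part of the HyTrust documentation) that parses the output layout shown above and reports an agent that is not Connected, a heartbeat older than a threshold, a data drive still carrying cipher none, or an encrypted drive that is not Attached. The property names, the 600-second threshold, the treatment of the Avail-Sys row as the unmanaged system drive, and the embedded sample are assumptions of this example; it needs PowerShell 3.0 or later.

```powershell
# Added example (not part of the HyTrust documentation): parse 'hcl status'
# output and report conditions an operator should act on. Layout follows the
# samples on this page; names, threshold and sample data are assumptions.
# Requires PowerShell 3.0 or later.

function ConvertFrom-HclStatus {
    param([Parameter(Mandatory = $true)][string[]]$Lines)

    $result = [ordered]@{ Status = $null; LastHeartbeat = $null; Devices = @() }
    $inDevices = $false

    foreach ($line in $Lines) {
        if ($line -match '^Status:\s+(\S+)') { $result.Status = $Matches[1]; continue }
        if ($line -match '^Last heartbeat:\s+(.+?)\s+\((\w+)\)') {
            $result.LastHeartbeat = [pscustomobject]@{ When = $Matches[1]; Result = $Matches[2] }
            continue
        }
        if ($line -match '^Device details') { $inDevices = $true; continue }
        # Device rows look like:  E:    1     1     none       Available    N/A
        if ($inDevices -and $line -match '^([A-Z]):\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)') {
            $result.Devices += [pscustomobject]@{
                Drive  = $Matches[1]; Disk   = [int]$Matches[2]; Part = [int]$Matches[3]
                Cipher = $Matches[4]; Status = $Matches[5];      Guid = $Matches[6]
            }
        }
    }
    [pscustomobject]$result
}

function Get-HclFindings {
    param(
        [Parameter(Mandatory = $true)]$Status,
        [int]$MaxHeartbeatAgeSeconds = 600,   # assumed; keep it well below your Grace Period
        [datetime]$Now = (Get-Date)
    )
    $findings = @()

    if ($Status.Status -ne 'Connected') {
        $findings += "Agent status is '$($Status.Status)', not Connected."
    }

    if ($null -eq $Status.LastHeartbeat) {
        $findings += 'No heartbeat line found in hcl status output.'
    } else {
        # Drop the weekday name; the stamp carries no zone, so it is read as local time.
        $stamp = $Status.LastHeartbeat.When -replace '^\w{3}\s+', ''
        $when  = [datetime]::ParseExact($stamp, 'MMM dd HH:mm:ss yyyy', [cultureinfo]::InvariantCulture)
        $age   = [int](($Now - $when).TotalSeconds)
        if ($Status.LastHeartbeat.Result -ne 'successful') {
            $findings += "Last heartbeat was '$($Status.LastHeartbeat.Result)', not successful."
        }
        if ($age -gt $MaxHeartbeatAgeSeconds) {
            $findings += "Last heartbeat is $age s old (threshold $MaxHeartbeatAgeSeconds s)."
        }
    }

    foreach ($d in $Status.Devices) {
        if ($d.Status -eq 'Avail-Sys') { continue }   # system drive; not managed by the agent
        if ($d.Cipher -eq 'none') {
            $findings += "$($d.Drive): is not encrypted (status $($d.Status))."
        } elseif ($d.Status -ne 'Attached') {
            $findings += "$($d.Drive): is encrypted ($($d.Cipher)) but its status is $($d.Status), not Attached."
        }
    }

    if ($findings.Count -eq 0) { $findings = @('No findings.') }
    return $findings
}

# Constructed sample in the layout shown on this page (not real output).
$sample = @'
Summary
-------------------------------------------------------------------------------
KeyControl: 192.168.140.152:443
KeyControl list: 192.168.140.152:443
Status: Connected
Last heartbeat: Sat Jan 26 16:02:57 2014 (successful)

Device details
-------------------------------------------------------------------------------
Drive Disk  Part  Cipher     Status       GUID
-------------------------------------------------------------------------------
C:    0     2     none       Avail-Sys    N/A
E:    1     1     AES-256    Attached     BA7883AE-3562-44F1-9D86-87D80323CC01
F:    2     1     none       Available    N/A
'@ -split "`r?`n"

$status = ConvertFrom-HclStatus -Lines $sample
Get-HclFindings -Status $status -Now ([datetime]'2014-01-26T16:30:00')
# Against a live host: Get-HclFindings -Status (ConvertFrom-HclStatus -Lines (& hcl status))
```

Run from an elevated PowerShell, since hcl itself must be run as Administrator. With the embedded sample the check reports the stale heartbeat and the unencrypted F: drive; on a live host, schedule it and forward the findings to whatever alerting you already use.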

Encrypting a New Disk

Empty drives must be given drive letters prior to being managed by HyTrust. For example, consider the following system for which two drives are available:

Device details
-------------------------------------------------------------------------------
Drive Disk  Part  Cipher     Status       GUID
-------------------------------------------------------------------------------
E:    1     1     none       Available    N/A
F:    2     1     none       Available    N/A

The Windows disk manager should be used to add drive letters. If no drive letters are associated with the drives, HyTrust cannot use them. Please refer to this section for information on using the Disk Manager to add drive letters. Please note that for new drives, you do not need to format them. We just require that you have the right volume type that meets your storage needs and that you have a drive letter attached.

After you have added drive letters and run hcl status, you will see the associated drive letters:

Summary
-------------------------------------------------------------------------------
KeyControl: 192.168.140.152:443
KeyControl list: 192.168.140.152:443
Status: Connected
Last heartbeat: Sat Jan 26 16:00:36 2014 (successful)

Device details
-------------------------------------------------------------------------------
Drive   Disk    Part    Cipher          Status         Handlers
-------------------------------------------------------------------------------
E:      1       1       none            Available      DEFAULT,DEFAULT
F:      2       1       none            Available      DEFAULT,DEFAULT

We can now add/attach the drives as follows. Please note that this operation is destructive. It will add the drive and format it. If you wish to encrypt an existing filesystem/disk, please click here. In this example, the E: disk will use the default cipher of AES-256 while the F: disk will use AES-128.

C:\> hcl add e:
Added device \Device\Harddisk2\Partition1
partition is already raw, just unmounting E
formatting...
The type of the file system is RAW.
The new file system is NTFS.
QuickFormatting 5118M
Creating file system structures.
Format complete.
       5.0 GB total disk space.
       5.0 GB are available.
Encrypted device E: has been added.

C:\> hcl add -c AES-128 f:
Added device \Device\Harddisk2\Partition1
partition is already raw, just unmounting G
formatting...
The type of the file system is RAW.
The new file system is NTFS.
QuickFormatting 2046M
Creating file system structures.
Format complete.
       2.0 GB total disk space.
       2.0 GB are available.
Encrypted device F: has been added.

You can now view the attached disks as follows:

C:\> hcl status

Summary
-------------------------------------------------------------------------------
KeyControl: 192.168.140.152:443
KeyControl list: 192.168.140.152:443
Status: Connected
Last heartbeat: Sat Jan 26 16:02:57 2014 (successful)

Device details
-------------------------------------------------------------------------------
Drive Disk  Part  Cipher     Status       GUID
-------------------------------------------------------------------------------
E:    1     1     AES-256    Attached     BA7883AE-3562-44F1-9D86-87D80323CC01
F:    2     1     AES-256    Attached     N/A

At this point the encrypted disks are formatted and ready to use.

If you add a device that already contains an NTFS filesystem, we will detect that and print the following message:

C:\>hcl add f:
The partition you've selected to add already contains an NTFS file system.
This operation will destroy the contents of the disk.
If you wish to preserve them, run hcl encrypt F instead.
Do you want to proceed (y/n)

If you do not wish to overwrite and have the contents of the disk encrypted, you should not use hcl add and use hcl encrypt instead.

Once added, you can now use your disks as normal. For example, in the screenshot below, both E: and F: have been formatted and files copied into E: - note that by default, Explorer won't show the string "Encrypted." That is the label we chose when adding a drive letter.

VM Windows Encrypted Drives

You can view the HyTrust-managed devices in the webGUI by selecting the Windows VM and selecting Disks in the file browser. For the two disks under management above, here is the view in the webGUI:

VM Windows Encrypted Drives Gui View

Encrypting An Existing Device

If you have a disk that already contains data that you want to be encrypted, you can run the hcl encrypt command. All encryption, whether encrypting a new disk or removing and decrypting an existing disk, makes use of dynamic rekey. In the case of adding/encrypting a disk, we do the conversion in the background allowing you access the disk while the encryption process is taking place. This allows you to have no downtime for your applications and data.

To demonstrate how rekey works, let's first look at the contents of the unencrypted G: drive:

C:\>dir g:
 Volume in drive G is New Volume
 Volume Serial Number is 44A1-E6A7

 Directory of G:\

10/25/2012  01:48 PM           346,454 HCS_BreachWhitepaper_v1.5.pdf
10/25/2012  01:48 PM           303,179 HCS_CSP_Whitepaper.pdf
10/25/2012  01:48 PM         2,278,559 HCS_Encryption_Use_Cases.pdf
10/25/2012  01:48 PM           883,773 HCS_HIPAA_Compliance.pdf
10/25/2012  01:48 PM         1,006,858 HCS_PCI_Compliance.pdf
10/25/2012  01:48 PM           310,103 HCS_Shack-P1.pdf
10/25/2012  01:48 PM           495,492 HCS_Shack-P2.pdf
               7 File(s)      5,624,418 bytes
               0 Dir(s)   2,098,798,592 bytes free

and now let's start the encryption process:

C:\>hcl encrypt g:
All the data on g: will be encrypted. This operation may take a long time.
Do you want to proceed? (y/n) y

registering drive G:, guid FF2A17F2-D7DE-404B-B977-018ADC611BCC

Encrypted device G: has been added.
.....

You can view the progress of the rekey operation by running hcl rekey as follows:

C:\>hcl rekey status g:
device: \Device\Harddisk3\Partition1
drive: G
state: in progress
begin: 65536
end: 2144403456
current: 725794816
sector offset (from 0): 1417568
total sectors: 4188160
total size: 2144337920
pct done: 33.85%
elapsed time (seconds): 27

...and even though the drive is only partially encrypted, we can still view the contents:

C:\>dir g:
 Volume in drive G is New Volume
 Volume Serial Number is 44A1-E6A7

 Directory of G:\

10/25/2012  01:48 PM           346,454 HCS_BreachWhitepaper_v1.5.pdf
10/25/2012  01:48 PM           303,179 HCS_CSP_Whitepaper.pdf
10/25/2012  01:48 PM         2,278,559 HCS_Encryption_Use_Cases.pdf
10/25/2012  01:48 PM           883,773 HCS_HIPAA_Compliance.pdf
10/25/2012  01:48 PM         1,006,858 HCS_PCI_Compliance.pdf
10/25/2012  01:48 PM           310,103 HCS_Shack-P1.pdf
10/25/2012  01:48 PM           495,492 HCS_Shack-P2.pdf
               7 File(s)      5,624,418 bytes
               0 Dir(s)   2,098,798,592 bytes free

Removing and Decrypting Devices

Disks can be detached (taken offline) or removed from HyTrust control. To take a disk offline simply do the following:

C:\>hcl detach E:
Encrypted drive  E: detached; decrypted contents no longer visible

This will remove access to the clear text data. You can bring the disk back online by running:

C:\>hcl attach E:
Encrypted device \Device\Harddisk1\Partition1 attached; decrypted contents visible at E:

To remove a disk completely from HyTrust control, simply issue the following command:

C:\>hcl rm E:
WARNING: Removal of devices will cause any data stored on them to be permanently lost.
Do you want to proceed? (y/n)? y

Removed device \Device\Harddisk2\Partition1

If you wish to remove a device but decrypt the contents first so the filesystem/files will still be accessible after HyTrust relinquishes access, you should simply run the following:

C:\>hcl decrypt E:
All the data on E: will be decrypted. This operation may take a long time.
Do you want to proceed (y/n)

As with add/encrypting a disk, decryption involves a rekey from cipher text to clear text and is performed in the background. You can view the decryption progress as follows:

C:\>hcl rekey status G:
device: \Device\Harddisk3\Partition1
drive: G
state: in progress
begin: 65536
end: 2144403456
current: 535085056
sector offset (from 0): 1045088
total sectors: 4188160
total size: 2144337920
pct done: 24.95%
elapsed time (seconds): 15

And of course, you can still access the files while the decryption is in progress.

Once completed, you will see that the drive moves back to being Available.

Device details
-------------------------------------------------------------------------------
Drive Disk  Part  Cipher     Status       GUID
-------------------------------------------------------------------------------
C:    0     2     none       Avail-Sys    N/A
E:    1     1     AES-256    Attached     A8E25AE9-7A75-471A-A1AA-7CAE1550B35C
F:    2     1     none       Available    583EB883-52D3-4B05-A482-FF113B5359DD
G:    3     1     none       Available    FF2A17F2-D7DE-404B-B977-018ADC611BCC

You can also confirm this by checking for rekey status. Once complete you will see the following message:

C:\>hcl rekey status G:
Could not find g: in hcl config
Device g: does not exist
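The two rekey states shown on this page, a key/value progress report while the rekey runs (see the hcl rekey status output in Encrypting An Existing Device) and the "Could not find ... in hcl config" answer once the drive has left the rekey list, are enough to build a small progress monitor. The following is an added example (not part of the HyTrust documentation) that parses both forms, projects the remaining time linearly from the pct done and elapsed time fields, and polls until the drive is reported gone. The projection, the polling interval, the assumption that hcl may print the not-found message on either output stream, and the embedded sample are choices made for this example; it needs PowerShell 3.0 or later.

```powershell
# Added example (not part of the HyTrust documentation): monitor 'hcl rekey
# status' for one drive until the agent no longer lists it. Field layout follows
# this page; the ETA projection, interval and sample data are assumptions.
# Requires PowerShell 3.0 or later.

function ConvertFrom-HclRekeyStatus {
    param([Parameter(Mandatory = $true)][string[]]$Lines)

    # Finished (or never started): the drive is no longer in the agent's rekey list.
    if (@($Lines -match '^(Could not find|Device .* does not exist)').Count -gt 0) {
        return [pscustomobject]@{ State = 'done'; PctDone = 100.0; ElapsedSeconds = $null; Eta = $null }
    }

    # Every other line is "key: value"; collect them into a lookup table.
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^([^:]+):\s*(.*)$') { $fields[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    if (-not $fields.ContainsKey('pct done')) {
        throw "Unrecognised rekey status output: $($Lines -join ' | ')"
    }

    $pct     = [double]($fields['pct done'] -replace '%', '')
    $elapsed = [int]$fields['elapsed time (seconds)']

    # Linear projection of the remaining time; undefined until some progress exists.
    $eta = $null
    if ($pct -gt 0) { $eta = [timespan]::FromSeconds($elapsed * (100 - $pct) / $pct) }

    [pscustomobject]@{
        State          = $fields['state']
        PctDone        = $pct
        ElapsedSeconds = $elapsed
        Eta            = $eta
    }
}

function Watch-HclRekey {
    param(
        [Parameter(Mandatory = $true)][string]$Drive,   # e.g. 'G:'
        [int]$IntervalSeconds = 10
    )
    while ($true) {
        # 2>&1 folds the not-found message in, whichever stream hcl writes it to.
        $raw    = @(& hcl rekey status $Drive 2>&1 | ForEach-Object { "$_" })
        $report = ConvertFrom-HclRekeyStatus -Lines $raw
        if ($report.State -eq 'done') { "$Drive rekey finished."; return }
        $etaText = if ($null -ne $report.Eta) { $report.Eta.ToString('hh\:mm\:ss') } else { 'n/a' }
        '{0} {1} {2,6:N2}% done, elapsed {3}s, est. remaining {4}' -f (Get-Date -Format 'HH:mm:ss'), $Drive, $report.PctDone, $report.ElapsedSeconds, $etaText
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# Constructed sample in the layout shown on this page (not real output).
$inProgress = @'
device: \Device\Harddisk3\Partition1
drive: G
state: in progress
begin: 65536
end: 2144403456
current: 725794816
sector offset (from 0): 1417568
total sectors: 4188160
total size: 2144337920
pct done: 33.85%
elapsed time (seconds): 27
'@ -split "`r?`n"

ConvertFrom-HclRekeyStatus -Lines $inProgress
ConvertFrom-HclRekeyStatus -Lines @('Could not find g: in hcl config', 'Device g: does not exist')
# Live monitoring: Watch-HclRekey -Drive 'G:'
```

The same parser serves both encryption and decryption, since hcl rekey status prints the same fields in either direction. The ETA is a straight-line estimate; on a busy storage subsystem it will drift, so treat it as guidance rather than a deadline.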

Expanding An Encrypted Device

When a filesystem becomes close to full, to add more space, the device first needs to be extended, which is easily done in a virtual machine. You then need to expand the NTFS filesystem within that device. This MUST be performed through HyTrust interfaces. Consider the following filesystem:

C:\>dir f:

 Volume in drive F is Encrypted F:
 Volume Serial Number is C2E3-6984

 Directory of F:\

10/25/2012  01:48 PM           346,454 HCS_BreachWhitepaper_v1.5.pdf
10/25/2012  01:48 PM           303,179 HCS_CSP_Whitepaper.pdf
10/25/2012  01:48 PM         2,278,559 HCS_Encryption_Use_Cases.pdf
10/25/2012  01:48 PM           580,043 HCS_Evaluating-HCS-VM-Encryption.pages
10/25/2012  01:48 PM           310,203 HCS_Evaluating-HCS-VM-Encryption.pdf
10/25/2012  01:48 PM         1,479,834 HCS_Evaluating-HyTrust.pages
10/25/2012  01:48 PM           979,387 HCS_Evaluating-HyTrust.pdf
10/25/2012  01:48 PM           975,640 HCS_Evaluation.pages
10/25/2012  01:48 PM           883,773 HCS_HIPAA_Compliance.pdf
10/25/2012  01:48 PM         1,006,858 HCS_PCI_Compliance.pdf
10/25/2012  01:48 PM           310,103 HCS_Shack-P1.pdf
10/25/2012  01:48 PM           495,492 HCS_Shack-P2.pdf
10/25/2012  01:48 PM           129,289 HyTrust-PCI-DSS-mapping.pdf
10/25/2012  01:48 PM           670,050 HyTrustSecurity_DataSheet_1.8.pdf
10/25/2012  01:48 PM           673,911 HyTrustSecurity_DataSheet_2.0.pdf
              15 File(s)     11,422,775 bytes
               0 Dir(s)   1,567,735,808 bytes free

There is approximately 1.5GB of free space in this device. We are going to expand it to 2GB. Shut down the VM and expand the disk. Once the system is up and running again, you can simply call hcl extend as follows:

C:\>hcl extend f:
extending partition for f:
extending filesystem for f:
the new filesystem is 2146369536 bytes long

And now the extra space is available and any data written beyond the end of the original device will be encrypted.

C:\>dir f:
 Volume in drive F is Encrypted F:
 Volume Serial Number is C869-A617

 Directory of F:\

10/25/2012  01:48 PM           346,454 HCS_BreachWhitepaper_v1.5.pdf
10/25/2012  01:48 PM           303,179 HCS_CSP_Whitepaper.pdf
10/25/2012  01:48 PM         2,278,559 HCS_Encryption_Use_Cases.pdf
10/25/2012  01:48 PM           580,043 HCS_Evaluating-HCS-VM-Encryption.pages
10/25/2012  01:48 PM           310,203 HCS_Evaluating-HCS-VM-Encryption.pdf
10/25/2012  01:48 PM         1,479,834 HCS_Evaluating-HyTrust.pages
10/25/2012  01:48 PM           979,387 HCS_Evaluating-HyTrust.pdf
10/25/2012  01:48 PM           975,640 HCS_Evaluation.pages
10/25/2012  01:48 PM           883,773 HCS_HIPAA_Compliance.pdf
10/25/2012  01:48 PM         1,006,858 HCS_PCI_Compliance.pdf
10/25/2012  01:48 PM           310,103 HCS_Shack-P1.pdf
10/25/2012  01:48 PM           495,492 HCS_Shack-P2.pdf
10/25/2012  01:48 PM           129,289 HyTrust-PCI-DSS-mapping.pdf
10/25/2012  01:48 PM           670,050 HyTrustSecurity_DataSheet_1.8.pdf
10/25/2012  01:48 PM           673,911 HyTrustSecurity_DataSheet_2.0.pdf
              15 File(s)     11,422,775 bytes
               0 Dir(s)   2,104,590,336 bytes free

Notice the difference in free space reported by the two runs of dir.

Dynamic Rekey Management

We have discussed how dynamic rekey is used to both encrypt and decrypt disks without taking applications or data offline. While this is used for adding/removing encrypted disks, dynamic rekey can also be performed on existing disks. For example, consider the following:

Device details
-------------------------------------------------------------------------------
Drive Disk  Part  Cipher     Status       GUID
-------------------------------------------------------------------------------
C:    0     2     none       Avail-Sys    N/A
E:    1     1     none       Available    365DED95-9354-4D6F-A3BD-0319432FD723
G:    2     1     AES-256    Attached     EDCDD166-B740-4296-8218-26BDE0ED1BFB
F:    3     1     AES-256    Attached     8DFA86D3-32F9-4B8C-9D81-0888A7DBF87C

The F: drive is already attached and encrypted. If you wish to rotate encryption keys, that is, decrypt the disk with the current key and re-encrypt it with a newly allocated key, you can do so using dynamic rekey. In the current release, this is only available through the command line.

To start a rekey, simply run the hcl command as follows:

C:\>hcl rekey f:

You can check the status as follows:

C:\>hcl rekey status f:
device: \Device\Harddisk3\Partition1
drive: F
state: in progress
begin: 65536
end: 3218145280
current: 2793684992
sector offset (from 0): 5456416
total sectors: 6285312
total size: 3218079744
pct done: 86.81%
elapsed time (seconds): 90
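
To watch a long rekey (the decrypt earlier in this chapter and the key rotation above produce the same report), here is an added example that is not part of the HyTrust documentation: it parses the hcl rekey status output, cross-checks hcl's reported figures against the byte offsets, and estimates the time remaining. The 512-byte sector size is an assumption inferred from the sample numbers.

```python
from typing import Optional

# Constructed sample, copied from the 'hcl rekey status' output shown above
SAMPLE_IN_PROGRESS = """\
device: \\Device\\Harddisk3\\Partition1
drive: F
state: in progress
begin: 65536
end: 3218145280
current: 2793684992
sector offset (from 0): 5456416
total sectors: 6285312
total size: 3218079744
pct done: 86.81%
elapsed time (seconds): 90
"""

# Constructed sample of what hcl prints once a decrypt has finished and the
# drive is no longer in the hcl configuration
SAMPLE_GONE = "Could not find g: in hcl config\nDevice g: does not exist\n"

def parse_rekey_status(text: str) -> Optional[dict]:
    """Split 'key: value' lines into a dict; None if hcl no longer tracks the drive."""
    if "Could not find" in text or "does not exist" in text:
        return None
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon separates the key
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def rekey_progress(fields: dict) -> dict:
    """Recompute progress from the byte offsets and sanity-check hcl's own figures."""
    begin, end, current = (int(fields[k]) for k in ("begin", "end", "current"))
    elapsed = float(fields["elapsed time (seconds)"])
    reported_pct = float(fields["pct done"].rstrip("%"))
    pct = 100.0 * (current - begin) / (end - begin)
    # The byte window [begin, end) should equal 'total size', and the sector
    # offset (assumed 512-byte sectors) should land exactly on 'current'.
    consistent = (
        end - begin == int(fields["total size"])
        and int(fields["sector offset (from 0)"]) * 512 == current
        and abs(pct - reported_pct) < 0.01
    )
    # Naive ETA assuming the rate so far continues (throttling makes this a rough guide)
    eta = elapsed * (100.0 - pct) / pct if pct > 0 else None
    return {"pct": round(pct, 2), "consistent": consistent, "eta_seconds": eta}
```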

The percentage of the rekey operation being performed will also be shown in the GUI as follows:

VM Windows Rekey Percent

Upon completion, the GUI will display the disk as attached. If you run hcl rekey status you will see that rekey is 100.00% done.

Rekey operations can be paused. You may wish to pause a rekey if you get a spike in I/O activity. Although rekey will be throttled in the event of higher I/O activity, it may still cause a performance bottleneck. Simply call hcl rekey pause f: to pause the rekey and hcl rekey resume f: to start it again. If paused, you will see the following in the GUI:

VM Windows Rekey Pause

Revoking VM Permissions

You can revoke access to all devices for a VM and prevent further access between this VM and the KeyControl until it is re-authenticated. Within the file browser, select one of the Cloud VM Sets and click the X next to the VM. The particular VM will immediately be moved back to the Unauthenticated list.

VM Revoke Vm W1

One can also revoke VM access by selecting the VM from the file browser and clicking the REVOKE VIRTUAL MACHINE PERMISSIONS button.

VM Revoke Vm W2

On the VM, hcl status still shows that everything is fine (Connected).

C:\> hcl status

Summary
-------------------------------------------------------------------------------
KeyControl: 192.168.140.152:443
KeyControl list: 192.168.140.152:443
Status: Connected
Last heartbeat: Sat Jan 26 16:02:57 2014 (successful)

However, after the next heartbeat (10 seconds), the status changes as follows:

C:\> hcl status

Summary
-------------------------------------------------------------------------------
KeyControl: 192.168.140.152:443
KeyControl list: 192.168.140.152:443
Status: Reauth needed (Virtual Machine not authenticated)
Last heartbeat: Sat Jan 26 16:02:57 2014 (successful)

Device details
-------------------------------------------------------------------------------
Drive Disk  Part  Cipher     Status       GUID
-------------------------------------------------------------------------------
E:    1     1     AES-256    Detached     BA7883AE-3562-44F1-9D86-87D80323CC01
F:    2     1     AES-256    Detached     N/A

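An added example, not part of the HyTrust documentation, showing how a monitoring job could parse hcl status output and flag the revoked state shown above: the Reauth needed status and any encrypted device reported as Detached. The regular expression for device rows and the alert conditions are my own assumptions.

```python
import re

# Constructed sample, copied from the 'hcl status' output shown above after revocation
SAMPLE_REVOKED = """\
Summary
-------------------------------------------------------------------------------
KeyControl: 192.168.140.152:443
KeyControl list: 192.168.140.152:443
Status: Reauth needed (Virtual Machine not authenticated)
Last heartbeat: Sat Jan 26 16:02:57 2014 (successful)
Device details
-------------------------------------------------------------------------------
Drive Disk  Part  Cipher     Status       GUID
-------------------------------------------------------------------------------
E:    1     1     AES-256    Detached     BA7883AE-3562-44F1-9D86-87D80323CC01
F:    2     1     AES-256    Detached     N/A
"""

# One device row: drive letter, disk, partition, cipher, status, GUID (or N/A)
DEVICE_ROW = re.compile(r"^([A-Z]):\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_hcl_status(text):
    """Return (summary dict, list of device dicts) from 'hcl status' output."""
    summary, devices, in_devices = {}, [], False
    for line in text.splitlines():
        if line.startswith("Device details"):
            in_devices = True
        elif in_devices:
            m = DEVICE_ROW.match(line)
            if m:  # the column header and dashed separators do not match
                drive, disk, part, cipher, status, guid = m.groups()
                devices.append({"drive": drive, "disk": int(disk), "part": int(part),
                                "cipher": cipher, "status": status, "guid": guid})
        else:
            key, sep, value = line.partition(":")
            if sep:  # 'Summary' and the dashed line carry no colon
                summary[key.strip()] = value.strip()
    return summary, devices

def needs_attention(summary, devices):
    """Reasons to alert: agent needs re-auth, or an encrypted device is detached."""
    reasons = []
    status = summary.get("Status", "<missing>")
    if not status.startswith("Connected"):
        reasons.append("agent status: " + status)
    for d in devices:
        if d["cipher"] != "none" and d["status"] == "Detached":
            reasons.append(d["drive"] + ": encrypted device detached")
    return reasons
```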

Filesystems on E: and F: have been force-unmounted and the devices detached. The VM must be re-authenticated before the encrypted devices can be accessed again. Through the GUI, this is done as follows:

VM Windows Reauth Gui

Just click Authenticate and enter your password.

Or you can re-authenticate through the command line as follows:

C:\> hcl auth

Enter passphrase (min 16 characters): onetimepassword16chrs
Sent an authentication request to KeyControl 192.168.140.128

Please log on to the KeyControl to complete the authentication of this node

Return to the webGUI on the KeyControl, navigate to the and click the lock icon next to the VM, and give the same passphrase (onetimepassword16chrs) ... and it will go back to its usual place in the Cloud VM Set.

After the VM has been moved to the Unauthenticated VMs list, if you now delete the node (using the X icon) it will be permanently deleted from the KeyControl. No re-authentication is possible, all keys are destroyed, and thus all storage using those keys is effectively useless. A new certificate must be created if the node is to be brought back to the fold.
