HTROOT(1) User Manuals HTROOT(1)
NAME
htroot - Encrypted root disk and swap using HyTrust DataControl
SYNOPSIS
htroot [OPTIONS]
DESCRIPTION
The htroot command is used to manage encrypted root disk and swap using
HyTrust's DataControl.
OPTIONS
The options are as follows:
status
Display information about the encryption status of the root disk
and swap.
encrypt
Prepare the root disk and swap device for encryption. This command
makes the necessary modifications to grub, fstab and the HyTrust
configuration. It also installs required packages from external
repositories, if required. The user is prompted before packages are
installed.
The encrypt command also rebuilds the initrd with the additional
binaries and configuration files required to encrypt the root disk.
Root disk encryption on Linux requires a separate /boot partition.
If the VM does not have a separate /boot, encrypt fails.
htroot encrypt is an interactive process. In the preparation phase,
the user is prompted to make various choices: for example, the user
is asked to choose the appropriate network configuration and can
choose to encrypt the swap device along with the root device.
At the end of the preparation phase, htroot prompts the user to
reboot the system. During subsequent boot the selected devices
are encrypted. The progress of encryption can be seen on the VM
console.
In addition to the VM console, the administrator can set up a
"debug console" in the preparation phase. The encrypt command
prompts the user to enable the debug console and download an ssh
identity file. During the subsequent boot the administrator can
connect to the debug console with this identity file, like
# ssh -i <identity file> root@vm
The debug console provides various options in addition to showing
the encryption progress, for example network restart,
authentication with KeyControl etc.
decrypt
Prepare the VM for decryption of root and swap device. At the
end of this command the user is prompted to reboot the system.
update
This command allows the user to update the grub configuration files
and initrd for a system whose root disk was previously encrypted.
Note that even if the root device is decrypted later, the HyTrust
changes to the boot loader remain on the system unless they are
explicitly removed with the cleanup command or the HyTrust agent
software is uninstalled.
The update command is useful after a system kernel upgrade or
HyTrust software upgrade.
cleanup [-f]
The HyTrust changes to the boot loader (grub), fstab and initrd can
be removed with this command. If the root device is still encrypted
then cleanup fails with a message that the administrator needs to
decrypt the root device first.
If the HyTrust agent has not made any changes to the boot loader
then cleanup returns immediately, reporting that cleanup is not
needed. However, the administrator can force a cleanup with the -f
option.
version
Display the version of the DataControl agent software.
-h | -?
This command displays all the options available through the
htroot command.
FILES
/opt/hcs
The default location of the HyTrust DataControl configuration
files.
/var/log/htroot.log
The HyTrust DataControl htroot log file. If errors are detected,
you will be requested to provide this file to HyTrust support
staff.
BUGS
See the HyTrust Release Notes for information about bugs and caveats in
the software.
AUTHOR
HyTrust Inc.
SEE ALSO
hcl(1)
NAME
hcl - Encrypt disks, filesystems and files using HyTrust DataControl
SYNOPSIS
hcl [OPTIONS]
DESCRIPTION
The hcl command is used to manage encrypted disks, filesystems and
files using HyTrust's DataControl.
OPTIONS
The options are as follows:
status
Display the list of KeyControl cluster nodes that this VM can
communicate with and the status of the connection, together with
the list of encrypted folders/disks and available disks.
status [-g] (Linux only)
Display partition information about the available disks showing
the partition type and the existence of any disk GUID.
list [registered|available|all]
Used to list the various devices on the system. If no argument is
given, it prints a list of the registered devices using the
following format:
device mapped-device status
The command can also filter the display by passing the
"registered", "available", or "all" arguments. In this case, it
will output in CSV format:
device,mapped-device,status,guid
Windows clients will produce the following output:
disk,partition,drive,status,guid
ciphers
Show default and available ciphers.
add [-F fstype | "none"] [-n] [-c cipher] [-m mapped_device]
[-p parent disk] [-e days_to_expire] [-z "NO USE"|"SHRED"] [-o] [-y]
[-x] diskname
When a new disk needs to be added for encryption, the add command
should be called. It registers the device with the KeyControl
cluster, which then creates a unique encryption key for the device.
On Linux only the device name should be specified (for example
"sdb1" as opposed to /dev/sdb1). On Windows the disk must already
have a drive letter, which is then used as the diskname argument.
By default, the disk will be formatted unless the disk has been
moved from another VM and has a HyTrust GUID on the disk. If space
is available, a HyTrust GUID and private region will be added to a
new device by default. On Windows, NTFS is the only filesystem
supported. On Linux, the disk will be formatted with ext3 by default
unless a different filesystem is specified using the -F option. If
you wish to encrypt a disk on which a filesystem already exists, use
"hcl encrypt" in place of "hcl add": it preserves and encrypts the
existing contents of the disk, whereas "hcl add" is destructive. If
you pass "none" as the -F option, the Linux disk will not be
formatted.
Windows will retain the same drive letter and label after
formatting. For Linux, a clear text path will be created. In the
case of adding /dev/sdb1, the clear text path will be
/dev/mapper/clear_sdb1 unless the -m option is specified, in which
case you can supply your own device path.
See the ciphers option for the default cipher and the ciphers
available with the -c option.
By default keys do not expire. If you choose an expiration date,
by default the key will switch to NO_USE in which case the key
cannot be used. You can also specify that the key be shredded in
which case it will be destroyed at expiration. In the "NO USE"
case, the key can be made active again through the webGUI.
By default we will prevent you from accessing whole disks. You
should always use partitioned disks since we can easily identify
them (through on-disk GUIDs) and find the associated keys. You can
override this by passing the -o option.
A snapshot of an encrypted LVM volume can be added with the -p
option. Specify the name of the registered parent volume, as shown
in the output of "hcl status".
The -y option makes the command non-interactive.
The -x option will cause hcl to check for the existence of a
pagefile on the designated drive and will abort if one is found.
This option is only available on Windows.
WARNING: Note that if the snapshot was taken before registering
the parent volume, then it will not have encrypted data.
rm [-y] <diskname | -a>
To remove a disk from HyTrust control, use the rm option. This will
issue an implicit detach command before removing the disk from
HyTrust's configuration. You can remove all disks by specifying the
-a option. The rm option unregisters the device from the KeyControl
cluster configuration, which then destroys the encryption key.
The -y option makes the command non-interactive.
WARNING: removing a disk will result in any data encrypted on that
disk being lost. If you want to retain the data, see the decrypt
option.
set property=value <diskname | -a>
Properties can be one of:
1. mntpt=<path> If set, this property is supplied to the attach
handler, a script which is run at the time of attaching a device.
The default attach handler uses this value as the mount point of
the device.
2. mntopts="<string>" If set, this property is supplied to the
attach handler. The default attach handler uses this value as a
command line argument to the mount command. An example could be
"-o rw,data=journal,commit=20".
3. auto_attach=ENABLED|DISABLED. Enables or disables auto attach.
Enabling this property means that an attempt is made to attach the
disk as soon as the system is booted, or whenever the KeyControl
cluster is reachable. Defaults to ENABLED if not supplied.
4. attach_handler=DEFAULT|<path>. Sets the attach handler, which is
a script run just after the attach operation is successful. Attach
handlers are called with 2-4 arguments, e.g.
default.attach <path of clear text device> <path of encrypted
device> [<mountpoint>] [<mount options>]
The default attach handler fscks and mounts the device if the mntpt
property is set. The handler can be customized by modifying a copy
of the default handler located in /opt/hcs/handlers/default.attach.
Customized attach handlers can be used for preparing and starting
applications associated with this device.
5. detach_handler=DEFAULT|<path>. Sets the detach handler, which is
run just before the device is detached. Detach handlers are called
with 2 arguments, e.g.
default.detach <path of clear text device> <path of encrypted
device>
The default detach handler attempts to kill -9 all processes using
the mount point, if any, associated with this device, and then
unmounts the filesystem. Just like the attach handler, a customized
detach handler can be used to shut down applications, carry out
cleanup activities and unmount the filesystem before the device is
detached. Note that a detach handler must succeed.
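The following is an added example of a custom attach/detach handler
pair written against the argument order described above; it is not
HyTrust's default.attach or default.detach. The handler refuses any
clear text device that is not a /dev/mapper/clear_* node, fscks and
mounts only when a mount point was supplied, and stops the application
before unmounting so the detach handler can succeed without kill -9.
The unit name myapp.service and the HT_DRY_RUN variable are assumptions
of this example; with HT_DRY_RUN=1 the privileged commands are printed
instead of executed, so the handler can be rehearsed before it is
installed.

```shell
#!/bin/sh
# Custom attach/detach handler pair. Added example, not HyTrust's
# default.attach/default.detach. Argument order follows the hcl man page:
#   attach: <clear text device> <encrypted device> [<mountpoint>] [<mount options>]
#   detach: <clear text device> <encrypted device>
# "myapp.service" is a hypothetical application unit that lives on the
# device. HT_DRY_RUN=1 prints the privileged commands instead of running
# them, so the script can be rehearsed as an unprivileged user.

# Echo each command on stderr (hcl keeps handler output in its log) and
# execute it unless dry-run mode is on.
run() {
    echo "+ $*" >&2
    if [ "${HT_DRY_RUN:-0}" = "1" ]; then
        return 0
    fi
    "$@"
}

# Accept only clear-text device nodes of the form hcl creates under
# /dev/mapper, so the handler never fscks or mounts an unexpected path.
check_clear_dev() {
    case "$1" in
        /dev/mapper/clear_*) return 0 ;;
        *) echo "refusing unexpected clear device: $1" >&2; return 1 ;;
    esac
}

is_mounted() {
    if [ "${HT_DRY_RUN:-0}" = "1" ]; then
        return 0            # assume mounted while rehearsing
    fi
    findmnt -n "$1" >/dev/null 2>&1
}

attach_handler() {
    clear_dev=$1; enc_dev=$2; mntpt=${3:-}; mntopts=${4:-}
    check_clear_dev "$clear_dev" || return 1
    # Like the default handler, do nothing unless the mntpt property is set.
    if [ -z "$mntpt" ]; then
        return 0
    fi
    run fsck -p "$clear_dev" || return 1
    # $mntopts is deliberately unquoted so a value such as
    # "-o rw,data=journal,commit=20" splits into separate mount arguments.
    run mount $mntopts "$clear_dev" "$mntpt" || return 1
    # Site-specific step: start the application that uses this device.
    run systemctl start myapp.service
}

detach_handler() {
    clear_dev=$1; enc_dev=$2
    check_clear_dev "$clear_dev" || return 1
    # Stop the application first so the unmount does not depend on kill -9.
    run systemctl stop myapp.service || return 1
    # A detach handler must succeed; an already-unmounted device is not an
    # error, so only unmount when the device is actually mounted.
    if is_mounted "$clear_dev"; then
        run umount "$clear_dev" || return 1
    fi
    return 0
}

# Install this file twice, e.g. as /opt/hcs/handlers/myapp.attach and
# /opt/hcs/handlers/myapp.detach (a symlink is fine), and point the
# attach_handler / detach_handler properties at those paths; the script
# picks its role from the name it was invoked by.
case "$(basename -- "$0")" in
    *.attach) attach_handler "$@" ;;
    *.detach) detach_handler "$@" ;;
esac
```

After copying the script into place, "hcl set attach_handler=/opt/hcs/handlers/myapp.attach sdb1" and the matching detach_handler setting activate it for that device; the mntpt and mntopts properties are passed through as the third and fourth arguments exactly as for the default handler.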
attach [-l [-p passphrase] ] <diskname | -a>
The attach operation fetches the key associated with the
encrypted device from the KeyControl cluster, "unlocks" it,
makes the clear text data available via the clear text device
node, and runs the attach handler, which typically mounts the
device. By default, devices have the auto_attach property set to
ENABLED, so the attach operation is done automatically at boot
time.
However, there may be cases when it is not desirable for the
encrypted device to be automatically attached and exposed
throughout the uptime of the machine. In such cases, the
auto_attach property of the device should be set to DISABLED,
and attach/detach should be invoked manually.
If a disk becomes detached, for example if the VM reboots and
the KeyControl cluster is unreachable, you can manually attach
a disk. If keys are cached, the -l option allows the user to
supply the passphrase which will decrypt the key(s) and allow
access to the disk.
If you specify -l option but do not specify the -p option you
will be prompted for the passphrase.
detach <diskname | -a>
The detach command can be used to detach a disk. All disks can
be detached by using the -a option. When a disk is detached, the
filesystem will be unmounted and access to data will not be
available until the disk is attached again.
The detach operation runs the detach handler associated with the
device, which typically unmounts the filesystem and removes the
clear text device node. The key is no longer present on the VM
(unless it has been cached using hcl cache, in which case it is
stored encrypted by a passphrase), and the encrypted data is no
longer accessible until a subsequent attach operation fetches the
key from the KeyControl cluster.
cache [-n duration in days] [-p passphrase] <diskname | -a>
Encryption keys are generally fetched from the KeyControl cluster
when a disk is added or post boot/authentication. If you have an
unstable network connection between the VM and the KeyControl
cluster, or you are using the DataControl agent on a VM that is not
always connected to the network, you can cache the keys on the VM.
They will be encrypted on disk using the supplied passphrase. Keys
are only cached for the specified number of days. If you wish to
cache keys for all disks, use the -a option. If you do not specify
the -p option you will be prompted for the passphrase.
cache -l
The -l option displays information about disks for which keys
have been cached and the duration for which the cached keys are
valid.
cache -r <diskname | -a>
The -r option allows you to remove cached keys for the specified
disk or for all disks if the -a option is passed.
encrypt [-s] [-c cipher] [-e days_to_expire] [-z "NO USE"|"SHRED"] [-o]
[-y] [-x] diskname
If the disk that you wish to encrypt already has a filesystem/data
on it that you wish to preserve, you should use the encrypt option.
This can take a fair amount of time depending on the size of the
device and the processor / storage you have in place.
If the operation is interrupted, you can complete the encrypt
operation by running it again. The encryption will continue from
where it was interrupted.
Note that if you have migrated a disk from another VM and the disk
has a HyTrust GUID, you should use the hcl add command to add the
disk. As part of encrypt a HyTrust GUID and private region will be
added if space is available.
The disk is registered with the KeyControl cluster, which allocates
it a unique encryption key, just like in the 'add' operation.
By default keys do not expire. If you choose an expiration date,
by default the key will switch to NO_USE in which case the key
cannot be used. You can also specify that the key be shredded in
which case it will be destroyed at expiration. In the "NO USE"
case, the key can be made active again through the webGUI.
See the ciphers option for the default cipher and the ciphers
available with the -c option.
The -y option makes the command non-interactive.
The -x option will cause hcl to check for the existence of a
pagefile on the designated drive and will abort if one is found.
This option is only available on Windows.
By default we will prevent you from accessing whole disks. You
should always use partitioned disks since we can easily identify
them (through on-disk GUIDs) and find the associated keys. You can
override this by passing the -o option.
For Linux only, if you pass the -s option, we will skip free
file system blocks which can increase the speed of the operation
dramatically. It uses system provided utilities to find out the
file system free and allocated blocks on a device. The current
release supports ext2/ext3/ext4 file systems.
decrypt [-s] [-y] diskname
If you wish to remove a disk from HyTrust control but want to
retain the filesystem / data on it, you can use the decrypt
option. This will decrypt the disk and remove it from HyTrust
control.
If the operation is interrupted, you can complete the decrypt
operation by running it again. The decryption will continue from
where it was interrupted.
The disk is deregistered from the KeyControl cluster, which deletes
the encryption key, just like in the 'rm' operation.
The -y option makes the command non-interactive.
For Linux only, if you pass the -s option, we will skip free
file system blocks which can increase the speed of the operation
dramatically. It uses system provided utilities to find out the
file system free and allocated blocks on a device. The current
release supports ext2/ext3/ext4 file systems.
resize [-y] diskname
If you wish to resize an active disk which might contain a
filesystem / data, you can use the resize option. This will resize
the crypto mapping for this disk. The resize command will match the
mapping to the size of the underlying device.
Note that this is a Linux only command.
The -y option makes the command non-interactive.
For example, if you have an ext2/ext3/ext4 file system on the device
myvg-myvol (an LVM volume), you can use the following sequence of
operations to extend the volume and file system online.
# lvextend -L<new size> /dev/myvg/myvol
# hcl resize myvg-myvol
# resize2fs /dev/mapper/clear_myvg-myvol
extend drive (Windows Only)
The extend option is used to extend the size of an encrypted
partition. The vmdk on which the disk resides must first be
extended using the tools available to the hypervisor. Then, the
extend command can be used to extend the disk to the full size of
the vmdk. Any hidden metadata partitions are taken into account.
This command does not apply to boot disks.
rekey [-u] [-s] diskname
The rekey option can be used to rekey the disk. This operation
involves creating a new key, decrypting the disk with the old key
and encrypting it with the new key. You do not need to do anything
through the webGUI for this operation. Note that this operation can
take a long time depending on the amount of data and CPU/storage
speed.
If the operation is interrupted, you can reverse the rekey by
specifying the -u option. Alternatively if you run "hcl rekey"
again, it will continue from where it was interrupted.
Please note that the disk is detached and the contents are
unavailable during a rekey operation.
If you pass the -s option, we will skip free file system blocks
which can increase the speed of the operation dramatically. It
uses system provided utilities to find out the file system free
and allocated blocks on a device. The current release supports
ext2/ext3/ext4 file systems.
register [-c] [-h myname] [-d description] [-p certificate_password]
[-o one_time_passphrase] kc_hostname[:port],kc_hostname2[:port2],...
/path/to/cert.bin
The register command is used to register the VM with a KeyControl
cluster.
The -c option indicates the presence of a clone certificate so
should only be specified if you are cloning a VM.
The -h option allows you to give a symbolic name to the VM which
will be visible in the webGUI as well as through the APIs.
The -d option allows you to specify an optional description for
the VM.
If you chose a passphrase for the certificate you can enter the
passphrase using the -p option. If you omit this option and you
typed a passphrase when the certificate was generated, you will
be prompted to type the passphrase.
If you do not specify the -o option you will be prompted for the
one time passphrase. This passphrase will be entered in the webGUI
when you authenticate the VM.
The kc_hostname list option is a comma-separated list of KeyControl
cluster servers. If you have a two node cluster you should enter
both IP addresses. If you have a three node cluster, enter all
three IP addresses. Note that if you add or remove any nodes, you
should run the updatekc command to replace this list.
The final option is a pathname to the certificate.
register -a [-c] [-h myname] [-d description] [-n KC_Mapping]
[-u KC_user [-s KC_password]] [-e certificate expiration]
[-z cvmset] kc_hostname[:port],kc_hostname2[:port2],...
A simpler form of registration is available by which you do not
need to manually create a certificate and copy it to the VM. You
can quickly register and authenticate a VM by providing your
KeyControl credentials and selecting the Cloud VM Set and
KeyControl Mapping.
The -c option can be used to register the VM as clone of the
original VM.
The -h option allows you to give a symbolic name to the VM which
will be visible in the webGUI as well as through the APIs.
The -d option allows you to specify an optional description for
the VM.
The -n option allows you to specify a KeyControl Mapping for the
VM. If the KeyControl has Mappings for this Cloud Admin and this
option is omitted, the list of Mappings will be displayed
interactively. If you choose to associate the VM with a Mapping,
then the KeyControl list will be automatically kept up to date.
The -z option allows you to specify the name of the Cloud VM Set
to which the VM should be registered. If this option is omitted
you will be prompted to choose the Cloud VM Set from the list of
available Cloud VM Sets.
The certificate expiration date can be specified with -e option.
The date should be specified in MM/DD/YYYY format, for example
12/25/2016. If expiration date is not specified then, by
default, the certificate is valid for one year from the date of
creation.
You will be prompted to provide the KeyControl credentials to
complete the registration. It is also possible to provide the
username and password via the -u and -s options. If the password
option is omitted then it will still be prompted for.
The kc_hostname list option is a comma-separated list of KeyControl
cluster servers. If you have a two node cluster you should enter
both IP addresses. If you have a three node cluster, enter all
three IP addresses. Note that if you add or remove any nodes, you
should run the updatekc command to replace this list.
rename newname
The registered name of the VM, as known to the KeyControl, can be
changed using this option. If there is no VM with name newname in
the containing VMSET, then the registered name of the VM is changed
to newname.
updatekc kc_hostname[:port],kc_hostname2[:port2],...
When a change is made to the list of KeyControl nodes in the
cluster, the updatekc command should be invoked to inform the
DataControl agent of the change. The KeyControl list passed as an
argument is a comma-separated list of IP addresses, for example
192.168.140.151:443,192.168.140.152:443. The port number is
optional and defaults to 443.
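The node list format accepted by register and updatekc is simple but
unforgiving: a malformed entry ends up in the agent's configuration and
surfaces only as a failed key fetch. The following added example (not
part of hcl) validates and normalizes such a list in POSIX sh before it
is handed to hcl: entries without a port get the documented default of
443, and an empty host or a non-numeric port is rejected. The wrapper
function update_kc_nodes and its message text are assumptions of this
example.

```shell
#!/bin/sh
# Validate and normalize the kc_hostname[:port],kc_hostname2[:port2],...
# list that "hcl register" and "hcl updatekc" accept. Added example, not
# part of hcl: it fills in the documented default port 443 for entries
# that omit one and rejects empty hosts or non-numeric ports, so a typo
# never reaches the agent's node list.
normalize_kc_list() {
    list=$1
    out=""
    saved_ifs=$IFS
    IFS=,
    # Split on commas only (spaces inside an entry are left alone).
    set -- $list
    IFS=$saved_ifs
    if [ $# -eq 0 ]; then
        echo "normalize_kc_list: empty KeyControl node list" >&2
        return 1
    fi
    for entry in "$@"; do
        host=${entry%%:*}
        port=${entry#*:}
        if [ "$port" = "$entry" ]; then
            port=443        # no ':' in the entry: apply the default port
        fi
        if [ -z "$host" ]; then
            echo "normalize_kc_list: empty host in '$entry'" >&2
            return 1
        fi
        case "$port" in
            ''|*[!0-9]*)
                echo "normalize_kc_list: bad port in '$entry'" >&2
                return 1 ;;
        esac
        out="${out:+$out,}$host:$port"
    done
    printf '%s\n' "$out"
}

# Wrapper that hands only a fully-formed list to hcl. Not invoked here;
# call it as: update_kc_nodes "192.168.140.151,192.168.140.152:443"
update_kc_nodes() {
    kc_list=$(normalize_kc_list "$1") || return 1
    echo "updating KeyControl node list to: $kc_list" >&2
    hcl updatekc "$kc_list"
}
```

Because normalize_kc_list prints the canonical list on stdout and fails on bad input, it can also be used to review the list that was passed to register before adding or removing cluster nodes.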
updatekc -a
The Cloud Admin can maintain multiple KeyControl mappings on the
KeyControl. Each of these mappings is a list of KeyControl nodes,
as visible to the VM. You can associate the VM with one of those
mappings. If you choose to associate the VM with a mapping, then
the list of KeyControl nodes will be fetched from the KeyControl
and kept up to date automatically.
The Cloud Admin credentials will be required to use this command.
updatecert [-p certificate_password] /path/to/cert.bin
Certificates are valid for one year by default unless you changed
the expiration date when the certificate was created. To keep
access to data you should create a new certificate prior to
expiration and call the updatecert command to add the new
certificate. If the certificate was passphrase protected you can
supply the passphrase using the -p option, otherwise you will be
prompted to enter it on the command line.
updatecert -a [-u username -p password] [-e certificate expiration]
A simpler form of updatecert is available by which you do not
need to manually login to KeyControl. You can quickly update the
VM certificate by providing your KeyControl credentials. You
can also provide the KeyControl credentials, i.e. admin user
name and password, as command line parameters.
The certificate expiration date can be specified with -e option.
The date should be specified in MM/DD/YYYY format, for example
12/25/2016. If expiration date is not specified then, by
default, the certificate is valid for one year from the date of
creation.
auth [-o one_time_passphrase]
This call is needed if a VM fails to contact the KeyControl cluster
within the grace period (in seconds) or if the hardware ID changes.
The latter will occur if you change the IP address or a network
card.
auth -a [-u KC_user [-s KC_password]]
A simpler form of re-authentication is available by which you do
not need to manually login to KeyControl. You can quickly
authenticate a VM by providing your KeyControl credentials.
You will be prompted to provide the KeyControl credentials to
complete the authentication. It is also possible to provide
username and password via the -u and -s options. If the password
option is omitted then it will still be prompted for.
updateconfig
This command updates the HyTrust config file on a VM when devices
have been removed or added. It does not need to be called for
devices that were removed or added while the VM was offline, as
they will be recognized at boot; only devices removed or added
while the VM is online, which need to be recognized as such prior
to the next reboot, require this update.
keyid <-c keyid_to_create [-s] [-a cipher] [-d description]
[-e days_to_expire] [-o "NO USE"|"SHRED"]>
<-r keyid_to_remove [-f]>
<-u keyid_to_update [-d description]>
<-l>
KeyIDs are handles for encryption keys that are shared between
VMs in the same Cloud VM Set. They can be used to encrypt and
decrypt files which can be either passed securely between these
VMs or placed on external storage for backup. For example, you
can encrypt an archive from a VM that has the DataControl agent
installed and move that encrypted image safely to cloud storage.
The only required option is -c in which case you specify a name
for the keyID. Generally speaking you will want to add a
description for your key (using the -d option).
See the ciphers option for the default cipher and the ciphers
available with the -a option. To ensure default cipher
compatibility with the openssl currently installed on the VM, use
the -s option.
By default keys do not expire. If you choose an expiration date,
by default the key will switch to NO_USE in which case the key
cannot be used. You can also specify that the key be shredded in
which case it will be destroyed at expiration. In the "NO USE"
case, the key can be made active again through the webGUI.
If you wish to remove a keyID, use the -r option and give the
name of the keyID. Currently, the only keyID property that can
be updated using the -u option is the description. The -l
option will show keyIDs that are available for the Cloud VM Set
to which a VM is registered. These are also displayed in the
GUI under each Cloud VM Set.
encryptfile [-k keyid] filename [encryptedfile]
A file can be encrypted using the encryptfile option. The -k
option is used to specify the keyID which was previously created
using the keyid command. You specify the filename of the file to
be encrypted. By default, the contents will be written to stdout
although an encrypted file can be chosen by specifying the
encryptedfile option.
decryptfile encryptedfile [filename]
When a file is encrypted using the encryptfile command, information
about the keyID is stored in the encrypted file. From the same VM
or any other VM in the same Cloud VM Set, you can decrypt the file
using the decryptfile command. Simply pass the encryptedfile as an
argument. By default, the decrypted contents will be written to
stdout, although a decrypted file can be chosen by specifying the
filename option.
fsid <-c fsid_to_create [-s] [-a cipher] [-d description]
[-e days_to_expire] [-o "NO USE"|"SHRED"]>
<-r fsid_to_remove [-f]>
<-u fsid_to_update [-d description]>
<-l>
FsIDs are handles for encrypted folders that are shared between
VMs in the same Cloud VM Set. They can be used to encrypt and
decrypt folders which can be either passed securely between
these VMs or placed on external storage for backup. For example,
you can encrypt an archive from a VM that has the DataControl
agent installed and move that encrypted folder safely to cloud
storage.
The only required option is -c in which case you specify a name
for the FsID. Generally speaking you will want to add a description
for your fsid (using the -d option).
See the ciphers option for the default cipher and the ciphers
available with the -a option. To ensure default cipher
compatibility with the openssl currently installed on the VM, use
the -s option.
By default the fsid is associated with the Cloud VM on which it
is created. However you can share it with all the VMs in the
Cloud VMset, by changing the sharing option from WebGUI or
through APIs and hicli.
By default fsids do not expire. If you choose a number of days
by which the fsid will expire, by default the fsid will switch
to NO_USE in which case the fsid cannot be used. You can also
specify that the fsid be shredded in which case it will be
destroyed at expiration. In the "NO USE" case, the fsid can be
made active again through the webGUI.
If you wish to remove an FsID, use the -r option and give the name
of the FsID. Currently, the only FsID property that can be updated
using the -u option is the description. The -l option will show
fsIDs that are available for this Cloud VM, either directly or
shared from other VMs. These are also displayed in the GUI under
each Cloud VM Set.
addfs <fsid> folder_name (Linux only)
The addfs operation registers a folder as an ecryptfs mount point.
The fsid specified here should have been previously created using
the "fsid" command. A link is established to the fsid, so that it
cannot be removed while this encrypted folder exists. The folder
should be an empty directory to start with. A folder is always
associated with an fsid. This information is displayed in hcl
status.
In the case of NFS deployments, the same fsid should be used to
register the nfs mount point in all the clients.
rmfs folder_name
The rmfs operation deregisters a folder from the KeyControl
cluster. The corresponding link to the fsid associated with
folder is also deleted.
setfs property=value folder_name
Properties can be one of:
1. mntopts="<string>" If set, this property is supplied to the
folder mount. These mount options are used in addition to the
default mount options; the mount command uses this string as an
additional command line argument.
Example of mntopts: "-o ecryptfs_passthrough". This option allows
non-ecryptfs files to be read and written from within an ecryptfs
mount. Multiple options can be combined, for example
"-o ro,ecryptfs_passthrough".
2. auto_mount=ENABLED|DISABLED. Enables or disables auto mount.
Enabling this property means that an attempt is made to mount the
folder as soon as the system is booted, or whenever the KeyControl
cluster is reachable. Defaults to ENABLED if not supplied. If
KeyControl activates a previously revoked fsid, the DataControl
agent tries to mount the folder if it is auto_mount enabled.
mount folder_name
The mount operation mounts the ecryptfs folder. It fetches the key
associated with the encrypted folder from the KeyControl cluster,
mounts the folder using ecryptfs and makes the clear text data
available. By default, folders are mounted automatically at boot
time.
unmount folder_name
The unmount operation unmounts the ecryptfs folder.
identify folder_name
Show encrypted folder's identification details, like FSID, Cloud
VMset.
template <-i ipaddr | -m macaddr> [-u username -p password]
days_to_expire
This command prepares a VM for automatic deployment of its clone.
The VM on which we run this command is called the master or
template VM. The IP address or the MAC address can be specified
with the -i or -m option respectively. The IP address or the MAC
address is the pre-determined address for the clone VM.
The sequence of operations in which this command is used is:
1. Prepare a master VM, install DataControl agent software
2. Register the master VM with KeyControl
3. Encrypt required data devices, root device, swap etc.
4. Reserve IP address or MAC address for the clone VM
5. Run hcl template command on master VM
6. Take clone of the master VM, using hypervisor tools
7. When the clone VM boots it will be automatically deployed
8. The clone VM will be automatically re-registered with a new
name on the KeyControl
You can provide the KeyControl credentials, i.e. admin user name
and password, as command line parameters.
Running the hcl template command on the master VM has two effects:
the KeyControl shall recognise a VM with the provided IP or MAC
address and the same certificate as a legitimate clone and will
provide limited access, and the hcl template command will download
a token which is later used to automatically register the clone VM.
You need to specify the validity of the clone access token with
"days_to_expire".
template remove <-i ipaddr | -m macaddr> [-u username -p password]
Remove a previously added IP address or MAC address as a legitimate
clone of this VM.
template list
Show a list of all the IP addresses and MAC addresses which have
been added as legitimate clone VMs of this VM.
unregister [-y] [-a] [-u username -p password]
You can unregister a properly authenticated VM from the KeyControl.
After unregister you need to explicitly clean up the VM with hcl
destroy.
The -y option makes the command non-interactive.
If the VM is registered but not currently authenticated with the
KeyControl, then you can use -a option. This allows you to
unregister the VM by providing your KeyControl credentials. You
can also provide the KeyControl credentials, i.e. admin user
name and password, as command line parameters.
destroy [-y]
The destroy command removes all HyTrust configuration about all
disks and folders. This has the effect of uninstalling and
reinstalling the product and should be used with extreme caution.
The -y option makes the command non-interactive.
aesni-check
The aesni-check command checks the CPU features to see if AES-NI
crypto acceleration is available to the virtual machine on which
it is running.
version
Display the version of the DataControl Policy Agent software.
-h | -?
This command displays all the options available through the hcl
command.
FILES
On Linux:
/opt/hcs
The default location of the HyTrust DataControl configuration
files.
/var/log/hcl.log
The HyTrust DataControl log file. If errors are detected, you
will be requested to provide this file to HyTrust support staff.
On Windows:
C:\Program Files\hcs\hcl.log
The HyTrust DataControl log file. If errors are detected, you
will be requested to provide this file to HyTrust support staff.
BUGS
See the HyTrust Release Notes for information about bugs and caveats in
the software.
AUTHOR
HyTrust Inc.
SEE ALSO
htroot(1)
Linux AUGUST 2016 HCL(1)