This chapter describes installation and management of the HyTrust DataControl Policy Agent on Windows platforms.
For basic architecture and operational aspects common to both Windows and Linux, see Encryption Within Virtual Machines Using the Policy Agent.
First you need to install one or more KeyControl nodes as described in KeyControl Clustering and Upgrades. At this point you can then install any number of Windows servers, up to your license limit. You'll then need to log on as a Cloud Administrator and set up one or more Cloud VM Sets into which you will place your Windows VMs.
There are three methods of registration and administration after Policy Agent installation:
hcl command line. For details, see Automated Registration of New Agents.The command-line method is the same in Windows and Linux and may be preferable for UNIX-based administrators. Windows administrators may prefer to use the GUI.
If you are using the command line, you will need to generate a certificate for each VM on which you're installing the Policy Agent. Note that a certificate ties a VM to a Cloud VM Set. You then register the VM.
HyTrust DataControl supports the following Windows platforms:
If you are intending to use the HyTrust GUI, you need to install version 4 of the Microsoft .NET framework for Windows 2008R2 and Windows 7. Windows 2012 already supports the .NET framework. You can find details here: http://www.microsoft.com/en-us/download/details.aspx?id=17851
If you are only going to use the command-line-based tools, you can skip installation of the .NET framework. Whether using the GUI or not, you can still install the HyTrust software without having .NET installed.
Administrator privileges are required to install, upgrade or uninstall the software. If you attempt one of these operations as a regular user, you will be prompted to enter the administrator password before continuing. If User Account Control (UAC) is turned off, then install/upgrade/uninstall will prevent a non-administrator from completing the task.
All of the hcl operations must be run as an administrator. Any attempts
to run any hcl commands without administrator privilege will terminate
with the message:
hcl must be run as Administrator
To run a program/command as the Administrator, right click on it and select Run as administrator.
Before we describe the installation process, we want to say a few words about mapping drive letters to drives. HyTrust does not require that drives are formatted but we do require that each drive have an associated drive letter.
The Windows disk manager should be used to add drive letters. To start the disk manager, either run diskmgmt.msc from the command shell or locate and start the Server Manager as shown below:
Once loaded, you will see the following screen. Select Storage, on the left side, and then select Disk Management(Local). Note that VHD drives are not supported in those cases where they are stored on an NTFS filesystem as files.
In this example we have two new disks, referenced on the screen as shown below. Note that in subsequent usage (after formatting) you may just see the disks as online and available.
Select MBR for partitioning. Note that GPT is supported for drives beyond the boot C: drive, but the C: drive must be an MBR disk. After pressing OK, the two disks will be displayed as follows (Disk 1 and Disk 2):
You can now create volumes of the appropriate type and format as necessary. If you're adding a new disk you don't need to format it. HyTrust will format the disk for you.
| Note: | For GPT, we only support a single partition per disk. Attempts to encrypt GPT disks containing multiple partitions will be rejected. |
The Windows Disk Manager is a little harder to locate on Windows 7. Click on the Start button and then choose Control Panel. Click on the System and Security link. In the System and Security window, click on the Administrative Tools heading located near the bottom of the window. From the Administrative Tools window, double-click the Computer Management icon. When Computer Management opens, click on Disk Management on the left side of the window, located under Storage.
An easier alternative is to click Start, type run and then type diskmgmt.msc, and then click OK.
Windows 2012 is a special case. The Windows 2012 Server Manager does not allow you to initialize new disks using the MBR partition style. However, there are 2 alternate mechanisms that can be used.
From PowerShell, run the Initialize-Disk cmdlet. This command allows you to specify the style. For example:
Initialize-Disk 1 -PartitionStyle MBR
This command will initialize Disk 1 as MBR. The disk will now be available for encryption.
The following sections describe how to install, upgrade and uninstall the Policy Agent on Windows.
As described above, if you are intending to use the HyTrust GUI, you need to install version 4 of the Microsoft .NET framework. Note that this is not required if you are running Window 2012, which has the .NET framework built in. You can find details here: http://www.microsoft.com/en-us/download/details.aspx?id=17851
If you are only going to use the command-line-based tools, you can skip installation of the .NET framework. Whether using the GUI or not, you can still install the HyTrust software without having .NET installed.
From the WebGUI, click the Cloud icon and then click the Actions button. Click Download Policy Agent.
| Note: | On Windows, the Policy Agent can only be installed on a system drive, not a data drive. |
When you download the Policy Agent, a Zip file containing the client software downloads to the host computer you are using. (For Linux, see Downloading the Linux DataControl Policy Agent.)
Make sure that the Disk Defragmenter service on each client computer is enabled before installing the Policy Agent software. This is needed for compatibility with boot drive encryption. The user account used for installing the software should have the SeRestorePrivilege and the SeTakeOwnershipPrivilege for the Bootloader installation to succeed. Additionally, the SeSecurityPrivilege is required for successful installation on Windows 2008R2. For details on boot drive encryption, see Encrypting Windows Boot Drives.
The next step is to locate the HyTrust package (usually in your default downloads folder) and double click the filename to start the install process. This will unzip the file and give you access to the Windows package. Alternatively, you can run an unzip program to extract the files. Note that this process can also be scripted as a silent installation, as described in Silent Scripted Installation on Windows.
The first screen that appears is a simple "Welcome" screen, as follows:
First, you choose a destination for the software, remembering that it must be installed on drive C::
Next, you need to agree to the license terms:
Next, you verify the components to be installed and the space required. Note that if you are installing the HyTrust Bootloader, you must check the HT Bootloader box, shown below, to enable it. If you do not anticipate ever encrypting your boot drive, be sure that you uncheck the box, as shown below. Note that the default state is to have this box checked, opting to install the Bootloader.
If you do want to install the Bootloader, follow the instructions in Encrypting Windows Boot Drives.
If you choose to install without the Bootloader, and have unchecked the box, then click Install to proceed with the installation.
It will only take a few seconds after which you are prompted to reboot. Click Reboot now, and then click Finish.
Once the reboot is complete, the Policy Agent is ready to use. You can now continue on to configure encrypted devices.
To uninstall the HyTrust software, select Uninstall from the HyTrust menu (from Start > All Programs > HyTrust). If you wish to preserve data you should run hcl decrypt on your volumes or use the GUI, located at Start > All Programs > HyTrust). Note that on some operating systems, you should navigate to Program Files\hcs\bin\hclgui.exe.
First of all, a short welcome screen is presented. After selecting Next, click Uninstall to start the process of removing the software.
The following screen will be displayed. You need to confirm that if you continue with the uninstall, all data on all volumes will be lost. Click Yes to continue.
Once the software has been uninstalled, you will see the following message. After the uninstall you should reboot Windows to clean up any driver state.
Note that any errors encountered during the install/uninstall process will be logged to C:\hcs-install.log. If errors are encountered, a popup will highlight that fact and mention the path to the logfile.
| Note: | You should now reboot Windows to complete the uninstall. |
Upgrading the HyTrust software is very similar to the process of installing the software for the first time. First of all, you can check the current version of the software by looking at the top of the GUI as follows:
or via the command line as follows:
C:\>hcl version 3.4 (b9949)
The next step is to run the installation package. After the first few screens, which are similar to first install, you will see the following screen appear to inform you that an upgrade will take place. Note that any outstanding encryption or decryption operations must complete before you run the upgrade. Once they are completed, close the applications and then run the upgrade.
At this point, click Yes and the upgrade will continue. Once complete, you should reboot Windows. Once reboot is complete, your drives will be back online.
Be sure that your Agent version is not higher than the version of your KeyControl node. Upgrading an Agent to a version higher than your KeyControl is not supported. Registration of an Agent version higher than the KeyControl version will not work.
In the following sections, we describe the operations that can be performed on the VM including registration, authentication, encrypting devices, and obtaining and understanding status messages. The instructions for creating a new certificate appear just above. To review, you click the Cloud icon, select a VM Set, and then click the Actions button, and then click Create New Certificate.
Note: VM management is almost the same for Linux computers. For details, see VM Management on Linux computers.
Most operations can be performed through the HyTrust GUI. This can be found from Start > All Programs > HyTrust).
When the GUI starts for the first time, you will see a screen similar to the following screenshot:
Which drives show depends upon on your configuration.
When starting the GUI for the first time, you will see a screenshot similar to the one shown above. To register with the KeyControl cluster, click the Register button. This will bring up the following screen:
Before describing the fields to fill in, let's look at the list of Cloud VM Sets that we have:
We are going to register with this KeyControl and we want to place the VM in the "Headquarters" Cloud VM Set. The parameters that need to be entered in the GUI are:
Click Register and the following actions will happen: generating a certificate, downloading the certificate and registering the VM. You do not need to go to the GUI to authenticate the VM since you have already supplied your credentials. Once complete you will see the following which shows that the VM is now connected to the KeyControl cluster:
And if you look at the KeyControl GUI, you will see the VM in the Headquarters Cloud VM Set. Note that the VM named exchange-server appears in the Headquarters VM Set.
Before adding a device, we recommend that you re-read Setting Up A Device For Encryption, which covers device management in Windows. Before HyTrust can encrypt drives or encapsulate drives containing an NTFS filesystem, we must first have a drive letter that we can reference.
| Note: | If Windows disks are sparse, we will only encrypt allocated blocks ensuring that only the allocated blocks are encrypted and the sparseness remains. This is not currently available for Windows C: drives. |
Once drive letters are assigned, right click on one of the displayed devices and you will see two options:
If you select Add and Format, you will need to acknowledge that all data will be overwritten:
Once you select Yes we will add the device (equivalent of hcl add on the command line) and format the encrypted device with NTFS. You will now see the following change in the GUI:
and the device will now be visible on the KeyControl GUI. There is 1 disk now formatted. If you then choose to encrypt, you will see the results for Drive E:, in the Encrypted Disk, column, below, along with the encryption cipher used.
Noting that the F: drive is listed in the GUI, let's assume that we already have a NTFS filesystem on it and that we wish to encapsulate the drive (keep the NTFS filesystem / files and encrypt it). In this case, we need to select Add and Encrypt the device as shown below:
You will see the following warning:
After selecting Yes, the drive will then be encrypted. This could take a long time depending on the size of the drive and the performance of the CPU/storage subsystem. However, the operation will be performed in the background so you can still use the drive. Once you confirm that you wish to encrypt you will see the following:
The popup window informs you that the process of encrypting the disk has started. In the main window you can see that the encryption process is 50.10% complete.
We will cover encryption and how you control it in Encrypting New and Existing Devices.
To remove a disk from HyTrust control, right click on the device and you will see the following three options:
If you select Remove, we will remove the disk and you will no longer be able to access the data, so be warned. If you wish to continue accessing data after removal, select Decrypt and Remove. Note that you will see the following warning. As with Add and Encrypt you can continue to access the disk while it is being decrypted.
In the following sections, we describe the operations that can be performed on the VM including registration, authentication, encrypting devices and obtaining and understanding status messages.
Once you have created a Cloud VM Set and wish to add a VM, you first need to create a certificate. To do this, point your browser at the KeyControl, log on, select the Cloud tab and then select the Cloud VM Set. For example, in the screenshot below, we have selected the Headquarters Cloud VM Set.
From here, we click the Actions button, and then click Create new certificate, as shown below:
You will then see the Create New Certificate dialog box:
Type in the (optional) password for the certificate. You will be prompted to re-type this password when you register the VM. You can also specify the length of time for which the certificate is valid. By default this is 365 days. At this point you need to click the Create button. The certificate will then be downloaded and should be copied to the VM. Note that you can generate multiple certificates from this screen before returning, by repeated clicks of the Actions button and Create new certificate. Be aware that certificates can only be used once.
Besides the registration that you do on installation, you have access the command-line interface for registration and VM encryption services. The hcl command is your gateway to VM encryption services. To register a VM select Start and then type command and Enter as shown below:
On Windows 7, if you are not logged on as an Administrator, you can run the command shell as Administrator by right-clicking on the command icon as shown below. Note that Windows 8, 8.1 and 10 give direct access to the command-line window.
To display the list of options available, type hcl and press Enter.
Run the following command to register the VM with the KeyControl. Note that you must first copy the certificate to the VM from which you will register, and make sure that you switch to the directory where you placed the certificate. Note that Windows also supports command line completion so you can enter the first character of the certificate and hit <Tab> to complete the filename.
C:>hcl register -h hq-4 -d "Windows 2008" 192.168.140.130 ad85837b-9862-11e1-afd5-000c29de5d41_120507163538.cert Enter Import Password: Enter certificate passphrase Enter passphrase (min 16 characters): OneTimePass16chrs Registered as hq-4 with KeyControl 192.168.140.130 Please login to the KeyControl to complete the authentication of this node
-h and -d arguments are optional. The name of the VM (the -h argument) is user chosen and can be anything. In this case, we just chose the name hq-4. It will appear in the webGUI next to this VM. If the argument is omitted, the hostname will be used by default. The IP address references the KeyControl and the certificate filename is the last parameter. The -d argument (description) is optional but will be displayed in the webGUI and is useful to further identify your VM.
In the above example, ad85....cert file was the certificate file that we got from the Create New Certificate step.
The Import Password is the password used to encrypt the certificate while generating it.
The Passphrase is the one-time password used to authenticate the VM with the KeyControl. This must be a minimum of 16 characters.
Once you have issued the hcl register command go back to the KeyControl and you should see an entry for the VM_name of hq-4 in the Unauthenticated VMs list under the Cloud icon.
A simpler form of registration is available by which you do not need to manually create a certificate and copy it to the VM. You can quickly register and authenticate a VM by providing your KeyControl credentials and selecting the Cloud VM Set. For example, in this case pass the -a option to hcl:
# hcl register -a -h "Headquarters" -d "My Headquarters VM" 192.168.140.151 Please provide the KeyControl login details username: hytrust password: ******** Available Cloud VM Sets --------------------------------------------------- Microsoft_Azure Amazon_AWS ENKI --------------------------------------------------- Please specify Cloud VM Set to which this VM should be added: ENKI Certificate passphrase might be required Certificate successfully unpacked Registered as Headquarters with KeyControl node(s) 192.168.140.151 Completing authentication for Headquarters on KeyControl node(s) 192.168.140.151 Authentication complete, machine ready to use
Here, we invoke hcl register as before, but pass the -a option. First, hcl prompts for your username and password. It authenticates against KeyControl and then lists the available Cloud VM Sets. All you need to do now is to select the Cloud VM Set in which to place the VM. A certificate is created, copied to the VM and registration/authentication takes place.
In the example here, we are registering with a cluster of one KeyControl node.
Certificates are valid for 365 days by default but the actual expiration date can be specified when certificates are created. For more information, see Certificate Handling.
Switch to the webGUI and click on the VM and you will see the VM details (such as OS, IP address) as shown below. You can edit the Description, Heartbeat, Grace Period, Reauthenticate on..., and Rekey Interval parameters.
Description of the fields shown for each VM are shown inVM Fields Shown in the WebGUI.
If a VM is already registered and you attempt to register again, you will see the following warning:
C:\>hcl register -p rootroot -o HyTrust -h win-2008 -d "My Windows VM" 192.168.140.151 *cert Already registered Use -c to register as clone (clone certificate will be required) If you wish to start afresh by destroying all existing configuration information and data on encrypted volumes, run 'hcl destroy' and remove this VM from the KeyControl
You will only likely see this if you forget the passphrase and the VM is still sitting on the Unauthenticated VMs list. Remove the VM and repeat the registration phase once more.
You can also use the hcl register -a command with variables that enable automation of the registration process. Details of the hcl register -a parameters are below:
The command:
# register -a [-c] [-h myname] [-d description] [-n KC_Mapping] [-u KC_user [-s KC_password]] [-z cvmset] KC_hostname[:port],KC_hostname2[:port2],...
where:
-u is the username for KeyControl-s is the password for KeyControl-z is the cvmset to add VM to-n is the name of cluster mappingEach option overrides the input. For example, if username is specified but password is not, then it prompts for password. This permits interactivity where you choose to have it.
Here is a fully automated example, using the password Password123! for the standard secroot account:
# hcl register -a -h Headquarters -u secroot -s 'Password123!' -z headquarters -n hqmap 192.168.154.156 Certificate passphrase might be required Certificate successfully unpacked Registered as Ubuntu-15.04 with KeyControl node(s) 192.168.154.156 Completing authentication for Headquarters on KeyControl node(s) 192.168.154.156 Authentication complete, machine ready to use Getting KeyControl Mapping information KeyControl Mapping server description hqmap, ip 192.168.154.156, port 443 Updated KeyControl list with KeyControl nodes 192.168.154.156:443
Here is an example with an interactive password:
# hcl register -a -h Headquarters -u secroot -z headquarters -n hqmap 192.168.154.156 password: <user enters password> Certificate passphrase might be required Certificate successfully unpacked Registered as Ubuntu-15.04 with KeyControl node(s) 192.168.154.156 Completing authentication for Headquarters on KeyControl node(s) 192.168.154.156 Authentication complete, machine ready to use Getting KeyControl Mapping information KeyControl Mapping server description hqmap, ip 192.168.154.156, port 443 Updated KeyControl list with KeyControl nodes 192.168.154.156:443S
The status of the VM can be checked at any time using the hcl status command. For example, following
a successful registration, run the command as follows:
C:\>hcl status Summary --------------------------------------------------- KeyControl: 192.168.140.151:443 KeyControl list: 192.168.140.151:443 Status: Connected Last heartbeat: Sat Sep 07 14:18:21 2014 (successful) Device details --------------------------------------------------- Drive Disk Part Cipher Status GUID --------------------------------------------------- E: 1 1 none Available N/A F: 2 1 none Available N/A
The status is shown as Connected. The list of devices detected that are available for use is also shown.
Empty drives must be given drive letters prior to being managed by HyTrust. For example, consider the following system for which two drives are available:
Device details --------------------------------------------------- Drive Disk Part Cipher Status GUID --------------------------------------------------- E: 1 1 none Available N/A F: 2 1 none Available N/A
The Windows disk manager should be used to add drive letters. If no drive letters are associated with the drives, HyTrust cannot use them. For information on using the Disk Manager to add drive letters, see Setting Up A Device For Encryption. Please note that for new drives, you do not need to format them. We just require that you have the right volume type that meets your storage needs and that you have a drive letter attached.
After you have added drive letters and run hcl status, you will see the associated drive letters:
Summary --------------------------------------------------- KeyControl: 192.168.140.152:443 KeyControl list: 192.168.140.152:443 Status: Connected Last heartbeat: Sat Jan 26 16:00:36 2014 (successful) Device details --------------------------------------------------- Drive Disk Part Cipher Status Handlers --------------------------------------------------- E: 1 1 none Available DEFAULT,DEFAULT F: 2 1 none Available DEFAULT,DEFAULT
We can now add/attach the drives as follows. Please note that this operation is destructive. It will add the drive and format it.
To encrypt an existing filesystem/disk, see Attach and Detach Handler Scripts. In this example, the E: disk will use the default cipher of AES-XTS-512 and the F: disk will also use AES-XTS-512. For details on the encryption ciphers, seeKey Management Capabilities. Note that root drive encryption on Windows uses AES-XTS-512 by default. For details on encrypting root drives on Windows, see Encrypting Windows Boot Drives.
C:\>hcl add e:
Added device \Device\Harddisk2\Partition1
partition is already raw, just unmounting E
formatting...
The type of the file system is RAW.
The new file system is NTFS.
QuickFormatting 5118M
Creating file system structures.
Format complete.
5.0 GB total disk space.
5.0 GB are available.
Encrypted device E: has been added.
C:\>hcl add -c AES-XTS-512 f:
Added device \Device\Harddisk2\Partition1
partition is already raw, just unmounting G
formatting...
The type of the file system is RAW.
The new file system is NTFS.
QuickFormatting 2046M
Creating file system structures.
Format complete.
2.0 GB total disk space.
2.0 GB are available.
Encrypted device F: has been added.
You can now view the attached disks as follows:
C:\>hcl status Summary --------------------------------------------------- KeyControl: 192.168.140.152:443 KeyControl list: 192.168.140.152:443 Status: Connected Last heartbeat: Sat Jan 26 16:02:57 2014 (successful) Device details --------------------------------------------------- Drive Disk Part Cipher Status GUID --------------------------------------------------- E: 1 1 AES-XTS-512 Attached BA7883AE-3562-44F1-9D86-87D80323CC01 F: 2 1 AES-XTS-512 Attached N/A
At this point the encrypted disks are formatted and ready to use.
If you add a device that already contains an NTFS filesystem, we will detect that and print the following message:
C:\>hcl add f: The partition you've selected to add already contains an NTFS file system. This operation will destroy the contents of the disk. If you wish to preserve them, run hcl encrypt F instead. Do you want to proceed (y/n)
If you do not wish to overwrite and have the contents of the disk encrypted, you should not use hcl add and use hcl encrypt instead.
Once added, you can now use your disks as normal. For example, in the screenshot below, both E: and F: have been formatted and any existing files copied into E: Note that by default, Explorer won't show the string Encrypted. That is the label we chose when adding a drive letter, and is not generated by HyTrust. Also note that the drive's contents do not show, because the drive is encrypted.
You can view the HyTrust-managed devices in the webGUI by selecting the Windows VM and selecting Disks in the file browser. For the two disks under management above, here is the view in the webGUI:
The windows client also supports attach and detach handler scripts, located at c:\Program Files\hcs\handlers. These run at the same times as the Linux client scripts. The attach handlers will be called immediately after a successful attach. Detach handling scripts will be called immediately before detaching disks.
You can create a handler script for each disk that is encrypted. The format of the name will be
DRIVE_LETTER.attach.cmd and DRIVE_LETTER.detach.cmd
Individual disk handler scripts are not required. If not specified, then the default script will be called instead. Those are named default.attach.cmd and default.detach.cmd.
Each script invocation will be passed 4 parameters:
Therefore, if there are 4 disks in the system, the script can determine when all of the disks have been attached or detached by checking these 2 parameters. If parameter 3 (plus 1 since it is offset from 0) is equal to parameter 4, then the script can assume that all of the disks in the system have been handled.
If the total number of disks passed in is 0, then it indicates that an hcl attach or detach has been run from the command line and only a single disk is being operated on at that time. The same is true of calls from the revoke/restore operation in the KeyControl GUI.
If you have a disk that already contains data that you want to be encrypted, you can run the hcl encrypt command. All encryption, whether encrypting a new disk or removing and decrypting an existing disk, makes use of dynamic rekey. In the case of encrypting a disk, we do the conversion in the background, thus allowing you access the disk while the encryption process is taking place. This allows you to have no downtime for your applications and data.
| Note: | If Windows disks are sparse, we will only encrypt allocated blocks ensuring that only the allocated blocks are encrypted and the sparseness remains. This is not currently available for Windows C: drives. |
To demonstrate how rekey works, let's first look at the contents of the unencrypted G::
C:\>dir g:
Volume in drive G is New Volume
Volume Serial Number is 44A1-E6A7
Directory of G:\
10/25/2012 01:48 PM 346,454 HCS_BreachWhitepaper_v1.5.pdf
10/25/2012 01:48 PM 303,179 HCS_CSP_Whitepaper.pdf
10/25/2012 01:48 PM 2,278,559 HCS_Encryption_Use_Cases.pdf
10/25/2012 01:48 PM 883,773 HCS_HIPAA_Compliance.pdf
10/25/2012 01:48 PM 1,006,858 HCS_PCI_Compliance.pdf
10/25/2012 01:48 PM 310,103 HCS_Shack-P1.pdf
10/25/2012 01:48 PM 495,492 HCS_Shack-P2.pdf
7 File(s) 5,624,418 bytes
0 Dir(s) 2,098,798,592 bytes free
and now let's start the encryption process:
C:\>hcl encrypt g: All the data on G: will be encrypted. This operation may take a long time. Do you want to proceed? (y/n) y registering drive G:, guid FF2A17F2-D7DE-404B-B977-018ADC611BCC Encrypted device G: has been added.
You can view the progress of the rekey operation by running hcl rekey as follows:
C:>\hcl rekey status g: device: \Device\Harddisk3\Partition1 drive: G state: in progress begin: 65536 end: 2144403456 current: 725794816 sector offset (from 0): 1417568 total sectors: 4188160 total size: 2144337920 pct done: 33.85% elapsed time (seconds): 27
...and even though the drive is only partially encrypted, we can still view the contents:
C:\>dir g:
Volume in drive G is New Volume
Serial Number is 44A1-E6A7
Directory of G:\
10/25/2012 01:48 PM 346,454 HCS_BreachWhitepaper_v1.5.pdf
10/25/2012 01:48 PM 303,179 HCS_CSP_Whitepaper.pdf
10/25/2012 01:48 PM 2,278,559 HCS_Encryption_Use_Cases.pdf
10/25/2012 01:48 PM 883,773 HCS_HIPAA_Compliance.pdf
10/25/2012 01:48 PM 1,006,858 HCS_PCI_Compliance.pdf
10/25/2012 01:48 PM 310,103 HCS_Shack-P1.pdf
10/25/2012 01:48 PM 495,492 HCS_Shack-P2.pdf
7 File(s) 5,624,418 bytes
0 Dir(s) 2,098,798,592 bytes free
The drive letters of encrypted volumes must not be changed without informing the KeyControl server of the modified configuration. hcl mv can be used to change the letter associated with the drive while the encrypted drive is attached, as shown below:
c:\>hcl mv source: destination:
For example, to remap the currently attached drive E: to drive F: the command hcl mv E: F: can be used. The drive will be temporarily unmapped, causing it to disappear in Windows Explorer. Then the configuration will be modified and sent to the KeyControl, where it will display the new drive letter. Finally, the drive will be reattached with the new drive letter, making the storage once again available.
| Note: | This command will not operate on the Windows boot partition. The source drive must be a currently attached encrypted drive. The destination drive must not be in use for this command to succeed. |
Disks can be detached (taken offline) or removed from HyTrust control. To take a disk offline simply do the following:
C:\>hcl detach E: Encrypted drive E: detached; decrypted contents no longer visible
This will remove access to the clear-text data. You can bring the disk back online by running:
C:\>hcl attach E: Encrypted device \Device\Harddisk1\Partition1 attached; decrypted contents visible at E:
To remove a disk completely from HyTrust control, simple issue the following command:
C:\>hcl rm E: WARNING: Removal of devices will cause any data stored on them to be permanently lost. Do you want to proceed? (y/n)? y Removed device \Device\Harddisk2\Partition1
If you wish to remove a device but decrypt the contents first so the filesystem/files will still be accessible after HyTrust relinquishes access, run the following:
C:\>hcl decrypt E: All the data on E: will be decrypted. This operation may take a long time. Do you want to proceed (y/n)
As with add/encrypting a disk, decryption involves a rekey from ciphertext to clear-text and is performed in the background. You can view the decryption progress as follows:
C:\>hcl rekey status E: device: \Device\Harddisk3\Partition1 drive: E state: in progress begin: 65536 end: 2144403456 current: 535085056 sector offset (from 0): 1045088 total sectors: 4188160 total size: 2144337920 pct done: 24.95% elapsed time (seconds): 15
| Note: | You can still access the files while the decryption is in progress. |
Once completed, you will see that the drive moves back to being Available.
Device details --------------------------------------------------- Drive Disk Part Cipher Status GUID --------------------------------------------------- C: 0 2 none Avail-Sys N/A E: 1 1 AES-256 Attached A8E25AE9-7A75-471A-A1AA-7CAE1550B35C F: 2 1 none Available 583EB883-52D3-4B05-A482-FF113B5359DD G: 3 1 none Available FF2A17F2-D7DE-404B-B977-018ADC611BCC
You can also confirm this by checking for rekey status. Once complete you will see the following message:
C:\>hcl rekey status G: Could not find g: in hcl config Device g: does not exist
When a filesystem becomes close to full, to add more space, the device needs to be first extended which is easily done in a virtual machine. You then need to expand the NTFS filesystem within that device. This MUST be performed through HyTrust interfaces. Consider the following filesystem:
C:\>dir f:
Volume in drive F is Encrypted F:
Volume Serial Number is C2E3-6984
Directory of F:\
10/25/2012 01:48 PM 346,454 HCS_BreachWhitepaper_v1.5.pdf
10/25/2012 01:48 PM 303,179 HCS_CSP_Whitepaper.pdf
10/25/2012 01:48 PM 2,278,559 HCS_Encryption_Use_Cases.pdf
10/25/2012 01:48 PM 580,043 HCS_Evaluating-HCS-VM-Encryption.pages
10/25/2012 01:48 PM 310,203 HCS_Evaluating-HCS-VM-Encryption.pdf
10/25/2012 01:48 PM 1,479,834 HCS_Evaluating-HyTrust.pages
10/25/2012 01:48 PM 979,387 HCS_Evaluating-HyTrust.pdf
10/25/2012 01:48 PM 975,640 HCS_Evaluation.pages
10/25/2012 01:48 PM 883,773 HCS_HIPAA_Compliance.pdf
10/25/2012 01:48 PM 1,006,858 HCS_PCI_Compliance.pdf
10/25/2012 01:48 PM 310,103 HCS_Shack-P1.pdf
10/25/2012 01:48 PM 495,492 HCS_Shack-P2.pdf
10/25/2012 01:48 PM 129,289 HyTrust-PCI-DSS-mapping.pdf
10/25/2012 01:48 PM 670,050 HyTrustSecurity_DataSheet_1.8.pdf
10/25/2012 01:48 PM 673,911 HyTrustSecurity_DataSheet_2.0.pdf
15 File(s) 11,422,775 bytes
0 Dir(s) 1,567,735,808 bytes free
There is approximately 1.5GB of space in this device. We are going to expand it to 2GB. Shut down the VM and expand the disk using hcl extend. Be aware that we support only NTFS for hcl extend. Note that during this operation, the drive is detached and reattached, which may cause disruption to any application running on the drive. When you are ready, call hcl extend as follows:
C:\>hcl extend f: extending partition for f: extending filesystem for f:the new filesystem is 2146369536 bytes long
And now the extra space is available and any data written beyond the end of the original device will be encrypted.
C:\>dir f:
Volume in drive F is Encrypted F:
Volume Serial Number is C869-A617
Directory of F:\
10/25/2012 01:48 PM 346,454 HCS_BreachWhitepaper_v1.5.pdf
10/25/2012 01:48 PM 303,179 HCS_CSP_Whitepaper.pdf
10/25/2012 01:48 PM 2,278,559 HCS_Encryption_Use_Cases.pdf
10/25/2012 01:48 PM 580,043 HCS_Evaluating-HCS-VM-Encryption.pages
10/25/2012 01:48 PM 310,203 HCS_Evaluating-HCS-VM-Encryption.pdf
10/25/2012 01:48 PM 1,479,834 HCS_Evaluating-HyTrust.pages
10/25/2012 01:48 PM 979,387 HCS_Evaluating-HyTrust.pdf
10/25/2012 01:48 PM 975,640 HCS_Evaluation.pages
10/25/2012 01:48 PM 883,773 HCS_HIPAA_Compliance.pdf
10/25/2012 01:48 PM 1,006,858 HCS_PCI_Compliance.pdf
10/25/2012 01:48 PM 310,103 HCS_Shack-P1.pdf
10/25/2012 01:48 PM 495,492 HCS_Shack-P2.pdf
10/25/2012 01:48 PM 129,289 HyTrust-PCI-DSS-mapping.pdf
10/25/2012 01:48 PM 670,050 HyTrustSecurity_DataSheet_1.8.pdf
10/25/2012 01:48 PM 673,911 HyTrustSecurity_DataSheet_2.0.pdf
15 File(s) 11,422,775 bytes
0 Dir(s) 2,104,590,336 bytes free
Notice the difference in device size between the two runs of dir.
We have discussed how dynamic rekey is used to both encrypt and decrypt disks without taking applications or data offline. While this is used for adding/removing encrypted disks, dynamic rekey can also be performed on existing disks. For example, consider the following:
Device details --------------------------------------------------- Drive Disk Part Cipher Status GUID --------------------------------------------------- C: 0 2 none Avail-Sys N/A E: 1 1 none Available 365DED95-9354-4D6F-A3BD-0319432FD723 G: 2 1 AES-256 Attached EDCDD166-B740-4296-8218-26BDE0ED1BFB F: 3 1 AES-256 Attached 8DFA86D3-32F9-4B8C-9D81-0888A7DBF87C
The F: drive is already attached and encrypted. If you wish to rotate encryption keys, for example decrypt the disk with the current key and encrypt with a newly allocated key, we perform dynamic rekey.
To start a rekey, simply run the hcl command as follows:
C:\>hcl rekey f:
You can check the status as follows:
C:\>hcl rekey status f: device: \Device\Harddisk3\Partition1 drive: F state: in progress begin: 65536 end: 3218145280 current: 2793684992 sector offset (from 0): 5456416 total sectors: 6285312 total sizhe: 3218079744 pct done: 86.81% elapsed time (seconds): 90
The percentage of the rekey operation being performed will also be shown in the GUI as follows:
This screen shot shows 50.10% complete in the Status column. Upon completion, the GUI will display the disk as attached. If you run hcl rekey statusyou will see that rekey is 100.00% done.
Remember that your VM's configuration parameters include Rekey Interval. You can set up automatic rekey at an interval that you choose from Days/Weeks/Months/Years. See VM Parameters.
Rekey operations can be paused. You may wish to pause a rekey if you get a spike in I/O activity. Although rekey will be throttled in the event of higher I/O activity, it may still cause a performance bottleneck. Simply call hcl rekey pause f: to pause the rekey and hcl rekey resume f: to start it again. If paused, you will see the following in the GUI:
Note the PS under Status. You can also pause, resume, and abort ongoing rekey operations by right-clicking the disk being rekeyed and making a choice from the WebGUI drop-down menu:
To revoke access to a VM, click the Cloud navigation icon, then select the VM that you want to change. If you want to revoke the entire VM, click the Actions button and then click Revoke VM Authentication. You are asked confirm your choice before the VM’s authentication is revoked. The particular VM will immediately be moved to the 'Unauthenticated' list.
On the VM, hcl status still shows that everything is fine (Connected).
C:\>hcl status
Summary
---------------------------------------------------
KeyControl: 192.168.140.152:443
KeyControl list: 192.168.140.152:443
Status: Connected
Last heartbeat: Sat Jan 26 16:02:57 2014 (successful)
However, after the next heartbeat (5 minutes), the status changes as follows:
C:\>hcl status Summary --------------------------------------------------- KeyControl: 192.168.140.152:443 KeyControl list: 192.168.140.152:443 Status: Reauth needed (Virtual Machine not authenticated) Last heartbeat: Sat Jan 26 16:02:57 2014 (successful) Device details --------------------------------------------------- Drive Disk Part Cipher Status GUID --------------------------------------------------- E: 1 1 AES-256 Detached BA7883AE-3562-44F1-9D86-87D80323CC01 F: 2 1 AES-256 Detached N/A
Filesystems on E: and F: have been force-unmounted and the devices have been detached. The VM needs to be re-authenticated again before the encrypted devices can be accessed. This is achieved as follows through the GUI:
Click Authenticate and enter your password.
Or you can re-authenticate through the command line as follows:
C:\>hcl auth Enter passphrase (min 16 characters): onetimepassword16chrs Sent an authentication request to KeyControl 192.168.140.128 Please log on to the KeyControl to complete the authentication of this node
Return to the webGUI on the KeyControl cluster, navigate to the node, click the Actions button, and then click Reauth VM. Enter your one-time password in the VM Authentication dialog box, click Authenticate, and the VM is reauthorized. Below is the prompt in the webGUI:
After the VM has been moved to the Unauthenticated VMs list, if you now delete the node it will be permanently deleted from the KeyControl. No re-authentication is possible, all keys are destroyed, and thus all storage using those keys is effectively useless.