Example: Adding and Encrypting a Linux Disk with XFS

Encrypting an Existing XFS Disk

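In the following example, we create an XFS filesystem and then use hcl encrypt to register that filesystem with KeyControl. The md5sum taken before and after encryption shows that the existing files are preserved. The example after it shows how to create the filesystem and register the disk in a single step using hcl add.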

# mkfs -t xfs /dev/sdc1
meta-data=/dev/sdc1              isize=256    agcount=4, agsize=62436 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=0        finobt=0
data     =                       bsize=4096   blocks=249744, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=0
log      =internal log           bsize=4096   blocks=853, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0

# mount | grep sdc1
/dev/sdc1 on /mnt type xfs (rw,relatime,seclabel,attr2,inode64,noquota)

# cp /etc/* /mnt
# find  /mnt -type f -exec md5sum {} \; | md5sum
      5cf56f73de26edf599cb3a8c5887ebe0  -

# umount /mnt

# hcl encrypt /dev/sdc1
All the data on /dev/sdc1 will be encrypted
The cleartext data will be available on /dev/mapper/clear_sdc1
This operation may take long time
Do you want to proceed? (y/n) y

total device size 998976 KB

Processing: 100%  Time left: 00:00:00                          
rekey finished

Completed encryption of /dev/sdc1 successfully
# mount /dev/mapper/clear_sdc1 /mnt

# mount | grep sdc1
/dev/mapper/clear_sdc1 on /mnt type xfs (rw,relatime,seclabel,attr2,inode64,noquota)

#  find  /mnt -type f -exec md5sum {} \; | md5sum
       5cf56f73de26edf599cb3a8c5887ebe0  -
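
The before-and-after checksum comparison in the session above, written as a reusable helper. This is an added example, not part of the original page or of the hcl tooling. The function name tree_digest and the choice of sha256sum are assumptions made for this example; it hashes files in sorted order with paths relative to the mount point, so the result does not depend on find's traversal order or on where the device is mounted.

```shell
#!/bin/sh
# Added example: order-independent content fingerprint of a mounted tree,
# for comparing a filesystem before and after in-place encryption.
# tree_digest is a name chosen for this example. Requires GNU find,
# sort, xargs and coreutils (standard on Linux).
#
# Usage with the paths from the session above:
#   before=$(tree_digest /mnt)    # while /dev/sdc1 is mounted on /mnt
#   ... umount /mnt, hcl encrypt /dev/sdc1, mount /dev/mapper/clear_sdc1 /mnt ...
#   after=$(tree_digest /mnt)
#   [ "$before" = "$after" ] || echo "content changed" >&2

tree_digest() {
    dir=$1
    [ -d "$dir" ] || { echo "tree_digest: not a directory: $dir" >&2; return 1; }
    (
        # Work relative to the tree root so the mount point is not hashed.
        cd "$dir" || exit 1
        # NUL-delimited names survive spaces and newlines in file names;
        # LC_ALL=C gives a byte-order sort that is the same in every locale.
        find . -type f -print0 \
            | LC_ALL=C sort -z \
            | xargs -0 -r sha256sum \
            | sha256sum \
            | cut -d' ' -f1
    )
}

# Allow direct use: sh tree_digest.sh /mnt
if [ "$#" -gt 0 ]; then
    tree_digest "$1"
fi
```

Only regular-file contents and relative paths are covered; ownership, modes and extended attributes are not part of the digest.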

Adding a New Disk with XFS

In the following example, we use hcl add to create an XFS filesystem on the disk and then register the disk with KeyControl.

# hcl  add -F xfs /dev/sdc1
/dev/sdc1 (/dev/sdc1) appears to contain an existing filesystem (ext3)
Do you want to proceed? (y/n) y

WARNING: This operation will destroy the contents of the disk.
If you wish to preserve them, run "hcl encrypt" instead.
Do you want to proceed? (y/n) y

In case of error remove the disk using "hcl rm" and run "hcl add" again

Encrypted device sdc1 (/dev/sdc1) attached; decrypted contents visible at /dev/mapper/clear_sdc1

Creating file system xfs on /dev/mapper/clear_sdc1
--------------------------------------------------------------------------------
meta-data=/dev/mapper/clear_sdc1 isize=256    agcount=4, agsize=62436 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=0        finobt=0
data     =                       bsize=4096   blocks=249744, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=0
log      =internal log           bsize=4096   blocks=853, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
-----------------------------------------------------------------------

# mount /dev/mapper/clear_sdc1 /mnt

# mount | grep sdc1
/dev/mapper/clear_sdc1 on /mnt type xfs (rw,relatime,seclabel,attr2,inode64,noquota)