HyTrust requires a separate boot partition on which the HyTrust DataControl Policy Agent can be installed. How you set this up depends on the version of Linux running on the server. For your convenience, the following steps explain how to set up a separate boot partition on CentOS 7.

Assume that the current Linux system is installed on the device /dev/sda and that the GRUB stage1 bootloader is also installed on /dev/sda. This is a typical Linux installation. Assuming you add a new device named /dev/sdb to hold the new boot partition, proceed as follows.

1. Create a partition on the new device using fdisk or sfdisk. For example:

   # sfdisk -f -uS -D /dev/sdb << EOF
   2048,,83,*
   EOF
   # partprobe

2. Find out the space used by the /boot subtree:

   # du -sh /boot

   The new boot partition needs at least twice this space. As a rule of thumb, provide twice the space used by /boot, plus 100MB.

3. Format the new partition with ext4 or ext3. For example:

   # mkfs.ext4 /dev/sdb1

4. Copy the files from the /boot directory (including dot files) to the new boot partition:

   # mkdir -p /tmp/sdb1
   # mount /dev/sdb1 /tmp/sdb1
   # cp -a /boot/. /tmp/sdb1/

5. Find the UUID of the new boot partition, then unmount it:

   # blkid /dev/sdb1
   # umount /tmp/sdb1

6. Add an entry to /etc/fstab to mount the new boot partition, as follows (use ext3 as the filesystem type if you formatted the partition with ext3):

   UUID=<uuid> /boot ext4 rw 0 0

7. Mount the /boot partition:

   # mount /boot

8. Re-install GRUB on the current boot device (the GRUB files go to /boot, which you mounted in the previous step). For example:

   # grub2-install /dev/sda

   Note that GRUB is installed on /dev/sda, but the boot directory now comes from /dev/sdb1.

9. Update your GRUB configuration to take this change into account:

   # grub2-mkconfig -o /boot/grub2/grub.cfg

Your system is now ready. Reboot and confirm that all is well.
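The following helper script is an added example, not part of the HyTrust documentation: it applies the sizing rule from step 2 and builds and validates the /etc/fstab entry from step 6, so both can be checked before the reboot. The du and blkid outputs it uses are constructed sample values, not taken from a real system.

```shell
#!/bin/sh
# Added helper script (not part of the HyTrust documentation): checks the
# sizing rule and the /etc/fstab entry for the new boot partition before
# you reboot. The sample du and blkid outputs below are constructed.

# Kilobytes the new boot partition must have: twice the space used by
# /boot, plus 100 MB (the rule of thumb given in the procedure).
required_boot_kb() {
    echo $(( $1 * 2 + 100 * 1024 ))
}

# First field of `du -sk /boot` output ("<kb><tab>/boot").
used_kb_from_du() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# Succeeds when a partition of $2 kB is large enough for $1 kB used in /boot.
boot_partition_ok() {
    [ "$2" -ge "$(required_boot_kb "$1")" ]
}

# Pull the filesystem UUID (not PARTUUID) out of a `blkid /dev/sdXN` line.
uuid_from_blkid() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]UUID="\([^"]*\)".*/\1/p'
}

# Build the /etc/fstab line in the form the procedure uses.
fstab_entry() {
    printf 'UUID=%s /boot %s rw 0 0\n' "$1" "$2"
}

# Validate an fstab line: six fields, UUID= source, mounted at /boot, ext3/ext4.
fstab_entry_ok() {
    printf '%s\n' "$1" | awk '
        NF != 6                        { exit 1 }
        $1 !~ /^UUID=[0-9a-fA-F-]+$/    { exit 1 }
        $2 != "/boot"                  { exit 1 }
        $3 != "ext4" && $3 != "ext3"   { exit 1 }
                                       { exit 0 }'
}

# Constructed sample input standing in for real `du -sk /boot` and blkid output.
SAMPLE_DU="$(printf '61440\t/boot')"
SAMPLE_BLKID='/dev/sdb1: UUID="0f1e2d3c-4b5a-4c6d-8e9f-000000000001" TYPE="ext4"'

used=$(used_kb_from_du "$SAMPLE_DU")
echo "/boot uses $used kB; the new partition needs at least $(required_boot_kb "$used") kB"
line=$(fstab_entry "$(uuid_from_blkid "$SAMPLE_BLKID")" ext4)
fstab_entry_ok "$line" && echo "fstab entry: $line"
```

On a live system, feed it the real output of `du -sk /boot` and `blkid /dev/sdb1` instead of the sample strings, and compare the required size against the partition size before step 6.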
What to Do Next
Verify the configuration as described in Verifying the Current VM Configuration and then encrypt the boot disk as described in Encrypting Linux Root and Swap Drives.