The following procedure can be used for any Linux root and swap drives, including those that reside in Microsoft Azure or Amazon Web Services.
Before You Begin
Because issues during root drive encryption can hang the VM, it is critical to make sure everything is properly configured before you start. For details, see Linux Encryption Prerequisites and Verifying the Current VM Configuration.
Procedure
Enter the command htroot encrypt and follow the prompts. For example:
# htroot encrypt
Debug console can be used to monitor the progress of root device encryption
The following packages are required for debug console:
dropbear
Do you want to enable debug console? (y/N) y
Note: The debug console sets up ssh access to the server while the encryption process is running. We recommend you enable this console. For more information, see Using the Linux Root Encryption Debugger.
The following packages are required for root encryption:
busybox
dropbear
Attempt to install required packages? (y/N) y
Updating aptitude repository
Checking necessary packages
Installation successful
Current Root device/ Boot device setup
--------------------------------------------------------------------------------
Root device sub1504--vg-root
Root device path /dev/mapper/sub1504--vg-root
Boot partition device path /dev/sda1
Boot partition device uuid afb1fa83-9902-4e15-8dd3-5a497a3584f8
swap device sub1504--vg-swap_1
swap device path /dev/mapper/sub1504--vg-swap_1
--------------------------------------------------------------------------------
Is this information correct? (y/N) y
Do you want to encrypt swap? (y/N) y
Note: If you are going to encrypt the swap, you must do it now. You cannot encrypt the swap after the boot device has already been encrypted.
Following network interfaces are available
--------------------------------------------------------------------------------
eth0 00:0c:29:e4:a5:e9 192.168.13.200
--------------------------------------------------------------------------------
Preferred Network Interface is (eth0), which is used while authenticating with KeyControl
Do you want to select (eth0) as the primary interface? (y/N) y
This machine seems to be using DHCP to setup the primary network
With encrypted root device, KeyControl needs to be contacted during
boot to get the encryption keys. IP address can be obtained using
DHCP or can be statically configured now
Use DHCP during boot? (y/N) y
Setting up system for root device encryption.
This operation may take a long time
Do you want to proceed? (y/N) y
Re-structuring HyTrust specific directories
Please copy the keyfile /etc/initramfs-tools/root/.ssh/id_rsa to another machine
This file will be used to access debug console using ssh
example: # ssh -i id_rsa root@server.ip.addr
Have you copied the key file? (y/N) y
Note: htroot generates the id_rsa key file if you responded yes to the debug console prompt at the beginning of the command. For more information, see Using the Linux Root Encryption Debugger.
Updating initramfs
Changing /etc/fstab to mount file system / from /dev/mapper/clear_htroot
Changing /etc/fstab to mount the swap from /dev/mapper/clear_htswap
The system has been updated to encrypt the root device during nextboot; please reboot the system now
Do you want to reboot the system now? (y/N) y
Broadcast message from root@13 (/dev/pts/0) at 17:20 ...
The system is going down for reboot NOW!
Connection to be closed by remote host.
After you have responded to the prompts, confirm that htroot can reboot the server to continue. When the server has rebooted, it authenticates itself with KeyControl to get the required encryption keys and then starts the encryption process. The time required to encrypt the drive depends on the size of the root disk and the type of storage you have.
You can see the encryption progress on the VM console through vSphere, Azure, or AWS. In addition, if you selected y when asked if you wanted to enable the debug console, you can view the progress through the debug console as described in Using the Linux Root Encryption Debugger.
After the encryption process completes, you can log in as normal. To verify that the encryption was successful, log in as an Administrator and enter the hcl status command. You should see the root and swap devices listed under Registered Devices.
For example, if this is the hcl status command output before the encryption:
# hcl status
Summary
---------------------------------------------------
KeyControl:      10.238.32.74:443
KeyControl list: 10.238.32.74:443
Status:          Connected

Registered Devices
---------------------------------------------------
Disk Name   Clear   Cipher   Status
---------------------------------------------------

Available Devices
---------------------------------------------------
Disk Name   Device Node   Size (in MB)
---------------------------------------------------

Other Devices
---------------------------------------------------
Disk Name   Device Node   Status
---------------------------------------------------
sda3        /dev/sda3     Mounted (swap)
sda2        /dev/sda2     Mounted (/boot)
sda1        /dev/sda1     Mounted (/)
After encryption, the boot drive (sda3) and the swap drive (sda2) should move from Other Devices to the Registered Devices section:
Registered Devices
---------------------------------------------------
sda3   /dev/mapper/clear_htswap   AES-256   Attached
       '--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT
sda2   /dev/mapper/clear_htroot   AES-256   Attached
       '--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT
Warning: The hcl status command shows the clear text path to the root and swap drives (/dev/mapper/clear_htroot and /dev/mapper/clear_htswap). You should only connect to the drives using these clear text paths. Accessing the encrypted drives through the direct paths (/dev/sda3 and /dev/sda2) could cause data corruption.
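The two post-encryption checks above (the root and swap devices appearing under Registered Devices, and only the clear text /dev/mapper/clear_ht* paths being used for them) can be scripted so they run the same way on every encrypted host. The script below is an added example and is not part of the HyTrust documentation or of the htroot/hcl tools; it assumes the column layout of hcl status shown on this page, and the hcl status text and the two /etc/fstab variants embedded in it are constructed samples (the "bad" fstab still references raw /dev/sdaN nodes, the condition the warning above describes).

```shell
#!/bin/sh
# Added example (not HyTrust code): verify a root/swap encryption from the
# outputs the page describes. Two checks are implemented:
#   1. the clear_ht* mapper paths are listed under "Registered Devices"
#      in `hcl status` with status Attached (the cipher column is printed);
#   2. /etc/fstab mounts / and swap only from those mapper paths, never from
#      a raw /dev/sd* node.

# Constructed sample of `hcl status` after encryption, modelled on the
# page's example (the '--> continuation lines are ignored by the parser).
SAMPLE_HCL_STATUS=$(cat <<'EOF'
Summary
---------------------------------------------------
KeyControl:      10.238.32.74:443
Status:          Connected
Registered Devices
---------------------------------------------------
sda3   /dev/mapper/clear_htswap   AES-256   Attached
       '--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT
sda2   /dev/mapper/clear_htroot   AES-256   Attached
       '--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT
Available Devices
---------------------------------------------------
Disk Name   Device Node   Size (in MB)
---------------------------------------------------
EOF
)

# Constructed /etc/fstab as htroot rewrites it (UUID taken from the page).
GOOD_FSTAB='# constructed fstab after htroot encrypt
UUID=afb1fa83-9902-4e15-8dd3-5a497a3584f8 /boot ext4 defaults 0 2
/dev/mapper/clear_htroot / ext4 errors=remount-ro 0 1
/dev/mapper/clear_htswap none swap sw 0 0'

# Constructed fstab that still points at the raw device nodes.
BAD_FSTAB='# constructed fstab with direct device paths
/dev/sda1 / ext4 errors=remount-ro 0 1
/dev/sda3 none swap sw 0 0'

# registered_clear_path STATUS_TEXT MAPPER_PATH
# Exit 0 and print the cipher when MAPPER_PATH is an Attached entry in the
# "Registered Devices" section; exit 1 otherwise.
registered_clear_path() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Registered Devices/ { in_reg = 1; next }
        /^Available Devices/ || /^Other Devices/ { in_reg = 0 }
        in_reg && $2 == want && $4 == "Attached" { print $3; found = 1 }
        END { exit found ? 0 : 1 }'
}

# fstab_uses_clear_paths FSTAB_TEXT
# Exit 0 when / is mounted from /dev/mapper/clear_htroot and swap from
# /dev/mapper/clear_htswap; exit 1 if either uses any other device.
fstab_uses_clear_paths() {
    printf '%s\n' "$1" | awk '
        /^#/ || NF < 3 { next }
        $2 == "/"    { root = $1 }
        $3 == "swap" { swap = $1 }
        END {
            ok = (root == "/dev/mapper/clear_htroot" && swap == "/dev/mapper/clear_htswap")
            exit ok ? 0 : 1
        }'
}

# Run against the constructed samples. On a real host replace the samples
# with "$(hcl status)" and "$(cat /etc/fstab)".
for dev in /dev/mapper/clear_htroot /dev/mapper/clear_htswap; do
    if cipher=$(registered_clear_path "$SAMPLE_HCL_STATUS" "$dev"); then
        echo "OK   $dev registered ($cipher)"
    else
        echo "FAIL $dev not listed under Registered Devices"
    fi
done
if fstab_uses_clear_paths "$GOOD_FSTAB"; then
    echo "OK   fstab mounts / and swap from the clear text mapper paths"
fi
if ! fstab_uses_clear_paths "$BAD_FSTAB"; then
    echo "FAIL fstab references raw device nodes (risk of data corruption)"
fi
```

Both functions read their input from an argument rather than running hcl or reading /etc/fstab directly, so the same checks can be applied to output collected from several hosts, or kept as a regression test for a configuration management pipeline.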