Troubleshooting Boot Issues

Because encryption keys are never stored locally, a VM with an encrypted boot partition requires access to KeyControl when booting or the attempt will fail. If KeyControl is not available when the system is booted, the VM repeatedly attempts to contact KeyControl for 30 seconds. If contact cannot be established after that time, the VM presents a console menu with a number of options.

If you are unable to view the console directly, for example in environments such as Amazon Web Services (AWS), you can access the console using an SSH client. This requires the id_rsa key file generated during the Policy Agent installation. Copy the id_rsa file to the server and then reboot.

Tip: If you need another copy of the id_rsa key file, you can download it from the KeyControl webGUI by selecting the VM on the Cloud > VMs tab and then selecting Actions > Download Bootloader SSH Key.

The console menu options are determined by the environment — some options are available on all platforms while others are not available on platforms like AWS. The full list of options is:

  1. Reauthenticate — If the credentials of the VM become stale, then it must be re-authenticated with KeyControl in much the same way as a running VM would have to. The most likely reason for this is that the grace period has expired. Another possibility is that the VM's IP address is configured via DHCP, which means it may have changed. We recommend static IPs for boot drives, or disabling the IP address check feature in KeyControl. Key retrieval will proceed after re-authentication is successful.
  2. Update network settings — This takes you back to the network settings screen so that you can update the settings.
  3. Update Certificate — This allows you to update the VM certificate, if it has expired.
  4. Drop to shell — Provides a simple recovery shell. Use the command exit to leave the recovery shell. We strongly recommend that you only use this option when instructed to do so by HyTrust Support.
  5. Update NTP settings — This allows you to update the NTP server address.
  6. Clone — This allows you to clone a VM with an encrypted boot drive. This is similar to hcl register -c while cloning a non-boot-encrypted VM.
  7. Restart network — This option instructs the VM to re-attempt to contact KeyControl and try to retrieve the encryption key again. If no selection is made in this menu after 30 seconds, then this option will be taken automatically.
  8. Boot Windows with clearkey — This option instructs the Bootloader to boot without an encryption key, and is done automatically if we detect that the boot partition is not encrypted.
  9. Boot Windows with encryption key — This option instructs the Bootloader to boot Windows assuming that the encryption key has already been fetched.
  10. Poweroff — Power down the computer.
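The menu above exists to repair three things: KeyControl reachability, a changed (DHCP) IP address, and the NTP/time settings that certificate checks depend on. As an added example (not HyTrust code), the PowerShell preflight below can be run on the Windows VM before a planned reboot to catch those conditions while the OS is still up. The KeyControl hostname is a placeholder and the port is an assumption; adjust both for your deployment.

```powershell
# Pre-reboot preflight for a VM with an encrypted boot drive.
# Added example, not HyTrust code. The host is a placeholder and the
# port an assumption; set both for your environment.
param(
    [string]$KeyControlHost = 'keycontrol.example.internal',  # placeholder
    [int]$KeyControlPort    = 443,                            # assumed port
    [int]$RetrySeconds      = 30                              # same window the bootloader waits
)

$problems = @()

# 1. The bootloader must re-authenticate if the VM's IP changed; DHCP makes
#    that likely, so flag any connected IPv4 interface that uses it.
$dhcpIfaces = Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.Dhcp -eq 'Enabled' -and $_.ConnectionState -eq 'Connected' }
foreach ($if in $dhcpIfaces) {
    $problems += "Interface '$($if.InterfaceAlias)' uses DHCP; a static IP is recommended for boot drives"
}

# 2. Name resolution and TCP reachability of KeyControl, retried for the
#    same 30 seconds the bootloader tries before showing the console menu.
$deadline  = (Get-Date).AddSeconds($RetrySeconds)
$reachable = $false
do {
    $tnc = Test-NetConnection -ComputerName $KeyControlHost -Port $KeyControlPort -WarningAction SilentlyContinue
    if ($tnc.TcpTestSucceeded) { $reachable = $true; break }
    Start-Sleep -Seconds 5
} while ((Get-Date) -lt $deadline)
if (-not $reachable) {
    $problems += "KeyControl ${KeyControlHost}:$KeyControlPort not reachable within $RetrySeconds s; the VM would land at the recovery menu"
}

# 3. The menu offers an NTP option because certificate checks need a sane
#    clock; confirm the Windows time service reports a synchronised state.
$ntp = w32tm /query /status 2>&1
if ($LASTEXITCODE -ne 0) {
    $problems += "w32tm reports the time service is not synchronised: $($ntp -join ' ')"
}

if ($problems.Count -eq 0) {
    Write-Output 'PREFLIGHT OK: safe to reboot'
    exit 0
}
$problems | ForEach-Object { Write-Output "PREFLIGHT WARN: $_" }
exit 1
```

A non-zero exit is a signal to fix the flagged item (or keep the id_rsa bootloader SSH key at hand) before rebooting, rather than discovering the problem at the console menu.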

The screenshot below shows what a key-retrieval failure and the accompanying "Restart Network" prompt look like:

[Screenshot: Windows Failure To Contact KeyControl]