Encrypting Linux System Devices

The following procedure can be used for any Linux system device (such as /root, swap, or /home), including those that reside in Microsoft Azure or Amazon Web Services. The example used in this procedure shows how to encrypt the /root, swap, and /home devices at the same time, but you can also encrypt any system device separately at any time.

During this procedure, the VM will need to be rebooted to start the encryption process. If you have enabled Online Encryption for this VM, the VM will come back online immediately and the Policy Agent will encrypt the system devices as a background process. In this case, users can continue to access the data while it is being encrypted.

If Online Encryption is not enabled, the VM will remain inaccessible for normal operations until the encryption process completes.

For more information about Online Encryption, see Linux Online Encryption Prerequisites and Considerations.

Important: Do not encrypt a data drive with the htroot command. If you do so, DataControl will treat the data drive as a system device, which means that the data drive cannot be detached, it will appear in KeyControl as a "root" device, and it must be rebooted when you want to encrypt, decrypt, or rekey it. To encrypt a data drive, see Encrypting a Disk Using the CLI or Encrypting a Disk Using the webGUI.

Before You Begin

  • Because issues during root device encryption can hang the VM, it is critical to make sure everything is properly configured before you start. For details, see Prerequisites and Restrictions and Verifying the Current VM Configuration.

  • If there is a KEK associated with the Cloud VM Set to which this VM belongs, make sure that the hardware security module (HSM) in which the KEK is stored is accessible to KeyControl. During the encryption process, the VM must be rebooted. If the KEK is unavailable when the VM attempts to reboot, the reboot will fail until KeyControl can access the KEK in the HSM. For details, see KEKs with Cloud VM Sets and Hardware Security Modules with KeyControl.

Tip: Depending on the size of the disk, the encryption process can take a long time to run. If the encryption process is interrupted, you need to manually issue the htroot cleanup command and then reissue the htroot setup or htroot encrypt command to resume the process. We recommend you use the Linux nohup or screen command to avoid terminal-related interruptions during encryption.

Procedure

  1. Log into the VM as root.
  2. Enter the htroot status command to verify whether the Entrust Bootloader has already been installed on this VM.

    # htroot status
    
    HyTrust Bootloader setup is not done.
    You can complete Bootloader setup using "htroot setup"
    
    Root device "/dev/sda2" is not encrypted
    swap device "/dev/sda3" is not encrypted
  3. If htroot status reports that the Bootloader setup is not done, enter the htroot setup command. If htroot status reports that the Bootloader setup is complete, go to the next step.

    # htroot setup
    Debug console can be used to monitor the progress of root device encryption
    The following packages are required for debug console:
    	dropbear
    Do you want to enable debug console? (y/N) y

    Note: The Entrust Debug Console allows ssh access to the server while the encryption process is running so you can check the status of the encryption process. After encryption is complete, the Debug Console provides limited access to the encrypted VM. If the encrypted VM fails to boot because it cannot retrieve the appropriate keys from KeyControl, you can use the Debug Console to restore communication with KeyControl. We highly recommend you enable this console. For more information, see Checking the Root Drive Encryption Status.

    Checking connection to software repositories (yum check-update)
    
    Connection to software repositories seems to be working fine
    
    The following packages are required for root encryption:

           cryptsetup
           dropbear

    Attempt to install required packages? (y/N) y

    Package dropbear can be found in the EPEL repository.
    More information on EPEL can be found at https://fedoraproject.org/wiki/EPEL

    NOTE: If you wish to configure EPEL using a private mirror
    (e.g. using Red Hat Satellite) then please exit htroot and
    configure the repository before re-running.

    Attempt to install EPEL release? (y/N) y

    Installing EPEL from CentOS Extras repo...............................
    ok
    Installing cryptsetup.................................................
    ok
    Installing dropbear...................................................
    ok

    Uploaded keyfile /usr/lib/dracut/modules.d/91hcs/root/.ssh/id_rsa to KeyControl
    You can download the key from KeyControl using WebGUI

    Alternatively, copy the keyfile /usr/lib/dracut/modules.d/91hcs/root/.ssh/id_rsa to another machine
    This file will be used to access debug console using ssh
    example: # ssh -i id_rsa root@server.ip.addr

    Press Enter to continue...


    Current Boot device setup
    --------------------------------------------------------------------------------
    Boot partition device path /dev/sda1
    Boot partition device uuid c01c3240-664b-412a-8440-dd0fa132eae5
    --------------------------------------------------------------------------------

    Is this information correct? (y/N) y
    Following network interfaces are available

    --------------------------------------------------------------------------------
    ens160 00:50:56:a2:64:84 192.168.15.239
    --------------------------------------------------------------------------------
    Preferred Network Interface is (ens160), which is used while authenticating with KeyControl

    Select the primary network interface (ens160):
    With encrypted root device, KeyControl needs to be contacted during
    boot to get the encryption keys. IP address can be obtained using
    DHCP or can be statically configured now
    Use DHCP during boot? (y/N) y

    Re-structuring HyTrust specific directories
    Updating initrd

    HyTrust Bootloader setup completed successfully
    Run "htroot encrypt" to encrypt Linux root devices

    # htroot status

    HyTrust Bootloader setup is complete

    Root device "/dev/sda2" is not encrypted
    swap device "/dev/sda3" is not encrypted
  4. Enter the htroot encrypt command and select which system devices you want to encrypt. You can encrypt the devices at any time and in any order. Similarly, once the devices have been encrypted, they can be rekeyed or decrypted at any time and in any order.

    Important: Do not encrypt a data drive with the htroot command. If you do so, DataControl will treat the data drive as a system device, which means that the data drive cannot be detached, it will appear in KeyControl as a "root" device, and it must be rebooted when you want to encrypt, decrypt, or rekey it. To encrypt a data drive, see Encrypting a Disk Using the CLI or Encrypting a Disk Using the webGUI.

    The following example shows how to encrypt the root, swap, and /home devices at the same time.

    # htroot encrypt
    
    Setting up system for root device encryption.
    --------------------------------------------------------------------------------
    Do you want to encrypt root device "sda2 (/dev/sda2)"? (y/N) y
    Changing /etc/fstab to mount file system / from /dev/mapper/clear_htroot
    
    Setting up system for swap device encryption.
    --------------------------------------------------------------------------------
    Do you want to encrypt swap device "sda3 (/dev/sda3)"? (y/N) y
    Changing /etc/fstab to mount the swap from /dev/mapper/clear_B081FD59-A74A-4F85-8D1B-AA42212F3607
    
    Do you want to encrypt any other file systems, like /var, /usr ?
    --------------------------------------------------------------------------------
    Please provide comma (,) separated list of mount points: /home
    Do you want to encrypt block device "sdb1 (/dev/sdb1, /home)"? (y/N) y
    Changing /etc/fstab to mount file system /home from /dev/mapper/clear_EE57B642-2A00-49C8-9AC1-31D300DB6D07

    Updating initrd
    The system has been updated to encrypt the Linux root device/s during next boot; please reboot the system now
    Do you want to reboot the system now? (y/N) y

    Confirm the server reboot to continue. When the server has rebooted, it authenticates itself with KeyControl to get the required encryption keys and then starts the encryption process. The time required to encrypt the devices depends on their size and the type of storage you have.

    • If you have enabled Online Encryption for this VM, the VM reboots immediately and the Policy Agent encrypts the devices as a background process. In this case, you can check the encryption status at any time using the hcl status command.
    • If Online Encryption is not enabled, the VM remains offline until the encryption process completes. In this case, you can see the encryption progress on the VM console through vSphere, Azure, or AWS. In addition, if you selected y when asked if you wanted to enable the Entrust Debug Console, you can view the progress through the Debug Console as described in Checking the Root Drive Encryption Status.

    When it is finished, you can verify that the encryption succeeded using the htroot status command. For example:

    # htroot status
    
    HyTrust boot loader setup is complete
    
    Root device "/dev/sda2" is encrypted
    swap device "/dev/sda3" is encrypted
    system device "/dev/sdb1 (/home)" is encrypted
  5. After the encryption process completes, you can log in as normal. If you log in as root and enter the hcl status command, you will see that the system devices you encrypted are listed under Registered Devices. For example:

    # hcl status
    
    Summary
    --------------------------------------------------------------------------------
    KeyControl: sdkc:443
    KeyControl list: sdkc:443
    Status: Connected
    Last heartbeat: Wed Jul 4 12:24:22 2018 (successful)
    AES_NI: enabled
    Certificate Expiration: Jul 4 06:22:12 2019 GMT
    HTCRYPT: Not Installed
    
    Registered Devices
    --------------------------------------------------------------------------------
    Disk Name          Cipher       Status                   Clear
    --------------------------------------------------------------------------------
    sdb1               AES-XTS-512  Attached                 /dev/mapper/clear_EE57B642-2A00-49C8-9AC1-31D300DB6D07 (/home)
     '--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT
    sda3               AES-XTS-512  Attached                 /dev/mapper/clear_B081FD59-A74A-4F85-8D1B-AA42212F3607 (/swap)
     '--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT
    sda2               AES-XTS-512  Attached                 /dev/mapper/clear_htroot
     '--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT

    Warning: The hcl status command shows the clear text path to the encrypted system devices (the Clear column in the example above). You should only connect to the devices using these clear text paths. Accessing the encrypted devices through the direct paths such as /dev/sda3 or /dev/sda2 could cause data corruption.
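The following shell script is an added example, not part of Entrust DataControl and not taken from this procedure. It turns two of the checks above into something you can run from a post-reboot verification job: it parses htroot status output (in the format quoted in steps 2 and 4) to list any system device that is still clear, and it cross-checks /etc/fstab so that every mount point htroot reports as encrypted is mounted through its /dev/mapper/clear_* path rather than the raw block device the warning above cautions against. It assumes only the output formats shown on this page; all sample status output and the sample fstab below are constructed for the example (the swap line is deliberately wrong so the check has something to find), not captured from a real VM.

```sh
#!/bin/sh
# Added verification helper (not part of Entrust DataControl; written for this page).
# Parses "htroot status" output in the format quoted in the procedure and checks
# /etc/fstab for the mistake the warning describes: an encrypted device still
# mounted via its raw block path instead of its /dev/mapper/clear_* path.
# All sample data below is constructed for the example, not captured from a VM.

# Constructed "htroot status" output after "htroot setup" but before "htroot encrypt".
HTROOT_STATUS_BEFORE='HyTrust Bootloader setup is complete

Root device "/dev/sda2" is not encrypted
swap device "/dev/sda3" is not encrypted'

# Constructed "htroot status" output after encryption has finished (compare step 4).
HTROOT_STATUS_AFTER='HyTrust boot loader setup is complete

Root device "/dev/sda2" is encrypted
swap device "/dev/sda3" is encrypted
system device "/dev/sdb1 (/home)" is encrypted'

# Constructed /etc/fstab. The swap line is deliberately wrong: it points at the raw
# /dev/sda3 rather than the clear_* mapper device that htroot encrypt wrote.
FSTAB_SAMPLE='# constructed example fstab
/dev/mapper/clear_htroot                                /      xfs   defaults 0 0
UUID=c01c3240-664b-412a-8440-dd0fa132eae5               /boot  xfs   defaults 0 0
/dev/sda3                                               swap   swap  defaults 0 0
/dev/mapper/clear_EE57B642-2A00-49C8-9AC1-31D300DB6D07  /home  xfs   defaults 0 0'

# Print the block devices that htroot status still reports as not encrypted, one
# per line. Prints SETUP_NOT_DONE when the Bootloader setup has not been run yet.
# Empty output means every listed system device is encrypted.
unencrypted_devices() {
    printf '%s\n' "$1" | awk '
        /setup is not done/ { print "SETUP_NOT_DONE"; exit }
        /is not encrypted/  { gsub(/"/, "", $3); print $3 }'
}

# Print the mount points htroot status reports as encrypted: "/" for the root
# device, "swap" for the swap device, and the parenthesised mount point for any
# other system device.
encrypted_mount_points() {
    printf '%s\n' "$1" | awk '
        !/is encrypted/ { next }
        $1 == "Root"    { print "/" }
        $1 == "swap"    { print "swap" }
        $1 == "system"  { m = $4; gsub(/[()"]/, "", m); print m }'
}

# Cross-check fstab against htroot status: for every encrypted mount point, the
# fstab device column must be a /dev/mapper/clear_* path. Prints "MOUNTPOINT DEVICE"
# for each offending entry; empty output means fstab is clean.
raw_device_mounts() {
    status_text="$1"
    fstab_text="$2"
    mounts=$(encrypted_mount_points "$status_text" | tr '\n' ' ')
    printf '%s\n' "$fstab_text" | awk -v mounts="$mounts" '
        BEGIN { n = split(mounts, m); for (i = 1; i <= n; i++) want[m[i]] = 1 }
        $1 ~ /^#/ || NF < 2 { next }
        ($2 in want) && $1 !~ /^\/dev\/mapper\/clear_/ { print $2, $1 }'
}

# Usage on the constructed samples; on a real VM feed "$(htroot status)" and
# "$(cat /etc/fstab)" instead.
echo "Still clear before encrypt: $(unencrypted_devices "$HTROOT_STATUS_BEFORE" | tr '\n' ' ')"
echo "Still clear after encrypt:  [$(unencrypted_devices "$HTROOT_STATUS_AFTER")]"
echo "fstab entries using raw device paths: $(raw_device_mounts "$HTROOT_STATUS_AFTER" "$FSTAB_SAMPLE")"
```

Because the script only reads htroot status and /etc/fstab, it is safe to run at every boot from a cron job or a systemd unit and to alert on any non-empty output: a device listed by unencrypted_devices means an interrupted or unfinished encryption (the htroot cleanup path described in the tip above), and a line from raw_device_mounts means something has rewritten fstab back to a raw device path, which is exactly the data-corruption scenario the warning describes.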