Prerequisites and Restrictions

In addition to encrypting regular data partitions, you can also encrypt your Linux system devices, such as /root, swap, /home, /var, and /opt. This ensures that clear-text data never leaves the VM on its way to storage and prevents virtualization and storage admins from being able to view the data. You can encrypt these devices at any time and in any order.

At power on, the system first runs POST and then hands the boot process off to the OS volume. Because of this, /boot must remain unencrypted so that early startup activities can run, including obtaining the key that decrypts the rest of the system. We recommend that you do not store any highly sensitive data on the boot partition.

Tip: We recommend you use a server with AES-NI support, which will improve encryption time dramatically. For more information, see Encryption Key Sizes and Algorithms.

Prerequisites

  • The VM must have a static IP address or you must have the Reauthentication on IP Change property set to No for the VM. During the encryption process, the VM needs to be rebooted. If you are using a dynamic IP address and the Reauthentication on IP Change property is set to Yes, the system could hang during the encryption cycle because the VM cannot authenticate itself with KeyControl and the encryption process cannot complete.

    Tip: If you encrypt the root drive and then authentication fails for any reason, you can re-authenticate the VM as described in Re-Authenticating a VM with an Encrypted Root Device or Boot Disk.

  • Entrust requires a separate boot partition in which the Policy Agent can be installed. How you create this partition depends on the version of Linux running on the server.
  • If you want to use Online Encryption so that users can continue to access the root and swap drives while they are being encrypted, you must enable Online Encryption on the VM before you encrypt it. For details, see Linux Online Encryption Prerequisites and Considerations.
  • If the VM is associated with a Cloud VM Set that is controlled by a Key Encryption Key (KEK), the HSM must be available before you can encrypt the root drive on the VM. For more information, see KEKs with Cloud VM Sets.

Note: Linux initializes mdadm devices late in the VM boot cycle. If you encrypt the root drive and there are any mdadm devices registered with the Policy Agent, you may receive alerts during the boot process warning you that the mdadm device is missing and that its name has been changed to GONE in KeyControl. After the mdadm device is initialized, another alert is generated telling you that the mdadm device has been renamed from GONE back to its original name. You can safely ignore both of these alerts.
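Two of the prerequisites above (a separate, unencrypted /boot partition) and the AES-NI tip can be verified on the VM before you start. The following POSIX shell script is an added pre-flight check written for this page; it is not part of the Entrust Policy Agent or KeyControl. It assumes only /proc/cpuinfo and /proc/mounts (or constructed sample files with the same layout) and does not check KeyControl-side settings such as the Reauthentication on IP Change property, which must be confirmed in KeyControl itself.

```shell
#!/bin/sh
# Added pre-flight check for the root/swap encryption prerequisites.
# Each check takes a file path so it can be run against the live system
# (/proc/cpuinfo, /proc/mounts) or against sample files for a dry run.

# Returns 0 when the CPU advertises the AES-NI instruction set ("aes" in flags).
has_aes_ni() {
    cpuinfo="${1:-/proc/cpuinfo}"
    grep -E -q '^flags[[:space:]]*:.*[[:space:]]aes([[:space:]]|$)' "$cpuinfo"
}

# Returns 0 when /boot is its own mount point, i.e. a separate partition
# in which the Policy Agent can be installed.
boot_is_separate() {
    mounts="${1:-/proc/mounts}"
    awk '$2 == "/boot" { found = 1 } END { exit !found }' "$mounts"
}

# Returns 0 when the device mounted at /boot is a plain block device rather
# than a device-mapper target. A /dev/mapper or /dev/dm-* path is a
# conservative signal: dm-crypt volumes live there, but so do LVM volumes,
# so a hit means "inspect with lsblk", not a definite failure.
boot_is_plain() {
    mounts="${1:-/proc/mounts}"
    dev=$(awk '$2 == "/boot" { print $1; exit }' "$mounts")
    [ -n "$dev" ] || return 1
    case "$dev" in
        /dev/mapper/*|/dev/dm-*) return 1 ;;
        *) return 0 ;;
    esac
}

# Runs all checks, prints a one-line verdict per check, and returns the
# number of hard failures (AES-NI is a warning only, per the tip above).
preflight() {
    cpuinfo="$1"
    mounts="$2"
    failures=0
    if has_aes_ni "$cpuinfo"; then
        echo "PASS AES-NI available"
    else
        echo "WARN AES-NI not detected; encryption will be considerably slower"
    fi
    if boot_is_separate "$mounts"; then
        echo "PASS /boot is a separate partition"
        if boot_is_plain "$mounts"; then
            echo "PASS /boot device is not a device-mapper target"
        else
            echo "FAIL /boot is on a device-mapper target; confirm it is not encrypted (lsblk -o NAME,TYPE,MOUNTPOINT)"
            failures=$((failures + 1))
        fi
    else
        echo "FAIL /boot is not a separate partition"
        failures=$((failures + 1))
    fi
    return $failures
}

# Constructed sample inputs (not captured from a real system) for a dry run.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/cpuinfo" <<'EOF'
processor : 0
flags : fpu vme de pse tsc msr pae mce cx8 apic sep aes xsave avx
EOF
cat > "$SAMPLE_DIR/mounts_ok" <<'EOF'
/dev/mapper/vg-root / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
EOF
cat > "$SAMPLE_DIR/mounts_noboot" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
EOF
cat > "$SAMPLE_DIR/mounts_dmboot" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/mapper/bootcrypt /boot ext4 rw,relatime 0 0
EOF

# Dry run against the constructed samples; on a real VM call
# preflight /proc/cpuinfo /proc/mounts instead.
if preflight "$SAMPLE_DIR/cpuinfo" "$SAMPLE_DIR/mounts_ok"; then
    echo "sample VM: prerequisites satisfied"
else
    echo "sample VM: $? prerequisite failure(s)"
fi
```

On a live system, run the script as root so /proc/mounts reflects every mount, and treat a device-mapper hit on /boot as a prompt to inspect the stack with lsblk rather than as proof that /boot is encrypted.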

For your convenience, we provide instructions for creating a boot partition on Ubuntu, RHEL 7, and RHEL 8. We also provide instructions for Linux VMs running in Amazon Web Services (AWS) and Microsoft Azure. For more information, see one of the following:

For other versions of Linux, see your Linux documentation.

To verify that you have completed all prerequisites, see Verifying the Current VM Configuration.