Verifying the Current VM Configuration

This procedure describes how to verify that the VM is ready for root and swap drive encryption. Because issues during root drive encryption can hang the VM, it is critical to make sure everything is properly configured before you start.

  1. If the VM uses a dynamic IP address and you cannot change it to use a static IP address, make sure the Reauthentication on IP Change property is set to No. To do so:

    1. Log in to the KeyControl Vault for VM Encryption webGUI using an account with Cloud Admin privileges.
    2. In the top menu bar, click Workloads.
    3. Click the VMs tab and select the VM you want to work with from the list.
    4. Click the Expand button (>) at the end of the row to access the details for the specific VM.
    5. Look at the value for Reauthentication on IP Change. If it is set to Yes, click the word Yes, select No in the field, then click Save.
  2. Make sure you have a separate boot partition. To do so:
    1. Log in to the VM as root.
    2. Enter the command hcl status. For example:

      # hcl status
      Summary
      --------------------------------------------------------------------------------
      KeyControl: 192.168.200.175:443
      KeyControl list: 192.168.200.175:443
      Status: Connected
      Last heartbeat: Fri Jul 27 11:31:57 2018 (pass)
      AES_NI: enabled
      Certificate Expiration: Sep 11 22:16:13 2020 GMT
      HTCRYPT: Not Installed
      
      Registered Devices
      --------------------------------------------------------------------------------
      Disk Name          Cipher       Status                   Clear
      --------------------------------------------------------------------------------
      
      
      Available Devices
      --------------------------------------------------------------------------------
      Disk Name            Device Node                      Size (in MB)
      --------------------------------------------------------------------------------
      
      Other Devices
      --------------------------------------------------------------------------------
      Disk Name            Device Node                      Status
      --------------------------------------------------------------------------------
      sda3                 /dev/sda3                        Mounted (swap)
      sda1                 /dev/sda1                        Mounted (/boot)
      sda2                 /dev/sda2                        Mounted (/)  

      The output shows that the VM is registered with the KeyControl server (the Status is Connected), that the root (/) and swap devices to be encrypted are present, and that there is a separate boot partition (sda1, mounted at /boot). The root and swap disks are listed under Other Devices because they are in use.
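
The checks in step 2 can be scripted so they run the same way on every VM before encryption starts. This is an added example, not part of the original procedure or the vendor's tooling; it assumes `hcl status` prints rows in the format shown above, and `check_hcl_status` and `sample_status` are hypothetical names, with the sample constructed from that listing.

```shell
#!/bin/sh
# Added example: pre-flight check over `hcl status` output read from stdin.
# Returns 0 only if Status is Connected and /boot, / and swap each have
# their own mounted device row.
check_hcl_status() {
    awk '
        $1 == "Status:" { connected = ($2 == "Connected") }
        # Device rows look like: sda1 /dev/sda1 Mounted (/boot)
        NF == 4 && $3 == "Mounted" {
            mp = $4; gsub(/[()]/, "", mp); dev[mp] = $2
        }
        END {
            rc = 0
            if (!connected) { print "FAIL: Status is not Connected"; rc = 1 }
            n = split("/boot / swap", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in dev)) {
                    print "FAIL: no mounted device for " want[i]; rc = 1
                }
            if (rc == 0)
                print "OK: /boot=" dev["/boot"] " /=" dev["/"] " swap=" dev["swap"]
            exit rc
        }
    '
}

# Constructed sample, trimmed from the listing above (hypothetical helper).
sample_status() {
    cat <<'EOF'
Status: Connected
HTCRYPT: Not Installed

Other Devices
Disk Name            Device Node                      Status
sda3                 /dev/sda3                        Mounted (swap)
sda1                 /dev/sda1                        Mounted (/boot)
sda2                 /dev/sda2                        Mounted (/)
EOF
}

sample_status | check_hcl_status
```

On a VM, run `hcl status | check_hcl_status` as root and proceed only when it exits with status 0.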

What to Do Next 

Encrypt the boot disk as described in Encrypting Linux System Devices.