Associating an Access Control Policy with a Disk
You can enable access controls on any Windows or Linux data disk that has been encrypted by KeyControl. Access controls are not supported on Windows boot disks, Linux root or swap disks, or unencrypted data disks.
Before You Begin
- Make sure the disk meets the requirements described in Access Control Policies.
- Make sure you know what Access Control Policy you want to associate with the disk. For Windows, you can use any Windows Access Control Policy for any disk. For Linux, if one Access Control Policy has been applied to another disk on this VM, you must use the same Access Control Policy for this disk.
- If this is a Linux disk:
  - Make sure access controls have been enabled on the VM as described in Enabling Access Controls on a Linux VM.
  - Make sure password-based SSH login is enabled for the Linux VM. If it is not, the process will fail and the Access Control Policy will not be associated with the disk.
- If this is the first time you are associating an Access Control Policy with the disk, make sure that any currently-active users accessing that disk know that they will lose access as soon as the Policy Agent validates the Access Control Policy. The first time an Access Control Policy is successfully associated with a disk, all Allowed users must log out and log back in before they can continue to access the files and data blocks on the disk.
Procedure
- Log into the KeyControl Vault for VM Encryption using an account with Cloud Admin privileges.
- In the top menu bar, click Workloads.
- Click the VMs tab.
- Click the Expand button (>) at the end of the row associated with the VM whose disks you want to protect.
  KeyControl displays the details for the VM along with a VM-specific Actions button that allows you to manage the selected VM without affecting other VMs registered with KeyControl.
- In the Details area, click the Encrypted Disks tab.
- In the list of disks, click the data disk that you want to associate with an Access Control Policy and select Actions > Add Policy to Disk from the VM-specific Actions button.
  Tip: If the Add Policy to Disk option is not available for a Linux disk, make sure access controls have been enabled on the VM as described in Enabling Access Controls on a Linux VM.
- In the Available Policies dialog box, select the policy that you want to use and click Add Policy.
  At the selected VM's next heartbeat, the Entrust KeyControl Policy Agent attempts to associate the Access Control Policy with the selected disk. At this time, the Policy Agent verifies the permissions specified in the associated policy rules. If all permission entries are valid, the association is successful and access controls are enabled for that disk. The Policy Agent records the successful application of the policy in the Audit Log.
  Important: If any of the permissions list entries are invalid, the Policy Agent issues an alert and does not apply the Access Control Policy. If this is an update to an existing policy, what happens next depends on the type of disk. For Linux disks, the Policy Agent continues to use the previous version of the policy. For Windows disks, the Policy Agent continues to use the previous policy settings until the VM reboots. If the permissions list contains invalid entries when the Windows VM reboots, the Policy Agent disables all access controls for the disk.
What to Do Next
If you want to force an update so that the Access Control Policy is applied before the next scheduled heartbeat, you can log into the VM as an administrator and use the hcl heartbeat command.
Note: For a Linux disk, the hcl heartbeat command may take a few minutes to complete the first time an Access Control Policy is associated with the disk. If you use this command, make sure you wait for it to complete because interrupting the policy association process may cause issues on the VM.
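The following wrapper is an added example, not Entrust's code: it checks the Linux prerequisite stated above (password-based SSH login must be enabled) by reading sshd's effective configuration with sshd -T, and then runs hcl heartbeat detached from the terminal so that a dropped SSH session cannot interrupt the policy association. The log path and the --run switch are assumptions of this script, not part of the product.

```shell
#!/bin/sh
# Added example (not part of the KeyControl documentation or product).
# Assumes: sshd(8) is installed and this runs as root, and the "hcl heartbeat"
# command from the page is on PATH.

# Return 0 if password-based SSH login is enabled according to the effective
# sshd configuration text (the format printed by "sshd -T"), 1 otherwise.
# The text is passed as an argument so the check can also run against captured
# output.
password_ssh_enabled() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "passwordauthentication" { found = 1; v = tolower($2) }
        END { if (found && v == "yes") exit 0; exit 1 }'
}

# Run the Policy Agent heartbeat detached from the controlling terminal and
# wait for it, so that closing the SSH session does not interrupt the first
# (possibly several-minute) policy association.
force_heartbeat() {
    log="${1:-/tmp/hcl-heartbeat.log}"   # assumed log location, not from the page
    nohup hcl heartbeat >"$log" 2>&1 &
    wait $!
    status=$?
    echo "hcl heartbeat exited with status $status; output in $log"
    return "$status"
}

main() {
    cfg=$(sshd -T 2>/dev/null) || { echo "cannot read effective sshd config (run as root?)" >&2; exit 2; }
    if ! password_ssh_enabled "$cfg"; then
        echo "password-based SSH login is disabled; policy association would fail" >&2
        exit 1
    fi
    force_heartbeat
}

# Only act when explicitly asked, so the functions can be sourced for testing.
case "${1:-}" in
    --run) main ;;
esac
```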