Part 2: HyTrust DataControl Policy Agent Installation and Encryption–CentOS 7

Written by Sashi Ranjan

July 28, 2021

Please review the Linux Root, Swap, and System Device Encryption and Linux Policy Agent Installation topics in the HyTrust DataControl administration guide which covers the pre-requisites and process in further detail.

The following is a list of the commands executed to install the policy agent, register it with the KeyControl cluster and encrypt the root and swap devices of a CentOS 7 VM: –

$ wget –no-check-certificate https://<KeyControl IP>/download/linux

Once the file is downloaded run

$ sh linux

When prompted to enter the location for installing HyTrust Agent, accept the default which is /opt/hcs.

To test if the installation succeeded, type hcl status at the command prompt.

$hcl status

Type Hcl Status

The above output shows that the policy agent is currently “Not registered” since it hasn’t yet been registered with the KeyControlcluster. The output also shows that AES-NI has been detected and is enabled on the host hardware. This Intel CPU instruction set is utilisedtoreduce the performance overhead of encryption.

Run the following command to prepare the drives for encryption:

$htdrv prepare

This will download all the required packages and install them.

required packages

Next run the following to install the driver software:

$ rpm -ivh /opt/hcs/drivers/htcrypt-4.3.2-15373.noarch.rpm

install the driver

The policy agent is now ready to be registered with the KeyControlcluster. To do this run the following and enter the username and password when prompted. The username will be “secroot”.

When prompted enter the Cloud VMSet name (this is case sensitive). Also select a KeyControlMappingby entering the corresponding numberlisted.

 $ hcl register -a <KeyControl VM IP>


Now if we type hcl status, it shows the policy agent status as Connected.


Next edit the file /opt/hcs/bin/params.conf

Change the following values:

prompt_for_confirmation = “no”

do_not_reboot = “no”

primary_interface = “ens192”

If using a static IP, please set use_dhcp to “no” and enter a valid IP address, default gateway, netmask, DNS server and DNS domain.

Next run the following command to setup the Linux boot GRUB loader:

$ htroot setup -c /opt/hcs/bin/params.conf

$ hcl status

This will display the current status along with the name of the disks and partitions. Now we are ready to encrypt the disks.

Run the following command to encrypt the listed disks:

$ htroot encrypt centos_centos7-swap,centos_centos7-root –yes

listed disks

This will trigger an automatic reboot of the VM and begin the encryption.

Run the following command to check the progress of the encryption:

$ hcl status

After the encryption succeeds it will show up on the console as shown below:

the console

The HyTrustKeyControl web GUI will also display the devices as active/attached:


While encrypting the status is shown as Active/Encrypt. Post the completion of encryption the status changes to Active/Attached.


Submit a Comment

Your email address will not be published. Required fields are marked *

Related Articles