Please review the Linux Root, Swap, and System Device Encryption and Linux Policy Agent Installation topics in the HyTrust DataControl administration guide, which cover the prerequisites and the process in further detail.
The following is the list of commands executed to install the policy agent, register it with the KeyControl cluster and encrypt the root and swap devices of a CentOS 7 VM:
$ wget --no-check-certificate https://<KeyControl IP>/download/linux
Once the file is downloaded run
$ sh linux
When prompted to enter the location for installing HyTrust Agent, accept the default which is /opt/hcs.
To test if the installation succeeded, type hcl status at the command prompt.
$ hcl status
The above output shows that the policy agent is currently “Not registered” since it hasn’t yet been registered with the KeyControl cluster. The output also shows that AES-NI has been detected and is enabled on the host hardware. This Intel CPU instruction set is utilised to reduce the performance overhead of encryption.
Run the following command to prepare the drives for encryption:
$ htdrv prepare
This will download all the required packages and install them.
Next run the following to install the driver software:
$ rpm -ivh /opt/hcs/drivers/htcrypt-4.3.2-15373.noarch.rpm
The policy agent is now ready to be registered with the KeyControl cluster. To do this, run the following and enter the username and password when prompted. The username will be “secroot”.
When prompted, enter the Cloud VMSet name (this is case sensitive). Also select a KeyControl Mapping by entering the corresponding number listed.
$ hcl register -a <KeyControl VM IP>
Now if we type hcl status, it shows the policy agent status as Connected.
Next edit the file /opt/hcs/bin/params.conf
Change the following values:
prompt_for_confirmation = "no"
do_not_reboot = "no"
primary_interface = "ens192"
If using a static IP, please set use_dhcp to “no” and enter a valid IP address, default gateway, netmask, DNS server and DNS domain.
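A small POSIX shell helper for this step, added here as an example and not taken from the HyTrust guide: it sets the params.conf keys named above idempotently (re-running it does not duplicate lines), checks the interface name against /sys/class/net before it is committed, and assumes the key = "value" line format shown above; the assumption that hcl status prints the word Connected once registration has succeeded is also mine, and the static-IP address keys are left to the guide.

```sh
#!/bin/sh
# Added example (not HyTrust code): edit /opt/hcs/bin/params.conf safely.
# Assumes lines of the form   key = "value"   as shown in the walkthrough.

# set_param FILE KEY VALUE: replace an existing KEY line, or append one.
set_param() {
    file=$1
    key=$2
    value=$3
    if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        # write to a temp file first so a failed sed cannot truncate the original
        tmp=$(mktemp) || return 1
        sed "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = \"${value}\"|" "$file" > "$tmp" \
            && mv "$tmp" "$file"
    else
        printf '%s = "%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_param FILE KEY: print the value of KEY without its quotes (last match wins).
get_param() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\(.*\)\".*|\1|p" "$1" | tail -n 1
}

# iface_present IFACE: sanity check that primary_interface names a real NIC.
iface_present() {
    [ -d "/sys/class/net/$1" ]
}

# configure_params FILE IFACE [static]: apply the non-interactive settings from
# the walkthrough; pass "static" to also disable DHCP (the address, gateway,
# netmask and DNS keys named in the guide still have to be filled in by hand).
configure_params() {
    set_param "$1" prompt_for_confirmation no
    set_param "$1" do_not_reboot no
    set_param "$1" primary_interface "$2"
    [ "${3:-}" = static ] && set_param "$1" use_dhcp no
    return 0
}

# agent_connected: true once `hcl status` reports Connected (assumed output
# wording); useful as a gate before running htroot setup.
agent_connected() {
    hcl status 2>/dev/null | grep -q Connected
}

# write_sample_conf FILE: constructed params.conf fragment for a dry run.
write_sample_conf() {
    printf '%s\n' 'prompt_for_confirmation = "yes"' 'do_not_reboot = "yes"' \
        'primary_interface = "eth0"' 'use_dhcp = "yes"' > "$1"
}
```

Run a dry run against a copy first (write_sample_conf, then configure_params on it) and only then point configure_params at /opt/hcs/bin/params.conf; confirm with iface_present that the interface name you pass exists on the VM.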
Next run the following command to set up the Linux GRUB boot loader:
$ htroot setup -c /opt/hcs/bin/params.conf
$ hcl status
This will display the current status along with the name of the disks and partitions. Now we are ready to encrypt the disks.
Run the following command to encrypt the listed disks:
$ htroot encrypt centos_centos7-swap,centos_centos7-root --yes
This will trigger an automatic reboot of the VM and begin the encryption.
Run the following command to check the progress of the encryption:
$ hcl status
After the encryption succeeds it will show up on the console as shown below:
The HyTrust KeyControl web GUI will also display the devices as active/attached:
While encryption is in progress the status is shown as Active/Encrypt. After encryption completes the status changes to Active/Attached.