Please review the Windows Boot Drive Encryption and Windows Policy Agent Installation topics in the HyTrust DataControl administration guide, which cover the prerequisites and the process in more detail.
Note: At the time this document was produced, the HyTrust DataControl Policy Agent for Windows did not support EFI, so the Windows Server 2016 VM used below is configured with “BIOS” as the firmware in its Boot Options. EFI support is planned for HyTrust DataControl version 5.0, tentatively scheduled for Q3 2019.
From the Windows VM that you need to encrypt, open the HyTrust KeyControl web GUI at https://<KeyControl IP> and navigate to the “CLOUD” tab. Under “Actions”, click “Download Policy Agent”.
Follow the on-screen instructions to install the Agent and, when prompted, choose to reboot the machine after the installation completes.
Installation Step 1: Download the Policy Agent from the KeyControl UI as shown below:
Installation Step 2: Click “Download” next to “hcs-client-agent-4.3.2-15373.exe”.
Installation Step 3: Click “Run” to begin the installation process.
Installation Step 4: Click “Next” on the Welcome Screen.
Installation Step 5: Accept the License Agreement by clicking “I Agree”.
Installation Step 6: Select the location where the Agent will be installed and click “Next”.
Installation Step 7: Make sure the “HT Bootloader” component is selected; it is required for encrypting the boot (C:) drive. Click “Next”.
Installation Step 8: If the VM obtains its IP address via DHCP, select “DHCP”; otherwise enter the IP address manually. Click “Install”.
Select the option “Reboot Now” after the installation succeeds.
Now we will create a new VM Set and configure its policy so that every VM that joins the VM Set is encrypted automatically.
Navigate to CLOUD -> VM Sets and then from the Actions drop down menu select “Create Cloud VM Set”. Leave all the defaults and then click “Create”.
Once the VM Set is created, select the VM Set “Windows”, scroll to the bottom of the page and click “Disabled” next to “Auto Encryption”. In the pop-up window, select “Enabled” from the drop-down menu and click “Save” next to it.
The field “Auto Encryption Policy Type” appears; select “Encrypt All Devices” from its drop-down menu and click “Save”. Then click “Save” again at the bottom of the pop-up.
A confirmation window pops up. Click “Yes”.
Now we have the VM Set created with Auto Encryption enabled.
Open a PowerShell prompt on the Windows VM that needs to be encrypted and run the command below to register the VM with the KeyControl server.
C:\Users\Administrator> hcl register -a 10.148.112.5
Enter the username secroot and its password.
Enter the VM Set name, Windows, and press Enter. Note that the name is case sensitive.
For Mapping, enter 1 and press Enter. This completes the registration of the VM with the HyTrust KeyControl server, and because Auto Encryption is enabled for this VM Set, encryption starts automatically.
From the Start menu on the Windows VM, open the HyTrust DataControl application. Its console shows that encryption is in progress, along with the percentage completed.
On the HyTrust KeyControl UI, click the “DASHBOARD” tab at the top. The screen shows the progress of the encryption task as shown below.
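As an added example (not from the HyTrust guide or the original page), the following PowerShell script runs the preflight checks implied by the steps above (BIOS firmware, agent installed, KeyControl reachable) and then performs the registration command from the text. It assumes the agent talks to KeyControl on TCP 443 (the web GUI port) and that the agent CLI provides an `hcl status` subcommand for confirming the result; both are assumptions, not something the page states. The KeyControl address and VM Set name are the ones used above.

```powershell
# Added example (not HyTrust's code): preflight checks, then registration.
# ASSUMPTIONS: agent traffic uses TCP 443 (the GUI port); `hcl status` exists.
param(
    [string]$KeyControlIP  = "10.148.112.5",   # KeyControl address from the text
    [string]$VMSetName     = "Windows",        # case-sensitive VM Set name from the text
    [int]$KeyControlPort   = 443               # ASSUMPTION: agent uses the HTTPS port
)

$ErrorActionPreference = "Stop"
$failures = @()

# 1. Firmware: the 4.3.x agent does not support EFI, so the VM must boot with BIOS.
#    $env:firmware_type is "Legacy" on BIOS VMs and "UEFI" on EFI VMs.
if ($env:firmware_type -ne "Legacy") {
    $failures += "Firmware is '$($env:firmware_type)'; this agent version requires BIOS (Legacy)."
}

# 2. Agent present: hcl must be on PATH after the installation and reboot.
if (-not (Get-Command hcl -ErrorAction SilentlyContinue)) {
    $failures += "hcl not found on PATH; install the Policy Agent and reboot first."
}

# 3. Reachability: the VM must reach KeyControl now, and still after any migration,
#    because the agent obtains its keys from KeyControl.
$tnc = Test-NetConnection -ComputerName $KeyControlIP -Port $KeyControlPort -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) {
    $failures += "TCP $KeyControlPort to $KeyControlIP failed; check routing/firewall from this subnet."
}

# 4. VM Set name hygiene: registration is case sensitive, so stray whitespace or a
#    changed case silently selects the wrong (or no) VM Set.
if ($VMSetName -cne $VMSetName.Trim()) {
    $failures += "VM Set name '$VMSetName' has leading/trailing whitespace."
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Error -Message $_ -ErrorAction Continue }
    exit 1
}

# Registration is interactive (username secroot, password, VM Set, mapping), so run it
# in the foreground exactly as the text shows and answer the prompts.
Write-Host "Preflight passed. Registering with KeyControl at $KeyControlIP (VM Set '$VMSetName') ..."
& hcl register -a $KeyControlIP
if ($LASTEXITCODE -ne 0) {
    Write-Error "hcl register exited with code $LASTEXITCODE" -ErrorAction Continue
    exit $LASTEXITCODE
}

# ASSUMPTION: `hcl status` reports the device and encryption state. With Auto Encryption
# enabled on the VM Set, it should show C: being encrypted, matching the progress that the
# DataControl console and the KeyControl DASHBOARD display.
& hcl status
```

The same reachability check (step 3) is worth re-running from the VM after an HCX migration, since an encrypted VM that can no longer reach KeyControl from its new network cannot obtain its keys; the migration test later in this page keeps the appliance reachable from both subnets for exactly this reason.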
After all the VMs were encrypted, we tested migrating them to a VMC on AWS SDDC using HCX (Hybrid Cloud Extension, also known as NSX Hybrid Connect). HCX can migrate VMs with zero downtime (HCX vMotion) as well as in bulk, and it can extend networks from on-premises to the cloud.
In our case we extended two VXLANs to the VMC SDDC as shown below. The gateways for both networks remained on-premises on the NSX Edge Gateway.
We had two encrypted VMs running CentOS 7 and two encrypted VMs running Windows Server 2016. We migrated one CentOS 7 VM and one Windows VM using HCX vMotion, and one of each using Bulk migration, to VMC.
Throughout the migration we ensured that the HyTrust appliance was running in the subnet 192.168.148.1/24 and was reachable from both subnets, since the Policy Agent must reach KeyControl to obtain its keys.
In every case the migration completed successfully and encryption was preserved. All VMs came up in VMC with all their disks attached. We also tested a reverse migration with vMotion; it succeeded as well, encryption was preserved, and the VM remained accessible.