Disk Encryption After Initial Launch
For added security, the disk of Virtual CipherTrust Manager can be fully encrypted with the public SSH key associated with the instance. For public cloud deployments on Amazon Web Services, Google Cloud, Microsoft Azure, or Oracle Cloud, this SSH key was provided during first launch. For private cloud deployments, the SSH key is provided after first launch.
Warning
Disk encryption is not supported for physical appliances. Attempting to encrypt the disk of a physical appliance might result in losing all access to the device and its data.
Encryption can either be initiated when an instance is first launched, or on an already launched instance.
Because installation specific secrets are generated the first time a Virtual CipherTrust Manager instance is launched, it is recommended that the instance be encrypted at launch time to ensure these secrets are never exposed. Cloud-init configuration with a user-data file is used for encryption at first launch.
After encrypting the disk, you will need to unlock the encrypted instance on every boot using the 'ksctl diskenc secureboot' command and the private SSH key associated with the instance. See to unlock an encrypted instance.
Encrypting an already launched instance
The following are examples for encrypting an already launched instance and for checking on its encryption status. Also provided is a CLI example for unlocking the instance at boot time.
To encrypt the instance
Run the following command:
$ ksctl diskenc cryptsetup
Reboot the instance.
To check encryption status
To check the encryption progress, you can run following CLI command:
$ ksctl diskenc status -p
This command might time out during system restart or due to a slow connection. As an alternative, you can view the Console for the instance to see disk encryption progress.
Example:
$ ksctl diskenc status -p
This returns the following response:
Encrypting...
14.81 GiB / 15.52 GiB [====================================>-----] 95.44% 11s
The instance starts up after the encryption has finished. You do not need to unlock the disk on this startup after the initial encryption.
To unlock an encrypted instance
Every time an encrypted instance boots, the following CLI command must be executed to unlock the instance and allow admins and users access to Virtual CipherTrust Manager interfaces. You provide the private SSH key in PEM format for the instance. OpenSSH format private keys are not supported.
Run the following command to unlock the disk.
$ ksctl diskenc secureboot -i <private ssh key for the instance> -u https://<instance dns name>