Disk Encryption After Initial Launch
For added security, the disk of Virtual CipherTrust Manager can be fully encrypted with the public SSH key associated with the instance. For public cloud deployments on Amazon Web Services, Google Cloud, Microsoft Azure, or Oracle Cloud, this SSH key was provided during first launch. For private cloud deployments, the SSH key is provided after first launch.
Warning
Disk encryption is not supported for physical appliances. Attempting to encrypt the disk of a physical appliance might result in losing all access to the device and its data.
Encryption can either be initiated when an instance is first launched, or on an already launched instance.
Because installation-specific secrets are generated the first time a Virtual CipherTrust Manager instance is launched, it is recommended that the instance be encrypted at launch time to ensure these secrets are never exposed. Cloud-init configuration with a user-data file is used for encryption at first launch.
After encrypting the disk, you will need to unlock the encrypted instance on every boot using the 'ksctl diskenc secureboot' command and the private SSH key associated with the instance. See "To unlock an encrypted instance" below. Disk encryption is always applied on reboot, and this behavior cannot be disabled. If you wish to store your keys on an unencrypted instance, you can launch a new Virtual CipherTrust Manager and then use backup and restore to transfer keys and other data.
Encrypting an already launched instance
The following are examples for encrypting an already launched instance and for checking on its encryption status. Also provided is a CLI example for unlocking the instance at boot time.
To encrypt the instance
Run the following command:
$ ksctl diskenc cryptsetup
Reboot the instance.
To check encryption status
To check the encryption progress, you can run the following CLI command:
$ ksctl diskenc status -p
This command might time out during system restart or due to a slow connection. As an alternative, you can view the Console for the instance to see disk encryption progress.
Example:
$ ksctl diskenc status -p
This returns the following response:
Encrypting...
14.81 GiB / 15.52 GiB [====================================>-----] 95.44% 11s
The instance starts up after the encryption has finished. You do not need to unlock the disk on this startup after the initial encryption.
To unlock an encrypted instance
Every time an encrypted instance boots, the following CLI command must be executed to unlock the instance and allow admins and users access to Virtual CipherTrust Manager interfaces. You can provide the private key in OpenSSH, PKCS1, and PKCS8 format.
Run the following command to unlock the disk.
$ ksctl diskenc secureboot -i <private ssh key for the instance> -u https://<instance dns name>
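A pre-flight check for the unlock step above, as an added example that is not part of the original documentation: it confirms that the file is a private key in one of the listed formats, that it is not accessible to group or other, and that the URL uses HTTPS before calling the documented command. The function names are hypothetical, and the format detection assumes a PEM-armored key file.

```shell
#!/bin/sh
# Added example (not vendor code): checks to run before 'ksctl diskenc secureboot'.

# Classify a key file by its PEM header line. A public key (.pub) or a
# non-PEM file yields "unknown" and a non-zero status.
key_format() {
    local header
    header=$(grep -m1 -e '^-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null | tr -d '\r')
    case "$header" in
        "-----BEGIN OPENSSH PRIVATE KEY-----")   echo "openssh" ;;
        "-----BEGIN RSA PRIVATE KEY-----")       echo "pkcs1" ;;
        "-----BEGIN PRIVATE KEY-----")           echo "pkcs8" ;;
        # Passphrase-protected PKCS8; the page does not say how ksctl handles it.
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo "pkcs8-encrypted" ;;
        *)                                       echo "unknown"; return 1 ;;
    esac
}

# True when neither group nor other has any permission bit on the file.
# Characters 5-10 of the 'ls -l' mode string are the group and other bits.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# usage: unlock_preflight <private key file> <https URL of the instance>
unlock_preflight() {
    local key=$1 url=$2 fmt
    fmt=$(key_format "$key") || {
        echo "refusing: $key is not an OpenSSH, PKCS1 or PKCS8 private key" >&2
        return 1
    }
    key_is_private "$key" || {
        echo "refusing: $key is accessible to group or other (chmod 600)" >&2
        return 1
    }
    case "$url" in
        https://?*) ;;
        *) echo "refusing: URL must start with https://" >&2; return 1 ;;
    esac
    echo "key format: $fmt"
}

# Run the documented unlock command only when both arguments pass the checks.
if [ $# -eq 2 ]; then
    unlock_preflight "$1" "$2" && ksctl diskenc secureboot -i "$1" -u "$2"
fi
```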