Disk Encryption After Initial Deployment
For added security, the disk of CipherTrust Manager can be fully encrypted with the public SSH key. For public cloud deployments on Amazon Web Services, Google Cloud, Microsoft Azure, or Oracle Cloud, this SSH key was provided during first launch. For physical appliance and private cloud deployments, the SSH key is provided after initial deployment.
Encryption can be initiated when an instance is first launched for Virtual CipherTrust Manager, or after deployment for both physical appliance and virtual instances. Cloud-init configuration with a user-data file is used for encryption on first launch.
Because installation specific secrets are generated the first time a Virtual CipherTrust Manager instance is launched, it is recommended that the instance be encrypted at launch time when possible to ensure these secrets are never exposed.
After encrypting the disk, you will need to unlock the encrypted instance on every boot using the 'ksctl diskenc secureboot' command and the private SSH key associated with the instance. See to unlock an encrypted instance. Disk encryption is always applied on reboot, and this behavior cannot be disabled. If you wish to store your keys on an unencrypted instance, you can launch a new Virtual CipherTrust Manager and then use backup and restore to transfer keys and other data.
Encrypting an already launched instance
The following are examples for encrypting an already launched instance and for checking on its encryption status. Also provided is a CLI example for unlocking the instance at boot time.
To encrypt the instance
Run the following command:
$ ksctl diskenc cryptsetup
Reboot the instance.
To check encryption status
To check the encryption progress, you can run following CLI command:
$ ksctl diskenc status -p
This command might time out during system restart or due to a slow connection. As an alternative, you can view the Console for the instance to see disk encryption progress.
Example:
$ ksctl diskenc status -p
This returns the following response:
Encrypting...
14.81 GiB / 15.52 GiB [====================================>-----] 95.44% 11s
The instance starts up after the encryption has finished. You do not need to unlock the disk on this startup after the initial encryption.
To unlock an encrypted instance
Every time an encrypted instance boots, the following CLI command must be executed to unlock the instance and allow admins and users access to Virtual CipherTrust Manager interfaces. You can provide the private key in OpenSSH, PKCS1, and PKCS8 format.
Run the following command to unlock the disk.
$ ksctl diskenc secureboot -i <private ssh key for the instance> -u https://<instance dns name>