Example of Creating an IDT-Capable GuardPoint on an Existing Linux Device
The following example shows the process of initializing an existing Linux device using voradmin idt config xform and guarding it as an IDT-Capable GuardPoint, from the viewpoint of the Linux root user. In this example, all files in /bin are copied onto a freshly created file system on the device; after the device has been resized and encrypted, the copies are compared with the originals in /bin. The comparison proves that the file system contents are unchanged after the encryption process has completed.
First, we verify that the device is not protected, then we check the current size of the disk, create a file system on it, and copy the files in /bin onto it. After that, we run the voradmin idt config xform command to initialize the device.
# voradmin idt status /dev/sdc1
Device /dev/sdc1 is not configured as IDT-Capable
# fdisk -l /dev/sdc1
Disk /dev/sdc1: 21.1 GiB, 21103640576 bytes, 41218048 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 4194304 bytes
# mkfs.xfs /dev/sdc1
meta-data=/dev/sdc1 isize=256 agcount=4, agsize=1288064 blks
= sectsz=512 attr=2, projid32bit=1
= crc=0 finobt=0, sparse=0
data = bsize=4096 blocks=5152256, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0 ftype=1
log =internal log bsize=4096 blocks=2560, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
# mount -t xfs /dev/sdc1 /xfs
# cp /bin/* /xfs
# voradmin idt config xform /dev/sdc1
Device /dev/sdc1 must be resized to at least 41347072 sectors (40378 MBs) before guarding as IDT-Capable GuardPoint
At this point, you need to resize the device using your device management tools so that it has at least 41347072 sectors (40378 MBs), the size reported by voradmin idt config xform. In this example the device grows from 41218048 to 41347072 sectors, a difference of 129024 sectors, which is the Private Region Size that voradmin idt status reports once the device is guarded. After the device has been resized, you can verify the new size:
# fdisk -l /dev/sdc1
Disk /dev/sdc1: 21.2 GiB, 21169700864 bytes, 41347072 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 4194304 bytes
After the device has been resized, the Administrator can guard the device with the desired In-Place Data Transformation policy. If the Administrator chooses Auto Guard, data transformation begins as soon as the policy is pushed to the host. If the Administrator chooses Manual Guard, data transformation does not begin until the Linux root user initiates it with the secfsd -guard command. Once data transformation begins, the Linux root user can check the progress using the voradmin idt status xform command.
# secfsd -guard /dev/sdc1
secfsd: Path is guarded
# voradmin idt status xform /dev/sdc1
Status: In-Process
Relocation Zone 9764864 (relocated = 1)
SegSpc 27, Xformation Range: 3217 ... 4799, SegIDs: 4795 4796 4791 4792 4797 4798 4799
KeyID: 2793 Key Name: IDT_DEMO_KEY_1
Old KeyID: 0 Old Key Name: clear_key
After the status has changed to Complete, you can compare the current version of the files on the device with the originals in /bin.
# voradmin idt status xform /dev/sdc1
Status: Complete
Relocation Zone 9764864 (relocated = 1)
SegSpc 27, Xformation Range: 3217 ... 20189, SegIDs: none
KeyID: 2793 Key Name: IDT_DEMO_KEY_1
Old KeyID: 0 Old Key Name: clear_key
# voradmin idt status /dev/sdc1
IDT Header on /dev/secvm/dev/sdc1
Version: 1
Change: 0
Private Region Size: 129024 sectors
Exported Device Size: 41218048 sectors
Key UUID: 9cc3c8e4-7ea7-310f-85c7-6f911de1ab52
Mount Path: None
# mount -t xfs /dev/secvm/dev/sdc1 /xfs
# for file in `/bin/ls /xfs`; do cmp /bin/$file /xfs/$file; done
# umount /xfs
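The two checks done by hand above, whether the device is large enough for the IDT private region and whether the file system contents are unchanged after transformation, can be scripted. The shell helpers below are an added example, not part of the CTE documentation and not a voradmin feature; they assume util-linux blockdev and coreutils sha256sum are installed and use a constructed copy of the voradmin message shown on this page. Recording a sha256 manifest before transformation makes the later comparison cover every file under the mount point, including files that disappeared or appeared, and removes the dependence on /bin staying unchanged in the meantime.

```shell
#!/bin/sh
# Added example (not part of the CTE documentation and not a voradmin feature):
# helpers that automate the size check and the post-transformation file comparison.
set -u

# Constructed copy of the message voradmin idt config xform printed on this page.
SAMPLE_MSG='Device /dev/sdc1 must be resized to at least 41347072 sectors (40378 MBs) before guarding as IDT-Capable GuardPoint'

# Print the minimum sector count named in a "must be resized to at least N sectors"
# message. Prints nothing and returns 1 if the message carries no such number.
required_sectors() {
    printf '%s\n' "$1" |
        sed -n 's/.*resized to at least \([0-9][0-9]*\) sectors.*/\1/p' |
        grep .
}

# How many sectors the device must grow by: current size $1, required size $2.
# Prints 0 when the device is already large enough.
sector_shortfall() {
    if [ "$1" -ge "$2" ]; then echo 0; else echo $(( $2 - $1 )); fi
}

# Current size of a block device in 512-byte sectors (the unit fdisk uses above).
# Assumes util-linux blockdev; needs root like the rest of the procedure.
device_sectors() {
    blockdev --getsz "$1"
}

# Record a sha256 manifest ("hash  ./relative/path" per line) of every regular file
# under directory $1 into file $2 (pass an absolute path for $2).
build_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done ) > "$2"
}

# Verify directory $1 against manifest $2: every listed file must hash identically,
# and the number of regular files must match, so additions and deletions are caught.
# Returns 0 on success, 1 otherwise.
verify_manifest() {
    ( cd "$1" && sha256sum --status -c "$2" ) || return 1
    expected=$(( $(wc -l < "$2") ))
    actual=$(( $(cd "$1" && find . -type f | wc -l) ))
    [ "$expected" -eq "$actual" ]
}

# Self-check on constructed directories so the script runs without a real device.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/src/sub" "$t/dst/sub"
    printf 'alpha\n' > "$t/src/a"
    printf 'beta\n'  > "$t/src/sub/b"
    cp "$t/src/a" "$t/dst/a"; cp "$t/src/sub/b" "$t/dst/sub/b"
    build_manifest "$t/src" "$t/manifest"
    verify_manifest "$t/dst" "$t/manifest" && echo "identical copy: OK"
    printf 'tampered\n' > "$t/dst/sub/b"
    verify_manifest "$t/dst" "$t/manifest" || echo "modified copy detected: OK"
    req=$(required_sectors "$SAMPLE_MSG")
    echo "required: $req sectors, shortfall from 41218048: $(sector_shortfall 41218048 "$req")"
    rm -rf "$t"
}

demo
```

In a real run you would call build_manifest on the mount point before running voradmin idt config xform, resize the device by at least the shortfall that sector_shortfall computes from device_sectors and the voradmin message, and call verify_manifest on the /dev/secvm mount after voradmin idt status xform reports Complete. For the numbers on this page the shortfall is 41347072 minus 41218048, which is 129024 sectors, the same value voradmin idt status later reports as the Private Region Size.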