Install Zettaset XCrypt Full Disk - Futurex Documentation

The installer sends the Zettaset XCrypt Full Disk libraries and configuration files to each target node. It also encrypts the nodes and partitions listed in the hosts.inv file.

The Zettaset XCrypt Full Disk installer must be able to write to the Futurex PKCS #11 (FXPKCS11) log file (such as fxpkcs11.log) on the primary KMIP node. Before proceeding with the following steps, run the following command as root or sudo to add write permissions on the fxpkcs11.log file.

Text

$ sudo chmod 666 /tmp/fxpkcs11.log

Perform a sanity check on the inventory file. This confirms that the settings in your file are valid.

Text

$ ./install_zts-xcrypt-full-disk.sh -vv -i hosts.inv check

Run the installer:

Text

$ ./install_zts-xcrypt-full-disk.sh -vv -i hosts.inv install

This creates any KMIP and HSM servers needed, establishes secure connectivity between all nodes and services, and encrypts partitions. You should see zero failures for all nodes in the PLAY RECAP at the end of the install output.

Zettaset XCrypt Full Disk creates four keys on the CryptoHub: one public and one private RSA 2048 asymmetric key and two AES-256 Data Encryption keys.

View the block devices for each target node to confirm partition encryption. The output reflects your partitions.

Text

$ ssh target03 "lsblk -o NAME,FSTYPE,SIZE,MOUNTPOINT"
NAME FSTYPE SIZE MOUNTPOINT
└─sdc crypto_LUKS 5G
  └─crypt2 (dm-2) xfs 5G /data2

View the encryption key names by viewing cryptinittab on the target node:

Text

$ ssh target03 "cat /etc/zts/conf.default/cryptinittab"
partition mount point mapper name key name
/dev/sdc /data2 crypt2 688eda48-337f-49fd

Back up the cryptinittab file for each encrypted node. This file is the only way to associate a key with a partition.

Review install.log when needed.

Remove the HSM PIN values from the hosts.inv file.

⌘I