To run the Guardium system on an encrypted disk, create an encrypted LVM volume group during installation and place the / and /var logical volumes inside it, so that both the operating system and the collected data are encrypted at rest.
About this task
The following procedure requires either physical or remote console access to the Guardium
system.
Procedure
- Insert the IBM® Guardium® DVD and boot the machine.
- Choose Custom Partition Installation from the boot screen.
- Press Enter.
- In the Installation Summary, select Installation Destination. Under Other Storage Options, select I will configure partitioning and check Encrypt my data.
- Select Click here to create them automatically. In the generated layout, change the Mount Point and Name of the home volume from home to var, because Guardium stores its data under /var rather than /home. Click Done.
- When prompted, enter a Disk encryption passphrase and safeguard it. Click Save Passphrase and Accept Changes.
Tip: The encryption passphrase is required to unlock the LVM volume every time the system restarts. The passphrase cannot be recovered or replaced if it is lost, and without it the data on the volume is unrecoverable.
- Optional: You can set up a tang server so that the encryption key is supplied automatically and each volume of your encrypted disks is unlocked without a console prompt when you restart the system. The tang server must be reachable over the network at boot time, before the root volume is mounted. If the tang server is down or unreachable when the system reboots, the message dracut-initqueue: Error communicating with server appears and boot pauses at the console. You must then unlock the encrypted machine by entering the passphrase manually.
Tip: Set up the tang server by using the CLI command store tang server, or by using the API command grdapi clevis_bind on your central manager to bind all your managed units to a tang server. For more information on the commands, see store tang server, reset luks keys, and grdapi clevis_bind.
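Because a unit bound to a tang server falls back to a console passphrase prompt whenever the server cannot be reached at boot, it is worth confirming before a planned restart that the server is up and advertising usable keys. The following is an added example and not part of the Guardium documentation or the Guardium CLI: it is run from an administrator workstation (not on the appliance), fetches the advertisement that tang serves at /adv, and checks that it is a JWS whose payload contains both an exchange key (key_ops deriveKey, which clevis needs to recover the volume key) and a verify key (which signs the advertisement). The host name tang.example.internal is a hypothetical placeholder, and the embedded sample advertisement is constructed for offline use; its key coordinates are not real key material. Signature verification of the advertisement is deliberately left to clevis.

```python
"""Pre-reboot check that a tang server is reachable and advertising usable keys.

Added example for this page, not Guardium code. Run from an admin workstation:
    python3 tang_check.py http://tang.example.internal   (hypothetical host)
With no argument it validates the constructed SAMPLE_ADV below.
"""
import base64
import json
import sys
import urllib.request


def b64url_decode(s: str) -> bytes:
    """Decode base64url (RFC 7515 style, unpadded) after restoring padding."""
    s += "=" * (-len(s) % 4)
    return base64.urlsafe_b64decode(s)


def parse_advertisement(adv_json: str) -> dict:
    """Parse the JWS served at /adv and count the keys clevis relies on.

    Returns a dict with the number of exchange keys (key_ops deriveKey),
    the number of verify keys (key_ops verify), and a 'usable' flag that
    is True only when at least one of each is present. Raises ValueError
    when the document does not have the shape of a tang advertisement.
    """
    jws = json.loads(adv_json)
    for field in ("payload", "protected", "signature"):
        if field not in jws:
            raise ValueError(f"advertisement is missing JWS field {field!r}")
    payload = json.loads(b64url_decode(jws["payload"]))
    keys = payload.get("keys")
    if not isinstance(keys, list) or not keys:
        raise ValueError("advertisement payload carries no keys")
    exchange = [k for k in keys if "deriveKey" in k.get("key_ops", [])]
    verify = [k for k in keys if "verify" in k.get("key_ops", [])]
    return {
        "exchange_keys": len(exchange),
        "verify_keys": len(verify),
        "usable": bool(exchange) and bool(verify),
    }


def fetch_advertisement(base_url: str, timeout: float = 5.0) -> str:
    """GET <base_url>/adv from a live tang server; requires network access."""
    url = base_url.rstrip("/") + "/adv"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode()


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


# Constructed sample advertisement with the structure tang returns. The
# x/y coordinates and the signature are placeholders, not real key material.
SAMPLE_PAYLOAD = {
    "keys": [
        {"alg": "ES512", "kty": "EC", "crv": "P-521",
         "key_ops": ["verify"], "x": "AA", "y": "AA"},
        {"alg": "ECMR", "kty": "EC", "crv": "P-521",
         "key_ops": ["deriveKey"], "x": "AA", "y": "AA"},
    ]
}
SAMPLE_ADV = json.dumps({
    "payload": _b64url(json.dumps(SAMPLE_PAYLOAD).encode()),
    "protected": _b64url(b'{"alg":"ES512","cty":"jwk-set+json"}'),
    "signature": "AA",  # placeholder; not verified by this check
})


if __name__ == "__main__":
    adv = fetch_advertisement(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ADV
    result = parse_advertisement(adv)
    print(json.dumps(result))
    # Non-zero exit means a reboot would stop at the passphrase prompt.
    sys.exit(0 if result["usable"] else 1)
```

Run the check from the same network position the appliance boots in (or at least one with equivalent routing and firewall rules), since a workstation that can reach the tang server proves nothing if the appliance's boot-time network path is different. A failing check is the moment to arrange console access before restarting rather than after.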