request system filesystem encryption enable
Syntax
request system filesystem encryption enable <dry-run | re0 | re1>
Prerequisites
The following prerequisites must be met before you enable file-system encryption:
- The system contains a TPM 2.0 with IDevID provisioned.
- Systems with a single disk or redundant disks are supported.
- Back up configurations and log files.
Description
When you enable encryption on the file system, the conversion process starts with the backup Routing Engine, followed by the active Routing Engine. With redundant disks, the conversion starts with the primary disk, followed by the secondary disk, to avoid loss of data.
Once enabled, encryption cannot be disabled, and all software image versions that do not support file-system encryption are deleted.
Options
none | Enable file-system encryption on all Routing Engines.
dry-run | (Optional) Display the file-system encryption message without running the encryption process.
re0 | (Optional) Enable file-system encryption on RE0.
re1 | (Optional) Enable file-system encryption on RE1.
routing-engine | (Optional) Enable file-system encryption on the specified Routing Engine. Use one of the following options to specify the Routing Engine:
Required Privilege Level
maintenance
Sample Output
request system filesystem encryption enable
user@host> request system filesystem encryption enable
You are about to encrypt LVM partitions on "/dev/sda5 and /dev/sdb5"
LVM volumes currently on /dev/sda5
jvg_P-jlvmjunos
jvg_P-jlvmrootrw
jvg_P-jlvmspare
jvg_P-jlvmvm
The swap partition on /dev/sda6 will be deleted and added to VG jvg_P
LVM volumes currently on /dev/sdb5
jvg_S-jlvmjunos
jvg_S-jlvmrootrw
jvg_S-jlvmspare
jvg_S-jlvmvm
The swap partition on /dev/sdb6 will be deleted and added to VG jvg_S
Type YES to continue: ? YES
Preparing partition /dev/sda5 for encryption
Fixing PV device size
Physical volume "/dev/sda5" changed
1 physical volume(s) resized or updated / 0 physical volume(s) not resized
Logical volume "jlvmswap" created.
Setting up swapspace version 1, size = 108 MiB (113242112 bytes)
no label, UUID=72162649-0bdd-4827-bc83-0e18278f5aac
Preparing partition /dev/sdb5 for encryption
Fixing PV device size
Physical volume "/dev/sdb5" changed
1 physical volume(s) resized or updated / 0 physical volume(s) not resized
Logical volume "jlvmswap" created.
Setting up swapspace version 1, size = 108 MiB (113242112 bytes)
no label, UUID=d89d3741-feb7-4152-8883-de5a9a2d1e5d
During the conversion process, a vmhost reboot using request vmhost reboot is required to start file-system encryption and to reflect the changes.
user@host> request vmhost reboot
error: no suitable video mode found.
Booting in blind mode
mount: /dev: none already mounted or mount point busy.
. . . . . . . . . . . . . . .
Encrypt Filesystem requested [y]...
Partition /dev/sda5 is lvm.
0 logical volume(s) in volume group "jvg_P" now active
Adding LUKS header to /dev/sda5 and initializing encryption
Starting encryption on Partition /dev/sda5
Progress: 100.0%, ETA 00:08, 188166 MiB written, speed 150.0 MiB/s
Finished, time 20:17.484, 186166 MiB written, speed 150.4 MiB/s
Partition /dev/sda5 is fully encrypted
Fixing PV size after adding LUKS2 header
WARNING: Device /dev/mapper/luks2-sda5 has size of 381268367 sectors which is smaller than corresponding PV size of 381286799 sectors. Was device resized?
WARNING: One or more devices used as PVs in VG jvg_P have changed sizes.
Physical volume "/dev/mapper/luks2-sda5" changed
1 physical volume(s) resized or updated / 0 physical volume(s) not resized
Successfully enrolled TPM2.0 key to keyslot: 0
Successfully added token to keyslot: 0
Attempting to Unlock LUKS volume using TPM2.0 key in keyslot: 0
Successfully unlocked LUKS2 partition /dev/sda5 using TPM 2.0 key.
Removing Keyslot: 1
Partition /dev/sdb5 is lvm.
0 logical volume(s) in volume group "jvg_S" now active
Adding LUKS header to /dev/sdb5 and initializing encryption
Starting encryption on Partition /dev/sdb5
Progress: 100.0%, ETA 00:25, 188166 MiB written, speed 150.5 MiB/s
Finished, time 20:37.884, 186166 MiB written, speed 150.4 MiB/s
Partition /dev/sdb5 is fully encrypted
Fixing PV size after adding LUKS2 header
WARNING: Device /dev/mapper/luks2-sdb5 has size of 381268367 sectors which is smaller than corresponding PV size of 381286799 sectors. Was device resized?
WARNING: One or more devices used as PVs in VG jvg_S have changed sizes.
Physical volume "/dev/mapper/luks2-sdb5" changed
1 physical volume(s) resized or updated / 0 physical volume(s) not resized
Successfully enrolled TPM2.0 key to keyslot: 0
Successfully added token to keyslot: 0
Attempting to Unlock LUKS volume using TPM2.0 key in keyslot: 0
Successfully unlocked LUKS2 partition /dev/sdb5 using TPM 2.0 key.
Removing Keyslot: 1
Rebooting in 5 seconds
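A post-conversion check over a captured console log, added here as an example and not Juniper's code: it looks for the per-partition messages shown in the sample output above and reports any that did not appear. The function name, the milestone labels and the sample log are constructed for illustration.

```python
import re

# Constructed sample log in the shape of the sample output above: /dev/sda5
# completes every step, /dev/sdb5 is missing the token and TPM unlock lines.
SAMPLE_LOG = """\
Adding LUKS header to /dev/sda5 and initializing encryption
Partition /dev/sda5 is fully encrypted
Successfully enrolled TPM2.0 key to keyslot: 0
Successfully added token to keyslot: 0
Successfully unlocked LUKS2 partition /dev/sda5 using TPM 2.0 key.
Removing Keyslot: 1
Adding LUKS header to /dev/sdb5 and initializing encryption
Partition /dev/sdb5 is fully encrypted
Successfully enrolled TPM2.0 key to keyslot: 0
Removing Keyslot: 1
"""

# A partition's section starts at this message (a parsing choice made here).
START = re.compile(r"Adding LUKS header to (\S+) and initializing encryption")
# Milestone labels are illustrative names; the patterns are the page's messages.
STEPS = [
    ("encrypted", re.compile(r"Partition (\S+) is fully encrypted")),
    ("tpm_enrolled", re.compile(r"Successfully enrolled TPM2\.0 key to keyslot: \d+")),
    ("token_added", re.compile(r"Successfully added token to keyslot: \d+")),
    ("tpm_unlock", re.compile(r"Successfully unlocked LUKS2 partition (\S+) using TPM 2\.0 key")),
    ("keyslot_removed", re.compile(r"Removing Keyslot: \d+")),
]

def check_conversion(log_text):
    """Return {partition: [milestones not seen]} for every partition converted."""
    events = [(m.start(), "start", m.group(1)) for m in START.finditer(log_text)]
    for name, pattern in STEPS:
        for m in pattern.finditer(log_text):
            events.append((m.start(), name, m.group(1) if pattern.groups else None))
    seen, current = {}, None
    for _, name, partition in sorted(events, key=lambda e: e[0]):
        if name == "start":
            current = partition
            seen[current] = set()
        elif current is not None and partition in (None, current):
            # Messages that name a partition count only for the one in progress.
            seen[current].add(name)
    return {p: [n for n, _ in STEPS if n not in s] for p, s in seen.items()}

if __name__ == "__main__":
    for partition, missing in check_conversion(SAMPLE_LOG).items():
        print(partition, "OK" if not missing else "MISSING: " + ", ".join(missing))
```

Because matching is by position in the text rather than by line, the check gives the same result on a log whose line breaks were lost in capture.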
Release Information
Command introduced in Junos OS Release 22.3R1.