request system filesystem encryption enable
Syntax
request system filesystem encryption enable <dry-run | re0 | re1>
Prerequisites
The following are the prerequisites for enabling filesystem encryption:
- The system contains a TPM 2.0 with IDevID provisioned.
- Systems with a single disk or redundant disks are supported.
- Back up configuration and log files.
Description
When you enable filesystem encryption, the conversion process starts with the backup Routing Engine, followed by the active Routing Engine. In the case of redundant disks, the conversion starts with the primary disk, followed by the secondary disk, to avoid loss of data.
Once enabled, encryption cannot be disabled. All software image (Junos OS Evolved) versions in the snapshot that don't support filesystem encryption are deleted. For Junos OS/VM Host, manually delete snapshots before enabling filesystem encryption. To roll back, perform a USB installation.
Table 1 shows user actions for a new unpartitioned hard disk in the system.
Filesystem Encryption | Action | Expected Behavior |
---|---|---|
When the filesystem encryption is not enabled and secondary disk is replaced. | Secondary disk is replaced with a new disk. | Leave the new disk unchanged. Create a snapshot on it using CLI. |
 | Secondary disk is replaced with a disk having random partitions. | Leave the new disk unchanged. Create the snapshot on it using CLI. |
 | Secondary disk is replaced with a disk from another EVO system. | Leave the new disk unchanged. Create the snapshot on it using CLI. |
When the filesystem encryption is not enabled and the primary disk is replaced. | Primary disk is replaced with a new disk. | System will boot from the secondary disk. Use CLI to restore the primary disk from a snapshot. |
 | Primary disk is replaced with random partitions. | System will boot from the secondary disk. Use CLI to restore the primary disk from a snapshot. |
 | Primary disk is replaced with a disk from another EVO system. | System will boot from the secondary disk. Use CLI to restore the primary disk from a snapshot. |
When the filesystem encryption is enabled and the secondary disk is replaced. | Replace the secondary disk with a new one. | The new disk will be formatted with encryption enabled. A snapshot will be created. |
 | Replace the secondary disk with random partitions. | Leave the new disk unchanged. Use CLI to create a snapshot on the new disk. |
 | Replace the secondary disk with a disk from another EVO system with encryption. | Leave the new disk unchanged. Use CLI to create a snapshot on the new disk. |
 | Replace secondary disk with a disk from another EVO system. | The new disk will be formatted with encryption enabled. A snapshot will be created. |
When the filesystem encryption is enabled and the primary disk is replaced. | Replace the primary disk with a brand new disk. | The system will boot from the secondary disk. The primary disk will be formatted with encryption enabled. A snapshot will be created on the primary disk. |
 | Replace the primary disk with random partitions and data. | The system will boot from the secondary disk. Use CLI to restore the primary disk from a snapshot. |
 | Replace the primary disk with a disk from another EVO system with encryption. | The system will boot from the secondary disk. Use CLI to restore the primary disk from a snapshot. |
 | Replace the primary disk with a disk from another EVO system. | The system will boot from the secondary disk. The primary disk will be formatted with encryption enabled. A snapshot will be created on the primary disk. |
Options
- none: Enable filesystem encryption on all Routing Engines.
- dry-run: (Optional) Display the filesystem encryption message without running the encryption process.
- re0: (Optional) Enable filesystem encryption on RE0.
- re1: (Optional) Enable filesystem encryption on RE1.
- routing-engine: (Optional) Enable filesystem encryption on the specified Routing Engine. Use one of the following options to specify the Routing Engine:
Required Privilege Level
maintenance
Sample Output
- request system filesystem encryption enable (Junos OS)
- request system filesystem encryption enable (Junos OS Evolved)
request system filesystem encryption enable (Junos OS)
user@host> request system filesystem encryption enable
Please check the message on enabling filesystem encryption enable using the dry-run option.
i.e. request system filesystem encrypton enable dry-run
Do you want to proceed ? [yes,no] (no) yes
Enable filesystem encryption ? [yes,no] (no) yes
A vmhost reboot is required to start filesystem encryption.
During the conversion process, a vmhost reboot using request vmhost reboot is required to start filesystem encryption and to reflect the changes.
request system filesystem encryption enable (Junos OS Evolved)
user@host> request system filesystem encryption enable
Please check the message on enabling filesystem encryption enable using the dry-run option.
i.e. 'request system filesystem encrypton enable dry-run'
Do you want to proceed ? [yes,no] (no) yes
-------------------------------
node: re0
-------------------------------
Removing version junos-evo-install-ptx-x86-64-23.4R2.14-EVO...
Removing external packages for junos-evo-install-ptx-x86-64-23.4R2.14-EVO...
Done.
Done.
A reboot is required to start the encryption. Issue 'request system reboot' command when ready.
Release Information
Command introduced in Junos OS Release 22.3R1.