Creating a Cloud VM Set for the Cryptographic Security Platform Vault for Databases
A VM must be part of a Cloud VM Set before it can be used for Transparent Data Encryption (TDE) in a database.
Before You Begin
-
If you want to use a Key Encryption Key (KEK) with the Cloud VM Set, Cryptographic Security Platform Vault for Databases must have access to a hardware security module (HSM) in which it can store the KEK.
Procedure
- Log into the Cryptographic Security Platform Vault for Databases webGUI using an account with Cloud Admin privileges.
- In the top menu bar, click Workloads.
- Select Actions > Create New Cloud VM Set.
- On the VM Set tab:
- Enter a name for the Cloud VM Set.
- Select the group to which this set should belong, or accept the default.
- Optionally enter a description for the set.
-
If you want to specify additional options, click the Additional Properties tab specify the options you want to use.
Options
Option
Description
Heartbeat
The length of time between the heartbeats each VM in the set sends to the Cryptographic Security Platform Vault for Databases to verify that the connection between them is functioning normally. You can specify seconds, minutes, hours, or days. The default is 5 minutes. This value should be set to a minimum of 10 seconds.
If changes have been made to the VMs through the Cryptographic Security Platform Vault for Databases webGUI, those changes are communicated to the VMs during the heartbeat. That means if the heartbeat is set to 5 minutes, then it can take up to 5 minutes for any changes made in the Cryptographic Security Platform Vault for Databases webGUI to be applied to the VMs in the set.
If a VM cannot reach the Cryptographic Security Platform Vault for Databases during the heartbeat, the VM continues to run but any changes made are not picked up by the VM until the next successful heartbeat. Cryptographic Security Platform Vault for Databases sets the status of the VM to Unreachable, but it takes no further action unless the heartbeat continues to fail after the Grace Period has expired.
Grace Period
The length of time that can pass without a successful heartbeat. The default is 365 days. You can specify the grace period in seconds, minutes, hours, or days.
If a VM remains unresponsive past the grace period, access to the data on the VM will be unavailable until the VM is re-authenticated with Cryptographic Security Platform Vault for Databases.
Maximum VMs allowed
The maximum number of cloud VMs allowed to register in this Cloud VM Set. The default is unlimited.
Certificate Auto Renewal Period
If you want Cryptographic Security Platform Vault for Databases to automatically renew the certificate for a VM in this Cloud VM Set, enter an integer greater than zero in this field. Cryptographic Security Platform Vault for Databases will renew the certificate that many days before the old one expires. For example, if you enter a value of 5 in this field and a VM certificate is set to expire on
To change the renewal period, click the existing value and enter a new value in the text field, then select days/weeks/months/years from the drop-down list. When you are finished, click Save.
If you want to disable certificate auto-renewal, enter 0 (zero) in this field.
Note: If you have auto-renewal set, but the renewal fails, Cryptographic Security Platform Vault for Databases will continue to retry until the certificate is valid. When the certificate is no longer valid, the admin password will be required.
Certificate Expiration
The length of time for which a VM certificate will be valid when it is first registered with Cryptographic Security Platform Vault or when it is auto-renewed by Cryptographic Security Platform Vault. The default is 1 year.
To change the expiration, click the existing value and enter a new value in the text field, then select days/weeks/months/years from the drop-down list. When you are finished, click Save.
Note: If you change this value for an existing Cloud VM Set, the certificate expiration date is not changed for any of the VMs that are currently part of the set. This value only takes effect for new VMs or when the certificates for the existing VMs are renewed.
-
If you want to specify when the VMs in the Cloud VM Set need to be re-authenticated, click the Reauthentication Settings tab and specify the options you want to use.
Option
Description
Reauthentication on IP Change
Whether
If your system configuration uses DHCP or multiple NICs, do not set this option to Yes. If you do so, the
Reauthentication on H/W Signature Change
Whether
The options are:
-
Yes—If either the MAC address or the UUID changes, the VM requires reauthentication. This is the default. We recommend that you do not change this option.
- Permissive—Both the MAC address and the UUID must change before the VM requires reauthentication.
-
No—The Cryptographic Security Platform Vault for Databases does not require reauthentication if VM's MAC address or UUID changes. We strongly recommend that you do not select this option. If you do, a cloned or misconfigured VM could gain access to the keys associated with the original VM.
If you do select this option, you must confirm the selection before you can proceed. If Cryptographic Security Platform Vault for Databases detects multiple VMs with the same MAC address and UUID combination when hardware validation is off, Cryptographic Security Platform Vault for Databases generates an alert every 8 hours until the cloned VMs stop heartbeating or hardware authentication is set to Yes or Permissive. In addition, Cryptographic Security Platform Vault for Databases generates an alert when client operations, such as key access or device registration, occur on the cloned VMs.
Reauthentication on Reboot
Whether
Setting this value to Yes is similar to requiring a boot-time password before the VM can come up completely.
-
-
If you want to specify a key encryption key (KEK), click the Key Encryption Key tab, choose the type of Key Encryption Key Association, and then specify the required information.
A KEK provides an extra layer of security by encrypting the individual data encryption keys on the VMs associated with this Cloud VM Set. It also controls the expiration and revocation of those data encryption keys. To protect the KEK, Cryptographic Security Platform Vault requires that the KEK be stored in the hardware security module (HSM) associated with this Cryptographic Security Platform Vault cluster. For more information, see
You can add the KEK during Cloud VM Set creation or at a later time.
-
Determine whether Cryptographic Security Platform Vault for Databases creates a KEK for this Cloud VM Set. To use a KEK, select Use KEK from the drop-down list and click Save to view the KEK properties.
If you do not make a selection, then the default value is No KEK Association is used, and the tab is not populated. If you decide you want to use a KEK, you can add the KEK to the Cloud VM Set later.
-
Complete the required information for your choice:
If you selected USE KEK, complete the following:
Option
Description
Key Expiration Period
The length of time for which the KEK and all data encryption keys on the VMs will be valid. To indicate that the KEK should never expire, set this field to 0 (zero). This is the default.
If you change the Key Expiration Period, the new expiration period begins from the day you make the change, not from the day the Cloud VM Set was created.
When this time period expires:
- All disks on all VMs in the Cloud VM Set are automatically detached. What happens to the keys depends on the setting in the Key Expiration Action field.
- Any attempt to register a new VM with the Cloud VM Set will fail.
- Any encrypt or decrypt operation on any of the associated VMs will fail.
To change the expiration period, click the existing value and enter a new value in the text field, then select days/weeks/months/years from the drop-down list. When you are finished, click Save.
Note: If the Key Expiration Option field is set to Change, you can shorten the expiration period but you cannot lengthen it beyond the original date.
Key Expiration Action
The options are:
- No Use—The KEK and all data encryption keys are deactivated but retained. The keys can be reactivated and the expiration date extended if the Key Expiration Option field is set to Extend. This is the default.
-
Shred—The KEK and all data encryption keys are destroyed and cannot be retrieved. In addition, all VMs in the set are removed from Cryptographic Security Platform Vault for Databases and the Cloud VM Set itself is deleted.
Shred is a destructive action that cannot be undone. Make sure you have set the correct Key Expiration Period when using this option.
Key Expiration Option
The options are:
- No Change—The KEK expiration options cannot be changed after the Cloud VM Set has been created. This is the default. Selecting this option means that once the top-level key expires it cannot be reactivated and all VMs will be automatically detached from Cryptographic Security Platform Vault for Databases when the expiration date is reached.
- Change—The KEK expiration options can be changed after the Cloud VM Set has been created, but the Key Expiration Period cannot be extended beyond the original date. This is the default.
- Extend—All KEK expiration options can be changed after the Cloud VM Set has been created.
-
- When you have finished specifying the Cloud VM Set options, click Create.
- When you see the Cloud VM Set Successfully Created message, click Close.
What to Do Next
Install the Policy Agent on the VM(s) where you want to use TDE and register it with Cryptographic Security Platform Vault.
- For Linux, see
- For Windows, see