Creating a Cloud VM Set

All VMs must be part of a Cloud VM Set before they can be encrypted. The set controls global options for the VMs it contains and tracks KeyIDs and FSIDs. It also allows you to enable the BoundaryControl feature that uses Policy Rules and constraints in HyTrust CloudControl (HTCC) to authenticate and authorize delivery of encryption keys for the data encrypted by DataControl and managed by KeyControl.

Before You Begin 

Procedure 

  1. Log in to the KeyControl webGUI on any node in the cluster using an account with Cloud Admin privileges.

  2. In the top menu bar, click Cloud.
  3. Select Actions > Create New Cloud VM Set.
  4. On the VM Set tab:
    1. Enter a name for the Cloud VM Set.
    2. Select the group to which this set should belong.
    3. Optionally enter a description for the set.
    4. If you want to use the BoundaryControl feature, select the HTCC app server link that you want to use from the drop-down list. You can change the server link after you save the Cloud VM Set, but you cannot enable BoundaryControl later if you do not select a server at this point.

  5. If you want to specify additional options, click the Additional Properties tab and specify the options you want to use.

  6. If you want to specify a key encryption key (KEK), click the Key Encryption Key tab and specify the required information.

    A KEK provides an extra layer of security by encrypting the individual data encryption keys on the VMs associated with this Cloud VM Set. It also controls the expiration and revocation of those data encryption keys. To protect the KEK, KeyControl requires that the KEK be stored in the hardware security module (HSM) associated with this KeyControl cluster. For more information, see KEKs with Cloud VM Sets.

    You cannot change whether the Cloud VM Set uses a KEK after the Cloud VM Set has been created.

    Note: If you associate a KEK with this Cloud VM Set, you do not have to specify the KEK immediately, but you will not be able to associate any VMs with the Cloud VM Set until the KEK has been successfully created and stored in the HSM. For details on associating an HSM, see Hardware Security Modules with KeyControl.
  7. When you have finished specifying the Cloud VM Set options, click Create.
  8. When you see the Cloud VM Set Successfully Created message, click Close.