Creating a Cloud VM Set

All VMs must be part of a Cloud VM Set before they can be encrypted. The set controls global options for the VMs it contains and tracks KeyIDs and FSIDs. It also allows you to enable the BoundaryControl feature that uses Policy Rules and constraints in HyTrust CloudControl (HTCC) to authenticate and authorize delivery of encryption keys for the data encrypted by DataControl and managed by KeyControl.

Before You Begin 

Procedure 

  1. Log into the KeyControl webGUI on any node in the cluster using an account with Cloud Admin privileges.

  2. In the top menu bar, click Cloud.
  3. Select Actions > Create New Cloud VM Set.
  4. On the VM Set tab:
    1. Enter a name for the Cloud VM Set.
    2. Select the group to which this set should belong.
    3. Optionally enter a description for the set.

    4. If you want to use the BoundaryControl feature, select the HTCC app server link that you want to use from the drop-down list. You can change the server link after you save the Cloud VM Set but you cannot enable BoundaryControl later if you do not select a server at this point.

  5. If you want to specify additional options, click the Additional Properties tab specify the options you want to use.

    ClosedOptions

    Option

    Description

    Heartbeat

    The length of time between the heartbeats each VM in the set sends to KeyControl to verify that the connection between them is functioning normally. You can specify seconds, minutes, hours, or days. The default is 5 minutes. This value should be set to a minimum of 10 seconds.

    If changes have been made to the VMs through the KeyControl webGUI, those changes are communicated to the VMs during the heartbeat. That means if the heartbeat is set to 5 minutes, then it can take up to 5 minutes for any changes made in the KeyControl webGUI to be applied to the VMs in the set.

    If a VM cannot reach KeyControl during the heartbeat, the VM continues to run but any changes made in KeyControl are not picked up by the VM until the next successful heartbeat. KeyControl sets the status of the VM to Unreachable, but it takes no further action unless the heartbeat continues to fail after the Grace Period has expired.

    Grace Period

    The length of time that can pass without a successful heartbeat. The default is 1 day. You can specify the grace period in seconds, minutes, hours, or days.

    If a VM remains unresponsive past the grace period, access to the data on the VM will be unavailable until the VM is re-authenticated with KeyControl.

    Max Parallel Rekey Operations

    The number of concurrent Auto Rekey operations that can be performed for VMs in the Cloud VM Set. The default is 1.

    Rekey Interval

    The length of time after the current Auto Rekey operation finishes and the next Auto Rekey starts for the disk. You can select any number of days, weeks, months, or years. To disable Auto Rekey, enter 0 in this field. By default, Auto Rekey is disabled.

    Reauthenticate on IP Change

    Whether a VM in the set must be re-authenticated when the VM's IP address changes. The default is No.

    Reauthenticate on H/W Signature change

    Whether a VM must be reauthorized if its hardware signature changes. The default is Yes.

    KeyControl uses the MAC address of the first Ethernet card as the hardware signature. Typically, when a VM is copied the hypervisor changes the MAC address of the new copy. In this case, the default setting requires a copied VM to be reauthenticated with KeyControl.

    Reauthenticate on Reboot

    Whether a VM must be reauthenticated every time it reboots. The default is No.

    Setting this value to Yes is similar to requiring a boot-time password before the VM can come up completely.

    Certificate Auto Renewal Period

    If you want KeyControl to automatically renew the certificate for a VM in this Cloud VM Set, enter an integer greater than zero in this field. KeyControl will renew the certificate that many days before the old one expires. For example, if you enter a value of 5 in this field and a VM certificate is set to expire on June 12, 2017, KeyControl will renew the license on June 7, 2017. The default is 10 days.

    To change the renewal period, click the existing value and enter a new value in the text field, then select days/weeks/months/years from the drop-down list. When you are finished, click Save.

    If you want to disable certificate auto-renewal, enter 0 (zero) in this field.

    Certificate Expiration

    The length of time for which a VM certificate will be valid when it is first registered with KeyControl or when it is auto-renewed by KeyControl. The the default is 1 year.

    To change the expiation, click the existing value and enter a new value in the text field, then select days/weeks/months/years from the drop-down list. When you are finished, click Save.

    Note: If you change this value for an existing Cloud VM Set, the certificate expiration date is not changed for any of the VMs that are currently part of the set. This value only takes effect for new VMs or when the certificates for the existing VMs are renewed.

  6. If you want to specify a key encryption key (KEK), click the Key Encryption Key tab and specify the required information.

    A KEK provides an extra layer of security by encrypting the individual data encryption keys on the VMs associated with this Cloud VM Set. It also controls the expiration and revocation of those data encryption keys. To protect the KEK, KeyControl requires that the KEK be stored in the hardware security module (HSM) associated with this KeyControl cluster. For more information, see KEKs with Cloud VM Sets.

    You cannot change whether the Cloud VM Set uses a KEK after the Cloud VM Set has been created.

    Note: If you associate a KEK with this Cloud VM Set, you do not have to specify the KEK immediately, but you will not be able to associate any VMs with the Cloud VM Set until the KEK has been successfully created and stored in the HSM. For details on associating an HSM, see Hardware Security Modules with KeyControl.
    ClosedOptions

    Option

    Description
    Key Encryption Key Association

    Determines whether KeyControl creates a KEK for this Cloud VM Set. The default is No KEK Association.

    To use a KEK, select Use KEK from the drop-down list and click Save. After you click Save, KeyControl displays the Base64 Encoded Key field and allows you to make changes to the rest of the KEK properties.

    Important: If you have already configured an HSM  for this KeyControl cluster, you can enter the encoded key now. If you have not yet configured the HSM, however, do not enter an encoded key at this time. Instead, leave the Base64 Encoded Key field blank and click Create to create the Cloud VM Set with the KEK association set but no key created. You can import the KEK later as described in Importing a KEK for an Existing Cloud VM Set.

    Base64 Encoded Key

    The encryption key KeyControl should use to encrypt all data encryption keys for all VMs in the Cloud VM Set. The expiration option settings for this KEK are automatically inherited by all VMs registered with the Cloud VM Set.

    Specify the base64-encoded value for a 128-bit or 256-bit key. KeyControl stores the KEK in the associated HSM when you save the Cloud VM Set.

    Important: Do not specify an encoded key unless you have already associated this KeyControl cluster with an HSM. If you specify an encoded key with no HSM, the Cloud VM Set creation request will fail.

    Key Expiration Period

    The length of time for which the KEK and all data encryption keys on the VMs will be valid. The default is 2 weeks. To indicate that the KEK should never expire, set this field to 0 (zero).

    When this time period expires:

    • All disks on all VMs in the Cloud VM Set are automatically detached. What happens to the keys depends on the setting in the Key Expiration Action field.
    • Any attempt to register a new VM with the Cloud VM Set will fail.
    • Any encrypt or decrypt operation on any of the associated VMs will fail.

    To change the expiration period, click the existing value and enter a new value in the text field, then select days/weeks/months/years from the drop-down list. When you are finished, click Save.

    Key Expiration Action

    The options are:

    • No Use — The KEK and all data encryption keys are deactivated but retained. The keys can be reactivated and the expiration date extended if the Key Expiration Option field is set to Extend. This is the default.

    • Shred — The KEK and all data encryption keys are destroyed and cannot be retrieved. In addition, all VMs in the set are removed from KeyControl and the Cloud VM Set itself is deleted.

      Only use Shred if you are absolutely certain that you will never need to access the Cloud VM Set or the VMs registered with the Cloud VM Set again.
    VM Set Retention Period

    If Key Expiration Action is set to No Use, this field determines the period of time for which Cloud VM Set objects will be retained after the expiration date is reached.

    After this period passes, KeyControl permanently deletes all cloud VMs, the Cloud VM Set, and the associated KEK.

    Key Expiration Option

    The options are:

    • No Change — The KEK expiration options cannot be changed after the Cloud VM Set has been created. This is the default. Selecting this option means that once the top-level key expires it cannot be reactivated and all VMs will be automatically detached from KeyControl when the expiration date is reached.
    • Change — The KEK expiration options can be changed after the Cloud VM Set has been created, but the Key Expiration Period cannot be extended beyond the original date.
    • Extend — All KEK expiration options can be changed after the Cloud VM Set has been created.
  7. When you have finished specifying the Cloud VM Set options, click Create.
  8. When you see the Cloud VM Set Successfully Created message, click Close.

 

HyTrust DataControl v 4.1

Copyright © 2017 HyTrust, Inc. All Rights Reserved.

Follow us: