Importing a KEK for an Existing Cloud VM Set
If a Cloud VM Set was created with an associated Key Encryption Key (KEK) but the Base64 encoded key was not specified at the time of creation, you need to import one before you can register VMs with the Cloud VM Set.
KeyControl creates the KEK based on a user-provided 128- or 256-bit encoded key and stores the KEK in an associated hardware security module (HSM).
Before You Begin
Make sure there is an HSM associated with this KeyControl cluster. For details, see Hardware Security Modules with KeyControl.
Procedure
- Log into the KeyControl webGUI using an account with Cloud Admin privileges.
- In the top menu bar, click Cloud.
- Select the Cloud VM Set whose KEK you want to import.
- Select Actions > Import Key Encryption Key and specify the options you want to use.
Options
Base64 Encoded Key
The encryption key KeyControl should use to encrypt all data encryption keys for all VMs in the Cloud VM Set. The expiration option settings for this KEK are automatically inherited by all VMs registered with the Cloud VM Set.
Specify the base64-encoded value for a 128-bit or 256-bit key. KeyControl stores the KEK in the associated HSM when you submit the import request.
Key Expiration Period
The length of time for which the KEK and all data encryption keys on the VMs will be valid. To indicate that the KEK should never expire, set this field to 0 (zero).
If you change the Key Expiration Period, the new expiration period begins from the day you make the change, not from the day the Cloud VM Set was created.
When this time period expires:
- All disks on all VMs in the Cloud VM Set are automatically detached. What happens to the keys depends on the setting in the Key Expiration Action field.
- Any attempt to register a new VM with the Cloud VM Set will fail.
- Any encrypt or decrypt operation on any of the associated VMs will fail.
Note: If the Key Expiration Option field is set to Change, you can shorten the expiration period but you cannot lengthen it beyond the original date.
Key Expiration Action
The options are:
- No Use — The KEK and all data encryption keys are deactivated but retained. The keys can be reactivated and the expiration date extended if the Key Expiration Option field is set to Extend.
- Shred — The KEK and all data encryption keys are destroyed and cannot be retrieved. In addition, all VMs in the set are removed from KeyControl and the Cloud VM Set itself is deleted.
Only use Shred if you are absolutely certain that you will never need to access the Cloud VM Set or the VMs registered with the Cloud VM Set again.
Key Expiration Option
The options are:
- No Change — None of the KEK properties can be changed. The only thing you can do is revoke access to all VMs in the Cloud VM Set by selecting Actions > Revoke Key Encryption Key.
- Change — You can change the expiration options but you cannot set an expiration date beyond the date originally specified when the Cloud VM Set was created.
- Extend — You can change any of the expiration options as desired.
VM Set Retention Period
If Key Expiration Action is set to No Use, this field determines the period of time for which Cloud VM Set objects will be retained after the expiration date is reached.
After this period passes, KeyControl permanently deletes all cloud VMs, the Cloud VM Set, and the associated KEK.
- Click Proceed.
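The Base64 Encoded Key field accepts only a 128-bit or 256-bit key, and the import request fails on anything else, including a valid but unsupported 192-bit AES key, a string with a stray newline from a file copy, or non-base64 characters. The following Python script, added here as an example and not part of the KeyControl product or its documentation, generates a KEK of the right size from the OS random generator and checks a candidate string before you paste it into the dialog. Function names, the constructed sample values, and the size check are the example's own; they do not reflect any KeyControl API. Treat the generated string as key material: produce it on a trusted host, paste it directly, and do not leave it in shell history, tickets, or chat.

```python
import base64
import binascii
import os

# Key sizes the Import Key Encryption Key dialog accepts, in bytes
# (128-bit and 256-bit keys). Assumed from the page; not a KeyControl constant.
ALLOWED_KEK_BYTES = {16, 32}


def generate_kek_b64(bits: int = 256) -> str:
    """Return a fresh random KEK of the requested size as a base64 string.

    The bytes come from the OS CSPRNG (os.urandom). A KEK must never be
    derived from a password, a timestamp or any other guessable value.
    """
    if bits not in (128, 256):
        raise ValueError("KeyControl KEKs must be 128 or 256 bits")
    return base64.b64encode(os.urandom(bits // 8)).decode("ascii")


def validate_kek_b64(value: str) -> int:
    """Check a candidate Base64 Encoded Key value before it is submitted.

    Returns the key length in bits (128 or 256). Raises ValueError when the
    string carries leading/trailing whitespace (a common copy-paste error),
    is not strict base64, or decodes to any other key size, such as a
    192-bit key that is valid AES but not accepted by the dialog.
    """
    if value != value.strip():
        raise ValueError("key has leading or trailing whitespace")
    try:
        # validate=True rejects any character outside the base64 alphabet
        # instead of silently discarding it.
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if len(raw) not in ALLOWED_KEK_BYTES:
        raise ValueError(f"decoded key is {len(raw) * 8} bits; need 128 or 256")
    return len(raw) * 8


def is_valid_kek_b64(value: str) -> bool:
    """Boolean form of validate_kek_b64 for a quick pre-flight check."""
    try:
        validate_kek_b64(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed demonstration values, not keys from any real deployment.
    kek = generate_kek_b64(256)
    print(f"generated {validate_kek_b64(kek)}-bit KEK: {kek}")
    for bad in ("A" * 32,              # decodes to 24 bytes: a 192-bit key
                kek + "\n",            # trailing newline from a file copy
                "not*base64*at*all"):  # characters outside the alphabet
        print(f"accepted {bad!r}? {is_valid_kek_b64(bad)}")
```

Run it once to print a fresh 256-bit key (pass 128 to generate_kek_b64 for a 128-bit key), then paste the printed string into the Base64 Encoded Key field. The rejection cases in the main block show the three mistakes that otherwise only surface as a failed import.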