KEKs with Cloud VM Sets
A Key Encryption Key (KEK) provides an extra layer of security by encrypting the individual data encryption keys on the VMs associated with a Cloud VM Set. Both the KEK and the individual data encryption key must be available before the information on the VM can be accessed.
To protect the KEK, KeyControl requires that the KEK be stored in the hardware security module (HSM) associated with this KeyControl cluster. If the HSM is not available, then the VMs protected by the KEK cannot be accessed or rebooted. If you decide to associate a KEK with a Cloud VM Set, it is imperative that the HSM be available to KeyControl at all times.
The KEK also provides a way to control the accessibility of all the associated VMs with a single command. If the KEK expires or is revoked, then all associated VMs become inaccessible at the next heartbeat regardless of the state of their individual data encryption keys.
As the KEK expiration date nears, KeyControl issues an alert notifying the Domain Admins associated with the Cloud VM Set that the KEK is about to expire. When the expiration date is reached, the KEK state changes from ACTIVE to EXPIRED_PENDING. What happens at that point depends on the Key Expiration Action defined for the KEK. For more information, see Changing KEK Properties.
For information on configuring an HSM, see Hardware Security Modules with KeyControl.
Considerations
- The HSM must be available before you can encrypt the root drive on any VM associated with a Cloud VM Set that uses a KEK.
- After you encrypt the root drive, the HSM must be available any time that VM reboots or the reboot will fail.
- If you create a Cloud VM Set, you must decide whether to associate the Cloud VM Set with a KEK at creation time. You cannot add or remove a KEK from a Cloud VM Set after the set has been created.
- If you associate a KEK with a Cloud VM Set, you must supply the Base64-encoded 128-bit or 256-bit KEK key bits that KeyControl can encrypt and store in the HSM. If the HSM is not available, you can create the Cloud VM Set without specifying a key. You can then import the Base64 key into the Cloud VM Set after connection to the HSM has been restored.
- If a Cloud VM Set is associated with a KEK, no VMs can be registered with the Cloud VM Set until KeyControl has successfully stored the KEK in the HSM.
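To make the rules above concrete, here is an added example (not KeyControl's own code, and not from this page) that models the two-key dependency described at the top: each VM holds its own data encryption key (DEK), every DEK is stored only in wrapped form under the Cloud VM Set's KEK, and removing the KEK makes every VM's DEK unreachable at once. It also enforces the Considerations list: the supplied key bits must be Base64 that decodes to exactly 16 or 32 bytes, and a VM cannot be registered while no KEK is stored. AES-GCM is an assumed, illustrative wrapping construction; the page does not describe how KeyControl actually wraps DEKs, and `CloudVMSet`, `RegisterVM`, `RevokeKEK` and `OpenVM` are names invented for this model.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

var (
	ErrBadKEKLength   = errors.New("KEK key bits must decode to exactly 16 or 32 bytes")
	ErrKEKUnavailable = errors.New("KEK unavailable: not yet stored, expired, revoked, or HSM unreachable")
)

// DecodeKEK parses the Base64 key bits supplied for a Cloud VM Set and enforces the 128/256-bit rule.
func DecodeKEK(b64 string) ([]byte, error) {
	kek, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, errors.New("KEK is not valid Base64")
	}
	if len(kek) != 16 && len(kek) != 32 {
		return nil, ErrBadKEKLength
	}
	return kek, nil
}

// gcmFor builds the AEAD used to wrap DEKs (assumption: AES-GCM stands in for KeyControl's real format).
func gcmFor(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapDEK encrypts one VM's data encryption key under the KEK (random nonce prepended).
func WrapDEK(kek, dek []byte) ([]byte, error) {
	gcm, err := gcmFor(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, dek, nil), nil
}

// UnwrapDEK recovers the DEK; the GCM tag check rejects a wrong KEK or tampered blob.
func UnwrapDEK(kek, wrapped []byte) ([]byte, error) {
	gcm, err := gcmFor(kek)
	if err != nil {
		return nil, err
	}
	if len(wrapped) < gcm.NonceSize() {
		return nil, errors.New("wrapped DEK is too short")
	}
	return gcm.Open(nil, wrapped[:gcm.NonceSize()], wrapped[gcm.NonceSize():], nil)
}

// CloudVMSet: VMs cannot register until the KEK is stored, and a DEK is reachable only while the KEK is.
type CloudVMSet struct {
	kek         []byte            // nil models "not stored in the HSM yet" or expired/revoked
	wrappedDEKs map[string][]byte // per-VM DEK encrypted under the KEK
}

// NewCloudVMSet validates and stores the KEK at creation time (it cannot be added later).
func NewCloudVMSet(kekB64 string) (*CloudVMSet, error) {
	kek, err := DecodeKEK(kekB64)
	if err != nil {
		return nil, err
	}
	return &CloudVMSet{kek: kek, wrappedDEKs: map[string][]byte{}}, nil
}

func (s *CloudVMSet) RegisterVM(name string, dek []byte) error {
	if s.kek == nil {
		return ErrKEKUnavailable
	}
	w, err := WrapDEK(s.kek, dek)
	if err != nil {
		return err
	}
	s.wrappedDEKs[name] = w
	return nil
}

// RevokeKEK models expiry or revocation: every associated VM becomes inaccessible at once.
func (s *CloudVMSet) RevokeKEK() { s.kek = nil }

// OpenVM returns the VM's plaintext DEK, which needs both the KEK and the wrapped DEK.
func (s *CloudVMSet) OpenVM(name string) ([]byte, error) {
	w, ok := s.wrappedDEKs[name]
	if !ok {
		return nil, errors.New("VM is not registered with this Cloud VM Set")
	}
	if s.kek == nil {
		return nil, ErrKEKUnavailable
	}
	return UnwrapDEK(s.kek, w)
}
```

A set built with `NewCloudVMSet` rejects 192-bit or malformed key bits before anything else happens, mirroring the requirement that the KEK be stored before VMs can register; after `RevokeKEK`, `OpenVM` fails for every VM even though each wrapped DEK is still present, which is the single-command cut-off the page describes. Note that `WrapDEK` and `UnwrapDEK` have no recovery path when the KEK is gone, which is exactly why the HSM holding the real KEK must stay reachable.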