Creating a Cloud VM Set

A VM must be part of a Cloud VM Set before it can be encrypted. The set controls global options for the VMs it contains. It also allows you to enable the BoundaryControl feature that uses Policy Rules and constraints in HyTrust CloudControl (HTCC) to authenticate and authorize delivery of encryption keys for the data encrypted by the HyTrust DataControl Policy Agent and managed by KeyControl.

Before You Begin

If you want to use a Key Encryption Key (KEK) with the Cloud VM Set, KeyControl must have access to a hardware security module (HSM) in which it can store the KEK. For more information, see KEKs with Cloud VM Sets and Hardware Security Modules with KeyControl.

If you are using the BoundaryControl feature, make sure you know the URL or IP address of the CloudControl server you want to use. A link between KeyControl and the CloudControl server must already be established before you can use it in the Cloud VM Set. For details about establishing the link, see Linking KeyControl with CloudControl.

Important:

You cannot change whether the BoundaryControl feature is enabled or disabled after you have created the Cloud VM Set. If you do not select a CloudControl server link during this procedure, you cannot go back and add one. Conversely, if you do select a link you cannot go back and disable BoundaryControl later.

Procedure

Log into the KeyControl webGUI using an account with Cloud Admin privileges.
In the top menu bar, click Cloud.
Select Actions > Create New Cloud VM Set.
On the VM Set tab:
1. Enter a name for the Cloud VM Set.
2. Select the group to which this set should belong.
3. Optionally enter a description for the set.
4. If you want to use the BoundaryControl feature, select the CloudControl app server link that you want to use from the drop-down list. You can change the server link after you save the Cloud VM Set but you cannot enable BoundaryControl later if you do not select a server at this point.

If you want to specify additional options, click the Additional Properties tab specify the options you want to use.

Options

Option

Description

Heartbeat

The length of time between the heartbeats each VM in the set sends to KeyControl to verify that the connection between them is functioning normally. You can specify seconds, minutes, hours, or days. The default is 5 minutes. This value should be set to a minimum of 10 seconds.

If changes have been made to the VMs through the KeyControl webGUI, those changes are communicated to the VMs during the heartbeat. That means if the heartbeat is set to 5 minutes, then it can take up to 5 minutes for any changes made in the KeyControl webGUI to be applied to the VMs in the set.

If a VM cannot reach KeyControl during the heartbeat, the VM continues to run but any changes made in KeyControl are not picked up by the VM until the next successful heartbeat. KeyControl sets the status of the VM to Unreachable, but it takes no further action unless the heartbeat continues to fail after the Grace Period has expired.

Grace Period

The length of time that can pass without a successful heartbeat. The default is 1 day. You can specify the grace period in seconds, minutes, hours, or days.

If a VM remains unresponsive past the grace period, access to the data on the VM will be unavailable until the VM is re-authenticated with KeyControl.

Max Parallel Rekey Operations

The number of concurrent Auto Rekey operations that can be performed for VMs in the Cloud VM Set. The default is 1.

Rekey Interval

If you specify any value other than 0 (zero) for this option, KeyControl periodically creates a rekey task for every encrypted disk in every VM that is registered with this Cloud VM Set. You can select any number of days, weeks, months, or years and KeyControl will automatically rekey the encrypted disks on that schedule.

To disable Auto Rekey, enter 0 in this field. By default, Auto Rekey is disabled.

Certificate Auto Renewal Period

If you want KeyControl to automatically renew the certificate for a VM in this Cloud VM Set, enter an integer greater than zero in this field. KeyControl will renew the certificate that many days before the old one expires. For example, if you enter a value of 5 in this field and a VM certificate is set to expire on June 12, 2019, KeyControl will renew the license on June 7, 2019. The default is 10 days.

To change the renewal period, click the existing value and enter a new value in the text field, then select days/weeks/months/years from the drop-down list. When you are finished, click Save.

If you want to disable certificate auto-renewal, enter 0 (zero) in this field.

Certificate Expiration

The length of time for which a VM certificate will be valid when it is first registered with KeyControl or when it is auto-renewed by KeyControl. The default is 1 year.

To change the expiation, click the existing value and enter a new value in the text field, then select days/weeks/months/years from the drop-down list. When you are finished, click Save.

Note:

If you change this value for an existing Cloud VM Set, the certificate expiration date is not changed for any of the VMs that are currently part of the set. This value only takes effect for new VMs or when the certificates for the existing VMs are renewed.

Auto Encryption

If this option is enabled, whenever a new VM is registered with this Cloud VM Set, KeyControl will automatically instruct the Policy Agent to encrypt one or more of the drives on that VM.

To enable this option, click Disabled, select Enabled from the drop-down list, then click Save. When you do so, the webGUI displays the Encryption Policy fields:

Auto Encryption Policy Type. This can be:
- Exclude—The Windows drives and Linux devices listed in the Auto Encryption Policy Path(s) field will not be automatically encrypted, although they can be encrypted manually at any time. This is the default.
- Include—The Windows drives and Linux devices listed in the Auto Encryption Policy Path(s) field will be automatically encrypted. All other drives or devices on the the VM must be encrypted manually.
- Encrypt All Devices—All Windows drives and Linux devices will be automatically encrypted.

Auto Encryption Policy Path(s)—If the policy type is Include or Exclude, enter a path that should be included or excluded. To add additional paths, click the + (Plus sign) in this field. You can enter either a Windows drive a Linux device name. For example, any of the following would be valid path names: C:, C:\data, or sdb1.

Important:

Each path must be on its own line.

For more information, see Automatic Data Encryption.

Decryption Allowed

If this option is set to Yes, the drives and devices in the VMs registered with this Cloud VM Set can be decrypted. If it is set to No, any decryption request will fail.

Policy Agent Uninstallation Allowed

If this option is set to Yes, the Policy Agent can be uninstalled on the VMs registered with this Cloud VM Set. If it is set to No, the Policy Agent cannot be uninstalled.

If you want to specify when the VMs in the Cloud VM Set need to be re-authenticated, click the Reauthentication Settings tab and specify the options you want to use.

Options

Option	Description
Reauthentication on IP Change	Whether a VM in the set must be re-authenticated when the VM's IP address changes. The default is No. If your system configuration uses DHCP or multiple NICs, do not set this option to Yes. If you do so, the VMs in the set may go into a reboot loop if their boot partitions are encrypted and any encrypted drives may be detached.
Reauthentication on H/W Signature Change	Whether a VM in the set must be re-authenticated if its MAC address or UUID changes. The options are: Yes — If either the MAC address or the UUID changes, the VM requires reauthentication. This is the default. We recommend that you do not change this option. Permissive — Both the MAC address and the UUID must change before the VM requires reauthentication. You can use this option if your system administrators are performing maintenance on the VMs in this Cloud VM Set that require changes to the network cards and hence to the MAC addresses of the VMs in the set. We recommend you reset this value to Yes once maintenance is finished. No — KeyControl does not require reauthentication if VM's MAC address or UUID changes. We strongly recommend that you do not select this option. If you do, a cloned or misconfigured VM could gain access to the keys associated with the original VM. If you do select this option, you must confirm the selection before you can proceed. If KeyControl detects multiple VMs with the same MAC address and UUID combination when hardware validation is off, KeyControl generates an alert every 8 hours until the cloned VMs stop heartbeating or hardware authentication is set to Yes or Permissive. In addition, KeyControl generates an alert when client operations, such as key access or device registration, occur on the cloned VMs.
Reauthentication on Reboot	Whether a VM in the set must be re-authenticated every time it reboots. The default is No. Setting this value to Yes is similar to requiring a boot-time password before the VM can come up completely.

Option

Description

Reauthentication on IP Change

Whether a VM in the set must be re-authenticated when the VM's IP address changes. The default is No.

If your system configuration uses DHCP or multiple NICs, do not set this option to Yes. If you do so, the VMs in the set may go into a reboot loop if their boot partitions are encrypted and any encrypted drives may be detached.

Reauthentication on H/W Signature Change

Whether a VM in the set must be re-authenticated if its MAC address or UUID changes.

The options are:

Yes — If either the MAC address or the UUID changes, the VM requires reauthentication. This is the default. We recommend that you do not change this option.
Permissive — Both the MAC address and the UUID must change before the VM requires reauthentication. You can use this option if your system administrators are performing maintenance on the VMs in this Cloud VM Set that require changes to the network cards and hence to the MAC addresses of the VMs in the set. We recommend you reset this value to Yes once maintenance is finished.
No — KeyControl does not require reauthentication if VM's MAC address or UUID changes. We strongly recommend that you do not select this option. If you do, a cloned or misconfigured VM could gain access to the keys associated with the original VM.

If you do select this option, you must confirm the selection before you can proceed. If KeyControl detects multiple VMs with the same MAC address and UUID combination when hardware validation is off, KeyControl generates an alert every 8 hours until the cloned VMs stop heartbeating or hardware authentication is set to Yes or Permissive. In addition, KeyControl generates an alert when client operations, such as key access or device registration, occur on the cloned VMs.

Reauthentication on Reboot

Whether a VM in the set must be re-authenticated every time it reboots. The default is No.

Setting this value to Yes is similar to requiring a boot-time password before the VM can come up completely.

If you want to specify a key encryption key (KEK), click the Key Encryption Key tab and specify the required information.

A KEK provides an extra layer of security by encrypting the individual data encryption keys on the VMs associated with this Cloud VM Set. It also controls the expiration and revocation of those data encryption keys. To protect the KEK, KeyControl requires that the KEK be stored in the hardware security module (HSM) associated with this KeyControl cluster. For more information, see KEKs with Cloud VM Sets.

You cannot change whether the Cloud VM Set uses a KEK after the Cloud VM Set has been created.

Note:

If you associate a KEK with this Cloud VM Set, you do not have to specify the KEK immediately, but you will not be able to associate any VMs with the Cloud VM Set until the KEK has been successfully created and stored in the HSM. For details on associating an HSM, see Hardware Security Modules with KeyControl.

Options

Option

Description

Key Encryption Key Association

Determines whether KeyControl creates a KEK for this Cloud VM Set. The default is No KEK Association.

To use a KEK, select Use KEK from the drop-down list and click Save. After you click Save, KeyControl displays the Base64 Encoded Key field and allows you to make changes to the rest of the KEK properties.

Important:

If you have already configured an HSM for this KeyControl cluster, you can enter the encoded key now. If you have not yet configured the HSM, however, do not enter an encoded key at this time. Instead, leave the Base64 Encoded Key field blank and click Create to create the Cloud VM Set with the KEK association set but no key created. You can import the KEK later as described in Importing a KEK for an Existing Cloud VM Set.

Base64 Encoded Key

The encryption key KeyControl should use to encrypt all data encryption keys for all VMs in the Cloud VM Set. The expiration option settings for this KEK are automatically inherited by all VMs registered with the Cloud VM Set.

Specify the base64-encoded value for a 128-bit or 256-bit key. KeyControl stores the KEK in the associated HSM when you save the Cloud VM Set.

Important:

Do not specify an encoded key unless you have already associated this KeyControl cluster with an HSM. If you specify an encoded key with no HSM, the Cloud VM Set creation request will fail.

Key Expiration Period

The length of time for which the KEK and all data encryption keys on the VMs will be valid. The default is 2 weeks. To indicate that the KEK should never expire, set this field to 0 (zero).

When this time period expires:

All disks on all VMs in the Cloud VM Set are automatically detached. What happens to the keys depends on the setting in the Key Expiration Action field.
Any attempt to register a new VM with the Cloud VM Set will fail.
Any encrypt or decrypt operation on any of the associated VMs will fail.

To change the expiration period, click the existing value and enter a new value in the text field, then select days/weeks/months/years from the drop-down list. When you are finished, click Save.

Key Expiration Action

The options are:

No Use — The KEK and all data encryption keys are deactivated but retained. The keys can be reactivated and the expiration date extended if the Key Expiration Option field is set to Extend.
Shred — The KEK and all data encryption keys are destroyed and cannot be retrieved. In addition, all VMs in the set are removed from KeyControl and the Cloud VM Set itself is deleted. This is the default.

Shred is a destructive action that cannot be undone. Make sure you have set the correct Key Expiration Period when using this option.

VM Set Retention Period

If Key Expiration Action is set to No Use, this field determines the period of time for which Cloud VM Set objects will be retained after the expiration date is reached.

After this period passes, KeyControl permanently deletes all cloud VMs, the Cloud VM Set, and the associated KEK.

Key Expiration Option

The options are:

No Change — The KEK expiration options cannot be changed after the Cloud VM Set has been created. This is the default. Selecting this option means that once the top-level key expires it cannot be reactivated and all VMs will be automatically detached from KeyControl when the expiration date is reached.
Change — The KEK expiration options can be changed after the Cloud VM Set has been created, but the Key Expiration Period cannot be extended beyond the original date.
Extend — All KEK expiration options can be changed after the Cloud VM Set has been created.

If you want the VMs in this Cloud VM Set to use a Single Encryption Key (SEK), click the Single Encryption Key tab specify the required information.

If you enable this option, all the VMs registered with the Cloud VM Set will be encrypted with the same encryption key, and the key's expiry date and expiration option will be set at the Cloud VM Set level instead of at the disk level. Using a SEK enables data deduplication because identical blocks at the same offset will be encrypted with the same key and will therefore still be identical after encryption. For details, see Data Deduplication with Cloud VM Sets.

Options

Option	Description
Single Key Encryption State	This feature is Disabled by default. To enable it, click Disabled, then select Enabled from the drop-down list and click Save. After you click Save, the KeyControl webGUI displays the rest of the SEK option fields.
Single Key Encryption Expiration	The date on which the SEK key will expire or "Never" if the SEK never expires. If you specify a date and the SEK key expires, access to every encrypted disk on every VM in the Cloud VM Set will be denied. What happens to the SEK key depends on the setting in the Expiration Action field.
Single Key Encryption Expiration Action	No Use — The key is deactivated but retained. It can be reactivated by setting a future expiration date, or by setting the expiration date to "Never". At that point, all access to the encrypted data will be restored. This is the default. Shred — The key is destroyed and cannot be retrieved. You should only use this option if you are absolutely certain that you will never again need to access the data encrypted by this key. If a key is shredded, any data encrypted by this key cannot be decrypted.

If you want to want KeyControl to store the keys for VMs in this Cloud VM Set in an Ionic Keyspace, click the Ionic Properties tab and specify the options you want to use. For details about using KeyControl with Ionic, contact HyTrust support.
When you have finished specifying the Cloud VM Set options, click Create.
When you see the Cloud VM Set Successfully Created message, click Close.