Migrating Files into AWS S3 Buckets

This section covers the tools that HyTrust provides to encrypt files, place them within Amazon Web Services (AWS) S3 buckets and access the files securely from VMs that reside within the same Cloud VM Set, regardless of whether the other VMs in the set are running in AWS.

This is accomplished using KeyIDs, which are symbolic names that reference the actual encryption keys.

Basically, you use the hcs3 command to create an S3 bucket, then you securely add KeyID-encrypted files to the bucket. VMs within the same Cloud VM Set can access those files and decrypt them without having to manipulate or manage encryption keys.

For example, consider the following figure:

[Figure: Objects Bucket]

We want to create an S3 bucket, encrypt files, place them in the bucket and then access the files from the VM running in AWS. Here is the sequence of operations performed within the VM in the data center:

# hcs3 setstore TKIAN7ZDFBY2BU36DVPQ FZ9gsvIT1oDvuOiJrdSLRqBvmLZPcxzOWT4Qx7y5
# hcs3 create spate_aws
# hcs3 add spate_aws file1
# hcs3 add spate_aws file2
# hcs3 list spate_aws
file1 file2 

First we call hcs3 setstore to provide our AWS access key ID and secret access key. This is only called once. Next we create a bucket called spate_aws. Note that this has the side effect of creating a KeyID that is also called spate_aws. Finally, we add files to the bucket; each file is encrypted before it is moved into the bucket.

From within the VM in AWS, we can simply access the files as follows:

# hcs3 get spate_aws file1
# ls
file1
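The workflow above, as an added example that is not HyTrust's own code: a POSIX shell wrapper around the hcs3 commands that confirms each upload appears in the bucket listing and verifies a retrieved file against a SHA-256 digest recorded on the publishing side. It assumes hcs3 is on PATH, that hcs3 setstore has already been run once, and that hcs3 list prints object names separated by whitespace; publish_files, fetch_and_verify and digest are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not part of the HyTrust documentation or product code.
# Assumes: `hcs3` is on PATH and behaves as shown on the page, and
# `hcs3 setstore <access-key-id> <secret>` has already been run once.
set -eu

# SHA-256 of a file, using whichever digest tool the host provides.
digest() {
    (sha256sum "$1" 2>/dev/null || shasum -a 256 "$1") | cut -d' ' -f1
}

# Data-center side: create the bucket (this also creates the KeyID of the
# same name), add each file, then confirm every file shows up in the listing.
# Returns 1 if any file is missing from the bucket afterwards.
publish_files() {
    bucket=$1; shift
    hcs3 create "$bucket"
    for f in "$@"; do
        hcs3 add "$bucket" "$f"
    done
    for f in "$@"; do
        # Normalise the listing to one name per line before matching exactly.
        hcs3 list "$bucket" | tr ' ' '\n' | grep -qx "$(basename "$f")" || return 1
    done
}

# AWS side: fetch one object and compare it with the digest recorded before
# publishing. The expected digest is carried by the deployment (not by the
# bucket), so a swapped or corrupted object is detected. Returns 1 on mismatch.
fetch_and_verify() {
    bucket=$1; name=$2; expected=$3
    hcs3 get "$bucket" "$name"
    [ "$(digest "$name")" = "$expected" ]
}

# Usage (data-center VM): publish_files spate_aws file1 file2
# Usage (AWS VM):         fetch_and_verify spate_aws file1 <sha256-of-file1>
```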