Creating a Cloud VM Set

A VM must be part of a Cloud VM Set before it can be encrypted. The set controls global options for the VMs it contains. It also allows you to enable the BoundaryControl feature that uses Policy Rules and constraints in HyTrust CloudControl (HTCC) to authenticate and authorize delivery of encryption keys for the data encrypted by the HyTrust DataControl Policy Agent and managed by KeyControl.

Before You Begin

If you want to use a Key Encryption Key (KEK) with the Cloud VM Set, KeyControl must have access to a hardware security module (HSM) in which it can store the KEK. For more information, see KEKs with Cloud VM Sets and Hardware Security Modules with KeyControl.

Note: If you are using IBM Hyper Protect Crypto Services (HPCS), the KEK is not stored in the HSM.
If you are using the BoundaryControl feature, make sure you know the URL or IP address of the CloudControl server you want to use. A link between KeyControl and the CloudControl server must already be established before you can use it in the Cloud VM Set. For details about establishing the link, see Linking KeyControl with CloudControl.

Important: You cannot change whether the BoundaryControl feature is enabled or disabled after you have created the Cloud VM Set. If you do not select a CloudControl server link during this procedure, you cannot go back and add one. Conversely, if you do select a link you cannot go back and disable BoundaryControl later.

Procedure

Log into the KeyControl webGUI using an account with Cloud Admin privileges.
In the top menu bar, click Cloud.
Select Actions > Create New Cloud VM Set.
On the VM Set tab:
1. Enter a name for the Cloud VM Set.
2. Select the group to which this set should belong.
3. Optionally enter a description for the set.
4. If you want to use the BoundaryControl feature, select the CloudControl app server link that you want to use from the drop-down list. You can change the server link after you save the Cloud VM Set but you cannot enable BoundaryControl later if you do not select a server at this point.

If you want to specify additional options, click the Additional Properties tab specify the options you want to use.

Option	Description
Heartbeat	The length of time between the heartbeats each VM in the set sends to KeyControl to verify that the connection between them is functioning normally. You can specify seconds, minutes, hours, or days. The default is 5 minutes. This value should be set to a minimum of 10 seconds. If changes have been made to the VMs through the KeyControl webGUI, those changes are communicated to the VMs during the heartbeat. That means if the heartbeat is set to 5 minutes, then it can take up to 5 minutes for any changes made in the KeyControl webGUI to be applied to the VMs in the set. If a VM cannot reach KeyControl during the heartbeat, the VM continues to run but any changes made in KeyControl are not picked up by the VM until the next successful heartbeat. KeyControl sets the status of the VM to Unreachable, but it takes no further action unless the heartbeat continues to fail after the Grace Period has expired.
Grace Period	The length of time that can pass without a successful heartbeat. The default is 1 day. You can specify the grace period in seconds, minutes, hours, or days. If a VM remains unresponsive past the grace period, access to the data on the VM will be unavailable until the VM is re-authenticated with KeyControl.
Max Parallel Rekey Operations	The number of concurrent Auto Rekey operations that can be performed for VMs in the Cloud VM Set. The default is 1.
Rekey Interval	If you specify any value other than 0 (zero) for this option, KeyControl periodically creates a rekey task for every encrypted disk in every VM that is registered with this Cloud VM Set. You can select any number of days, weeks, months, or years and KeyControl will automatically rekey the encrypted disks on that schedule. To disable Auto Rekey, enter 0 in this field. By default, Auto Rekey is disabled.
Maximum VMs allowed	The maximum number of cloud VMs allowed to register in this Cloud VM Set. The default is unlimited.
Certificate Auto Renewal Period	If you want KeyControl to automatically renew the certificate for a VM in this Cloud VM Set, enter an integer greater than zero in this field. KeyControl will renew the certificate that many days before the old one expires. For example, if you enter a value of 5 in this field and a VM certificate is set to expire on June 12, 2019, KeyControl will renew the license on June 7, 2019. The default is 10 days. To change the renewal period, click the existing value and enter a new value in the text field, then select days/weeks/months/years from the drop-down list. When you are finished, click Save. If you want to disable certificate auto-renewal, enter 0 (zero) in this field.
Certificate Expiration	The length of time for which a VM certificate will be valid when it is first registered with KeyControl or when it is auto-renewed by KeyControl. The default is 1 year. To change the expiation, click the existing value and enter a new value in the text field, then select days/weeks/months/years from the drop-down list. When you are finished, click Save. Note: If you change this value for an existing Cloud VM Set, the certificate expiration date is not changed for any of the VMs that are currently part of the set. This value only takes effect for new VMs or when the certificates for the existing VMs are renewed.
Auto Encryption	If this option is enabled, whenever a new VM is registered with this Cloud VM Set, KeyControl will automatically instruct the Policy Agent to encrypt one or more of the drives on that VM. To enable this option, click Disabled, select Enabled from the drop-down list, then click Save. When you do so, the webGUI displays the Encryption Policy fields: Auto Encryption Policy Type. This can be: Exclude—The Windows drives and Linux devices listed in the Auto Encryption Policy Path(s) field will not be automatically encrypted, although they can be encrypted manually at any time. This is the default. Include—The Windows drives and Linux devices listed in the Auto Encryption Policy Path(s) field will be automatically encrypted. All other drives or devices on the the VM must be encrypted manually. Encrypt All Devices—All Windows drives and Linux devices will be automatically encrypted. Auto Encryption Policy Path(s)—If the policy type is Include or Exclude, enter a path that should be included or excluded. To add additional paths, click the + (Plus sign) in this field. You can enter either a Windows drive a Linux device name. For example, any of the following would be valid path names: `C:`, `C:\data`, or `sdb1`. Important: Each path must be on its own line. For more information, see Automatic Data Encryption.
Decryption Allowed	If this option is set to Yes, the drives and devices in the VMs registered with this Cloud VM Set can be decrypted. If it is set to No, any decryption request will fail.
Policy Agent Uninstallation Allowed	If this option is set to Yes, the Policy Agent can be uninstalled on the VMs registered with this Cloud VM Set. If it is set to No, the Policy Agent cannot be uninstalled.

If you want to specify when the VMs in the Cloud VM Set need to be re-authenticated, click the Reauthentication Settings tab and specify the options you want to use.

Option	Description
Reauthentication on IP Change	Whether a VM in the set must be re-authenticated when the VM's IP address changes. The default is No. If your system configuration uses DHCP or multiple NICs, do not set this option to Yes. If you do so, the VMs in the set may go into a reboot loop if their boot partitions are encrypted and any encrypted drives may be detached.
Reauthentication on H/W Signature Change	Whether a VM in the set must be re-authenticated if its MAC address or UUID changes. The options are: Yes — If either the MAC address or the UUID changes, the VM requires reauthentication. This is the default. We recommend that you do not change this option. Permissive — Both the MAC address and the UUID must change before the VM requires reauthentication. You can use this option if your system administrators are performing maintenance on the VMs in this Cloud VM Set that require changes to the network cards and hence to the MAC addresses of the VMs in the set. We recommend you reset this value to Yes once maintenance is finished. No — KeyControl does not require reauthentication if VM's MAC address or UUID changes. We strongly recommend that you do not select this option. If you do, a cloned or misconfigured VM could gain access to the keys associated with the original VM. If you do select this option, you must confirm the selection before you can proceed. If KeyControl detects multiple VMs with the same MAC address and UUID combination when hardware validation is off, KeyControl generates an alert every 8 hours until the cloned VMs stop heartbeating or hardware authentication is set to Yes or Permissive. In addition, KeyControl generates an alert when client operations, such as key access or device registration, occur on the cloned VMs.
Reauthentication on Reboot	Whether a VM in the set must be re-authenticated every time it reboots. The default is No. Setting this value to Yes is similar to requiring a boot-time password before the VM can come up completely.

Option

Description

Reauthentication on IP Change

Whether a VM in the set must be re-authenticated when the VM's IP address changes. The default is No.

If your system configuration uses DHCP or multiple NICs, do not set this option to Yes. If you do so, the VMs in the set may go into a reboot loop if their boot partitions are encrypted and any encrypted drives may be detached.

Reauthentication on H/W Signature Change

Whether a VM in the set must be re-authenticated if its MAC address or UUID changes.

The options are:

Yes — If either the MAC address or the UUID changes, the VM requires reauthentication. This is the default. We recommend that you do not change this option.
Permissive — Both the MAC address and the UUID must change before the VM requires reauthentication. You can use this option if your system administrators are performing maintenance on the VMs in this Cloud VM Set that require changes to the network cards and hence to the MAC addresses of the VMs in the set. We recommend you reset this value to Yes once maintenance is finished.
No — KeyControl does not require reauthentication if VM's MAC address or UUID changes. We strongly recommend that you do not select this option. If you do, a cloned or misconfigured VM could gain access to the keys associated with the original VM.

If you do select this option, you must confirm the selection before you can proceed. If KeyControl detects multiple VMs with the same MAC address and UUID combination when hardware validation is off, KeyControl generates an alert every 8 hours until the cloned VMs stop heartbeating or hardware authentication is set to Yes or Permissive. In addition, KeyControl generates an alert when client operations, such as key access or device registration, occur on the cloned VMs.

Reauthentication on Reboot

Whether a VM in the set must be re-authenticated every time it reboots. The default is No.

Setting this value to Yes is similar to requiring a boot-time password before the VM can come up completely.

If you want to specify a key encryption key (KEK), click the Key Encryption Key tab, choose the type of Key Encryption Key Association, and then specify the required information.

A KEK provides an extra layer of security by encrypting the individual data encryption keys on the VMs associated with this Cloud VM Set. It also controls the expiration and revocation of those data encryption keys. To protect the KEK, KeyControl requires that the KEK be stored in the hardware security module (HSM) associated with this KeyControl cluster. For more information, see KEKs with Cloud VM Sets.

Note: If you are using IBM HPCS (Hyper Protect Crypto Services), the KEK is not stored in the HPCS HSM.

You cannot change whether the Cloud VM Set uses a KEK, or what type of KEK, after the Cloud VM Set has been created.

Important: For an HPCS KEK, you must specify the HPCS server information when you create the Cloud VM Set.

Determine whether KeyControl creates a KEK for this Cloud VM Set. Choose one of the following:
- Select Use KEK from the drop-down list and click Save to view the KEK properties.
- Select Use HPCS KEK from the drop-down list and click Save to view the HPCS KEK properties.
If you do not make a selection, then the default value is No KEK Association is used, and the tab is not populated.

Complete the required information for your choice:

Option	Description
Key Expiration Period	The length of time for which the KEK and all data encryption keys on the VMs will be valid. To indicate that the KEK should never expire, set this field to 0 (zero). This is the default. If you change the Key Expiration Period, the new expiration period begins from the day you make the change, not from the day the Cloud VM Set was created. When this time period expires: All disks on all VMs in the Cloud VM Set are automatically detached. What happens to the keys depends on the setting in the Key Expiration Action field. Any attempt to register a new VM with the Cloud VM Set will fail. Any encrypt or decrypt operation on any of the associated VMs will fail. To change the expiration period, click the existing value and enter a new value in the text field, then select days/weeks/months/years from the drop-down list. When you are finished, click Save. Note: If the Key Expiration Option field is set to Change, you can shorten the expiration period but you cannot lengthen it beyond the original date.
Key Expiration Action	The options are: No Use — The KEK and all data encryption keys are deactivated but retained. The keys can be reactivated and the expiration date extended if the Key Expiration Option field is set to Extend. This is the default. Shred — The KEK and all data encryption keys are destroyed and cannot be retrieved. In addition, all VMs in the set are removed from KeyControl and the Cloud VM Set itself is deleted. Shred is a destructive action that cannot be undone. Make sure you have set the correct Key Expiration Period when using this option.
Key Expiration Option	The options are: No Change — The KEK expiration options cannot be changed after the Cloud VM Set has been created. This is the default. Selecting this option means that once the top-level key expires it cannot be reactivated and all VMs will be automatically detached from KeyControl when the expiration date is reached. Change — The KEK expiration options can be changed after the Cloud VM Set has been created, but the Key Expiration Period cannot be extended beyond the original date. This is the default. Extend — All KEK expiration options can be changed after the Cloud VM Set has been created.

Option

Description

Key Expiration Period

The length of time for which the KEK and all data encryption keys on the VMs will be valid. To indicate that the KEK should never expire, set this field to 0 (zero). This is the default.

If you change the Key Expiration Period, the new expiration period begins from the day you make the change, not from the day the Cloud VM Set was created.

When this time period expires:

All disks on all VMs in the Cloud VM Set are automatically detached. What happens to the keys depends on the setting in the Key Expiration Action field.
Any attempt to register a new VM with the Cloud VM Set will fail.
Any encrypt or decrypt operation on any of the associated VMs will fail.

To change the expiration period, click the existing value and enter a new value in the text field, then select days/weeks/months/years from the drop-down list. When you are finished, click Save.

Note: If the Key Expiration Option field is set to Change, you can shorten the expiration period but you cannot lengthen it beyond the original date.

Key Expiration Action

The options are:

No Use — The KEK and all data encryption keys are deactivated but retained. The keys can be reactivated and the expiration date extended if the Key Expiration Option field is set to Extend. This is the default.
Shred — The KEK and all data encryption keys are destroyed and cannot be retrieved. In addition, all VMs in the set are removed from KeyControl and the Cloud VM Set itself is deleted.

Shred is a destructive action that cannot be undone. Make sure you have set the correct Key Expiration Period when using this option.

Key Expiration Option

The options are:

No Change — The KEK expiration options cannot be changed after the Cloud VM Set has been created. This is the default. Selecting this option means that once the top-level key expires it cannot be reactivated and all VMs will be automatically detached from KeyControl when the expiration date is reached.
Change — The KEK expiration options can be changed after the Cloud VM Set has been created, but the Key Expiration Period cannot be extended beyond the original date. This is the default.
Extend — All KEK expiration options can be changed after the Cloud VM Set has been created.

Option	Description
HPCS URL	The URL for the IBM HPCS server to be used by the Cloud VM Set.
HPCS Api Key	The API key to be used to connect to the IBM HPCS server.
HPCS Instance Id	The instance ID for your IBM HPCS server.
HPCS Root Key	The Key ID in the IBM HPCS server to be used for generating a KEK. Note: This value is optional. If you do not include the root key, then KeyControl will create one in HPCS.
Key Expiration Period	The length of time for which the KEK and all data encryption keys on the VMs will be valid. The default is Never (0 days). When this time period expires: All disks on all VMs in the Cloud VM Set are automatically detached. What happens to the keys depends on the setting in the Key Expiration Action field. Any attempt to register a new VM with the Cloud VM Set will fail. Any encrypt or decrypt operation on any of the associated VMs will fail. To change the expiration period, click the existing value and enter a new value in the text field, then select days/weeks/months/years from the drop-down list. When you are finished, click Save.
Key Expiration Action	The options are: No Use — The KEK and all data encryption keys are deactivated but retained. The keys can be reactivated and the expiration date extended if the Key Expiration Option field is set to Extend. This is the default. Shred — The KEK and all data encryption keys are destroyed and cannot be retrieved. In addition, all VMs in the set are removed from KeyControl and the Cloud VM Set itself is deleted. Shred is a destructive action that cannot be undone. Make sure you have set the correct Key Expiration Period when using this option.
Key Expiration Option	The options are: No Change — The KEK expiration options cannot be changed after the Cloud VM Set has been created. Selecting this option means that once the top-level key expires it cannot be reactivated and all VMs will be automatically detached from KeyControl when the expiration date is reached. Change — The KEK expiration options can be changed after the Cloud VM Set has been created, but the Key Expiration Period cannot be extended beyond the original date. This is the default. Extend — All KEK expiration options can be changed after the Cloud VM Set has been created.

If you want the VMs in this Cloud VM Set to use a Single Encryption Key (SEK), click the Single Encryption Key tab specify the required information.

If you enable this option, all the VMs registered with the Cloud VM Set will be encrypted with the same encryption key, and the key's expiry date and expiration option will be set at the Cloud VM Set level instead of at the disk level. Using a SEK enables data deduplication because identical blocks at the same offset will be encrypted with the same key and will therefore still be identical after encryption. For details, see Data Deduplication with Cloud VM Sets.

Option	Description
Single Key Encryption State	This feature is Disabled by default. To enable it, click Disabled, then select Enabled from the drop-down list and click Save. After you click Save, the KeyControl webGUI displays the rest of the SEK option fields.
Single Key Encryption Expiration	The date on which the SEK key will expire or "Never" if the SEK never expires. If you specify a date and the SEK key expires, access to every encrypted disk on every VM in the Cloud VM Set will be denied. What happens to the SEK key depends on the setting in the Expiration Action field.
Single Key Encryption Expiration Action	No Use — The key is deactivated but retained. It can be reactivated by setting a future expiration date, or by setting the expiration date to "Never". At that point, all access to the encrypted data will be restored. This is the default. Shred — The key is destroyed and cannot be retrieved. You should only use this option if you are absolutely certain that you will never again need to access the data encrypted by this key. If a key is shredded, any data encrypted by this key cannot be decrypted.

If you want to want KeyControl to store the keys for VMs in this Cloud VM Set in an Ionic Keyspace, click the Ionic Properties tab and specify the options you want to use. For details about using KeyControl with Ionic, contact HyTrust support.
When you have finished specifying the Cloud VM Set options, click Create.
When you see the Cloud VM Set Successfully Created message, click Close.