KEKs with Cloud VM Sets
A Key Encryption Key (KEK) provides an extra layer of security by encrypting the individual data encryption keys on the VMs associated with a Cloud VM Set. Both the KEK and the individual data encryption key must be available before the information on the VM can be accessed.
To protect the KEK, KeyControl requires that the KEK be stored in the hardware security module (HSM) associated with this KeyControl cluster. If the HSM is not available, then the VMs protected by the KEK cannot be accessed or rebooted. If you decide to associate a KEK with a Cloud VM Set, it is imperative that the HSM be available to KeyControl at all times.
The KEK also provides a way to control the accessibility of all the associated VMs with a single command. If the KEK expires or is revoked, then all associated VMs become inaccessible at the next heartbeat regardless of the state of their individual data encryption keys.
As the KEK expiration date nears, KeyControl issues an alert notifying the Domain Admins associated with the Cloud VM Set that the KEK is about to expire. When the expiration date is reached, the KEK state changes from ACTIVE to EXPIRED_PENDING. What happens at that point depends on the Key Expiration Action defined for the KEK. For more information, see Changing KEK Properties.
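The following Python is an added illustration, not KeyControl's own code or algorithm: it models the dependency described above, where one KEK per Cloud VM Set wraps each VM's individual data encryption key (DEK) and a heartbeat after expiration or revocation locks every VM regardless of its DEK. The keyed-hash wrap stands in for the HSM-held AES key, epoch-second integers stand in for dates, and the class and method names are assumptions.

```python
import hmac, hashlib, secrets

ACTIVE, EXPIRED_PENDING, REVOKED = "ACTIVE", "EXPIRED_PENDING", "REVOKED"

class KEK:
    def __init__(self, expires_at):  # expires_at: epoch seconds; the secret lives in the HSM in reality
        self.secret, self.expires_at, self.state = secrets.token_bytes(32), expires_at, ACTIVE

    def _keystream(self, nonce, n):  # illustrative keyed-hash stream, not AES key wrap
        return hashlib.sha256(self.secret + nonce).digest()[:n]

    def wrap(self, dek):  # returns nonce || encrypted DEK || integrity tag
        assert len(dek) <= 32, "illustration handles DEKs up to 32 bytes"
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(dek, self._keystream(nonce, len(dek))))
        return nonce + ct + hmac.new(self.secret, nonce + ct, hashlib.sha256).digest()

    def unwrap(self, blob, now):
        self.refresh(now)
        if self.state != ACTIVE:  # an expired or revoked KEK recovers no DEK at all
            raise PermissionError(f"KEK is {self.state}")
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self.secret, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("wrapped DEK failed integrity check")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))

    def refresh(self, now):  # ACTIVE -> EXPIRED_PENDING once the expiration date is reached
        if self.state == ACTIVE and now >= self.expires_at:
            self.state = EXPIRED_PENDING

    def revoke(self): self.state = REVOKED

class CloudVMSet:
    def __init__(self, kek):
        self.kek, self.vms = kek, {}

    def register_vm(self, name):
        dek = secrets.token_bytes(32)  # per-VM data encryption key, kept only in wrapped form
        self.vms[name] = {"wrapped_dek": self.kek.wrap(dek), "accessible": True}

    def heartbeat(self, now):  # every VM re-checks the KEK; a non-ACTIVE KEK locks all of them
        for vm in self.vms.values():
            try:
                self.kek.unwrap(vm["wrapped_dek"], now)
                vm["accessible"] = True
            except PermissionError:
                vm["accessible"] = False
        return {name: vm["accessible"] for name, vm in self.vms.items()}
```

A constructed timeline with two VMs and a KEK expiring at 1,000 shows both VMs accessible at the heartbeat at 900 and both locked at the heartbeat at 1,100, even though neither DEK changed.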
For information on configuring an HSM, see Hardware Security Modules with KeyControl.
HPCS KEK
IBM Hyper Protect Crypto Services (HPCS) is a new IBM Cloud HSM that, when used in conjunction with KeyControl, can be used for greater protection of encryption keys. With HPCS, you can connect directly to an HPCS instance, obtain or create a root key, and then use the root key to generate a KEK. The HPCS KEK is a 256-bit AES symmetric key.
To create a Cloud VM Set with a KEK or HPCS KEK, see Creating a Cloud VM Set.
Considerations
- The HSM must be available before you can encrypt any virtual disk on any VM associated with a Cloud VM Set that uses a KEK.
- After you encrypt the virtual disk, the HSM must be available any time that VM is booted or rebooted, or the boot operation will fail.
- If you create a Cloud VM Set, you must decide whether to associate the Cloud VM Set with a KEK or HPCS KEK at creation time. You cannot add or remove a KEK from a Cloud VM Set after the set has been created.
- If a Cloud VM Set is associated with a KEK, no VMs can be registered with the Cloud VM Set until KeyControl has successfully stored the KEK in the HSM.