Adding KEK to an Existing Cloud VM Set

You can add a Key Encryption Key (KEK) to an existing Cloud VM Set that already contains VMs. A KEK provides an extra layer of security by encrypting the individual data encryption keys (DEKs) of the VMs associated with this Cloud VM Set; it also controls the expiration and revocation of those DEKs. When you add the KEK, all existing KeyIDs and disk encryption keys, and any VM keys created afterwards, are encrypted using the KEK. A rekey process is started to encrypt the existing encryption keys, and an alert is generated when all keys have been encrypted successfully.

To protect the KEK, KeyControl requires that it be stored in a hardware security module (HSM) associated with this KeyControl cluster. For more information, see KEKs with Cloud VM Sets.

After the KEK has been added, you cannot change whether the Cloud VM Set uses a KEK, or which type of KEK it uses. The HSM must be available before any keys can be encrypted with the KEK. Keys remain accessible to clients while the rekey is in progress.
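The key hierarchy described above (a KEK wrapping per-VM DEKs, a rekey that wraps the keys that already exist, new keys wrapped from creation, keys still readable during the rekey, and an HSM that must be reachable before the KEK can be used) is shown below as an added example. It is not KeyControl's own code and does not reproduce KeyControl's actual wrapping algorithm, which this page does not state; it assumes AES-256-GCM as the wrapping primitive, an in-memory 32-byte KEK in place of the HSM-resident one, an HSMAvailable flag standing in for HSM reachability, and the VMKey/CloudVMSet types, which are hypothetical names chosen for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// VMKey is one VM's data encryption key (DEK) record, addressed by its KeyID.
type VMKey struct {
	KeyID   string
	DEK     []byte // plaintext DEK; nil once the record has been wrapped
	Nonce   []byte // AES-GCM nonce used to wrap this record
	Wrapped []byte // AES-256-GCM(DEK) under the KEK, with KeyID as associated data
}

// CloudVMSet holds the key records of one Cloud VM Set; kek is nil until AddKEK.
// Assumption for this example: the KEK is a 32-byte AES-GCM key, and the HSM in
// which KeyControl keeps the real KEK is modelled by the HSMAvailable flag.
type CloudVMSet struct {
	Keys         []*VMKey
	HSMAvailable bool
	kek          cipher.AEAD
}

var ErrHSMUnavailable = errors.New("HSM holding the KEK is not available")
var ErrKEKAlreadySet = errors.New("KEK association cannot be changed once added")

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// wrap encrypts rec.DEK under the KEK and drops the plaintext. KeyID is bound as
// associated data, so a wrapped blob cannot be re-attached to another KeyID.
func (s *CloudVMSet) wrap(rec *VMKey) error {
	if !s.HSMAvailable {
		return ErrHSMUnavailable
	}
	rec.Nonce = randomBytes(s.kek.NonceSize())
	rec.Wrapped = s.kek.Seal(nil, rec.Nonce, rec.DEK, []byte(rec.KeyID))
	rec.DEK = nil
	return nil
}

// NewVMKey creates a DEK for a VM and returns a copy to the caller. Once the set
// has a KEK, new records are stored wrapped from the start.
func (s *CloudVMSet) NewVMKey(keyID string) ([]byte, error) {
	dek := randomBytes(32)
	rec := &VMKey{KeyID: keyID, DEK: append([]byte(nil), dek...)}
	if s.kek != nil {
		if err := s.wrap(rec); err != nil {
			return nil, err
		}
	}
	s.Keys = append(s.Keys, rec)
	return dek, nil
}

// AddKEK associates the KEK and runs the rekey over every record that still holds
// a plaintext DEK. It returns the number of records rekeyed.
func (s *CloudVMSet) AddKEK(kekBytes []byte) (int, error) {
	if s.kek != nil {
		return 0, ErrKEKAlreadySet
	}
	if !s.HSMAvailable {
		return 0, ErrHSMUnavailable
	}
	block, err := aes.NewCipher(kekBytes) // rejects anything but a 16/24/32-byte key
	if err != nil {
		return 0, err
	}
	s.kek, _ = cipher.NewGCM(block) // cannot fail for an AES block cipher
	n := 0
	for _, rec := range s.Keys {
		if rec.DEK == nil {
			continue
		}
		if err := s.wrap(rec); err != nil {
			return n, err
		}
		n++
	}
	return n, nil
}

// DEK returns the plaintext DEK for a KeyID. A record not yet rekeyed is served
// directly, so keys stay usable while the rekey runs; a wrapped record needs the
// HSM (hence the KEK) and must authenticate under its own KeyID.
func (s *CloudVMSet) DEK(keyID string) ([]byte, error) {
	for _, rec := range s.Keys {
		if rec.KeyID != keyID {
			continue
		}
		if rec.DEK != nil {
			return append([]byte(nil), rec.DEK...), nil
		}
		if !s.HSMAvailable {
			return nil, ErrHSMUnavailable
		}
		return s.kek.Open(nil, rec.Nonce, rec.Wrapped, []byte(keyID))
	}
	return nil, errors.New("no such KeyID in this Cloud VM Set")
}

func main() {
	set := &CloudVMSet{HSMAvailable: true}
	set.NewVMKey("vm-1")
	n, err := set.AddKEK(randomBytes(32))
	fmt.Println("records rekeyed:", n, "err:", err)
}
```

Two design points carry over to the real product: once AddKEK has run, the example refuses a second KEK for the same set, matching the rule that the KEK association cannot be changed afterwards; and a wrapped record is authenticated together with its KeyID, so a wrapped DEK that is copied onto a different KeyID fails to unwrap rather than silently decrypting the wrong VM's data.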

Procedure 

  1. Log into the KeyControl webGUI using an account with Cloud Admin privileges.
  2. In the top menu bar, click Cloud.
  3. Select the Cloud VM Set to which you would like to add the KEK.
  4. Select Actions > Add KEK.
  5. In the Add KEK to Cloud VM Set window, choose the type of Key Encryption Key association that you want to use. Choose one of the following: 

    • Select Use KEK from the drop-down list and click Save to view the KEK properties.
    • Select Use HPCS KEK from the drop-down list and click Save to view the HPCS KEK properties.
  6. Complete the required information for your choice: 

  7. Click Add.