Adding KEK to an Existing Cloud VM Set

You can add a Key Encryption Key (KEK) to an existing Cloud VM Set that contains VMs. A KEK provides an extra layer of security by encrypting the individual data encryption keys on the VMs associated with this Cloud VM Set. It also controls the expiration and revocation of those data encryption keys. When you add the KEK, all existing KeyIDs, disk encryption keys, and any new VM keys created will be encrypted using the KEK. A rekey process will be started to encrypt the existing encryption keys. An alert will be generated when the encryption of all keys has completed successfully.

To protect the KEK, KeyControl requires that the KEK be stored in a hardware security module (HSM) that is associated with this KeyControl cluster. For more information, see KEKs with Cloud VM Sets.

After the KEK has been added, you cannot change whether the Cloud VM Set uses a KEK, or what type of KEK is used. The HSM must be available before you can encrypt keys with KEK. Keys will remain accessible by clients when the rekey is in progress.

Procedure

Log into the KeyControl webGUI using an account with Cloud Admin privileges.
In the top menu bar, click Cloud.
Select the Cloud VM Set to which you would like to add the KEK.
Select Actions > Add KEK.
In the Add KEK to Cloud VM Set window, choose the type of Key Encryption Key association that you want to use. Choose one of the following:
- Select Use KEK from the drop-down list and click Save to view the KEK properties.
- Select Use HPCS KEK from the drop-down list and click Save to view the HPCS KEK properties.

Complete the required information for your choice:

Option	Description
Key Expiration Period	The length of time for which the KEK and all data encryption keys on the VMs will be valid. To indicate that the KEK should never expire, set this field to 0 (zero). This is the default. If you change the Key Expiration Period, the new expiration period begins from the day you make the change, not from the day the Cloud VM Set was created. When this time period expires: All disks on all VMs in the Cloud VM Set are automatically detached. What happens to the keys depends on the setting in the Key Expiration Action field. Any attempt to register a new VM with the Cloud VM Set will fail. Any encrypt or decrypt operation on any of the associated VMs will fail. To change the expiration period, click the existing value and enter a new value in the text field, then select days/weeks/months/years from the drop-down list. When you are finished, click Save. Note: If the Key Expiration Option field is set to Change, you can shorten the expiration period but you cannot lengthen it beyond the original date.
Key Expiration Action	The options are: No Use — The KEK and all data encryption keys are deactivated but retained. The keys can be reactivated and the expiration date extended if the Key Expiration Option field is set to Extend. This is the default. Shred — The KEK and all data encryption keys are destroyed and cannot be retrieved. In addition, all VMs in the set are removed from KeyControl and the Cloud VM Set itself is deleted. Shred is a destructive action that cannot be undone. Make sure you have set the correct Key Expiration Period when using this option.
Key Expiration Option	The options are: No Change — The KEK expiration options cannot be changed after the Cloud VM Set has been created. This is the default. Selecting this option means that once the top-level key expires it cannot be reactivated and all VMs will be automatically detached from KeyControl when the expiration date is reached. Change — The KEK expiration options can be changed after the Cloud VM Set has been created, but the Key Expiration Period cannot be extended beyond the original date. This is the default. Extend — All KEK expiration options can be changed after the Cloud VM Set has been created.

Option

Description

Key Expiration Period

The length of time for which the KEK and all data encryption keys on the VMs will be valid. To indicate that the KEK should never expire, set this field to 0 (zero). This is the default.

If you change the Key Expiration Period, the new expiration period begins from the day you make the change, not from the day the Cloud VM Set was created.

When this time period expires:

All disks on all VMs in the Cloud VM Set are automatically detached. What happens to the keys depends on the setting in the Key Expiration Action field.
Any attempt to register a new VM with the Cloud VM Set will fail.
Any encrypt or decrypt operation on any of the associated VMs will fail.

To change the expiration period, click the existing value and enter a new value in the text field, then select days/weeks/months/years from the drop-down list. When you are finished, click Save.

Note: If the Key Expiration Option field is set to Change, you can shorten the expiration period but you cannot lengthen it beyond the original date.

Key Expiration Action

The options are:

No Use — The KEK and all data encryption keys are deactivated but retained. The keys can be reactivated and the expiration date extended if the Key Expiration Option field is set to Extend. This is the default.
Shred — The KEK and all data encryption keys are destroyed and cannot be retrieved. In addition, all VMs in the set are removed from KeyControl and the Cloud VM Set itself is deleted.

Shred is a destructive action that cannot be undone. Make sure you have set the correct Key Expiration Period when using this option.

Key Expiration Option

The options are:

No Change — The KEK expiration options cannot be changed after the Cloud VM Set has been created. This is the default. Selecting this option means that once the top-level key expires it cannot be reactivated and all VMs will be automatically detached from KeyControl when the expiration date is reached.
Change — The KEK expiration options can be changed after the Cloud VM Set has been created, but the Key Expiration Period cannot be extended beyond the original date. This is the default.
Extend — All KEK expiration options can be changed after the Cloud VM Set has been created.

Option	Description
HPCS URL	The URL for the IBM HPCS server to be used by the Cloud VM Set.
HPCS Api Key	The API key to be used to connect to the IBM HPCS server.
HPCS Instance ID	The instance ID for your IBM HPCS server.
HPCS Root Key	The Key ID in the IBM HPCS server to be used for generating a KEK. Note: This value is optional. If you do not include the root key, then KeyControl will create one in HPCS.
Key Expiration Period	The length of time for which the KEK and all data encryption keys on the VMs will be valid. The default is Never (0 days). When this time period expires: All disks on all VMs in the Cloud VM Set are automatically detached. What happens to the keys depends on the setting in the Key Expiration Action field. Any attempt to register a new VM with the Cloud VM Set will fail. Any encrypt or decrypt operation on any of the associated VMs will fail. To change the expiration period, click the existing value and enter a new value in the text field, then select days/weeks/months/years from the drop-down list. When you are finished, click Save.
Key Expiration Action	The options are: No Use — The KEK and all data encryption keys are deactivated but retained. The keys can be reactivated and the expiration date extended if the Key Expiration Option field is set to Extend. This is the default. Shred — The KEK and all data encryption keys are destroyed and cannot be retrieved. In addition, all VMs in the set are removed from KeyControl and the Cloud VM Set itself is deleted. Shred is a destructive action that cannot be undone. Make sure you have set the correct Key Expiration Period when using this option.
Key Expiration Option	The options are: No Change — The KEK expiration options cannot be changed after the Cloud VM Set has been created. Selecting this option means that once the top-level key expires it cannot be reactivated and all VMs will be automatically detached from KeyControl when the expiration date is reached. Change — The KEK expiration options can be changed after the Cloud VM Set has been created, but the Key Expiration Period cannot be extended beyond the original date. This is the default. Extend — All KEK expiration options can be changed after the Cloud VM Set has been created.

Click Add.