Cloud VM Set Encryption Objects
Contents
- Introduction
- The KeyID Interface
- Modifying KeyID Properties
- Revoking Access to KeyIDs
- Deleting KeyIDs
- Encrypting and Decrypting Files
Introduction
This chapter describes how to use keyIDs to encrypt objects that can be moved between VMs within a single Cloud VM Set.
An encryption object is simply a file that is encrypted using an encryption key stored within the KeyControl cluster. We refer to these keys by their keyIDs; a keyID is a symbolic name that references an AES encryption key. The keyID is available to all VMs within a single Cloud VM Set. VMs in other Cloud VM Sets, even ones that you own, are unable to access any data encrypted with a keyID from a different Cloud VM Set.
Note that to encrypt objects, you will need to have the DataControl agent software installed. This feature is, however, independent of encrypting devices.
To explain how this all works, let's start with an example. Consider the following figure where we wish to securely move data between a Linux VM in the data center and a Linux VM in Amazon AWS.

Here we have the two VMs in a Cloud VM Set called Amazon:

The first step is to generate a key that can be accessed from within both VMs. Let's create an encryption key called aws_key:
# hcl keyid -c aws_key -d "A key to securely migrate data to AWS instances"
The keyID can be generated from any VM in the Cloud VM Set. The keyID is visible within the webGUI. For example:

Next, from the VM in the data center, we will zip up some files that we wish to encrypt and then call hcl to encrypt them:
# ls
file1 file2 file3 file4 file5
# zip files.zip *
adding: file1 (deflated 55%)
adding: file2 (deflated 55%)
adding: file3 (deflated 55%)
adding: file4 (deflated 55%)
adding: file5 (deflated 55%)
# hcl encryptfile -k aws_key files.zip files.zip.enc
The files.zip.enc file is now encrypted and can be safely copied to the Linux VM in AWS. Let's just make sure that the encrypted file is different from the original zip file:
# od -x files.zip | head -4
0000000 4b50 0403 0014 0000 0008 82ce 42d9 44cb
0000020 cabd 01ad 0000 03bf 0000 0005 001c 6966
0000040 656c 5531 0954 0300 2633 51ca 5a5f 51d4
0000060 7875 000b 0401 0000 0000 0004 0000 5500
# od -x files.zip.enc | head -4
0000000 3255 7346 4764 6b56 3158 412f 6433 5739
0000020 4470 3557 336a 2b51 4355 344d 3245 6773
0000040 684b 746d 766f 4d79 4856 4843 7a6a 4970
0000060 6159 5350 3734 5069 7145 4959 7758 4231
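As an added example (not part of the original documentation or of the hcl tool), the following Python turns the two `od -x` dumps above back into bytes to show what the comparison reveals: the plaintext starts with the zip magic and a readable file name, while the encrypted file is base64 text whose decoded header is the `Salted__` marker that `openssl enc` also writes ahead of an 8-byte salt. The function names are illustrative, a little-endian host is assumed, and the page does not state what hcl uses internally.

```python
import base64

# The first four `od -x` lines of each file, copied from the output above.
PLAIN_DUMP = """\
0000000 4b50 0403 0014 0000 0008 82ce 42d9 44cb
0000020 cabd 01ad 0000 03bf 0000 0005 001c 6966
0000040 656c 5531 0954 0300 2633 51ca 5a5f 51d4
0000060 7875 000b 0401 0000 0000 0004 0000 5500
"""
ENC_DUMP = """\
0000000 3255 7346 4764 6b56 3158 412f 6433 5739
0000020 4470 3557 336a 2b51 4355 344d 3245 6773
0000040 684b 746d 766f 4d79 4856 4843 7a6a 4970
0000060 6159 5350 3734 5069 7145 4959 7758 4231
"""

def od_x_to_bytes(dump):
    """Rebuild raw bytes from `od -x` output (16-bit words, little-endian host assumed)."""
    out = bytearray()
    for line in dump.splitlines():
        for word in line.split()[1:]:        # first field is the octal offset
            out += int(word, 16).to_bytes(2, "little")
    return bytes(out)

def describe(data):
    """Classify a file header: zip magic, base64 text with a salted header, or unknown."""
    if data.startswith(b"PK\x03\x04"):
        return {"kind": "zip"}
    try:
        text = "".join(data.decode("ascii").split())   # drop line breaks
        text = text[: len(text) - len(text) % 4]       # whole 4-char groups only
        raw = base64.b64decode(text, validate=True)
    except (UnicodeDecodeError, ValueError):
        return {"kind": "unknown"}
    if raw.startswith(b"Salted__"):
        return {"kind": "base64-salted", "salt": raw[8:16].hex(), "decoded_len": len(raw)}
    return {"kind": "base64"}

if __name__ == "__main__":
    for name, dump in (("files.zip", PLAIN_DUMP), ("files.zip.enc", ENC_DUMP)):
        data = od_x_to_bytes(dump)
        print(name, data[:16], describe(data))
```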
From within the Amazon VM, we can now decrypt the encrypted zip file and get access to our unencrypted files as follows:
# hcl decryptfile files.zip.enc files.zip
# unzip files.zip
Archive: files.zip
inflating: file1
inflating: file2
inflating: file3
inflating: file4
inflating: file5
We do not distinguish between where the keyIDs are generated or which VM is encrypting/decrypting, so you can move encrypted objects between any VM in the same Cloud VM Set, wherever they happen to reside. Remember that they can only be shared within the same Cloud VM Set.
The keyID Interface
There are three hcl subcommands available to create and manage keyIDs and to encrypt/decrypt files:
keyid <-c keyid_to_create> [-a crypto_algo] [-e days_to_expire] [-o "NO USE"|"SHRED"]
      <-l> <-r keyid_to_remove> <-u keyid_to_update> [-d description]
encryptfile [-k keyid] filename [encryptedfile]
decryptfile encryptedfile [filename]
The options that can be passed to keyid are:
- -c - the name of the keyID. This symbolic name will be used when encrypting or decrypting files.
- -a - the encryption algorithm to use. Options are AES-128 or AES-256.
- -e - the number of days for which the key is valid. On expiration the selected action will be taken (see below). If you do not specify this option, keys will not expire. You will receive alerts when a key approaches expiration.
- -o - what happens when the key expires. By default NO USE is used: the key is not served to a VM but can be reactivated in the webGUI. The other option is SHRED, where the key is destroyed on expiration.
- -l - lists all current keyIDs associated with this Cloud VM Set.
- -r - the name of the keyID that you wish to delete.
- -u - Coupled with -d below, allows you to update the description for a keyID.
- -d - an optional description for the key. It is generally a good idea to add a description.
Let's try a few examples. First off, let's create a keyID:
# hcl keyid -c my_new_key
And now let's list the current set of keys:
# hcl keyid -l
Keyid        Description
-----        -----------
aws_key      A key to securely migrate data to AWS instances
my_new_key
We didn't add a description to the keyID so let's do that now:
# hcl keyid -u my_new_key -d "This is my new key"
# hcl keyid -l
Keyid        Description
-----        -----------
aws_key      A key to securely migrate data to AWS instances
my_new_key   This is my new key
Now let's take a look in the GUI at the keyIDs:

Note that one of the keys has expired. We shall discuss key expiration later in this chapter.
Once again, note that these keyIDs can only be used by the two VMs in our Amazon Cloud VM Set as well as any VMs we subsequently create in the Amazon Cloud VM Set.
Both keyIDs listed use AES-256. If you wish to use AES-128, you can create a keyID as follows:
# hcl keyid -c my_128-bit_key -a AES-128
And here it is in the webGUI:

Modifying KeyID Properties
For each keyID, you can modify several properties either through the webGUI or through the command line. Within the webGUI, only the expiration date can be modified. To change this, click the pencil icon next to the keyID:

You will be able to select the expiration date and then specify what happens at expiration. The key will either be shredded or be switched to NO_USE, in which case the key will be escrowed but will be unusable.

Note that if you select NO_USE, you will be able to grant access back to the key in the future.
If you wish to modify the description of the keyID from the command line, invoke hcl as follows:
# hcl keyid -u aws_key -d "This is my new description"
Revoking Access to KeyIDs
You can revoke access to a keyID, which will prevent usage of the keyID. To do so, click the X icon shown next to the keyID in the webGUI and then click YES.

Now if you attempt to use the keyID, you will see the following:
# hcl encryptfile -k aws_key files.zip files.zip.enc
Error on keyid getkey aws_key: Keyid not ACTIVE
You can give back access to the key by clicking the padlock icon as follows:

Deleting KeyIDs
keyIDs can be removed as follows:
# hcl keyid -r aws_key
WARNING: Removal of keyid will result in permanent failure to decrypt anything using that keyid.
Do you want to proceed? (y/n)
Please note that if you confirm and remove the key, it will no longer be accessible, so any data that was encrypted using the key can no longer be decrypted.
Encrypting and Decrypting Files
Encryption and decryption are very straightforward. We use a keyID to encrypt or decrypt a file. As shown earlier, here is an example of how to zip/encrypt and then decrypt/unzip some files. First, let's zip up some files and encrypt them using the aws_key keyID.
# ls
file1 file2 file3 file4 file5
# zip files.zip *
adding: file1 (deflated 55%)
adding: file2 (deflated 55%)
adding: file3 (deflated 55%)
adding: file4 (deflated 55%)
adding: file5 (deflated 55%)
# hcl encryptfile -k aws_key files.zip files.zip.enc
The files.zip.enc file is an encrypted version of files.zip and can be safely copied to any VM within the same Cloud VM Set.
To decrypt a file from within the same or any other VM in the same Cloud VM Set:
# hcl decryptfile files.zip.enc files.zip
# unzip files.zip
Archive: files.zip
inflating: file1
inflating: file2
inflating: file3
inflating: file4
inflating: file5
We suggest that you experiment with encrypting and decrypting files together with setting expiration dates and revoking access to the keyIDs. Be careful when shredding keys!