Creating a Cloud VM Set

All VMs must be part of a Cloud VM Set before they can be encrypted. The set controls global options for the VMs it contains and tracks KeyIDs and FSIDs. It also allows you to enable the BoundaryControl feature that uses Policy Rules and constraints in HyTrust CloudControl (HTCC) to authenticate and authorize delivery of encryption keys for the data encrypted by DataControl and managed by KeyControl.

Before You Begin 

If you are using the BoundaryControl feature, make sure you know the URL or IP address of the CloudControl server you want to use. A link between KeyControl and the CloudControl server must already be established before you can use it in the Cloud VM Set. For details about establishing the link, see Linking KeyControl with CloudControl.

Important: You cannot change whether the BoundaryControl feature is enabled or disabled after you have created the Cloud VM Set. If you do not select a CloudControl server link during this procedure, you cannot go back and add one. Conversely, if you do select a link you cannot go back and disable BoundaryControl later.

Procedure 

  1. Log in to the KeyControl webGUI on any node in the cluster using an account with Cloud Admin privileges.

  2. In the top menu bar, click Cloud.
  3. Select Actions > Create New Cloud VM Set.
  4. On the VM Set tab:
    1. Enter a name for the Cloud VM Set.
    2. Select the group to which this set should belong.
    3. Optionally enter a description for the set.
    4. If you want to use the BoundaryControl feature, select the CloudControl app server link that you want to use from the drop-down list. You can change the server link after you save the Cloud VM Set but you cannot enable BoundaryControl later if you do not select a server at this point.

  5. If you want to specify additional options, click the Additional Properties tab. The options are:

    Option

    Description

    Heartbeat

    The length of time between the heartbeats each VM in the set sends to KeyControl to verify that the connection between them is functioning normally. You can specify seconds, minutes, hours, or days. The default is 5 minutes. This value should be set to a minimum of 10 seconds.

    If changes have been made to the VMs through the KeyControl webGUI, those changes are communicated to the VMs during the heartbeat. That means if the heartbeat is set to 5 minutes, then it can take up to 5 minutes for any changes made in the KeyControl webGUI to be applied to the VMs in the set.

    If a VM cannot reach KeyControl during the heartbeat, the VM continues to run but any changes made in KeyControl are not picked up by the VM until the next successful heartbeat. KeyControl sets the status of the VM to Unreachable, but it takes no further action unless the heartbeat continues to fail after the Grace Period has expired.

    Grace Period

    The length of time that can pass without a successful heartbeat. The default is 1 day. You can specify the grace period in seconds, minutes, hours, or days.

    If a VM remains unresponsive past the grace period, access to the data on the VM will be unavailable until the VM is re-authenticated with KeyControl.

    Max Parallel Rekey Operations

    The number of concurrent Auto Rekey operations that can be performed for VMs in the Cloud VM Set. The default is 1.

    Rekey Interval

    The length of time between when the current Auto Rekey operation finishes and when the next Auto Rekey starts for the disk. You can select any number of days, weeks, months, or years. To disable Auto Rekey, enter 0 in this field. By default, Auto Rekey is disabled.

    Reauthenticate on IP Change

    Whether a VM in the set must be re-authenticated when the VM's IP address changes. The default is No.

    Reauthenticate on H/W Signature change

    Whether a VM must be reauthorized if its hardware signature changes. The default is Yes.

    KeyControl uses the MAC address of the first Ethernet card as the hardware signature. Typically, when a VM is copied the hypervisor changes the MAC address of the new copy. In this case, the default setting requires a copied VM to be reauthenticated with KeyControl.

    Reauthenticate on Reboot

    Whether a VM must be reauthenticated every time it reboots. The default is No.

    Setting this value to Yes is similar to requiring a boot-time password before the VM can come up completely.

    Certificate Auto Renewal Period

    If you want KeyControl to automatically renew the certificate for a VM in this Cloud VM Set, enter an integer greater than zero in this field. KeyControl will renew the certificate that many days before the old one expires. For example, if you enter a value of 5 in this field and a VM certificate is set to expire on June 12, 2017, KeyControl will renew the certificate on June 7, 2017. The default is 10 days.

    To change the renewal period, click the existing value and enter a new value in the text field, then select days/weeks/months/years from the drop-down list. When you are finished, click Save.

    If you want to disable certificate auto-renewal, enter 0 (zero) in this field.

    Certificate Expiration

    The length of time for which a VM certificate will be valid when it is first registered with KeyControl or when it is auto-renewed by KeyControl. The default is 1 year.

    To change the expiration, click the existing value and enter a new value in the text field, then select days/weeks/months/years from the drop-down list. When you are finished, click Save.

    Note: If you change this value for an existing Cloud VM Set, the certificate expiration date is not changed for any of the VMs that are currently part of the set. This value only takes effect for new VMs or when the certificates for the existing VMs are renewed.
  6. If you want to specify a key encryption key (KEK) that controls when the data encryption keys on the associated VMs are expired or revoked, click the Key Encryption Key tab and specify the following information. You cannot change whether the Cloud VM Set uses a KEK after the Cloud VM Set has been created.

    Option

    Description

    Key

    The encryption key KeyControl should use to encrypt all data encryption keys for all VMs in the Cloud VM Set. The expiration option settings for this KEK are automatically inherited by all VMs registered with the Cloud VM Set.

    The key should be base64-encoded and must be unique across all Cloud VM Sets defined in the KeyControl cluster.

    You must specify this key again if you want to make any changes to the KEK properties after the Cloud VM Set has been created. If you enable changes to the KEK, make sure you save a copy of the KEK in a secure location.

    Key Expiration Period

    The length of time after the VM is created for which the KEK and all data encryption keys on the VMs will be valid. The default is 2 weeks.

    When this time period expires:

    • All disks on all VMs in the Cloud VM Set are automatically detached. What happens to the keys depends on the setting in the Key Expiration Action field.
    • Any attempt to register a new VM with the Cloud VM Set will fail.
    • Any encrypt or decrypt operation on any of the associated VMs will fail.

    To change the expiration period, click the existing value and enter a new value in the text field, then select days/weeks/months/years from the drop-down list. When you are finished, click Save.

    Key Expiration Action

    The options are:

    • No Use — The KEK and all data encryption keys are deactivated but retained. The keys can be reactivated and the expiration date extended if the Key Expiration Option field is set to Extend. This is the default.
    • Shred — The KEK and all data encryption keys are destroyed and cannot be retrieved. In addition, all VMs in the set are removed from KeyControl and the Cloud VM Set itself is deleted.

      Only use this option if you are absolutely certain that you will never need to access the Cloud VM Set or the VMs registered with the Cloud VM Set again.

    Key Expiration Option

    The options are:

    • No Change — The KEK expiration options cannot be changed after the Cloud VM Set has been created. This is the default. Selecting this option means that once the top-level key expires it cannot be reactivated and all VMs will be automatically detached from KeyControl when the expiration date is reached.
    • Change — The KEK expiration options can be changed after the Cloud VM Set has been created, but the Key Expiration Period cannot be extended beyond the original date.
    • Extend — All KEK expiration options can be changed after the Cloud VM Set has been created.
  7. When you have finished specifying the Cloud VM Set options, click Create.
  8. When you see the Cloud VM Set Successfully Created message, click Close.
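
The following pre-creation check is an added example, not part of the KeyControl documentation or product. It reviews planned values for the options in steps 4 through 6 and flags the ones this page describes as out of range, destructive, or fixed once the Cloud VM Set is created. The plan dictionary, its key names and review_plan are hypothetical, and the two checks marked as inferences follow from the option descriptions rather than from a stated product rule.

```python
import base64
import secrets
from datetime import timedelta

def review_plan(plan):
    """Return (severity, message) findings for a planned Cloud VM Set."""
    out = []
    hb, grace = plan["heartbeat"], plan["grace_period"]
    if hb < timedelta(seconds=10):  # minimum stated on this page
        out.append(("error", "heartbeat is below the 10 second minimum"))
    # Inference, not a product rule: it would lapse before the next heartbeat.
    if grace <= hb:
        out.append(("warn", "grace period does not exceed the heartbeat"))
    # Inference: a new certificate would already be inside its renewal window.
    renew = plan["cert_renewal_days"]  # 0 disables auto-renewal
    if renew and timedelta(days=renew) >= plan["cert_expiration"]:
        out.append(("warn", "renewal period covers the whole certificate life"))
    if not plan["cloudcontrol_link"]:
        out.append(("info", "BoundaryControl cannot be enabled after creation"))
    kek = plan["kek"]
    if kek is None:
        out.append(("info", "a KEK cannot be added after creation"))
        return out
    try:
        raw = base64.b64decode(kek["key"], validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        raw = b""
    if not raw:
        out.append(("error", "KEK is empty or not valid base64"))
    if kek["action"] == "Shred":
        out.append(("warn", "on expiry the keys are destroyed and the set deleted"))
    if kek["option"] == "No Change":
        out.append(("warn", "an expired KEK cannot be reactivated"))
    elif kek["action"] == "No Use" and kek["option"] != "Extend":
        out.append(("warn", "reactivating No Use keys requires Extend"))
    return out

# Constructed plan using the defaults listed on this page; the 32-byte key
# length is an assumption, the page only requires base64 and uniqueness.
DEFAULTS = {
    "heartbeat": timedelta(minutes=5), "grace_period": timedelta(days=1),
    "cert_renewal_days": 10, "cert_expiration": timedelta(days=365),
    "cloudcontrol_link": None,
    "kek": {"key": base64.b64encode(secrets.token_bytes(32)).decode(),
            "action": "No Use", "option": "No Change"},
}

if __name__ == "__main__":
    for severity, message in review_plan(DEFAULTS):
        print(f"{severity:5} {message}")
```

Run against the page defaults, the check reports only the two irreversible choices: no CloudControl link, and a KEK whose expiration options are locked at No Change.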