Adding KEK to an Existing Cloud VM Set
You can add a Key Encryption Key (KEK) to an existing Cloud VM Set that contains VMs. A KEK provides an extra layer of security by encrypting the individual data encryption keys on the VMs associated with this Cloud VM Set. It also controls the expiration and revocation of those data encryption keys. When you add the KEK, all existing KeyIDs, disk encryption keys, and any new VM keys created will be encrypted using the KEK. A rekey process will be started to encrypt the existing encryption keys. An alert will be generated when the encryption of all keys has completed successfully.
To protect the KEK, KeyControl Vault for VM Encryption requires that the KEK be stored in a hardware security module (HSM) that is associated with this KeyControl Vault for VM Encryption cluster. For more information, see KEKs with Cloud VM Sets.
After the KEK has been added, you cannot change whether the Cloud VM Set uses a KEK, or what type of KEK is used. The HSM must be available before you can encrypt keys with the KEK. Keys remain accessible to clients while the rekey is in progress.
Procedure
- Log into the KeyControl Vault for VM Encryption using an account with Cloud Admin privileges.
- In the top menu bar, click Workloads.
- Select the Cloud VM Set to which you would like to add the KEK.
- Select Actions > Add KEK.
- In the Add KEK to Cloud VM Set window, choose Use KEK from the drop-down list and click Save to view the Key Encryption Key properties.
- Complete the required information for the following options:
Key Expiration Period
The length of time for which the KEK and all data encryption keys on the VMs will be valid. To indicate that the KEK should never expire, set this field to 0 (zero). This is the default.
If you change the Key Expiration Period, the new expiration period begins from the day you make the change, not from the day the Cloud VM Set was created.
When this time period expires:
- All disks on all VMs in the Cloud VM Set are automatically detached. What happens to the keys depends on the setting in the Key Expiration Action field.
- Any attempt to register a new VM with the Cloud VM Set will fail.
- Any encrypt or decrypt operation on any of the associated VMs will fail.
To change the expiration period, click the existing value and enter a new value in the text field, then select days/weeks/months/years from the drop-down list. When you are finished, click Save.
Note: If the Key Expiration Option field is set to Change, you can shorten the expiration period but you cannot lengthen it beyond the original date.
Key Expiration Action
The options are:
- No Use—The KEK and all data encryption keys are deactivated but retained. The keys can be reactivated and the expiration date extended if the Key Expiration Option field is set to Extend. This is the default.
- Shred—The KEK and all data encryption keys are destroyed and cannot be retrieved. In addition, all VMs in the set are removed from KeyControl Vault for VM Encryption and the Cloud VM Set itself is deleted. Shred is a destructive action that cannot be undone. Make sure you have set the correct Key Expiration Period when using this option.
Key Expiration Option
The options are:
- No Change—The KEK expiration options cannot be changed after the Cloud VM Set has been created. This is the default. Selecting this option means that once the top-level key expires it cannot be reactivated, and all VMs are automatically detached from KeyControl when the expiration date is reached.
- Change—The KEK expiration options can be changed after the Cloud VM Set has been created, but the Key Expiration Period cannot be extended beyond the original date.
- Extend—All KEK expiration options can be changed after the Cloud VM Set has been created.
- Click Add.
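The following model ties together what the sections above describe: DEKs exist per VM, adding a KEK re-wraps every existing DEK without changing the DEKs themselves (so clients keep working through the rekey), every encrypt/decrypt request is gated on the KEK's expiration, and the Key Expiration Action and Key Expiration Option settings decide whether expired keys are retained, destroyed, or can be reactivated. This is an added illustration written for this page, not KeyControl code, and it does not call any KeyControl or HSM API. The `_wrap`/`_unwrap` functions are an assumed stand-in for the HSM's key wrap, the class and method names are hypothetical, and the VM names and dates are constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


def _wrap(kek: bytes, dek: bytes) -> bytes:
    """Wrap a 32-byte DEK under the KEK. Assumed stand-in for the HSM's AES key
    wrap: an HMAC-SHA256 keystream XOR plus an HMAC tag (not a production cipher)."""
    nonce = os.urandom(16)
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(dek, stream))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrapped DEK failed integrity check")
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


class KekExpired(Exception):
    pass


@dataclass
class CloudVMSet:
    deks: dict = field(default_factory=dict)     # vm -> plaintext DEK (no KEK yet)
    wrapped: dict = field(default_factory=dict)  # vm -> DEK wrapped under the KEK
    kek: Optional[bytes] = None
    expires_at: Optional[datetime] = None        # None = never expires (period 0)
    action: str = "No Use"                       # Key Expiration Action
    option: str = "No Change"                    # Key Expiration Option
    active: bool = True
    deleted: bool = False

    def register_vm(self, vm: str, now: Optional[datetime] = None) -> bytes:
        """Registering a VM mints its DEK; once a KEK exists it is stored wrapped."""
        dek = os.urandom(32)
        if self.kek is None:
            self.deks[vm] = dek
        else:
            self._check_active(now)              # registration fails after expiry
            self.wrapped[vm] = _wrap(self.kek, dek)
        return dek

    def add_kek(self, kek: bytes, period: Optional[timedelta], now: datetime,
                action: str = "No Use", option: str = "No Change") -> int:
        """Add the KEK once and rekey: every existing DEK is re-wrapped, but the
        DEK values are unchanged. Returns the number of keys re-wrapped."""
        if self.kek is not None:
            raise RuntimeError("a Cloud VM Set's KEK cannot be changed once added")
        self.kek, self.action, self.option = kek, action, option
        self.expires_at = now + period if period else None
        for vm, dek in self.deks.items():
            self.wrapped[vm] = _wrap(kek, dek)
        self.deks.clear()                        # plaintext copies are gone
        return len(self.wrapped)

    def dek_for(self, vm: str, now: datetime) -> bytes:
        """What a VM's encrypt/decrypt request yields; refused once the KEK expired."""
        self._check_active(now)
        return _unwrap(self.kek, self.wrapped[vm])

    def set_expiration(self, new_expires_at: datetime) -> None:
        """No Change locks the settings; Change may only shorten the period;
        Extend may lengthen it and, with No Use, reactivates the retained keys."""
        if self.option == "No Change":
            raise PermissionError("expiration options are locked (No Change)")
        if self.option == "Change" and self.expires_at and new_expires_at > self.expires_at:
            raise PermissionError("Change may shorten but not lengthen the period")
        self.expires_at = new_expires_at
        if self.option == "Extend" and self.action == "No Use":
            self.active = True

    def _check_active(self, now: Optional[datetime]) -> None:
        if self.deleted or not self.active:
            raise KekExpired("KEK expired: disks detached, no key operations allowed")
        if self.expires_at and now is not None and now >= self.expires_at:
            self._expire()
            raise KekExpired("KEK expired: disks detached, no key operations allowed")

    def _expire(self) -> None:
        if self.action == "Shred":               # destroy keys, drop VMs, delete the set
            self.kek, self.deleted = None, True
            self.wrapped.clear()
        else:                                    # No Use: deactivate but retain
            self.active = False


def demo() -> dict:
    """Constructed scenario: rekey, expiry under No Use + Extend, expiry under Shred."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    s = CloudVMSet()
    dek_a = s.register_vm("vm-a")
    rewrapped = s.add_kek(os.urandom(32), timedelta(days=30), t0, "No Use", "Extend")
    same_dek_after_rekey = s.dek_for("vm-a", t0) == dek_a
    dek_b = s.register_vm("vm-b", t0 + timedelta(days=1))
    try:
        s.dek_for("vm-a", t0 + timedelta(days=31))
        blocked = False
    except KekExpired:
        blocked = True
    retained = "vm-a" in s.wrapped
    s.set_expiration(t0 + timedelta(days=365))   # Extend reactivates the set
    extend_reactivates = s.dek_for("vm-b", t0 + timedelta(days=31)) == dek_b
    sh = CloudVMSet()
    sh.register_vm("vm-c")
    sh.add_kek(os.urandom(32), timedelta(days=1), t0, "Shred")
    try:
        sh.dek_for("vm-c", t0 + timedelta(days=2))
    except KekExpired:
        pass
    return {"rewrapped": rewrapped, "same_dek_after_rekey": same_dek_after_rekey,
            "blocked_after_expiry": blocked, "no_use_retains_keys": retained,
            "extend_reactivates": extend_reactivates,
            "shred_deletes_set": sh.deleted and not sh.wrapped}
```

Run `demo()` to walk the scenario. The point to take from it is that the rekey changes only the wrapped form of each DEK, which is why L4's guarantee that keys stay accessible during the rekey is possible, while expiration never touches the DEKs either: it removes the one key that unwraps them, and under Shred removes it permanently.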