KEKs with Cloud VM Sets

A Key Encryption Key (KEK) provides an extra layer of security by encrypting the individual data encryption key of each VM associated with a Cloud VM Set. Both the KEK and the VM's own data encryption key must be available before the data on that VM can be accessed.

To protect the KEK, KeyControl Vault for VM Encryption requires that the KEK be stored in the hardware security module (HSM) associated with this KeyControl Vault for VM Encryption cluster. If the HSM is not available, then the VMs protected by the KEK cannot be accessed or rebooted. If you decide to associate a KEK with a Cloud VM Set, it is imperative that the HSM be available to KeyControl Vault for VM Encryption at all times.

The KEK also provides a way to control the accessibility of all the associated VMs with a single command. If the KEK expires or is revoked, then all associated VMs become inaccessible at the next heartbeat regardless of the state of their individual data encryption keys.

As the KEK expiration date nears, KeyControl Vault for VM Encryption issues an alert notifying the Domain Admins associated with the Cloud VM Set that the KEK is about to expire. When the expiration date is reached, the KEK state changes from ACTIVE to EXPIRED_PENDING. What happens at that point depends on the Key Expiration Action defined for the KEK. For more information, see Changing KEK Properties.

For information on configuring an HSM, see Hardware Security Modules with KeyControl.

Considerations

  • The HSM must be available before you can encrypt any virtual disk on any VM associated with a Cloud VM Set that uses a KEK.
  • After you encrypt the virtual disk, the HSM must be available any time that VM is booted or rebooted, or the boot operation will fail.
  • The Cloud Admin user can specify the Cloud VM Set to be associated with a KEK either during the Cloud VM Set creation or at a later time.
  • If a Cloud VM Set is associated with a KEK, no VMs can be registered with the Cloud VM Set until KeyControl Vault for VM Encryption has successfully stored the KEK in the HSM.