Examples: Cloud VM Sets with the KEK Feature
A Key Encryption Key (KEK) provides an extra layer of security by encrypting the individual data encryption keys on the VMs associated with a Cloud VM Set. Both the KEK and the individual data encryption key must be available before the information on the VM can be accessed.
If you want to use a KEK with a Cloud VM Set, you can either specify it during Cloud VM Set creation or add it later.
If you use a KEK, all of the VMs in the Cloud VM Set share the expiration date and expiration options specified for the KEK.
For details about using a KEK with a Cloud VM Set,
Create a new Cloud VM Set with a KEK:
$ hicli cvmset new "kek_cvmset" "Cloud Admin Group" --cvm_set_type='KEK_ASSOC' --kek_expire_days=10 --kek_expire_action='NO_USE' --expiration_options=change --retention_period=2
Add a KEK to an existing Cloud VM Set:
$ hicli cvmset add_kek "kek_cvmset" --kek_expire_days=12 --kek_expire_action="NO_USE" --expiration_options=extend
Change the configuration options for a KEK. This command requires the GUID of the Cloud VM Set:
$ hicli cvmset kek_edit 30dd18df-185f-11e8-a8fd-000c2997200a --kek_expire_days=14 --kek_expire_action=SHRED --expiration_options=no_change
When you edit KEK options, keep the following in mind:
- If you change the date on which a KEK expires using the --kek_expire_days parameter, the new expiration date is calculated from the date on which you run the command, not from the original expiration date.
- If --kek_expire_action is set to SHRED, the KEK is destroyed immediately upon reaching the expiration date. You cannot extend the expiration date of a KEK that has been shredded.
- If --kek_expire_action is set to NO_USE, the expiration date can be extended after the KEK expires, and the KEK can then be reactivated.
Revoke access to all VMs in the Cloud VM Set immediately, regardless of the expiration date associated with the KEK:
$ hicli cvmset kek_state_change 30dd18df-185f-11e8-a8fd-000c2997200a REVOKE
Restore access to all VMs in the Cloud VM Set immediately, as long as the KEK associated with the Cloud VM Set has not expired:
$ hicli cvmset kek_state_change 30dd18df-185f-11e8-a8fd-000c2997200a UNREVOKE
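The following is an added example, not HyTrust code or hicli output. It models the KEK rules stated in this section (expiration recomputed from the day kek_edit runs, SHRED versus NO_USE at expiry, and REVOKE/UNREVOKE relative to expiry) in plain Python so the edge cases can be exercised offline. The class, method and field names (Kek, ExpireAction, refresh, walkthrough) and the dates are the example's own assumptions and do not correspond to hicli internals.

```python
"""Illustrative model of the KEK lifecycle rules in this section.

Added example, not HyTrust code: every name here is the example's own. It
encodes the documented behaviour so the edge cases can be checked offline:
  * --kek_expire_days on kek_edit counts from the day the command runs;
  * SHRED destroys the KEK at expiry and blocks any later extension;
  * NO_USE lets an expired KEK be extended and reactivated;
  * REVOKE cuts VM access regardless of expiry; UNREVOKE needs an unexpired KEK.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class ExpireAction(Enum):
    NO_USE = "NO_USE"   # KEK unusable after expiry, but recoverable by extending
    SHRED = "SHRED"     # KEK destroyed at expiry; irreversible


class KekState(Enum):
    ACTIVE = "ACTIVE"
    EXPIRED = "EXPIRED"
    SHREDDED = "SHREDDED"


@dataclass
class Kek:
    expires_on: date
    expire_action: ExpireAction
    revoked: bool = False
    state: KekState = KekState.ACTIVE

    @classmethod
    def create(cls, created_on: date, expire_days: int, action: ExpireAction) -> "Kek":
        """Model of `cvmset new ... --kek_expire_days=N --kek_expire_action=...`."""
        return cls(expires_on=created_on + timedelta(days=expire_days), expire_action=action)

    def refresh(self, today: date) -> KekState:
        """Re-evaluate the KEK state as of `today`. Shredding is terminal."""
        if self.state is KekState.SHREDDED:
            return self.state
        if today >= self.expires_on:
            self.state = (KekState.SHREDDED if self.expire_action is ExpireAction.SHRED
                          else KekState.EXPIRED)
        else:
            self.state = KekState.ACTIVE  # an extension past today reactivates a NO_USE KEK
        return self.state

    def edit_expire_days(self, days: int, run_date: date) -> date:
        """Model of `cvmset kek_edit <guid> --kek_expire_days=N`.
        The new date is run_date + N, not the previous expiration date + N."""
        self.refresh(run_date)
        if self.state is KekState.SHREDDED:
            raise RuntimeError("KEK has been shredded; its expiration cannot be extended")
        self.expires_on = run_date + timedelta(days=days)
        self.refresh(run_date)
        return self.expires_on

    def revoke(self, today: date) -> None:
        """Model of `kek_state_change <guid> REVOKE`: applies regardless of expiry."""
        self.refresh(today)
        self.revoked = True

    def unrevoke(self, today: date) -> None:
        """Model of `kek_state_change <guid> UNREVOKE`: only while the KEK is unexpired."""
        if self.refresh(today) is not KekState.ACTIVE:
            raise RuntimeError(f"cannot UNREVOKE: KEK is {self.state.value}")
        self.revoked = False

    def vms_accessible(self, today: date) -> bool:
        """VM data is reachable only with an active, unrevoked KEK."""
        return self.refresh(today) is KekState.ACTIVE and not self.revoked


def walkthrough() -> dict:
    """Run the section's scenarios on constructed dates and return the outcomes."""
    out = {}
    k = Kek.create(date(2024, 1, 1), 10, ExpireAction.NO_USE)
    out["created_expires"] = k.expires_on                        # 2024-01-11
    out["access_day_5"] = k.vms_accessible(date(2024, 1, 5))     # True
    out["access_day_11"] = k.vms_accessible(date(2024, 1, 11))   # False: expired (NO_USE)
    # kek_edit on day 20 with --kek_expire_days=5 counts from day 20, not from day 11.
    out["extended_to"] = k.edit_expire_days(5, date(2024, 1, 20))  # 2024-01-25
    out["reactivated"] = k.vms_accessible(date(2024, 1, 20))     # True
    k.revoke(date(2024, 1, 21))
    out["access_after_revoke"] = k.vms_accessible(date(2024, 1, 21))    # False
    k.unrevoke(date(2024, 1, 22))
    out["access_after_unrevoke"] = k.vms_accessible(date(2024, 1, 22))  # True
    try:
        k.unrevoke(date(2024, 1, 26))  # KEK expired again on day 25
        out["unrevoke_after_expiry"] = "allowed"
    except RuntimeError:
        out["unrevoke_after_expiry"] = "rejected"
    s = Kek.create(date(2024, 1, 1), 10, ExpireAction.SHRED)
    out["shred_state"] = s.refresh(date(2024, 1, 11)).value       # SHREDDED
    try:
        s.edit_expire_days(14, date(2024, 1, 12))
        out["extend_after_shred"] = "allowed"
    except RuntimeError:
        out["extend_after_shred"] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The point worth carrying over to real operations is the `edit_expire_days` branch: an operator who runs kek_edit ten days before expiry with the same --kek_expire_days value they used at creation has not preserved the schedule but pushed it out by ten days, and once a SHRED action has fired no edit can bring the KEK back.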