---
copyright:
  years: 2014, 2021
lastupdated: "2021-05-20"
keywords:
subcollection: image-templates
---

{:shortdesc: .shortdesc}
{:codeblock: .codeblock}
{:screen: .screen}
{:tip: .tip}
{:external: target="_blank" .external}
{:pre: .pre}
{:table: .aria-labeledby="caption"}

# Using End to End (E2E) Encryption to provision an encrypted instance
{: #using-end-to-end-e2e-encryption-to-provision-an-encrypted-instance}

The End to End (E2E) Encryption feature is used so that you can bring your own encrypted, cloud-init enabled operating system image. You encrypt the image by using a data encryption key that you own and control. After you complete some environment setup, you can import your encrypted image to the image template repository and use it to provision encrypted virtual server instances. E2E encryption provides data-at-rest encryption for the storage that is associated with provisioned virtual server instances.
{: shortdesc}

E2E Encryption brings together several {{site.data.keyword.cloud}} components to provide a secure solution for your critical information.

- An IBM key management service such as {{site.data.keyword.keymanagementservicelong_notm}} or {{site.data.keyword.cloud_notm}} {{site.data.keyword.hscrypto}} to secure your encryption keys (see Table 1).
- IBM {{site.data.keyword.iamshort}} (IAM) enables the Cloud Block Storage service to access your key management system and your root key that is used to wrap your data encryption key.
- {{site.data.keyword.cos_full_notm}} securely stores your encrypted image when you upload it.
- In {{site.data.keyword.cloud_notm}} console you can import your encrypted image and create an image template.
- With an encrypted image template available in the {{site.data.keyword.cloud_notm}} console infrastructure environment, you can provision encrypted virtual server instances.
- Finally, you can audit events that are associated with your encrypted virtual servers through Activity Tracker.

## Encryption key management services

{{site.data.keyword.keymanagementserviceshort}} and {{site.data.keyword.hscrypto}} (now available in certain regions) use a common key provider API to provide a consistent approach for managing encryption keys. Behind the scenes, {{site.data.keyword.cloud_notm}} data centers provide a dedicated hardware security module (HSM) to protect your keys. You can choose from the following options:

| Key Management Service | HSM Encryption Certification |
|---|---|
| {{site.data.keyword.keymanagementserviceshort}} | FIPS 140-2 Level 3 compliance |
| {{site.data.keyword.hscrypto}} | FIPS 140-2 Level 4 compliance |
{: caption="Available key management service options" caption-side="top"}

## Preparing your environment

  1. You must have an upgraded account to use E2E encryption for virtual servers. For more information, see Switching to IBMid and linking accounts.

  2. Use your key management service to create and manage keys. The following example steps are specific to {{site.data.keyword.keymanagementserviceshort}}, but the general flow also applies to {{site.data.keyword.hscrypto}}. If you're using {{site.data.keyword.hscrypto}}, see the documentation for that service for corresponding instructions.

     1. Provision the {{site.data.keyword.keymanagementserviceshort}} service.
     2. Install the {{site.data.keyword.cloud_notm}} Key Protect CLI plug-in. You use the Key Protect CLI to wrap, with your root key, the base64-encoded 32-byte standard data encryption key (DEK) that you intend to use to encrypt your Virtual Hard Drive (VHD) image.
     3. Create or import a root key (CRK) in {{site.data.keyword.keymanagementserviceshort}}. You will use your root key in the next step to wrap the data encryption key that you use to encrypt your image.
     4. Identify the DEK that you want to use to encrypt your image, and then wrap it with your root key. If you need to generate a DEK, you can run the `kp wrap` command with no plain text parameter (`-p`) to generate the key and wrap it. If you already have a DEK, you can import it and then wrap it by specifying the plain text parameter on the `kp wrap` command. Make sure to save the cipher text that is returned by `kp wrap`: you must specify this wrapped DEK (WDEK) cipher text when you import your encrypted image to the {{site.data.keyword.cloud_notm}} console.

     Key Protect doesn't store additional authenticated data (AAD), so use WDEKs that don't require AAD to unwrap them.
     {: tip}

  3. From IBM {{site.data.keyword.iamshort}} (IAM), create an authorization between your Cloud Block Storage (source service) and your Key Management Service (target service). The authorization permits the {{site.data.keyword.cloud_notm}} backplane services to use your WDEK for data encryption.

  4. In IBM Cloud Console, create an instance of {{site.data.keyword.cos_full_notm}} and create a bucket to store the data. For more information, see the Getting started tutorial for {{site.data.keyword.cos_full_notm}}.

    1. Create the {{site.data.keyword.cos_full_notm}} instance in the region where your key management service is provisioned.
    2. When you create the bucket, the Resiliency setting must be Regional.
    3. Optionally, when you create the bucket, you can encrypt it with your DEK.
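The envelope-encryption relationship behind steps 2.3 and 2.4 and the AAD tip, as an added illustration that is not Key Protect's implementation or CLI: a local AES-256-GCM key stands in for the HSM-backed root key, the DEK is checked for the expected base64-of-32-bytes form, and a WDEK that was bound to AAD can only be unwrapped by a party that supplies that same AAD.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// DecodeDEK accepts only what the import flow expects: base64 text that decodes to exactly 32 bytes.
func DecodeDEK(b64 string) ([]byte, error) {
	dek, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(dek) != 32 {
		return nil, errors.New("DEK must be the base64 encoding of exactly 32 bytes")
	}
	return dek, nil
}

// RootKey stands in for the HSM-backed root key (CRK); here it is a local AES-256-GCM key, for illustration only.
type RootKey struct{ aead cipher.AEAD }
func NewRootKey(key []byte) (*RootKey, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &RootKey{aead}, nil
}

// Wrap encrypts the DEK under the root key, binding any AAD to the result (nonce || ciphertext || tag).
func (r *RootKey) Wrap(dek, aad []byte) ([]byte, error) {
	nonce := make([]byte, r.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return r.aead.Seal(nonce, nonce, dek, aad), nil
}

// Unwrap fails unless the exact wrap-time AAD is supplied, so a WDEK that needs AAD is unusable by a service that never stored it.
func (r *RootKey) Unwrap(wdek, aad []byte) ([]byte, error) {
	n := r.aead.NonceSize()
	if len(wdek) < n {
		return nil, errors.New("WDEK too short")
	}
	return r.aead.Open(nil, wdek[:n], wdek[n:], aad)
}
```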

## Preparing your encrypted images

  1. Select an unencrypted image that works in the {{site.data.keyword.cloud_notm}} infrastructure environment and that you want to encrypt. One option is to use an existing virtual server to create an image template. For more information, see Work with an image template that was created from a cloud-init provisioned virtual server. You can also use an existing VHD image. Make sure that the image meets encrypted image requirements.
  2. If you're using an image template from {{site.data.keyword.slportal}}, export the unencrypted image to {{site.data.keyword.cos_full_notm}}.
  3. Download the image file from {{site.data.keyword.cos_full_notm}} to a secure local machine to encrypt the image. In your service dashboard, select the Download action to retrieve your object from storage. You can use the Aspera high-speed transfer plug-in to download images larger than 200 MB.
  4. Use the vhd-util tool to encrypt your VHD image.
  5. In {{site.data.keyword.cos_full_notm}}, navigate to your bucket and click Add Objects to upload the encrypted image. You can use the Aspera high-speed transfer plug-in to upload images larger than 200 MB.

If you're interested in automating image encryption, check out this {{site.data.keyword.cloud_notm}} blog post.
{: tip}

## Importing an encrypted image and ordering an instance

  1. Using IBM {{site.data.keyword.iamshort}} (IAM), create a service ID to authenticate with when you import the encrypted image into {{site.data.keyword.cloud_notm}} console.
    1. Create a service ID.
    2. Assign an access policy. Assign access for these services: {{site.data.keyword.cos_full_notm}} and key management.
    3. Create an API key for a service ID.
    4. For more information, see Introducing {{site.data.keyword.cloud_notm}} IAM Service IDs and API Keys{: external}.
  2. From {{site.data.keyword.cloud_notm}} console, import the encrypted image to the Image Templates page.
  3. From the Image Templates page, you can use your encrypted image to order a virtual server instance.
  4. With an encrypted virtual server provisioned, you can audit virtual server events through Activity Tracker.