Planning data encryption
When you're planning a data encryption strategy for your Block Storage for VPC volumes, snapshots, File Storage for VPC shares, or custom images, you might find this checklist helpful.
Planning for data encryption
Consider the following prerequisites before you set up data encryption for your VPC resources.
| Considerations |
|---|
| __ Evaluate the amount of control that you want over your data encryption. IBM-managed encryption is provided by default for boot volumes, data volumes, and file shares. With customer-managed encryption, you own the encryption keys and control the encryption process. |
| __ For encrypted custom images, review the image requirements, supported operating systems, and learn about creating and importing QCOW2 custom image files. For more information, see Planning for custom images. |
| __ Evaluate which key management service best meets your needs. Determine the availability of these services in your region and zone. For Key Protect, choose between Standard (multi-tenant with FIPS 140-2 Level 3) or Dedicated (single-tenant with FIPS 140-3 Level 4). Consider regulatory requirements, data sensitivity, budget, and whether you need complete control over the root of trust. For more information, see About Standard and Dedicated Key Protect. |
| __ Determine whether your account can authorize access. For Cloud Block Storage as the source service, Lite accounts must upgrade to a Pay-As-You-Go account or a Subscription account. For more information, see IBM Cloud account types. For File Storage for VPC, select VPC Infrastructure Services as the source service, select the Resource type checkbox and choose File Storage for VPC, and select Key Protect as the target service. For custom images, authorize access between Image Service for VPC (source service) and IBM Cloud Object Storage (target service). Specify Reader access for the role. For all VPC source services, do not filter by resource group; leave the resource group checkbox cleared. |
| __ For customer-managed encryption, consider importing or creating multiple root keys and rotating your keys for greater security. |
| __ Make sure you have a unique name for your virtual server instances, volumes, and file shares. For example, if you have a method for naming volumes with customer-managed encryption, it's much easier to filter and search for them later. |
| __ Determine how long you want to retain the resource and whether you might want to make the data inaccessible for any reason. |
Prerequisites for setting up customer-managed encryption
Complete the following prerequisites to configure customer-managed encryption for your VPC resources.
General setup procedure
Setting up customer-managed encryption for your VPC resources involves the following steps:
- Generate or create your root key - You can use your on-premises HSM to generate a root key, or create one by using an IBM Cloud key management service.
  IBM Cloud data centers provide a dedicated HSM to create and protect your keys. By using Hyper Protect Crypto Services, you can take control of your cloud data encryption keys and cloud hardware security module.
- Provision a key management service (KMS) - Choose the KMS that best meets your needs and provision an instance.
- Import your root key - Use your KMS to securely import your root key to the cloud service. For added security, create an import token in your KMS to encrypt and import root keys to the service.
- Authorize service access - From IBM Cloud® Identity and Access Management (IAM), authorize service between your VPC resource service (such as Cloud Block Storage or Cloud File Storage) and your KMS. For custom images, also authorize between Image Service for VPC (source service) and IBM Cloud Object Storage (target service).
- Create encrypted resources - When you create volumes, file shares, or import custom images, specify your root key. The IBM Cloud VPC infrastructure uses your root key to secure the data by wrapping the passphrases.
- Manage your keys - After setup, you can manage your keys by disabling, enabling, rotating, or deleting them. For more information, see Managing data encryption.
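To make concrete what "wrapping the passphrases" means, and what rotating or disabling a root key does to volumes that already exist, the following is an added, constructed model in Python; it is not IBM code and does not call any IBM service. `RootKey` stands in for the customer root key held by the KMS, `Volume` for a Block Storage for VPC volume, and a stdlib HMAC-based toy cipher replaces the KMS's real wrap algorithm so the script runs offline.

```python
import hashlib, hmac, os

# Toy authenticated cipher standing in for the KMS wrap algorithm (constructed,
# stdlib-only so this runs offline; not what Key Protect or HPCS actually use).
def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _stream(key, nonce, len(ct))))

class RootKey:
    """Customer root key held by the KMS: versioned for rotation, can be disabled."""
    def __init__(self) -> None:
        self.versions = [os.urandom(32)]  # key material for version 0
        self.enabled = True
    def _check(self) -> None:
        if not self.enabled:  # disabled key: wrap/unwrap refused, data unreadable
            raise PermissionError("root key is disabled")
    def wrap(self, dek: bytes) -> bytes:
        self._check()
        v = len(self.versions) - 1  # always wrap with the newest version
        return v.to_bytes(2, "big") + seal(self.versions[v], dek)
    def unwrap(self, wrapped: bytes) -> bytes:
        self._check()
        v = int.from_bytes(wrapped[:2], "big")
        return open_sealed(self.versions[v], wrapped[2:])
    def rotate(self) -> None:
        self.versions.append(os.urandom(32))  # old versions stay for unwrapping

class Volume:
    """Stores only the wrapped passphrase (DEK); the root key never leaves the KMS."""
    def __init__(self, root: RootKey, data: bytes) -> None:
        dek = os.urandom(32)  # per-volume passphrase
        self.wrapped_dek = root.wrap(dek)
        self.ciphertext = seal(dek, data)
    def read(self, root: RootKey) -> bytes:
        return open_sealed(root.unwrap(self.wrapped_dek), self.ciphertext)
    def rewrap(self, root: RootKey) -> None:
        # After rotation only the passphrase is re-wrapped; volume data stays as is.
        self.wrapped_dek = root.wrap(root.unwrap(self.wrapped_dek))
```

Rotation changes the wrapped passphrase but leaves the volume ciphertext untouched, while disabling the root key makes every volume that depends on it unreadable until the key is enabled again.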
Block and file storage prerequisites
Provision a key management service (KMS), and authorize access between your VPC resource and KMS.
Deprecated: The Hyper Protect Crypto Services are deprecated. Customers can use existing instances until 20 March 2027. For more information, see Deprecation of IBM Cloud Hyper Protect Crypto Services. For continued protection, consider migrating your existing encryption keys to a Dedicated Key Protect instance. For more information, see the Migration guide.
- When you provision a KMS, you can choose between Key Protect Single Tenant and Multi Tenant instances, and Hyper Protect Crypto Services. Follow the linked tutorials to provision a service instance, and create or import a customer root key.
  For Key Protect, choose your deployment option:
  - Standard: Multi-tenant service with FIPS 140-2 Level 3 compliance. Follow the provisioning tutorial to create an instance and manage root keys.
  - Dedicated: Single-tenant service with FIPS 140-3 Level 4 compliance. It requires CLI-based initialization. Follow the Dedicated initialization guide to create an instance, generate admin credentials, and create your master key.
  For guidance on choosing between Standard and Dedicated, see When to use Standard vs Dedicated Key Protect.
- From IBM Cloud Identity and Access Management (IAM), authorize access between Cloud Block Storage or Cloud File Storage (source service) and the target KMS service (Key Protect or Hyper Protect Crypto Services). For more information, see Establishing service-to-service authorizations for File Storage for VPC and Establishing service-to-service authorizations for Block Storage for VPC.
You might need to upgrade your account to a Pay-As-You-Go account to complete this step. For more information, see Upgrading to a Pay-As-You-Go account.
Encrypted custom image prerequisites
If you plan to import an encrypted custom image, follow the instructions in Setting up your key management service and keys.