IBM Cloud Docs
Securing your data in Hyper Protect Virtual Servers

Securing your data in Hyper Protect Virtual Servers

To ensure that you can securely manage your data when you use IBM Cloud® Hyper Protect Virtual Servers, it is important that you know exactly what data is stored and encrypted and how you can delete any personal data. All data that is stored on Hyper Protect Virtual Servers disks is automatically encrypted and the encryption key is stored on a secure enclave.

How your data is stored and encrypted in Hyper Protect Virtual Servers

Hyper Protect Virtual Servers uses the following methods to protect your data:

  • Hyper Protect Virtual Servers is built on IBM Secure Service Container technology, and provides workload isolation, restricted administrator access and tamper protection for the underlying host system.
  • The default SSH connection uses your private and public keypair for authentication and the connection is encrypted automatically.
  • Identity and Access Management (IAM) secures access to the IBM Cloud account, the Hyper Protect Virtual Servers management Web user interface and CLI.
  • All disks attached to a Hyper Protect Virtual Servers are provided on storage encrypted with LUKS according to AES-256. The default keys are managed by the underlying IBM Secure Service Container technology.

Protecting your sensitive data in Hyper Protect Virtual Servers

Data at rest

The data that you store in Hyper Protect Virtual Servers is encrypted securely at rest by using a randomly generated key, which the underlying IBM Secure Service Container technology manages. Use the Linux command-line tools to delete data in a virtual server.

Data in flight

The IBM LinuxONE infrastructure components for the Hyper Protect Virtual Servers service are situated in colocation with the data centers. This means that these components are placed in the same data centers as the IBM Cloud infrastructure but have their own network setup, which affects the network connection.

Hyper Protect Virtual Servers** architecture network isolation
Figure 1. Hyper Protect Virtual Servers Architecture network isolation

It is your responsibility to protect the connection for any application that runs in your IBM Cloud and it is recommended that you follow these guidelines:

  • You can either use the public route or a private route through IBM Cloud Service Endpoints if you want to connect any other service to a Hyper Protect Virtual Servers instance. You can find a list of all IBM Cloud services, which support IBM Cloud Service Endpoints here. It is recommended that you use a protected connection if you use the public route, for example, a VPN.
  • Public IP addresses are mapped to internal IP addresses on all ports. Make sure you open only the ports on your virtual server that you want to be exposed to the public network.
  • Use the internal IP address to connect from one virtual server to another in the same region via the internal network. Your traffic on the internal network is automatically isolated from other tenants.

Deleting Hyper Protect Virtual Servers instances

Use the web user interface or the CLI to delete your instance. The virtual server and all the data that is stored in it is deleted after the 7-day reclamation period, as described here.

The Hyper Protect Virtual Servers data retention policy describes how long your data is stored after you delete the service. The data retention policy is included in the IBM Cloud Hyper Protect Virtual Servers service description, which you can find in the Terms and Notices.