IBM Cloud Docs
Using End to End (E2E) Encryption to provision an encrypted instance

The End to End (E2E) Encryption feature lets you bring your own encrypted, cloud-init enabled operating system image. You encrypt the image by using a data encryption key that you own and control. After you complete some environment setup, you can import your encrypted image to the image template repository and use it to provision encrypted virtual server instances. E2E encryption provides data-at-rest encryption for the storage that is associated with the provisioned virtual server instances.

E2E Encryption brings together several IBM Cloud® components to provide a secure solution for your critical information.

  • An IBM key management service such as IBM Key Protect or IBM Cloud Hyper Protect Crypto Services to secure your encryption keys (see Table 1).
  • IBM Cloud Identity and Access Management (IAM) enables the Cloud Block Storage service to access your key management system and your root key that is used to wrap your data encryption key.
  • IBM Cloud Object Storage securely stores your encrypted image when you upload it.
  • In IBM Cloud console you can import your encrypted image and create an image template.
  • With an encrypted image template available in the IBM Cloud console infrastructure environment, you can provision encrypted virtual server instances.
  • Finally, you can audit events that are associated with your encrypted virtual servers through Activity Tracker.

Encryption key management services

Key Protect and Hyper Protect Crypto Services (now available in certain regions) use a common key provider API to provide a consistent approach for managing encryption keys. Behind the scenes, IBM Cloud data centers provide a dedicated hardware security module (HSM) to protect your keys. You can choose from the following options:

Table 1. Available key management service options

  Key Management Service         HSM Encryption Certification
  Key Protect                    FIPS 140-2 Level 3 compliance
  Hyper Protect Crypto Services  FIPS 140-2 Level 4 compliance

Preparing your environment

  1. You must have an upgraded account to use E2E encryption for virtual servers. For more information, see Switching to IBMid and linking accounts.

  2. Use your key management service to create and manage keys. The following example steps are specific to Key Protect, but the general flow also applies to Hyper Protect Crypto Services. If you're using Hyper Protect Crypto Services, see the documentation for that service for corresponding instructions.

    1. Provision the Key Protect service.
    2. Install the IBM Cloud Key Protect CLI plug-in. You must use the Key Protect CLI to wrap, with your root key, the base64-encoded 32-byte data encryption key (DEK) that you intend to use to encrypt your Virtual Hard Drive (VHD) image.
    3. Create or import a root key (CRK) in Key Protect. You will use your root key in the next step to wrap the data encryption key that you use to encrypt your image.
    4. Identify the DEK that you want to use to encrypt your image, and then wrap it with your root key. If you need to generate a DEK, you can use the kp wrap command with no plain text parameter (-p) to generate the key and wrap it. If you already have a DEK, you can import it and then wrap it by specifying the plain text parameter on the kp wrap command. Make sure to save the cipher text that is returned by the kp wrap command. You must specify the WDEK cipher text when you import your encrypted image to IBM Cloud console.
    Tip: Key Protect doesn't save additional authenticated data (AAD), so use WDEKs that don't require AAD to be unwrapped.
    
  3. From IBM Cloud Identity and Access Management (IAM), create an authorization between your Cloud Block Storage (source service) and your Key Management Service (target service). The authorization permits the IBM Cloud backplane services to use your WDEK for data encryption.

  4. In IBM Cloud Console, create an instance of IBM Cloud Object Storage and create a bucket to store the data. For more information, see the Getting started tutorial for IBM Cloud Object Storage.

    1. Create the IBM Cloud Object Storage instance in the region where your key management service is provisioned.
    2. When you create the bucket, the Resiliency setting must be Regional.
    3. Optionally, when you create the bucket, you can encrypt it with your DEK.
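The wrap step in step 2 above is envelope encryption: the root key never leaves the HSM, and only the wrapped DEK (WDEK) travels with the image. The following added example, which is not part of the IBM documentation and does not reproduce Key Protect's implementation or the kp CLI, simulates that step locally with AES-GCM: it enforces the 32-byte base64 DEK requirement, and shows why the tip about AAD matters, because a DEK wrapped with AAD cannot be unwrapped without presenting the identical AAD.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

func gcmFor(rootKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(rootKey) // root key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap decodes a base64 DEK, requires exactly 32 bytes, and seals it under rootKey with
// AES-GCM (nonce prepended). aad may be nil; if set, the same aad is required to unwrap.
func Wrap(rootKey []byte, dekB64 string, aad []byte) ([]byte, error) {
	dek, err := base64.StdEncoding.DecodeString(dekB64)
	if err != nil {
		return nil, err
	}
	if len(dek) != 32 {
		return nil, fmt.Errorf("DEK must be 32 bytes, got %d", len(dek))
	}
	gcm, err := gcmFor(rootKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, dek, aad), nil
}

// Unwrap reverses Wrap; it fails if rootKey, the ciphertext, or aad differ from wrap time.
func Unwrap(rootKey, wdek, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(rootKey)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(wdek) < ns {
		return nil, fmt.Errorf("wrapped DEK too short")
	}
	return gcm.Open(nil, wdek[:ns], wdek[ns:], aad)
}
```

The real root key stays inside Key Protect; the rootKey value here is a constructed local stand-in so the flow can be exercised offline.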

Preparing your encrypted images

  1. Select an unencrypted image that works in the IBM Cloud infrastructure environment that you want to encrypt. One option is to use an existing virtual server to create an image template. For more information, see Work with an image template that was created from a cloud-init provisioned virtual server. You can also use an existing VHD image. Make sure that the image meets encrypted image requirements.
  2. If you're using an image template from IBM Cloud infrastructure customer portal, export the unencrypted image to IBM Cloud Object Storage.
  3. Download the image file from IBM Cloud Object Storage to a secure local machine to encrypt the image. In your service dashboard, select the Download action to retrieve your object from storage. You can use the Aspera high-speed transfer plug-in to download images larger than 200 MB.
  4. Use the vhd-util tool to encrypt your VHD image.
  5. In IBM Cloud Object Storage, navigate to your bucket and click Add Objects to upload the encrypted image. You can use the Aspera high-speed transfer plug-in to upload images larger than 200 MB.

If you're interested in automating image encryption, check out this IBM Cloud blog post.

Importing an encrypted image and ordering an instance

  1. Using IBM Cloud Identity and Access Management (IAM), create a service ID to authenticate with when you import the encrypted image into IBM Cloud console.
    1. Create a service ID.
    2. Assign an access policy. Assign access for these services: IBM Cloud Object Storage and key management.
    3. Create an API key for the service ID.
    For more information, see Introducing IBM Cloud IAM Service IDs and API Keys.
  2. From IBM Cloud console, import the encrypted image to the Image Templates page.
  3. From the Image Templates page, you can use your encrypted image to order a virtual server instance.
  4. With an encrypted virtual server provisioned, you can audit virtual server events through Activity Tracker.