Migrate Portworx volumes from HPCS to Key Protect

Migrate your Hyper Protect Crypto Services (HPCS) encryption for Portworx storage volumes to use IBM Key Protect (Key Protect) instead.

Before you begin

Before you migrate your Portworx encrypted volumes from Hyper Protect Crypto Services to Key Protect, complete the following steps.

  1. Access your Red Hat OpenShift cluster.
  2. Make sure you have installed the Key Protect CLI plugin.
  3. If you do not already have one, create a Key Protect instance to use for the migration.
  4. Make sure you have the Portworx HPCS to Key Protect migration script to use for migrating your volumes. This tool is included in the hpcs-2-kp-k8s.zip file when you request tool access. See step 1 of the migration overview for more information.

Migrating Portworx encrypted volumes

Follow the steps to migrate your Portworx encrypted volumes from Hyper Protect Crypto Services to Key Protect. These steps include running a migration script.

  1. Set your IBM Cloud API key as an environment variable.

    export IC_API_KEY="YOUR_API_KEY"
    
  2. Run the migration script with the required flags. Replace the placeholder values with your specific configuration details.

    ./hpcs_kp_px_migration_script.sh \
      --region us-south \
      --resource-group Default \
      --hpcs-endpoint https://api.us-south.hs-crypto.cloud.ibm.com:8389/ \
      --hpcs-instance-id <hpcs-instance-id> \
      --hpcs-root-key-id <hpcs-root-key-id> \
      --kp-endpoint https://us-south.kms.cloud.ibm.com/ \
      --kp-instance-id <kp-instance-id> \
      --kp-root-key-id <kp-root-key-id> \
      --cluster-name my-px-cluster \
      --etcd-endpoints <etcd-endpoints> \
      --px-namespace kube-system
    

    Review the table for required command parameters.

    Migration script flags
    Flag                 Description
    --api-key            IBM Cloud API key.
    --region             IBM Cloud region (for example, us-south).
    --resource-group     IBM Cloud resource group.
    --hpcs-endpoint      Hyper Protect Crypto Services key management endpoint URL.
    --hpcs-instance-id   Hyper Protect Crypto Services instance ID.
    --hpcs-root-key-id   Hyper Protect Crypto Services root key ID.
    --kp-endpoint        Key Protect endpoint URL.
    --kp-instance-id     Key Protect instance ID.
    --kp-root-key-id     Key Protect root key ID.
    --cluster-name       Portworx cluster name (from pxctl status output).
    --px-namespace       Namespace where Portworx runs on your cluster.
  3. After the migration script completes, update the px-ibm Kubernetes secret in the portworx namespace to point to the Key Protect instance and root key you configured. Update the following fields:

    • IBM_SERVICE_API_KEY
    • IBM_INSTANCE_ID
    • IBM_BASE_URL
    • IBM_CUSTOMER_ROOT_KEY
  4. Restart Portworx on each cluster node. Wait for Portworx to show as healthy on each node before proceeding to the next.

    Restart Portworx on a node.

    kubectl label node <node-name> px/service=restart
    
  5. Validate that encrypted volumes are accessible and that new volumes use Key Protect as the key management service (KMS).
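
One way to carry out the secret update in step 3 without typing the API key on a command line, as an added example that is not part of the migration tool or the original page. The function names and the PX_NAMESPACE variable are hypothetical; the mapping of the four fields to the API key, instance ID, endpoint, and root key ID, and the Key Protect host name pattern (taken from the endpoint shown in step 2), are assumptions.

```shell
# Added example (not part of the migration tool). Assumption: the four px-ibm
# fields hold the API key, Key Protect instance ID, endpoint URL and root key ID.

# Secret .data values must be base64 with no line wrapping.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Print a JSON merge patch for the px-ibm secret.
# Args: <kp-instance-id> <kp-endpoint> <kp-root-key-id>
# The API key is read from IC_API_KEY so it stays out of the argument list.
build_px_ibm_patch() {
  local instance_id="$1" base_url="$2" root_key_id="$3" host
  [ -n "${IC_API_KEY:-}" ] || { echo "IC_API_KEY is not set" >&2; return 1; }
  [ -n "$instance_id" ] && [ -n "$root_key_id" ] || { echo "missing instance or root key ID" >&2; return 1; }
  case "$base_url" in
    https://*) ;;
    *) echo "endpoint must use https: $base_url" >&2; return 1 ;;
  esac
  # Compare the host name only, so a look-alike path or port cannot pass the check.
  host=${base_url#https://}; host=${host%%/*}; host=${host%%:*}
  case "$host" in
    *hs-crypto*) echo "endpoint still points at HPCS: $host" >&2; return 1 ;;
    *.kms.cloud.ibm.com) ;;
    *) echo "unexpected Key Protect host: $host" >&2; return 1 ;;
  esac
  printf '{"data":{"IBM_SERVICE_API_KEY":"%s","IBM_INSTANCE_ID":"%s","IBM_BASE_URL":"%s","IBM_CUSTOMER_ROOT_KEY":"%s"}}\n' \
    "$(b64 "$IC_API_KEY")" "$(b64 "$instance_id")" "$(b64 "$base_url")" "$(b64 "$root_key_id")"
}

# Apply the patch from a private temp file instead of passing it with -p.
# PX_NAMESPACE is a hypothetical override; the default is the namespace named in step 3.
apply_px_ibm_patch() {
  local patch_file rc=0
  patch_file=$(mktemp) || return 1
  { build_px_ibm_patch "$@" > "$patch_file" &&
    kubectl -n "${PX_NAMESPACE:-portworx}" patch secret px-ibm \
      --type merge --patch-file "$patch_file"; } || rc=$?
  rm -f "$patch_file"
  return "$rc"
}
```

Source the file, then run `apply_px_ibm_patch <kp-instance-id> <kp-endpoint> <kp-root-key-id>` with IC_API_KEY exported as in step 1.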