IBM Cloud Docs
Securing your data in VPC

To ensure that you can securely manage your data when you use IBM Cloud® Virtual Private Cloud, it's important to know exactly what data is stored and encrypted and how you can delete any stored personal data. Data encryption with your own root keys is available by using a supported key management service (KMS).

VPN for VPC does not store any customer data other than what is required to configure VPN gateways, connections, and policies. Data that is transmitted through a VPN gateway is not encrypted by IBM. Data about your specific VPN and policy configurations is encrypted in transit and at rest. VPN configuration data is deleted upon your request through the API or user interface.

How your data is stored and encrypted in VPC

All Block Storage volumes are encrypted by default with IBM-managed encryption. IBM®-managed keys are generated and securely stored in a Block Storage vault that is backed by Consul and maintained by IBM Cloud® operations.

For more security and control, you can protect your data with your own root keys (also called a customer root key or CRK). This feature is commonly called Bring Your Own Key, or BYOK. Root keys encrypt the keys that safeguard your data. You can import your root keys to Key Protect or Hyper Protect Crypto Services, or have either key management service create one for you.

The KMS stores your key and makes it available during volume and custom image encryption. Key Protect provides FIPS 140-2 Level 3 compliance. Hyper Protect Crypto Services offers the highest level of security with FIPS 140-2 Level 4 compliance. Your key material is protected in transit (when it's transported) and at rest (when it is stored).

Customer-managed encryption is available for custom images, boot volumes, and data volumes. When an instance is provisioned from an encrypted custom image, its boot volume is encrypted by using the image’s root key. You can also choose a different root key. Data volumes are encrypted by using root keys when you provision a virtual server instance or when you create a stand-alone volume.

Images and volumes are often referred to as being encrypted with a root key when, in fact, envelope encryption is used: the data is encrypted with a data encryption key, and that key is in turn encrypted with a root key that you can fully manage. Internally, each image or volume is encrypted with a data encryption key (DEK), a cryptographic key that encrypts the stored data, by using open source QEMU technology that the IBM Cloud VPC Generation 2 infrastructure uses. A LUKS passphrase, also called a key encryption key, encrypts the DEK. The LUKS passphrase is then encrypted with a root key, creating what is called a wrapped DEK (WDEK). For more information about IBM Cloud VPC key encryption technology, see IBM Cloud VPC Generation 2 encryption technology.

For example, if you provision two volumes by using the same root key, unique passphrases are generated for each volume, which are then encrypted with the root key. Envelope encryption provides more protection for your data, and ensures that the root key can be rotated without having to reencrypt the data. For more information about envelope encryption, see Protecting your sensitive data in VPC.

All your interaction with VPN for VPC is encrypted. For example, when you use an API or interact with the service through the console to configure VPN gateways and VPN connections, all such interactions are encrypted end-to-end. Likewise, data elements that are related to your configuration are encrypted in transit and at rest. No personal or sensitive data is stored, processed, or transmitted. Data at rest is stored in an encrypted database.

After the VPN for VPC is provisioned and the network connections are created, the encryption of data that you choose to transmit across the network is your responsibility.

Instance storage data isolation and encryption

The instance storage disk or disks that are attached to the virtual server instance cannot be shared with any other virtual servers and cannot be accessed by any other virtual servers in the future. They are single-attach, one-time-use disks for the virtual server that requested the instance storage.

Instance storage data is secured with on-disk encryption. The physical disks that are used for instance storage are self-encrypting drives that use the AES-256 encryption standard. The data is automatically decrypted when your instance accesses it. When your instance is shut down or deleted, the underlying storage space is erased, and at that point the data is unrecoverable.

Data is automatically encrypted on the physical media at the drive level. However, customer-managed keys are not supported for instance storage. For sensitive data, it is strongly recommended that you use software-based file system encryption such as LUKS for Linux® or BitLocker for Windows®. This technology lets you encrypt entirely within the instance and can provide additional protection for sensitive data in transit between the instance and the physical drive media. Some operating systems also provide FIPS-certified encryption algorithms that can be used. See Encrypting block devices using LUKS for an example of how to encrypt on Red Hat Enterprise Linux®; for other systems, refer to the operating system documentation for specific information on how to encrypt each device.

Protecting your sensitive data in VPC

Key Protect or Hyper Protect Crypto Services provide a higher level of protection called envelope encryption.

Envelope encryption encrypts one encryption key with another encryption key. A DEK encrypts your actual data. The DEK is never stored in the clear. Rather, it's encrypted by a key encryption key, the LUKS passphrase. The LUKS passphrase is then encrypted by a root key, which creates a WDEK. To decrypt data, the WDEK is unwrapped so you can access the data that's stored on the volume. This process is possible only by accessing the root key that is stored in your KMS instance. Root keys in Hyper Protect Crypto Services instances are also protected by the master key of a hardware security module (HSM), a physical appliance that provides on-demand encryption, key management, and key storage as a managed service.

You control access to your root keys stored in KMS instances within IBM Cloud® by using IBM Cloud® Identity and Access Management (IAM). You grant access to a service to use your keys. You can also revoke access at any time, for example, if you suspect your keys might be compromised, or delete your root keys.

VPN for VPC: Customer-provided preshared keys are encrypted before they are stored in the database. All other data, that is, VPN gateway and VPN policy configuration, is encrypted at rest at the database level.

About customer-managed keys

For Block Storage volumes and encrypted images, you can rotate the root keys for more security. When you rotate a root key by schedule or on demand, the original key material is replaced. The old key remains active to decrypt existing resources but can't be used to encrypt new ones. For more information, see Key rotation for VPC resources.
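The key hierarchy that Protecting your sensitive data in VPC describes (data under a DEK, the DEK under a LUKS passphrase that acts as key encryption key, the passphrase wrapped by a root key in the KMS to form the WDEK), together with the rotation and IAM revocation behaviour described above, as a runnable model; this is example code written for this page, not IBM's implementation. The cipher is a toy HMAC-based stream construction standing in for the AES that LUKS uses, the Kms class is a stand-in for Key Protect, and the service name "is.volume" and key ID "crk-1" used in the test are assumed labels.

```python
import hashlib, hmac, secrets

def _xor_stream(key, nonce, data):
    # Toy stream cipher (HMAC-SHA256 keystream), a stand-in for AES so the hierarchy can run.
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def encrypt(key, plaintext):  # returns nonce || ciphertext || HMAC tag
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or corrupted blob")
    return _xor_stream(key, nonce, ct)

class Kms:
    """Stand-in for Key Protect: versioned root keys behind an IAM-style service authorization."""
    def __init__(self):
        self.versions, self.authorized = {}, set()  # crk_id -> [material, newest last]
    def create_root_key(self, crk_id):
        self.versions[crk_id] = [secrets.token_bytes(32)]
    def rotate(self, crk_id):  # new material; older versions still unwrap but never wrap
        self.versions[crk_id].append(secrets.token_bytes(32))
    def _versions(self, crk_id, service):
        if service not in self.authorized:
            raise PermissionError("service authorization to the root key was revoked")
        return self.versions[crk_id]
    def wrap(self, crk_id, service, kek):  # WDEK = version byte || encrypt(latest, kek)
        versions = self._versions(crk_id, service)
        return bytes([len(versions) - 1]) + encrypt(versions[-1], kek)
    def unwrap(self, crk_id, service, wdek):
        return decrypt(self._versions(crk_id, service)[wdek[0]], wdek[1:])
class Volume:
    """data <- DEK <- LUKS passphrase (KEK) <- root key; only the encrypted keys are stored."""
    def __init__(self, kms, crk_id, data):
        self.kms, self.crk_id = kms, crk_id
        dek, passphrase = secrets.token_bytes(32), secrets.token_bytes(32)  # unique per volume
        self.ciphertext, self.encrypted_dek = encrypt(dek, data), encrypt(passphrase, dek)
        self.wdek = kms.wrap(crk_id, "is.volume", passphrase)
    def read(self):
        passphrase = self.kms.unwrap(self.crk_id, "is.volume", self.wdek)
        return decrypt(decrypt(passphrase, self.encrypted_dek), self.ciphertext)
    def rewrap(self):  # after a rotation: re-wrap the passphrase only; ciphertext is untouched
        kek = self.kms.unwrap(self.crk_id, "is.volume", self.wdek)
        self.wdek = self.kms.wrap(self.crk_id, "is.volume", kek)
```

Rotating the root key changes only the WDEK after a rewrap, and removing the service authorization makes every read fail even though the ciphertext and encrypted DEK are still present.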

Consider regional and cross-regional implications when you choose to use customer-managed encryption. For more information, see Regional and cross regional considerations.

With Key Protect or Hyper Protect Crypto Services you can create, import, and manage your root keys. You can assign access policies to the keys, assign users or service IDs to the keys, or give the key access only to a specific service. The first 20 keys are without cost.

About customer-managed encrypted volumes and images

With customer-managed encryption, you provision root keys to protect your encrypted resources in the cloud. Root keys serve as key-wrapping keys that encrypt the encryption keys that protect your data. You decide whether to import your existing root keys, or have a supported KMS create one for you.

Block Storage volumes are assigned a unique data encryption key that is generated by the instance's host hypervisor. The data encryption key for each volume is encrypted with a unique KMS-generated LUKS passphrase, which is then encrypted by the root key and stored in the KMS.

Custom images are encrypted with a LUKS passphrase that you create by using QEMU. After the image is encrypted, you wrap the passphrase with your CRK that is stored in the KMS. For more information, see Encrypted custom images.

Enabling customer-managed keys for VPC

See the following procedure for creating Block Storage boot and data volumes with customer-managed encryption.

Working with customer-managed keys for VPC

For more information about managing data encryption, see Managing data encryption, and the section on temporarily revoking access by removing service authorization to a root key.

Encryption of the link between a customer's workload that's outside of IBM Cloud, and a workload that's inside IBM Cloud, is the customer’s responsibility. See Encryption in Security and regulation compliance.

Deleting data in VPC

Deleting root keys

For more information about deleting root keys, see Deleting root keys.

Deleting a Block Storage volume

For more information about deleting Block Storage volumes, see this FAQ: What happens to my data when I delete a Block Storage data volume?

Deleting a custom image

For more information about deleting custom images from IBM Cloud VPC, see Managing custom images. Be aware of any virtual server instances that you provisioned with a custom image. To remove all data associated with a specific custom image, make sure that you also delete any instances provisioned from the custom image, along with associated boot volumes.

When you want to delete an IBM Cloud VPC custom image that is part of a private catalog offering, you must first remove that image from the associated version in the private catalog offering. Then, you can delete the custom image from IBM Cloud VPC. To delete the custom image from the private catalog, see Deprecating a private product.

Deleting VPC instances

For more information about deleting a VPC and its associated resources, see Deleting a VPC.

The VPC data retention policy describes how long your data is stored after you delete the service. The data retention policy is included in the IBM Cloud® Virtual Private Cloud service description, which you can find in the IBM Cloud Terms and Notices.

The VPN and VPN policy configurations are deleted on request through the API or user interface.

Restoring deleted data for VPC

You can restore deleted root keys that you imported to the KMS within 30 days of deletion. For more information, see Restoring deleted root keys.

VPN for VPC does not support the restoration of deleted data.

Deleting all VPC data

To delete all persisted data that IBM Cloud VPC stores, choose one of the following options.

Removing your personal and sensitive information requires all of your IBM Cloud VPC resources to be deleted as well. Make sure that you back up your data before you proceed.

  • Open an IBM Cloud support case. Contact IBM Support to remove your personal and sensitive information from IBM Cloud VPC. For more information, see Using the Support Center.
  • End your IBM Cloud subscription. After you end your IBM Cloud subscription, IBM Cloud VPC deletes all service resources that you created, which includes all persisted data that is associated with those resources.