Secure data migration for Hyper Protect Virtual Servers from VPC to on-premises
This comprehensive guide walks you through the process of securely migrating data from your Hyper Protect Virtual Servers instance that is running on IBM Cloud VPC to an on-premises environment.
Hyper Protect Virtual Servers cloud data volumes are fully encrypted using user‑provided seed values, ensuring that the data can be decrypted only by the originating user. These encrypted volumes can be transferred to an on‑premises environment while preserving complete confidentiality. Decryption of the transferred volumes is possible only within an IBM Confidential Computing Container Runtime or IBM Confidential Computing Container Runtime for Red Hat Virtualization Solutions on‑premises deployment, because the LUKS decryption passphrase is generated exclusively inside the Secure Execution boundary of the HPVS instance. The Secure Execution boundary is designed to protect in‑memory secrets from tampering and inspection, including memory dumping or access attempts by system administrators or the hypervisor. As a result, encryption keys and passphrases remain isolated and protected throughout the lifecycle of the HPVS instance.
The migration steps that are described in this guide are valid only until the End of Service (EOS) window. For more information, see the Service deprecation announcement.
Prerequisites
Make sure that you have the following:
- An active IBM Cloud account with an HPVS instance
- A Virtual Server Instance (VSI) running on IBM Cloud with the `qemu-utils` package installed
- Sufficient storage space to accommodate the volume snapshots on the machine from which you `ssh` to the VSI
- Administrative access to both the cloud and on-premises environments
- The original contract and seed files that were used for the HPVS deployment on IBM Cloud
- Backup verification: Confirm that you have recent backups of your data on the HPVS instance (IBM Cloud deployment)
- Downtime planning: It is recommended to schedule a maintenance window and avoid modifying the volume during the migration.
- Network connectivity: Ensure a secure transfer mechanism (VPN, Direct Link, or secure file transfer) between the machine that holds the volume snapshot and the on-premises machine
- Required tools: Install `qemu-utils` on your VSI:
  - For Ubuntu or Debian:
    ```
    sudo apt-get update && sudo apt-get install -y qemu-utils
    ```
  - For RHEL or CentOS:
    ```
    sudo yum install -y qemu-img
    ```
Procedure
Step 1: Taking the snapshot of the encrypted disk volume
Take a volume snapshot of the encrypted disk volume that is attached to the HPVS instance. For more information, see Creating Block Storage for VPC snapshots.
Step 2: Creating a VSI with QEMU using the snapshot
Create a VSI by importing the snapshot. For more information, see Creating a virtual server instance in the console.
Step 3: Identify the volume location
- SSH into your VSI:
  ```
  ssh -i /path/to/private_key user@<VSI_IP_ADDRESS>
  ```
- Run the `lsblk` command to list all block devices:
  ```
  lsblk
  ```
- Identify your volume in the output. Example output:
  ```
  NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
  vda     254:0    0  100G  0 disk
  ├─vda1  254:1    0 99.9G  0 part /
  ├─vda14 254:14   0    3M  0 part
  └─vda15 254:15   0  124M  0 part /boot/efi
  vdb     254:16   0  368K  0 disk
  vdc     254:32   0   44K  0 disk
  vdd     254:48   0   10G  0 disk          ← new volume
  ├─vdd1  254:49   0   99M  0 part
  └─vdd2  254:50   0  9.9G  0 part
  ```
  The new volume is typically the last device listed (`vdd` in this example).
- Note the device path (example: `/dev/vdd`) for use in the next step.
Step 4: Create a volume snapshot
Use QEMU tools to create a compressed snapshot of the volume.
- Create a directory for storing the snapshot:
  ```
  sudo mkdir -p /var/lib/libvirt/images/hpvs/snap-image
  cd /var/lib/libvirt/images/hpvs/snap-image
  ```
- Create the snapshot by using `qemu-img`:
  ```
  sudo qemu-img convert -p -f raw -O qcow2 /dev/vdd vdd.qcow2
  ```
  Command parameters:
  - `-p`: Show progress during conversion
  - `-f raw`: Source format (raw block device)
  - `-O qcow2`: Output format (QCOW2 compressed image)
  - `/dev/vdd`: Source device (replace with your device path)
  - `vdd.qcow2`: Output file name

  This process can take considerable time depending on the volume size. A 10 GB volume typically takes 5-15 minutes.
- Verify that the snapshot was created successfully:
  ```
  ls -lh vdd.qcow2
  qemu-img info vdd.qcow2
  ```
  Expected output:
  ```
  image: vdd.qcow2
  file format: qcow2
  virtual size: 10 GiB (10737418240 bytes)
  disk size: 2.5 GiB
  cluster_size: 65536
  ```
Step 5: Transfer snapshot to on-premises
Securely transfer the snapshot file to your on-premises environment.
```
scp vdd.qcow2 user@on-premises-host:/var/lib/libvirt/images/hpvs/snap-image/
```
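As an added example (not part of the IBM guide), the following POSIX shell script wraps the transfer above with an integrity check: it runs `qemu-img check` on the snapshot, writes a SHA-256 manifest next to it, copies both files, and re-verifies the checksum on the on-premises host before the domain XML is touched. `REMOTE` is a placeholder; `SNAP_DIR` and `IMAGE` follow the paths used in the steps above.

```shell
#!/bin/sh
# Added example, not part of the IBM guide. Wraps Step 5 with an integrity
# check: checksum the qcow2 on the VSI, copy image and manifest, verify the
# checksum on the on-premises host before the domain XML is touched.
# Assumes sha256sum, qemu-img, scp and ssh on the VSI. REMOTE is a placeholder.
set -u

SNAP_DIR=/var/lib/libvirt/images/hpvs/snap-image
IMAGE=vdd.qcow2
REMOTE="user@on-premises-host"   # placeholder: replace with your on-prem host

# Write a relocatable manifest "<sha256>  <basename>" next to FILE as
# FILE.sha256 and print the digest on stdout.
make_manifest() {
    _dir=$(dirname "$1"); _name=$(basename "$1")
    ( cd "$_dir" && sha256sum "$_name" > "$_name.sha256" ) || return 1
    cut -d' ' -f1 "$1.sha256"
}

# Exit status 0 if FILE still matches FILE.sha256, non-zero otherwise.
verify_manifest() {
    _dir=$(dirname "$1"); _name=$(basename "$1")
    ( cd "$_dir" && sha256sum -c --status "$_name.sha256" )
}

# Run on the VSI after Step 4: check qcow2 consistency, checksum, copy,
# then re-verify on the far side and show what qemu-img sees there.
transfer_snapshot() {
    qemu-img check "$SNAP_DIR/$IMAGE" || return 1
    make_manifest "$SNAP_DIR/$IMAGE" || return 1
    scp "$SNAP_DIR/$IMAGE" "$SNAP_DIR/$IMAGE.sha256" "$REMOTE:$SNAP_DIR/" || return 1
    ssh "$REMOTE" "cd '$SNAP_DIR' && sha256sum -c '$IMAGE.sha256' && qemu-img info '$IMAGE'"
}

# Only perform the transfer when explicitly requested:
#   RUN_TRANSFER=1 sh transfer.sh
if [ "${RUN_TRANSFER:-0}" = 1 ]; then
    transfer_snapshot
fi
```

A manifest that fails to verify on the on-premises side means the copy was truncated or altered in transit; repeat the transfer rather than proceeding to Step 6.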
Step 6: Configure on-premises virtual server
Update your on-premises virtual server configuration to use the migrated volume.
- Locate your domain XML configuration file:
  - For HPVS: `hpvsnew.xml`
  - For HPCR: `hpcrnew.xml`
- Edit the XML file to add or update the disk configuration:

  For HPVS (`hpvsnew.xml`):
  ```xml
  <domain type='kvm'>
    <name>hpvs-migrated</name>
    <devices>
      <disk type='file' device='disk'>
        <driver name='qemu' type='qcow2' cache='none' iommu='on'/>
        <source file='/var/lib/libvirt/images/hpvs/snap-image/vdd.qcow2'/>
        <target dev='vdb' bus='virtio'/>
        <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
      </disk>
    </devices>
  </domain>
  ```
  For HPCR (`hpcrnew.xml`):
  ```xml
  <domain type='kvm'>
    <name>hpcr-migrated</name>
    <devices>
      <disk type='file' device='disk'>
        <driver name='qemu' type='qcow2' cache='none' iommu='on'/>
        <source file='/var/lib/libvirt/images/hpvs/snap-image/vdd.qcow2'/>
        <target dev='vdb' bus='virtio'/>
        <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
      </disk>
    </devices>
  </domain>
  ```
  Configuration parameters:
  - `type='file'`: Disk source is a file
  - `device='disk'`: Device type is a disk
  - `driver name='qemu' type='qcow2'`: Use the QEMU driver with the QCOW2 format
  - `cache='none'`: Disable caching for better data integrity
  - `iommu='on'`: Enable IOMMU for security
  - `target dev='vdb'`: Device name inside the guest
  - `bus='virtio'`: Use VirtIO for better performance
- Ensure that you have the original contract and seed files that were used during the initial HPVS deployment.