Planning data encryption
When you're planning a data encryption strategy for your Block Storage for VPC volumes, snapshots, File Storage for VPC shares, or custom images, you might find this checklist helpful.
Planning for data encryption
Consider the following prerequisites before you set up data encryption for your VPC resources.
Considerations |
---|
__ Evaluate the amount of control that you want over your data encryption. IBM-managed encryption is provided by default for boot volumes, data volumes, and file shares. With customer-managed encryption, you own the encryption keys and control the encryption process. |
__ For encrypted custom images, review the image requirements, supported operating systems, and learn about creating and importing QCOW2 custom image files. For more information, see Planning for custom images. |
__ Evaluate which key management service best meets your needs. Determine the availability of these services in your region and zone. |
__ Determine whether your account can authorize access: For Cloud Block Storage as the source service, Lite accounts must upgrade to a Pay-As-You-Go account or a Subscription account. For more information, see IBM Cloud account types. For File Storage for VPC, specify VPC Infrastructure Services under (source service), check the box (Resource type), and choose File Storage for VPC and Key Protect (target service). For custom images, authorize access between Image Service for VPC (source service) and IBM Cloud Object Storage (target service). Specify reader access for the role. For all VPC Source services, do not filter by resource group. Do not select the resource group checkbox. |
__ For customer-managed encryption, consider importing or creating multiple root keys and rotating your keys for greater security. |
__ Make sure you have a unique name for your virtual server instances, volumes, and file shares. For example, if you have a method for naming volumes with customer-managed encryption, it's much easier to filter and search for them later. |
__ Determine how long you want to retain the resource and whether you might want to make the data inaccessible for any reason. |
Prerequisites for setting up customer-managed encryption
Complete the following prerequisites to configure customer-managed encryption for your VPC resources.
Block and file storage prerequisites
Provision a key management service (KMS), and authorize access between your VPC resource and KMS.
-
When you provision a KMS, you can choose between Key Protect and Hyper Protect Crypto Services. Follow the linked tutorials to provision a service instance, and create or import a customer root key.
-
From IBM Cloud Identity and Access Management (IAM), authorize access between Cloud Block Storage or Cloud File Storage (source service) and the target KMS service (Key Protect or Hyper Protect Crypto Services). For more information, see Establish service-to-service authorizations for File Storage for VPC.
You might need to upgrade your account to a Pay-as-you-go account to complete this set. For more information, see Upgrading to a Pay-As-You-Go account.
Encrypted custom image prerequisites
If you plan to import an encrypted custom image, follow the instructions in Setting up your key management service and keys.