| copyright | lastupdated | keywords | subcollection | ||
|---|---|---|---|---|---|
|
2023-12-14 |
vpc |
{{site.data.keyword.attribute-definition-list}}
{: #vpc-encryption-planning}
When you're planning a data encryption strategy for your {{site.data.keyword.block_storage_is_short}} volumes, snapshots, {{site.data.keyword.filestorage_vpc_short}} shares, or custom images, you might find this checklist helpful. {: shortdesc}
{: #planning-for-data-encryption}
Consider the following prerequisites before you set up data encryption for your VPC resources.
| Considerations |
|---|
| __ Evaluate the amount of control that you want over your data encryption. IBM-managed encryption is provided by default for boot volumes, data volumes, and file shares. With customer-managed encryption, you own the encryption keys and control the encryption process. |
| __ For encrypted custom images, review the image requirements, supported operating systems, and learn about creating and importing QCOW2 custom image files. For more information, see Planning for custom images. |
| __ Evaluate which key management service best meets your needs. Determine the availability of these services in your region and zone. |
| __ Determine whether your account can authorize access: \n For Cloud Block Storage as the source service, Lite accounts must upgrade to a Pay-As-You-Go account or a Subscription account. For more information, see IBM Cloud account types. \n \n For {{site.data.keyword.filestorage_vpc_short}}, specify VPC Infrastructure Services under (source service), check the box (Resource type), and choose {{site.data.keyword.filestorage_vpc_short}} and {{site.data.keyword.keymanagementserviceshort}} (target service). \n \n For custom images, authorize access between Image Service for VPC (source service) and {{site.data.keyword.cos_full_notm}} (target service). Specify reader access for the role. \n \n For all VPC Source services, do not filter by resource group. Do not select the resource group checkbox. |
| __ For customer-managed encryption, consider importing or creating multiple root keys and rotating your keys for greater security. |
| __ Make sure you have a unique name for your virtual server instances, volumes, and file shares. For example, if you have a method for naming volumes with customer-managed encryption, it's much easier to filter and search for them later. |
| __ Determine how long you want to retain the resource and whether you might want to make the data inaccessible for any reason. |
| {: caption="Table 1. Checklist for planning data encryption" caption-side="top"} |
{: #byok-encryption-prereqs}
Complete the following prerequisites to configure customer-managed encryption for your VPC resources.
{: #byok-volumes-prereqs}
Provision a key management service (KMS), and authorize access between your VPC resource and KMS.
-
When you provision a KMS, you can choose between {{site.data.keyword.keymanagementserviceshort}} and {{site.data.keyword.hscrypto}}. Follow the linked tutorials to provision a service instance, and create or import a customer root key.
-
From IBM {{site.data.keyword.iamshort}} (IAM), authorize access between Cloud Block Storage or Cloud File Storage (source service) and the target KMS service ({{site.data.keyword.keymanagementserviceshort}} or {{site.data.keyword.hscrypto}}). For more information, see Establish service-to-service authorizations for File Storage for VPC.
You might need to upgrade your account to a Pay-as-you-go account to complete this set. For more information, see Upgrading to a Pay-As-You-Go account. {: tip}
{: #byok-custom-images-prereqs}
If you plan to import an encrypted custom image, follow the instructions in Setting up your key management service and keys.
{: #next-steps-planning}