IBM Cloud™ Virtual Private Cloud - Block Storage Encryption

Dave Archer
3 min read · Jan 3, 2021

When I talk to customers about what their top requirements are in choosing a cloud provider, invariably security is mentioned as one of the top priorities. In particular, data security has become an issue of paramount importance to companies as they develop and enhance security strategies in an environment that relies more and more on cloud technologies. IBM Virtual Private Cloud (VPC) Block Storage meets this challenge by providing secure data encryption technology for block volumes while allowing customers to own and govern the encryption keys used to encrypt the volume data independently.

What is Customer-managed encryption?

When provisioning IBM Block Storage boot volumes and secondary data volumes for virtual machine instances, you have two choices for protecting your data. You, as a customer, may choose IBM provider-managed encryption, which provides storage-side encryption of data at rest, or customer-managed encryption, which allows a greater level of security and oversight of the encryption keys. With customer-managed encryption, data is always encrypted using a root key you have provided, which is governed and persisted outside of the host/hypervisor itself. The service is flexible in that you have the option to specify different root keys for different volumes as your security process dictates. In this model, data is protected while in transit between the host system and the IBM storage systems, as well as at rest in the back-end IBM storage system. This means data being written to storage is encrypted before it leaves the hypervisor, and conversely data being read from block storage is only decrypted once it reaches the hypervisor and is delivered to the guest OS.

Envelope Encryption

An important element of customer-managed encryption is the use of envelope encryption. Envelope encryption provides a level of indirection between the encryption key managed by the customer and the key actually used to encrypt and decrypt data on the hypervisor. In practice, the customer root key described above acts as a key-wrapping key: it encrypts the key encryption keys, which in turn protect the keys that encrypt the data within the virtual disk. Said another way, with envelope encryption, root keys encrypt key encryption keys (KEKs) which, in turn, secure data encryption keys (DEKs) that encrypt your data on the virtual disk.

More details regarding data encryption, including the key-hierarchy diagram, can be found here: Data Encryption for VPC

Customer Managed Encryption Advantages

Here are some advantages of customer-managed encryption over provider-managed encryption:

  • Data encryption available for both boot volumes and data volumes
  • Data is encrypted both on disk and in transit. All data being written to storage is encrypted before it leaves the hypervisor.
  • Customer root keys are controlled by you, the customer, and are governed in a Key Management System (Key Protect or HPCS) external to the IBM Block Storage service.
  • Unique customer root keys can be used for each block volume allowing you to limit exposure in the case of a compromised root key.
  • You choose the key management service that is right for you: Key Protect (FIPS 140-2 Level 3 compliant) or Hyper Protect Crypto Services (FIPS 140-2 Level 4 compliant). Details: Key Management Service Details

Thank you for reading. In my upcoming IBM Block Storage security series blogs I will discuss Block Storage key rotation and key deletion capabilities, which provide the tools to allow you to enforce a comprehensive encryption key security and compliance strategy.

Dave Archer

Lead Architect, IBM Cloud Block and File Storage