August 27, 2019 By Eduardo Rodriguez 5 min read

What is IBM Cloud Data Shield and how can it help you on your move to the cloud?

Welcome to a new blog series on IBM Cloud Data Shield. In this post, I’m going to focus on the installation of the service.

When it comes to protecting your data, encryption is one of the most popular and effective controls. But after an application starts to run, data that is in use by the CPU and in memory is vulnerable to various attacks. The attackers might include malicious insiders, root users, credential compromise, OS zero-days, network intruders, and others. Taking that protection one step further, you can use IBM Cloud Data Shield to encrypt the data in your container workload while it is in use.

With IBM Cloud Data Shield, your app code and data run in CPU-hardened enclaves. The enclaves are trusted areas of memory on the worker node that protect the critical aspects of your apps. The enclaves help to keep the user-level code and data confidential and prevent modification, even from processes that run at higher privilege levels.

For more information on how IBM Cloud Data Shield can help you to move to the cloud, check out the documentation.

Installing IBM Cloud Data Shield with Helm

Before we get started, we need to make sure we have the following prerequisites:

  • An SGX-enabled Kubernetes cluster
  • The Kubernetes, Helm, and IBM Cloud CLIs.

For more information or help getting the prerequisites installed, see the docs.

1. First, I’ll log in to my IBM Cloud account.

ibmcloud login

2. Once I have logged in, I need to gain access to my IBM Cloud Kubernetes Service cluster.

  • Get cluster configuration:
    ibmcloud ks cluster-config <cluster-name>
  • Export environment variables to start using Kubernetes:
    export KUBECONFIG=<cluster-config-yml-path>

3. Since this is my first time installing IBM Cloud Data Shield in a new cluster, I need to create the Helm role binding policy for Tiller.

  • Create a service account for Tiller:
    kubectl --namespace kube-system create serviceaccount tiller
  • Create the rolebinding policy:
    kubectl create clusterrolebinding tiller --clusterrole cluster-admin --serviceaccount=kube-system:tiller
  • Initialize Helm:
    helm init --service-account tiller --upgrade

4. Now, I will update my Helm repo.

helm repo update

5. After updating my Helm repo, I can now install cert-manager, which is a requirement for IBM Cloud Data Shield to run.

helm install --version 0.5.0 stable/cert-manager

6. I will verify that cert-manager is installed.

helm list

7. To install the Data Shield Helm chart, I need to add the iks-charts repository.

helm repo add iks-charts https://icr.io/helm/iks-charts

8. In order to convert images using Data Shield, I need to set up a converter secret, which should have access to my converter registry.

  • Create a service ID and an API key for the container registry:
    ibmcloud iam service-id-create data-shield-container-converter -d 'Data Shield Container Converter'
    ibmcloud iam service-api-key-create 'Data Shield Container Converter' data-shield-container-converter
  • Create an IAM service policy:
    ibmcloud iam service-policy-create data-shield-container-converter --roles Reader,Writer --service-name container-registry
  • Create a converter secret by using the API key that you created, and set the region from where images will be pushed and pulled during the conversion (replace <region> and <api-key> with your values):
    (echo -n '{"auths":{"<region>.icr.io":{"auth":"'; echo -n 'iamapikey:<api-key>' | openssl base64 -A; echo '"}}}') | kubectl create secret generic converter-docker-config --from-file=.dockerconfigjson=/dev/stdin
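The one-line pipeline above is easy to get subtly wrong: if the API key is left empty or a placeholder is not replaced, the secret is still created and only fails later, when the converter tries to pull an image. The following shell script is an added example, not code from the original post or from IBM, that builds the same dockerconfigjson document from a region and an API key, refuses empty or placeholder values, and decodes the auth field back out so the document can be checked before it becomes a secret. The registry host pattern <region>.icr.io and the iamapikey user name follow the post's command; the function names and the sample key are this example's own assumptions.

```shell
#!/bin/sh
# Added example: build and verify the converter's dockerconfigjson payload.
# Not the post's or IBM's code; function names and sample values are assumed.

# Encode "iamapikey:<key>" as one base64 line (portable stand-in for
# `openssl base64 -A`, which the post uses).
encode_auth() {
  printf 'iamapikey:%s' "$1" | base64 | tr -d '\n'
}

# Emit the dockerconfigjson document for one registry host.
# Returns 1 instead of producing a document when the region or key is empty
# or still contains an unreplaced <placeholder>.
build_docker_config() {
  region="$1"
  apikey="$2"
  case "$apikey" in
    ''|*'<'*|*'>'*) echo "build_docker_config: invalid API key" >&2; return 1 ;;
  esac
  case "$region" in
    ''|*'<'*|*'>'*) echo "build_docker_config: invalid region" >&2; return 1 ;;
  esac
  printf '{"auths":{"%s.icr.io":{"auth":"%s"}}}\n' "$region" "$(encode_auth "$apikey")"
}

# Pull the "auth" value back out of a document and decode it to user:key,
# so the credential can be inspected before the secret is created.
decode_auth() {
  auth=$(printf '%s' "$1" | sed -n 's/.*"auth":"\([^"]*\)".*/\1/p')
  printf '%s' "$auth" | base64 -d
}

# Return the registry host named in the document.
config_host() {
  printf '%s' "$1" | sed -n 's/.*"auths":{"\([^"]*\)".*/\1/p'
}

# Usage (IBMCLOUD_API_KEY is an assumed environment variable holding the key
# from `ibmcloud iam service-api-key-create` above):
#   cfg=$(build_docker_config us-south "$IBMCLOUD_API_KEY") || exit 1
#   decode_auth "$cfg"; echo            # eyeball the user:key pair
#   printf '%s' "$cfg" | kubectl create secret generic converter-docker-config \
#       --from-file=.dockerconfigjson=/dev/stdin
```

Validating the document before piping it into kubectl means a typo in the region or a forgotten placeholder is caught at secret-creation time rather than surfacing as an opaque pull error during conversion; the decode step also lets you confirm that the key in the secret is the converter service ID's key and not a personal one.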

9. Now, I will obtain my account ID.

ibmcloud account show

10. I also need to know the Ingress Subdomain for my cluster.

ibmcloud ks cluster-get <cluster-name>

11. I’m now ready to install IBM Cloud Data Shield. I need to make sure I specify the right options, which are explained below. At the end of the installation process, I need to copy the Enclave Manager URL that is provided in the output, which I will use later to access the Enclave Manager UI.

helm install iks-charts/ibmcloud-data-shield --set enclaveos-chart.Manager.AdminEmail=<admin-email> --set enclaveos-chart.Manager.AdminName=<admin-name> --set enclaveos-chart.Manager.AdminIBMAccountId=<account-id> --set global.IngressDomain=<your cluster's ingress domain> --set converter-chart.Converter.DockerConfigSecret=converter-docker-config
  • enclaveos-chart.Manager.AdminEmail: Enclave Manager UI administrator email
  • enclaveos-chart.Manager.AdminName: Enclave Manager UI administrator name
  • enclaveos-chart.Manager.AdminIBMAccountId: Your IBM Account ID that you obtained in Step 9
  • global.IngressDomain: The Ingress subdomain for your cluster that you obtained in Step 10
  • converter-chart.Converter.DockerConfigSecret: The secret that you created in Step 8 as converter-docker-config. This secret contains the credentials needed to access the container registry where images are pulled and pushed during conversion.

12. I can now verify that the Helm chart exists and that my pods are up and running. This might take a couple of minutes.

helm list
kubectl get pods

13. Now, it’s time to copy the Enclave Manager URL that is returned in the notes of my install output and paste it in a browser. I should be able to log in by using my IAM token, which I can retrieve with:

ibmcloud iam oauth-tokens

That’s it. We have installed IBM Cloud Data Shield!

Learn more about IBM Cloud Data Shield.

Keep reading on with the second post in this series: “Converting and Deploying Applications Using IBM Cloud Data Shield.”
