August 27, 2019 By Eduardo Rodriguez 5 min read

What is IBM Cloud Data Shield and how can it help you on your move to the cloud?

Welcome to a new blog series on IBM Cloud Data Shield. In this post, I’m going to focus on the installation of the service.

When it comes to protecting your data, encryption is one of the most popular and effective controls. But once an application starts to run, the data it holds in CPU registers and memory is in the clear, and it is exposed to attacks from malicious insiders, root users, compromised credentials, OS zero-days, network intruders, and others. Taking that protection one step further, you can use IBM Cloud Data Shield to encrypt the data in your container workload while it is in use.

With IBM Cloud Data Shield, your app code and data run in CPU-hardened (Intel SGX) enclaves. The enclaves are trusted areas of memory on the worker node that protect the critical aspects of your apps. They keep user-level code and data confidential and prevent modification, even from processes that run at higher privilege levels, such as the OS kernel.

For more information on how IBM Cloud Data Shield can help you to move to the cloud, check out the documentation.

Installing IBM Cloud Data Shield with Helm

Before we get started, we need to make sure we have the following prerequisites:

  • An SGX-enabled Kubernetes cluster
  • The Kubernetes, Helm, and IBM Cloud CLIs.

For more information or help getting the prerequisites installed, see the docs.

1. First, I’ll log in to my IBM Cloud account.

ibmcloud login

2. Once I have logged in, I need to gain access to my IBM Cloud Kubernetes Service cluster.

  • Get cluster configuration:
    ibmcloud ks cluster-config <cluster-name>
  • Export environment variables to start using Kubernetes:
    export KUBECONFIG=<cluster-config-yml-path>

3. Since this is my first time installing IBM Cloud Data Shield in a new cluster, I need to create the Helm role binding policy for Tiller. (This is the Helm 2 setup: binding Tiller to cluster-admin means that anything in the cluster that can reach Tiller can act as a cluster admin, which is one reason Helm 3 later removed Tiller.)

  • Create a service account for Tiller:
    kubectl --namespace kube-system create serviceaccount tiller
  • Create the rolebinding policy:
    kubectl create clusterrolebinding tiller --clusterrole cluster-admin --serviceaccount=kube-system:tiller
  • Initialize Helm:
    helm init --service-account tiller --upgrade

4. Now, I'll update my Helm repo.

helm repo update

5. After updating my Helm repo, I can now install cert-manager, which is a requirement for IBM Cloud Data Shield to run.

helm install --version 0.5.0 stable/cert-manager

6. I will verify that cert-manager is installed.

helm list

7. To install the Data Shield Helm chart, I need to add the iks-charts repository.

helm repo add iks-charts https://icr.io/helm/iks-charts

8. In order to convert images using Data Shield, I need to set up a converter secret, which should have access to my converter registry.

  • Create a service ID and an API key for the container registry:
    ibmcloud iam service-id-create data-shield-container-converter -d 'Data Shield Container Converter'
    ibmcloud iam service-api-key-create 'Data Shield Container Converter' data-shield-container-converter
  • Create an IAM service policy:
    ibmcloud iam service-policy-create data-shield-container-converter --roles Reader,Writer --service-name container-registry 
  • Create a converter secret by using the API key that you just created. Replace <API_KEY> with that key and <region> with the registry region from which images will be pulled and pushed during the conversion (for example, us for us.icr.io). The user name is literally iamapikey:
    (echo -n '{"auths":{"<region>.icr.io":{"auth":"'; echo -n 'iamapikey:<API_KEY>' | openssl base64 -A; echo '"}}}') | kubectl create secret generic converter-docker-config --from-file=.dockerconfigjson=/dev/stdin

9. Now, I will obtain my account ID.

ibmcloud account show

10. I also need to know the Ingress Subdomain for my cluster.

ibmcloud ks cluster-get <cluster-name>

11. I’m now ready to install IBM Cloud Data Shield. I need to make sure I specify the right options, which are explained below. At the end of the installation process, I need to copy the Enclave Manager URL that is provided in the notes of the output; I will use it later to access the Enclave Manager UI.

helm install iks-charts/ibmcloud-data-shield --set enclaveos-chart.Manager.AdminEmail=<admin-email> --set enclaveos-chart.Manager.AdminName=<admin-name> --set enclaveos-chart.Manager.AdminIBMAccountId=<account-id> --set global.IngressDomain=<ingress-subdomain> --set converter-chart.Converter.DockerConfigSecret=converter-docker-config
  • enclaveos-chart.Manager.AdminEmail: Enclave Manager UI administrator email
  • enclaveos-chart.Manager.AdminName: Enclave Manager UI administrator name
  • enclaveos-chart.Manager.AdminIBMAccountId: Your IBM account ID that you obtained in Step 9
  • global.IngressDomain: The Ingress subdomain for your cluster that you obtained in Step 10
  • converter-chart.Converter.DockerConfigSecret: The secret that you created in Step 8 (converter-docker-config). This secret contains the credentials that the converter uses to pull and push images in the container registry during conversion.

12. I can now verify that the Helm release is listed and that my pods are up and running. This might take a couple of minutes.

helm list
kubectl get pods

13. Now, it’s time to copy the Enclave Manager URL that is returned in the notes of my install output and paste it in a browser. I should be able to log in by using my IAM token, which I can print with:

ibmcloud iam oauth-tokens
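Putting the steps together, here is an added example script (not code from the original post or from IBM) that runs steps 3 through 12 in one go. It assumes steps 1 and 2 are already done, so KUBECONFIG points at the cluster, and that the operator supplies the values through the environment variables it defines; those variable names, the region "us", and the sample key "apikey123" in the usage note are this example's own choices. Beyond the commands on the page, it builds the Step 8 registry secret from a region and API key with a helper that can be run offline, checks that the result actually decodes to an iamapikey credential for the intended region before the secret is created (a wrong region or an empty key otherwise only shows up later as a pull failure during conversion), waits for Tiller and the Data Shield pods instead of polling by eye, and passes the converter secret explicitly.

```sh
#!/bin/sh
# Added example, not the post's or IBM's own code: steps 3-12 above as one
# script (Helm 2 / Tiller, as in the post). Assumes steps 1-2 are done
# (logged in, KUBECONFIG exported). The environment-variable names below are
# this script's own choice.
set -eu

# base64 without line wrapping: openssl as the post uses it, coreutils as fallback.
b64() {
  if command -v openssl >/dev/null 2>&1; then openssl base64 -A; else base64; fi | tr -d '\n'
}
b64_decode() {
  if command -v openssl >/dev/null 2>&1; then openssl base64 -d -A; else base64 -d; fi
}

# Step 8: the docker config JSON the converter uses for <region>.icr.io.
# The user name is literally "iamapikey"; the password is the service ID's API key.
build_converter_dockerconfig() {
  region=$1; apikey=$2
  auth=$(printf '%s' "iamapikey:$apikey" | b64)
  printf '{"auths":{"%s.icr.io":{"auth":"%s"}}}' "$region" "$auth"
}

# Pre-flight check for that JSON: the registry host for the region must be
# present and "auth" must decode to a non-empty iamapikey credential.
# Returns 0 if the config looks right, 1 otherwise.
check_converter_dockerconfig() {
  json=$1; region=$2
  case $json in *"\"$region.icr.io\""*) ;; *) return 1 ;; esac
  encoded=$(printf '%s' "$json" | sed 's/.*"auth":"\([^"]*\)".*/\1/')
  decoded=$(printf '%s' "$encoded" | b64_decode) || decoded=""
  case $decoded in iamapikey:?*) return 0 ;; *) return 1 ;; esac
}

install_data_shield() {
  : "${REGISTRY_REGION:?e.g. us}" "${CONVERTER_APIKEY:?API key from step 8}"
  : "${ADMIN_EMAIL:?}" "${ADMIN_NAME:?}" "${ACCOUNT_ID:?from step 9}" "${INGRESS_DOMAIN:?from step 10}"
  kubectl cluster-info >/dev/null   # steps 1-2 must already be done

  # Step 3 (Helm 2): Tiller with cluster-admin, as in the post. Anything in the
  # cluster that can reach Tiller then has cluster-admin; Helm 3 dropped Tiller.
  kubectl -n kube-system get serviceaccount tiller >/dev/null 2>&1 ||
    kubectl -n kube-system create serviceaccount tiller
  kubectl get clusterrolebinding tiller >/dev/null 2>&1 ||
    kubectl create clusterrolebinding tiller --clusterrole cluster-admin \
      --serviceaccount=kube-system:tiller
  helm init --service-account tiller --upgrade
  kubectl -n kube-system rollout status deployment/tiller-deploy --timeout=120s

  # Steps 4-7
  helm repo update
  helm install --version 0.5.0 stable/cert-manager
  helm repo add iks-charts https://icr.io/helm/iks-charts

  # Step 8, checked before the secret is created
  json=$(build_converter_dockerconfig "$REGISTRY_REGION" "$CONVERTER_APIKEY")
  check_converter_dockerconfig "$json" "$REGISTRY_REGION" ||
    { echo "converter docker config does not look right; aborting" >&2; return 1; }
  printf '%s' "$json" |
    kubectl create secret generic converter-docker-config --from-file=.dockerconfigjson=/dev/stdin

  # Step 11, with the converter secret passed explicitly
  helm install iks-charts/ibmcloud-data-shield \
    --set enclaveos-chart.Manager.AdminEmail="$ADMIN_EMAIL" \
    --set enclaveos-chart.Manager.AdminName="$ADMIN_NAME" \
    --set enclaveos-chart.Manager.AdminIBMAccountId="$ACCOUNT_ID" \
    --set global.IngressDomain="$INGRESS_DOMAIN" \
    --set converter-chart.Converter.DockerConfigSecret=converter-docker-config

  # Step 12: wait for the pods rather than re-running kubectl get pods by hand
  kubectl wait --for=condition=Ready pod --all --timeout=300s
  helm list
}

# Runs only when asked, so the helpers can be sourced and checked on their own:
#   REGISTRY_REGION=us CONVERTER_APIKEY=apikey123 ADMIN_EMAIL=... ADMIN_NAME=... \
#   ACCOUNT_ID=... INGRESS_DOMAIN=... sh install-data-shield.sh install
if [ "${1:-}" = "install" ]; then
  install_data_shield
fi
```

The check function is deliberately strict about the region: a config for us.icr.io is rejected when the operator says the images live in eu, since the converter would otherwise authenticate against the wrong registry and fail only at pull time.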

That’s it. We have installed IBM Cloud Data Shield!

Learn more about IBM Cloud Data Shield.

Keep reading on with the second post in this series: “Converting and Deploying Applications Using IBM Cloud Data Shield.”
