What is IBM Cloud Data Shield and how can it help you on your move to the cloud?
Welcome to a new blog series on IBM Cloud Data Shield. In this post, I’m going to focus on the installation of the service.
When it comes to protecting your data, encryption is one of the most popular and effective controls. But, after an application starts to run, data that is in use by CPU and memory is vulnerable to various attacks. The attacks might include malicious insiders, root users, credential compromise, OS zero-day, network intruders, and others. Taking that protection one step further, you can use IBM Cloud Data Shield encrypt the data in your container workload while it is in use.
With IBM Cloud Data Shield, your app code and data run in CPU-hardened enclaves. The enclaves are trusted areas of memory on the worker node that protect the critical aspects of your apps. The enclaves help to keep the user-level code and data confidential and prevent modification— even from processes that run at higher privilege levels.
For more information on how IBM Cloud Data Shield can help you to move to the cloud, check out the documentation.
Installing IBM Cloud Data Shield with Helm
Before we get started, we need to make sure we have the following prerequisites:
- An SGX-enabled Kubernetes cluster
- The Kubernetes, Helm, and IBM Cloud CLIs.
For more information or help getting the prerequisites installed, see the docs.
1. First, I’ll log in to my IBM Cloud account.
2. Once I have logged in, I need to gain access to my IBM Cloud Kubernetes Service cluster.
- Get cluster configuration:
- Export environment variables to start using Kubernetes:
3. Since this is my first time installing IBM Cloud Data Shield in a new cluster, I need to create the Helm role binding policy for Tiller.
- Create a service account for Tiller:
- Create the rolebinding policy:
- Initialize Helm:
4. Now, I will to update my Helm repo.
5. After updating my Helm repo, I can now install cert-manager, which is a requirement for IBM Cloud Data Shield to run.
6. I will verify that cert-manager is installed.
7. To install the Data Shield Helm chart, I need to add the iks-charts repository.
8. In order to convert images using Data Shield, I need to set up a converter secret, which should have access to my converter registry.
- Create a service ID and an API key for the container registry:
- Create an IAM service policy:
- Create a converter secret by using the API Key that you created, and set the region from where images will be pushed and pulled during the conversion:
9. Now, I will obtain my account ID.
10. I also need to know the Ingress Subdomain for my cluster.
11. I’m now ready to install IBM Cloud Data Shield. I need to make sure I specify the right options, which are explained below. At the end of the installation process, I need to copy the Enclave Manager URL that is provided in the output, which I will use after to access the Enclave Manager UI.
enclaveos-chart.Manager.AdminEmail: Enclave Manager UI administrator email
enclaveos-chart.Manager.AdminName: Enclave Manager UI administrator name
enclaveos-chart.Manager.AdminIBMAccountId: Your IBM Account ID that you obtained in Step 9
global.IngressDomain: The Ingress subdomain for your cluster that you obtained in Step 10
converter-chart.Converter.DockerConfigSecret: The secret created that you created in Step 8 as converter-docker-config. This secret contains the necessary credentials to access the container registry where you pull and push images during conversion.
12. I can now verify that the Helm chart exists and that my pods are up and running. This might take a couple of minutes.
13. Now, it’s time to copy the Enclave Manager URL that is returned in the notes of my install output and paste it in a browser. I should be able to log in by using your IAM token.
That's it. We have installed IBM Cloud Data Shield!
Learn more about IBM Cloud Data Shield.
Keep reading on with the second post in this series: "Converting and Deploying Applications Using IBM Cloud Data Shield."