How to Install IBM Cloud Data Shield

3 min read

By: Eduardo Rodriguez

What is IBM Cloud Data Shield and how can it help you on your move to the cloud?

Welcome to a new blog series on IBM Cloud Data Shield. In this post, I’m going to focus on the installation of the service.

When it comes to protecting your data, encryption is one of the most popular and effective controls. But, after an application starts to run, data that is in use by CPU and memory is vulnerable to various attacks. The attacks might include malicious insiders, root users, credential compromise, OS zero-day, network intruders, and others. Taking that protection one step further, you can use IBM Cloud Data Shield encrypt the data in your container workload while it is in use.

With IBM Cloud Data Shield, your app code and data run in CPU-hardened enclaves. The enclaves are trusted areas of memory on the worker node that protect the critical aspects of your apps. The enclaves help to keep the user-level code and data confidential and prevent modification— even from processes that run at higher privilege levels.

For more information on how IBM Cloud Data Shield can help you to move to the cloud, check out the documentation.

Installing IBM Cloud Data Shield with Helm

Before we get started, we need to make sure we have the following prerequisites:

  • An SGX-enabled Kubernetes cluster
  • The Kubernetes, Helm, and IBM Cloud CLIs.

For more information or help getting the prerequisites installed, see the docs.

1. First, I’ll log in to my IBM Cloud account.

ibmcloud login
dsp1

2. Once I have logged in, I need to gain access to my IBM Cloud Kubernetes Service cluster.

  • Get cluster configuration:
    ibmcloud ks cluster-config <cluster-name>
    dsp2

  • Export environment variables to start using Kubernetes:
    export KUBECONFIG=<cluster-config-yml-path>
    dsp3

3. Since this is my first time installing IBM Cloud Data Shield in a new cluster, I need to create the Helm role binding policy for Tiller.

  • Create a service account for Tiller:
    kubectl --namespace kube-system create serviceaccount tiller
    dsp4

  • Create the rolebinding policy:
    kubectl create clusterrolebinding tiller --clusterrole cluster-admin --serviceaccount=kube-system:tiller
    dsp5

  • Initialize Helm:
    helm init --service-account tiller –upgrade
    dsp6

4. Now, I will to update my Helm repo.

helm repo update
dsp7

5. After updating my Helm repo, I can now install cert-manager, which is a requirement for IBM Cloud Data Shield to run.

helm install --version 0.5.0 stable/cert-manager
dsp8

6. I will verify that cert-manager is installed.

Helm list
dsp9

7. To install the Data Shield Helm chart, I need to add the iks-charts repository.

helm repo add iks-charts https://icr.io/helm/iks-charts
dsp10

8. In order to convert images using Data Shield, I need to set up a converter secret, which should have access to my converter registry.

  • Create a service ID and an API key for the container registry:
    ibmcloud iam service-id-create data-shield-container-converter -d 'Data Shield Container Converter'
    ibmcloud iam service-api-key-create 'Data Shield Container Converter' data-shield-container-converter
    dsp12

  • Create an IAM service policy:
    ibmcloud iam service-policy-create data-shield-container-converter --roles Reader,Writer --service-name container-registry 
    dsp13

  • Create a converter secret by using the API Key that you created, and set the region from where images will be pushed and pulled during the conversion:
    (echo -n '{"auths":{".icr.io":{"auth":"'; echo -n 'iamapikey:' | openssl base64 -A; echo '"}}}') | kubectl create secret generic converter-docker-config --from-file=.dockerconfigjson=/dev/stdin
    dsp14

9. Now, I will obtain my account ID.

ibmcloud account show
dsp15

10. I also need to know the Ingress Subdomain for my cluster.

ibmcloud ks cluster-get <cluster-name>
dsp17

11. I’m now ready to install IBM Cloud Data Shield. I need to make sure I specify the right options, which are explained below. At the end of the installation process, I need to copy the Enclave Manager URL that is provided in the output, which I will use after to access the Enclave Manager UI.

helm install iks-charts/ibmcloud-data-shield --set enclaveos-chart.Manager.AdminEmail= --set enclaveos-chart.Manager.AdminName= --set enclaveos-chart.Manager.AdminIBMAccountId= --set global.IngressDomain=<your cluster's ingress domain>
  • enclaveos-chart.Manager.AdminEmail: Enclave Manager UI administrator email
  • enclaveos-chart.Manager.AdminName: Enclave Manager UI administrator name
  • enclaveos-chart.Manager.AdminIBMAccountId: Your IBM Account ID that you obtained in Step 9
  • global.IngressDomain: The Ingress subdomain for your cluster that you obtained in Step 10
  • converter-chart.Converter.DockerConfigSecret: The secret created that you created in Step 8 as converter-docker-config. This secret contains the necessary credentials to access the container registry where you pull and push images during conversion.
dsp19

dsp20

12. I can now verify that the Helm chart exists and that my pods are up and running. This might take a couple of minutes.

helm list
kubectl get pods

13. Now, it’s time to copy the Enclave Manager URL that is returned in the notes of my install output and paste it in a browser. I should be able to log in by using your IAM token.

ibmcloud iam oauth-tokens

That's it. We have installed IBM Cloud Data Shield!

Learn more about IBM Cloud Data Shield.

Keep reading on with the second post in this series: "Converting and Deploying Applications Using IBM Cloud Data Shield."

 

 

Be the first to hear about news, product updates, and innovation from IBM Cloud