Working with IBM Hyper Protect Virtual ServersEdit online System requirements Additional security responsibilities for IBM Hyper Protect Virtual Servers Confidential computing with LinuxONE Downloading the IBM Hyper Protect Virtual Servers bundle Downloading the IBM Hyper Protect Virtual Servers fix pack bundle About the contract Validating the certificates Setting up and configuring IBM Hyper Protect Virtual Servers Attestation Using snapshots for recovering the virtual server instance Logging for IBM Hyper Protect Virtual Servers Encrypting log messages Securing your data Verifying disk encryption status Using a dynamic registry reference Known issues and limitations Troubleshooting System requirementsSoftware, hardware, and system configuration settings that are required for setting up a Hyper Protect Virtual Server offering.Additional security responsibilities for IBM Hyper Protect Virtual ServersLearn about the security related responsibilities that you must observe when you use IBM Hyper Protect Virtual Servers.Confidential computing with LinuxONEConfidential computing is enabled on LinuxONE (s390x processor architecture) by using the IBM Secure Execution for Linux technology. This technology is part of the hardware of IBM z16, IBM z15, IBM LinuxONE Emperor 4, and IBM LinuxONE III systems. With IBM Secure Execution for Linux, you can securely deploy workloads in the cloud. It ensures the integrity and confidentiality of boot images, and server authenticity. Applications are isolated from the operating system, thus providing more privacy and security for the workload.Downloading the IBM Hyper Protect Virtual Servers bundleDownloading the IBM Hyper Protect Virtual Servers fix pack bundleYou can download the IBM Hyper Protect Virtual Servers (HPVS) fix pack from IBM Fix Central.About the contractWhen you create a virtual server instance by using the HPVS image, you must specify a contract as part of the user input (user-data).Crypto PassthroughCrypto resources or domains that are also named as Hardware Security Modules (HSM) can now be available within IBM Secure Execution (SE) guests. To enable crypto domains on the VSI, you must create and associate an association request with the AP queue.Validating the certificatesSetting up and configuring IBM Hyper Protect Virtual ServersAttestationAttestation is a process that starts by default at virtual instance creation, ensures that the virtual server instance image is indeed built by IBM, and that it was not modified. This process also provides information and allows validation of any data that is provided to the instance at the time of deployment.Using snapshots for recovering dataIf your IBM Hyper Protect Virtual Servers fails for any reason, you can create a new instance and attach the data volume that was attached to the failed instance. Ensure that you use the same contract that was used originally to create the instance.Logging for IBM Hyper Protect Virtual ServersTo launch an IBM Hyper Protect Virtual Servers instance, you need to set up logging first by adding the logging configuration in the env section of the contract. The instance reads the configuration and configure logging accordingly. All other services start only after logging is configured. If the logging configuration is incorrect, the instance will not start and an error message will be displayed in the serial console.Encrypting log messagesThis tutorial walks you through how to encrypt log messages that are generated by your container workload in your IBM Hyper Protect Virtual Server instance.Securing your dataThe data volume that you attach to your IBM Hyper Protect Virtual Server instance is protected by a Linux Unified Key Setup (LUKS) encryption passphrase derived from seeds provided during deployment. You can add a higher level of encryption protection and control to your data at rest by using your own key from Hyper Protect Crypto Services.Verifying disk encryption statusBoth the root disk and data disks in the Hyper Protect Virtual Server instance are encrypted with Linux Unified Key Setup (LUKS) Encryption. You can verify the encryption status by checking the messages in the log.Using a dynamic registry referenceThe documentation walks you through how to use a dynamic registry reference in the contract.Known issues and limitationsThis topic lists some of the known issues and limitations of IBM Hyper Protect Virtual Servers.Troubleshooting IBM Hyper Protect Virtual ServersError messagesThe following list shows the error messages from Hyper Protect Virtual Servers.