Data-at-rest encryption for the data volumes attached to the HPVS for VPC instance is currently enabled by a Linux Unified Key Setup (LUKS) passphrase derived from two seeds: one from the deployer and one from the workload personas. These are provided during deployment as part of the HPVS for VPC deployment contract.

With the integration of HPVS for VPC with the IBM Cloud Hyper Protect Crypto Services (HPCS) key management service (KMS), encryption protection and data control are enhanced with the option to bring your own key managed by HPCS. The cloud user gains full control of the data volumes because access to the encrypted data, even by the deployed workload itself, is possible only if the corresponding KMS confirms on a regular basis that access is still permitted.

With this additional capability, more complex zero-trust principles can be realized. This integration is achieved through an optional third seed, which is generated by HPCS and stored in a metadata partition of the data volume. This third seed is wrapped with the Customer Root Key (CRK), which always remains within the HPCS hardware security module. The LUKS passphrase for data volume encryption is generated by using these three seeds. Refer to this documentation for more details.
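To make the three-seed flow concrete, the following added example (not IBM's code, and not the actual HPVS derivation, whose exact KDF the page does not specify) combines a deployer seed, a workload seed and an optional third seed into a passphrase with HKDF-SHA256. The third seed is only ever handled in wrapped form, and `StandInKms` is a constructed stand-in for HPCS: its `_crk` models the Customer Root Key that never leaves the HSM, and setting `enabled = False` models the KMS declining to release the seed, after which the passphrase can no longer be derived by anyone, including the workload.

```python
import hashlib
import hmac
import secrets


class StandInKms:
    """Constructed stand-in for HPCS. Real HPCS wraps the seed with the CRK
    inside the HSM using an authenticated key-wrap; the XOR mask here is only
    so the flow runs offline and is NOT a secure wrapping scheme."""

    def __init__(self) -> None:
        self._crk = secrets.token_bytes(32)  # models the CRK; never exported
        self.enabled = True                   # models the key being enabled

    def generate_wrapped_seed(self) -> bytes:
        # The third seed is generated by the KMS and handed out only wrapped.
        return self._wrap(secrets.token_bytes(32))

    def _wrap(self, seed: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        mask = hashlib.sha256(self._crk + nonce).digest()
        return nonce + bytes(a ^ b for a, b in zip(seed, mask))

    def unwrap(self, blob: bytes):
        # Models the regular KMS check: a disabled key releases nothing.
        if not self.enabled:
            return None
        nonce, wrapped = blob[:16], blob[16:]
        mask = hashlib.sha256(self._crk + nonce).digest()
        return bytes(a ^ b for a, b in zip(wrapped, mask))


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    # RFC 5869 extract-then-expand, single output block (length <= 32).
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]


def derive_luks_passphrase(deployer_seed: bytes, workload_seed: bytes,
                           kms: StandInKms, wrapped_seed: bytes = None):
    """Return a hex passphrase from two seeds, or three when a wrapped KMS seed
    is present. Returns None if the KMS refuses to unwrap the third seed."""
    parts = [deployer_seed, workload_seed]
    if wrapped_seed is not None:
        third = kms.unwrap(wrapped_seed)
        if third is None:
            return None          # KMS withheld the seed: volume stays locked
        parts.append(third)
    # Length-prefix each seed so different seed splits cannot collide.
    ikm = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hkdf_sha256(ikm, b"data-volume-salt", b"luks-passphrase").hex()
```

The salt and info labels are constructed values for this example; the point is that without the KMS releasing the third seed, both seeds from the deployment contract are insufficient to reproduce the passphrase.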