
IBM Cloud Data Shield

With IBM Cloud Data Shield, powered by Fortanix, you can protect the data in your container workloads that run on Kubernetes Service or OpenShift while that data is in use.

Already have an app that's configured to use Intel SGX? Check out information about using Intel SGX on Kubernetes, OpenShift, or directly with bare metal.

You can be up and running with IBM Cloud Data Shield in just three steps. To get started with the first step, complete the getting started tutorial. If you've already installed IBM Cloud Data Shield on the cluster and you're ready to convert or deploy, skip to Next steps. For more information about IBM Cloud Data Shield and what it means to protect your data in use, see About the service.


Before you begin

Before you get started, ensure that you have the following CLIs and plug-ins downloaded.


Step 1: Prepare the cluster

To work with IBM Cloud Data Shield, you must have an SGX-enabled bare metal cluster. Depending on whether you're working with Kubernetes or OpenShift, the machine type differs. Be sure that you have the correct machine type by reviewing the following table. For help with configuring your Kubernetes Service environment, check out creating Kubernetes clusters or creating OpenShift clusters.

Type of cluster      Available machine types
Kubernetes Service   mb2c.4x32 and ms2c.4x32.1.9tb.ssd (to see these options, filter to the Ubuntu 16 operating system)
OpenShift            mb3c.4x32 and ms3c.4x32.1.9tb.ssd

Your cluster must be using Kubernetes version 1.16 or earlier to install the service.

When you have a running cluster, you can start obtaining the information that you need to install the service. Be sure to save the information that you obtain so that you can use it during installation.

  1. Log in to the IBM Cloud CLI by running the following command and then following the prompts. If you have a federated ID, append the --sso option to the end of the command.

    ibmcloud login

  2. Set the context for the cluster.

    ibmcloud ks cluster config --cluster <cluster_name_or_ID>

  3. If you don't know the email that is associated with the administrator or the account ID, run the following command. Make a note of this information.

    ibmcloud account show

  4. Get the Ingress subdomain for the cluster. Make a note of this information.

    ibmcloud ks cluster get --cluster <cluster_name>


Step 2: Configure credentials

Before you can run applications in an Enclave, your container image must be converted. To prepare your image for conversion, create a service ID and give it permissions to work with the container converter.

Not working with IBM Cloud Container Registry? Learn how to configure credentials for other registries.

  1. Create a service ID for the IBM Cloud Data Shield container converter.

    ibmcloud iam service-id-create data-shield-container-converter -d 'IBM Cloud Data Shield Container Converter'

  2. Create an API key for the container converter.

    ibmcloud iam service-api-key-create 'IBM Cloud Data Shield Container Converter' data-shield-container-converter

  3. Grant the service ID permission to access your container registry.

    ibmcloud iam service-policy-create data-shield-container-converter --roles Reader,Writer --service-name container-registry

  4. Create a Kubernetes secret to be used for future conversions. Replace <region> and <api key>, and then run the following command. If you don't have openssl, you can use any command-line base64 encoder that outputs a single line. Be sure that there are no newlines in the middle or at the end of the encoded string.

    (echo -n '{"auths":{"<region>.icr.io":{"auth":"'; echo -n 'iamapikey:<api key>' | openssl base64 -A; echo '"}}}') | kubectl create secret generic converter-docker-config --from-file=.dockerconfigjson=/dev/stdin
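The following is an added example, not part of the IBM Cloud docs, that builds the same .dockerconfigjson payload as the command above, rejects it if any base64 encoder has wrapped it onto several lines, and emits an equivalent Secret manifest that can be reviewed before it is applied. The region, API key and secret name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the IBM Cloud docs: builds the .dockerconfigjson
# payload for the converter-docker-config secret and checks it for stray
# newlines before anything reaches the cluster. The region, API key and
# secret name used below are constructed placeholders.

# Base64-encode stdin as one line: openssl -A if available, else coreutils.
b64_oneline() {
    if command -v openssl >/dev/null 2>&1; then
        openssl base64 -A
    else
        base64 | tr -d '\n'
    fi
}

# Print the docker config JSON for <region>.icr.io with the iamapikey user.
build_docker_config() {
    region="$1"
    api_key="$2"
    auth=$(printf '%s' "iamapikey:$api_key" | b64_oneline)
    printf '{"auths":{"%s.icr.io":{"auth":"%s"}}}' "$region" "$auth"
}

# Succeed only if the payload contains no newline (a wrapping base64
# encoder is the usual cause, and the converter then fails to log in).
check_single_line() {
    [ "$(printf '%s' "$1" | wc -l | tr -d ' ')" -eq 0 ]
}

# Emit a Secret manifest equivalent to the kubectl command in step 4, so
# the object can be reviewed (kubectl apply --dry-run=client -f -) first.
secret_manifest() {
    name="$1"
    cfg="$2"
    check_single_line "$cfg" || { echo "refusing: payload contains a newline" >&2; return 1; }
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  .dockerconfigjson: %s\n' \
        "$name" "$(printf '%s' "$cfg" | b64_oneline)"
}

# Usage with constructed values (use your region and the key from step 2):
#   cfg=$(build_docker_config us 'EXAMPLE_API_KEY')
#   secret_manifest converter-docker-config "$cfg" | kubectl apply -f -
```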


Step 3: Install Helm and cert manager

To work with IBM Cloud Data Shield, you can use Helm version 2 or 3 to install the service. The following steps explain how to set up Helm if Tiller is not installed with a service account. If you already have Tiller installed, check out the Kubernetes Service docs for more information.


Installing Helm v3

  1. Install version 3 of the Helm CLI.

  2. Add the iks-charts repo to the instance of Helm.

    helm repo add iks-charts https://icr.io/helm/iks-charts


Installing Helm v2

If you're using version 2, you might want to configure Helm to use --tls mode. For help with enabling TLS, check out the Helm repository. If you enable TLS, be sure to append --tls to every Helm command that you run.

  1. Download version 2 of the Helm CLI.

  2. Add the iks-charts repo to the instance of Helm.

    helm repo add iks-charts https://icr.io/helm/iks-charts

  3. Create a Kubernetes service account and cluster role binding for Tiller in the kube-system namespace of the cluster.

    kubectl create serviceaccount tiller -n kube-system

    kubectl create clusterrolebinding tiller --clusterrole=cluster-admin --serviceaccount=kube-system:tiller -n kube-system

  4. Verify that the Tiller service account is created.

    kubectl get serviceaccount -n kube-system tiller

  5. Initialize the Helm CLI and install Tiller in the cluster with the service account that you created.

    helm init --service-account tiller


Installing cert manager

IBM Cloud Data Shield uses the open source cert manager to set up TLS certificates for internal communication between IBM Cloud Data Shield services.

  1. Create the resource in the cluster.

    kubectl apply --validate=false -f https://raw.githubusercontent.com/jetstack/cert-manager/v0.10.1/deploy/manifests/00-crds.yaml

  2. Create the namespace and add a label.

    kubectl create namespace cert-manager

    kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true

  3. Add the jetstack repo.

    helm repo add jetstack https://charts.jetstack.io

  4. Install cert-manager.

    • If you're using Helm v2, run the following command.

      helm repo update && helm install --name cert-manager jetstack/cert-manager --namespace cert-manager --version v0.10.1 --set extraArgs[0]="--enable-certificate-owner-ref=true" --set webhook.enabled=false


Step 4: Install IBM Cloud Data Shield

Now that you've installed the prerequisites and created and configured your secrets, you're ready to install the service. You can use the provided Helm chart to install IBM Cloud Data Shield on your SGX-enabled bare metal cluster.

The Helm chart installs the following components:


Installing with Helm v3

To install IBM Cloud Data Shield by using version 3 of Helm, run the following command.

helm install <chart-name> iks-charts/ibmcloud-data-shield --set enclaveos-chart.Manager.AdminEmail=<admin email> --set enclaveos-chart.Manager.AdminName=<admin name> --set enclaveos-chart.Manager.AdminIBMAccountId=<hex account ID> --set global.IngressDomain=<the cluster's ingress domain> --set converter-chart.Converter.DockerConfigSecret=converter-docker-config

Optional flags that you can append to the install command:

  --set global.OpenShiftEnabled=true
    If you are working with an OpenShift cluster, append this flag to your installation command.

  --set Manager.FailOnGroupOutOfDate=true
    By default, node enrollment and the issuing of application certificates succeed even if your platform microcode is out of date. Append this flag if you want those operations to fail instead. You are alerted in your dashboard when your service code is out of date. Note: It is not possible to change this option on existing clusters.

  --set enclaveos-chart.Ias.Mode=IAS_API_KEY
    Use your own IAS API key. To do so, you must first obtain a linkable subscription for the Intel SGX Attestation Service. Then, create a secret in the cluster by running the following command:
      kubectl create secret generic ias-api-key --from-literal=env=<TEST/PROD> --from-literal=spid=<spid> --from-literal=api-key=<apikey>
    Note: By default, IAS requests are made through a proxy service.

  --set global.ServiceReplicas=<replica-count>
    If you're working with a multi-node cluster, specify the replica count with this flag. Note: The replica count must be less than or equal to the number of nodes that exist in the cluster.

You can verify the installation and monitor the startup of your components by running kubectl get pods.
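As an added example that is not part of the IBM Cloud docs, the following shell functions assemble the Helm v3 install command from the values collected in step 1 and check the two constraints stated above (the account ID must be hex, and the replica count must not exceed the node count) before the command is run. The release name, node count and sample values are constructed, and values are assumed to contain no single quotes.

```shell
#!/bin/sh
# Added example, not IBM's code: assembles the Helm v3 install command from
# the values gathered in step 1 and validates them before anything runs.
# The release name, node count and sample values are constructed; values
# are assumed to contain no single quotes.

# The chart expects the admin account ID in hex form.
is_hex_account_id() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]+$'
}

# The replica count must be at least 1 and no more than the node count.
replicas_fit_cluster() {
    [ "$1" -ge 1 ] && [ "$1" -le "$2" ]
}

# Print the install command. Arguments: release admin_email admin_name
# hex_account_id ingress_domain node_count replicas [openshift=yes|no]
build_install_cmd() {
    release="$1"; email="$2"; name="$3"; acct="$4"; domain="$5"
    nodes="$6"; replicas="$7"; openshift="${8:-no}"
    is_hex_account_id "$acct" || { echo "account ID must be hex: $acct" >&2; return 1; }
    replicas_fit_cluster "$replicas" "$nodes" \
        || { echo "replicas ($replicas) must not exceed nodes ($nodes)" >&2; return 1; }
    cmd="helm install $release iks-charts/ibmcloud-data-shield"
    cmd="$cmd --set 'enclaveos-chart.Manager.AdminEmail=$email'"
    cmd="$cmd --set 'enclaveos-chart.Manager.AdminName=$name'"
    cmd="$cmd --set enclaveos-chart.Manager.AdminIBMAccountId=$acct"
    cmd="$cmd --set global.IngressDomain=$domain"
    cmd="$cmd --set converter-chart.Converter.DockerConfigSecret=converter-docker-config"
    cmd="$cmd --set global.ServiceReplicas=$replicas"
    if [ "$openshift" = yes ]; then
        cmd="$cmd --set global.OpenShiftEnabled=true"
    fi
    printf '%s\n' "$cmd"
}

# Usage with constructed values; review the printed command, then eval it:
#   cmd=$(build_install_cmd data-shield admin@example.com 'Jane Doe' \
#         0123456789abcdef0123456789abcdef <ingress subdomain from step 1> 3 2 no)
#   eval "$cmd"
```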


Installing with Helm v2

To install IBM Cloud Data Shield by using version 2 of Helm, run the following command.

helm install iks-charts/ibmcloud-data-shield --set enclaveos-chart.Manager.AdminEmail=<admin email> --set enclaveos-chart.Manager.AdminName=<admin name> --set enclaveos-chart.Manager.AdminIBMAccountId=<hex account ID> --set global.IngressDomain=<the cluster's ingress domain> --set converter-chart.Converter.DockerConfigSecret=converter-docker-config

The optional flags (--set global.OpenShiftEnabled=true, --set Manager.FailOnGroupOutOfDate=true, --set enclaveos-chart.Ias.Mode=IAS_API_KEY, and --set global.ServiceReplicas=<replica-count>) are the same as for Helm v3; see the descriptions in the Helm v3 section.

You can verify the installation and monitor the startup of your components by running kubectl get pods.


Next steps

Now that the service is installed on the cluster, you can start protecting your data! You can choose to work with the Enclave Manager UI, or you can choose to use the APIs to convert and deploy your applications.

If you don't have your own image to deploy, try deploying one of the prepackaged IBM Cloud Data Shield images or sample apps: