You can enable confidential VMs when installing your cluster. You can enable confidential VMs for compute nodes, control plane nodes, or all nodes.

:FeatureName: Using confidential VMs

include::snippets/technology-preview.adoc[]

//commenting out the second encryption option until https://issues.redhat.com/browse/OCPBUGS-18379 is resolved
////
Confidential VMs can operate in two modes:

* Only encrypting the virtual machine guest state storage, which contains the security state of the virtual machine
* Encrypting the virtual machine guest state storage and the operating system storage

If you encrypt the operating system storage, you can use a platform-managed encryption key or a key you manage.
////

You can use confidential VMs with the following VM sizes:

* DCasv5-series
* DCadsv5-series
* ECasv5-series
* ECadsv5-series

[IMPORTANT]
====
Confidential VMs are currently not supported on 64-bit ARM architectures.
====

.Prerequisites
* You have created an `install-config.yaml` file.

.Procedure

* Use a text editor to edit the `install-config.yaml` file prior to deploying your cluster and add the following stanza:
+
[source,yaml]
----
controlPlane: <1>
platform:
azure:
settings:
securityType: ConfidentialVM <2>
confidentialVM:
uefiSettings:
secureBoot: Enabled <3>
virtualizedTrustedPlatformModule: Enabled <4>
osDisk:
securityProfile:
securityEncryptionType: VMGuestStateOnly <5>
----
<1> Specify `controlPlane.platform.azure` or `compute.platform.azure` to deploy confidential VMs on only control plane or compute nodes respectively. Specify `platform.azure.defaultMachinePlatform` to deploy confidential VMs on all nodes.
<2> Enable confidential VMs.
<3> Enable secure boot. For more information, see the Azure documentation about link:https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#secure-boot[secure boot].
<4> Enable the virtualized Trusted Platform Module. For more information, see the Azure documentation about link:https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/trusted-platform-module-overview[virtualized Trusted Platform Modules].
<5> Specify `VMGuestStateOnly` to encrypt the VM guest state.

// commenting out the second option until https://issues.redhat.com/browse/OCPBUGS-18379 is fixed
////
+
.. To use confidential VMs that encrypt both the VM guest state and the OS disk:
+
[source,yaml]
----
controlPlane:
platform:
azure:
settings:
securityType: ConfidentialVM
confidentialVM:
uefiSettings:
secureBoot: Enabled
virtualizedTrustedPlatformModule: Enabled
osDisk:
securityProfile:
securityEncryptionType: DiskWithVMGuestState <1>
diskEncryptionSet: <2>
resourceGroup: <your-resource-group-name>
name: <your-des-name>
subscriptionId: <subscription-uuid>
----
<1> Enable OS disk and VM guest state encryption.
<2> Specify disk encryption set parameters for user-managed encryption, or omit the `diskEncryptionSet` stanza for platform-managed encryption.
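Review bot: callout <5> (`Specify VMGuestStateOnly to encrypt the VM guest state`) is the only statement of what is actually protected, and with the `DiskWithVMGuestState` variant commented out pending OCPBUGS-18379 the published text never tells the reader that in the one supported mode the OS disk is not covered by the confidential VM encryption. Suggest adding a sentence to callout <5> or to the `[IMPORTANT]` block saying that only the VM guest state is encrypted and that OS disk encryption with a platform-managed or user-managed key is not yet available, so that `securityType: ConfidentialVM` is not read as full-disk protection. A smaller point for when the `////` block is restored: it opens with `.. To use confidential VMs that encrypt both the VM guest state and the OS disk:` (a nested ordered item) while the live procedure above it is a single `*` bullet, so the two will need to be reconciled into one list style.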
You can enable two trusted launch features when installing your cluster on Azure: link:https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#secure-boot[secure boot] and link:https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/trusted-platform-module-overview[virtualized Trusted Platform Modules].

See the Azure documentation about link:https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#virtual-machines-sizes[virtual machine sizes] to learn what sizes of virtual machines support these features.

:FeatureName: Trusted launch

include::snippets/technology-preview.adoc[]

.Prerequisites
* You have created an `install-config.yaml` file.

.Procedure

* Use a text editor to edit the `install-config.yaml` file prior to deploying your cluster and add the following stanza:
+
[source,yaml]
----
controlPlane: <1>
platform:
azure:
settings:
securityType: TrustedLaunch <2>
trustedLaunch:
uefiSettings:
secureBoot: Enabled <3>
virtualizedTrustedPlatformModule: Enabled <4>
----
<1> Specify `controlPlane.platform.azure` or `compute.platform.azure` to enable trusted launch on only control plane or compute nodes respectively. Specify `platform.azure.defaultMachinePlatform` to enable trusted launch on all nodes.
<2> Enable trusted launch features.
<3> Enable secure boot. For more information, see the Azure documentation about link:https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#secure-boot[secure boot].
<4> Enable the virtualized Trusted Platform Module. For more information, see the Azure documentation about link:https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/trusted-platform-module-overview[virtualized Trusted Platform Modules].
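Review bot: the introduction says you can enable two trusted launch features and the example sets both `secureBoot: Enabled` and `virtualizedTrustedPlatformModule: Enabled`, but nothing states whether either key can be set to `Disabled` independently of the other, or whether `securityType: TrustedLaunch` requires both. Suggest listing the accepted values for `secureBoot` and `virtualizedTrustedPlatformModule` and the default when a key is omitted, since secure boot without a vTPM (or the reverse) is a different protection level and the reader has no way to tell which combinations the installer accepts. For consistency with the confidential VMs module, which lists the supported sizes inline and carries a 64-bit ARM restriction in an `[IMPORTANT]` block, consider listing the trusted launch sizes here as well, or adding an equivalent architecture note if one applies.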
|Enables host-level encryption for compute machines. You can enable this encryption alongside user-managed server-side encryption. This feature encrypts temporary, ephemeral, cached, and un-managed disks on the VM host. This parameter is not a prerequisite for user-managed server-side encryption.
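Review bot: the sentences `You can enable this encryption alongside user-managed server-side encryption` and `This parameter is not a prerequisite for user-managed server-side encryption` state the same relationship from two directions; suggest collapsing them into one, for example `This setting is independent of user-managed server-side encryption and can be combined with it.` Also `un-managed disks` should read `unmanaged disks`, matching the term used elsewhere for that disk type.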