If you want to deploy your application on an Elastic Compute Service (ECS) instance or in a Container Service for Kubernetes (ACK) cluster, you can use Dedicated KMS to encrypt data during the deployment of the application. This topic describes how to use Dedicated Key Management Service (KMS) to encrypt data when you deploy your application by using an image.

Deploy an application on an ECS instance

In this example, a Linux operating system is used, and a Java application is deployed.

Prerequisites

A dedicated KMS instance is purchased. An application access point (AAP) is created for the dedicated KMS instance. The client key file is downloaded and saved. The certificate authority (CA) certificate of the dedicated KMS instance is obtained. For more information, see Getting started with Dedicated KMS of the Standard edition.
Note By default, the downloaded client key file is named in the ClientKey_******.json format.

Procedure

  1. Purchase the ECS instance from which you want to create a custom image. For more information, see Quick start for Linux instances.
  2. Install the CA certificate of the dedicated KMS instance on the ECS instance.
    Note If you want to deploy a non-Java application, you do not need to import the CA certificate into the Java truststore. You need to only save the CA certificate to the configuration directory that the application specifies.
    1. Split the CA certificate into two files.

      The CA certificate file contains two certificates. Each certificate starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. Save the first certificate as rootca.pem and the second certificate as subca.pem.

      • File 1: rootca.pem
        -----BEGIN CERTIFICATE-----
        <Root CA Certificate BASE64 Content>
        -----END CERTIFICATE-----
      • File 2: subca.pem
        -----BEGIN CERTIFICATE-----
        <Sub CA Certificate BASE64 Content>
        -----END CERTIFICATE-----
    2. Run the following code to install OpenJDK:
      In this example, java-1.8.0-openjdk is installed. You can select a different version of OpenJDK based on your business requirements.
      yum install java-1.8.0-openjdk -y
    3. Import the two files into the $JAVA_HOME/jre/lib/security/cacerts truststore by using keytool commands.
      • Import File 1 rootca.pem
        keytool -importcert -alias PrivateKmsCA_RootCA -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file rootca.pem
      • Import File 2 subca.pem
        keytool -importcert -alias PrivateKmsCA_SubCA -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file subca.pem
    4. Run the following code to check whether the CA certificate is installed:
      import java.net.URL;
      // Replace <service_id> with the ID of your dedicated KMS instance.
      URL serviceUrl = new URL("https://<service_id>.cryptoservice.kms.aliyuncs.com");
      serviceUrl.openConnection().connect();
      Note If no javax.net.ssl.SSLHandshakeException is thrown, the CA certificate is installed.
  3. Upload the client key file to the specified configuration directory of the application, and use an environment variable of the application to configure the password of the AAP.
  4. Create a custom image. For more information, see Create a custom image on the Images page.
    For Instance, select the ECS instance on which the CA certificate is installed. After the custom image is created, you can view it on the Images page.
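The certificate split from Step 2 (the same split is performed in Step 1 of the ACK procedure below), as an added shell script that is not part of the original topic. It assumes the downloaded file holds the root CA certificate followed by the sub CA certificate; the output directory cacerts and the placeholder sample bundle are constructed for a dry run.

```shell
# Added example, not from the original topic: split the CA certificate file
# from the dedicated KMS console into rootca.pem (first certificate) and
# subca.pem (second certificate) and check that the result is a valid chain.
set -eu
# split_ca_bundle BUNDLE OUTDIR
# Writes OUTDIR/rootca.pem and OUTDIR/subca.pem. Fails if the bundle does
# not hold exactly two certificates, so a truncated download is noticed.
split_ca_bundle() {
  bundle="$1"; outdir="$2"
  mkdir -p "$outdir"
  # Copy every line from a BEGIN marker to its END marker (inclusive) into
  # a numbered temporary file, one file per certificate.
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
  ' "$bundle"
  if [ ! -f "$outdir/cert2.pem" ] || [ -f "$outdir/cert3.pem" ]; then
    echo "error: expected exactly two certificates in $bundle" >&2
    rm -f "$outdir"/cert*.pem
    return 1
  fi
  mv "$outdir/cert1.pem" "$outdir/rootca.pem"
  mv "$outdir/cert2.pem" "$outdir/subca.pem"
}

# count_certs FILE: number of PEM certificates in FILE (expect 1 per output).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# verify_chain OUTDIR: confirms that subca.pem is really issued by rootca.pem,
# which catches the two files being swapped. Needs real certificates.
verify_chain() {
  openssl verify -CAfile "$1/rootca.pem" "$1/subca.pem"
}

# Constructed sample bundle with placeholder bodies (a real file carries
# the base64 DER of each certificate); used for a dry run of the split.
write_sample_bundle() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
<Root CA Certificate BASE64 Content>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Sub CA Certificate BASE64 Content>
-----END CERTIFICATE-----
EOF
}
```

On the ECS instance, run split_ca_bundle on the downloaded file, then verify_chain on the output directory before importing the two files with keytool.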

Deploy an application in an ACK cluster

In this example, a CentOS 7.1 operating system is used, and a Java application is deployed.

Prerequisites

  • A dedicated KMS instance is purchased. An AAP is created for the dedicated KMS instance. The client key file is downloaded and saved. The CA certificate of the dedicated KMS instance is obtained. For more information, see Getting started with Dedicated KMS of the Standard edition.
    Note By default, the downloaded client key file is named in the ClientKey_******.json format.
  • ACK is activated and authorized to access other cloud resources. An ACK cluster is created. For more information, see Getting started with ACK using the ACK console.
  • Docker is installed. For more information, see Install Docker.

Procedure

  1. Save the CA certificate in the working directory of the Docker image that you want to create.
    Note If you want to deploy a non-Java application, you do not need to split a CA certificate. You need to only save the CA certificate to the specified configuration directory of the application.
    1. Split the CA certificate into two files.

      The CA certificate file contains two certificates. Each certificate starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. Save the first certificate as rootca.pem and the second certificate as subca.pem.

      • File 1: rootca.pem
        -----BEGIN CERTIFICATE-----
        <Root CA Certificate BASE64 Content>
        -----END CERTIFICATE-----
      • File 2: subca.pem
        -----BEGIN CERTIFICATE-----
        <Sub CA Certificate BASE64 Content>
        -----END CERTIFICATE-----
    2. Create the working directory of the Docker image and create the cacerts subdirectory in the working directory.
    3. Save the files rootca.pem and subca.pem in the cacerts subdirectory.
  2. Create a Dockerfile in the working directory of the Docker image and add the following content to the Dockerfile:
    ## Replace {regionId} with the ID of the region in which the dedicated KMS instance resides. 
    FROM alibaba-cloud-linux-3-registry.{regionId}.cr.aliyuncs.com/alinux3/alinux3
    
    ## If you want to deploy a non-Java application, copy the extracted files of the CA certificate to the specified directory.
    COPY ./cacerts/rootca.pem /etc/dkms/certs/
    COPY ./cacerts/subca.pem /etc/dkms/certs/
    
    ## Copy the client key file to the specified directory.
    COPY ./cacerts/ClientKey_xxxxxxxxxxx.json /etc/dkms/certs/
    
    ## Install findutils (used by find below) and OpenJDK.
    RUN dnf -y update && \
        dnf install findutils -y && \
        dnf clean all && \
        yum install java-1.8.0-openjdk -y && \
        yum clean all
    
    ## Import the CA certificates into the JRE truststore, then remove the PEM files.
    RUN export JRE_HOME=$(find "/usr/lib/jvm" -type d -name "jre") && \
        keytool -importcert -alias PrivateKmsCA_RootCA -keystore $JRE_HOME/lib/security/cacerts -storepass changeit -file /etc/dkms/certs/rootca.pem -noprompt && \
        keytool -importcert -alias PrivateKmsCA_SubCA -keystore $JRE_HOME/lib/security/cacerts -storepass changeit -file /etc/dkms/certs/subca.pem -noprompt && \
        rm -f /etc/dkms/certs/rootca.pem && \
        rm -f /etc/dkms/certs/subca.pem
  3. Run the following code to create a Docker image:
    You can use this image as the base image of your application.
    docker build -t dkmsca:v1 .
  4. In the Container Registry console, create a namespace and an image repository. For more information, see Use Container Registry Enterprise Edition instances to build images.
  5. Run the following code to push the Docker image to the image repository that you created:
    In the following code, the namespace is dkms and the image repository is dkmsca. You can modify the code based on your business requirements.
    docker login --username=xxxxxxx {instanceId}-registry.{regionId}.cr.aliyuncs.com
    docker tag  dkmsca:v1 {instanceId}-registry.{regionId}.cr.aliyuncs.com/dkms/dkmsca:v1
    docker push {instanceId}-registry.{regionId}.cr.aliyuncs.com/dkms/dkmsca:v1
  6. Use a Secret to store the password of the AAP in the ACK cluster. Your application uses the Secret as an environment variable or data volume. For more information, see Configure a pod to use a Secret.
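An added example for the Secret in Step 6, not part of the original topic: it writes the Secret that holds the AAP password, together with a pod spec that reads the password from an environment variable and mounts the client key file from the same Secret, so the client key does not have to be copied into the image layers as the Dockerfile above does. The names dkms-aap, DKMS_AAP_PASSWORD and dkms-app are assumptions; the mount path /etc/dkms/certs is the directory the Dockerfile uses.

```shell
# Added example, not from the original topic: build the Secret for step 6
# and a pod spec that consumes it. Names such as dkms-aap, DKMS_AAP_PASSWORD
# and the /etc/dkms/certs path from the Dockerfile above are assumptions.
set -eu
# write_manifests OUTDIR PASSWORD CLIENT_KEY_FILE
# Secret data values are base64 without line breaks; the AAP password is
# exposed to the app as an environment variable and the client key file as
# a read-only mounted file, so neither has to be baked into the image.
write_manifests() {
  outdir="$1"; password="$2"; keyfile="$3"
  mkdir -p "$outdir"
  pw_b64=$(printf '%s' "$password" | base64 | tr -d '\n')
  key_b64=$(base64 < "$keyfile" | tr -d '\n')
  cat > "$outdir/dkms-secret.yaml" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: dkms-aap
type: Opaque
data:
  aap_password: $pw_b64
  ClientKey.json: $key_b64
EOF
  cat > "$outdir/dkms-pod.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: dkms-app
spec:
  containers:
  - name: app
    image: "{instanceId}-registry.{regionId}.cr.aliyuncs.com/dkms/dkmsca:v1"
    env:
    - name: DKMS_AAP_PASSWORD
      valueFrom:
        secretKeyRef: {name: dkms-aap, key: aap_password}
    volumeMounts:
    - {name: client-key, mountPath: /etc/dkms/certs/ClientKey.json, subPath: ClientKey.json, readOnly: true}
  volumes:
  - name: client-key
    secret: {secretName: dkms-aap, items: [{key: ClientKey.json, path: ClientKey.json}]}
EOF
}

# decode_secret_field FILE KEY: read one data value back (used to check the
# manifest before "kubectl apply -f OUTDIR").
decode_secret_field() {
  sed -n "s/^  $2: //p" "$1" | base64 -d
}
```

Apply both files with kubectl apply -f on the output directory; the application then reads the AAP password from DKMS_AAP_PASSWORD and the client key from /etc/dkms/certs/ClientKey.json.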