1
00:00:00,990 --> 00:00:03,250
I'm ready for more EBS fun.

2
00:00:03,440 --> 00:00:05,960
So let's do it.

3
00:00:05,960 --> 00:00:13,760
You have an encrypted snapshot that was shared with you from another account. Encrypted snapshot shared

4
00:00:13,760 --> 00:00:15,830
with you from another account.

5
00:00:16,160 --> 00:00:18,410
You want to use this snapshot.

6
00:00:18,410 --> 00:00:24,230
So the shared encrypted snapshot to create a new EBS volume under your account would you.

7
00:00:24,230 --> 00:00:26,650
The below statement is that right.

8
00:00:26,810 --> 00:00:27,910
Is that right.

9
00:00:28,070 --> 00:00:31,700
It's not is not the right or it's wrong or it's not relevant.

10
00:00:31,700 --> 00:00:33,770
It is the right next step.

11
00:00:33,800 --> 00:00:40,940
You must do. What is the step that you must do next before you can create EBS volumes from the shared

12
00:00:40,940 --> 00:00:41,930
snapshot.

13
00:00:42,140 --> 00:00:47,390
The snapshot is shared with your account and it is encrypted.

14
00:00:48,690 --> 00:00:54,510
So what's the next step that you can do in order after that step to be able to create EBS volumes

15
00:00:54,510 --> 00:00:55,680
under your account.

16
00:00:56,010 --> 00:01:03,240
A: create an EBS volume from the shared snapshot directly or immediately. B: store the same CMK keys

17
00:01:03,240 --> 00:01:06,780
used to encrypt the original snapshot for future encryption.

18
00:01:06,780 --> 00:01:12,450
C: unencrypt the snapshot, then create the volume from the unencrypted snapshot.

19
00:01:12,930 --> 00:01:16,730
D: first you must create a copy of the shared snapshot.

20
00:01:16,740 --> 00:01:23,150
Then you can create the EBS volume from the copy.

21
00:01:23,810 --> 00:01:28,310
Important information: shared encrypted snapshot from another account.

22
00:01:28,340 --> 00:01:31,780
You want to create an EBS volume and it is a single choice.

23
00:01:31,850 --> 00:01:35,860
OK, so let's look at the choices analysis. A.

24
00:01:36,200 --> 00:01:37,940
So what are we trying to do.

25
00:01:37,940 --> 00:01:46,250
We have a shared encrypted snapshot and we want to make an EBS volume of that snapshot in the new

26
00:01:46,250 --> 00:01:46,760
account.

27
00:01:46,750 --> 00:01:54,510
So the new account owner needs to do that. Create an EBS volume from the shared snapshot directly: wrong.

28
00:01:54,530 --> 00:01:55,840
That is not the next step.

29
00:01:55,860 --> 00:01:58,040
What is the next step you must do.

30
00:01:59,870 --> 00:02:05,250
Store the CMK keys used during a snapshot for future encryption.

31
00:02:06,460 --> 00:02:11,100
Unencrypt the snapshot, then create the volume from the unencrypted snapshot, is wrong.

32
00:02:11,100 --> 00:02:12,560
Because I'm here.

33
00:02:12,560 --> 00:02:14,080
Why am I saying wrong and right.

34
00:02:14,090 --> 00:02:19,070
Because there is there are steps to do that and none of these is the next step.

35
00:02:20,680 --> 00:02:27,940
D, and here is the right one: you must create first, once it is shared, an encrypted snapshot were in

36
00:02:27,940 --> 00:02:29,500
your account with your account.

37
00:02:29,500 --> 00:02:33,490
Then you must create a copy of the shared snapshot in your account.

38
00:02:33,670 --> 00:02:39,680
Then you can create volumes from the copy that you just made. These are the steps.

39
00:02:39,680 --> 00:02:41,000
OK.

40
00:02:42,340 --> 00:02:48,760
So A is incorrect because you must first create your own copy. B is incorrect because you only have

41
00:02:48,790 --> 00:02:52,570
access to the encryption keys does not mean you own them.

42
00:02:52,600 --> 00:03:00,380
C is incorrect because you do not have to unencrypt it first, and D is the correct one. Refresher.

43
00:03:00,700 --> 00:03:08,050
You must first create a copy of the shared snapshot from other accounts, from a shared encrypted, before

44
00:03:08,050 --> 00:03:10,730
you can use it to create or restore EBS volumes.

45
00:03:10,750 --> 00:03:20,140
You can choose to encrypt during the copy process using one of your CMK keys to have full control over it.

46
00:03:20,170 --> 00:03:21,390
Why would you do that.

47
00:03:22,630 --> 00:03:29,700
Remember when we talked about the Keys we said that when you are about to create the first encrypted

48
00:03:29,850 --> 00:03:36,730
snapshot of your EBS volume, what happens? It will create for you exactly that default

49
00:03:36,950 --> 00:03:39,690
CMK key.

50
00:03:40,400 --> 00:03:47,620
And that key will be used to create exactly the first snapshot or the first copy created.

51
00:03:47,630 --> 00:03:49,520
So this one is created with the same key.

52
00:03:49,520 --> 00:03:56,750
Now if you want to create EBS volumes of snapshot, snapshots created from an encrypted volume are encrypted,

53
00:03:57,260 --> 00:04:01,950
volumes created from an encrypted snapshot are also encrypted.

54
00:04:02,180 --> 00:04:11,340
So how can that EBS volume that you're creating from the snapshot be encrypted? Using the same key.

55
00:04:11,460 --> 00:04:13,850
So the same key gets used all the way.

56
00:04:14,070 --> 00:04:22,590
Now let's look at the one that was shared with you so the one that was shared with you was encrypted.

57
00:04:22,620 --> 00:04:23,740
Right.

58
00:04:23,840 --> 00:04:29,370
The snapshot was encrypted so it was created from an encrypted volume.

59
00:04:29,450 --> 00:04:30,410
Right.

60
00:04:30,530 --> 00:04:36,570
And it was encrypted with a non-default CMK key. How do I know?

61
00:04:36,590 --> 00:04:43,430
Because the snapshot, for that to cross account boundaries, for AWS to allow it to be shared from

62
00:04:43,430 --> 00:04:44,840
one account to another.

63
00:04:44,990 --> 00:04:53,350
It must not be encrypted using the default CMK key of the original or the sharing account.

64
00:04:53,540 --> 00:04:55,290
So it is not, it's a non-default

65
00:04:55,410 --> 00:05:01,520
key. That snapshot is created and encrypted using this key, and this snapshot, when it is shared

66
00:05:01,520 --> 00:05:02,070
with you.

67
00:05:02,090 --> 00:05:02,960
Now it does.

68
00:05:02,960 --> 00:05:06,860
It has crossed account A to account B, your account.

69
00:05:07,160 --> 00:05:10,620
So that's the snapshot that you have here.

70
00:05:10,730 --> 00:05:17,330
Why did we dictate as part of the process that they should give you access to that non-default CMK key

71
00:05:17,330 --> 00:05:18,580
for the snapshot.

72
00:05:18,920 --> 00:05:24,740
Because there is no way you can do anything on the snapshot unless if you have access or permissions

73
00:05:24,800 --> 00:05:32,990
on the key that was used to encrypt the snapshot or originally to encrypt the original EBS volume that

74
00:05:32,990 --> 00:05:35,030
created the snapshot.

75
00:05:35,030 --> 00:05:37,270
Now it is highly recommended by AWS.

76
00:05:37,280 --> 00:05:39,500
Because now account A gives you that permission.

77
00:05:39,500 --> 00:05:44,530
What if account A revokes the permission before you do anything with the snapshot?

78
00:05:44,540 --> 00:05:51,590
Or maybe you did not do anything you would just create a copy under your account of the snapshot and

79
00:05:51,590 --> 00:05:54,820
you use this copy to create EBS volumes in your account.

80
00:05:54,830 --> 00:05:56,180
Now what's happening.

81
00:05:56,690 --> 00:06:01,970
How did you copy the encrypted one? Because you had access to the key.

82
00:06:02,030 --> 00:06:06,750
How did you create an EBS volume of that copy, of that encrypted snapshot copy?

83
00:06:06,770 --> 00:06:10,910
Because again the volume would be encrypted using the same key.

84
00:06:10,940 --> 00:06:14,560
So are you noticing something here? That's account A's key.

85
00:06:14,630 --> 00:06:21,040
You are totally dependent on that key and your access privileges that are granted to you temporarily

86
00:06:21,060 --> 00:06:25,400
could be temporarily. Account A can revoke access whenever they want.

87
00:06:25,400 --> 00:06:31,910
So anything you are creating, if I created a snapshot of this EBS volume that I created, again in the

88
00:06:31,910 --> 00:06:32,680
same key.

89
00:06:32,750 --> 00:06:35,890
So all of these are dependent on a key that you don't own.

90
00:06:35,900 --> 00:06:38,680
That's what AWS is always recommending.

91
00:06:38,930 --> 00:06:45,290
If you have an encrypted snapshot shared with you from another account the very first thing you do is

92
00:06:45,290 --> 00:06:51,740
when you are creating the copy, that you re-encrypt it with a different key that you own.

93
00:06:51,740 --> 00:06:52,430
Why.

94
00:06:52,430 --> 00:06:57,520
Because it means this one will be key 2, not key 1 anymore.

95
00:06:57,960 --> 00:07:04,850
If it is with K-2, that means that EBS volume will also be encrypted using key 2, and you own K-2

96
00:07:05,120 --> 00:07:09,620
and that snapshot that you will create of this volume will be also encrypted using K-2.

97
00:07:09,650 --> 00:07:17,240
So you have full control over the copies and volumes and the snapshots encryption if you lose if you

98
00:07:17,240 --> 00:07:19,200
lose now account A's key.

99
00:07:19,220 --> 00:07:26,910
You don't care, OK, because that will only affect the original snapshot that was shared with you, which

100
00:07:26,910 --> 00:07:32,500
you don't need it anymore because you created a copy encrypted encrypted with your your key created

101
00:07:32,720 --> 00:07:34,570
EBS volumes and snapshots.

102
00:07:34,570 --> 00:07:39,640
So now whatever data was shared with you is under your full control.

103
00:07:39,670 --> 00:07:41,020
All right.

104
00:07:41,770 --> 00:07:45,910
Yes, account A shared an encrypted snapshot with us.

105
00:07:46,000 --> 00:07:53,260
Account B, the owner of account B, created a copy of the shared snapshot then created

106
00:07:53,260 --> 00:08:01,190
an EBS volume of that copy, and remember there is no re-encryption anywhere during the copy process

107
00:08:01,190 --> 00:08:01,990
that was mentioned.

108
00:08:01,990 --> 00:08:04,110
So there is no just copy it.

109
00:08:04,160 --> 00:08:06,820
Copy that and create it as well.

110
00:08:07,100 --> 00:08:14,690
Later the owner of account A revoked AWS account B's rights on the CMK key, encryption key, of the originally

111
00:08:14,750 --> 00:08:15,970
shared snapshot.

112
00:08:16,190 --> 00:08:23,410
So if this snapshot that was shared was done with key one, account B used the shared encrypted snapshot

113
00:08:23,530 --> 00:08:28,900
that was encrypted with key one to create a copy and then created the first volume of that copy.

114
00:08:28,900 --> 00:08:34,460
So all that is dependent on exactly K-1.

115
00:08:34,530 --> 00:08:41,080
So now account A has revoked your access, or account B's access, to the key of those shared snapshots.

116
00:08:41,190 --> 00:08:49,230
Would this account B's access to the created EBS volume off of the shared snapshot copy be impacted?

117
00:08:49,260 --> 00:08:56,340
Is there going to be any impact on the encrypted data on account B's newly created volume off of that

118
00:08:56,360 --> 00:09:01,900
snapshot because of that revocation of the key, the access permissions on the key?

119
00:09:02,010 --> 00:09:03,680
Yes or no, and why?

120
00:09:04,170 --> 00:09:10,840
So A says no, since that copy is already created and the volume is under the new account control. Wrong.

121
00:09:11,260 --> 00:09:12,510
No access.

122
00:09:12,540 --> 00:09:17,550
So no, it's not impacted, the access to the shared snapshot will be impacted but not to the volume created.

123
00:09:17,550 --> 00:09:18,350
Wrong.

124
00:09:18,810 --> 00:09:19,170
Yes.

125
00:09:19,170 --> 00:09:26,130
The EBS volume data will be unencrypted since access to the CMK key used to encrypt the shared snapshot is

126
00:09:26,130 --> 00:09:33,480
lost. Wrong. Losing access permissions to a key does not mean the encrypted data gets decrypted or

127
00:09:33,560 --> 00:09:35,350
unencrypted. D.

128
00:09:35,550 --> 00:09:41,640
Yes, the EBS volume access will be denied since the permissions over the CMK key used to encrypt the

129
00:09:41,640 --> 00:09:47,550
shared snapshot is now revoked, which is still the key used to encrypt the created EBS volume.

130
00:09:47,730 --> 00:09:49,970
The correct answer.

131
00:09:50,310 --> 00:09:54,630
So the important information: a copy of the shared snapshot was copied without changing the encryption

132
00:09:54,630 --> 00:10:01,950
key, so it remained encrypted with the account A custom key. EBS volume was created from the copy of the

133
00:10:01,950 --> 00:10:04,670
shared snapshot still with the original key.

134
00:10:04,710 --> 00:10:10,800
So the volume remained encrypted with account A's custom CMK key. AWS account B's access to the

135
00:10:11,070 --> 00:10:16,940
custom CMK key used to encrypt the snapshot was revoked and it's a single choice.

136
00:10:16,950 --> 00:10:20,420
So now we understand the correct answer is D.

137
00:10:21,060 --> 00:10:22,770
And a quick refresher.

138
00:10:23,340 --> 00:10:28,140
So important information when you have an encrypted snapshot shared with you from another account and

139
00:10:28,140 --> 00:10:35,220
you are granted access permissions to the key, you are highly recommended to do what? To re-encrypt it when

140
00:10:35,220 --> 00:10:38,970
you are doing the copy process using a key of your own.

141
00:10:40,400 --> 00:10:47,870
This will protect your access to the snapshot and the created volumes in case that the key used

142
00:10:47,870 --> 00:10:50,850
to encrypt the original shared snapshot is compromised.

143
00:10:51,080 --> 00:10:54,270
Or if you lose your rights on that key.

144
00:10:54,290 --> 00:10:54,840
All right.

145
00:10:55,010 --> 00:10:59,130
So again a break and we come back to more fun.

146
00:10:59,300 --> 00:11:00,170
I'll see you in the next lecture.
