| 主权项 |
1. A resource providing device, comprising:
a storage device; one or more processor devices, coupled to the storage device, configured to perform actions comprising: receiving a request from a customer via a customer device to create (i) a virtual server instance and (ii) a boot volume that is encrypted; and initiating the virtual server instance based at least in part on a pre-defined instance image; and a server configured to execute the virtual server instance configured to perform actions comprising: identifying a security token; associating the security token with metadata received with the request from the customer; publishing the security token to an out-of-band location using an out-of-band communications channel, wherein the out-of-band location is accessible to the customer device to enable the customer device to access the security token from the out-of-band location and transmit the security token to a key server; transmitting a request for authentication to the key server device using an in-band communications channel, wherein the request for authentication includes at least one of (i) the security token or (ii) information derived based on the security token, wherein the key server device authenticates the virtual server instance based at least in part on (i) receiving the request for authentication and (ii) receiving the security token that was published by the virtual server instance to the out-of-band location, and wherein the in-band communications channel is different from the out-of-band communications channel; receiving from the key server device an access key, in response to the key server device authenticating the virtual server instance, wherein the security token and the access key are different; decrypting the encrypted boot volume using the access key; and booting from the encrypted boot volume. |
