Preparing to connect to an external KMS server in IBM Storage Fusion Data Foundation
This procedure prepares IBM Storage Fusion Data Foundation for a connection to an external Key Management System (KMS).
Before you begin
- For the external Key Management System (KMS), use either HashiCorp Vault or Thales CipherTrust Manager.
- Install IBM Storage Fusion Data Foundation from the services page and ensure that it is in the Running state.
- For HashiCorp Vault, select a unique path name as the backend path that follows the naming convention. If you change this path name later, the encrypted data becomes inaccessible.
- For Thales CipherTrust Manager, enable the Key Management Interoperability Protocol (KMIP).
- Ensure that your KMS servers use signed certificates.
About this task
This procedure is used in Configuring Data Foundation local storage and Configuring Data Foundation dynamic storage.
IBM Storage Fusion Data Foundation supports cluster-wide encryption (encryption at rest) for all the disks and Multicloud Object Gateway operations in the storage cluster. The keys are stored in a Kubernetes secret or in an external KMS. You can enable cluster-wide encryption before you deploy IBM Storage Fusion Data Foundation. However, you still need to complete some manual steps to configure and connect to the external KMS server.
This procedure provides the manual steps to initialize the encryption configuration with the KMS before you enable encryption. For HashiCorp Vault, you can choose either the token authentication method or the Kubernetes authentication method.
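The prerequisites above (a KMS endpoint reached over TLS with a verifiable certificate, a Vault backend path that is never changed once data is encrypted, one of the two Vault authentication methods, and KMIP enabled on CipherTrust Manager) can be turned into a pre-flight check that runs before encryption is enabled. The following validator is an added example and is not IBM Storage Fusion Data Foundation code: the configuration key names (provider, endpoint, ca_cert, tls_skip_verify, backend_path, auth_method, token_secret_name, kubernetes_role, kmip_enabled, client_cert, client_key), the path naming rule it enforces, the idea of a recorded backend path, and the sample values are all assumptions made for illustration.

```python
"""Pre-flight checks for an external KMS connection before enabling encryption.

Added example, not IBM Storage Fusion Data Foundation or HashiCorp code. The
configuration keys, the path naming rule and the sample values below are
assumptions; the product's own configuration keys are not on the page.
"""
from typing import Dict, List, Optional
from urllib.parse import urlparse

VALID_PROVIDERS = ("vault", "thales")
VAULT_AUTH_METHODS = ("token", "kubernetes")


def validate_kms_config(cfg: Dict[str, object],
                        recorded_backend_path: Optional[str] = None) -> List[str]:
    """Return the problems found in cfg; an empty list means it passes.

    recorded_backend_path is the Vault backend path that was in use when
    encryption was first enabled (assumed to be recorded by the operator).
    Changing that path later makes the encrypted data inaccessible, so a
    mismatch is reported rather than silently accepted.
    """
    problems: List[str] = []
    provider = cfg.get("provider")
    if provider not in VALID_PROVIDERS:
        problems.append(f"provider must be one of {VALID_PROVIDERS}, got {provider!r}")
        return problems  # nothing else can be checked without a known provider

    # The KMS must be reached over TLS and present a certificate we can verify.
    endpoint = str(cfg.get("endpoint", ""))
    url = urlparse(endpoint)
    if url.scheme != "https" or not url.hostname:
        problems.append(f"endpoint must be an https:// URL, got {endpoint!r}")
    if cfg.get("tls_skip_verify", False):
        problems.append("tls_skip_verify must be false: the KMS certificate must be verified")
    if not cfg.get("ca_cert"):
        problems.append("ca_cert (PEM bundle that signs the KMS certificate) is required")

    if provider == "vault":
        path = str(cfg.get("backend_path", ""))
        # Assumed convention: non-empty, no leading, trailing or doubled slashes.
        if not path or path.startswith("/") or path.endswith("/") or "//" in path:
            problems.append(f"backend_path {path!r} does not follow the naming convention")
        if recorded_backend_path is not None and path != recorded_backend_path:
            problems.append(
                f"backend_path changed from {recorded_backend_path!r} to {path!r}: "
                "existing encrypted data would become inaccessible")
        method = cfg.get("auth_method")
        if method not in VAULT_AUTH_METHODS:
            problems.append(f"auth_method must be one of {VAULT_AUTH_METHODS}, got {method!r}")
        elif method == "token" and not cfg.get("token_secret_name"):
            problems.append("token auth needs token_secret_name (Kubernetes secret holding the Vault token)")
        elif method == "kubernetes" and not cfg.get("kubernetes_role"):
            problems.append("kubernetes auth needs kubernetes_role (Vault role bound to the service account)")
    else:  # Thales CipherTrust Manager is reached over KMIP with mutual TLS
        if not cfg.get("kmip_enabled", False):
            problems.append("KMIP must be enabled on CipherTrust Manager")
        if not (cfg.get("client_cert") and cfg.get("client_key")):
            problems.append("KMIP needs client_cert and client_key for mutual TLS")
    return problems


# Constructed sample configurations (placeholder hostnames and PEM content).
GOOD_VAULT = {
    "provider": "vault",
    "endpoint": "https://vault.example.internal:8200",
    "ca_cert": "-----BEGIN CERTIFICATE-----\n...placeholder...\n-----END CERTIFICATE-----",
    "backend_path": "fusion-kv",
    "auth_method": "kubernetes",
    "kubernetes_role": "fusion-df",
}

# Same cluster, but the path was changed, TLS verification dropped, and an
# unsupported authentication method chosen.
BAD_VAULT = dict(GOOD_VAULT, endpoint="http://vault.example.internal:8200",
                 tls_skip_verify=True, backend_path="fusion-kv-new", auth_method="ldap")

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_VAULT), ("bad", BAD_VAULT)):
        print(name, validate_kms_config(cfg, recorded_backend_path="fusion-kv") or "OK")
```

Run the module directly to see the good configuration pass and the bad one fail with four findings; in practice the recorded backend path would come from wherever the operator stored it when encryption was first enabled, so that a later edit of the path is caught before it is applied.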
If errors occur, see IBM Storage Fusion Data Foundation service error scenarios.