Configuring encryption with Gemalto SafeNet KeySecure key servers

Encryption key servers create and manage encryption keys that are used by the system. In environments with many systems, key servers distribute keys remotely without requiring physical access to the systems.

Gemalto SafeNet KeySecure key servers also support KMIP. They create keys on demand and then share them with the other clustered servers, which provides redundant access. The system supports the following key server configurations:
  • KeySecure key servers use an active-active model, in which multiple key servers provide redundancy. In these configurations, one key server must be specified as the primary key server. The primary key server is the key server that the system uses when you create any new encryption keys; the key is immediately replicated to the other key servers in the cluster. All of the key servers that are defined on the system can be used to retrieve keys. Although it is possible to configure a single key server instance, two key servers are recommended so that keys remain available if one key server experiences an outage.
  • The system supports up to four key servers. If the system accesses multiple key servers, they must all belong to the same cluster of key servers.
For SafeNet KeySecure key servers, ensure that you complete the following tasks before you enable encryption:
  1. Each key server must be configured to allow TLS 1.2 for secure communications.
  2. Ensure that a valid SSL certificate from each KeySecure key server is installed on the system and in use. Either add the server certificate for each KeySecure key server, or add the root CA certificate that was used to sign each server certificate.
  3. If you plan to use a username and password to authenticate the system to these key servers, you must configure user credentials for authentication in the key server management interface. For KeySecure versions 8.10 and later, administrators can configure a username and password to authenticate the system when it connects. Before KeySecure version 8.10, the use of a password is optional. To set up authentication with a username and password between the system and KeySecure key servers, disable global keys on the High Security menu in the SafeNet KeySecure interface. When global keys are disabled, clients cannot create or access keys on the key servers without valid credentials.
  4. Ensure that the system encryption certificate is a trusted entity in the KeySecure key server management interface. You can add the system encryption certificate as a trusted entity in two ways: export the current system encryption certificate and add it to the known certificate authorities (CA) on the Trusted CA List, or create a new certificate signing request to a third-party certificate authority that is already listed on the Trusted CA List. The system encryption certificate might also require a user name, if user names are enabled for key server certificates.
  5. If you currently have encryption that is enabled with USB flash drives, at least one of the USB flash drives must be inserted into the system before key servers can be configured for managing keys.
To enable encryption with a KeySecure key server with the management GUI, complete these steps:
  1. In the management GUI, select Settings > Security > Encryption.
  2. Click Enable Encryption.
  3. On the Welcome page, select Key Servers. Click Next.
    Note: You can also select both Key Servers and USB Flash Drives to configure both methods to manage encryption keys. If either method becomes unavailable, you can use the other method to access encrypted data on your system.
  4. Select Gemalto SafeNet KeySecure for the key server type.
  5. Enter the name, IP address, and port for each key server. If you are configuring multiple key servers, the first key server that you specify is the primary key server.
  6. On the Key Server Credentials page, enter the user name and password that are used to authenticate the system to the key servers.
  7. On the Key Server Certificate page, upload all the necessary key server certificates to the system. The key servers can use a certificate from a trusted third party, a self-signed certificate, or a combination of these certificates. All instances are connected over secure connections with the same key server certificate. Upload either the server certificate for each key server, or the root CA certificate, or a file that contains all CA certificates in that chain. This file does not need to include the key server certificate, only the intermediate and root CA certificates. Any server certificates take priority over any CA certificate that is installed on the system for the key servers. Click Next.
  8. If you are using SafeNet KeySecure servers, the system's self-signed certificate can be exported on the System Encryption Certificate page. Click Export Public Key to download the system's public key certificate. The exported certificate is uploaded to one of the key servers to establish trust, so that the system can communicate with the individual key servers. If a certificate does not exist, select Settings > Security > Secure Communications. On the Secure Communications page, select Update Certificate to create or import a certificate. For more information about certificates, see the topic about certificates that are used for key servers.
  9. Return to the System Encryption Certificate page and select The system’s public key certificate has been transferred to each configured key server.
  10. If you have USB flash drives configured as your encryption method, the Disable USB Encryption page is displayed. If you want to migrate to key servers and disable USB flash drives, select Yes. If you want to keep both encryption methods configured at the same time, click No.
  11. Click Next.
  12. On the Summary page, verify the configuration for the key servers and click Finish.
To enable encryption with a KeySecure key server in the command-line interface, complete the following steps:
  1. Enter the following CLI command to enable encryption on your system:
    chencryption -keyserver enable
  2. Enable the key server type and supply the root certificate authority (CA) certificate if one is required:
    chkeyserverkeysecure -enable -sslcert /tmp/CASigned.crt
  3. Configure the username and password that are used to authenticate the system to the key servers, if they are required:
    chkeyserverkeysecure -username admin -password 'examplepassword'
  4. Decide whether to use a signed certificate from a CA or a self-signed client certificate. To use the existing self-signed certificate and export it to /dumps/certificate.pem, enter the following CLI command:
    svctask chsystemcert -export

    Copy the certificate to the key server and add it as a trusted CA. If you are using a signed certificate, follow the instructions in Requesting and installing a new signed certificate, and sign the certificate with a CA that the key server trusts.

  5. Create the primary key server and specify the key server certificate, if one is required:
    mkkeyserver -ip ip_address -port port -sslcert /tmp/ServerCert.crt -primary
  6. Create up to three more secondary key servers and specify the key server certificate, if one is required:
    mkkeyserver -ip ip_address -port port -sslcert /tmp/ServerCert.crt
  7. Create the encryption key for the system on the key server:
    chencryption -keyserver newkey -key prepare
    This command requests the primary key server to create a new key.
  8. To verify that the system is prepared, enter the following command:
    lsencryption
    Check that the keyserver_rekey parameter has the value prepared. The prepared value indicates that the new key is ready to be committed.
  9. To commit the key, enter the following command:
    chencryption -keyserver newkey -key commit
    This command makes the new key the current key on the system.
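The nine CLI steps above as a scripted run, added here as an example and not taken from the IBM documentation. Every system command goes through one run_cli function (an SSH session to the system's CLI is assumed), the four-server limit is enforced when the key servers are created, and the new key is committed only after lsencryption reports keyserver_rekey prepared. Because the exported system certificate has to be added to the KeySecure Trusted CA List by an administrator before the key servers are created (step 4), the run is split into separate functions around that manual step. The system address, the CLI account, the example hosts and the one-attribute-per-line layout of lsencryption output are assumptions.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): scripted form of the CLI
# procedure above. Assumes the system CLI is reachable over SSH; the address,
# the account and the lsencryption output layout are assumptions.

SYSTEM="${SYSTEM:-cluster.example.net}"     # assumed management address
SYSTEM_USER="${SYSTEM_USER:-superuser}"      # assumed CLI account

# Every system command passes through this function, so the transport can be
# swapped (for example for a dry run) without touching the procedure.
run_cli() {
    ssh -o BatchMode=yes "$SYSTEM_USER@$SYSTEM" "$@"
}

# Value of the keyserver_rekey attribute in lsencryption output
# (assumed layout: one "attribute value" pair per line).
rekey_state() {
    run_cli lsencryption | awk '$1 == "keyserver_rekey" { print $2; exit }'
}

# Steps 1 to 4: enable key-server encryption, set the KeySecure type with the
# root CA certificate, set the credentials, and export the self-signed system
# certificate to /dumps/certificate.pem. Copy that file to the key server and
# add it to the Trusted CA List before calling create_key_servers.
prepare_system() {
    ca_cert="$1"; user="$2"; password="$3"
    run_cli chencryption -keyserver enable &&
    run_cli chkeyserverkeysecure -enable -sslcert "$ca_cert" &&
    run_cli chkeyserverkeysecure -username "$user" -password "$password" &&
    run_cli svctask chsystemcert -export
}

# Steps 5 and 6: the first host:port becomes the primary; at most three
# secondaries follow, all registered with the same key server certificate.
create_key_servers() {
    cert="$1"; primary="$2"; shift 2
    if [ "$#" -gt 3 ]; then
        echo "at most four key servers are supported (1 primary + 3 secondaries)" >&2
        return 1
    fi
    run_cli mkkeyserver -ip "${primary%:*}" -port "${primary#*:}" -sslcert "$cert" -primary || return 1
    for secondary in "$@"; do
        run_cli mkkeyserver -ip "${secondary%:*}" -port "${secondary#*:}" -sslcert "$cert" || return 1
    done
}

# Steps 7 to 9: prepare a key on the primary, verify the rekey state, commit.
# Returns 1 without committing if the state is anything other than prepared,
# so the commit is never issued for a key that was not prepared.
rotate_key() {
    run_cli chencryption -keyserver newkey -key prepare || return 1
    state=$(rekey_state)
    if [ "$state" != "prepared" ]; then
        printf 'keyserver_rekey is "%s", not "prepared"; not committing\n' "$state" >&2
        return 1
    fi
    run_cli chencryption -keyserver newkey -key commit
}

# Usage (assumed hosts and port):
#   prepare_system /tmp/CASigned.crt admin 'examplepassword'
#   ... add /dumps/certificate.pem to the KeySecure Trusted CA List ...
#   create_key_servers /tmp/ServerCert.crt 192.0.2.10:5696 192.0.2.11:5696 && rotate_key
```

Passing the password on the command line, as the documented chkeyserverkeysecure invocation does, leaves it visible in the local process list and shell history for the duration of the call; reading it from a file or a prompt into the variable before calling prepare_system avoids the history entry.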