Configuring access to KMS by using Thales CipherTrust Manager

Configure Thales CipherTrust Manager to provide secure key management by creating the required KMIP clients and interfaces, and generating the Key Encryption Key (KEK) for storageclass encryption.

Before you begin

  1. Create a KMIP client if one does not exist.

    1. From the user interface, select KMIP > Client Profile > Add Profile.
    2. Add the CipherTrust username to the Common Name field during profile creation.

  2. Go to KMIP > Registration Token > New Registration Token to create a token.

    Copy the token for the next step.

  3. To register the client, go to KMIP > Registered Clients > Add Client.

    1. Specify the Name.
    2. Paste the Registration Token from the previous step, and click Save.
  4. Download the private key and client certificate by clicking Save Private Key and Save Certificate, respectively.

  5. To create a new KMIP interface, go to Admin Settings > Interfaces > Add Interface.

    1. Select KMIP Key Management Interoperability Protocol, and click Next.
    2. Select a free Port.
    3. Select Network Interface to all.
    4. Select Interface Mode as TLS, verify client cert, user name taken from client cert, auth request is optional.

    5. (Optional) Enable hard delete to delete both metadata and material when the key is deleted.

      This option is disabled by default.

    6. Select the CA to use, and click Save.
  6. To get the server CA certificate, click the Action menu (⋮) next to the newly created interface, and click Download Certificate.

Procedure

  1. Go to Keys > Add Key.
  2. Enter Key Name.
  3. Set Algorithm to AES and Size to 256.
  4. Enable Create a key in Pre-Active state, and set the date and time for activation.
  5. Ensure that Encrypt and Decrypt are enabled under Key Usage.
  6. Copy the ID of the newly created key to use as the unique identifier during deployment.