Preparing to connect to an external KMS server in Fusion Data Foundation
Procedure to prepare for the connection to an external KMS from Fusion Data Foundation.
Before you begin
- For the external Key Management System (KMS), choose either HashiCorp Vault or Thales CipherTrust Manager.
- You must install Fusion Data Foundation from the Services page of the user interface and ensure that it is in the running state. For the installation procedure, see Data Foundation.
- For HashiCorp Vault, select a unique path name as the backend path that follows the naming convention. If you change this path name later, the data becomes inaccessible.
- For Thales CipherTrust Manager, enable the Key Management Interoperability Protocol (KMIP).
- Ensure that you are using signed certificates on your KMS servers.
About this task
This procedure is used in Configuring Data Foundation local storage and Configuring Data Foundation dynamic storage.
Fusion Data Foundation supports cluster-wide encryption (encryption at rest) for all the disks and Multicloud Object Gateway operations in the storage cluster. The keys are stored either in a Kubernetes secret or in an external KMS. When you store the keys in a Kubernetes secret, no manual steps are needed; you can enable cluster-wide encryption when you deploy Fusion Data Foundation.
This procedure provides the manual steps to initialize the encryption configuration with the KMS before you enable encryption. For HashiCorp Vault, you can choose either the token authentication method or the Kubernetes authentication method.