Creating an AWS type keystore

If your remote key server is Amazon Web Services Key Management Service (AWS-KMS), you can create two types of keystore: “AWS-EAR”, used by the Storage Space Encryption feature, or “AWS-BAR”, used by the Integrated Backup Encryption feature.

The only difference between these credentials is that AWS-EAR also requires access to the AWS Secrets Manager (AWS-SSM), where the IDS Master Encryption Key is stored.

When asked to create an AWS keystore, the following information must be readily available to the operator:
  • AWS Key Id: this is not an encryption key; it is the AWS access key (the equivalent of a username) used to access the AWS infrastructure. You can generate an “AWS Key Id”/“AWS Key Secret” pair in the AWS console (AWS Services -> IAM -> Users -> “User Name” -> Security Credentials -> Access Keys).
  • AWS Key Secret: this is not an encryption key; it is the AWS secret key (the equivalent of a password) used to access the AWS infrastructure. It is generated together with the “AWS Key Id” (AWS Services -> IAM -> Users -> “User Name” -> Security Credentials -> Access Keys).
  • AWS Region: the AWS region. All keys and CMKs are region-bound, so you must provide the region where your keys live (e.g. us-east-1).
  • AWS CMK Id: the id (or name) of the AWS Customer Master Key (Remote Master Encryption Key). This key never leaves the AWS infrastructure; onkstore uses it to generate the master encryption key used by IDS for the Storage Spaces Encryption feature, or the Backup Encryption Keys used by the Integrated Backup Encryption feature.
  • SSM Key Location: needed only for AWS-EAR keystores. This is the hierarchical path where the IDS Master Encryption Key will be stored after onkstore generates it. The MEK is encrypted with the CMK before it is stored here.
To use a JSON file as input for onkstore, create a file with the following structure:

    {
      "Credentials" :
        {
          "Type" : "...",
          "AWS Key Id" : "...",
          "AWS Key Secret" : "...",
          "AWS Region" : "...",
          "AWS CMK Id" : "...",
          "SSM Key Location" : "..."
        }
    }

where the value for "Type" is either "aws-ear" or "aws-bar".
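The input file above holds the AWS Key Secret in clear text, so it deserves the same handling as any other credential file. The following Python script is an added example, not code from onkstore or from this documentation: it writes the template with owner-only (0600) permissions, then checks a filled-in file for the fields each keystore type requires (with "SSM Key Location" required only for aws-ear) and flags a file that is group- or world-readable. The function names, the region-name pattern and the sample values are assumptions of the example.

```python
import json
import os
import re
import stat
import tempfile

# Keystore types accepted by onkstore for an AWS-KMS key server (from the page).
VALID_TYPES = ("aws-ear", "aws-bar")
# Fields every AWS keystore needs; "SSM Key Location" is added for aws-ear only.
COMMON_FIELDS = ("AWS Key Id", "AWS Key Secret", "AWS Region", "AWS CMK Id")
PLACEHOLDER = "..."
# Assumed heuristic for region names such as us-east-1 or ap-southeast-2.
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")


def validate_credentials(doc):
    """Return a list of problems with a parsed input document; [] means it is usable."""
    problems = []
    creds = doc.get("Credentials") if isinstance(doc, dict) else None
    if not isinstance(creds, dict):
        return ['missing top-level "Credentials" object']

    ktype = creds.get("Type")
    if ktype not in VALID_TYPES:
        problems.append('"Type" must be "aws-ear" or "aws-bar", got %r' % (ktype,))

    required = list(COMMON_FIELDS)
    if ktype == "aws-ear":
        # The MEK is written to Secrets Manager only for the EAR keystore.
        required.append("SSM Key Location")
    for field in required:
        value = creds.get(field)
        if not isinstance(value, str) or value.strip() in ("", PLACEHOLDER):
            problems.append('"%s" is missing or still set to the "%s" placeholder'
                            % (field, PLACEHOLDER))

    region = creds.get("AWS Region")
    if (isinstance(region, str) and region.strip() not in ("", PLACEHOLDER)
            and not REGION_RE.match(region)):
        problems.append('"AWS Region" %r does not look like an AWS region name' % (region,))
    return problems


def write_template(path, ktype):
    """Create the template from the page with owner-only (0600) permissions."""
    if ktype not in VALID_TYPES:
        raise ValueError("unknown keystore type: %r" % (ktype,))
    creds = {"Type": ktype}
    for field in COMMON_FIELDS:
        creds[field] = PLACEHOLDER
    if ktype == "aws-ear":
        creds["SSM Key Location"] = PLACEHOLDER
    # os.open with an explicit mode avoids a window where the file is world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({"Credentials": creds}, fh, indent=2)
        fh.write("\n")


def load_and_validate(path):
    """Check file permissions, parse the JSON and validate its contents."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("%s is readable by group/other (mode %04o); "
                        "it holds the AWS Key Secret, so use 0600" % (path, mode))
    with open(path) as fh:
        try:
            doc = json.load(fh)
        except ValueError as exc:
            return problems + ["not valid JSON: %s" % exc]
    return problems + validate_credentials(doc)


def self_check():
    """Run the whole flow in a scratch directory and return the observed results."""
    # Constructed sample values, not real AWS credentials.
    filled = {"Credentials": {
        "Type": "aws-ear",
        "AWS Key Id": "EXAMPLE-ACCESS-KEY-ID",
        "AWS Key Secret": "EXAMPLE-SECRET",
        "AWS Region": "us-east-1",
        "AWS CMK Id": "alias/ids-master-key",
        "SSM Key Location": "/ids/prod/mek",
    }}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "aws-ear.json")
        write_template(path, "aws-ear")
        template_problems = load_and_validate(path)   # placeholders still present
        with open(path, "w") as fh:                   # rewrite in place; 0600 is kept
            json.dump(filled, fh)
        filled_problems = load_and_validate(path)
        os.chmod(path, 0o644)                         # simulate a careless copy
        loose_problems = load_and_validate(path)
    return {"template_problems": template_problems,
            "filled_problems": filled_problems,
            "loose_problems": loose_problems}


if __name__ == "__main__":
    for name, found in self_check().items():
        print(name, found)
```

Run the script as a pre-flight check before handing the file to onkstore: an empty problem list for the filled-in file means the fields the keystore type needs are present and the file is not exposed to other users on the host. Note that it validates shape only; whether the access key can actually use the CMK is something only AWS can answer.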