Preparing to connect to an external KMS server in Fusion Data Foundation

Procedure to prepare for the connection to an external KMS from Fusion Data Foundation.

Before you begin

  • For external Key Management System (KMS), choose either HashiCorp Vault or Thales CipherTrust Manager.
  • You must install IBM Storage Fusion Data Foundation from the Services page of the user interface and ensure that it is in the Running state.

    For the installation options and their procedures, see Data Foundation.

  • For HashiCorp Vault, select a unique backend path name that follows the naming convention. The encryption keys are stored under that path, so if you change the path name later, the encrypted data becomes inaccessible.
  • For Thales CipherTrust Manager, enable the Key Management Interoperability Protocol (KMIP).
  • Ensure that your KMS servers use CA-signed TLS certificates.

About this task

Fusion Data Foundation supports cluster-wide encryption (encryption at rest) for all the disks and Multicloud Object Gateway operations in the storage cluster. The keys are stored either in a Kubernetes secret or in an external KMS. When the keys are stored in a Kubernetes secret, no manual steps are needed: you can enable cluster-wide encryption when you deploy Fusion Data Foundation.

This procedure covers the manual part: initializing the encryption configuration on the KMS before you enable encryption. For HashiCorp Vault, you can choose either the token authentication method or the Kubernetes authentication method.
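
The following script is an added example of the Vault-side preparation, not part of this page or of the IBM or Red Hat documentation. It creates one KV v2 secrets engine at the chosen backend path, writes a policy confined to that path, and then either mints a token or registers a Kubernetes auth role, matching the two authentication methods named above. The backend path `fdf`, the policy name `fdf`, the role name `fdf-rook-ceph-op`, the namespace `openshift-storage`, the service-account names, the environment variable names and the read on `sys/mounts` (so the operator can detect the KV engine version) are assumptions to adapt to your installation; the naming convention the page refers to is in the linked Data Foundation documentation, and `check_backend_path` only rejects Vault's reserved mount names, a leading slash and whitespace.

```shell
#!/usr/bin/env bash
# Added example, not from the Fusion Data Foundation or Red Hat documentation.
# Prepares a HashiCorp Vault server for Data Foundation cluster-wide encryption:
# one KV v2 engine at a unique path, one policy scoped to that path, and either a
# token or a Kubernetes auth role carrying that policy.
# All names below are assumptions (placeholders); `vault` and `jq` must be on PATH.
set -euo pipefail

BACKEND_PATH="${BACKEND_PATH:-fdf}"           # pick once; changing it later orphans the keys
POLICY_NAME="${POLICY_NAME:-fdf}"
ROLE_NAME="${ROLE_NAME:-fdf-rook-ceph-op}"
STORAGE_NS="${STORAGE_NS:-openshift-storage}"
# Assumed operator service accounts that must be allowed to log in to Vault.
SERVICE_ACCOUNTS="${SERVICE_ACCOUNTS:-rook-ceph-system,rook-ceph-osd,noobaa}"

# Reject an empty path, Vault's reserved mount names, a leading slash or whitespace.
check_backend_path() {
  case "$1" in
    ""|sys|cubbyhole|identity|/*|*[[:space:]]*) return 1 ;;
  esac
  return 0
}

# Least-privilege policy: CRUD on the key namespace only, plus read on sys/mounts
# (assumed to be needed so the operator can detect the KV engine version).
policy_hcl() {
  local path="$1"
  cat <<EOF
path "${path}/*" {
  capabilities = ["create", "update", "delete", "read", "list"]
}
path "sys/mounts" {
  capabilities = ["read"]
}
EOF
}

# Arguments for the Kubernetes auth role, one per line so they can be reviewed.
k8s_role_args() {
  printf '%s\n' \
    "bound_service_account_names=${SERVICE_ACCOUNTS}" \
    "bound_service_account_namespaces=${STORAGE_NS}" \
    "policies=${POLICY_NAME}" \
    "ttl=1440h"
}

prepare_vault() {
  local method="$1"   # token | kubernetes
  : "${VAULT_ADDR:?export VAULT_ADDR=https://vault.example.com:8200 (TLS with a CA-signed cert)}"
  check_backend_path "$BACKEND_PATH" || { echo "bad backend path: $BACKEND_PATH" >&2; return 1; }

  vault secrets enable -path="$BACKEND_PATH" kv-v2
  policy_hcl "$BACKEND_PATH" | vault policy write "$POLICY_NAME" -

  case "$method" in
    token)
      # Token that carries only the policy above; this is the value entered in
      # the Data Foundation KMS connection dialog.
      vault token create -policy="$POLICY_NAME" -format=json | jq -r '.auth.client_token'
      ;;
    kubernetes)
      # Vault validates service-account JWTs against the cluster API, so it needs
      # the API endpoint, the cluster CA and (for an external Vault) a reviewer JWT.
      : "${K8S_HOST:?export K8S_HOST=https://api.<cluster>:6443}"
      vault auth enable kubernetes
      vault write auth/kubernetes/config \
        kubernetes_host="$K8S_HOST" \
        kubernetes_ca_cert=@"${K8S_CA_CERT:-ca.crt}" \
        ${TOKEN_REVIEWER_JWT:+token_reviewer_jwt="$TOKEN_REVIEWER_JWT"}
      # shellcheck disable=SC2046
      vault write "auth/kubernetes/role/${ROLE_NAME}" $(k8s_role_args)
      ;;
    *) echo "usage: $0 apply token|kubernetes" >&2; return 2 ;;
  esac
}

# Only touch Vault when explicitly asked; running without "apply" just defines the functions.
if [ "${1:-}" = "apply" ]; then
  prepare_vault "${2:-token}"
fi
```

Run `./prepare-vault.sh apply token` or `./prepare-vault.sh apply kubernetes` with `VAULT_ADDR` (and a token with policy-write and mount rights) exported. The policy deliberately grants nothing outside `BACKEND_PATH/*`, so a leaked operator token cannot read other tenants' secrets in the same Vault.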

For additional reference, see Red Hat Data Foundation 4.16 Data encryption options.