Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

CCKM Administration

Managing AWS Keys

search

Please Note:

Managing AWS Keys

This section describes how to manage AWS keys on the CCKM.

Adding AWS Keys

This section describes about the different types of keys and how to create/use these keys. The CCKM allows you to:

Creating New Local Keys

To create a new local AWS key:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click AWS.

  3. Click Add Key. The Select Material Origin screen of the Add AWS Key wizard is displayed.

Select Material Origin

  1. Select Create New Local Key. The CipherTrust Manager will create a new key material locally.

  2. Click Next. The Create CipherTrust Key screen is displayed.

** Create CipherTrust Key**

  1. Enter a Key name.

  2. Click Create Key next to the Key name field. A CipherTrust key is created and displayed on the screen. The Enable Key Expiration toggle is displayed.

  3. (Optional) Enable expiration of the key.

    1. Turn on the Enable Key Expiration toggle.

    2. Specify an Expiration Date. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 16, 2020 1:50 PM.

      • To select a specific time, click Time, and select hours and minutes, from the GUI.

  4. Click Next. The Add Labels screen is displayed.

Add Labels

  1. Select the desired AWS Account.

  2. Select an AWS Region for the key.

  3. Enter a user-friendly alias for the key. This helps in uniquely identify a key.

  4. (Optional) Describe the key in a maximum of 250 characters.

  5. Enter Tags. A tag is a label assigned to the key, which consists of a user-defined key and an optional value.

    To add a tag:

    1. Specify a tag name.

    2. Specify the tag value.

    3. Click the + button.

    Similarly, you can add more tags.

  6. Click Save.

The newly created key is displayed in the list of AWS keys.

The origin of the key is EXTERNAL.

Creating AWS Native Keys

  1. Open the Cloud Key Manager application.

  2. In the left pane, click AWS.

  3. Click Add Key. The Select Material Origin screen of the Add AWS Key wizard is displayed.

Select Material Origin

  1. Select Create AWS Native Key. The AWS will create a native key material.

  2. Click Next. The Add Labels screen is displayed.

Add Labels

  1. Select the desired AWS Account.

  2. Select an AWS Region for the key.

  3. Enter a user-friendly alias for the key. This helps in uniquely identify a key.

  4. (Optional) Describe the key in a maximum of 250 characters.

  5. Enter Tags. A tag is a label assigned to the key, which consists of a user-defined key and an optional value.

    To add a tag:

    1. Specify a tag name.

    2. Specify the tag value.

    3. Click the + button.

    Similarly, you can add more tags.

  6. Click Save.

The newly created key is displayed in the list of AWS keys.

The origin of the key is AWS_KMS.

Creating Keys by Using Key Material of Existing Local Key

  1. Open the Cloud Key Manager application.

  2. In the left pane, click AWS.

  3. Click Add Key. The Select Material Origin screen of the Add AWS Key wizard is displayed.

Select Material Origin

  1. Select Use Existing Local Key. The already existing CipherTrust key material will be used.

  2. Click Next. The Select CipherTrust Key screen is displayed.

Select CipherTrust Key

  1. Select an existing CipherTrust key from the Key name drop-down list. The Enable Key Expiration toggle is displayed.

  2. (Optional) Enable expiration of the key.

    1. Turn on the Enable Key Expiration toggle.

    2. Specify an Expiration Date. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 16, 2020 1:50 PM.

      • To select a specific time, click Time, and select hours and minutes, from the GUI.

  3. Click Next. The Add Labels screen is displayed.

Add Labels

  1. Select the desired AWS Account.

  2. Select an AWS Region for the key.

  3. Enter a user-friendly alias for the key. This helps in uniquely identify a key.

  4. (Optional) Describe the key in a maximum of 250 characters.

  5. Enter Tags. A tag is a label assigned to the key, which consists of a user-defined key and an optional value.

    To add a tag:

    1. Specify a tag name.

    2. Specify the tag value.

    3. Click the + button.

    Similarly, you can add more tags.

  6. Click Save.

The newly created key is displayed in the list of AWS keys.

The origin of the key is EXTERNAL.

Creating Keys and Importing Key Material Later

  1. Open the Cloud Key Manager application.

  2. In the left pane, click AWS.

  3. Click Add Key. The Select Material Origin screen of the Add AWS Key wizard is displayed.

Select Material Origin

  1. Select Decide Later. A key is created with state PendingImport. A CipherTrust key material can be imported at a later date.

  2. Click Next.

Add Labels

  1. Select the desired AWS Account.

  2. Select an AWS Region for the key.

  3. Enter a user-friendly alias for the key. This helps in uniquely identify a key.

  4. (Optional) Describe the key in a maximum of 250 characters.

  5. Enter Tags. A tag is a label assigned to the key, which consists of a user-defined key and an optional value.

    To add a tag:

    1. Specify a tag name.

    2. Specify the tag value.

    3. Click the + button.

    Similarly, you can add more tags.

  6. Click Save.

The newly created key is displayed in the list of AWS keys.

The origin of the key is EXTERNAL.

Viewing AWS Keys

To view an AWS key:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed. The AWS Keys page displays following details:

    FieldDescription
    AliasUnique, user-friendly alias of the key. This is useful in searching for specific keys.
    Key IDUnique ID of the CipherTrust Manager key.
    AccountAWS account name.
    CloudName of the cloud. Supported clouds are:
    • aws
    • aws-us-gov
    • aws-cn
    RegionAWS region.
    AlgorithmName of the algorithm. Supported algorithms are:
    • SYMMETRIC_DEFAULT (Default)
    • RSA_2048 (Asymmetric)
    • RSA_3072 (Asymmetric)
    • RSA_4096 (Asymmetric)
    • ECC_NIST_P256 (secp256r1) (Asymmetric)
    • ECC_NIST_P384 (secp384r1) (Asymmetric)
    • ECC_NIST_P521 (secp521r1) (Asymmetric)
    • ECC_SECG_P256K1 (secp256k1) (Asymmetric)
    Key StateState of the key. The state can be:
    • Enabled
    • Disabled
    • Deleted
    • PendingImport
    • PendingDeletion
    • Unavailable
    Creation DateTime when the key is created.
    OriginSource of the key material. The origin of the key can be:
    • AWS_KMS
    • EXTERNAL
    • AWS_CLOUDHSM

Sometimes, you might notice certain keys are displayed as grayed out. This happens when the keys are no longer accessible. For example, when:

  • Any cloud permissions on the keys are changed. The keys are no longer accessible from the AWS connection.

  • Connection is changed in KMS. The new connection does not have permissions to access the keys.

  • When AWS regions are changed or removed. The keys from the configured region are no longer accessible.

Editing AWS Keys

To view or edit an AWS key:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

  3. Click the overflow icon (ellipsis) corresponding to the desired alias and click View/Edit.

  4. Edit or configure the following fields and click Update:

    • Description: Update description of the key.

    • Tags: Add tags to the key.

    • SCHEDULES: Applies rotation schedule to the key.

    • AWS AUTO-ROTATE: Automatically rotates AWS native key every year.

    • Policies: Grant access to external accounts, key administrators, and key users.

Adding/Editing Policies

To add or edit key policy:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

  3. Click the overflow icon (ellipsis) corresponding to the desired alias and click Add/Edit Policies. The Add/Edit Policies screen is displayed. It contains two options to edit policies:

    • Basic: Select this option and grant the desired permissions. The permission can be granted for the following roles:

      The permission can be granted for the following roles:

      RoleDescription
      External AccountsAWS accounts that can use this key.
      Key AdministratorsIAM users who can administer this key.
      Key UsersIAM users who can use this key in cryptographic operations.

    • Raw: Select this option to edit the AWS policy under Raw Policy. Refer to "Using key policies in AWS KMS" in AWS documentation for details.

  4. Click Save.

Disabling Keys

To disable a key:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

  3. Click the overflow icon (ellipsis) corresponding to the desired alias and click Disable.

  4. On the Disable AWS key screen, click Disable Key.

A message Key disabled is displayed on the screen.

Caution

Take care when disabling a key. You cannot use this key in cryptographic operations and it may limit your access to certain resources that use this key.

Enabling Keys

To enable a key:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

  3. Click the overflow icon (ellipsis) corresponding to the desired alias and click Enable.

  4. On the Enable AWS key screen, click Yes, Enable Key.

A message Key enabled is displayed on the screen.

Importing Key Material

You can create a key without key material and can later import the CipherTrust key material to the AWS KMS. As the key material is not created on the AWS KMS, its origin is external.

Note

You can only import AES keys to the AWS KMS.

To import key material:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

  3. Click the overflow icon (ellipsis) corresponding to the desired alias and click Import Material.

  4. Select Key Material Origin. Either select a new CipherTrust key or use an existing CipherTrust key.

Create New Local Key

  1. Enter Key Name.

  2. Select the Key Material Expiration Date from the on-screen calendar.

  3. Click Save.

In this scenario, the CipherTrust creates a new key material and the key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled.

Use Existing Local Key

  1. Select an existing CipherTrust key from the Source Key drop-down list.

  2. Select the Key Material Expiration Date from the on-screen calendar.

  3. Click Save.

In this scenario, the existing CipherTrust key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled.

Deleting Key Material

To delete key material:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

  3. Click the overflow icon (ellipsis) corresponding to the desired alias and click Delete Material.

  4. On the Delete Key Material screen, select I wish to delete key material.

  5. Click Delete Key Material.

A message AWS Key material deleted is displayed on the screen. The key state changes to PendingImport.

Warning

Be extremely careful when deleting a key material from the AWS KMS. Once the key material is deleted, decryption of data cannot be performed using that key material. However, if needed, you can reimport the key material.

Scheduling Key Deletion

Schedule key deletion permanently removes the key from the AWS KMS at the specified time. The AWS KMS enforces a waiting period of 7 to 30 days. You can cancel schedule deletion before the waiting period ends.

To schedule key deletion:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

  3. Click the overflow icon (ellipsis) corresponding to the desired alias and click Schedule Key Deletion.

  4. On the Schedule Key Deletion screen:

    1. Select I wish to delete this key.

    2. Select the Waiting period after which the key will be deleted.

    3. Click Schedule Deletion.

    A message Key scheduled for deletion is displayed on the screen. The key state changes to PendingDeletion.

Warning

Be extremely careful when scheduling key deletion. Once the key is deleted from the AWS KMS, it cannot be restored and the data encrypted with this key will be unrecoverable.

Canceling Scheduled Deletion

To cancel scheduled deletion:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

  3. Click the overflow icon (ellipsis) corresponding to the desired alias and click Cancel Deletion.

A message Scheduled deletion cancelled is displayed on the screen. The key state changes to Disabled. You can enable the key if you want to use this key in the cryptographic operations.

Rotating Keys

Key rotation allows you to create a new cryptographic material for the keys.

To rotate a key:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

  3. Click the overflow icon (ellipsis) corresponding to the desired alias and click Rotate Key.

  4. Select Key Material Origin. You can either create a new local key or use an existing local key.

Key Material Origin: New Local Key

  1. In the Select Key Material Origin section, select Create New Local Key.

  2. Specify a unique New Key Name for the key.

  3. Enter description in the New Key Description field.

  4. Specify a Key Material Expiration Date. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 23, 2020 4:03 AM.

  5. Turn on the Disable Encrypt permission on current key toggle.

  6. Click Rotate Key.

In this scenario, the CipherTrust Manager first creates a key material and then this key material is utilized in rotating the key.

A message Successfully rotate key is displayed on the screen.

Key Material Origin: Existing Local Key

  1. In the Select Key Material Origin section, select Use Existing Local Key.

  2. From the Source key drop-down list, select an existing key.

  3. Enter description in the New Key Description field.

  4. Specify a Key Material Expiration Date. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 23, 2020 4:03 AM.

  5. Turn on the Disable Encrypt permission on current key toggle.

  6. Click Rotate Key.

In this scenario, an already existing CipherTrust Manager's key is used in rotating the key.

A message Successfully rotate key is displayed on the screen.

On this page