Overview
CipherTrust Cloud Key Manager (CCKM) centralizes the management of key life cycle for various cloud services providers. The CCKM complies with data security mandates in cloud storage environments while retaining the custodianship of the encryption keys. Enterprises can back up keys on-premise, destroy keys when no longer needed, and manage the entire life cycle of the cloud keys.
CCKM Components
The CCKM solution comprises the following components:
CCKM GUI on the CipherTrust Manager for administrators and users
At least, one of the supported clouds
A supported trusted key source
A supported Internet browser
The product is delivered as a licensed component of the CipherTrust Manager appliance that can be installed on any one of the supported deployment methods.
Supported Clouds
AWS China
AWS GovCloud
Supported Cloud Services
- AWS Customer Managed CMKs
Supported Key Sources
CCKM uses the CipherTrust Manager as the trusted key source for the encryption keys employed within the supported clouds. CipherTrust Manager supports all clouds that CCKM supports. The CipherTrust Manager stores its own keys and the backup keys from the supported clouds.
Supported Deployment Methods
The CCKM is delivered as part of the CipherTrust Manager appliance. So, CCKM can be automatically deployed with the deployment of the CipherTrust Manager in the following supported environments:
Amazon Web Services
Oracle Cloud
Microsoft Azure
Google Cloud Platform
Private Clouds - VMware vSphere and Microsoft Hyper-V
Physical Appliances
Refer to the CipherTrust Manager Deployment Guide for details.
Supported Internet Browsers
The CCKM supports the following Internet browsers:
Chrome 51.0.2704 (64-bit) or later
Firefox 45.0 or later
Internet Explorer 11 or later
Note
Internet Explorer is not supported for CipherTrust Manager version 2.5 or higher.
CCKM Functionality
The CCKM provides following functionalities for the supported cloud services:
Life cycle management of keys, key versions, and attributes:
View Keys
Update Keys
Upload Keys
Rotate Keys
Delete Keys
Disaster recovery of keys:
Backup Keys
Restore Keys
Hybrid key management of keys:
On-premise keys storage
Management of both keys originating from trusted key sources and cloud-provider-sourced keys
Key synchronization
Compliance Management:
On-premise key storage with up to FIPS 140-2 Level 3 certification (CipherTrust Manager K570 with K7 card, Luna Network HSM, DSM)
Key storage in public or private clouds, inaccessible to cloud services with FIPS 140-2 Level 1 (Luna Network HSM, DSM)
Key visibility reporting (Beta):
Combined Key Activity Reconciliation Report: Track and reconcile key activities between CCKM and a cloud service.
Key Activity Report: Insight into who, what, and when keys were accessed, created, and deleted across PaaS.
Key Aging Report: Insight into who owns the keys and when keys expire.
Key Service Usage Report: Insight into applications consuming the keys across IaaS/PaaS/SaaS.
Cloud Key Manager User Action Report: Insight into aggregated user activities, such as delete or create keys.
User Roles
CCKM has the following users with different responsibilities in administering and using the AWS resources.
CCKM Admins
There is a System Defined Group named "CCKM Admins". Users within the "CCKM Admins" group are CCKM Administrators.
A CCKM Administrator is responsible for creating and managing the following resources:
AWS Accounts
AWS Keys
CCKM Schedules
CCKM Users
There is a System Defined Group named "CCKM Users". CCKM users registered with the CipherTrust Manager are part of this group. Additionally, the CCKM Users need:
The Key Admins permissions to perform the AWS key operations
(Optional) The Audit Admins permissions to view the log messages
Proxy Configuration
If you plan to run the CipherTrust Manager appliance behind a proxy, you must configure the proxy as described in this section.
Prerequisites
Make sure that:
The root access is enabled. Contact Thales Customer Suport to enable the root access.
DNS is already configured on the CipherTrust Manager if you want to use the hostname of the proxy server.
Steps
To configure the proxy:
SSH to the CipherTrust Manager appliance.
Go to
/opt/keysecure/optional-services.Open
docker-compose.citrus.ymlanddocker-compose.cckm.ymlfiles in an editor (for example, the vi editor).Add the following two lines under the
environmentsection in both the files.- https_proxy=172.14.3.4:3128/ - NO_PROXY=localhost,127.0.0.1Note
Make sure that indentation is proper.
For example, the updated content should look similar to the following:
services: citrus: image: 647496772601.dkr.ecr.us-east-1.amazonaws.com/ncryptify/citrus:latest depends_on: - fluentd - pg - doorway restart: unless-stopped environment: - PORT=8080 - YUGOLOG - DEBUG_RESPONSES - ENABLE_DEBUG_METRICS - DATABASE_URL=postgres://postgres:postgres@/kylo?sslmode=disable&host=/var/run/postgresql&search_path=citrus,extensions - DATABASE_MAX_OPEN_CONNS=20 - DATABASE_MAX_IDLE_CONNS=20 - CLERK_URL=http://clerk:8084 - MINERVA_URL=http://minerva:8082 - ENIGMA_URL=http://enigma:8083 - DBMGR_URL=http://dbmgr:9080 - SALLYPORT_URL=http://sallyport:8081 - RANDOM_SOURCE=PIPE - RANDOM_PIPE_NAME=/dev/urandom - TOKEN_PARTITION=ca1a7049-ca97-4473-b611-97a056c42246 - NC_PUB_KEY=SERVICE - DARKSTAR_URL=http://citrus:@darkstar:8080 - PRODUCTS=cckm,cte,data discovery - CLIENT_CREDENTIAL_PARTITION=edf4facc-4ccd-46dd-8aa3-b8538eef26d7 - CLIENT_CREDENTIAL_ID_NAME=clientID - CLIENT_CREDENTIAL_SECRET_NAME=clientSecret - HOST_DAEMON_NTP_URL=/host-daemon/host-daemon.sock - DOORWAY_URL=http://doorway:8080 volumes: - pg_sockets:/var/run/postgresql - ./csprng/rand:/dev/urandom - ./host-daemon:/host-daemon logging: driver: fluentd options: tag: ciSimilarly, you can use the authenticated proxy. For example, add the following lines to the files:
- https_proxy=pxuser:Vormetric123!@ip-172-31-16-234.ap-south-1.compute.internal:3128/ - NO_PROXY=localhost,127.0.0.1Go to
/opt/keysecure.Run
./up.sh.In a different console, monitor the following:
tail -f /opt/keysecure/logs/keysecure.system.log | grep "citrus" tail -f /opt/keysecure/logs/keysecure.system.log | grep "navic"Make sure no errors related to the services are displayed. If any errors are reported, fix them.
Now, you should be able to connect CCKM with the cloud through the proxy.
URLs to Whitelist for Running CipherTrust Manager Behind Proxy
The following URLs must be whitelisted before you run the CipherTrust Manager behind a proxy.
Amazon Web Services
| Service | URL | Purpose |
|---|---|---|
| EC2 | ec2.amazonaws.com | Required to fetch AWS regions. After all the regions are fetched, the service is no longer needed. |
| EC2 | ec2.us-east-1.amazonaws.com | Required to fetch AWS regions. After all the regions are fetched, the service is no longer needed. |
| IAM | iam.amazonaws.com | Manage access to AWS services and resources securely. |
| KMS | kms.<region-name>.amazonaws.com | Communicate with AWS KMS for key management. |
| STS | sts.amazonaws.com | Authenticate AWS users. |
| AWS | aws.amazon.com | Redirects to service URLs. |
AWS GovCloud
| Service | URL | Purpose |
|---|---|---|
| EC2 | ec2.amazonaws.com | Required to fetch AWS regions. After all the regions are fetched, the service is no longer needed. |
| EC2 | ec2.us-gov-east-1.amazonaws.com | Required to fetch AWS regions. After all the regions are fetched, the service is no longer needed. |
| IAM | iam.amazonaws.com | Manage access to AWS services and resources securely. |
| KMS | kms.<region-name>.amazonaws.com | Communicate with AWS KMS for key management. |
| STS | sts.us-gov-east-1.amazonaws.com | Authenticate AWS users. |
AWS China Cloud
| Service | URL | Purpose |
|---|---|---|
| EC2 | ec2.amazonaws.com.cn | Required to fetch AWS regions. After all the regions are fetched, the service is no longer needed. |
| EC2 | ec2.cn-north-1.amazonaws.com.cn | Required to fetch AWS regions. After all the regions are fetched, the service is no longer needed. |
| IAM | iam.amazonaws.com.cn | Manage access to AWS services and resources securely. |
| KMS | kms.<region-name>.amazonaws.com.cn | Communicate with AWS KMS for key management. |
| STS | sts.cn-north-1.amazonaws.com.cn | Authenticate AWS users. |
Connecting CCKM in Amazon Virtual Private Cloud (VPC)
When AWS KMS is in Amazon VPC, CCKM cannot connect with the EC2, KMS, and STS services using public IP addresses. You cannot add AWS connections and AWS keys on the CipherTrust Manager. For successful connection, add the IP addresses of VPC endpoints for these services for your AWS regions to the DNS hosts on the CipherTrust Manager.
For example, you need to add the IP addresses of VPC endpoints of sts.amazonaws.com, ec2.us-east-1.amazonaws.com, and kms.us-east-1.amazonaws.com service URLs to the DNS hosts list.
To add the IP address of a VPC endpoint:
On AWS Console
Create the VPC endpoint for a service.
Copy the DNS name of the service.
Ping the DNS name to find out the associated IP address.
Copy the IP address.
On CipherTrust Manager
Log on to the CipherTrust Manager GUI.
In the left pane, click Admin Settings > DNS Hosts.
Click Add DNS Host.
In the Hostname field, enter the service URL, for example,
sts.amazonaws.com.In the IP Address field, paste the copied IP address.
Click Save.
Similarly, add the DNS host entries for all three services, for all your AWS regions.
