Migrate DSM Source Keys
This section provides instructions to migrate the DSM source keys from CCKM Appliance to the CipherTrust Manager. This section assumes that you have already migrated only the cloud keys to the CipherTrust Manager. Refer to Migrate Cloud Keys Only.
Note
The user who performs the migration becomes the owner of the migrated keys.
Steps
The high-level steps involved are:
The steps above apply to the root domain only. To perform migration on a child domain, refer to Migration from CCKM Appliance to Child Domain.
Generate RSA Key Pair
Creating migration data from CCKM Appliance requires an RSA key pair (public and private) on the CipherTrust Manager. The public key is used to encrypt the data while the private key is used to decrypt the migrated data.
To generate an RSA key pair, run the ksctl keys create
command:
Here,
--name
: Name for RSA key pair.--alg
: Algorithm for the RSA key pair.--size
: Size for the key pair.
Example:
Output:
In the sample output above, "sourceID": "b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1"
is the private key ID. The "targetID": "bd3e3bfa246f470ea6327646b3db359fcb882a6e2a6d4f839c2138569d99e395"
under "links"
is the public key ID.
Create Migration Data
Create the migration data for the DSM key source. Specify --key-source
as dsm
.
Run the command:
Here,
--key-source
: Specifydsm
as the key source.
Example:
Output:
Get the uploadID
After you have initiated the creation of migration data for the DSM key source, get the uploadID
by running the ksctl migrations status
command.
Example:
Output:
Note down the "uploadID"
value, "f915a761-9fa8-449d-a969-122601ef244e"
. It is required when applying the migration data. Now, you need to apply the migration data to CCKM Embedded (refer to Migrate Complete Data).
Apply Migration Data
Note
In a clustered CipherTrust Manager environment, apply the migration data on one node only. Migrated data is automatically replicated to other nodes of the cluster.
To apply the migration data, run the command:
Here,
--id
: uploadID returned in Check Status of uploadID.--private-key-id
: ID of the private key of the RSA key pair. Refer to Generate RSA Key Pair for the private key ID.
Example:
Output:
Check Migration Status
After you have applied the migration data, verify the migration status by running the ksctl migrations status
command.
Example:
Output:
In the sample output above, "overall_status": "Completed"
indicates that migration of DSM source keys from CCKM Appliance to CCKM Embedded is successful.