Managing AWS Keys

This section describes how to manage AWS keys on CipherTrust Cloud Key Manager (CCKM). Before proceeding, you must have an AWS account added to the CCKM. Refer to Managing AWS Accounts for details.

Source Types

For adding AWS keys, CCKM supports the following key material sources:

• Native: Create AWS key material directly with native AWS application. Refer to Creating Native Key Material for details.

• External (BYOK): External (Bring Your Own Key). Add key material by creating or uploading new source key from an external source. Refer to Adding Key Material Using External (BYOK) Source for details. You can select CipherTrust Manager (External), CipherTrust Manager (Local), or Vormetric Data Security Manager (DSM) as an external key source, or Decide Later.

• CloudHSM Key Store: Create a CloudHSM key from CCKM using key material from AWS CloudHSM, which is the key source.

• External Custom Key Store (HYOK): External Custom Key Store (Hold Your Own Key). Add an HYOK key tied to key material stored in a Luna HSM or a CipherTrust Manager depending on which key source you are using. AWS Key Management Services (KMS) communicates to CCKM, which uses the AWS HYOK key as an intermediary to the source key stored in a Luna HSM or CipherTrust Manager. Depending on which key source you are using, Luna or CipherTrust Manager executes the cryptographic operations. You can rotate the HYOK key, which associates a new key in the Luna HSM or associates a new version to the CipherTrust Manager key.

  Note

  CCKM doesn't support FM-enabled Luna HSM as a key source.

  There are different operations available for HYOK keys than for other key types. You can perform the following HYOK key operations:

  • Create an HYOK key

  • Linking HYOK keys

  • View HYOK key details

  • Apply a Key Rotation Schedule

  • Adding/Editing Policies

  • Enable and disable

  • Manually delete an Unlinked HYOK key

  • Scheduling Key Deletion

  • Manually rotate an HYOK Key

  • Block or unblock an HYOK key

Regionality

When creating an AWS Native key or External (BYOK) key, you can specify whether the key is a single-region key or a multi-region key.

• Single-Region Key: A single-region key cannot be replicated in other AWS regions.

• Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.

  Note

  After a key is created, its regionality cannot be changed.

Creating Native Key Material

To create AWS key material directly with native AWS application:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS.

3. Click Add Key. The Key Material Origin screen of the Add AWS Key wizard is displayed.

Key Material Origin

1. Select the desired AWS Account from the drop-down list.

2. Select the desired Region from the drop-down list. The list shows the regions in which the selected AWS account is available.

3. Select Native as the Origin Type.

4. Select Regionality. The options are:

   • Single-Region Key: A single-region key cannot be replicated in other AWS regions.

   • Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.

     Note

     After a key is created, its regionality cannot be changed.

5. Click Next. The Destination (AWS) Key screen is displayed.

Destination (AWS) Key

1. Under Select Key Type, select the desired key type. The options are:

   • Symmetric: One key does encryption and decryption.

   • Asymmetric: A key pair does encryption and decryption.

2. Under Select Key Usage, select the key usage:

   • Encrypt and Decrypt:

     • For symmetric keys, the key is used only to encrypt and decrypt the data.

     • For asymmetric keys, the public key is used to encrypt while the private key is used to decrypt.

   • (Symmetric keys only) Generate and Verify MAC: The key is used only to generate and verify hash-based message authentication codes (HMACs).

   • (Asymmetric keys only) Sign and Verify: In this key pair, the public key is used to sign while the private key is used to verify.

3. Enter a user-friendly Alias for the key. This helps uniquely identify a key.

4. (Optional) Provide a brief Description of the key.

5. Select the desired Key Algorithm from the drop-down list.

   Note

   The Algorithm field is not displayed for symmetric keys when their Key Usage is selected as Encrypt and Decrypt.

6. (Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.

   To add a tag:

   1. Specify a tag name.

   2. Specify the tag value.

      CCKM allows the following characters in tag values:

      • Alphanumeric characters

      • Special characters ** _ . / = + - @ **

   3. Click the + button.

   Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

7. Click Next. The Key Policy screen is displayed.

On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.

Key Policy

Specify a policy for the key. You can create a new policy, select a saved policy, and build from template.

Click the desired tab to view the instructions.

The Add to Schedule screen is displayed.

Add to Schedule

1. From the Rotation drop-down list, select a schedule to apply.

2. Specify whether to Disable Encrypt Permissions on Current Key. By default, the encrypt permissions are disabled on the current key. To enable permissions, clear the check box.

3. Select the Key Origin from the available options. The key origin can be:

   • CipherTrust: CipherTrust Manager.

   • Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.

   • DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.

4. Click Next.

The Review and Add Key screen is displayed.

Review And Add Key

This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, KEY POLICY, NATIVE KEY, and KEY SCHEDULES sections. For a multi-region key, the NATIVE KEY section shows Multi-Region Key as the Regionality.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

1. Review the key details displayed on the screen.

   If details are incorrect or you want to make any changes, click Edit next to the MATERIAL ORIGIN, KEY POLICY, NATIVE KEY sections, and KEY SCHEDULES, and update details. Alternatively, click Back and make changes, as appropriate.

2. Click Add Key.

   The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.

   When the status next to the NATIVE KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.

3. Click OK. The Add AWS Key wizard is closed.

The newly created key is displayed in the list of AWS keys.

Adding Key Material Using External (BYOK) Source

To add key material using external BYOK as a key source:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS.

3. Click Add Key. The Key Material Origin screen of the Add AWS Key wizard is displayed.

Key Material Origin

1. Select the desired AWS Account from the drop-down list.

2. Select the desired Region from the drop-down list. The list shows the regions in which the selected AWS account is available.

3. Select External (BYOK) as Origin Type.

4. Select the Source. The options are:

   • CipherTrust (External): Add key by creating or uploading an external CipherTrust key as the source key. Refer to Adding Key Using External CipherTrust as External (BYOK) Source for details.

   • CipherTrust (Local): Add key by creating or uploading a CipherTrust key as the source key. Refer to Adding Key Using Local CipherTrust as External (BYOK) Source for details.

   • Vormetric DSM: Add key by creating or uploading a Vormetric DSM key as the source key. Refer to Adding Key Using Vormetric DSM as External (BYOK) Source for details.

   • Luna HSM: Add key by creating or uploading a Luna HSM key as the source key. Refer to Adding Key Using Luna HSM as External (BYOK) Source for details.

     Note

     CCKM doesn't support FM-enabled Luna HSM as a key source.

   • Decide Later: Add key now, but decide the key source later. Refer to Deciding Key Material Later for details.

Adding Key Using External CipherTrust as External (BYOK) Source

To add a key by creating or uploading an external CipherTrust key as the source key:

Key Material Origin

1. Select CipherTrust (External) as the Source.

2. Select Regionality. The options are:

   • Single-Region Key: A single-region key cannot be replicated in other AWS regions.

   • Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.

     Note

     After a key is created, its regionality cannot be changed.

3. Click Next. The Source Key screen is displayed.

Configure CipherTrust (External) Key

1. Select the Source Key Material. This specifies how to create the key. The options are:

   • Create New Key: Click to create a fresh key.

     1. Select Domain for the key. The drop-down list shows the domains of the external CipherTrust Manager linked with the configured connection.

     2. Enter a Key Name.

   • Copy Existing Key: Click to create a new key by copying an existing key.

     1. Select Domain for the key. The drop-down list shows the domains of the external CipherTrust Manager linked with the configured connection.

     2. Select a Key Name.

2. Click Next. The Destination (AWS) Key screen is displayed.

Destination (AWS) Key

1. Enter a user-friendly Alias for the key. This helps uniquely identify a key.

2. (Optional) Provide a brief Description of the key.

3. (Optional) Set the key expiration date.

   1. Select the Set Expiration Date check box.

   2. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 16, 2020 1:50 PM.

      To select a specific time, click Time, and select hours and minutes, from the GUI.

   3. (Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.

      To add a tag:

      1. Specify a tag name.

      2. Specify the tag value.

         CCKM allows the following characters in tag values:

         • Alphanumeric characters

         • Special characters ** _ . / = + - @ **

      3. Click the + button.

      Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

4. Click Next. The Key Policy screen is displayed.

On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.

Key Policy

Specify a policy for the key. You can create a new policy or select an existing policy.

Click the desired tab to view the instructions.

The Add to Schedule screen is displayed.

Add to Schedule

1. From the Rotation drop-down list, select a schedule to apply.

2. Specify whether to Disable Encrypt Permissions on Current Key. By default, the encrypt permissions are disabled on the current key. To enable permissions, clear the check box.

1. Select the Key Origin from the available options. The key origin can be:

   • CipherTrust: CipherTrust Manager.

   • Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.

   • DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.

2. Click Next.

The Review and Add Key screen is displayed.

Review And Add Key

This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

1. Review the key details displayed on the screen.

   If details are incorrect or you want to make any changes, click Edit next to the KEY MATERIAL ORIGIN, SOURCE KEY, DESTINATION KEY, KEY POLICY and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.

2. Click Add Key.

   The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.

   When the status next to the KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections becomes Complete and the Key ID links are displayed, the key is created successfully.

3. Click OK. The Add AWS Key wizard is closed.

The newly created key is displayed in the list of AWS keys.

Adding Key Using Local CipherTrust as External (BYOK) Source

To add a key by creating or uploading a CipherTrust key as the source key:

Key Material Origin

1. Select CipherTrust (Local) as the Source.

2. Select Regionality. The options are:

   • Single-Region Key: A single-region key cannot be replicated in other AWS regions.

   • Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.

     Note

     After a key is created, its regionality cannot be changed.

3. Click Next. The Configure CipherTrust (Local) Key screen is displayed.

Configure CipherTrust (Local) Key

1. Select the Source Key Material. This specifies how to create the key. The options are:

   • Create New Key: Click to create a fresh key. Specify the Key Name for the new key.

   • Copy Existing Key: Click to create a new key by copying an existing key. Select the existing Key from the drop-down list.

2. Click Next. The Destination (AWS) Key screen is displayed.

Destination (AWS) Key

1. Enter a user-friendly Alias for the key. This helps uniquely identify a key.

2. (Optional) Provide a brief Description of the key.

3. (Optional) Set the key expiration date.

   1. Select the Set Expiration Date check box.

   2. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 16, 2020 1:50 PM.

      To select a specific time, click Time, and select hours and minutes, from the GUI.

   3. (Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.

      To add a tag:

      1. Specify a tag name.

      2. Specify the tag value.

         CCKM allows the following characters in tag values:

         • Alphanumeric characters

         • Special characters ** _ . / = + - @ **

      3. Click the + button.

      Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

4. Click Next. The Key Policy screen is displayed.

On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.

Key Policy

Specify a policy for the key. You can create a new policy or select an existing policy.

Click the desired tab to view the instructions.

The Add to Schedule screen is displayed.

Add to Schedule

1. From the Rotation drop-down list, select a schedule to apply.

2. Specify whether to Disable Encrypt Permissions on Current Key. By default, the encrypt permissions are disabled on the current key. To enable permissions, clear the check box.

3. Select the Key Origin from the available options. The key origin can be:

   • CipherTrust: CipherTrust Manager.

   • Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.

   • DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.

4. Click Next.

The Review and Add Key screen is displayed.

Review And Add Key

This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

1. Review the key details displayed on the screen.

   If details are incorrect or you want to make any changes, click Edit next to the KEY MATERIAL ORIGIN, SOURCE KEY, DESTINATION KEY, KEY POLICY and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.

2. Click Add Key.

   The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.

   When the status next to the KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections becomes Complete and the Key ID links are displayed, the key is created successfully.

3. Click OK. The Add AWS Key wizard is closed.

The newly created key is displayed in the list of AWS keys.

Adding Key Using Vormetric DSM as External (BYOK) Source

To add a key by creating or uploading a Vormetric DSM key as the source key:

Key Material Origin

1. Select Vormetric DSM as the Source.

2. Select Regionality. The options are:

   • Single-Region Key: A single-region key cannot be replicated in other AWS regions.

   • Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.

     Note

     After a key is created, its regionality cannot be changed.

3. Click Next. The Source Key screen is displayed.

Source Key

1. Select the Source Key Material. This specifies how to create the key. The options are:

   • Create New Key

     1. Click to create a fresh key.

     2. Specify the DSM Key Name for the new key.

     3. Select the desired DSM Domain for the key. This drop-down list shows the DSM domains based on the DSM connection added to the CipherTrust Manager.

   • Copy Existing Key

     1. Click to create a new key by copying an existing DSM key.

     2. Select the existing DSM Key from the drop-down list. This field shows the available keys based on the DSM connection added to the CipherTrust Manager.

2. Click Next. The Destination (AWS) Key screen is displayed.

Destination (AWS) Key

1. Enter a user-friendly Alias for the key. This helps uniquely identify a key.

2. (Optional) Provide a brief Description of the key.

3. (Optional) Set the key expiration date.

   1. Select the Set Expiration Date check box.

   2. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 16, 2020 1:50 PM.

      To select a specific time, click Time, and select hours and minutes, from the GUI.

   3. (Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.

      To add a tag:

      1. Specify a tag name.

      2. Specify the tag value.

         CCKM allows the following characters in tag values:

         • Alphanumeric characters

         • Special characters ** _ . / = + - @ **

      3. Click the + button.

      Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

4. Click Next. The Key Policy screen is displayed.

On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.

Key Policy

Specify a policy for the key. You can create a new policy or select an existing policy.

Click the desired tab to view the instructions.

The Add to Schedule screen is displayed.

Add to Schedule

1. From the Rotation drop-down list, select a schedule to apply.

2. Specify whether to Disable Encrypt Permissions on Current Key. By default, the encrypt permissions are disabled on the current key. To enable permissions, clear the check box.

1. Select the Key Origin from the available options. The key origin can be:

   • CipherTrust: CipherTrust Manager.

   • Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.

   • DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.

2. Click Next.

The Review and Add Key screen is displayed.

Review And Add Key

This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, KEY POLICY, SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

1. Review the key details displayed on the screen.

   If details are incorrect or you want to make any changes, click Edit next to the KEY MATERIAL ORIGIN, KEY POLICY, SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.

2. Click Add Key.

   The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.

   When the status next to the KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections becomes Complete and the Key ID links are displayed, the key is created successfully.

3. Click OK. The Add AWS Key wizard is closed.

The newly created key is displayed in the list of AWS keys.

Adding Key Using Luna HSM as External (BYOK) Source

To add a key by creating or uploading a Luna HSM key as the source key:

Key Material Origin

1. Select Luna HSM as the Source.

2. Select Regionality. The options are:

   • Single-Region Key: A single-region key cannot be replicated in other AWS regions.

   • Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.

     Note

     After a key is created, its regionality cannot be changed.

3. Click Next. The Source Key screen is displayed.

Source Key

1. Select the Source Key Material. This specifies how to create the key. The options are:

   • Create New Key

     1. Click to create a fresh key.

     2. Specify the Key Name for the new Luna HSM key.

     3. Select the desired Partition ID for the key. This drop-down list shows the Luna HSM partitions based on the Luna HSM connection added to the CipherTrust Manager.

     4. Select the desired Key Attributes.

   • Copy Existing Key

     1. Click to create a new key by copying an existing Luna HSM key.

     2. Select the existing Key from the drop-down list. This field shows the available keys based on the Luna HSM connection added to the CipherTrust Manager.

2. Click Next. The Destination (AWS) Key screen is displayed.

Destination (AWS) Key

1. Enter a user-friendly Alias for the key. This helps uniquely identify a key.

2. (Optional) Provide a brief Description of the key.

3. (Optional) Set the key expiration date.

   1. Select the Set Expiration Date check box.

   2. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 16, 2020 1:50 PM.

      To select a specific time, click Time, and select hours and minutes, from the GUI.

   3. (Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.

      To add a tag:

      1. Specify a tag name.

      2. Specify the tag value.

         CCKM allows the following characters in tag values:

         • Alphanumeric characters

         • Special characters ** _ . / = + - @ **

      3. Click the + button.

      Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

4. Click Next. The Key Policy screen is displayed.

On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.

Key Policy

Specify a policy for the key. You can create a new policy or select an existing policy.

Click the desired tab to view the instructions.

The Add to Schedule screen is displayed.

Add to Schedule

1. From the Rotation drop-down list, select a schedule to apply.

2. Specify whether to Disable Encrypt Permissions on Current Key. By default, the encrypt permissions are disabled on the current key. To enable permissions, clear the check box.

1. Select the Key Origin from the available options. The key origin can be:

   • CipherTrust: CipherTrust Manager.

   • Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.

   • DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.

2. Click Next.

The Review and Add Key screen is displayed.

Review And Add Key

This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

1. Review the key details displayed on the screen.

   If details are incorrect or you want to make any changes, click Edit next to the KEY MATERIAL ORIGIN, KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.

2. Click Add Key.

   The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.

   When the status next to the KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections becomes Complete and the Key ID links are displayed, the key is created successfully.

3. Click OK. The Add AWS Key wizard is closed.

The newly created key is displayed in the list of AWS keys.

Deciding Key Material Later

Add key now, but decide the key source later.

To add a new key without deciding the key material source:

Key Material Origin

1. Select Decide Later as the Source.

2. Select Regionality. The options are:

   • Single-Region Key: A single-region key cannot be replicated in other AWS regions.

   • Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.

     Note

     After a key is created, its regionality cannot be changed.

3. Click Next. The Destination (AWS) Key screen is displayed.

Destination (AWS) Key

1. Enter a user-friendly Alias for the key. This helps uniquely identify a key.

2. (Optional) Provide a brief Description of the key.

3. (Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.

   To add a tag:

   1. Specify a tag name.

   2. Specify the tag value.

      CCKM allows the following characters in tag values:

      • Alphanumeric characters

      • Special characters ** _ . / = + - @ **

   3. Click the + button.

   Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

4. Click Next. The Key Policy screen is displayed.

On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.

Key Policy

Specify a policy for the key. You can create a new policy or select an existing policy.

Click the desired tab to view the instructions.

The Add to Schedule screen is displayed.

Add to Schedule

1. From the Rotation drop-down list, select a schedule to apply.

2. Specify whether to Disable Encrypt Permissions on Current Key. By default, the encrypt permissions are disabled on the current key. To enable permissions, clear the check box.

3. Select the Key Origin from the available options. The key origin can be:

   • CipherTrust: CipherTrust Manager.

   • Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.

   • DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.

4. Click Next.

The Review and Add Key screen is displayed.

Review And Add Key

This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, KEY POLICY, DESTINATION KEY and KEY SCHEDULES sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality. The KEY MATERIAL ORIGIN section shows the Source Type as External (BYOK) and Source as Decide Later.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

1. Review the key details displayed on the screen.

   If details are incorrect or you want to make any changes, click Edit next to the KEY MATERIAL ORIGIN, KEY POLICY, DESTINATION KEY and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.

2. Click Add Key.

   The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.

   When the status next to the DESTINATION KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.

3. Click OK. The Add AWS Key wizard is closed.

The newly created key is displayed in the list of AWS keys. The origin of the key is BYOK - External and the key state is PendingImport.

Creating CloudHSM Keys

Before you can create a CloudHSM key, you must ensure your CloudHSM key store is configured. For more information, see AWS CloudHSM Key Store Resources.

To create a CloudHSM key using CloudHSM Source

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS.

3. Click Add Key. The Key Material Origin screen of the Add AWS Key wizard is displayed.

Key Material Origin

1. Select the desired AWS Account from the drop-down list.

2. Select the desired Region from the drop-down list.

3. Select AWS CloudHSM Key Store from Origin Type.

4. Select the desired CloudHSm Key Store from the drop-down list.

5. Enter a user-friendly Alias for the key. This helps uniquely identify the key.

6. (Optional) Provide a brief Description of the key.

7. (Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.

   To add a tag:

   1. Specify a tag name.

   2. Specify the tag value.

      CCKM allows the following characters in tag values:

      • Alphanumeric characters

      • Special characters ** _ . / = + - @ **

   3. Click the + button.

   Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

8. Click Next. The Key Policy screen is displayed.

On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.

Key Policy

Specify a policy for the key. You can create a new policy or select an existing policy.

Click the desired tab to view the instructions.

Review And Add Key

1. Review the key details, and click Add Key to create.

2. Once creation completes, click OK to close the dialog.

Creating HYOK Keys

You must prepare an external custom key store on CCKM before you can create an HYOK key.

As part of creating an HYOK key, you create a new source key in either a Luna HSM partition or a CipherTrust Manager that is associated with the external custom key store. The source of the HYOK key must match the source of the external custom key store.

Configuration varies based on whether the HYOK is created in the linked or unlinked state.

If the HYOK key is created in the linked state, a KMS key is automatically created in the corresponding AWS KMS external key store.

If the HYOK key is created in the unlinked state, you must either link it to automatically create the corresponding KMS key on AWS KMS, or you must manually create the KMS key on AWS KMS. If you choose to manually create a KMS key, you can refresh keys to later detect and link the KMS key to its HYOK key on CCKM. Managing AWS policies associated with the HYOK key on CCKM is unsupported with unlinked keys.

Create a Linked HYOK Key

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS.

3. Click Add Key. The Key Material Origin screen of the Add AWS Key wizard is displayed.

Key Material Origin

1. Select the desired AWS Account from the drop-down list.

2. Select the desired Region from the drop-down list.

3. Select External Custom Key Store (HYOK) from Origin Type.

4. Select CipherTrust or Luna HSM from Source.

5. Select Linked Key from the Linked State.

6. Click Next. The Source Key screen is displayed.

Source Key

1. Select an External Key Store from the drop down.

   Note

   Only key stores hosted on the local CCKM, and matching the selected Source are available.

2. Select the Source Key Material. This specifies how to create the key.

   • Create New Key

     1. Click to create a fresh key.

     2. Specify the Source Key Name for the source key. This will be the name for the new key.

        Note

        For Luna HSM keys, key attributes are displayed. These values are not editable.

   • Copy Existing Key

     1. Click to create a new key by copying an existing source key.

     2. Select the AES-256 key you wish to use from the Source Key drop-down list. For Luna HSM, this drop-down shows the available keys based on the Luna HSM connection.

        Valid source keys must have specific attributes, depending on the source type.

        Source Type	Required Attributes
        CipherTrust Manager	• Not exportable • Not deletable • Usage Masks: Encrypt, Decrypt, Wrap, Unwrap
        Luna HSM	• CKA_EXTRACTABLE = FALSE • CKA_SENSITIVE = TRUE • CKA_ENCRYPT = TRUE • CKA_DECRYPT = TRUE • CKA_WRAP = TRUE • CKA_UNWRAP = TRUE

3. Click Next. The Destination (AWS key) screen is displayed.

Destination (AWS) Key

1. Add an Alias for the new KMS key.

2. Optionally add a Description and Tags, if desired.

3. Click Next The Key Policy screen is displayed.

On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.

Key Policy

Specify a policy for the key. You can create a new policy or select an existing policy.

Click the desired tab to view the instructions.

The Add to Schedule screen is displayed.

Add to Schedule

1. Select the desired Rotation schedule to apply to the key from the drop-down list. This is an optional step.

2. Click Next. The Review And Add Key screen is displayed.

Review And Add Key

1. Review the key details, and click Add Key to create.

   Creation completes and an XKS ID is generated for the new HYOK key.

2. Click OK to close the dialog.

Create an Unlinked HYOK key

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS.

3. Click Add Key. The Key Material Origin screen of the Add AWS Key wizard is displayed.

Key Material Origin

1. Select the desired AWS Account from the drop-down list.

2. Select External Custom Key Store (HYOK) from Origin Type.

3. Select the desired Region from the dropdown list.

4. Select CipherTrust or Luna HSM from Source.

5. Select Unlinked Key from the Linked State.

   This means that the corresponding key is not automatically created in AWS KMS, and you must either link the HYOK after creation, or manually create the KMS key in AWS KMS.

6. Click Next. The Source Key screen is displayed.

Source Key

1. Select an External Key Store from the drop down.

   Note

   Only local key stores matching the selected Source are available.

2. Select the Source Key Material. This specifies how to create the key. The source key must be a symmetric AES-256 key.

   For Luna source key stores, the CKA_SENSITIVE, CKA_ENCRYPT, CKA_DECRYPT, CKA_WRAP, and CKA_UNWRAP attributes must be enabled, and CKA_EXTRACTABLE must be disabled.

   The options are:

   • Create New Key

     1. Click to create a fresh key.

     2. Specify the Source Key Name for the source key. This will be the name for the new key.

        Note

        For Luna HSM keys, key attributes are displayed. These values are not editable.

   • Copy Existing Key

     1. Click to create a new key by copying an existing source key.

     2. Select the key you wish to use from the Source Key drop-down list. For Luna HSM, this drop-down shows the available keys based on the Luna HSM connection.

3. Click Next. The Add to Schedule screen is displayed.

Add to Schedule

1. Select the desired Rotation schedule to apply to the key from the drop-down list. This is an optional step.

2. Click Next. The Review And Add Key screen is displayed.

Review And Add Key

1. Review the key details, and click Add Key to create.

   Creation completes and an XKS ID is generated for the new HYOK key.

2. Click OK to close the dialog.

3. Create the corresponding KMS key. You can either:

   • Link the new HYOK key in CCKM.

   • Manually create the key in AWS KMS:

     1. In CCKM, retrieve the XKS ID value from the key details page.

     2. On AWS KMS, navigate to the external key store which corresponds to the CCKM external custom key store you selected for the HYOK key.

     3. Create the KMS key. Provide the XKS ID for any fields indicating an External key ID.

     4. Follow AWS documentation to associate the desired AWS services with the KMS key.

     5. If you want to later link the KMS key to its associated HYOK key, refresh all AWS keys.

   Encryption and decryption requests will now be executed with the source key.

   If the source key is a Luna HSM key, the cryptographic requests are executed inside the Luna HSM.

   If the source key is a CipherTrust Manager key, the cryptographic requests are executed inside the CipherTrust Manager.

Linking HYOK Keys

If you created an HYOK key in an unlinked state, you can link it after creation. Linking an HYOK key automatically creates a new corresponding KMS key in AWS KMS.

To link an HYOK key

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

   You can filter this list on Origin: HYOK-CCKM to display only local HYOK keys.

3. Click the overflow icon () corresponding to the desired key and click Link.

   The Configure AWS Key screen of the Link AWS Key wizard is displayed.

4. Optionally provide an Alias and Tags for the new KMS key.

5. Click Next. The AWS Key Policy screen is displayed.

6. Click the desired tab to view the instructions.

   Create New Policy

   1. Select the Create New Policy option.

   2. Select a policy view. You can select either the Basic view or Raw view. The default view is Basic.

      Select the key admins, key users, and additional accounts for the policy. The Key Admins and Key Users tabs display the list of available AWS users and roles.

      In the Basic view, Key Admins is the default tab.

      1. On the Key Admins tab, select the desired key admins.

      2. Click the Key Users tab.

      3. Select the desired key users.

      4. Add external accounts in the Add Accounts field and click +.

         These accounts have user permissions. Similarly, you can add more external accounts. To remove an account, click the close (X) icon in the account name.

         To switch to the Raw view, click Switch to policy (Raw) View. In the Raw view, paste a policy in JSON format in the Raw Policy field.

         Note

         Any edits made in the policy (Raw) view will be retained exclusively in the policy (Raw) view.

   3. Select Save this Key Policy and Enter Template Name.

   4. Click Next.

   Select Saved Policy

   1. Select the Select Saved Policy option.

   2. Select a policy from the Saved Policies drop-down list.

      You can also update the selected policy, and create a new policy using it.

      1. Select the policy view, you can select Raw View or Basic View. By default, the policy will open in the Raw View.

      2. Update the policy.

         Raw View

         Make the necessary changes in the policy.

         Basic View

         In the Basic View, Key Admins is the default tab.

         1. On the Key Admins tab, select the desired key admins.

         2. Click the Key Users tab.

         3. Select the desired key users.

         Note

         If you make changes in one of the views and switch to the other view without updating the policy, you will see a Warning message. Click Yes to continue.

      3. Click Update. The Update Policy message is displayed.

         To save the changes as a new policy, select the DO NOT Push Changes check box, and enter the New Policy name.

         Note

         If the selected policy is Unverified, the Update Policy message will not be displayed, a new policy will not be created.

      4. Click Apply.

      5. Click Next.

   Build From Template

   1. Select the Build From Template option.

   2. Select Template.

   3. (Optional) Make the necessary changes in the template.

   4. Click Next

   The Review and Add screen is displayed.

7. Review the AWS Key and AWS Key Policy details.

8. Click Link to accept, link the HYOK key, and create a new KMS key.

9. Click OK.

Viewing AWS Keys

To view an AWS key:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed. The AWS Keys page displays following details:

   Field	Description
   Alias	Unique, user-friendly alias of the key. This is useful in searching for specific keys. The AWS Keys page shows the latest alias under the Alias field. Additional aliases for the key are displayed in braces. For example, if a key has three aliases and the latest alias is "latest-alias", the Alias field shows "latest-alias (+2 more)". Clicking the link takes to the Aliases section of the key in edit mode.
   Key ID	Unique ID of the CipherTrust Manager key.
   Account	AWS account name.
   Region	AWS region.
   Algorithm	Name of the algorithm. Supported algorithms are: • SYMMETRIC_DEFAULT • RSA_2048 • RSA_3072 • RSA_4096 • ECC_NIST_P256 • ECC_NIST_P384 • ECC_NIST_P521 • ECC_SECG_P256K1
   Source Key	Name of the source key.
   Source Type	Source of the key. • CipherTrust (Local): Local CipherTrust Manager • DSM: Vormetric Data Security Manager • Luna: HSM Luna • CipherTrust (External): External CipherTrust Manager.
   Key State	State of the key. The state can be: • Enabled • Disabled • Deleted • PendingDeletion • PendingImport • Unavailable
   Creation Date	Time when the key is created.
   Origin	The origin of the key can be: • BYOK-CCKM: Key material is created on CCKM. • Native: Key material is created on the cloud. • BYOK - External: Source of the key material is unknown. It is different than CCKM and the native cloud. •HYOK-CCKM: HYOK key exists on CCKM • HYOK-External: An external key from KMS, without the corresponding HYOK key on the local CCKM. This can mean that the HYOK key is present on a different CCKM not clustered with the local one, or that the HYOK key is present on another vendor's external key manager. NOTE: When the CipherTrust Manager is upgraded from 2.0 to 2.1, the Origin column appears blank. The column will be populated on next scheduled key synchronization or on-demand synchronization by clicking the Sync All button.
   Expiration Date	Time when the key will expire. Expiration date is nonapplicable for some key types.
   Expiration State	State of the expiration.
   Regionality	Whether the key is a single-region key, multi-region primary key, or multi-region replica key.
   Cloud	Name of the AWS cloud.
   Key Usage	How the key is used - for example, to decrypt and encrypt or to sign and verify.
   Source Key Container	Container of the source key. A container can be the CipherTrust Manager, DSM, or Luna HSM.
   Key Store	(Applicable to HYOK keys) Name of the key store.

   Some of these fields are not populated for HYOK keys. The non-populated fields are Alias, Key ID, Key State, and Creation Date.

   The Regionality, Cloud, Key Usage, and Source Key Container columns are hidden by default. To show/hide a column, click the custom view icon (), select/clear the desired column, and click OK. The Key Usage column is not populated for HYOK keys.

Sometimes, you might notice certain keys are displayed as grayed out. This happens when the keys are no longer accessible. For example, when:

• Any cloud permissions on the keys are changed. The keys are no longer accessible from the AWS connection.

• Connection is changed in AWS KMS. The new connection does not have permissions to access the keys.

• When AWS regions are changed or removed. The keys from the configured region are no longer accessible.

Creating Replica of Multi-Region Keys

A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. Later, you can set any replica of the multi-region key as the primary key.

To add a replica:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the alias of the desired multi-region primary key. The detail view of the key is displayed.

4. Scroll down to the REGIONALITY section.

5. Click Add Replicas. The Add Replica Region screen of the Add Replica Keys dialog box is displayed.

Add Replica Region

1. From the Select Replica Region drop-down list, select the AWS region where you want to create the replica key.

2. Click Next. The Add Labels screen is displayed.

Add Labels

The fields on the Add Labels screen display the current values of the primary key, but you can edit them at any time. AWS KMS does not synchronize any changes to these values.

1. Enter a user-friendly Alias for the replica key. This helps uniquely identify the replica key.

2. (Optional) Provide a brief Description of the key.

3. (Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.

   To add a tag:

   1. Specify a tag name.

   2. Specify the tag value.

      CCKM allows the following characters in tag values:

      • Alphanumeric characters

      • Special characters ** _ . / = + - @ **

   3. Click the + button.

   Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

4. Click Next. The Key Policy screen is displayed.

On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.

Key Policy

Specify a policy for the key. You can create a new policy, select a saved policy, and build from template.

Click the desired tab to view the instructions.

The Review screen is displayed.

Review

This screen shows the replica key details that you have provided. These details are divided into REPLICA REGION, LABELS, AWS KEY POLICY, and CONFIRMATION sections.

Before adding the replica key, review all details. After the key is added, certain features will no longer be editable.

1. Review the key details displayed on the screen.

   If details are incorrect or you want to make any changes, click Edit next to the REPLICA REGION and LABELS sections and update details. Alternatively, click Back and make changes, as appropriate.

2. Under CONFIRMATION, select I understand that the values I choose here are not synchronized with any other Multi-Region Key.

3. Click Add Replica Key. Your key is successfully added. Close window to return to replica keys list.

4. Click Close. The Add Replica Keys wizard is closed.

The newly created replica key is displayed in the list of replica keys under the REGIONALITY section. The Regionality of a replica key is displayed as REPLICA and its Status moves from Starting to PendingImport.

Viewing Replicas of a Multi-Region Key

To view the replicas of a multi-region key:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the alias of the desired multi-region primary key. The detail view of the key is displayed. To view or edit an AWS key:

4. Scroll down to the REGIONALITY section. This section shows the replicas of the multi-region primary key. The section shows the following details:

   Field	Description
   Region	Region where the replica is created.
   Key ARN	Amazon Resource Name (ARN) of the AWS replica.
   Alias	Alias of the replica key.
   State	State of the replica key.
   Regionality	Regionality of the replica key is REPLICA.
   Creation Date	Date and time when the replica is created.

Viewing or Editing AWS Key Details

To view or edit an AWS key:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click View/Edit.

4. For HYOK keys, you can obtain the following additional values:

   • The XKS ID. You can copy this value using the copy button, if you want to manually create a corresponding KMS key. In AWS, this value is called the External key ID.

   • The Source. This is a link to the CCKM-managed source key stored within either Luna HSM or CipherTrust Manager (depending on which key source you are using). This is important if you want to perform any key functions using either Luna key functions or CipherTrust Manager key functions.

   Note

   You can view but not edit details for unlinked HYOK keys.

5. For Native, linked HYOK keys, and BYOK Keys, edit or configure the following fields and click Update:

   • ALIASES: Add or delete aliases of the key.

   • LABELS: Add tags to the key. Refer to Add Labels for characters allowed in AWS tag values.

   • SCHEDULES: Applies rotation schedule to the key. Refer to Apply Key Rotation Schedule for details.

   • AWS AUTO-ROTATE: Automatically rotates AWS native key every year.

     Note

     This is not applicable for HYOK keys.

   • POLICY: Grant access to external accounts, key administrators, and key users. Refer to Adding/Editing Policies for details.

Adding or Deleting Aliases

To add a new alias to the key:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click View/Edit.

4. Under ALIASES, click Add Alias.

5. Enter an Alias Name.

6. Click Save. The new alias is added to the key.

The AWS Keys page shows the latest alias under the Alias field. Additional aliases for the key are displayed in braces. For example, if a key has three aliases and the latest alias is "latest-alias", the Alias field shows "latest-alias (+2 more)". Clicking the link takes to the Aliases section of the key in edit mode.

To delete an alias of the key:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click View/Edit.

4. Under Aliases, click the overflow icon () corresponding to the desired alias.

5. Click Delete. The alias is deleted.

Apply Key Rotation Schedule

To apply a key rotation schedule to an AWS key:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click View/Edit.

4. Under SCHEDULES, from the Rotation drop-down list, select a schedule to apply. If applying a schedule to a CloudHSM key or linked HYOK key, proceed to step 7.

5. For BYOK or Native keys grant or deny decrypt permissions to the current key. Select Disable Encrypt Permissions on Current Key to grant, clear to deny.

6. For BYOK or Native keys, select the Key Origin from the available options. The key origin can be:

   • CipherTrust (External): External CipherTrust Manager.

   • CipherTrust (Local): Local CipherTrust Manager.

   • Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.

   • DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.

7. Click Update.

Adding/Editing Policies

You can apply a new policy or edit the policy attached to an AWS key on the list view or the details view of the AWS Keys page.

On the list view of the AWS Keys page

To add or edit key policy:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click Add/Edit Policies.

   The Add/Edit Policies dialog box displays the attached policy, if any. Under Unsaved Policy, you can either:

   • Update the policy locally. These are local changes only. They do not affect the original policy.

     Alternatively, you can save the changes as a new policy. Click Save to Policy List, specify a Policy Name, and click Save. The newly created policy will be available as a saved policy for selection.

   • Attach a new saved policy. Click Select Saved Policy, select a saved policy from the drop-down list, and click Apply.

   • Select a template and use it to create a key policy. Click Build from Template, select a template from the drop-down list, and click Apply.

4. Click Save.

On the details view of the AWS Keys page

To add or edit key policy:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the Alias link of the key.

4. Navigate to the POLICY section.

5. Add or update the policy, as described above.

6. Click Update.

Refreshing AWS Keys

Refreshing is the process of downloading keys created on the AWS KMS to CCKM. You can refresh keys from all AWS KMS accounts at once.

Refreshing keys also refreshes AWS CloudHSM key stores and external custom key stores.

Refreshing all keys can set unlinked HYOK keys to a linked state. This happens when CCKM detects a corresponding KMS key for an local unlinked HYOK key. As well, this operation can set unlinked external custom key stores to a linked state. This happens when CCKM detects a corresponding KMS external key store for an local unlinked external custom key store.

To refresh keys:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The AWS Keys page is displayed. This page displays the list of AWS keys.

3. Click Refresh All. The This may take a while... message is displayed.

   Note

   Refresh all keys is a time intensive operation that could take several hours or days to complete. It will continue running in the background. Do you want to continue?

4. Click Refresh All to continue.

A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.

The refreshed keys are listed on the Cloud Keys > AWS > AWS Keys page.

Disabling Keys

To disable the key(s):

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Select the keys to be enabled from the list.

4. Click Disable. The Disable Key(s) dialog box is displayed.

5. Click Disable. The Job Created dialog box is displayed. A job is created to track the disabling of the keys.

6. Click OK.

You can check the job status on the Bulk Operations tab.

Enabling Keys

To enable the key(s):

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Select the keys to be enabled from the list.

4. Click Enable. The Enable Key(s) dialog box is displayed.

5. Click Enable. The Job Created dialog box is displayed. A job is created to track the enabling of the keys.

6. Click OK.

You can check the job status on the Bulk Operations tab.

Downloading Keys

Asymmetric keys can be downloaded to your local machines. Symmetric keys cannot be downloaded.

To download an asymmetric key:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click Download Key. The key is downloaded.

Importing Key Material

You can create a key without key material and can later import the CipherTrust key material to the AWS KMS. As the key material is not created on the AWS KMS, its origin is external.

To import key material:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click Import Material. The Import Material dialog box is displayed.

4. Select Import Type (the desired key material source). The options are:

   • Import Using CipherTrust (External)

   • Import Using CipherTrust (Local)

   • Import Using Vormetric DSM

   • Import Using Luna HSM

Import Using CipherTrust (External)

When importing the key material from an external CipherTrust Manager, Select Key Material Origin. The options are:

• Create New Key

• Use Existing Key

Create New Key

In this method, the external CipherTrust Manager creates the new key material locally.

1. Select Create New Key.

2. Click Next.

3. Enter Key Name.

4. Select Domain for the key. The drop-down list shows the domains of the external CipherTrust Manager linked with the configured connection.

5. (Optional) Select the Key Material Expiration Date from the on-screen calendar.

6. Click Next. The Review Key Details screen is displayed.

7. Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.

8. Click Import.

   The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed. When the status next to the SOURCE KEY section becomes Complete, the key material is imported successfully.

9. Click OK.

In this scenario, the CipherTrust creates a new key material and the key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.

Use Existing Key

In this method, the key material of an existing external CipherTrust Manager key is used.

1. Select Use Existing Key.

2. Click Next.

3. Select Domain from the drop-down list. The drop-down list shows the domains of the external CipherTrust Manager linked with the configured connection.

4. Select an existing CipherTrust key from the Source Key drop-down list.

5. (Optional) Select the Key Material Expiration Date from the on-screen calendar.

6. Click Next. The Review Key Details screen is displayed.

7. Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.

8. Click Import.

   The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed.

9. Click OK.

In this scenario, the existing key material of the external CipherTrust Manager is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.

Import Using CipherTrust (Local)

When importing the key material from CipherTrust, Select Key Material Origin. The options are:

• Create New Key

• Use Existing Key

Create New Key

In this method, CipherTrust Manager creates the new key material locally.

1. Select Create New Key.

2. Click Next.

3. Enter Key Name.

4. (Optional) Select the Key Material Expiration Date from the on-screen calendar.

5. Click Next. The Review Key Details screen is displayed.

6. Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.

7. Click Import.

   The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed. When the status next to the SOURCE KEY section becomes Complete, the key material is imported successfully.

8. Click OK.

In this scenario, the CipherTrust creates a new key material and the key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.

Use Existing Key

In this method, the key material of an existing CipherTrust Manager key is used.

1. Select Use Existing Key.

2. Click Next.

3. Select an existing CipherTrust key from the Source Key drop-down list.

4. (Optional) Select the Key Material Expiration Date from the on-screen calendar.

5. Click Next. The Review Key Details screen is displayed.

6. Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.

7. Click Import.

   The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed.

8. Click OK.

In this scenario, the existing CipherTrust key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.

Import Using Vormetric DSM

When importing the key material from Vormetric DSM, Select Key Material Origin. The options are:

• Create New Key

• Use Existing Key

Create New Key

In this method, DSM creates the new key material locally.

1. Select Create New Key.

2. Click Next.

3. Enter a DSM Key Name.

4. Select the desired DSM Domain.

5. (Optional) Select the Key Material Expiration Date from the on-screen calendar.

6. Click Next. The Review Key Details screen is displayed.

7. Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.

8. Click Import.

   The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed. When the status next to the SOURCE KEY section becomes Complete, the key material is imported successfully.

9. Click OK.

In this scenario, the DSM creates a new key material and the key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.

Use Existing Key

In this method, the key material of an existing DSM key is used.

1. Select Use Existing Key.

2. Click Next.

3. Select an existing DSM key from the DSM Key Name drop-down list.

4. (Optional) Select the Key Material Expiration Date from the on-screen calendar.

5. Click Next. The Review Key Details screen is displayed.

6. Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.

7. Click Import.

   The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed.

8. Click OK.

In this scenario, the existing DSM key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.

Import Using Luna HSM

When importing the key material from Luna HSM, Select Key Material Origin. The options are:

• Create New Key

• Use Existing Key

Create New Key

In this method, Luna HSM creates the new key material locally.

1. Select Create New Key.

2. Click Next. The Add Key Details page is disabled.

3. Enter a Key Name.

4. Select the desired Partition ID.

5. Select the desired Key Attributes.

6. (Optional) Select the Key Material Expiration Date from the on-screen calendar.

7. Click Next. The Review Key Details screen is displayed.

8. Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.

9. Click Import.

   The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed. When the status next to the SOURCE KEY section becomes Complete, the key material is imported successfully.

10. Click OK.

In this scenario, the Luna HSM creates a new key material and the key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.

Use Existing Key

In this method, the key material of an existing Luna HSM key is used.

1. Select Use Existing Key.

2. Click Next. The Add Key Details page is disabled.

3. Select an existing Luna HSM key from the Key drop-down list.

4. (Optional) Select the Key Material Expiration Date from the on-screen calendar.

5. Click Next. The Review Key Details screen is displayed.

6. Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.

7. Click Import.

   The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed.

8. Click OK.

In this scenario, the existing Luna HSM key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.

Deleting Key Material

To delete key material:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click Delete Material. The Delete Key Material dialog box is displayed.

4. Select I wish to delete key material.

5. Click Delete Key Material.

A message AWS Key material deleted is displayed on the screen. The key state changes to PendingImport.

Scheduling Key Deletion

Scheduled key deletion permanently removes the key from the AWS KMS (if a Native, linked HYOK, or BYOK key) or from the AWS CloudHSM (if a CloudHSM key) at the specified time. The AWS KMS enforces a waiting period of 7 to 30 days. You can cancel schedule deletion before the waiting period ends.

For linked HYOK keys, scheduling deletion removes the local CCKM HYOK key, and the remote KMS key at the specified time. Unlinked HYOK keys can only be deleted manually, not at a scheduled time. Deleting an HYOK key does not delete the source key (stored in either an Luna HSM or CipherTrust Manager. You can later create a new HYOK key using the source key.

To schedule key deletion:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click Schedule Key Deletion.

4. On the Schedule Key Deletion screen:

   1. Select I wish to delete this key.

   2. Specify the Waiting period (in Days) after which the key will be deleted. The default value is 30.

   3. Click Schedule Deletion.

   A message Key <key_name> scheduled for deletion is displayed on the screen. The key state changes to PendingDeletion.

Canceling Scheduled Deletion

This functionality is applicable to Native, BYOK, and CloudHSM keys.

To cancel scheduled deletion:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click Cancel Deletion.

A message Scheduled deletion cancelled is displayed on the screen. The key state changes to Disabled. You can enable the key, if you wish to use this key in the cryptographic operations.

Deleting Unlinked HYOK Keys

Deleting an unlinked HYOK Key deletes the XKS ID that is associated to a KMS key in AWS KMS. The corresponding KMS key is not deleted, but it can no longer perform cryptographic operations. For linked HYOK keys, you can schedule a key deletion to delete both the HYOK key on CCKM and the KMS key in AWS KMS.

Deleting an HYOK key does not delete the source key (stored in either an Luna HSM or CipherTrust Manager). You can later create a new HYOK key using the source key. Luna source keys are managed through CCKM Luna key functions, and CipherTrust Manager source keys are managed through CipherTrust Manager key management menus.

To delete an unlinked HYOK key:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

   You can filter this list on Origin: CCKM-HYOK to display only HYOK keys.

3. Click the overflow icon () corresponding to the desired alias and click Delete. The Delete Key dialog box is displayed.

4. Click Delete Key to confirm.

Rotating Keys

Key rotation allows you to create new cryptographic material for the keys, while retaining the IDs that AWS needs to communicate. Regularly rotating keys is a security best practice.

To rotate a key:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click Rotate Key (for a Native, BYOK, or CloudHSM key) or Add Version (Rotate) (for an HYOK key). If rotating a CloudHSM key, proceed to Rotate CloudHSM Key.

   Note

   You cannot rotate the key that has Origin Type as Native and Key Usage as Generate and Verify Mac.

4. On the Select Material Origin screen.

   The options for Native and BYOK keys are:

   • Upload New CipherTrust (External) Key

   • Upload Existing CipherTrust (External) Key

   • Upload New CipherTrust (Local) Key

   • Upload Existing CipherTrust (Local) Key

   • Upload New Vormetric DSM Key

   • Upload Existing Vormetric DSM Key

   • Upload New Luna HSM Key

   • Upload Existing Luna HSM Key

   The options for HYOK keys are:

   • Create a New Luna HSM Key for HYOK Keys

   • Use Existing Luna HSM Key for HYOK Keys

   • Create New CipherTrust Manager Key Version for HYOK keys

Upload New CipherTrust (External) Key

In this method, upload the key material using an external CipherTrust Manager to configure source key. In this scenario, the key material of an external CipherTrust Manager key is uploaded and then used for key rotation.

1. On the Select Material Origin screen, select Upload New CipherTrust (External) Key.

2. Click Next. The Create CipherTrust Key (External) screen is displayed.

Create CipherTrust (External) Key

1. Select Domain from the drop-down list. The drop-down list shows the domains of the external CipherTrust Manager linked with the configured connection.

2. Specify a unique Key Name.

3. Click Next. The Add Labels screen is displayed.

Add Labels

The Alias of the current key is populated automatically.

1. (Optional) Provide a Description of the key.

2. (Optional) Set a key expiration date.

   1. Select the Expiration Date check box.

   2. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 23, 2020 4:03 AM.

3. (Optional) Select the Disable Encrypt Permissions on Current Key check box.

4. (Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.

5. Click Save.

A message stating successful key creation and key rotation is displayed on the screen.

Upload Existing CipherTrust (External) Key

In this method, use the key material of an existing external CipherTrust Manager key for key rotation.

1. On the Select Material Origin screen, select Upload Existing CipherTrust (External) Key.

2. Click Next. The Select CipherTrust (External) Key screen is displayed.

Select CipherTrust (External) Key

1. Select the desired key from the Key drop-down list.

2. Click Next. The Add Labels screen is displayed.

Add Labels

The Alias of the current key is populated automatically.

1. (Optional) Provide a Description of the key.

2. (Optional) Set a key expiration date.

   1. Select the Expiration Date check box.

   2. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 23, 2020 4:03 AM.

3. (Optional) Select the Disable Encrypt Permissions on Current Key check box.

4. (Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.

5. Click Save.

A message stating successful key rotation is displayed on the screen.

Upload New Local Key

In this method, the CipherTrust Manager first creates a key material and then uses this key material for key rotation.

1. On the Select Material Origin screen, select Upload New CipherTrust (Local) Key.

2. Click Next. The Configure CipherTrust (Local) Key screen is displayed.

Configure CipherTrust (Local) Key

1. Specify a unique Key Name.

2. Click Next. The Add Labels screen is displayed.

Add Labels

The Alias of the current key is populated automatically.

1. (Optional) Provide a Description of the key.

2. (Optional) Set a key expiration date.

   1. Select the Expiration Date check box.

   2. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 23, 2020 4:03 AM.

3. (Optional) Select the Disable Encrypt Permissions on Current Key check box.

4. (Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.

5. Click Save.

A message stating successful key creation and key rotation is displayed on the screen.

Upload Existing CipherTrust (Local) Key

In this method, use the key material of an existing CipherTrust Manager key for key rotation.

1. On the Select Material Origin screen, select Use Existing Local Key.

2. Click Next. The Select CipherTrust (Local) Key screen is displayed.

Select CipherTrust (Local) Key

1. Select the desired key from the Key Name from drop-down list.

2. Click Next. The Add Labels screen is displayed.

Add Labels

The Alias of the current key is populated automatically.

1. (Optional) Provide a Description of the key.

2. (Optional) Set a key expiration date.

   1. Select the Expiration Date check box.

   2. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 23, 2020 4:03 AM.

3. (Optional) Select the Disable Encrypt Permissions on Current Key check box.

4. (Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.

5. Click Save.

A message stating successful key rotation is displayed on the screen.

Upload New Vormetric DSM Key

In this method, upload the key material using Vormetric DSM to configure source key. In this scenario, the key material of a DSM key is uploaded and then used for key rotation.

1. On the Select Material Origin screen, select Upload New Vormetric DSM Key.

2. Click Next. The Configure Source Key screen is displayed.

Configure Source Key

1. Specify a unique DSM Key Name for the key.

2. Select the desired DSM Domain from the drop-down list.

3. Click Next. The Configure Destination (AWS) Key screen is displayed.

Configure Destination (AWS) Key

The Alias of the current key is populated automatically.

1. (Optional) Provide a Description of the key.

2. (Optional) Set a key expiration date.

   1. Select the Expiration Date check box.

   2. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 23, 2020 4:03 AM.

3. (Optional) Select the Disable Encrypt Permissions on Current Key check box.

4. (Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.

5. Click Save.

A message stating successful key creation and key rotation is displayed on the screen.

Upload Existing Vormetric DSM Key

In this method, use the key material of an existing Vormetric DSM key.

1. On the Select Material Origin screen, select Use Existing Vormetric DSM Key.

2. Click Next. The Configure Source Key screen is displayed.

Configure Source Key

1. Select the desired key from the DSM Key Name from drop-down list.

2. Click Next. The Add Labels screen is displayed.

Add Labels

The Alias of the current key is populated automatically.

1. (Optional) Provide a Description of the key.

2. (Optional) Set a key expiration date.

   1. Select the Expiration Date check box.

   2. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 23, 2020 4:03 AM.

3. (Optional) Select the Disable Encrypt Permissions on Current Key check box.

4. (Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.

5. Click Save.

A message stating successful key rotation is displayed on the screen.

Upload New Luna HSM Key for Native and BYOK keys

In this method, upload the key material using Luna HSM to configure source key. In this scenario, the key material of a Luna HSM key is uploaded and then used for key rotation.

1. On the Select Material Origin screen, select Upload New Luna HSM Key.

2. Click Next. The Configure Source Key screen is displayed.

Configure Source Key

1. Specify a unique Key Name for the key.

2. Select the desired Partition ID from the drop-down list.

3. Select the desired Key Attributes.

4. Click Next. The Configure Destination (AWS) Key screen is displayed.

Configure Destination (AWS) Key

The Alias of the current key is populated automatically.

1. (Optional) Provide a Description of the key.

2. (Optional) Select the Disable Encrypt Permissions on Current Key check box.

3. (Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.

4. Click Save.

A message stating successful key creation and key rotation is displayed on the screen.

Upload Existing Luna HSM Key

In this method, use the key material of an existing Luna HSM key.

1. On the Select Material Origin screen, select Use Existing Luna HSM Key.

2. Click Next. The Configure Source Key screen is displayed.

Configure Source Key

1. Select the desired key from the Key from drop-down list.

2. Click Next. The Add Labels screen is displayed.

Add Labels

The Alias of the current key is populated automatically.

1. (Optional) Provide a Description of the key.

2. (Optional) Select the Disable Encrypt Permissions on Current Key check box.

3. (Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.

4. Click Save.

A message stating successful key rotation is displayed on the screen.

Rotate CloudHSM Key

To rotate a CloudHSM key

1. (Optional) On the Rotate Key screen, provide a Description of the key to be rotated.

2. (Optional) Select the Disable Encrypt Permissions on Current Key checkbox, if you wish to disable encryption on the key.

3. (Optional) Select the Apply Gravestone Alias on Current Key checkbox, if you wish to retain the key alias with a timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.

4. Click Save.

A message stating successful key rotation is displayed on the screen.

Create a New Luna HSM Key for HYOK Keys

During HYOK rotation, you can create an additional Luna HSM source key associated with the HYOK. After rotation, the HYOK key is associated with multiple source keys, and can accept AWS KMS requests to any of the source keys. Future encrypt operations will use the new (rotated) key version. Decrypt operations performed on data encrypted before the key rotation will use the previous versions of the source key.

Only the following operations would stop AWS KMS requests to the HYOK and its existing source key:

• Blocking the HYOK key.

  This causes a temporary interruption which is reversible.

• Deleting the HYOK key.

  Warning

  Deleting an HYOK key associated with a KMS key can result in encrypted data becoming permanently impossible to decrypt.

• Deleting the older source key through Luna key management menus or CipherTrust Manager key management menus.

  Warning

  Deleting a source key associated with a KMS key can result in encrypted data becoming permanently impossible to decrypt.

To rotate an HYOK key by using key material from a newly created Luna HSM key

1. On the Select Material Origin screen, select Create New Luna HSM Key.

2. Click Next. The Configure Source Key screen is displayed.

3. Provide a new Source Key Name.

   Note

   Key attributes are displayed. These values are not editable.

4. Click Next to proceed to the Review and Rotate Key screen.

5. Review the key details and click Rotate to confirm.

6. Leave the dialog open until the rotation operation completes successfully.

Use Existing Luna HSM Key for HYOK Keys

In this method, use the key material of an existing Luna HSM key for the key rotation.

After rotation, the HYOK key is associated with multiple source keys, and can accept AWS KMS requests to any of the source keys. Future encrypt operations will use the rotated source key. Decrypt operations performed on data encrypted before the key rotation will use the previous source key.

Only the following operations would stop AWS KMS requests to the HYOK and its existing source key:

• Blocking the HYOK key.

  This causes a temporary interruption which is reversible.

• Deleting the HYOK key.

  Warning

  Deleting an HYOK key associated with a KMS key can result in encrypted data becoming permanently impossible to decrypt.

• Deleting the older source key through Luna key management menus.

  Warning

  Deleting a source key associated with a KMS key can result in encrypted data becoming permanently impossible to decrypt.

To rotate an HYOK key by using key material from an existing Luna HSM key

1. On the Select Material Origin screen, select Use Existing Luna HSM Key.

2. Click Next. The Configure Source Key screen is displayed.

3. Select the desired key from the Select Luna Key drop-down list.

   Valid source keys must be AES-256 and have the following attributes:

   • CKA_EXTRACTABLE = FALSE

   • CKA_SENSITIVE = TRUE

   • CKA_ENCRYPT = TRUE

   • CKA_DECRYPT = TRUE

   • CKA_WRAP = TRUE

   • CKA_UNWRAP = TRUE

4. Click Next to proceed to the Review and Rotate Key screen.

5. Review the key details and click Rotate to confirm.

6. Leave the dialog open until the rotation operation completes successfully.

Create New CipherTrust Manager Key Version for HYOK keys

In this method, create a new version of the existing CipherTrust Manager source key for the key rotation.

After rotation, the HYOK key is associated with multiple source key versions, and can accept AWS KMS requests to any of the source key versions. Future encrypt operations will use the new (rotated) key version. Decrypt operations performed on data encrypted before the key rotation will use the previous versions of the source key.

Only the following operations would stop AWS KMS requests to the HYOK and its existing source key:

• Blocking the HYOK key.

  This causes a temporary interruption which is reversible.

• Deleting the HYOK key.

  Warning

  Deleting an HYOK key associated with a KMS key can result in encrypted data becoming permanently impossible to decrypt.

• Deleting the older source key through CipherTrust Manager key management menus.

  Warning

  Deleting a source key associated with a KMS key can result in encrypted data becoming permanently impossible to decrypt.

To rotate an HYOK key by using key material from an existing CipherTrust Manager key

1. From the Add Version (Rotate) Key screen, click Rotate Key to confirm.

2. Leave the dialog open until the rotation operation completes successfully.

Blocking and Unblocking HYOK Keys

Blocking and unblocking an HYOK key is a way to temporarily suspend and restore AWS KMS's access to the HYOK key and its source key. This way, you do not permanently delete the HYOK key and the XKS ID which AWS KMS needs to communicate to the HYOK and source key.

Block a Key

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

   You can filter this list on Origin: HYOK-CCKM to display only local HYOK keys.

3. Click the overflow icon () corresponding to the desired key and click Block Key.

4. Confirm you wish to block the key by clicking Block in the Block Key dialog.

Unblock a Key

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

   You can filter this list on Origin: HYOK-CCKM to display only local HYOK keys.

3. Click the overflow icon () corresponding to the desired key and click Unblock Key.

4. Confirm you wish to unblock the key by clicking Unblock in the Block Key dialog.