Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

Getting Started
Administration
Reference
Release Notes

All

All

OCI External Resources

Managing External Keys

Please Note:

Administration
CipherTrust Manager Administration
- Authentication
  - Authentication Settings for NAE, KMIP, and Web Interfaces
  - Users
  - Certificate Based Authentication for Users
  - Authentication Tokens
  - Client Management
  - Authenticating to the REST API
- Attribute-based Access Control Permissions for Resources
  - Backup
  - Certificate Authority
  - Client Management
  - Cluster
  - Keys
  - Connection Managers
  - Proxies & Allowed Proxies
  - DNS Hosts
  - Domains
  - Groups & Groupmaps
  - Interfaces
  - Connections
  - Logs
  - Log Forwarders
  - Quorum
  - Records
  - Users
  - Scheduler
  - Servers
  - SNMP
  - Policies
  - Migrations
  - Licensing
  - HSM
  - Miscellaneous
  - Network
  - ProtectApp
  - Secrets
- Password Policy
- Key Policies
- Changing Passwords
- Domain Management
- Groups
- Group Mapping
- Services
- Root of Trust Hardware Security Module
- Clusters and Nodes
- CipherTrust Manager System Monitoring
  - Records
  - Alarms
  - Syslogs
  - Debug Logs
  - Log Forwarding
  - Prometheus Metrics Endpoint
- Policies
- Banners
- Basic Interface Configuration
- Proxy Configuration
- Quorums
- SNMP
- SMTP
- Backups
- Scheduling Backups
- Disk Encryption After Initial Deployment
- Scheduler
- Connection Manager
  - Connections
  - Amazon Web Services (AWS)
  - Google Cloud Platform (GCP)
  - Secure Copy Protocol (SCP)
  - Microsoft Azure
  - Hadoop Knox
  - Loki
  - Salesforce
  - Luna Network HSM
  - Elasticsearch
  - SAP Data Custodian
  - CIFS/SMB
  - Syslog
  - Oracle Cloud Infrastructure (OCI)
  - DSM Connection
  - OIDC
  - LDAP
  - CM Connection/External CM
    - Managing CM Connections using GUI
    - Configuring CM Connections using ksctl
  - Akeyless Gateway
- Browsing LDAP Users and Groups
- System Upgrade/Downgrade
- Configuring DNS Hosts
- CLI Toolkit
  - CLI Toolkit Installation
  - Batching Commands with Tokens
  - Example CLI User Set Up
  - Support CLI
- Keys
- Key Rotation
- Crypto Operations
- MKEK Rotation
- Certificate Authority
- System Info
- System Properties
- Network Diagnostics
- Integrating Logging with Splunk App
- Return Material Authorization (RMA) Guidance
Application Data Protection Administration
- Overview
- Interfaces
- Managing Applications
  - Defining Applications
  - Modifying Applications
  - Deleting Applications
  - Viewing Application Details
  - Viewing Registration Token
  - Cleaning Application
  - DPG Policies
- Managing Character Sets
  - Creating Character Sets
  - Deleting Character Sets
- Managing Protection Policy
  - Viewing protection policy
  - Creating protection policy
  - Modifying protection policy
  - Deleting protection policy
- Managing Access Policy
  - Viewing access policy
  - Creating access policy
  - Modifying access policy
  - Deleting access policy
- Managing User Set
  - Viewing user set
  - Creating user set
  - Deleting user set
- Managing Masking Formats
  - Viewing masking format
  - Creating masking formats
  - Deleting masking format
  - Modifying masking format
- Single Pane of Glass
- Heartbeat Configuration
- FPE/AES/UNICODE Cardinality Block-Size Table
- Auto Renewal of Client Certificates
- Fetch Latest Data from CipherTrust Manager
- Frequently Asked Questions
BDT Administration
- Protection Profiles
- BDT Policies
- BDT Containers
CCKM Administration
- Overview
- AWS Resources
  - Managing AWS Accounts
  - Managing AWS Keys
  - Scheduling Operations
  - Managing AWS Reports
  - Managing Policies
  - Managing AWS Templates
  - Migrating to IAM Roles Anywhere Connections
  - Downloading AWS Metadata
- Azure Resources
  - Prerequisites
    - Prerequisites for Azure Cloud
    - Prerequisites for Azure Stack Cloud with Azure AD
    - Prerequisites for Azure Stack Cloud with Azure ADFS
  - Managing Azure Vaults
  - Managing Azure Keys
  - Managing Azure Certificates
  - Managing Azure Secrets
  - Scheduling Operations
  - Managing Azure Reports
  - Viewing Azure Subscriptions
  - Performance Summary
  - Allowing AD Users to Manage Azure Vaults
  - Configuring Connection to Azure Using Private Link
  - Downloading Azure Metadata
- AWS External Key Store Resources
  - Managing External Key Store Resources
  - AWS XKS Performance Summary
- External CipherTrust Resources
  - Managing External CipherTrust Domains
  - Managing External CipherTrust Keys
- AWS CloudHSM Key Store Resources
  - Managing an AWS CloudHSM Key Store from CCKM
- Luna HSM Resources
  - Managing Luna HSM Partitions
  - Managing Luna HSM Keys
  - Scheduling Operations
- DSM Resources
  - Managing DSM Domains
  - Managing DSM Keys
  - Scheduling Operations
- Google Cloud Resources
  - Google Cloud Projects
  - Google Cloud Key Rings
  - Google Cloud Keys
  - Google Cloud Reports
  - Scheduling Operations
  - Performance Summary
  - Downloading Google Metadata
- Google Cloud External Key Manager Resources
  - Managing Google EKM Endpoints
  - Managing Google EKM Endpoint Policies
  - Google EKM Performance Summary
  - Managing Google EKM Cryptospaces
  - Managing Google EKM Cryptospace Endpoints
- Google Workspace CSE Resources
  - Access Policies
  - Prerequisites
  - High Level Architecture
  - Licensing
  - Communication with KACLS
  - Clustering for Google Workspace
  - Encrypting Data Encryption Keys
  - Decrypting Data Encryption Keys
  - Endpoints
  - Identity Providers
  - Viewing Google Workspace CSE Records
  - Performance Summary
    - Google Calendar
    - Google Drive
    - Google Meet
- Salesforce Resources
  - Managing Salesforce Organizations
  - Managing Salesforce Tenant Secrets
  - Scheduling Operations
  - Managing Salesforce Reports
  - Managing Salesforce Cache-Only Key Endpoints
  - Managing Certificates from Salesforce Organizations
- SAP Resources
  - Managing SAP Groups
  - Managing SAP Keys
  - Scheduling Operations
  - Managing SAP Reports
  - Viewing Linked SAP Applications
  - Performance Summary
- Oracle Cloud Resources
  - Managing Oracle Vaults
  - Managing Oracle Keys
  - Managing Oracle Tenancies
  - Scheduling Operations
  - Managing Oracle Reports
  - Managing Oracle Compartments
- OCI External Resources
  - Managing Identity Providers
  - Managing External Vaults
  - Managing External Keys
- Migrate from CCKM Appliance
- Backup and Restore
- Key Material Export and Upload
CDP Administration
- Interfaces
- Concepts
- Configuring Oracle Databases
- Configuring DB2 Databases
- Configuring SQL Server Databases
- Configuring Teradata Databases
- Tasks
  - View Job History
  - Delete Views and Triggers
  - Create Views and Trigger
  - Delete Old Data
  - Create Domain Index
  - Encrypt a Column
  - Decrypt a Column
  - Configure Migration Server
- SSL Connection Over JDBC
  - SSL Connection Over JDBC for Oracle
  - SSL Connection Over JDBC for DB2
- Troubleshooting
CipherTrust Intelligent Protection
- Overview
- Configuration
- Concepts
- Scans
- Reports
- CTE Policies
- File Operations with CIP
- Backup and Restore
- Troubleshooting
CTE UserSpace Administration
- Overview
- Interfaces
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Collecting Agent Information
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
- Managing GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
- Sharing Resources Across Domains
- Communication with CipherTrust Manager
- Configuring Cluster Node Preference
- Backup and Restore
- Integrating CTE Logging with Splunk
- Permissions
- Quorum Control
- Load Balancer
- Operations
- Certificate Renewal
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - Creating GuardPoints
- API Response Codes
CTE Administration
- Overview
- Interfaces
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Enabling Live Data Transformation
  - Setting Client Locks
  - Client Settings
  - CTE Linux Authentication and Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Kernel Compatibility Matrix
  - Collecting Agent Information
- Managing LDT Communication Groups
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
- Managing GuardPoints
  - Secure Start GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
    - Creating LDT GuardPoints
    - Creating Cloud Object Storage GuardPoints
    - Creating IDT GuardPoints
    - Creating Ransomware Protection GuardPoints
  - Enabling Secure Start for GuardPoints
  - Protecting Teradata Appliances
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Changing SMB Connection
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
  - Enabling and Disabling MFA on GuardPoints
- Managing Kubernetes Storage Groups and Clients
  - Managing Kubernetes Storage Groups
  - Managing Kubernetes Clients
  - Protecting Kubernetes Clients
- Sharing Resources Across Domains
- Multifactor Authentication
- Communication with CipherTrust Manager
- Configuring Cluster Node Preference
- Backup and Restore
- Integrating CTE Logging with Splunk
- Migrating CTE Configuration from Data Security Manager
- Migration Summary
- Permissions
- Quorum Control
- Ransomware Protection
- Unique to Client Keys
- Load Balancer
- Operations
- Certificate Renewal
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - LDT Use Cases
  - Creating GuardPoints
- API Response Codes
DDC Administration
- Solution Architecture
- Interfaces
- Concepts
- User Groups
- Managing Branch Locations
- Managing Information Types
- Managing Classification Profiles
- Managing Data Stores
- Local Data Stores
- Network Storage Data Stores
- Database Data Stores
- Big Data Data Stores
- Cloud Data Stores
- AWS S3
- Office365: Exchange Online
- G-Suite
- Server Data Stores
- Managing Scans
- Managing Reports
- Managing Agents
- Logging
- Operations
- Troubleshooting
- Appendix
- Deployment Security
ProtectFile Administration
- Interfaces
- Client Profiles
- Clients
- Access
- Keys
- Rules
- Client-Rule Associations
- Network Shares
- Clusters
- Operations
- Migration from KeySecure Classic to CipherTrust Manager
- Migrating ProtectFile to CipherTrust Transparent Encryption
Secrets Management Administration
- Configure Secrets Management
- Create and Protect Akeyless Secrets
- Configuring Hashicorp Vault Proxy with CSM

CipherTrust Manager
Administration
CCKM Administration
OCI External Resources
Managing External Keys

Managing External Keys

This section describes how to manage external keys on CCKM. Before proceeding, you must have an external vault added to the CCKM. Refer to Managing External Vaults for details.

Adding External Keys
Viewing or Editing Details of External Keys
Adding a Key Version
Blocking External Keys
Unblocking External Keys
Deleting External Keys

Note

This section describes the operations specific to the external keys.
External keys do not support the enable key, disable key, schedule key deletion, move resource, and restore deleted keys operations.
All other operations that can be performed on external keys are similar to those for Oracle BYOK keys, as described in Managing Oracle Keys.
CCKM doesn't support FM-enabled Luna HSM as a key source.

Adding External Keys

To add an external key.

Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle.
Click Add Key. The Key Material Origin screen of the Add Oracle Key wizard is displayed.

Key Material Origin

Select an external Vault from the drop-down list. The list shows available external and default vaults.
The Oracle Compartment field is unavailable (read-only) for external vaults.
Select Oracle External (HYOK) as the Origin Type.
Select CipherTrust (Local) as the Source. This is the only supported external key source.
Click Next. The Source Key screen is displayed.

Source Key

Select the Source Key Material. This specifies how to create the key. The options are:
- Create New Key: Click to create a fresh key. Specify an Oracle Key Name.
- Select Existing Key: Click to create a new key by selecting an existing key. Select an existing key from the Select a source key drop-down list.
Click Next. The Configure Oracle Key screen is displayed.

Configure Oracle Key

Enter a unique, user-friendly alias as the Oracle Key Name. This will be the key name on the Oracle cloud. This name helps uniquely identify an external key.
Enter a Rego policy to be associated with the external key.
Click Next. The Review and Add screen is displayed.

Review and Add

This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, Source Key, and HYOK KEY sections.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the Source Key and HYOK KEY sections and update the details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the HYOK KEY section becomes Complete and the Oracle Key ID link is displayed, the key is created successfully.
Click Close. The Add Oracle Key wizard is closed.

The newly created key is displayed in the list of Oracle keys.

Viewing or Editing Details of External Keys

After a key is created, you can add tags to it, schedule their rotation, and view its versions.

In the edit view of a key, you can view all the key details such as its ID, compartment, vault, state, algorithm, and region etc.

To view or edit an external key:

Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle. The list of available keys is displayed.
Click the overflow icon () corresponding to the desired key and click View/Edit Details. Alternatively, you can click the key name link. The edit view of the key is displayed. The edit view is divided into:
- GENERAL INFO: View and update the key name and policy. Refer to Updating Key Name and Policy for details.
- KEY SCHEDULE: Add, update, and disable a key rotation schedule. Refer to Adding or Changing Key Rotation Schedule and Disabling Key Rotation Schedule.
- KEY VERSIONS: View details of key versions. Refer to Viewing Key Version Details.

Updating Key Name and Policy

To update the key name and policy.

Edit Key Name.
Edit Policy.
Click Update.

Adding or Changing Key Rotation Schedule

To add or update a key rotation schedule:

Expand the KEY SCHEDULE section.
From the Select Rotation Schedule drop-down list, select the desired schedule.
Select the Key Origin as CipherTrust (Local).
Click Update.

The key rotation schedule is added/updated. The selected schedule is now assigned to the key. To view all the keys assigned to a schedule, refer to Viewing Keys Assigned to Schedules.

Disabling Key Rotation Schedule

To disable a key rotation schedule:

Expand the KEY SCHEDULE section.
Next to the Select Rotation Schedule drop-down list, click the close icon ().

Auto key rotation is disabled.

Viewing Key Version Details

To view the details of key versions, expand the KEY VERSIONS section. The key version details are displayed.

Adding a Key Version

To add a new key version:

Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle.
Click the overflow icon () corresponding to the desired key.
Click Add Version. The Add Version dialog box is displayed.
Select a Method, the options are Create New Key and Select Existing Key.
Click the desired tab to view the instructions.
Create New Key
1. Select Source as CipherTrust (Local).
2. Enter Key Name.
Select Existing Key
Select the desired Source Key from the drop-down list.
Note
It is not recommended to delete a source key that is being used for cryptographic operations.
Click Add Version.

Blocking Oracle Keys

You can block a key that belongs to external vaults. To block a key:

Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle.
Click the overflow icon () corresponding to the desired key.
Click Block. The Block Key dialog box is displayed.
Click Block Key to confirm the action.

The key is blocked. The state of the external key changes to Blocked.

Unblocking Oracle Keys

You can unblock a blocked key that belongs to external vaults. To unblock a key:

Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle.
Click the overflow icon () corresponding to the desired key.
Click Unblock. The Unblock Key dialog box is displayed.
Click Unblock Key to confirm the action.

The key is unblocked. The state of the external key changes to Unblocked.

Deleting External Keys

An external key (HYOK) resides on the CipherTrust Manager, it does not require a deletion schedule. The key can be deleted directly from the CipherTrust Manager.

Caution

Before deleting an external key, ensure that the key is not being referred to by the OCI KMS.

To delete an external key from the CipherTrust Manager:

Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle.
Click the overflow icon () corresponding to the key to be deleted.
Click Remove Key. The Remove Key dialog box is displayed.
Click Remove Key to confirm the action.

A message stating that the key is removed successfully is displayed.

On this page

CipherTrust Manager

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
Legal

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com