Managing DKE Endpoints
This section describes how to manage DKE endpoints from CCKM.
Microsoft Double Key Encryption (DKE) service can access CipherTrust Cloud Key Manager (CCKM) after you meet some prerequisites. Refer to Microsoft Double Key Encryption (DKE) Resources for more information about Microsoft DKE and the prerequisites.
Part of the prerequisites is creating a DKE endpoint. After you have created a DKE endpoint, you can view, edit, enable, disable, rotate, archive, recover, and delete it, as described in the following sections.
Note
Users of the CCKM Admins group can manage DKE endpoints, whereas the users of the CCKM Users group can only view the DKE endpoints.
Caution
Do not edit the KEK through the general CipherTrust Manager key management functions. Do not modify the KEK through the Keys menu in the GUI, the ksctl keys commands in the CLI, or the /v1/vault/keys2 endpoint in the REST API. This can result in the KEK becoming unavailable to the Microsoft DKE service unexpectedly.
Creating DKE Endpoints
From CCKM GUI, create a DKE endpoint to make it available to the Microsoft DKE service. You can either create a new key encryption key (KEK) or select an existing KEK for the getkey and decrypt operations. If you do not specify a key, CCKM will automatically create a CipherTrust Manager key for you.
Note
Ensure that you have already created an authorized tenant; refer to Managing DKE Authorized Tenants for details.
If you plan to use the authorization method of Role ID for the access settings of DKE keys, you are required to set up an Azure connection before creating a DKE endpoint. For more information on how to add an Azure connection, refer to Microsoft Azure Connection.
In the Microsoft Azure application, go to the API Permissions section and configure the Directory.Read.All permission. Ensure that the Type for this permission is Application.
To create a DKE endpoint from the CCKM GUI:
Log on to the CipherTrust Manager GUI as a member of the CCKM Admins group.
Open the Cloud Key Manager application.
In the left pane, click Services > Microsoft DKE. The Microsoft Double Key Encryption (DKE) page is displayed.
Click Create Endpoint. The Add Double Key Encryption (DKE) Endpoint dialog box is displayed.
Under General Info, enter a unique Name and a description for the endpoint.
Click Next.
Under Endpoint Settings, provide the following settings:
Key URI Hostname. Enter the hostname at which CipherTrust Manager will be visible to Microsoft.
The Key URI Hostname will be used to construct the URL Microsoft will use to send requests to CipherTrust Manager.
The web interface of the CipherTrust Manager must have a valid TLS certificate signed by a trusted CA.
If the SSL termination takes place at the CipherTrust Manager, the Key URI Hostname must match the FQDN of the CipherTrust Manager. If the SSL termination takes place at the load balancer in front of the CipherTrust Manager, the Key URI Hostname must match the FQDN of the public-facing load balancer. Wildcard certificates are supported.
If you changed the web interface port on the CipherTrust Manager from the default port (443) to another port (say, 8443), add the same port when configuring the Key URI Hostname. Specify the new port number with the Key URI Hostname, for example, example.com:8443.
If you have a load balancer with SSL termination and mTLS disabled, the Key URI Hostname must match the FQDN of the public-facing load balancer.
If you have a load balancer without SSL termination, the Key URI Hostname must match dke.<load balancer hostname>.
If you don't have a load balancer in front of CipherTrust Manager, the Key URI Hostname must match dke.<CipherTrust Manager hostname>.
Key Algorithm. The only option available for the DKE key algorithm is RSA_DECRYPT_OAEP_2048_SHA256. This box is greyed out.
Enable success audit events. Use this toggle to enable or disable audit recording of successful Microsoft DKE operations on this endpoint. This is optional. By default, this toggle is turned on.
Click Next.
Under Key Material, choose to either create a new key or copy an existing key.
Note
If you do not specify a key, CCKM will automatically create a CipherTrust Manager key for you.
If creating a new key, select Create New Key, enter the Key Name. If copying an existing key, select Copy Existing Key, select a key from the Key drop-down list.
Click Next.
Under Authorized Tenants, select the Authorized Tenant from the drop-down list.
Note
Select at least one authorized tenant. Multiple authorized tenants with the same issuer are not allowed.
Click Next.
Under Review and Add, review the details you provided for the new endpoint. These details are divided into GENERAL INFO, ENDPOINT SETTINGS, KEY MATERIAL, and AUTHORIZED TENANTS sections.
Note
After the endpoint is added, KEY MATERIAL will no longer be editable.
Click Add Endpoint.
The endpoint creation starts. A Create Endpoint In Progress message is displayed on the screen. Leave the window open until the process is completed.
Click Close. The Add Double Key Encryption (DKE) Endpoint wizard is closed.
The newly created endpoint is displayed in the list of Microsoft DKE endpoints.
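The Key URI Hostname rules in the Endpoint Settings step (the hostname must be covered by a CA-signed TLS certificate, wildcard certificates are accepted, and a non-default web interface port must be included) can be checked before the endpoint is created. The following Python script is an added example, not part of CCKM or this guide; the SAN lists used in it are constructed, and fetch_san_names is a hypothetical helper for inspecting a live host.

```python
# Added example: pre-flight check of a DKE endpoint's Key URI Hostname against the TLS certificate.
import socket
import ssl
from urllib.parse import urlsplit


def split_key_uri_hostname(value: str) -> tuple[str, int]:
    """Split 'example.com:8443' into ('example.com', 8443); the port defaults to 443."""
    parts = urlsplit("//" + value.strip())
    if not parts.hostname:
        raise ValueError(f"invalid Key URI Hostname: {value!r}")
    return parts.hostname, parts.port or 443


def hostname_covered(hostname: str, san_dns_names: list[str]) -> bool:
    """True if a SAN DNS name matches hostname; '*' covers exactly one leftmost label."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host) or labels[1:] != host[1:]:
            continue
        if labels[0] == host[0]:
            return True
        # A wildcard may not stand directly in front of the registrable domain (RFC 6125).
        if labels[0] == "*" and len(labels) >= 3:
            return True
    return False


def check_key_uri_hostname(value: str, san_dns_names: list[str], web_port: int) -> list[str]:
    """Return findings for the planned Key URI Hostname; an empty list means it is consistent."""
    host, port = split_key_uri_hostname(value)
    findings = []
    if port != web_port:
        findings.append(f"Key URI Hostname port {port} != web interface port {web_port}")
    if not hostname_covered(host, san_dns_names):
        findings.append(f"certificate SANs {san_dns_names} do not cover {host}")
    return findings


def fetch_san_names(host: str, port: int = 443, timeout: float = 5.0) -> list[str]:
    """Hypothetical live helper: read the DNS SANs from the certificate a server presents.
    create_default_context() also enforces a trusted CA chain and a hostname match."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
```

Run check_key_uri_hostname against the SANs returned by fetch_san_names for the host and port you intend to enter; any finding means Microsoft's requests to the Key URI will fail TLS validation.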
Viewing DKE endpoints
The Microsoft Double Key Encryption (DKE) page shows the list of existing DKE endpoints residing within a given URI hostname. Search for endpoints by endpoint name or key URI.
To view the list of DKE endpoints available on CCKM:
Open the Cloud Key Manager application.
In the left pane, click Services > Microsoft DKE. The Microsoft Double Key Encryption (DKE) page is displayed. The list of DKE endpoints added to CCKM is displayed. The page displays the following details:
Name: Name of the DKE endpoint.
Key URI Hostname: Base URL hostname for the KeyURI.
Status: State of the key. The status can be Enabled or Disabled.
KEK Name: Name of the KEK.
Key Version: Version of the key.
Algorithm: DKE key algorithm. The only option currently supported is RSA_DECRYPT_OAEP_2048_SHA256, which is the default value.
Authorization Method: Authorization type for the DKE key: Email or Role ID.
Creation Date: Time when the endpoint was created.
Last Modified: Date and time when the DKE endpoint was last modified. The timestamp is in the format Day-Month-Year time in 24-hour notation.
Description: Description of the endpoint.
To view the custom columns, click the Customize View icon, select the desired option(s), and click OK to display the column(s).
Viewing and editing details of a DKE endpoint
After an endpoint is created, you can view and modify the endpoint details, such as the endpoint name and authorization parameters.
This section describes how to view the details of a DKE endpoint and update details relating to GENERAL INFO, ENDPOINT SETTINGS, and AUTHORIZATION PARAMETERS as needed.
To view and edit the details of Microsoft DKE endpoints on CCKM:
Log on to the CipherTrust Manager GUI as a member of the CCKM Admins group.
Open the Cloud Key Manager application.
In the left pane, click Services > Microsoft DKE. The Microsoft Double Key Encryption (DKE) page is displayed. The list of DKE endpoints added to CCKM is displayed.
Click the Name link of the desired DKE endpoint.
Alternatively, click the overflow icon corresponding to the desired DKE endpoint, and click View/Edit.
The edit view of the Microsoft Double Key Encryption (DKE) page is displayed.
Under VERSIONS
(Optional) Click Rotate to create a new version of the endpoint's encryption key. The Rotate Endpoint dialog box will open.
Click Rotate.
Under GENERAL INFORMATION
(Optional) Update the description of the DKE endpoint in the Description field.
Click Update.
Under ENDPOINT SETTINGS
(Optional) Enter a new Key URI hostname to use a different URI hostname.
(Optional) Depending on the current setting, set the Enable success audit events toggle to enable or disable audit recording of successful Microsoft DKE operations on this endpoint.
Click Update.
Under AUTHORIZED TENANTS
(Optional) Add Authorized Tenants
Click Add Authorized Tenants to add multiple authorized tenants. The Add Authorized Tenants wizard will open.
Select the desired Authorized Tenant(s) from the list.
Click Add Authorized Tenants.
(Optional) Remove Authorized Tenants
Click the overflow icon corresponding to the desired authorized tenant, and click Remove.
(Optional) View or Edit Authorized Tenants
Click the overflow icon corresponding to the desired authorized tenant, and click View/Edit. Refer to Managing DKE Authorized Tenants.
Under KEY SCHEDULE
(Optional) Select a Rotation from the drop-down list.
Click Update.
Enabling a DKE endpoint
From the Microsoft Double Key Encryption (DKE) page, you can enable a DKE endpoint. Enabling a DKE endpoint allows the getkey and decrypt/unwrap operations for the given Microsoft DKE endpoint.
To enable a DKE endpoint on CCKM:
Click the Name link of the desired DKE endpoint you wish to enable.
The edit view of the Microsoft Double Key Encryption (DKE) page displays. Under the Actions drop-down menu, select Enable. The Enable Endpoint dialog box displays.
Alternatively, click the overflow icon corresponding to the desired DKE endpoint, and click Enable. The Enable Endpoint dialog box displays.
Click Enable to proceed. After the endpoint is successfully enabled, a message displays indicating "Successfully enabled Microsoft DKE endpoint".
Disabling a DKE endpoint
From the Microsoft Double Key Encryption (DKE) page, you can disable a DKE endpoint. Disabling a DKE endpoint disallows the getkey and decrypt/unwrap operations for the given Microsoft DKE endpoint.
To disable a DKE endpoint on CCKM:
Click the Name link of the desired DKE endpoint you wish to disable.
The edit view of the Microsoft Double Key Encryption (DKE) page displays. Under the Actions drop-down menu, select Disable. The Disable Endpoint dialog box displays.
Alternatively, click the overflow icon corresponding to the desired DKE endpoint, and click Disable. The Disable Endpoint dialog box displays.
Click Disable to proceed. After the endpoint is successfully disabled, a message displays indicating "Successfully disabled Microsoft DKE endpoint".
Rotating a DKE endpoint
From the Microsoft Double Key Encryption (DKE) page, you can rotate a DKE endpoint, which adds a new KEK version to this endpoint. Subsequent encrypt/wrap operations this endpoint performs will use the new version of the key. Decrypt/Unwrap operations will use whichever version of the key was originally used to encrypt/wrap.
Rotating a DKE endpoint's KEK can be done even if the endpoint is disabled. Rotating the KEK regularly is a security best practice.
To rotate a DKE endpoint on CCKM:
Click the Name link of the desired DKE endpoint you wish to rotate.
The edit view of the Microsoft Double Key Encryption (DKE) page displays. Under VERSIONS, click Rotate. The Rotate Endpoint dialog box displays.
Alternatively, click the overflow icon corresponding to the desired DKE endpoint, and click Rotate. The Rotate Endpoint dialog box displays.
Click Rotate to proceed. After the endpoint is successfully rotated, a message displays indicating "Successfully rotated Microsoft DKE endpoint". The new key version displays in the list of key versions under VERSIONS in the edit view of the Microsoft Double Key Encryption (DKE) page.
Deleting a DKE Endpoint
From the Microsoft Double Key Encryption (DKE) page, you can delete a DKE endpoint. The getkey and decrypt operations associated with this endpoint are also deleted from the database as part of the deletion. Essentially, the record of this endpoint is deleted from the database and CCKM. A deleted endpoint is no longer included in the list of DKE endpoints displayed on the Microsoft Double Key Encryption (DKE) page.
Note
Before deleting a DKE endpoint, you must first archive it.
To delete a DKE endpoint on CCKM:
Click the Name link of the desired DKE endpoint you wish to delete.
The edit view of the Microsoft Double Key Encryption (DKE) page displays. Under the Actions drop-down menu, select Delete. The Delete Endpoint dialog box displays.
Alternatively, click the overflow icon corresponding to the desired DKE endpoint, and click Delete. The Delete Endpoint dialog box displays.
Enable the I wish to delete this endpoint checkbox and click Delete. After the endpoint is successfully deleted, a message displays indicating "Successfully deleted Microsoft DKE endpoint".
Archiving a DKE Endpoint
From the Microsoft Double Key Encryption (DKE) page, you can archive a DKE endpoint. Archiving allows you to preserve a record of this endpoint in the "Archived" state, from which it can be recovered later.
Note
An archived DKE endpoint does not consume a CCKM license.
When a DKE endpoint is in the Archived state, it can be viewed, recovered, or deleted. It is still included in the list of DKE endpoints on the Microsoft Double Key Encryption (DKE) page.
A new KEK version cannot be added to an Archived DKE endpoint as this endpoint cannot be rotated.
To archive a DKE endpoint on CCKM:
Click the Name link of the desired DKE endpoint you wish to archive.
The edit view of the Microsoft Double Key Encryption (DKE) page displays. Under the Actions drop-down menu, select Archive. The Archive Endpoint dialog box displays.
Alternatively, click the overflow icon corresponding to the desired DKE endpoint, and click Archive. The Archive Endpoint dialog box displays.
Enable the I wish to archive this endpoint checkbox and click Archive. After the endpoint is successfully archived, a message displays indicating "Successfully archived Microsoft DKE endpoint".
Recovering a DKE Endpoint
From the Microsoft Double Key Encryption (DKE) page, you can recover a DKE endpoint. Recovering an archived DKE endpoint allows you to enable the endpoint, thereby allowing subsequent getkey and decrypt/unwrap requests for the endpoint.
Note
A recovered DKE endpoint consumes a CCKM license.
To recover a DKE endpoint on CCKM:
Click the Name link of the desired DKE endpoint you wish to recover from an archived state.
The edit view of the Microsoft Double Key Encryption (DKE) page displays. Under the Actions drop-down menu, select Recover. The Recover Endpoint dialog box displays.
Alternatively, click the overflow icon corresponding to the desired DKE endpoint, and click Recover. The Recover Endpoint dialog box displays.
Enable the I wish to recover this endpoint checkbox and click Recover. After the endpoint is successfully recovered, a message displays indicating "Successfully recovered Microsoft DKE endpoint".