Managing AWS Keys
This section describes how to manage AWS keys on CipherTrust Cloud Key Manager (CCKM). Before proceeding, you must have an AWS account added to the CCKM. Refer to Managing AWS Accounts for details.
Note
Management of AWS asymmetric and HMAC Bring Your Own Keys (BYOK) is not supported via the GUI, even though the keys are visible. Please manage them via the API.
AWS-managed keys can’t be managed by CCKM. Any key management operations on such keys from CCKM will not succeed.
Source Types
For adding AWS keys, CCKM supports the following key material sources:
Native: Create AWS key material directly with native AWS application. Refer to Creating Native Key Material for details.
External (BYOK): External (Bring Your Own Key). Add key material by creating or uploading new source key from an external source. Refer to Adding Key Material Using External (BYOK) Source for details. You can select CipherTrust Manager (External), CipherTrust Manager (Local), or Vormetric Data Security Manager (DSM) as an external key source, or Decide Later.
CloudHSM Key Store: Create a CloudHSM key from CCKM using key material from AWS CloudHSM, which is the key source.
External Custom Key Store (HYOK): External Custom Key Store (Hold Your Own Key). Add an HYOK key tied to key material stored in a Luna HSM or a CipherTrust Manager depending on which key source you are using. AWS Key Management Services (KMS) communicates to CCKM, which uses the AWS HYOK key as an intermediary to the source key stored in a Luna HSM or CipherTrust Manager. Depending on which key source you are using, Luna or CipherTrust Manager executes the cryptographic operations. You can rotate the HYOK key, which associates a new key in the Luna HSM or associates a new version to the CipherTrust Manager key.
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
There are different operations available for HYOK keys than for other key types. You can perform the following HYOK key operations:
Regionality
When creating an AWS Native key or External (BYOK) key, you can specify whether the key is a single-region key or a multi-region key.
Note
This functionality is applicable to Native and BYOK keys.
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Creating Native Key Material
To create AWS key material directly with native AWS application:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS.
Click Add Key. The Key Material Origin screen of the Add AWS Key wizard is displayed.
Key Material Origin
Select the desired AWS Account from the drop-down list.
Select the desired Region from the drop-down list. The list shows the regions in which the selected AWS account is available.
Select Native as the Origin Type.
Select Regionality. The options are:
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Click Next. The Destination (AWS) Key screen is displayed.
Destination (AWS) Key
Under Select Key Type, select the desired key type. The options are:
Symmetric: One key does encryption and decryption.
Asymmetric: A key pair does encryption and decryption.
Under Select Key Usage, select the key usage:
Encrypt and Decrypt:
For symmetric keys, the key is used only to encrypt and decrypt the data.
For asymmetric keys, the public key is used to encrypt while the private key is used to decrypt.
(Symmetric keys only) Generate and Verify MAC: The key is used only to generate and verify hash-based message authentication codes (HMACs).
(Asymmetric keys only) Sign and Verify: In this key pair, the public key is used to sign while the private key is used to verify.
Enter a user-friendly Alias for the key. This helps uniquely identify a key.
(Optional) Provide a brief Description of the key.
Select the desired Key Algorithm from the drop-down list.
Note
The Algorithm field is not displayed for symmetric keys when their Key Usage is selected as Encrypt and Decrypt.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters ** _ . / = + - @ **
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Key Policy screen is displayed.
On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.
Key Policy
Specify a policy for the key. You can create a new policy, select a saved policy, and build from template.
Click the desired tab to view the instructions.
Select the Create New Policy option.
Select a policy view. You can select either the Basic view or Raw view. The default view is Basic.
Select the key admins, key users, and additional accounts for the policy. The Key Admins and Key Users tabs display the list of available AWS users and roles.
In the Basic view, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Add external accounts in the Add Accounts field and click +.
These accounts have user permissions. Similarly, you can add more external accounts. To remove an account, click the close (X) icon in the account name.
To switch to the Raw view, click Switch to policy (Raw) View. In the Raw view, paste a policy in JSON format in the Raw Policy field.
Note
Any edits made in the policy (Raw) view will be retained exclusively in the policy (Raw) view.
Select Save this Key Policy and Enter Template Name.
Click Next.
Select the Select Saved Policy option.
Select a policy from the Saved Policies drop-down list.
You can also update the selected policy, and create a new policy using it.
Select the policy view, you can select Raw View or Basic View. By default, the policy will open in the Raw View.
Update the policy.
Raw View
Make the necessary changes in the policy.
Basic View
In the Basic View, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Note
If you make changes in one of the views and switch to the other view without updating the policy, you will see a Warning message. Click Yes to continue.
Click Update. The Update Policy message is displayed.
To save the changes as a new policy, select the DO NOT Push Changes check box, and enter the New Policy name.
Note
If the selected policy is Unverified, the Update Policy message will not be displayed, a new policy will not be created.
Click Apply.
Click Next.
Select the Build From Template option.
Select Template.
(Optional) Make the necessary changes in the template.
Click Next.
The Add to Schedule screen is displayed.
Add to Schedule
Note
If Asymmetric is selected as the Key Type when specifying the Destination Key details, the key cannot be scheduled.
From the Rotation drop-down list, select a schedule to apply.
(Optional) For BYOK or Native keys, you can grant or deny the encrypt permission to the key policy in the AWS account where the key is created in OR to the key policy in all accounts the key is shared in:
Select Disable Encrypt Permissions on Current Key to deny the encrypt permission to the key policy in the AWS account where the key is created in. Clear the check box to grant the encrypt permission. By default, Disable Encrypt Permissions on Current Key is selected, that is, the encrypt permission is denied to the current key.
Select Disable Encrypt Permissions on All Accounts to deny the encrypt permission to the key policy in all the AWS accounts the key is shared in. Clear the check box to grant the encrypt permission.
Select the Key Origin from the available options. The key origin can be:
CipherTrust: CipherTrust Manager.
Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.
DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.
Click Next.
The Review and Add Key screen is displayed.
Review And Add Key
This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, KEY POLICY, NATIVE KEY, and KEY SCHEDULES sections. For a multi-region key, the NATIVE KEY section shows Multi-Region Key as the Regionality.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the MATERIAL ORIGIN, KEY POLICY, NATIVE KEY sections, and KEY SCHEDULES, and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the NATIVE KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.
Click OK. The Add AWS Key wizard is closed.
The newly created key is displayed in the list of AWS keys.
Adding Key Material Using External (BYOK) Source
To add key material using external BYOK as a key source:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS.
Click Add Key. The Key Material Origin screen of the Add AWS Key wizard is displayed.
Key Material Origin
Select the desired AWS Account from the drop-down list.
Select the desired Region from the drop-down list. The list shows the regions in which the selected AWS account is available.
Select External (BYOK) as Origin Type.
Select the Source. The options are:
CipherTrust (External): Add key by creating or uploading an external CipherTrust key as the source key. Refer to Adding Key Using External CipherTrust as External (BYOK) Source for details.
CipherTrust (Local): Add key by creating or uploading a CipherTrust key as the source key. Refer to Adding Key Using Local CipherTrust as External (BYOK) Source for details.
Vormetric DSM: Add key by creating or uploading a Vormetric DSM key as the source key. Refer to Adding Key Using Vormetric DSM as External (BYOK) Source for details.
Luna HSM: Add key by creating or uploading a Luna HSM key as the source key. Refer to Adding Key Using Luna HSM as External (BYOK) Source for details.
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Decide Later: Add key now, but decide the key source later. Refer to Deciding Key Material Later for details.
Adding Key Using External CipherTrust as External (BYOK) Source
To add a key by creating or uploading an external CipherTrust key as the source key:
Key Material Origin
Select CipherTrust (External) as the Source.
Select Regionality. The options are:
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Click Next. The Source Key screen is displayed.
Configure CipherTrust (External) Key
Select the Source Key Material. You can select Create New Key or Copy Existing Key.
Click the desired tab to view the instructions.
Click Create New Key.
Select Key Type. The options are Symmetric and Asymmetric.
Select a Domain.
Enter the Key Name.
Select Algorithm:
For Symmetric keys, the options are AES or HMAC.
For Asymmetric keys, the options are RSA or EC.
Select the Key Size / Key Curve based on the algorithm:
For the HMAC algorithm, the options are 256, 384, and 512.
For the RSA algorithm, the options are 2048, 3072, and 4096.
For the EC algorithm, the options are secp384r1, secp521r1, and secp256k1.
Note
Not applicable to the AES algorithm.
Click Copy Existing Key.
Select a Domain.
Select Algorithm. The options are AES, HMAC, RSA, and EC.
Select the Key Size / Key Curve based on the algorithm:
For the HMAC algorithm, the options are 256, 384, and 512.
For the RSA algorithm, the options are 2048, 3072, and 4096.
For the EC algorithm, the options are secp384r1, secp521r1, and secp256k1.
Note
Not applicable to the AES algorithm.
(Optional) Enable Fetch Latest Version Only.
Select a CipherTrust (External) Key from the list.
Click Next. The Destination (AWS) Key screen is displayed.
Destination (AWS) Key
For RSA Keys, Select Key Usage. You can select Encrypt and Decrypt or Sign and Verify.
Enter a user-friendly Alias for the key. This helps uniquely identify a key.
(Optional) Provide a brief Description of the key.
(Optional) Set the key expiration date.
Select the Set Expiration Date check box.
Either enter the expiration time manually or select using the on-screen calendar. The time format is
MM/DD/YYYY HH:MM
, for example, September 16, 2020 1:50 PM.To select a specific time, click Time, and select hours and minutes, from the GUI.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters ** _ . / = + - @ **
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Key Policy screen is displayed.
On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.
Key Policy
Specify a policy for the key. You can create a new policy or select an existing policy.
Click the desired tab to view the instructions.
Select the Create New Policy option.
Select a policy view. You can select either the Basic view or Raw view. The default view is Basic.
Select the key admins, key users, and additional accounts for the policy. The Key Admins and Key Users tabs display the list of available AWS users and roles.
In the Basic view, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Add external accounts in the Add Accounts field and click +.
These accounts have user permissions. Similarly, you can add more external accounts. To remove an account, click the close (X) icon in the account name.
To switch to the Raw view, click Switch to policy (Raw) View. In the Raw view, paste a policy in JSON format in the Raw Policy field.
Note
Any edits made in the policy (Raw) view will be retained exclusively in the policy (Raw) view.
Select Save this Key Policy and Enter Template Name.
Click Next.
Select the Select Saved Policy option.
Select a policy from the Saved Policies drop-down list.
You can also update the selected policy, and create a new policy using it.
Select the policy view, you can select Raw View or Basic View. By default, the policy will open in the Raw View.
Update the policy.
Raw View
Make the necessary changes in the policy.
Basic View
In the Basic View, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Note
If you make changes in one of the views and switch to the other view without updating the policy, you will see a Warning message. Click Yes to continue.
Click Update. The Update Policy message is displayed.
To save the changes as a new policy, select the DO NOT Push Changes check box, and enter the New Policy name.
Note
If the selected policy is Unverified, the Update Policy message will not be displayed, a new policy will not be created.
Click Apply.
Click Next.
Select the Build From Template option.
Select Template.
(Optional) Make the necessary changes in the template.
Click Next.
The Add to Schedule screen is displayed.
Add to Schedule
From the Rotation drop-down list, select a schedule to apply.
Specify whether to Disable Encrypt Permissions on Current Key or Disable Encrypt Permissions on Current Key. By default, the encrypt permissions are disabled on the current key. Clear the check box to enable permissions.
Select the Key Origin from the available options. The key origin can be:
CipherTrust: CipherTrust Manager.
Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.
DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.
Click Next.
The Review and Add Key screen is displayed.
Review And Add Key
This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the KEY MATERIAL ORIGIN, SOURCE KEY, DESTINATION KEY, KEY POLICY and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click OK. The Add AWS Key wizard is closed.
The newly created key is displayed in the list of AWS keys.
Adding Key Using Local CipherTrust as External (BYOK) Source
To add a key by creating or uploading a CipherTrust key as the source key:
Key Material Origin
Select CipherTrust (Local) as the Source.
Select Regionality. The options are:
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Click Next. The Configure CipherTrust (Local) Key screen is displayed.
Configure CipherTrust (Local) Key
Select the Source Key Material. You can select Create New Key or Copy Existing Key.
Click the desired tab to view the instructions.
Click Create New Key.
Select Key Type. The options are Symmetric and Asymmetric.
Enter the Key Name.
Select Algorithm:
For Symmetric keys, the options are AES or HMAC.
For Asymmetric keys, the options are RSA or EC.
Select the Key Size / Key Curve based on the algorithm:
For the HMAC algorithm, the options are 256, 384, and 512.
For the RSA algorithm, the options are 2048, 3072, and 4096.
For the EC algorithm, the options are secp384r1, secp521r1, and secp256k1.
Note
Not applicable to the AES algorithm.
Click Copy Existing Key.
Select Algorithm. The options are AES, HMAC, RSA, and EC.
Select the Key Size / Key Curve based on the algorithm:
For the HMAC algorithm, the options are 256, 384, and 512.
For the RSA algorithm, the options are 2048, 3072, and 4096.
For the EC algorithm, the options are secp384r1, secp521r1, and secp256k1.
Note
Not applicable to the AES algorithm.
(Optional) Enable Fetch Latest Version Only.
Select a CipherTrust (Local) Key from the list.
Click Next. The Destination (AWS) Key screen is displayed.
Destination (AWS) Key
For RSA Keys, Select Key Usage. You can select Encrypt and Decrypt or Sign and Verify.
Enter a user-friendly Alias for the key. This helps uniquely identify a key.
(Optional) Provide a brief Description of the key.
(Optional) Set the key expiration date.
Select the Set Expiration Date check box.
Either enter the expiration time manually or select using the on-screen calendar. The time format is
MM/DD/YYYY HH:MM
, for example, September 16, 2020 1:50 PM.To select a specific time, click Time, and select hours and minutes, from the GUI.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters ** _ . / = + - @ **
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Key Policy screen is displayed.
On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.
Key Policy
Specify a policy for the key. You can create a new policy or select an existing policy.
Click the desired tab to view the instructions.
Select the Create New Policy option.
Select a policy view. You can select either the Basic view or Raw view. The default view is Basic.
Select the key admins, key users, and additional accounts for the policy. The Key Admins and Key Users tabs display the list of available AWS users and roles.
In the Basic view, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Add external accounts in the Add Accounts field and click +.
These accounts have user permissions. Similarly, you can add more external accounts. To remove an account, click the close (X) icon in the account name.
To switch to the Raw view, click Switch to policy (Raw) View. In the Raw view, paste a policy in JSON format in the Raw Policy field.
Note
Any edits made in the policy (Raw) view will be retained exclusively in the policy (Raw) view.
Select Save this Key Policy and Enter Template Name.
Click Next.
Select the Select Saved Policy option.
Select a policy from the Saved Policies drop-down list.
You can also update the selected policy, and create a new policy using it.
Select the policy view, you can select Raw View or Basic View. By default, the policy will open in the Raw View.
Update the policy.
Raw View
Make the necessary changes in the policy.
Basic View
In the Basic View, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Note
If you make changes in one of the views and switch to the other view without updating the policy, you will see a Warning message. Click Yes to continue.
Click Update. The Update Policy message is displayed.
To save the changes as a new policy, select the DO NOT Push Changes check box, and enter the New Policy name.
Note
If the selected policy is Unverified, the Update Policy message will not be displayed, a new policy will not be created.
Click Apply.
Click Next.
Select the Build From Template option.
Select Template.
(Optional) Make the necessary changes in the template.
Click Next.
The Add to Schedule screen is displayed.
Add to Schedule
From the Rotation drop-down list, select a schedule to apply.
Specify whether to Disable Encrypt Permissions on Current Key or Disable Encrypt Permissions on Current Key. By default, the encrypt permissions are disabled on the current key. Clear the check box to enable permissions.
Select the Key Origin from the available options. The key origin can be:
CipherTrust: CipherTrust Manager.
Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.
DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.
Click Next.
The Review and Add Key screen is displayed.
Review And Add Key
This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the KEY MATERIAL ORIGIN, SOURCE KEY, DESTINATION KEY, KEY POLICY and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click OK. The Add AWS Key wizard is closed.
The newly created key is displayed in the list of AWS keys.
Adding Key Using Vormetric DSM as External (BYOK) Source
To add a key by creating or uploading a Vormetric DSM key as the source key:
Key Material Origin
Select Vormetric DSM as the Source.
Select Regionality. The options are:
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Click Next. The Source Key screen is displayed.
Source Key
Select the Source Key Material. You can select Create New Key or Copy Existing Key.
Click the desired tab to view the instructions.
Click Create New Key.
Enter the DSM Key Name.
Select a DSM Domain.
Note
Not applicable to the AES algorithm.
Click Copy Existing Key.
Note
The by default selected Algorithm and Key Size options are AES and 256, respectively.
Select a DSM Key from the list.
Click Next. The Destination (AWS) Key screen is displayed.
Destination (AWS) Key
For RSA Keys, Select Key Usage. You can select Encrypt and Decrypt or Sign and Verify.
Enter a user-friendly Alias for the key. This helps uniquely identify a key.
(Optional) Provide a brief Description of the key.
(Optional) Set the key expiration date.
Select the Set Expiration Date check box.
Either enter the expiration time manually or select using the on-screen calendar. The time format is
MM/DD/YYYY HH:MM
, for example, September 16, 2020 1:50 PM.To select a specific time, click Time, and select hours and minutes, from the GUI.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters ** _ . / = + - @ **
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Key Policy screen is displayed.
On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.
Key Policy
Specify a policy for the key. You can create a new policy or select an existing policy.
Click the desired tab to view the instructions.
Select the Create New Policy option.
Select a policy view. You can select either the Basic view or Raw view. The default view is Basic.
Select the key admins, key users, and additional accounts for the policy. The Key Admins and Key Users tabs display the list of available AWS users and roles.
In the Basic view, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Add external accounts in the Add Accounts field and click +.
These accounts have user permissions. Similarly, you can add more external accounts. To remove an account, click the close (X) icon in the account name.
To switch to the Raw view, click Switch to policy (Raw) View. In the Raw view, paste a policy in JSON format in the Raw Policy field.
Note
Any edits made in the policy (Raw) view will be retained exclusively in the policy (Raw) view.
Select Save this Key Policy and Enter Template Name.
Click Next.
Select the Select Saved Policy option.
Select a policy from the Saved Policies drop-down list.
You can also update the selected policy, and create a new policy using it.
Select the policy view, you can select Raw View or Basic View. By default, the policy will open in the Raw View.
Update the policy.
Raw View
Make the necessary changes in the policy.
Basic View
In the Basic View, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Note
If you make changes in one of the views and switch to the other view without updating the policy, you will see a Warning message. Click Yes to continue.
Click Update. The Update Policy message is displayed.
To save the changes as a new policy, select the DO NOT Push Changes check box, and enter the New Policy name.
Note
If the selected policy is Unverified, the Update Policy message will not be displayed, a new policy will not be created.
Click Apply.
Click Next.
Select the Build From Template option.
Select Template.
(Optional) Make the necessary changes in the template.
Click Next.
The Add to Schedule screen is displayed.
Add to Schedule
From the Rotation drop-down list, select a schedule to apply.
Specify whether to Disable Encrypt Permissions on Current Key or Disable Encrypt Permissions on Current Key. By default, the encrypt permissions are disabled on the current key. Clear the check box to enable permissions.
Select the Key Origin from the available options. The key origin can be:
CipherTrust: CipherTrust Manager.
Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.
DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.
Click Next.
The Review and Add Key screen is displayed.
Review And Add Key
This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, KEY POLICY, SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the KEY MATERIAL ORIGIN, KEY POLICY, SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click OK. The Add AWS Key wizard is closed.
The newly created key is displayed in the list of AWS keys.
Adding Key Using Luna HSM as External (BYOK) Source
To add a key by creating or uploading a Luna HSM key as the source key:
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Key Material Origin
Select Luna HSM as the Source.
Select Regionality. The options are:
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Click Next. The Source Key screen is displayed.
Source Key
Select the Source Key Material. This specifies how to create the key. The options are:
Click Create New Key.
Select Key Type. The options are Symmetric and Asymmetric.
Enter the Key Name.
Select a Partition ID.
Select Algorithm:
For Symmetric keys, the option is AES.
For Asymmetric keys, the options are RSA or EC.
(Applicable to RSA algorithm only) Select a Mechanism. The options are
CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN
,CKM_RSA_X9_31_KEY_PAIR_GEN
,CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN
, andCKM_RSA_PKCS_KEY_PAIR_GEN
.Note
The mechanisms for the AES algorithm and EC algorithm are
CKM_AES_KEY_GEN
andCKM_EC_KEY_PAIR_GEN
, respectively.Select the Key Size / Key Curve based on the algorithm:
For the RSA algorithm, the options are 2048, 3072, and 4096.
For the EC algorithm, the options are secp384r1, secp521r1, and secp256k1.
Note
Not applicable to the AES algorithm.
Click Copy Existing Key.
Select Algorithm. The options are AES, RSA, and EC.
Select the Key Size / Key Curve based on the algorithm:
For the AES algorithm, the option is 256.
For the RSA algorithm, the options are 2048, 3072, and 4096.
For the EC algorithm, the options are secp384r1, secp521r1, and secp256k1.
Select a HSM Key from the list.
Click Next. The Destination (AWS) Key screen is displayed.
Destination (AWS) Key
For RSA keys, Select Key Usage. You can select Encrypt and Decrypt or Sign and Verify.
Enter a user-friendly Alias for the key. This helps uniquely identify a key.
(Optional) Provide a brief Description of the key.
(Optional) Set the key expiration date.
Select the Set Expiration Date check box.
Either enter the expiration time manually or select using the on-screen calendar. The time format is
MM/DD/YYYY HH:MM
, for example, September 16, 2020 1:50 PM.To select a specific time, click Time, and select hours and minutes, from the GUI.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters ** _ . / = + - @ **
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Key Policy screen is displayed.
On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.
Key Policy
Specify a policy for the key. You can create a new policy or select an existing policy.
Click the desired tab to view the instructions.
Select the Create New Policy option.
Select a policy view. You can select either the Basic view or Raw view. The default view is Basic.
Select the key admins, key users, and additional accounts for the policy. The Key Admins and Key Users tabs display the list of available AWS users and roles.
In the Basic view, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Add external accounts in the Add Accounts field and click +.
These accounts have user permissions. Similarly, you can add more external accounts. To remove an account, click the close (X) icon in the account name.
To switch to the Raw view, click Switch to policy (Raw) View. In the Raw view, paste a policy in JSON format in the Raw Policy field.
Note
Any edits made in the policy (Raw) view will be retained exclusively in the policy (Raw) view.
Select Save this Key Policy and Enter Template Name.
Click Next.
Select the Select Saved Policy option.
Select a policy from the Saved Policies drop-down list.
You can also update the selected policy, and create a new policy using it.
Select the policy view, you can select Raw View or Basic View. By default, the policy will open in the Raw View.
Update the policy.
Raw View
Make the necessary changes in the policy.
Basic View
In the Basic View, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Note
If you make changes in one of the views and switch to the other view without updating the policy, you will see a Warning message. Click Yes to continue.
Click Update. The Update Policy message is displayed.
To save the changes as a new policy, select the DO NOT Push Changes check box, and enter the New Policy name.
Note
If the selected policy is Unverified, the Update Policy message will not be displayed, a new policy will not be created.
Click Apply.
Click Next.
Select the Build From Template option.
Select Template.
(Optional) Make the necessary changes in the template.
Click Next.
The Add to Schedule screen is displayed.
Add to Schedule
From the Rotation drop-down list, select a schedule to apply.
Specify whether to Disable Encrypt Permissions on Current Key or Disable Encrypt Permissions on Current Key. By default, the encrypt permissions are disabled on the current key. Clear the check box to enable permissions.
Select the Key Origin from the available options. The key origin can be:
CipherTrust: CipherTrust Manager.
Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.
DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.
Click Next.
The Review and Add Key screen is displayed.
Review And Add Key
This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the KEY MATERIAL ORIGIN, KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click OK. The Add AWS Key wizard is closed.
The newly created key is displayed in the list of AWS keys.
Deciding Key Material Later
Add key now, but decide the key source later.
To add a new key without deciding the key material source:
Key Material Origin
Select Decide Later as the Source.
Select Regionality. The options are:
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Click Next. The Destination (AWS) Key screen is displayed.
Destination (AWS) Key
Select Key Type. The options are Symmetric and Asymmetric.
Under Select Key Usage, select the key usage:
Encrypt and Decrypt:
For symmetric keys, the key is used only to encrypt and decrypt the data.
For asymmetric keys, the public key is used to encrypt while the private key is used to decrypt.
(Symmetric keys only) Generate and Verify MAC: The key is used only to generate and verify hash-based message authentication codes (HMACs).
(Asymmetric keys only) Sign and Verify: In this key pair, the public key is used to sign while the private key is used to verify.
Enter a user-friendly Alias for the key. This helps uniquely identify a key.
(Optional) Provide a brief Description of the key.
Select the desired Key Algorithm from the drop-down list.
Note
The Algorithm field is not displayed for symmetric keys when their Key Usage is selected as Encrypt and Decrypt.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters ** _ . / = + - @ **
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Key Policy screen is displayed.
On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.
Key Policy
Specify a policy for the key. You can create a new policy or select an existing policy.
Click the desired tab to view the instructions.
Select the Create New Policy option.
Select a policy view. You can select either the Basic view or Raw view. The default view is Basic.
Select the key admins, key users, and additional accounts for the policy. The Key Admins and Key Users tabs display the list of available AWS users and roles.
In the Basic view, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Add external accounts in the Add Accounts field and click +.
These accounts have user permissions. Similarly, you can add more external accounts. To remove an account, click the close (X) icon in the account name.
To switch to the Raw view, click Switch to policy (Raw) View. In the Raw view, paste a policy in JSON format in the Raw Policy field.
Note
Any edits made in the policy (Raw) view will be retained exclusively in the policy (Raw) view.
Select Save this Key Policy and Enter Template Name.
Click Next.
Select the Select Saved Policy option.
Select a policy from the Saved Policies drop-down list.
You can also update the selected policy, and create a new policy using it.
Select the policy view, you can select Raw View or Basic View. By default, the policy will open in the Raw View.
Update the policy.
Raw View
Make the necessary changes in the policy.
Basic View
In the Basic View, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Note
If you make changes in one of the views and switch to the other view without updating the policy, you will see a Warning message. Click Yes to continue.
Click Update. The Update Policy message is displayed.
To save the changes as a new policy, select the DO NOT Push Changes check box, and enter the New Policy name.
Note
If the selected policy is Unverified, the Update Policy message will not be displayed, a new policy will not be created.
Click Apply.
Click Next.
Select the Build From Template option.
Select Template.
(Optional) Make the necessary changes in the template.
Click Next.
The Add to Schedule screen is displayed.
Add to Schedule
From the Rotation drop-down list, select a schedule to apply.
Specify whether to Disable Encrypt Permissions on Current Key or Disable Encrypt Permissions on Current Key. By default, the encrypt permissions are disabled on the current key. Clear the check box to enable permissions.
Select the Key Origin from the available options. The key origin can be:
CipherTrust: CipherTrust Manager.
Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.
DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.
Click Next.
The Review and Add Key screen is displayed.
Review And Add Key
This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, KEY POLICY, DESTINATION KEY and KEY SCHEDULES sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality. The KEY MATERIAL ORIGIN section shows the Source Type as External (BYOK) and Source as Decide Later.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the KEY MATERIAL ORIGIN, KEY POLICY, DESTINATION KEY and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the DESTINATION KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.
Click OK. The Add AWS Key wizard is closed.
The newly created key is displayed in the list of AWS keys. The origin of the key is BYOK - External
and the key state is PendingImport
.
Creating CloudHSM Keys
Before you can create a CloudHSM key, you must ensure your CloudHSM key store is configured. For more information, see AWS CloudHSM Key Store Resources.
To create a CloudHSM key using CloudHSM Source
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS.
Click Add Key. The Key Material Origin screen of the Add AWS Key wizard is displayed.
Key Material Origin
Select the desired AWS Account from the drop-down list.
Select the desired Region from the drop-down list.
Select AWS CloudHSM Key Store from Origin Type.
Select the desired CloudHSm Key Store from the drop-down list.
Enter a user-friendly Alias for the key. This helps uniquely identify the key.
(Optional) Provide a brief Description of the key.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters ** _ . / = + - @ **
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Key Policy screen is displayed.
On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.
Key Policy
Specify a policy for the key. You can create a new policy or select an existing policy.
Click the desired tab to view the instructions.
Select the Create New Policy option.
Select a policy view. You can select either the Basic view or Raw view. The default view is Basic.
Select the key admins, key users, and additional accounts for the policy. The Key Admins and Key Users tabs display the list of available AWS users and roles.
In the Basic view, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Add external accounts in the Add Accounts field and click +.
These accounts have user permissions. Similarly, you can add more external accounts. To remove an account, click the close (X) icon in the account name.
To switch to the Raw view, click Switch to policy (Raw) View. In the Raw view, paste a policy in JSON format in the Raw Policy field.
Note
Any edits made in the policy (Raw) view will be retained exclusively in the policy (Raw) view.
Select Save this Key Policy and Enter Template Name.
Click Next.
The Review And Add Key screen is displayed.
Select the Select Existing Policy option.
Select a policy from the Saved Policies drop-down list.
To view the raw details of the selected policy, click View Policy (Raw). To hide the raw details, click Hide Policy (Raw).
Click Next.
The Review And Add Key screen is displayed.
Review And Add Key
Review the key details, and click Add Key to create.
Once creation completes, click OK to close the dialog.
Creating HYOK Keys
You must prepare an external custom key store on CCKM before you can create an HYOK key.
As part of creating an HYOK key, you create a new source key in either a Luna HSM partition or a CipherTrust Manager that is associated with the external custom key store. The source of the HYOK key must match the source of the external custom key store.
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Configuration varies based on whether the HYOK is created in the linked or unlinked state.
If the HYOK key is created in the linked state, a KMS key is automatically created in the corresponding AWS KMS external key store.
If the HYOK key is created in the unlinked state, you must either link it to automatically create the corresponding KMS key on AWS KMS, or you must manually create the KMS key on AWS KMS. If you choose to manually create a KMS key, you can refresh keys to later detect and link the KMS key to its HYOK key on CCKM. Managing AWS policies associated with the HYOK key on CCKM is unsupported with unlinked keys.
Create a Linked HYOK Key
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS.
Click Add Key. The Key Material Origin screen of the Add AWS Key wizard is displayed.
Key Material Origin
Select the desired AWS Account from the drop-down list.
Select External Custom Key Store (HYOK) from Origin Type.
Select CipherTrust or Luna HSM from Source.
Select Linked Key from the Linked State.
Click Next. The Source Key screen is displayed.
Source Key
Select an External Key Store from the drop down.
Note
Only key stores hosted on the local CCKM, and matching the selected Source are available.
Select the Source Key Material. This specifies how to create the key.
Create New Key
Click to create a fresh key.
Specify the Source Key Name for the source key. This will be the name for the new key.
Note
For Luna HSM keys, key attributes are displayed. These values are not editable.
Copy Existing Key
Click to create a new key by copying an existing source key.
Select a CipherTrust (Local) Key from the list. For Luna HSM, the list shows the available keys based on the Luna HSM connection.
Valid source keys must have specific attributes, depending on the source type.
Source Type Required Attributes CipherTrust Manager • Not exportable
• Not deletable
• Usage Masks: Encrypt, Decrypt, Wrap, UnwrapLuna HSM • CKA_EXTRACTABLE = FALSE
• CKA_SENSITIVE = TRUE
• CKA_ENCRYPT = TRUE
• CKA_DECRYPT = TRUE
• CKA_WRAP = TRUE
• CKA_UNWRAP = TRUE
Click Next. The Destination (AWS key) screen is displayed.
Destination (AWS) Key
Add an Alias for the new KMS key.
Optionally add a Description and Tags, if desired.
Click Next The Key Policy screen is displayed.
On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.
Key Policy
Specify a policy for the key. You can create a new policy or select an existing policy.
Click the desired tab to view the instructions.
Select the Create New Policy option.
Select a policy view. You can select either the Basic view or Raw view. The default view is Basic.
Select the key admins, key users, and additional accounts for the policy. The Key Admins and Key Users tabs display the list of available AWS users and roles.
In the Basic view, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Add external accounts in the Add Accounts field and click +.
These accounts have user permissions. Similarly, you can add more external accounts. To remove an account, click the close (X) icon in the account name.
To switch to the Raw view, click Switch to policy (Raw) View. In the Raw view, paste a policy in JSON format in the Raw Policy field.
Note
Any edits made in the policy (Raw) view will be retained exclusively in the policy (Raw) view.
Select Save this Key Policy and Enter Template Name.
Click Next.
Select the Select Saved Policy option.
Select a policy from the Saved Policies drop-down list.
You can also update the selected policy, and create a new policy using it.
Select the policy view, you can select Raw View or Basic View. By default, the policy will open in the Raw View.
Update the policy.
Raw View
Make the necessary changes in the policy.
Basic View
In the Basic View, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Note
If you make changes in one of the views and switch to the other view without updating the policy, you will see a Warning message. Click Yes to continue.
Click Update. The Update Policy message is displayed.
To save the changes as a new policy, select the DO NOT Push Changes check box, and enter the New Policy name.
Note
If the selected policy is Unverified, the Update Policy message will not be displayed, a new policy will not be created.
Click Apply.
Click Next.
Select the Build From Template option.
Select Template.
(Optional) Make the necessary changes in the template.
Click Next.
The Add to Schedule screen is displayed.
Add to Schedule
Select the desired Rotation schedule to apply to the key from the drop-down list. This is an optional step.
Click Next. The Review And Add Key screen is displayed.
Review And Add Key
Review the key details, and click Add Key to create.
Creation completes and an XKS ID is generated for the new HYOK key.
Click OK to close the dialog.
Create an Unlinked HYOK key
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS.
Click Add Key. The Key Material Origin screen of the Add AWS Key wizard is displayed.
Key Material Origin
Select the desired AWS Account from the drop-down list.
Select External Custom Key Store (HYOK) from Origin Type.
Select CipherTrust or Luna HSM from Source.
Select Unlinked Key from the Linked State.
This means that the corresponding key is not automatically created in AWS KMS, and you must either link the HYOK after creation, or manually create the KMS key in AWS KMS.
Click Next. The Source Key screen is displayed.
Source Key
Select an External Key Store from the drop down.
Note
Only local key stores matching the selected Source are available.
Select the Source Key Material. This specifies how to create the key. The source key must be a symmetric AES-256 key.
For Luna source key stores, the CKA_SENSITIVE, CKA_ENCRYPT, CKA_DECRYPT, CKA_WRAP, and CKA_UNWRAP attributes must be enabled, and CKA_EXTRACTABLE must be disabled.
The options are:
Create New Key
Click to create a fresh key.
Specify the Source Key Name for the source key. This will be the name for the new key.
Note
For Luna HSM keys, key attributes are displayed. These values are not editable.
Copy Existing Key
Click to create a new key by copying an existing source key.
Select a CipherTrust (Local) Key from the list. For Luna HSM, the list shows the available keys based on the Luna HSM connection.
Click Next. The Add to Schedule screen is displayed.
Add to Schedule
Select the desired Rotation schedule to apply to the key from the drop-down list. This is an optional step.
Click Next. The Review And Add Key screen is displayed.
Review And Add Key
Review the key details, and click Add Key to create.
Creation completes and an XKS ID is generated for the new HYOK key.
Click OK to close the dialog.
Create the corresponding KMS key. You can either:
Link the new HYOK key in CCKM.
Manually create the key in AWS KMS:
In CCKM, retrieve the XKS ID value from the key details page.
On AWS KMS, navigate to the external key store which corresponds to the CCKM external custom key store you selected for the HYOK key.
Create the KMS key. Provide the XKS ID for any fields indicating an External key ID.
Follow AWS documentation to associate the desired AWS services with the KMS key.
If you want to later link the KMS key to its associated HYOK key, refresh all AWS keys.
Encryption and decryption requests will now be executed with the source key.
If the source key is a Luna HSM key, the cryptographic requests are executed inside the Luna HSM.
If the source key is a CipherTrust Manager key, the cryptographic requests are executed inside the CipherTrust Manager.
Linking HYOK Keys
If you created an HYOK key in an unlinked state, you can link it after creation. Linking an HYOK key automatically creates a new corresponding KMS key in AWS KMS.
Note
To link an existing KMS key, refresh all the keys.
To link an HYOK key
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
You can filter this list on Origin: HYOK-CCKM to display only local HYOK keys.
Click the overflow icon () corresponding to the desired key and click Link.
The Configure AWS Key screen of the Link AWS Key wizard is displayed.
Optionally provide an Alias and Tags for the new KMS key.
Click Next. The AWS Key Policy screen is displayed.
Click the desired tab to view the instructions.
Select the Create New Policy option.
Select a policy view. You can select either the Basic view or Raw view. The default view is Basic.
Select the key admins, key users, and additional accounts for the policy. The Key Admins and Key Users tabs display the list of available AWS users and roles.
In the Basic view, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Add external accounts in the Add Accounts field and click +.
These accounts have user permissions. Similarly, you can add more external accounts. To remove an account, click the close (X) icon in the account name.
To switch to the Raw view, click Switch to policy (Raw) View. In the Raw view, paste a policy in JSON format in the Raw Policy field.
Note
Any edits made in the policy (Raw) view will be retained exclusively in the policy (Raw) view.
Select Save this Key Policy and Enter Template Name.
Click Next.
Select the Select Saved Policy option.
Select a policy from the Saved Policies drop-down list.
You can also update the selected policy, and create a new policy using it.
Select the policy view, you can select Raw View or Basic View. By default, the policy will open in the Raw View.
Update the policy.
Raw View
Make the necessary changes in the policy.
Basic View
In the Basic View, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Note
If you make changes in one of the views and switch to the other view without updating the policy, you will see a Warning message. Click Yes to continue.
Click Update. The Update Policy message is displayed.
To save the changes as a new policy, select the DO NOT Push Changes check box, and enter the New Policy name.
Note
If the selected policy is Unverified, the Update Policy message will not be displayed, a new policy will not be created.
Click Apply.
Click Next.
Select the Build From Template option.
Select Template.
(Optional) Make the necessary changes in the template.
Click Next.
The Review and Add screen is displayed.
Review the AWS Key and AWS Key Policy details.
Click Link to accept, link the HYOK key, and create a new KMS key.
Click OK.
Viewing AWS Keys
To view an AWS key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed. The AWS Keys page displays following details:
Field Description Alias Unique, user-friendly alias of the key. This is useful in searching for specific keys. The AWS Keys page shows the latest alias under the Alias field. Additional aliases for the key are displayed in braces. For example, if a key has three aliases and the latest alias is "latest-alias", the Alias field shows "latest-alias (+2 more)". Clicking the link takes to the Aliases section of the key in edit mode. Key ID Unique ID of the CipherTrust Manager key. Account AWS account name. Region AWS region. Algorithm Name of the algorithm. Supported algorithms are:
• SYMMETRIC_DEFAULT
• RSA_2048
• RSA_3072
• RSA_4096
• ECC_NIST_P256
• ECC_NIST_P384
• ECC_NIST_P521
• ECC_SECG_P256K1Source Key Name of the source key. Source Type Source of the key.
• CipherTrust (Local): Local CipherTrust Manager
• DSM: Vormetric Data Security Manager
• Luna: HSM Luna
• CipherTrust (External): External CipherTrust Manager.Key State State of the key. The state can be:
• Enabled
• Disabled
• Deleted
• PendingDeletion
• PendingImport
• UnavailableCreation Date Time when the key is created. Origin The origin of the key can be:
• BYOK-CCKM: Key material is created on CCKM.
• Native: Key material is created on the cloud.
• BYOK - External: Source of the key material is unknown. It is different than CCKM and the native cloud.
•HYOK-CCKM: HYOK key exists on CCKM
• HYOK-External: An external key from KMS, without the corresponding HYOK key on the local CCKM. This can mean that the HYOK key is present on a different CCKM not clustered with the local one, or that the HYOK key is present on another vendor's external key manager. NOTE: When the CipherTrust Manager is upgraded from 2.0 to 2.1, the Origin column appears blank. The column will be populated on next scheduled key synchronization or on-demand synchronization by clicking the Sync All button.Expiration Date Time when the key will expire. Expiration date is nonapplicable for some key types. Expiration State State of the expiration. Regionality Whether the key is a single-region key, multi-region primary key, or multi-region replica key. Cloud Name of the AWS cloud. Key Usage How the key is used - for example, to decrypt and encrypt or to sign and verify. Source Key Container Container of the source key. A container can be the CipherTrust Manager, DSM, or Luna HSM. Key Store (Applicable to HYOK keys) Name of the key store. Some of these fields are not populated for HYOK keys. The non-populated fields are Alias, Key ID, Key State, and Creation Date.
The Regionality, Cloud, Key Usage, and Source Key Container columns are hidden by default. To show/hide a column, click the custom view icon (), select/clear the desired column, and click OK. The Key Usage column is not populated for HYOK keys.
Sometimes, you might notice certain keys are displayed as grayed out. This happens when the keys are no longer accessible. For example, when:
Any cloud permissions on the keys are changed. The keys are no longer accessible from the AWS connection.
Connection is changed in AWS KMS. The new connection does not have permissions to access the keys.
When AWS regions are changed or removed. The keys from the configured region are no longer accessible.
Creating Replica of Multi-Region Keys
Note
This functionality is applicable to Native and BYOK keys.
A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. Later, you can set any replica of the multi-region key as the primary key.
Note
Only one replica of a primary key can be created in one AWS Region. Moreover, a replica of a replica key cannot be created.
To add a replica:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the alias of the desired multi-region primary key. The detail view of the key is displayed.
Scroll down to the REGIONALITY section.
Click Add Replicas. The Add Replica Region screen of the Add Replica Keys dialog box is displayed.
Add Replica Region
From the Select Replica Region drop-down list, select the AWS region where you want to create the replica key.
Click Next. The Add Labels screen is displayed.
The fields on the Add Labels screen display the current values of the primary key, but you can edit them at any time. AWS KMS does not synchronize any changes to these values.
Enter a user-friendly Alias for the replica key. This helps uniquely identify the replica key.
(Optional) Provide a brief Description of the key.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters ** _ . / = + - @ **
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Key Policy screen is displayed.
On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.
Key Policy
Specify a policy for the key. You can create a new policy, select a saved policy, and build from template.
Click the desired tab to view the instructions.
Select the Create New Policy option.
Select a policy view. You can select either the Basic view or Raw view. The default view is Basic.
Select the key admins, key users, and additional accounts for the policy. The Key Admins and Key Users tabs display the list of available AWS users and roles.
In the Basic view, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Add external accounts in the Add Accounts field and click +.
These accounts have user permissions. Similarly, you can add more external accounts. To remove an account, click the close (X) icon in the account name.
To switch to the Raw view, click Switch to policy (Raw) View. In the Raw view, paste a policy in JSON format in the Raw Policy field.
Note
Any edits made in the policy (Raw) view will be retained exclusively in the policy (Raw) view.
Select Save this Key Policy and Enter Name.
Click Next.
Select the Select Saved Policy option.
Select a policy from the Saved Policies drop-down list.
Click View Policy (Raw) to view the policy in source JSON.
Click Next.
Select the Build From Template option.
Select Template.
(Optional) Make the necessary changes in the template.
Click Next.
The Review screen is displayed.
Review
This screen shows the replica key details that you have provided. These details are divided into REPLICA REGION, LABELS, AWS KEY POLICY, and CONFIRMATION sections.
Before adding the replica key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the REPLICA REGION and LABELS sections and update details. Alternatively, click Back and make changes, as appropriate.
Under CONFIRMATION, select I understand that the values I choose here are not synchronized with any other Multi-Region Key.
Click Add Replica Key. Your key is successfully added. Close window to return to replica keys list.
Click Close. The Add Replica Keys wizard is closed.
The newly created replica key is displayed in the list of replica keys under the REGIONALITY section. The Regionality of a replica key is displayed as REPLICA and its Status moves from Starting to PendingImport.
Viewing Replicas of a Multi-Region Key
Note
This functionality is applicable to Native and BYOK keys.
To view the replicas of a multi-region key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the alias of the desired multi-region primary key. The detail view of the key is displayed. To view or edit an AWS key:
Scroll down to the REGIONALITY section. This section shows the replicas of the multi-region primary key. The section shows the following details:
Field Description Region Region where the replica is created. Key ARN Amazon Resource Name (ARN) of the AWS replica. Alias Alias of the replica key. State State of the replica key. Regionality Regionality of the replica key is REPLICA. Creation Date Date and time when the replica is created.
Viewing or Editing AWS Key Details
To view or edit an AWS key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click View/Edit.
For HYOK keys, you can obtain the following additional values:
The XKS ID. You can copy this value using the copy button, if you want to manually create a corresponding KMS key. In AWS, this value is called the External key ID.
The Source. This is a link to the CCKM-managed source key stored within either Luna HSM or CipherTrust Manager (depending on which key source you are using). This is important if you want to perform any key functions using either Luna key functions or CipherTrust Manager key functions.
Note
You can view but not edit details for unlinked HYOK keys.
For Native, linked HYOK keys, and BYOK Keys, edit or configure the following fields and click Update:
ALIASES: Add or delete aliases of the key.
LABELS: Add tags to the key. Refer to Add Labels for characters allowed in AWS tag values.
SCHEDULES: Applies rotation schedule to the key. Refer to Apply Key Rotation Schedule for details.
AWS AUTO-ROTATE: Automatically rotates AWS native key every year.
Note
This is not applicable for HYOK keys.
POLICY: Grant access to external accounts, key administrators, and key users. Refer to Adding/Editing Policies for details.
Adding or Deleting Aliases
Note
This functionality is applicable to Native, BYOK, and CloudHSM keys. For HYOK keys, this functionality is applicable to linked keys only.
To add a new alias to the key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click View/Edit.
Under ALIASES, click Add Alias.
Enter an Alias Name.
Click Save. The new alias is added to the key.
The AWS Keys page shows the latest alias under the Alias field. Additional aliases for the key are displayed in braces. For example, if a key has three aliases and the latest alias is "latest-alias", the Alias field shows "latest-alias (+2 more)". Clicking the link takes to the Aliases section of the key in edit mode.
To delete an alias of the key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click View/Edit.
Under Aliases, click the overflow icon () corresponding to the desired alias.
Click Delete. The alias is deleted.
Apply Key Rotation Schedule
Note
For HYOK keys, this functionality is applicable to linked keys only.
To apply a key rotation schedule to an AWS key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click View/Edit.
Under SCHEDULES, from the Rotation drop-down list, select a schedule to apply. If applying a schedule to a CloudHSM key or linked HYOK key, proceed to step 7.
(Optional) For BYOK or Native keys, you can grant or deny the encrypt permission to the key policy in the AWS account where the key is created in OR to the key policy in all accounts the key is shared in:
Select Disable Encrypt Permissions on Current Key to deny the encrypt permission to the key policy in the AWS account where the key is created in. Clear the check box to grant the encrypt permission. By default, Disable Encrypt Permissions on Current Key is selected, that is, the encrypt permission is denied to the current key.
Select Disable Encrypt Permissions on All Accounts to deny the encrypt permission to the key policy in all the AWS accounts the key is shared in. Clear the check box to grant the encrypt permission.
For BYOK or Native keys, select the Key Origin from the available options. The key origin can be:
CipherTrust (External): External CipherTrust Manager.
CipherTrust (Local): Local CipherTrust Manager.
Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.
DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.
Note
If the algorithm of the key is RSA, EC, or HMAC, you can only select CipherTrust (Local) as the Key Origin.
Click Update.
Note
A scheduled key rotation always creates a new key with a randomly generated UUID name.
Adding/Editing Policies
You can apply a new policy or edit the policy attached to an AWS key on the list view or the details view of the AWS Keys page.
On the list view of the AWS Keys page
Note
This functionality is applicable to all Native and BYOK keys. For HYOK keys, this functionality is applicable to linked keys only.
To add or edit key policy:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click Add/Edit Policies.
The Add/Edit Policies dialog box displays the attached policy, if any. Under Unsaved Policy, you can either:
Update the policy locally. These are local changes only. They do not affect the original policy.
Alternatively, you can save the changes as a new policy. Click Save to Policy List, specify a Policy Name, and click Save. The newly created policy will be available as a saved policy for selection.
Attach a new saved policy. Click Select Saved Policy, select a saved policy from the drop-down list, and click Apply.
Select a template and use it to create a key policy. Click Build from Template, select a template from the drop-down list, and click Apply.
Click Save.
On the details view of the AWS Keys page
To add or edit key policy:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the Alias link of the key.
Navigate to the POLICY section.
Add or update the policy, as described above.
Click Update.
Refreshing AWS Keys
Refreshing is the process of downloading keys created on the AWS KMS to CCKM. You can refresh keys from all AWS KMS accounts at once.
Refreshing keys also refreshes AWS CloudHSM key stores and external custom key stores.
Refreshing all keys can set unlinked HYOK keys to a linked state. This happens when CCKM detects a corresponding KMS key for an local unlinked HYOK key. As well, this operation can set unlinked external custom key stores to a linked state. This happens when CCKM detects a corresponding KMS external key store for an local unlinked external custom key store.
To refresh keys:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The AWS Keys page is displayed. This page displays the list of AWS keys.
Click Refresh All. The This may take a while... message is displayed.
Note
Refresh all keys is a time intensive operation that could take several hours or days to complete. It will continue running in the background. Do you want to continue?
Click Refresh All to continue.
A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.
The refreshed keys are listed on the Cloud Keys > AWS > AWS Keys page.
Disabling Keys
Note
This functionality is applicable to all Native, BYOK, and Cloud HSM keys. For HYOK keys, this functionality is applicable to linked keys only.
For HYOK keys, disabling has the same practical effect of disallowing cryptographic operations as blocking does. However, disabling changes the external key state on AWS KMS and blocking does not.
Caution
Take care when disabling a key. You cannot use this key in cryptographic operations and it may limit your access to certain resources that use this key. To reverse this action in the future, you can always choose to enable the key again.
To disable the key(s):
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Select the keys to be enabled from the list.
Click Disable. The Disable Key(s) dialog box is displayed.
Click Disable. The Job Created dialog box is displayed. A job is created to track the disabling of the keys.
Click OK.
You can check the job status on the Bulk Operations tab.
Enabling Keys
Note
This functionality is applicable to all Native, BYOK, and Cloud HSM keys. For HYOK keys, this functionality is applicable to linked keys only.
For HYOK keys, enabling has the same practical effect of allowing cryptographic operations as unblocking does. However, enabling changes the external key state on AWS KMS and unblocking does not.
Caution
Take care when disabling a key. You cannot use this key in cryptographic operations and it may limit your access to certain resources that use this key. To reverse this action in the future, you can always choose to enable the key again.
To enable the key(s):
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Select the keys to be enabled from the list.
Click Enable. The Enable Key(s) dialog box is displayed.
Click Enable. The Job Created dialog box is displayed. A job is created to track the enabling of the keys.
Click OK.
You can check the job status on the Bulk Operations tab.
Downloading Keys
Note
This functionality is applicable to asymmetric keys.
Asymmetric keys can be downloaded to your local machines. Symmetric keys cannot be downloaded.
To download an asymmetric key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click Download Key. The key is downloaded.
Importing Key Material
Note
This functionality is applicable to Native and BYOK keys.
You can create a key without key material and can later import the CipherTrust key material to the AWS KMS. As the key material is not created on the AWS KMS, its origin is external.
Note
You can only import AES keys with status PendingImport
to the AWS KMS.
To import key material:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click Import Material. The Import Material dialog box is displayed.
Select Import Type (the desired key material source). The options are:
Note
The Vormetric DSM key option will be available only for the keys that have the algorithm as SYMMETRIC_DEFAULT (AES).
Import Using CipherTrust (External)
When importing the key material from an external CipherTrust Manager, Select Key Material Origin. The options are:
Create New Key
In this method, the external CipherTrust Manager creates the new key material locally.
Select Create New Key.
Click Next.
Enter Key Name.
Select Domain for the key. The drop-down list shows the domains of the external CipherTrust Manager linked with the configured connection.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Next. The Review Key Details screen is displayed.
Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.
Click Import.
The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed. When the status next to the SOURCE KEY section becomes Complete, the key material is imported successfully.
Click OK.
In this scenario, the CipherTrust creates a new key material and the key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM
.
Use Existing Key
In this method, the key material of an existing external CipherTrust Manager key is used.
Select Use Existing Key.
Click Next.
Select Domain from the drop-down list. The drop-down list shows the domains of the external CipherTrust Manager linked with the configured connection.
Select a CipherTrust (External) Key from the list.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Next. The Review Key Details screen is displayed.
Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.
Click Import.
The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed.
Click OK.
In this scenario, the existing key material of the external CipherTrust Manager is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM
.
Import Using CipherTrust (Local)
When importing the key material from CipherTrust, Select Key Material Origin. The options are:
Create New Key
In this method, CipherTrust Manager creates the new key material locally.
Select Create New Key.
Click Next.
Enter Key Name.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Next. The Review Key Details screen is displayed.
Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.
Click Import.
The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed. When the status next to the SOURCE KEY section becomes Complete, the key material is imported successfully.
Click OK.
In this scenario, the CipherTrust creates a new key material and the key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM
.
Use Existing Key
In this method, the key material of an existing CipherTrust Manager key is used.
Select Use Existing Key.
Click Next.
Select a CipherTrust (Local) Key from the list.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Next. The Review Key Details screen is displayed.
Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.
Click Import.
The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed.
Click OK.
In this scenario, the existing CipherTrust key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM
.
Import Using Vormetric DSM
When importing the key material from Vormetric DSM, Select Key Material Origin. The options are:
Create New Key
In this method, DSM creates the new key material locally.
Select Create New Key.
Click Next.
Enter a DSM Key Name.
Select the desired DSM Domain.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Next. The Review Key Details screen is displayed.
Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.
Click Import.
The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed. When the status next to the SOURCE KEY section becomes Complete, the key material is imported successfully.
Click OK.
In this scenario, the DSM creates a new key material and the key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM
.
Use Existing Key
In this method, the key material of an existing DSM key is used.
Select Use Existing Key.
Click Next.
Select a DSM Key from the list.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Next. The Review Key Details screen is displayed.
Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.
Click Import.
The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed.
Click OK.
In this scenario, the existing DSM key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM
.
Import Using Luna HSM
When importing the key material from Luna HSM, Select Key Material Origin. The options are:
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Create New Key
In this method, Luna HSM creates the new key material locally.
Select Create New Key.
Click Next. The Add Key Details page is disabled.
Enter a Key Name.
Select the desired Partition ID.
Select the desired Key Attributes.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Next. The Review Key Details screen is displayed.
Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.
Click Import.
The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed. When the status next to the SOURCE KEY section becomes Complete, the key material is imported successfully.
Click OK.
In this scenario, the Luna HSM creates a new key material and the key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM
.
Use Existing Key
In this method, the key material of an existing Luna HSM key is used.
Select Use Existing Key.
Click Next. The Add Key Details page is disabled.
Select an HSM Key from the list.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Next. The Review Key Details screen is displayed.
Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.
Click Import.
The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed.
Click OK.
In this scenario, the existing Luna HSM key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM
.
Deleting Key Material
Note
This functionality is applicable for BYOK keys, not HYOK keys. You can delete unlinked HYOK keys or schedule key deletion for linked HYOK keys through AWS menus, but not their source key material.
For HYOK keys, Luna source keys are managed through CCKM Luna key functions, and CipherTrust Manager source keys are managed through CipherTrust Manager key management menus.
To delete key material:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click Delete Material. The Delete Key Material dialog box is displayed.
Select I wish to delete key material.
Click Delete Key Material.
A message AWS Key material deleted is displayed on the screen. The key state changes to PendingImport
.
Warning
Be extremely careful when deleting a key material from the AWS KMS. Once the key material is deleted, decryption of data cannot be performed using that key material. However, if needed, you can reimport the key material.
Scheduling Key Deletion
Note
This functionality is applicable to all Native, BYOK, HYOK keys and CloudHSM keys. For HYOK keys, this functionality is applicable to linked keys only.
Scheduled key deletion permanently removes the key from the AWS KMS (if a Native, linked HYOK, or BYOK key) or from the AWS CloudHSM (if a CloudHSM key) at the specified time. The AWS KMS enforces a waiting period of 7 to 30 days. You can cancel schedule deletion before the waiting period ends.
For linked HYOK keys, scheduling deletion removes the local CCKM HYOK key, and the remote KMS key at the specified time. Unlinked HYOK keys can only be deleted manually, not at a scheduled time. Deleting an HYOK key does not delete the source key (stored in either an Luna HSM or CipherTrust Manager. You can later create a new HYOK key using the source key.
Note
In regards to Native and BYOK keys, schedule key deletion is not allowed for multi-region primary keys that have replicas. To schedule deletion of such a key, delete its replica keys first.
Warning
Be extremely careful when scheduling key deletion. Once the key is deleted from the AWS KMS or from the AWS CloudHSM (if a CloudHSM key), it cannot be restored and the data encrypted with this key will be unrecoverable.
For HYOK keys, if you want to temporarily suspend AWS KMS access, you can instead block the HYOK key.
To schedule key deletion:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click Schedule Key Deletion.
On the Schedule Key Deletion screen:
Select I wish to delete this key.
Specify the Waiting period (in Days) after which the key will be deleted. The default value is 30.
Click Schedule Deletion.
A message Key <key_name> scheduled for deletion is displayed on the screen. The key state changes to
PendingDeletion
.
Canceling Scheduled Deletion
This functionality is applicable to Native, BYOK, and CloudHSM keys.
Warning
Be extremely careful when scheduling key deletion. Once the key is deleted from the AWS KMS, it cannot be restored and the data encrypted with this key will be unrecoverable.
To cancel scheduled deletion:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click Cancel Deletion.
A message Scheduled deletion cancelled is displayed on the screen. The key state changes to Disabled. You can enable the key, if you wish to use this key in the cryptographic operations.
Deleting Unlinked HYOK Keys
Deleting an unlinked HYOK Key deletes the XKS ID that is associated to a KMS key in AWS KMS. The corresponding KMS key is not deleted, but it can no longer perform cryptographic operations. For linked HYOK keys, you can schedule a key deletion to delete both the HYOK key on CCKM and the KMS key in AWS KMS.
Warning
Deleting an HYOK key permanently breaks the association between the corresponding KMS key and this particular XKS ID so that KMS key can no longer perform cryptographic operations. Any data encrypted with the KMS key cannot be decrypted. To temporarily suspend AWS KMS access to the HYOK key and its XKS ID, you can instead block the HYOK key.
Deleting an HYOK key does not delete the source key (stored in either an Luna HSM or CipherTrust Manager). You can later create a new HYOK key using the source key. Luna source keys are managed through CCKM Luna key functions, and CipherTrust Manager source keys are managed through CipherTrust Manager key management menus.
To delete an unlinked HYOK key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
You can filter this list on Origin: CCKM-HYOK to display only HYOK keys.
Click the overflow icon () corresponding to the desired alias and click Delete. The Delete Key dialog box is displayed.
Click Delete Key to confirm.
Rotating Keys
Key rotation allows you to create new cryptographic material for the keys, while retaining the IDs that AWS needs to communicate. Regularly rotating keys is a security best practice.
To rotate a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click Rotate Key (for a Native, BYOK, or CloudHSM key) or Add Version (Rotate) (for an HYOK key). If rotating a CloudHSM key, proceed to Rotate CloudHSM Key.
Note
You cannot rotate the key that has Origin Type as Native and Key Usage as Generate and Verify Mac.
On the Select Material Origin screen.
The options for Native and BYOK keys are:
Note
The Vormetric DSM key option will be available only for the keys that have the algorithm as SYMMETRIC_DEFAULT (AES).
The options for HYOK keys are:
Upload New CipherTrust (External) Key
In this method, upload the key material using an external CipherTrust Manager to configure source key. In this scenario, the key material of an external CipherTrust Manager key is uploaded and then used for key rotation.
On the Select Material Origin screen, select Upload New CipherTrust (External) Key.
Click Next. The Create CipherTrust Key (External) screen is displayed.
Create CipherTrust (External) Key
Select Domain from the drop-down list. The drop-down list shows the domains of the external CipherTrust Manager linked with the configured connection.
Specify a unique Key Name.
Click Next. The Add Labels screen is displayed.
Add Labels
The Alias of the current key is populated automatically.
(Optional) Provide a Description of the key.
(Optional) Set a key expiration date.
Select the Expiration Date check box.
Either enter the expiration time manually or select using the on-screen calendar. The time format is
MM/DD/YYYY HH:MM
, for example, September 23, 2020 4:03 AM.
(Optional) For BYOK or Native keys, you can grant or deny the encrypt permission to the key policy in the AWS account where the key is created in OR to the key policy in all accounts the key is shared in:
Select Disable Encrypt Permissions on Current Key to deny the encrypt permission to the key policy in the AWS account where the key is created in. Clear the check box to grant the encrypt permission. By default, Disable Encrypt Permissions on Current Key is selected, that is, the encrypt permission is denied to the current key.
Select Disable Encrypt Permissions on All Accounts to deny the encrypt permission to the key policy in all the AWS accounts the key is shared in. Clear the check box to grant the encrypt permission.
(Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.
Click Save.
A message stating successful key creation and key rotation is displayed on the screen.
Upload Existing CipherTrust (External) Key
In this method, use the key material of an existing external CipherTrust Manager key for key rotation.
On the Select Material Origin screen, select Upload Existing CipherTrust (External) Key.
Click Next. The Select CipherTrust (External) Key screen is displayed.
Select CipherTrust (External) Key
Select the desired CipherTrust (External) Key from the list.
Click Next. The Add Labels screen is displayed.
Add Labels
The Alias of the current key is populated automatically.
(Optional) Provide a Description of the key.
(Optional) Set a key expiration date.
Select the Expiration Date check box.
Either enter the expiration time manually or select using the on-screen calendar. The time format is
MM/DD/YYYY HH:MM
, for example, September 23, 2020 4:03 AM.
(Optional) For BYOK or Native keys, you can grant or deny the encrypt permission to the key policy in the AWS account where the key is created in OR to the key policy in all accounts the key is shared in:
Select Disable Encrypt Permissions on Current Key to deny the encrypt permission to the key policy in the AWS account where the key is created in. Clear the check box to grant the encrypt permission. By default, Disable Encrypt Permissions on Current Key is selected, that is, the encrypt permission is denied to the current key.
Select Disable Encrypt Permissions on All Accounts to deny the encrypt permission to the key policy in all the AWS accounts the key is shared in. Clear the check box to grant the encrypt permission.
(Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.
Click Save.
A message stating successful key rotation is displayed on the screen.
Upload New Local Key
In this method, the CipherTrust Manager first creates a key material and then uses this key material for key rotation.
On the Select Material Origin screen, select Upload New CipherTrust (Local) Key.
Click Next. The Configure CipherTrust (Local) Key screen is displayed.
Configure CipherTrust (Local) Key
Specify a unique Key Name.
Click Next. The Add Labels screen is displayed.
Add Labels
The Alias of the current key is populated automatically.
(Optional) Provide a Description of the key.
(Optional) Set a key expiration date.
Select the Expiration Date check box.
Either enter the expiration time manually or select using the on-screen calendar. The time format is
MM/DD/YYYY HH:MM
, for example, September 23, 2020 4:03 AM.
(Optional) For BYOK or Native keys, you can grant or deny the encrypt permission to the key policy in the AWS account where the key is created in OR to the key policy in all accounts the key is shared in:
Select Disable Encrypt Permissions on Current Key to deny the encrypt permission to the key policy in the AWS account where the key is created in. Clear the check box to grant the encrypt permission. By default, Disable Encrypt Permissions on Current Key is selected, that is, the encrypt permission is denied to the current key.
Select Disable Encrypt Permissions on All Accounts to deny the encrypt permission to the key policy in all the AWS accounts the key is shared in. Clear the check box to grant the encrypt permission.
(Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.
Click Save.
A message stating successful key creation and key rotation is displayed on the screen.
Upload Existing CipherTrust (Local) Key
In this method, use the key material of an existing CipherTrust Manager key for key rotation.
On the Select Material Origin screen, select Use Existing Local Key.
Click Next. The Select CipherTrust (Local) Key screen is displayed.
Select CipherTrust (Local) Key
Select the desired CipherTrust (Local) Key from the list.
Click Next. The Add Labels screen is displayed.
Add Labels
The Alias of the current key is populated automatically.
(Optional) Provide a Description of the key.
(Optional) Set a key expiration date.
Select the Expiration Date check box.
Either enter the expiration time manually or select using the on-screen calendar. The time format is
MM/DD/YYYY HH:MM
, for example, September 23, 2020 4:03 AM.
(Optional) For BYOK or Native keys, you can grant or deny the encrypt permission to the key policy in the AWS account where the key is created in OR to the key policy in all accounts the key is shared in:
Select Disable Encrypt Permissions on Current Key to deny the encrypt permission to the key policy in the AWS account where the key is created in. Clear the check box to grant the encrypt permission. By default, Disable Encrypt Permissions on Current Key is selected, that is, the encrypt permission is denied to the current key.
Select Disable Encrypt Permissions on All Accounts to deny the encrypt permission to the key policy in all the AWS accounts the key is shared in. Clear the check box to grant the encrypt permission.
(Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.
Click Save.
A message stating successful key rotation is displayed on the screen.
Upload New Vormetric DSM Key
In this method, upload the key material using Vormetric DSM to configure source key. In this scenario, the key material of a DSM key is uploaded and then used for key rotation.
On the Select Material Origin screen, select Upload New Vormetric DSM Key.
Click Next. The Configure Source Key screen is displayed.
Configure Source Key
Specify a unique DSM Key Name for the key.
Select the desired DSM Domain from the drop-down list.
Click Next. The Configure Destination (AWS) Key screen is displayed.
Configure Destination (AWS) Key
The Alias of the current key is populated automatically.
(Optional) Provide a Description of the key.
(Optional) Set a key expiration date.
Select the Expiration Date check box.
Either enter the expiration time manually or select using the on-screen calendar. The time format is
MM/DD/YYYY HH:MM
, for example, September 23, 2020 4:03 AM.
(Optional) For BYOK or Native keys, you can grant or deny the encrypt permission to the key policy in the AWS account where the key is created in OR to the key policy in all accounts the key is shared in:
Select Disable Encrypt Permissions on Current Key to deny the encrypt permission to the key policy in the AWS account where the key is created in. Clear the check box to grant the encrypt permission. By default, Disable Encrypt Permissions on Current Key is selected, that is, the encrypt permission is denied to the current key.
Select Disable Encrypt Permissions on All Accounts to deny the encrypt permission to the key policy in all the AWS accounts the key is shared in. Clear the check box to grant the encrypt permission.
(Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.
Click Save.
A message stating successful key creation and key rotation is displayed on the screen.
Upload Existing Vormetric DSM Key
In this method, use the key material of an existing Vormetric DSM key.
On the Select Material Origin screen, select Use Existing Vormetric DSM Key.
Click Next. The Configure Source Key screen is displayed.
Configure Source Key
Select the desired DSM Key from the list.
Click Next. The Add Labels screen is displayed.
Add Labels
The Alias of the current key is populated automatically.
(Optional) Provide a Description of the key.
(Optional) Set a key expiration date.
Select the Expiration Date check box.
Either enter the expiration time manually or select using the on-screen calendar. The time format is
MM/DD/YYYY HH:MM
, for example, September 23, 2020 4:03 AM.
(Optional) For BYOK or Native keys, you can grant or deny the encrypt permission to the key policy in the AWS account where the key is created in OR to the key policy in all accounts the key is shared in:
Select Disable Encrypt Permissions on Current Key to deny the encrypt permission to the key policy in the AWS account where the key is created in. Clear the check box to grant the encrypt permission. By default, Disable Encrypt Permissions on Current Key is selected, that is, the encrypt permission is denied to the current key.
Select Disable Encrypt Permissions on All Accounts to deny the encrypt permission to the key policy in all the AWS accounts the key is shared in. Clear the check box to grant the encrypt permission.
(Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.
Click Save.
A message stating successful key rotation is displayed on the screen.
Upload New Luna HSM Key for Native and BYOK keys
In this method, upload the key material using Luna HSM to configure source key. In this scenario, the key material of a Luna HSM key is uploaded and then used for key rotation.
Note
This process is different than creating a new Luna key for HYOK keys as there are more settings required for Native and BYOK keys.
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
On the Select Material Origin screen, select Upload New Luna HSM Key.
Click Next. The Configure Source Key screen is displayed.
Configure Source Key
Specify a unique Key Name for the key.
Select the desired Partition ID from the drop-down list.
Select the desired Key Attributes.
Click Next. The Configure Destination (AWS) Key screen is displayed.
Configure Destination (AWS) Key
The Alias of the current key is populated automatically.
(Optional) Provide a Description of the key.
(Optional) For BYOK or Native keys, you can grant or deny the encrypt permission to the key policy in the AWS account where the key is created in OR to the key policy in all accounts the key is shared in:
Select Disable Encrypt Permissions on Current Key to deny the encrypt permission to the key policy in the AWS account where the key is created in. Clear the check box to grant the encrypt permission. By default, Disable Encrypt Permissions on Current Key is selected, that is, the encrypt permission is denied to the current key.
Select Disable Encrypt Permissions on All Accounts to deny the encrypt permission to the key policy in all the AWS accounts the key is shared in. Clear the check box to grant the encrypt permission.
(Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.
Click Save.
A message stating successful key creation and key rotation is displayed on the screen.
Upload Existing Luna HSM Key
In this method, use the key material of an existing Luna HSM key.
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
On the Select Material Origin screen, select Use Existing Luna HSM Key.
Click Next. The Configure Source Key screen is displayed.
Configure Source Key
Select the desired HSM Key from the list.
Click Next. The Add Labels screen is displayed.
Add Labels
The Alias of the current key is populated automatically.
(Optional) Provide a Description of the key.
(Optional) For BYOK or Native keys, you can grant or deny the encrypt permission to the key policy in the AWS account where the key is created in OR to the key policy in all accounts the key is shared in:
Select Disable Encrypt Permissions on Current Key to deny the encrypt permission to the key policy in the AWS account where the key is created in. Clear the check box to grant the encrypt permission. By default, Disable Encrypt Permissions on Current Key is selected, that is, the encrypt permission is denied to the current key.
Select Disable Encrypt Permissions on All Accounts to deny the encrypt permission to the key policy in all the AWS accounts the key is shared in. Clear the check box to grant the encrypt permission.
(Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.
Click Save.
A message stating successful key rotation is displayed on the screen.
Rotate CloudHSM Key
To rotate a CloudHSM key
(Optional) On the Rotate Key screen, provide a Description of the key to be rotated.
(Optional) For BYOK or Native keys, you can grant or deny the encrypt permission to the key policy in the AWS account where the key is created in OR to the key policy in all accounts the key is shared in:
Select Disable Encrypt Permissions on Current Key to deny the encrypt permission to the key policy in the AWS account where the key is created in. Clear the check box to grant the encrypt permission. By default, Disable Encrypt Permissions on Current Key is selected, that is, the encrypt permission is denied to the current key.
Select Disable Encrypt Permissions on All Accounts to deny the encrypt permission to the key policy in all the AWS accounts the key is shared in. Clear the check box to grant the encrypt permission.
(Optional) Select the Apply Gravestone Alias on Current Key checkbox, if you wish to retain the key alias with a timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.
Click Save.
A message stating successful key rotation is displayed on the screen.
Create a New Luna HSM Key for HYOK Keys
During HYOK rotation, you can create an additional Luna HSM source key associated with the HYOK. After rotation, the HYOK key is associated with multiple source keys, and can accept AWS KMS requests to any of the source keys. Future encrypt operations will use the new (rotated) key version. Decrypt operations performed on data encrypted before the key rotation will use the previous versions of the source key.
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Only the following operations would stop AWS KMS requests to the HYOK and its existing source key:
This causes a temporary interruption which is reversible.
Warning
Deleting an HYOK key associated with a KMS key can result in encrypted data becoming permanently impossible to decrypt.
Deleting the older source key through Luna key management menus or CipherTrust Manager key management menus.
Warning
Deleting a source key associated with a KMS key can result in encrypted data becoming permanently impossible to decrypt.
To rotate an HYOK key by using key material from a newly created Luna HSM key
On the Select Material Origin screen, select Create New Luna HSM Key.
Click Next. The Configure Source Key screen is displayed.
Provide a new Source Key Name.
Note
Key attributes are displayed. These values are not editable.
Click Next to proceed to the Review and Rotate Key screen.
Review the key details and click Rotate to confirm.
Leave the dialog open until the rotation operation completes successfully.
Use Existing Luna HSM Key for HYOK Keys
In this method, use the key material of an existing Luna HSM key for the key rotation.
After rotation, the HYOK key is associated with multiple source keys, and can accept AWS KMS requests to any of the source keys. Future encrypt operations will use the rotated source key. Decrypt operations performed on data encrypted before the key rotation will use the previous source key.
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Only the following operations would stop AWS KMS requests to the HYOK and its existing source key:
This causes a temporary interruption which is reversible.
Warning
Deleting an HYOK key associated with a KMS key can result in encrypted data becoming permanently impossible to decrypt.
Deleting the older source key through Luna key management menus.
Warning
Deleting a source key associated with a KMS key can result in encrypted data becoming permanently impossible to decrypt.
To rotate an HYOK key by using key material from an existing Luna HSM key
On the Select Material Origin screen, select Use Existing Luna HSM Key.
Click Next. The Configure Source Key screen is displayed.
Select the desired key from the Select Luna Key drop-down list.
Valid source keys must be AES-256 and have the following attributes:
CKA_EXTRACTABLE = FALSE
CKA_SENSITIVE = TRUE
CKA_ENCRYPT = TRUE
CKA_DECRYPT = TRUE
CKA_WRAP = TRUE
CKA_UNWRAP = TRUE
Click Next to proceed to the Review and Rotate Key screen.
Review the key details and click Rotate to confirm.
Leave the dialog open until the rotation operation completes successfully.
Create New CipherTrust Manager Key Version for HYOK keys
In this method, create a new version of the existing CipherTrust Manager source key for the key rotation.
After rotation, the HYOK key is associated with multiple source key versions, and can accept AWS KMS requests to any of the source key versions. Future encrypt operations will use the new (rotated) key version. Decrypt operations performed on data encrypted before the key rotation will use the previous versions of the source key.
Only the following operations would stop AWS KMS requests to the HYOK and its existing source key:
This causes a temporary interruption which is reversible.
Warning
Deleting an HYOK key associated with a KMS key can result in encrypted data becoming permanently impossible to decrypt.
Deleting the older source key through CipherTrust Manager key management menus.
Warning
Deleting a source key associated with a KMS key can result in encrypted data becoming permanently impossible to decrypt.
To rotate an HYOK key by using key material from an existing CipherTrust Manager key
From the Add Version (Rotate) Key screen, click Rotate Key to confirm.
Leave the dialog open until the rotation operation completes successfully.
Blocking and Unblocking HYOK Keys
Blocking and unblocking an HYOK key is a way to temporarily suspend and restore AWS KMS's access to the HYOK key and its source key. This way, you do not permanently delete the HYOK key and the XKS ID which AWS KMS needs to communicate to the HYOK and source key.
Block a Key
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
You can filter this list on Origin: HYOK-CCKM to display only local HYOK keys.
Click the overflow icon () corresponding to the desired key and click Block Key.
Confirm you wish to block the key by clicking Block in the Block Key dialog.
Unblock a Key
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
You can filter this list on Origin: HYOK-CCKM to display only local HYOK keys.
Click the overflow icon () corresponding to the desired key and click Unblock Key.
Confirm you wish to unblock the key by clicking Unblock in the Block Key dialog.