Secrets Management Administration
CipherTrust Manager partners with Akeyless to offer Akeyless Vault Platform application secrets, protected with an optional HSM root-of-trust hierarchy.
Akeyless secrets are used for a variety of data protection objectives and stored on an Akeyless Vault Platform account. We support the following secret types:
Encryption Key
Static Secret
Rotated Secret
Dynamic Secret
SSH Cert Issuer
PKI Cert Issuer
Certificate
Akeyless Customer Fragment
CipherTrust Manager allows for the use of a customer fragment to encrypt Akeyless Vault Platform secrets. The CipherTrust Manager customer fragment is used to create protection keys that can be leveraged to encrypt and decrypt Akeyless secrets. As Akeyless Vault Platform cannot access the CipherTrust Manager customer fragment or construct the full encryption key, Akeyless has no access to any secret material.
As all access requests to secrets must go through CipherTrust Manager in this scenario, use of secrets is assured to be consistent with access, security, and networking rules across a variety of deployment environments. Whether the secrets are used in on-premises, private cloud, or public cloud environments, CipherTrust Manager enforces these rules for private networks and for VPC connections to public cloud networks.
An Akeyless Gateway service running directly on CipherTrust Manager mediates authentication between the CipherTrust Manager customer key fragment database storage and the Akeyless Vault Platform. Users connect to Akeyless Gateway through the Akeyless Console, Client, or SDK to manage secrets stored on Akeyless Vault Platform. This management includes configuring the CipherTrust Manager customer fragment to protect secrets.
Root of Trust Protection
The CipherTrust Manager customer fragment is protected by the same root of trust key hierarchy that protects all keys originating from CipherTrust Manager. You can rotate the Master Key Encryption Keys (MKEKs) for additional assurance.
If a Hardware Security Module (HSM) is used as the root of trust, there is even more assurance and control over the customer fragment protection. For every supported HSM type, you can rotate the Root of Trust (RoT) key itself. Some compatible HSMs are FIPS 140-2 Level 3 certified.
Authentication
CipherTrust Manager users authenticate to an Akeyless Vault Platform account via Single Sign On (SSO), mediated through the Akeyless Gateway service running within CipherTrust Manager software.
A CipherTrust Manager application administrator establishes a connection between CipherTrust Manager and Akeyless Vault Platform using Akeyless Gateway Admin account credentials. There is one Akeyless connection, and therefore one Akeyless Gateway Admin account, per CipherTrust Manager cluster, in the root domain. The Akeyless Vault registers the CipherTrust Manager connection as a client associated with the Akeyless account.
All subsequent logins from CipherTrust Manager to Akeyless Vault Platform use JSON Web Tokens (JWTs). The CipherTrust Manager administrator establishes an Elliptic Curve signing key pair to sign CipherTrust Manager JWTs, and exports the public key to Akeyless Vault Platform. When CipherTrust Manager makes requests to Akeyless Vault Platform, the CipherTrust Manager JWT is exchanged for a short-lived Akeyless token, which protects CipherTrust Manager user access to Akeyless secrets stored on Akeyless Vault Platform.
Akeyless Interfaces
Users interact with the Akeyless Gateway Console and the Akeyless Gateway Configuration Manager for initial Gateway connection configuration. Some of this configuration can also be performed through the Akeyless REST API; consult the Akeyless documentation for reference. Once the Gateway is configured, secrets management is available in the Akeyless Gateway Console, through the Akeyless REST API, or through the Akeyless CLI.
| Interface | Location |
|---|---|
| Gateway Configuration Manager | https://<ciphertrust_manager_hostname>/akeyless/ |
| Gateway Console | https://<ciphertrust_manager_hostname>/akeyless-console/ |
| Akeyless v1 REST API | https://<ciphertrust_manager_hostname>/akeyless-api/ |
| Akeyless v2 REST API | https://<ciphertrust_manager_hostname>/akeyless-api/v2/ |
| Akeyless CLI | Download with cURL. |
| HashiCorp Vault Proxy (HVP) | https://<ciphertrust_manager_hostname>/akeyless-hvp/ |
High Level Integration Process
These are the high-level steps to manage secrets on a deployed CipherTrust Manager.
Ensure that there is public network connectivity to Akeyless SaaS Core Services.
Configure the Akeyless Gateway connection and authentication on CipherTrust Manager and Akeyless Console.
Create a default encryption key which uses the CipherTrust Manager customer fragment.
Begin managing secrets in the Akeyless Gateway Console.