Managing AWS Keys
This section describes how to manage AWS keys on CCKM. Before proceeding, you must have an AWS account added to the CCKM. Refer to Managing AWS Accounts for details.
Adding AWS Keys
This section describes different types of keys and how to create/use these keys. CCKM allows you to:
Create new local key material on the CipherTrust Manager. Refer to Uploading New Local Keys for details.
Create new AWS native keys. The key material is created by the AWS. Refer to Creating AWS Native Keys for details.
Use existing local keys available on the CipherTrust Manager. Refer to Creating Keys by Using Key Material of Existing Local Key for details.
Import key material later (using the local source only). Refer to Creating Keys and Importing Key Material Later for details.
Uploading New Local Keys
To create a new local AWS key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS.
Click Add Key. The Select Material Origin screen of the Add AWS Key wizard is displayed.
Select Material Origin
Select Upload New Local Key. The CipherTrust Manager will create a new key material locally.
Click Next. The Create CipherTrust Key screen is displayed.
** Create CipherTrust Key**
Enter a Key name.
Click Create Key next to the Key name field. A CipherTrust key is created and displayed on the screen. The Enable Key Expiration toggle is displayed.
(Optional) Enable expiration of the key.
Turn on the Enable Key Expiration toggle.
Specify an Expiration Date. Either enter the expiration time manually or select using the on-screen calendar. The time format is
MM/DD/YYYY HH:MM
, for example, September 16, 2020 1:50 PM.- To select a specific time, click Time, and select hours and minutes, from the GUI.
Click Next. The Add Labels screen is displayed.
Add Labels
Select the desired AWS Account.
Select an AWS Region for the key.
Enter a user-friendly alias for the key. This helps in uniquely identifying a key.
(Optional) Describe the key in a maximum of 250 characters.
Enter Tags. A tag is a label assigned to the key, which consists of a user-defined key and an optional value.
To add a tag:
Specify a tag name.
Specify the tag value.
Click the + button.
Similarly, you can add more tags.
Click Save.
The newly created key is displayed in the list of AWS keys.
The origin of the key is CCKM
.
Creating AWS Native Keys
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS.
Click Add Key. The Select Material Origin screen of the Add AWS Key wizard is displayed.
Select Material Origin
Select Create AWS Native Key. The AWS will create a native key material.
Click Next. The Add Labels screen is displayed.
Add Labels
Select the desired AWS Account.
Select an AWS Region for the key.
Enter a user-friendly alias for the key. This helps in uniquely identifying a key.
(Optional) Describe the key in a maximum of 250 characters.
Enter Tags. A tag is a label assigned to the key, which consists of a user-defined key and an optional value.
To add a tag:
Specify a tag name.
Specify the tag value.
Click the + button.
Similarly, you can add more tags.
Click Save.
The newly created key is displayed in the list of AWS keys.
The origin of the key is Native
.
Creating Keys by Using Key Material of Existing Local Key
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS.
Click Add Key. The Select Material Origin screen of the Add AWS Key wizard is displayed.
Select Material Origin
Select Use Existing Local Key. The already existing CipherTrust key material will be used.
Click Next. The Select CipherTrust Key screen is displayed.
Select CipherTrust Key
Select an existing CipherTrust key from the Key name drop-down list. The Enable Key Expiration toggle is displayed.
(Optional) Enable expiration of the key.
Turn on the Enable Key Expiration toggle.
Specify an Expiration Date. Either enter the expiration time manually or select using the on-screen calendar. The time format is
MM/DD/YYYY HH:MM
, for example, September 16, 2020 1:50 PM.- To select a specific time, click Time, and select hours and minutes, from the GUI.
Click Next. The Add Labels screen is displayed.
Add Labels
Select the desired AWS Account.
Select an AWS Region for the key.
Enter a user-friendly alias for the key. This helps in uniquely identifying a key.
(Optional) Describe the key in a maximum of 250 characters.
Enter Tags. A tag is a label assigned to the key, which consists of a user-defined key and an optional value.
To add a tag:
Specify a tag name.
Specify the tag value.
Click the + button.
Similarly, you can add more tags.
Click Save.
The newly created key is displayed in the list of AWS keys.
The origin of the key is CCKM
.
Creating Keys and Importing Key Material Later
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS.
Click Add Key. The Select Material Origin screen of the Add AWS Key wizard is displayed.
Select Material Origin
Select Decide Later. A key is created with state PendingImport. A CipherTrust key material can be imported at a later date.
Click Next.
Add Labels
Select the desired AWS Account.
Select an AWS Region for the key.
Enter a user-friendly alias for the key. This helps in uniquely identifying a key.
(Optional) Describe the key in a maximum of 250 characters.
Enter Tags. A tag is a label assigned to the key, which consists of a user-defined key and an optional value.
To add a tag:
Specify a tag name.
Specify the tag value.
Click the + button.
Similarly, you can add more tags.
Click Save.
The newly created key is displayed in the list of AWS keys.
The origin of the key is External (Unknown)
.
Viewing AWS Keys
To view an AWS key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed. The AWS Keys page displays following details:
Field Description Alias Unique, user-friendly alias of the key. This is useful in searching for specific keys. Key ID Unique ID of the CipherTrust Manager key. Account AWS account name. Cloud Name of the cloud. Supported clouds are:
• aws
• aws-us-gov
• aws-cnRegion AWS region. Algorithm Name of the algorithm. Supported algorithms are:
• SYMMETRIC_DEFAULT
• RSA_2048
• RSA_3072
• RSA_4096
• ECC_NIST_P256
• ECC_NIST_P384
• ECC_NIST_P521
• ECC_SECG_P256K1Key State State of the key. The state can be:
• Enabled
• Disabled
• Deleted
• PendingImport
• PendingDeletion
• UnavailableCreation Date Time when the key is created. Origin Source of the key material. The origin of the key can be:
• CCKM: Key material is created on CCKM.
• Native: Key material is created on the cloud.
• External (Unknown): Source of the key material is unknown. It is different than CCKM and the native cloud.
NOTE: When the CipherTrust Manager is upgraded from 2.0 to 2.1, the Origin column appears blank. The column will be populated on next scheduled key synchronization or on-demand synchronization by clicking the Sync All button.
Sometimes, you might notice certain keys are displayed as grayed out. This happens when the keys are no longer accessible. For example, when:
Any cloud permissions on the keys are changed. The keys are no longer accessible from the AWS connection.
Connection is changed in KMS. The new connection does not have permissions to access the keys.
When AWS regions are changed or removed. The keys from the configured region are no longer accessible.
Editing AWS Keys
To view or edit an AWS key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click View/Edit.
Edit or configure the following fields and click Update:
Description: Update description of the key.
Tags: Add tags to the key.
SCHEDULES: Applies rotation schedule to the key.
AWS AUTO-ROTATE: Automatically rotates AWS native key every year.
Policies: Grant access to external accounts, key administrators, and key users.
Adding/Editing Policies
To add or edit key policy:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click Add/Edit Policies. The Add/Edit Policies screen is displayed. It contains two options to edit policies:
Basic: Select this option and grant the desired permissions. The permission can be granted for the following roles:
Role Description External Accounts AWS accounts that can use this key. Key Administrators IAM users who can administer this key. Key Users IAM users who can use this key in cryptographic operations. Raw: Select this option to edit the AWS policy under Raw Policy. Refer to "Using key policies in AWS KMS" for details.
Click Save.
Refreshing AWS Keys
Refreshing is the process of downloading keys created on the AWS KMS to CCKM. You can refresh keys from all KMS accounts at once.
To refresh keys:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The AWS Keys page is displayed. This page displays the list of AWS keys.
Click Refresh All. The This may take a while... message is displayed.
Note
Refresh all keys is a time intensive operation that could take several hours or days to complete. It will continue running in the background. Do you want to continue?
Click Refresh All to continue.
A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.
The refreshed keys are listed on the Cloud Keys > AWS > AWS Keys page.
Disabling Keys
To disable a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click Disable.
On the Disable AWS key screen, click Disable Key.
A message Key <key_name> disabled is displayed on the screen.
Caution
Take care when disabling a key. You cannot use this key in cryptographic operations and it may limit your access to certain resources that use this key.
Enabling Keys
To enable a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click Enable.
On the Enable AWS key screen, click Yes, Enable Key.
A message Key <key_name> enabled is displayed on the screen.
Importing Key Material
You can create a key without key material and can later import the CipherTrust key material to the AWS KMS. As the key material is not created on the AWS KMS, its origin is external.
Note
You can only import AES keys to the AWS KMS.
To import key material:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click Import Material.
Select Key Material Origin. Either select a new CipherTrust key or use an existing CipherTrust key.
Create New Local Key
Enter Key Name.
Select the Key Material Expiration Date from the on-screen calendar.
Click Save.
In this scenario, the CipherTrust creates a new key material and the key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled.
Use Existing Local Key
Select an existing CipherTrust key from the Source Key drop-down list.
Select the Key Material Expiration Date from the on-screen calendar.
Click Save.
In this scenario, the existing CipherTrust key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled.
Deleting Key Material
To delete key material:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click Delete Material.
On the Delete Key Material screen, select I wish to delete key material.
Click Delete Key Material.
A message AWS Key material deleted is displayed on the screen. The key state changes to PendingImport
.
Warning
Be extremely careful when deleting a key material from the AWS KMS. Once the key material is deleted, decryption of data cannot be performed using that key material. However, if needed, you can reimport the key material.
Scheduling Key Deletion
Schedule key deletion permanently removes the key from the AWS KMS at the specified time. The AWS KMS enforces a waiting period of 7 to 30 days. You can cancel schedule deletion before the waiting period ends.
To schedule key deletion:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click Schedule Key Deletion.
On the Schedule Key Deletion screen:
Select I wish to delete this key.
Select the Waiting period after which the key will be deleted.
Click Schedule Deletion.
A message Key <key_name> scheduled for deletion is displayed on the screen. The key state changes to
PendingDeletion
.
Warning
Be extremely careful when scheduling key deletion. Once the key is deleted from the AWS KMS, it cannot be restored and the data encrypted with this key will be unrecoverable.
Canceling Scheduled Deletion
To cancel scheduled deletion:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click Cancel Deletion.
A message Scheduled deletion cancelled is displayed on the screen. The key state changes to Disabled. You can enable the key if you want to use this key in the cryptographic operations.
Rotating Keys
Key rotation allows you to create a new cryptographic material for the keys.
To rotate a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click Rotate Key.
Select Key Material Origin. You can either create a new local key or use an existing local key.
Key Material Origin: New Local Key
In the Select Key Material Origin section, select Create New Local Key.
Specify a unique New Key Name for the key.
Enter description in the New Key Description field.
Specify a Key Material Expiration Date. Either enter the expiration time manually or select using the on-screen calendar. The time format is
MM/DD/YYYY HH:MM
, for example, September 23, 2020 4:03 AM.Turn on the Disable Encrypt permission on current key toggle.
Click Rotate Key.
In this scenario, the CipherTrust Manager first creates a key material and then this key material is utilized in rotating the key.
A message Successfully rotate key is displayed on the screen.
Key Material Origin: Existing Local Key
In the Select Key Material Origin section, select Use Existing Local Key.
From the Source key drop-down list, select an existing key.
Enter description in the New Key Description field.
Specify a Key Material Expiration Date. Either enter the expiration time manually or select using the on-screen calendar. The time format is
MM/DD/YYYY HH:MM
, for example, September 23, 2020 4:03 AM.Turn on the Disable Encrypt permission on current key toggle.
Click Rotate Key.
In this scenario, an already existing CipherTrust Manager's key is used in rotating the key.
A message Successfully rotate key is displayed on the screen.