Managing AWS Keys

This section describes how to manage AWS keys on CipherTrust Cloud Key Manager (CCKM). Before proceeding, you must have an AWS account added to the CCKM. Refer to Managing AWS Accounts for details.

Source Types

For adding AWS keys, CCKM supports the following key material sources:

• Native: Create AWS key material directly with native AWS application. Refer to Creating Native Key Material for details.

• External (BYOK): External (Bring Your Own Key). Add key material by creating or uploading new source key from an external source. Refer to Adding Key Material Using External (BYOK) Source for details. You can select CipherTrust Manager (External), CipherTrust Manager (Local), or Vormetric Data Security Manager (DSM) as an external key source, or Decide Later.

• CloudHSM Key Store: Create a CloudHSM key from CCKM using key material from AWS CloudHSM, which is the key source.

• External Custom Key Store (HYOK): External Custom Key Store (Hold Your Own Key). Add an HYOK key tied to key material stored in a Luna HSM or a CipherTrust Manager depending on which key source you are using. AWS Key Management Services (KMS) communicates to CCKM, which uses the AWS HYOK key as an intermediary to the source key stored in a Luna HSM or CipherTrust Manager. Depending on which key source you are using, Luna or CipherTrust Manager executes the cryptographic operations. You can rotate the HYOK key, which associates a new key in the Luna HSM or associates a new version to the CipherTrust Manager key.

  Note

  CCKM doesn't support FM-enabled Luna HSM as a key source.

  There are different operations available for HYOK keys than for other key types. You can perform the following HYOK key operations:

  • Create an HYOK key

  • Linking HYOK keys

  • View HYOK key details

  • Apply a Key Rotation Schedule

  • Adding/Editing Policies

  • Enable and disable

  • Manually delete an Unlinked HYOK key

  • Scheduling Key Deletion

  • Manually rotate an HYOK Key

  • Block or unblock an HYOK key

Regionality

When creating an AWS Native key or External (BYOK) key, you can specify whether the key is a single-region key or a multi-region key.

• Single-Region Key: A single-region key cannot be replicated in other AWS regions.

• Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.

  Note

  After a key is created, its regionality cannot be changed.

Creating Native Key Material

To create AWS key material directly with native AWS application:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS.

3. Click Add Key. The Key Material Origin screen of the Add AWS Key wizard is displayed.

Key Material Origin

1. Select the desired AWS Account from the drop-down list.

2. Select the desired Region from the drop-down list. The list shows the regions in which the selected AWS account is available.

3. Select Native as the Origin Type.

4. Select Regionality. The options are:

   • Single-Region Key: A single-region key cannot be replicated in other AWS regions.

   • Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.

     Note

     After a key is created, its regionality cannot be changed.

5. Click Next. The Destination (AWS) Key screen is displayed.

Destination (AWS) Key

1. Under Select Key Type, select the desired key type. The options are:

   • Symmetric: One key does encryption and decryption.

   • Asymmetric: A key pair does encryption and decryption.

2. Under Select Key Usage, select the key usage:

   • Encrypt and Decrypt:

     • For symmetric keys, the key is used only to encrypt and decrypt the data.

     • For asymmetric keys, the public key is used to encrypt while the private key is used to decrypt.

   • (Symmetric keys only) Generate and Verify MAC: The key is used only to generate and verify hash-based message authentication codes (HMACs).

   • (Asymmetric keys only) Sign and Verify: In this key pair, the public key is used to sign while the private key is used to verify.

3. Enter a user-friendly Alias for the key. This helps uniquely identify a key.

4. (Optional) Provide a brief Description of the key.

5. Select the desired Key Algorithm from the drop-down list.

   Note

   The Algorithm field is not displayed for symmetric keys when their Key Usage is selected as Encrypt and Decrypt.

6. (Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.

   To add a tag:

   1. Specify a tag name.

   2. Specify the tag value.

      CCKM allows the following characters in tag values:

      • Alphanumeric characters

      • Special characters ** _ . / = + - @ **

   3. Click the + button.

   Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

7. Click Next. The Key Policy screen is displayed.

On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.

Key Policy

Specify a policy for the key. You can create a new policy, select a saved policy, and build from template.

Click the desired tab to view the instructions.

Based on the selection of the key type and key usage, the Add to Schedule screen or AWS Automatic Key Rotation screen is displayed. Click the desired tab to view the instructions.

Review And Add Key

This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, KEY POLICY, NATIVE KEY, and KEY SCHEDULES (or AWS AUTOMATIC KEY ROTATION) sections. For a multi-region key, the NATIVE KEY section shows Multi-Region Key as the Regionality.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

1. Review the key details displayed on the screen.

   If details are incorrect or you want to make any changes, click Edit next to the MATERIAL ORIGIN, KEY POLICY, NATIVE KEY, and KEY SCHEDULES (or AWS AUTOMATIC KEY ROTATION) sections, and update details. Alternatively, click Back and make changes, as appropriate.

2. Click Add Key.

   The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.

   When the status next to the NATIVE KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.

3. Click OK. The Add AWS Key wizard is closed.

The newly created key is displayed in the list of AWS keys.

Adding Key Material Using External (BYOK) Source

To add key material using external BYOK as a key source:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS.

3. Click Add Key. The Key Material Origin screen of the Add AWS Key wizard is displayed.

Key Material Origin

1. Select the desired AWS Account from the drop-down list.

2. Select the desired Region from the drop-down list. The list shows the regions in which the selected AWS account is available.

3. Select External (BYOK) as Origin Type.

4. Select the Source. The options are:

   • CipherTrust (External): Add key by creating or uploading an external CipherTrust key as the source key. Refer to Adding Key Using External CipherTrust as External (BYOK) Source for details.

   • CipherTrust (Local): Add key by creating or uploading a CipherTrust key as the source key. Refer to Adding Key Using Local CipherTrust as External (BYOK) Source for details.

   • Vormetric DSM: Add key by creating or uploading a Vormetric DSM key as the source key. Refer to Adding Key Using Vormetric DSM as External (BYOK) Source for details.

   • Luna HSM: Add key by creating or uploading a Luna HSM key as the source key. Refer to Adding Key Using Luna HSM as External (BYOK) Source for details.

     Note

     CCKM doesn't support FM-enabled Luna HSM as a key source.

   • Decide Later: Add key now, but decide the key source later. Refer to Deciding Key Material Later for details.

Adding Key Using External CipherTrust as External (BYOK) Source

To add a key by creating or uploading an external CipherTrust key as the source key:

Key Material Origin

1. Select CipherTrust (External) as the Source.

2. Select Regionality. The options are:

   • Single-Region Key: A single-region key cannot be replicated in other AWS regions.

   • Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.

     Note

     After a key is created, its regionality cannot be changed.

3. Click Next. The Source Key screen is displayed.

Configure CipherTrust (External) Key

1. Select the Source Key Material. You can select Create New Key or Copy Existing Key.

   Click the desired tab to view the instructions.

   Create New Key

   1. Click Create New Key.

   2. Select Key Type. The options are Symmetric and Asymmetric.

   3. Select a Domain.

   4. Enter the Key Name.

   5. Select Algorithm:

      • For Symmetric keys, the options are AES or HMAC.

      • For Asymmetric keys, the options are RSA or EC.

   6. Select the Key Size / Key Curve based on the algorithm:

      • For the HMAC algorithm, the options are 256, 384, and 512.

      • For the RSA algorithm, the options are 2048, 3072, and 4096.

      • For the EC algorithm, the options are secp384r1, secp521r1, and secp256k1.

      Note

      Not applicable to the AES algorithm.

   Copy Existing Key

   1. Click Copy Existing Key.

   2. Select a Domain.

   3. Select Algorithm. The options are AES, HMAC, RSA, and EC.

   4. Select the Key Size / Key Curve based on the algorithm:

      • For the HMAC algorithm, the options are 256, 384, and 512.

      • For the RSA algorithm, the options are 2048, 3072, and 4096.

      • For the EC algorithm, the options are secp384r1, secp521r1, and secp256k1.

      Note

      Not applicable to the AES algorithm.

   5. (Optional) Enable Fetch Latest Version Only.

   6. Select a CipherTrust (External) Key from the list.

2. Click Next. The Destination (AWS) Key screen is displayed.

Destination (AWS) Key

1. For RSA Keys, Select Key Usage. You can select Encrypt and Decrypt or Sign and Verify.

2. Enter a user-friendly Alias for the key. This helps uniquely identify a key.

3. (Optional) Provide a brief Description of the key.

4. (Optional) Set the key expiration date.

   1. Select the Set Expiration Date check box.

   2. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 16, 2020 1:50 PM.

      To select a specific time, click Time, and select hours and minutes, from the GUI.

   3. (Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.

      To add a tag:

      1. Specify a tag name.

      2. Specify the tag value.

         CCKM allows the following characters in tag values:

         • Alphanumeric characters

         • Special characters ** _ . / = + - @ **

      3. Click the + button.

      Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

5. Click Next. The Key Policy screen is displayed.

On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.

Key Policy

Specify a policy for the key. You can create a new policy or select an existing policy.

Click the desired tab to view the instructions.

The Add to Schedule screen is displayed.

Add to Schedule

1. From the Rotation drop-down list, select a schedule to apply.

   Note

   If you're creating an imported AES symmetric key and the selected schedule has "Rotate Material (imported AES keys)" enabled, the key material will be rotated automatically when the schedule runs. For all other cases (including schedules without this option enabled), a new key will be created on rotation, and the alias will be reassigned to the new key.

2. Specify whether to Disable Encrypt Permissions on Current Key. By default, the encrypt permissions are disabled on the current key. Clear the check box to enable permissions.

3. Select the Key Origin from the available options. The key origin can be:

   • CipherTrust: CipherTrust Manager.

   • Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.

   • DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.

4. Click Next.

The Review and Add Key screen is displayed.

Review And Add Key

This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

1. Review the key details displayed on the screen.

   If details are incorrect or you want to make any changes, click Edit next to the KEY MATERIAL ORIGIN, SOURCE KEY, DESTINATION KEY, KEY POLICY and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.

2. Click Add Key.

   The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.

   When the status next to the KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections becomes Complete and the Key ID links are displayed, the key is created successfully.

3. Click OK. The Add AWS Key wizard is closed.

The newly created key is displayed in the list of AWS keys.

Adding Key Using Local CipherTrust as External (BYOK) Source

To add a key by creating or uploading a CipherTrust key as the source key:

Key Material Origin

1. Select CipherTrust (Local) as the Source.

2. Select Regionality. The options are:

   • Single-Region Key: A single-region key cannot be replicated in other AWS regions.

   • Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.

     Note

     After a key is created, its regionality cannot be changed.

3. Click Next. The Configure CipherTrust (Local) Key screen is displayed.

Configure CipherTrust (Local) Key

1. Select the Source Key Material. You can select Create New Key or Copy Existing Key.

   Click the desired tab to view the instructions.

   Create New Key

   1. Click Create New Key.

   2. Select Key Type. The options are Symmetric and Asymmetric.

   3. Enter the Key Name.

   4. Select Algorithm:

      • For Symmetric keys, the options are AES or HMAC.

      • For Asymmetric keys, the options are RSA or EC.

   5. Select the Key Size / Key Curve based on the algorithm:

      • For the HMAC algorithm, the options are 256, 384, and 512.

      • For the RSA algorithm, the options are 2048, 3072, and 4096.

      • For the EC algorithm, the options are secp384r1, secp521r1, and secp256k1.

      Note

      Not applicable to the AES algorithm.

   Copy Existing Key

   1. Click Copy Existing Key.

   2. Select Algorithm. The options are AES, HMAC, RSA, and EC.

   3. Select the Key Size / Key Curve based on the algorithm:

      • For the HMAC algorithm, the options are 256, 384, and 512.

      • For the RSA algorithm, the options are 2048, 3072, and 4096.

      • For the EC algorithm, the options are secp384r1, secp521r1, and secp256k1.

      Note

      Not applicable to the AES algorithm.

   4. (Optional) Enable Fetch Latest Version Only.

   5. Select a CipherTrust (Local) Key from the list.

2. Click Next. The Destination (AWS) Key screen is displayed.

Destination (AWS) Key

1. For RSA Keys, Select Key Usage. You can select Encrypt and Decrypt or Sign and Verify.

2. Enter a user-friendly Alias for the key. This helps uniquely identify a key.

3. (Optional) Provide a brief Description of the key.

4. (Optional) Set the key expiration date.

   1. Select the Set Expiration Date check box.

   2. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 16, 2020 1:50 PM.

      To select a specific time, click Time, and select hours and minutes, from the GUI.

   3. (Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.

      To add a tag:

      1. Specify a tag name.

      2. Specify the tag value.

         CCKM allows the following characters in tag values:

         • Alphanumeric characters

         • Special characters ** _ . / = + - @ **

      3. Click the + button.

      Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

5. Click Next. The Key Policy screen is displayed.

On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.

Key Policy

Specify a policy for the key. You can create a new policy or select an existing policy.

Click the desired tab to view the instructions.

The Add to Schedule screen is displayed.

Add to Schedule

1. From the Rotation drop-down list, select a schedule to apply.

   Note

   If you're creating an imported AES symmetric key and the selected schedule has "Rotate Material (imported AES keys)" enabled, the key material will be rotated automatically when the schedule runs. For all other cases (including schedules without this option enabled), a new key will be created on rotation, and the alias will be reassigned to the new key.

2. Specify whether to Disable Encrypt Permissions on Current Key. By default, the encrypt permissions are disabled on the current key. Clear the check box to enable permissions.

3. Select the Key Origin from the available options. The key origin can be:

   • CipherTrust: CipherTrust Manager.

   • Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.

   • DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.

4. Click Next.

The Review and Add Key screen is displayed.

Review And Add Key

This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

1. Review the key details displayed on the screen.

   If details are incorrect or you want to make any changes, click Edit next to the KEY MATERIAL ORIGIN, SOURCE KEY, DESTINATION KEY, KEY POLICY and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.

2. Click Add Key.

   The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.

   When the status next to the KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections becomes Complete and the Key ID links are displayed, the key is created successfully.

3. Click OK. The Add AWS Key wizard is closed.

The newly created key is displayed in the list of AWS keys.

Adding Key Using Vormetric DSM as External (BYOK) Source

To add a key by creating or uploading a Vormetric DSM key as the source key:

Key Material Origin

1. Select Vormetric DSM as the Source.

2. Select Regionality. The options are:

   • Single-Region Key: A single-region key cannot be replicated in other AWS regions.

   • Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.

     Note

     After a key is created, its regionality cannot be changed.

3. Click Next. The Source Key screen is displayed.

Source Key

1. Select the Source Key Material. You can select Create New Key or Copy Existing Key.

   Click the desired tab to view the instructions.

   Create New Key

   1. Click Create New Key.

   2. Enter the DSM Key Name.

   3. Select a DSM Domain.

      Note

      Not applicable to the AES algorithm.

   Copy Existing Key

   1. Click Copy Existing Key.

      Note

      The by default selected Algorithm and Key Size options are AES and 256, respectively.

   2. Select a DSM Key from the list.

2. Click Next. The Destination (AWS) Key screen is displayed.

Destination (AWS) Key

1. For RSA Keys, Select Key Usage. You can select Encrypt and Decrypt or Sign and Verify.

2. Enter a user-friendly Alias for the key. This helps uniquely identify a key.

3. (Optional) Provide a brief Description of the key.

4. (Optional) Set the key expiration date.

   1. Select the Set Expiration Date check box.

   2. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 16, 2020 1:50 PM.

      To select a specific time, click Time, and select hours and minutes, from the GUI.

   3. (Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.

      To add a tag:

      1. Specify a tag name.

      2. Specify the tag value.

         CCKM allows the following characters in tag values:

         • Alphanumeric characters

         • Special characters ** _ . / = + - @ **

      3. Click the + button.

      Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

5. Click Next. The Key Policy screen is displayed.

On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.

Key Policy

Specify a policy for the key. You can create a new policy or select an existing policy.

Click the desired tab to view the instructions.

The Add to Schedule screen is displayed.

Add to Schedule

1. From the Rotation drop-down list, select a schedule to apply.

   Note

   If you're creating an imported AES symmetric key and the selected schedule has "Rotate Material (imported AES keys)" enabled, the key material will be rotated automatically when the schedule runs. For all other cases (including schedules without this option enabled), a new key will be created on rotation, and the alias will be reassigned to the new key.

2. Specify whether to Disable Encrypt Permissions on Current Key. By default, the encrypt permissions are disabled on the current key. Clear the check box to enable permissions.

3. Select the Key Origin from the available options. The key origin can be:

   • CipherTrust: CipherTrust Manager.

   • Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.

   • DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.

4. Click Next.

The Review and Add Key screen is displayed.

Review And Add Key

This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, KEY POLICY, SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

1. Review the key details displayed on the screen.

   If details are incorrect or you want to make any changes, click Edit next to the KEY MATERIAL ORIGIN, KEY POLICY, SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.

2. Click Add Key.

   The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.

   When the status next to the KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections becomes Complete and the Key ID links are displayed, the key is created successfully.

3. Click OK. The Add AWS Key wizard is closed.

The newly created key is displayed in the list of AWS keys.

Adding Key Using Luna HSM as External (BYOK) Source

To add a key by creating or uploading a Luna HSM key as the source key:

Key Material Origin

1. Select Luna HSM as the Source.

2. Select Regionality. The options are:

   • Single-Region Key: A single-region key cannot be replicated in other AWS regions.

   • Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.

     Note

     After a key is created, its regionality cannot be changed.

3. Click Next. The Source Key screen is displayed.

Source Key

1. Select the Source Key Material. This specifies how to create the key. The options are:

   Create New Key

   1. Click Create New Key.

   2. Select Key Type. The options are Symmetric and Asymmetric.

   3. Enter the Key Name.

   4. Select a Partition ID.

   5. Select Algorithm:

      • For Symmetric keys, the option is AES.

      • For Asymmetric keys, the options are RSA or EC.

   6. (Applicable to RSA algorithm only) Select a Mechanism. The options are CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN, CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN, and CKM_RSA_PKCS_KEY_PAIR_GEN.

      Note

      The mechanisms for the AES algorithm and EC algorithm are CKM_AES_KEY_GEN and CKM_EC_KEY_PAIR_GEN, respectively.

   7. Select the Key Size / Key Curve based on the algorithm:

      • For the RSA algorithm, the options are 2048, 3072, and 4096.

      • For the EC algorithm, the options are secp384r1, secp521r1, and secp256k1.

      Note

      Not applicable to the AES algorithm.

   Copy Existing Key

   1. Click Copy Existing Key.

   2. Select Algorithm. The options are AES, RSA, and EC.

   3. Select the Key Size / Key Curve based on the algorithm:

      • For the AES algorithm, the option is 256.

      • For the RSA algorithm, the options are 2048, 3072, and 4096.

      • For the EC algorithm, the options are secp384r1, secp521r1, and secp256k1.

   4. Select a HSM Key from the list.

2. Click Next. The Destination (AWS) Key screen is displayed.

Destination (AWS) Key

1. For RSA keys, Select Key Usage. You can select Encrypt and Decrypt or Sign and Verify.

2. Enter a user-friendly Alias for the key. This helps uniquely identify a key.

3. (Optional) Provide a brief Description of the key.

4. (Optional) Set the key expiration date.

   1. Select the Set Expiration Date check box.

   2. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 16, 2020 1:50 PM.

      To select a specific time, click Time, and select hours and minutes, from the GUI.

   3. (Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.

      To add a tag:

      1. Specify a tag name.

      2. Specify the tag value.

         CCKM allows the following characters in tag values:

         • Alphanumeric characters

         • Special characters ** _ . / = + - @ **

      3. Click the + button.

      Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

5. Click Next. The Key Policy screen is displayed.

On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.

Key Policy

Specify a policy for the key. You can create a new policy or select an existing policy.

Click the desired tab to view the instructions.

The Add to Schedule screen is displayed.

Add to Schedule

1. From the Rotation drop-down list, select a schedule to apply.

   Note

   If you're creating an imported AES symmetric key and the selected schedule has "Rotate Material (imported AES keys)" enabled, the key material will be rotated automatically when the schedule runs. For all other cases (including schedules without this option enabled), a new key will be created on rotation, and the alias will be reassigned to the new key.

2. Specify whether to Disable Encrypt Permissions on Current Key. By default, the encrypt permissions are disabled on the current key. Clear the check box to enable permissions.

3. Select the Key Origin from the available options. The key origin can be:

   • CipherTrust: CipherTrust Manager.

   • Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.

   • DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.

4. Click Next.

The Review and Add Key screen is displayed.

Review And Add Key

This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

1. Review the key details displayed on the screen.

   If details are incorrect or you want to make any changes, click Edit next to the KEY MATERIAL ORIGIN, KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.

2. Click Add Key.

   The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.

   When the status next to the KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections becomes Complete and the Key ID links are displayed, the key is created successfully.

3. Click OK. The Add AWS Key wizard is closed.

The newly created key is displayed in the list of AWS keys.

Deciding Key Material Later

Add key now, but decide the key source later.

To add a new key without deciding the key material source:

Key Material Origin

1. Select Decide Later as the Source.

2. Select Regionality. The options are:

   • Single-Region Key: A single-region key cannot be replicated in other AWS regions.

   • Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.

     Note

     After a key is created, its regionality cannot be changed.

3. Click Next. The Destination (AWS) Key screen is displayed.

Destination (AWS) Key

1. Select Key Type. The options are Symmetric and Asymmetric.

2. Under Select Key Usage, select the key usage:

   • Encrypt and Decrypt:

     • For symmetric keys, the key is used only to encrypt and decrypt the data.

     • For asymmetric keys, the public key is used to encrypt while the private key is used to decrypt.

   • (Symmetric keys only) Generate and Verify MAC: The key is used only to generate and verify hash-based message authentication codes (HMACs).

   • (Asymmetric keys only) Sign and Verify: In this key pair, the public key is used to sign while the private key is used to verify.

3. Enter a user-friendly Alias for the key. This helps uniquely identify a key.

4. (Optional) Provide a brief Description of the key.

5. Select the desired Key Algorithm from the drop-down list.

   Note

   The Algorithm field is not displayed for symmetric keys when their Key Usage is selected as Encrypt and Decrypt.

6. (Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.

   To add a tag:

   1. Specify a tag name.

   2. Specify the tag value.

      CCKM allows the following characters in tag values:

      • Alphanumeric characters

      • Special characters ** _ . / = + - @ **

   3. Click the + button.

   Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

7. Click Next. The Key Policy screen is displayed.

On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.

Key Policy

Specify a policy for the key. You can create a new policy or select an existing policy.

Click the desired tab to view the instructions.

The Add to Schedule screen is displayed.

Add to Schedule

1. From the Rotation drop-down list, select a schedule to apply.

   Note

   If you're creating an imported AES symmetric key and the selected schedule has "Rotate Material (imported AES keys)" enabled, the key material will be rotated automatically when the schedule runs. For all other cases (including schedules without this option enabled), a new key will be created on rotation, and the alias will be reassigned to the new key.

2. Specify whether to Disable Encrypt Permissions on Current Key. By default, the encrypt permissions are disabled on the current key. Clear the check box to enable permissions.

3. Select the Key Origin from the available options. The key origin can be:

   • CipherTrust: CipherTrust Manager.

   • Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.

   • DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.

4. Click Next.

The Review and Add Key screen is displayed.

Review And Add Key

This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, KEY POLICY, DESTINATION KEY and KEY SCHEDULES sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality. The KEY MATERIAL ORIGIN section shows the Source Type as External (BYOK) and Source as Decide Later.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

1. Review the key details displayed on the screen.

   If details are incorrect or you want to make any changes, click Edit next to the KEY MATERIAL ORIGIN, KEY POLICY, DESTINATION KEY and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.

2. Click Add Key.

   The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.

   When the status next to the DESTINATION KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.

3. Click OK. The Add AWS Key wizard is closed.

The newly created key is displayed in the list of AWS keys. The origin of the key is BYOK - External and the key state is PendingImport.

Creating CloudHSM Keys

Before you can create a CloudHSM key, you must ensure your CloudHSM key store is configured. For more information, see AWS CloudHSM Key Store Resources.

To create a CloudHSM key using CloudHSM Source

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS.

3. Click Add Key. The Key Material Origin screen of the Add AWS Key wizard is displayed.

Key Material Origin

1. Select the desired AWS Account from the drop-down list.

2. Select the desired Region from the drop-down list.

3. Select AWS CloudHSM Key Store from Origin Type.

4. Select the desired CloudHSm Key Store from the drop-down list.

5. Enter a user-friendly Alias for the key. This helps uniquely identify the key.

6. (Optional) Provide a brief Description of the key.

7. (Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.

   To add a tag:

   1. Specify a tag name.

   2. Specify the tag value.

      CCKM allows the following characters in tag values:

      • Alphanumeric characters

      • Special characters ** _ . / = + - @ **

   3. Click the + button.

   Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

8. Click Next. The Key Policy screen is displayed.

On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.

Key Policy

Specify a policy for the key. You can create a new policy or select an existing policy.

Click the desired tab to view the instructions.

Review And Add Key

1. Review the key details, and click Add Key to create.

2. Once creation completes, click OK to close the dialog.

Creating HYOK Keys

You must prepare an external custom key store on CCKM before you can create an HYOK key.

As part of creating an HYOK key, you create a new source key in either a Luna HSM partition or a CipherTrust Manager that is associated with the external custom key store. The source of the HYOK key must match the source of the external custom key store.

Configuration varies based on whether the HYOK is created in the linked or unlinked state.

If the HYOK key is created in the linked state, a KMS key is automatically created in the corresponding AWS KMS external key store.

If the HYOK key is created in the unlinked state, you must either link it to automatically create the corresponding KMS key on AWS KMS, or you must manually create the KMS key on AWS KMS. If you choose to manually create a KMS key, you can refresh keys to later detect and link the KMS key to its HYOK key on CCKM. Managing AWS policies associated with the HYOK key on CCKM is unsupported with unlinked keys.

Create a Linked HYOK Key

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS.

3. Click Add Key. The Key Material Origin screen of the Add AWS Key wizard is displayed.

Key Material Origin

1. Select the desired AWS Account from the drop-down list.

2. Select External Custom Key Store (HYOK) from Origin Type.

3. Select CipherTrust or Luna HSM from Source.

4. Select Linked Key from the Linked State.

5. Click Next. The Source Key screen is displayed.

Source Key

1. Select an External Key Store from the drop down.

   Note

   Only key stores hosted on the local CCKM, and matching the selected Source are available.

2. Select the Source Key Material. This specifies how to create the key.

   • Create New Key

     1. Click to create a fresh key.

     2. Specify the Source Key Name for the source key. This will be the name for the new key.

        Note

        For Luna HSM keys, key attributes are displayed. These values are not editable.

   • Copy Existing Key

     1. Click to create a new key by copying an existing source key.

     2. Select a CipherTrust (Local) Key from the list. For Luna HSM, the list shows the available keys based on the Luna HSM connection.

        Valid source keys must have specific attributes, depending on the source type.

        Source Type	Required Attributes
        CipherTrust Manager	• Not exportable • Not deletable • Usage Masks: Encrypt, Decrypt, Wrap, Unwrap
        Luna HSM	• CKA_EXTRACTABLE = FALSE • CKA_SENSITIVE = TRUE • CKA_ENCRYPT = TRUE • CKA_DECRYPT = TRUE • CKA_WRAP = TRUE • CKA_UNWRAP = TRUE

3. Click Next. The Destination (AWS key) screen is displayed.

Destination (AWS) Key

1. Add an Alias for the new KMS key.

2. Optionally add a Description and Tags, if desired.

3. Click Next The Key Policy screen is displayed.

On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.

Key Policy

Specify a policy for the key. You can create a new policy or select an existing policy.

Click the desired tab to view the instructions.

The Add to Schedule screen is displayed.

Add to Schedule

1. Select the desired Rotation schedule to apply to the key from the drop-down list. This is an optional step.

   Note

   If you're creating an imported AES symmetric key and the selected schedule has "Rotate Material (imported AES keys)" enabled, the key material will be rotated automatically when the schedule runs. For all other cases (including schedules without this option enabled), a new key will be created on rotation, and the alias will be reassigned to the new key.

2. Click Next. The Review And Add Key screen is displayed.

Review And Add Key

1. Review the key details, and click Add Key to create.

   Creation completes and an XKS ID is generated for the new HYOK key.

2. Click OK to close the dialog.

Create an Unlinked HYOK key

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS.

3. Click Add Key. The Key Material Origin screen of the Add AWS Key wizard is displayed.

Key Material Origin

1. Select the desired AWS Account from the drop-down list.

2. Select External Custom Key Store (HYOK) from Origin Type.

3. Select CipherTrust or Luna HSM from Source.

4. Select Unlinked Key from the Linked State.

   This means that the corresponding key is not automatically created in AWS KMS, and you must either link the HYOK after creation, or manually create the KMS key in AWS KMS.

5. Click Next. The Source Key screen is displayed.

Source Key

1. Select an External Key Store from the drop down.

   Note

   Only local key stores matching the selected Source are available.

2. Select the Source Key Material. This specifies how to create the key. The source key must be a symmetric AES-256 key.

   For Luna source key stores, the CKA_SENSITIVE, CKA_ENCRYPT, CKA_DECRYPT, CKA_WRAP, and CKA_UNWRAP attributes must be enabled, and CKA_EXTRACTABLE must be disabled.

   The options are:

   • Create New Key

     1. Click to create a fresh key.

     2. Specify the Source Key Name for the source key. This will be the name for the new key.

        Note

        For Luna HSM keys, key attributes are displayed. These values are not editable.

   • Copy Existing Key

     1. Click to create a new key by copying an existing source key.

     2. Select a CipherTrust (Local) Key from the list. For Luna HSM, the list shows the available keys based on the Luna HSM connection.

3. Click Next. The Add to Schedule screen is displayed.

Add to Schedule

1. Select the desired Rotation schedule to apply to the key from the drop-down list. This is an optional step.

   Note

   If you're creating an imported AES symmetric key and the selected schedule has "Rotate Material (imported AES keys)" enabled, the key material will be rotated automatically when the schedule runs. For all other cases (including schedules without this option enabled), a new key will be created on rotation, and the alias will be reassigned to the new key.

2. Click Next. The Review And Add Key screen is displayed.

Review And Add Key

1. Review the key details, and click Add Key to create.

   Creation completes and an XKS ID is generated for the new HYOK key.

2. Click OK to close the dialog.

3. Create the corresponding KMS key. You can either:

   • Link the new HYOK key in CCKM.

   • Manually create the key in AWS KMS:

     1. In CCKM, retrieve the XKS ID value from the key details page.

     2. On AWS KMS, navigate to the external key store which corresponds to the CCKM external custom key store you selected for the HYOK key.

     3. Create the KMS key. Provide the XKS ID for any fields indicating an External key ID.

     4. Follow AWS documentation to associate the desired AWS services with the KMS key.

     5. If you want to later link the KMS key to its associated HYOK key, refresh all AWS keys.

   Encryption and decryption requests will now be executed with the source key.

   If the source key is a Luna HSM key, the cryptographic requests are executed inside the Luna HSM.

   If the source key is a CipherTrust Manager key, the cryptographic requests are executed inside the CipherTrust Manager.

Linking HYOK Keys

If you created an HYOK key in an unlinked state, you can link it after creation. Linking an HYOK key automatically creates a new corresponding KMS key in AWS KMS.

To link an HYOK key

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

   You can filter this list on Origin: HYOK-CCKM to display only local HYOK keys.

3. Click the overflow icon () corresponding to the desired key and click Link.

   The Configure AWS Key screen of the Link AWS Key wizard is displayed.

4. Optionally provide an Alias and Tags for the new KMS key.

5. Click Next. The AWS Key Policy screen is displayed.

6. Click the desired tab to view the instructions.

   Create New Policy

   1. Select the Create New Policy option.

   2. Select a policy view. You can select either the Basic view or Raw view. The default view is Basic.

      Select the key admins, key users, and additional accounts for the policy. The Key Admins and Key Users tabs display the list of available AWS users and roles.

      In the Basic view, Key Admins is the default tab.

      1. On the Key Admins tab, select the desired key admins.

      2. Click the Key Users tab.

      3. Select the desired key users.

      4. Add external accounts in the Add Accounts field and click +.

         These accounts have user permissions. Similarly, you can add more external accounts. To remove an account, click the close (X) icon in the account name.

         To switch to the Raw view, click Switch to policy (Raw) View. In the Raw view, paste a policy in JSON format in the Raw Policy field.

         Note

         Any edits made in the policy (Raw) view will be retained exclusively in the policy (Raw) view.

   3. Select Save this Key Policy and Enter Template Name.

   4. Click Next.

   Select Saved Policy

   1. Select the Select Saved Policy option.

   2. Select a policy from the Saved Policies drop-down list.

      You can also update the selected policy, and create a new policy using it.

      1. Select the policy view, you can select Raw View or Basic View. By default, the policy will open in the Raw View.

      2. Update the policy.

         Raw View

         Make the necessary changes in the policy.

         Basic View

         In the Basic View, Key Admins is the default tab.

         1. On the Key Admins tab, select the desired key admins.

         2. Click the Key Users tab.

         3. Select the desired key users.

         Note

         If you make changes in one of the views and switch to the other view without updating the policy, you will see a Warning message. Click Yes to continue.

      3. Click Update. The Update Policy message is displayed.

         To save the changes as a new policy, select the DO NOT Push Changes check box, and enter the New Policy name.

         Note

         If the selected policy is Unverified, the Update Policy message will not be displayed, a new policy will not be created.

      4. Click Apply.

      5. Click Next.

   Build From Template

   1. Select the Build From Template option.

   2. Select Template.

   3. (Optional) Make the necessary changes in the template.

   4. Click Next.

   The Review and Add screen is displayed.

7. Review the AWS Key and AWS Key Policy details.

8. Click Link to accept, link the HYOK key, and create a new KMS key.

9. Click OK.

Viewing AWS Keys

To view an AWS key:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed. The AWS Keys page displays following details:

   Field	Description
   Alias	Unique, user-friendly alias of the key. This is useful in searching for specific keys. The AWS Keys page shows the latest alias under the Alias field. Additional aliases for the key are displayed in braces. For example, if a key has three aliases and the latest alias is "latest-alias", the Alias field shows "latest-alias (+2 more)". Clicking the link takes to the Aliases section of the key in edit mode.
   Key ID	Unique ID of the CipherTrust Manager key.
   Account	AWS account name.
   Region	AWS region.
   Algorithm	Name of the algorithm. Supported algorithms are: • SYMMETRIC_DEFAULT • RSA_2048 • RSA_3072 • RSA_4096 • ECC_NIST_P256 • ECC_NIST_P384 • ECC_NIST_P521 • ECC_SECG_P256K1
   Source Key	Name of the source key.
   Source Type	Source of the key. • CipherTrust (Local): Local CipherTrust Manager • DSM: Vormetric Data Security Manager • Luna: HSM Luna • CipherTrust (External): External CipherTrust Manager.
   Key State	State of the key. The state can be: • Enabled • Disabled • Deleted • PendingDeletion • PendingImport • Unavailable
   Creation Date	Time when the key is created.
   Origin	The origin of the key can be: • BYOK-CCKM: Key material is created on CCKM. • Native: Key material is created on the cloud. • BYOK - External: Source of the key material is unknown. It is different than CCKM and the native cloud. •HYOK-CCKM: HYOK key exists on CCKM • HYOK-External: An external key from KMS, without the corresponding HYOK key on the local CCKM. This can mean that the HYOK key is present on a different CCKM not clustered with the local one, or that the HYOK key is present on another vendor's external key manager. NOTE: When the CipherTrust Manager is upgraded from 2.0 to 2.1, the Origin column appears blank. The column will be populated on next scheduled key synchronization or on-demand synchronization by clicking the Sync All button.
   Expiration Date	Time when the key will expire. Expiration date is nonapplicable for some key types.
   Expiration State	State of the expiration.
   Regionality	Whether the key is a single-region key, multi-region primary key, or multi-region replica key.
   Cloud	Name of the AWS cloud.
   Key Usage	How the key is used - for example, to decrypt and encrypt or to sign and verify.
   Source Key Container	Container of the source key. A container can be the CipherTrust Manager, DSM, or Luna HSM.
   Key Store	(Applicable to HYOK keys) Name of the key store.

   Some of these fields are not populated for HYOK keys. The non-populated fields are Alias, Key ID, Key State, and Creation Date.

   The Regionality, Cloud, Key Usage, and Source Key Container columns are hidden by default. To show/hide a column, click the custom view icon (), select/clear the desired column, and click OK. The Key Usage column is not populated for HYOK keys.

Sometimes, you might notice certain keys are displayed as grayed out. This happens when the keys are no longer accessible. For example, when:

• Any cloud permissions on the keys are changed. The keys are no longer accessible from the AWS connection.

• Connection is changed in AWS KMS. The new connection does not have permissions to access the keys.

• When AWS regions are changed or removed. The keys from the configured region are no longer accessible.

Creating Replica of Multi-Region Keys

A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. Later, you can set any replica of the multi-region key as the primary key.

To add a replica:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the alias of the desired multi-region primary key. The detail view of the key is displayed.

4. Scroll down to the REGIONALITY section.

5. Click Add Replicas. The Add Replica Region screen of the Add Replica Keys dialog box is displayed.

Add Replica Region

1. From the Select Replica Region drop-down list, select the AWS region where you want to create the replica key.

2. Click Next. The Add Labels screen is displayed.

Add Labels

The fields on the Add Labels screen display the current values of the primary key, but you can edit them at any time. AWS KMS does not synchronize any changes to these values.

1. Enter a user-friendly Alias for the replica key. This helps uniquely identify the replica key.

2. (Optional) Provide a brief Description of the key.

3. (Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.

   To add a tag:

   1. Specify a tag name.

   2. Specify the tag value.

      CCKM allows the following characters in tag values:

      • Alphanumeric characters

      • Special characters ** _ . / = + - @ **

   3. Click the + button.

   Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

4. Click Next. The Key Policy screen is displayed.

On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.

Key Policy

Specify a policy for the key. You can create a new policy, select a saved policy, and build from template.

Click the desired tab to view the instructions.

The Review screen is displayed.

Review

This screen shows the replica key details that you have provided. These details are divided into REPLICA REGION, LABELS, AWS KEY POLICY, and CONFIRMATION sections.

Before adding the replica key, review all details. After the key is added, certain features will no longer be editable.

1. Review the key details displayed on the screen.

   If details are incorrect or you want to make any changes, click Edit next to the REPLICA REGION and LABELS sections and update details. Alternatively, click Back and make changes, as appropriate.

2. Under CONFIRMATION, select I understand that the values I choose here are not synchronized with any other Multi-Region Key.

3. Click Add Replica Key. Your key is successfully added. Close window to return to replica keys list.

4. Click Close. The Add Replica Keys wizard is closed.

The newly created replica key is displayed in the list of replica keys under the REGIONALITY section. The Regionality of a replica key is displayed as REPLICA and its Status moves from Starting to PendingImport.

Viewing Replicas of a Multi-Region Key

To view the replicas of a multi-region key:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the alias of the desired multi-region primary key. The detail view of the key is displayed. To view or edit an AWS key:

4. Scroll down to the REGIONALITY section. This section shows the replicas of the multi-region primary key. The section shows the following details:

   Field	Description
   Region	Region where the replica is created.
   Key ARN	Amazon Resource Name (ARN) of the AWS replica.
   Alias	Alias of the replica key.
   State	State of the replica key.
   Regionality	Regionality of the replica key is REPLICA.
   Creation Date	Date and time when the replica is created.

Viewing or Editing AWS Key Details

To view or edit an AWS key:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click View/Edit.

4. For HYOK keys, you can obtain the following additional values:

   • The XKS ID. You can copy this value using the copy button, if you want to manually create a corresponding KMS key. In AWS, this value is called the External key ID.

   • The Source. This is a link to the CCKM-managed source key stored within either Luna HSM or CipherTrust Manager (depending on which key source you are using). This is important if you want to perform any key functions using either Luna key functions or CipherTrust Manager key functions.

   Note

   You can view but not edit details for unlinked HYOK keys.

5. For Native, linked HYOK keys, and BYOK Keys, edit or configure the following fields and click Update:

   • POLICY: Grant access to external accounts, key administrators, and key users. Refer to Adding/Editing Policies for details.

   • ALIASES: Add or delete aliases of the key.

   • LABELS: Add tags to the key. Refer to Add Labels for characters allowed in AWS tag values.

   • SCHEDULES: Applies rotation schedule to the key. Refer to Apply Key Rotation Schedule for details.

     Note

     • You can only view and remove the schedule if you have assigned it to the existing AWS native key that has an algorithm as SYMMETRIC_DEFAULT. After you remove the schedule, this section will be hidden.

     • If a new AWS native key is created that has an algorithm as SYMMETRIC_DEFAULT, the key will not have the SCHEDULES section.

   • AWS AUTOMATIC KEY ROTATION: Automatically rotates AWS native key after a specified time period. To automatically rotate the key, enable automatic key rotation and enter the Rotation period (in days).

     Based on the entered rotation period, the next rotation date will be displayed.

     Note

     • The default rotation period is 365 days.

     • Automatic key rotation only applies to the AWS native keys that have the algorithm as SYMMETRIC_DEFAULT.

     • If the next rotation date is not displayed, click the Refresh icon.

   • ROTATION HISTORY: Rotate the key. Refer to Rotation History for details.

Adding or Deleting Aliases

To add a new alias to the key:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click View/Edit.

4. Under ALIASES, click Add Alias.

5. Enter an Alias Name.

6. Click Save. The new alias is added to the key.

The AWS Keys page shows the latest alias under the Alias field. Additional aliases for the key are displayed in braces. For example, if a key has three aliases and the latest alias is "latest-alias", the Alias field shows "latest-alias (+2 more)". Clicking the link takes to the Aliases section of the key in edit mode.

To delete an alias of the key:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click View/Edit.

4. Under Aliases, click the overflow icon () corresponding to the desired alias.

5. Click Delete. The alias is deleted.

Apply Key Rotation Schedule

To apply a key rotation schedule to an AWS key:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click View/Edit.

4. Under SCHEDULES, from the Rotation drop-down list, select a schedule to apply. If applying a schedule to a CloudHSM key or linked HYOK key, proceed to step 7.

   Note

   If the selected scheduled rotation has Rotate Key Material (Imported AES Keys) enabled, you will see it alongside the rotation name.

5. (Optional) For BYOK or Native keys, you can grant or deny the encrypt permission to the key policy in the AWS account where the key is created in OR to the key policy in all accounts the key is shared in:

   • Select Disable Encrypt Permissions on Current Key to deny the encrypt permission to the key policy in the AWS account where the key is created in. Clear the check box to grant the encrypt permission. By default, Disable Encrypt Permissions on Current Key is selected, that is, the encrypt permission is denied to the current key.

   • Select Disable Encrypt Permissions on All Accounts to deny the encrypt permission to the key policy in all the AWS accounts the key is shared in. Clear the check box to grant the encrypt permission.

6. For BYOK or Native keys, select the Key Origin from the available options. The key origin can be:

   • CipherTrust (External): External CipherTrust Manager.

   • CipherTrust (Local): Local CipherTrust Manager.

   • Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.

   • DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.

   Note

   If the algorithm of the key is RSA, EC, or HMAC, you can only select CipherTrust (Local) as the Key Origin.

7. Click Update.

Rotation History

You can view the details and perform a new rotation for Native and BYOK keys using the SYMMETRIC_DEFAULT algorithm.

• Native keys with the SYMMETRIC_DEFAULT algorithm: You can view the Key Material ID, Date, State, and Type of the key rotation.

  To perform a new rotation:

  1. Click Rotate Key, the AWS On-Demand Key Rotation dialog box is displayed.

  2. Click Rotate.

     Warning

     As of now, you can only initiate AWS On-Demand Key Rotation 10 times by default.

     Note

     • On-demand key rotation applies to the AWS native keys that have the algorithm as SYMMETRIC_DEFAULT.

     • If the latest rotation history details are not displayed, click the Refresh icon.

• BYOK keys with the SYMMETRIC_DEFAULT algorithm: You can view the Key Material ID, Rotation Date, Key Material State, Import State, Source Type, Origin, Expiration Date, and Key Material Description of the key rotation.

  To perform a new rotation, refer to the Rotating Keys section.

  For BYOK keys, you can also promote a key material to current, re-import it, or delete it.

  Promote to Current: To promote a key material to current:

  1. Click the overflow icon () next to the desired key rotation and select Promote to Current. The Promote to Current dialog box is displayed.

  2. Click Rotate.

  3. Click OK.

     Note

     You can promote a key material to current only when it's first in the list and its state is Pending Rotation.

  Re-Import: To re-import a key material.

  1. Click the overflow icon () next to the desired key rotation and select Re-Import Key Material. The Re-Import Key Material dialog box is displayed.

  2. Click Re-Import Key Material.

  3. Click Next.

  4. (Optional) Select Key Material Expiration Date.

  5. (Optional) Enter Description.

  6. Click Next.

  7. Click Import.

  8. Click OK.

     Note

     You can only re-import a deleted key material.

  Delete: To delete a key material.

  1. Click the overflow icon () next to the desired key rotation and select Delete Key Material. The Delete Key Material dialog box is displayed.

  2. Click Delete Key Material.

     Note

     You can delete the imported key material.

Adding/Editing Policies

You can apply a new policy or edit the policy attached to an AWS key on the list view or the details view of the AWS Keys page.

On the list view of the AWS Keys page

To add or edit key policy:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click Add/Edit Policies.

   The Add/Edit Policies dialog box displays the attached policy, if any. Under Unsaved Policy, you can either:

   • Update the policy locally. These are local changes only. They do not affect the original policy.

     Alternatively, you can save the changes as a new policy. Click Save to Policy List, specify a Policy Name, and click Save. The newly created policy will be available as a saved policy for selection.

   • Attach a new saved policy. Click Select Saved Policy, select a saved policy from the drop-down list, and click Apply.

   • Select a template and use it to create a key policy. Click Build from Template, select a template from the drop-down list, and click Apply.

4. Click Save.

On the details view of the AWS Keys page

To add or edit key policy:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the Alias link of the key.

4. Navigate to the POLICY section.

5. Add or update the policy, as described above.

6. Click Update.

Refreshing AWS Keys

Refreshing is the process of downloading keys created on the AWS KMS to CCKM. You can refresh keys from all AWS KMS accounts at once.

Refreshing keys also refreshes AWS CloudHSM key stores and external custom key stores.

Refreshing all keys can set unlinked HYOK keys to a linked state. This happens when CCKM detects a corresponding KMS key for an local unlinked HYOK key. As well, this operation can set unlinked external custom key stores to a linked state. This happens when CCKM detects a corresponding KMS external key store for an local unlinked external custom key store.

To refresh keys:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The AWS Keys page is displayed. This page displays the list of AWS keys.

3. Click Refresh All. The This may take a while... message is displayed.

   Note

   Refresh all keys is a time intensive operation that could take several hours or days to complete. It will continue running in the background. Do you want to continue?

4. Click Refresh All to continue.

A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.

The refreshed keys are listed on the Cloud Keys > AWS > AWS Keys page.

Disabling Keys

To disable the key(s):

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Select the keys to be enabled from the list.

4. Click Disable. The Disable Key(s) dialog box is displayed.

5. Click Disable. The Job Created dialog box is displayed. A job is created to track the disabling of the keys.

6. Click OK.

You can check the job status on the Bulk Operations tab.

Enabling Keys

To enable the key(s):

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Select the keys to be enabled from the list.

4. Click Enable. The Enable Key(s) dialog box is displayed.

5. Click Enable. The Job Created dialog box is displayed. A job is created to track the enabling of the keys.

6. Click OK.

You can check the job status on the Bulk Operations tab.

Downloading Keys

Asymmetric keys can be downloaded to your local machines. Symmetric keys cannot be downloaded.

To download an asymmetric key:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click Download Key. The key is downloaded.

Importing Key Material

You can create a key without key material and can later import the CipherTrust key material to the AWS KMS. As the key material is not created on the AWS KMS, its origin is external.

To import key material:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click Import Material. The Import Material dialog box is displayed.

4. Select Import Type (the desired key material source). The options are:

   • Import Using CipherTrust (External)

   • Import Using CipherTrust (Local)

   • Import Using Vormetric DSM

   • Import Using Luna HSM

     Note

     The Vormetric DSM key option will be available only for the keys that have the algorithm as SYMMETRIC_DEFAULT (AES).

Import Using CipherTrust (External)

When importing the key material from an external CipherTrust Manager, Select Key Material Origin. The options are:

• Create New Key

• Use Existing Key

Create New Key

In this method, the external CipherTrust Manager creates the new key material locally.

1. Select Create New Key.

2. Click Next.

3. Enter Key Name.

4. Select Domain for the key. The drop-down list shows the domains of the external CipherTrust Manager linked with the configured connection.

5. (Optional) Select the Key Material Expiration Date from the on-screen calendar.

6. Click Next. The Review Key Details screen is displayed.

7. Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.

8. Click Import.

   The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed. When the status next to the SOURCE KEY section becomes Complete, the key material is imported successfully.

9. Click OK.

In this scenario, the CipherTrust creates a new key material and the key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.

Use Existing Key

In this method, the key material of an existing external CipherTrust Manager key is used.

1. Select Use Existing Key.

2. Click Next.

3. Select Domain from the drop-down list. The drop-down list shows the domains of the external CipherTrust Manager linked with the configured connection.

4. Select a CipherTrust (External) Key from the list.

5. (Optional) Select the Key Material Expiration Date from the on-screen calendar.

6. Click Next. The Review Key Details screen is displayed.

7. Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.

8. Click Import.

   The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed.

9. Click OK.

In this scenario, the existing key material of the external CipherTrust Manager is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.

Import Using CipherTrust (Local)

When importing the key material from CipherTrust, Select Key Material Origin. The options are:

• Create New Key

• Use Existing Key

Create New Key

In this method, CipherTrust Manager creates the new key material locally.

1. Select Create New Key.

2. Click Next.

3. Enter Key Name.

4. (Optional) Select the Key Material Expiration Date from the on-screen calendar.

5. Click Next. The Review Key Details screen is displayed.

6. Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.

7. Click Import.

   The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed. When the status next to the SOURCE KEY section becomes Complete, the key material is imported successfully.

8. Click OK.

In this scenario, the CipherTrust creates a new key material and the key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.

Use Existing Key

In this method, the key material of an existing CipherTrust Manager key is used.

1. Select Use Existing Key.

2. Click Next.

3. Select a CipherTrust (Local) Key from the list.

4. (Optional) Select the Key Material Expiration Date from the on-screen calendar.

5. Click Next. The Review Key Details screen is displayed.

6. Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.

7. Click Import.

   The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed.

8. Click OK.

In this scenario, the existing CipherTrust key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.

Import Using Vormetric DSM

When importing the key material from Vormetric DSM, Select Key Material Origin. The options are:

• Create New Key

• Use Existing Key

Create New Key

In this method, DSM creates the new key material locally.

1. Select Create New Key.

2. Click Next.

3. Enter a DSM Key Name.

4. Select the desired DSM Domain.

5. (Optional) Select the Key Material Expiration Date from the on-screen calendar.

6. Click Next. The Review Key Details screen is displayed.

7. Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.

8. Click Import.

   The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed. When the status next to the SOURCE KEY section becomes Complete, the key material is imported successfully.

9. Click OK.

In this scenario, the DSM creates a new key material and the key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.

Use Existing Key

In this method, the key material of an existing DSM key is used.

1. Select Use Existing Key.

2. Click Next.

3. Select a DSM Key from the list.

4. (Optional) Select the Key Material Expiration Date from the on-screen calendar.

5. Click Next. The Review Key Details screen is displayed.

6. Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.

7. Click Import.

   The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed.

8. Click OK.

In this scenario, the existing DSM key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.

Import Using Luna HSM

When importing the key material from Luna HSM, Select Key Material Origin. The options are:

• Create New Key

• Use Existing Key

Create New Key

In this method, Luna HSM creates the new key material locally.

1. Select Create New Key.

2. Click Next. The Add Key Details page is disabled.

3. Enter a Key Name.

4. Select the desired Partition ID.

5. Select the desired Key Attributes.

6. (Optional) Select the Key Material Expiration Date from the on-screen calendar.

7. Click Next. The Review Key Details screen is displayed.

8. Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.

9. Click Import.

   The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed. When the status next to the SOURCE KEY section becomes Complete, the key material is imported successfully.

10. Click OK.

In this scenario, the Luna HSM creates a new key material and the key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.

Use Existing Key

In this method, the key material of an existing Luna HSM key is used.

1. Select Use Existing Key.

2. Click Next. The Add Key Details page is disabled.

3. Select an HSM Key from the list.

4. (Optional) Select the Key Material Expiration Date from the on-screen calendar.

5. Click Next. The Review Key Details screen is displayed.

6. Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.

7. Click Import.

   The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed.

8. Click OK.

In this scenario, the existing Luna HSM key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.

Deleting Key Material

To delete key material:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click Delete Material. The Delete Key Material dialog box is displayed.

4. Select I wish to delete key material.

5. Click Delete Key Material.

A message AWS Key material deleted is displayed on the screen. The key state changes to PendingImport.

Scheduling Key Deletion

Scheduled key deletion permanently removes the key from the AWS KMS (if a Native, linked HYOK, or BYOK key) or from the AWS CloudHSM (if a CloudHSM key) at the specified time. The AWS KMS enforces a waiting period of 7 to 30 days. You can cancel schedule deletion before the waiting period ends.

For linked HYOK keys, scheduling deletion removes the local CCKM HYOK key, and the remote KMS key at the specified time. Unlinked HYOK keys can only be deleted manually, not at a scheduled time. Deleting an HYOK key does not delete the source key (stored in either an Luna HSM or CipherTrust Manager. You can later create a new HYOK key using the source key.

To schedule key deletion:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click Schedule Key Deletion.

4. On the Schedule Key Deletion screen:

   1. Select I wish to delete this key.

   2. Specify the Waiting period (in Days) after which the key will be deleted. The default value is 30.

   3. Click Schedule Deletion.

   A message Key <key_name> scheduled for deletion is displayed on the screen. The key state changes to PendingDeletion.

Canceling Scheduled Deletion

This functionality is applicable to Native, BYOK, and CloudHSM keys.

To cancel scheduled deletion:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click Cancel Deletion.

A message Scheduled deletion cancelled is displayed on the screen. The key state changes to Disabled. You can enable the key, if you wish to use this key in the cryptographic operations.

Deleting Unlinked HYOK Keys

Deleting an unlinked HYOK Key deletes the XKS ID that is associated to a KMS key in AWS KMS. The corresponding KMS key is not deleted, but it can no longer perform cryptographic operations. For linked HYOK keys, you can schedule a key deletion to delete both the HYOK key on CCKM and the KMS key in AWS KMS.

Deleting an HYOK key does not delete the source key (stored in either an Luna HSM or CipherTrust Manager). You can later create a new HYOK key using the source key. Luna source keys are managed through CCKM Luna key functions, and CipherTrust Manager source keys are managed through CipherTrust Manager key management menus.

To delete an unlinked HYOK key:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

   You can filter this list on Origin: CCKM-HYOK to display only HYOK keys.

3. Click the overflow icon () corresponding to the desired alias and click Delete. The Delete Key dialog box is displayed.

4. Click Delete Key to confirm.

Rotating Keys

Key rotation is a critical security best practice that involves updating the cryptographic material used by your keys. CCKM offers several ways to manage key rotation for your AWS keys.

Understanding Key Rotation Mechanisms in CCKM

CCKM supports different approaches to key rotation depending on the key type and origin:

• Material Rotation (Retaining Key ID and ARN): This is the primary rotation method facilitated by CCKM's "Rotate Key" feature for symmetric single-region BYOK keys and Native AWS keys, where algorithm is SYMMETRIC_DEFAULT. It involves associating new cryptographic material with the existing AWS KMS Key ID and ARN. The key's identity in AWS remains the same, but the underlying material changes. This is particularly relevant for BYOK symmetric keys.

• AWS-Managed Automatic Rotation: For Native AWS keys using the SYMMETRIC_DEFAULT algorithm, AWS KMS can automatically rotate the key material. CCKM allows you to enable and manage this feature.

• HYOK Key Versioning: For HYOK keys, rotation (termed "Add Version (Rotate)") involves associating a new version of the source key (from CipherTrust Manager or a new Luna HSM key) with the existing HYOK entity in CCKM. The HYOK key in AWS KMS then uses this new material for future operations.

• CloudHSM Key Rotation: For keys stored in an AWS CloudHSM custom key store, CCKM triggers a rotation command that instructs AWS CloudHSM to generate new key material for the existing key within the HSM.

• Manual Alias-Based Rotation (New Key ID and ARN): As a general key management strategy, for any key type, you can manually achieve a form of rotation by:

  1. Creating an entirely new AWS key with fresh key material (see Creating Native Key Material or Adding Key Material Using External (BYOK) Source).

  2. Removing the alias from the old key.

  3. Adding that alias to the newly created key.

  This method results in a new AWS KMS Key ID and ARN. It's a manual process and distinct from CCKM's "Rotate Key" feature which often aims to retain the existing Key ID.

General Steps to Initiate Key Rotation via CCKM UI

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Locate the key you wish to rotate. Click the overflow icon () corresponding to its alias.

   • For Native, BYOK, or CloudHSM keys, click Rotate Key.

   • For HYOK keys, click Add Version (Rotate).

The subsequent steps depend on the type of key you are rotating, as detailed in the sections below.

Rotating Native AWS Keys

The process for rotating Native AWS keys varies based on their configuration.

1. Native Keys with SYMMETRIC_DEFAULT Algorithm (AWS-Managed Rotation)

If you are rotating an AWS native key that uses the SYMMETRIC_DEFAULT algorithm, CCKM can initiate an AWS on-demand key rotation or manage AWS's automatic rotation schedule.

• On-Demand Rotation

  • After clicking Rotate Key, an "AWS On-Demand Key Rotation" dialog box may appear.

  • Click Rotate in the dialog, then OK to confirm.

  • Alternatively, this option might be available in the key's "View/Edit" screen under "ROTATION HISTORY". Refer to ROTATION HISTORY for details.

    Warning

    AWS KMS may have a default limit on how many times you can initiate on-demand key rotation (for example, 10 times by default). Consult AWS documentation for the most current information.

• Scheduled Automatic Rotation: You can enable AWS automatic key rotation and set a rotation period via the key's "View/Edit" screen under "AWS AUTOMATIC KEY ROTATION".

  Note

  For these AWS-managed rotations, you do not select new key material from an external source like CipherTrust Manager; AWS manages the generation of the new key material.

2. Native Asymmetric Keys or Other Native Key Types

For other types of Native AWS keys (such as asymmetric keys, HMAC keys, etc.), key rotation will create a new BYOK key and reassign the alias from the existing Native AWS key to the newly created BYOK key. Follow the instructions for Material Rotation (BYOK and applicable Native Keys) below.

Rotate BYOK Keys

The process for rotating AWS BYOK keys varies based on their configuration.

1. Single region BYOK keys with SYMMETRIC_DEFAULT Algorithm

When you rotate BYOK keys, CCKM’s Rotate Key feature helps update the cryptographic material for the existing AWS Key ID and ARN. You provide new key material from a supported source. Follow the instructions for Material Rotation (BYOK and applicable Native Keys) below.

Alternatively, this option might be available in the key's "View/Edit" screen under "ROTATION HISTORY". Refer to ROTATION HISTORY for details.

2. Other BYOK Keys

For other types of BYOK keys (such as asymmetric keys, multi-region symmetric keys, or HMAC keys), key rotation creates a new BYOK key and moves the alias from the existing key to the new one.

Steps for Material Rotation (BYOK and applicable Native Keys)

1. After clicking Rotate Key (as described in General Steps to Initiate Key Rotation), the Select Material Origin screen appears.

2. Choose the source for the new key material. Options typically include:

   • Upload New CipherTrust (External) Key: Create a new key on an external CipherTrust Manager.

   • Upload Existing CipherTrust (External) Key: Use an existing key from an external CipherTrust Manager.

   • Upload New Vormetric DSM Key: Create a new key on a Vormetric DSM. (Available for SYMMETRIC_DEFAULT/AES keys)

   • Upload Existing Vormetric DSM Key: Use an existing key from a Vormetric DSM. (Available for SYMMETRIC_DEFAULT/AES keys)

   • Upload New Luna HSM Key: Create a new key on a Luna HSM.

   • Upload Existing Luna HSM Key: Use an existing key from a Luna HSM.

   • Upload New CipherTrust (Local) Key: Create a new key on the local CipherTrust Manager.

   • Upload Existing CipherTrust (Local) Key: Use an existing key from the local CipherTrust Manager.

   Select your desired option and click Next.

3. Configure source key details. The next screen will prompt you to either create a new source key or select an existing one, based on your choice.

   • If you selected Upload New ... Key:

     • For CipherTrust (External) Key:

       1. Select Domain from the drop-down list.

       2. Specify a unique Key Name for the new source key.

     • For CipherTrust (Local) Key: Specify a unique Key Name for the new source key.

     • For Vormetric DSM Key:

       1. Specify a unique DSM Key Name.

       2. Select the desired DSM Domain.

     • For Luna HSM Key:

       Note

       CCKM doesn't support FM-enabled Luna HSM as a key source.

       1. Specify a unique Key Name for the new source key.

       2. Select the desired Partition ID.

       3. Review the displayed Key Attributes.

   • If you selected Upload Existing ... Key:

     • For CipherTrust (External) Key: Select the desired CipherTrust (External) Key from the list.

     • For CipherTrust (Local) Key: Select the desired CipherTrust (Local) Key from the list.

     • For Vormetric DSM Key: Select the desired DSM Key from the list.

     • For Luna HSM Key:

       Note

       CCKM doesn't support FM-enabled Luna HSM as a key source.

       Select the desired HSM Key from the list.

   Click Next.

4. Configure destination key properties (Add Labels screen).

5. Click the desired tab to view the instructions.

   Single-region BYOK keys with the SYMMETRIC_DEFAULT algorithm

   1. (Optional) Provide a Description for this rotation instance or update the key's description.

   2. (Optional) Set or update a key Expiration Date for the new material:

      1. Select the Expiration Date check box.

      2. Enter the date and time (for example, MM/DD/YYYY HH:MM) or use the calendar.

   3. Click Next.

   4. Review and update the rotate key metarial details that you have provided. These details are divided into MATERIAL ORIGIN and CONFIGURATION sections.

   5. Before rotating the key, review all details. After the key is rotated, certain features will no longer be editable.

   6. Click Rotate.

   7. Click OK. The Rotate Key Material wizard is closed.

   Other BYOK Keys

   The Alias of the current AWS key being rotated is pre-populated.

   1. (Optional) Provide a Description for this rotation instance or update the key's description.

   2. (Optional) Set or update a key Expiration Date for the new material:

      1. Select the Expiration Date check box.

      2. Enter the date and time (for example, MM/DD/YYYY HH:MM) or use the calendar.

   3. (Optional) For BYOK or Native keys, you can grant or deny the encrypt permission to the key policy in the AWS account where the key is created in OR to the key policy in all accounts the key is shared in:

      • Select Disable Encrypt Permissions on Current Key to deny the encrypt permission to the key policy in the AWS account where the key is created in. Clear the check box to grant the encrypt permission. By default, Disable Encrypt Permissions on Current Key is selected, that is, the encrypt permission is denied to the current key.

      • Select Disable Encrypt Permissions on All Accounts to deny the encrypt permission to the key policy in all the AWS accounts the key is shared in. Clear the check box to grant the encrypt permission.

   4. (Optional) Select the Apply Gravestone Alias on Current Key check box to retain the current key's alias (with a timestamp) on the archived key material/version after rotation. If not selected, the alias is not retained on the old key version.

   5. Click Save. A message will confirm successful key material creation (if applicable) and key rotation for the AWS key.

Rotating CloudHSM Keys

Rotating a CloudHSM key involves CCKM instructing AWS CloudHSM to generate new key material for the existing key within the CloudHSM cluster. The Key ID in AWS KMS remains the same.

1. After clicking Rotate Key (as described in General Steps to Initiate Key Rotation), the Rotate Key screen (or a similar confirmation screen) appears.

2. (Optional) Provide a Description for this rotation instance.

3. Disable encrypt permissions on the current key (old material).

   1. (Optional) For BYOK or Native keys, you can grant or deny the encrypt permission to the key policy in the AWS account where the key is created in OR to the key policy in all accounts the key is shared in:

   2. Select Disable Encrypt Permissions on Current Key to deny the encrypt permission to the key policy in the AWS account where the key is created in. Clear the check box to grant the encrypt permission. By default, Disable Encrypt Permissions on Current Key is selected, that is, the encrypt permission is denied to the current key.

   3. Select Disable Encrypt Permissions on All Accounts to deny the encrypt permission to the key policy in all the AWS accounts the key is shared in. Clear the check box to grant the encrypt permission.

   By default, encrypt permissions are disabled on the current (old) key material after rotation. Clear the check box to keep them enabled on the old material.

4. (Optional) Select the Apply Gravestone Alias on Current Key checkbox if you wish to retain the key alias (with a timestamp) on the archived key material after rotation. If not selected, the alias is not retained on the old key version.

5. Click Save (or Rotate). A message will confirm successful key rotation.

Rotating HYOK Keys (Add Version / Rotate)

Rotating a Hold Your Own Key (HYOK) involves associating new cryptographic material (either a new source key or a new version of an existing source key from your CipherTrust Manager or Luna HSM) with the HYOK entity in CCKM. This new material will be used for future encryption operations by the corresponding AWS KMS key. Decryption operations on data encrypted with previous key material will continue to use the older material.

Steps

After clicking Add Version (Rotate) (as described in General Steps to Initiate Key Rotation), the Select Material Origin screen (or a direct confirmation for CM key versioning) appears.

Option 1: Create New CipherTrust Manager Key Version (for CipherTrust Manager sourced HYOK keys)

If your HYOK key's source is a CipherTrust Manager key, rotation typically involves creating a new version of that existing source key.

1. From the "Add Version (Rotate) Key" screen (this might be a direct confirmation dialog if only this option is available for the key), click Rotate Key (or similar confirmation) to proceed.

2. Leave the dialog open until the rotation operation completes successfully.

Option 2: Create a New Luna HSM Key (for Luna HSM sourced HYOK keys)

You can create an entirely new source key in your Luna HSM to associate with the HYOK.

1. On the Select Material Origin screen, select Create New Luna HSM Key.

2. Click Next. The Configure Source Key screen is displayed.

3. Provide a new Source Key Name for the key to be created in the Luna HSM.

   Note

   Key attributes for the new Luna HSM key will be displayed and are typically not editable, ensuring they meet HYOK requirements.

4. Click Next to proceed to the Review and Rotate Key screen.

5. Review the key details and click Rotate to confirm.

6. Leave the dialog open until the rotation operation completes successfully.

Option 3: Use Existing Luna HSM Key (for Luna HSM sourced HYOK keys)

You can use another existing AES-256 key from your Luna HSM as the new cryptographic material for the HYOK.

1. On the Select Material Origin screen, select Use Existing Luna HSM Key.

2. Click Next. The Configure Source Key screen is displayed.

3. Select the desired key from the Select Luna Key drop-down list.

   Note

   The existing Luna HSM key must be AES-256 and have the following attributes:

   • CKA_EXTRACTABLE = FALSE

   • CKA_SENSITIVE = TRUE

   • CKA_ENCRYPT = TRUE

   • CKA_DECRYPT = TRUE

   • CKA_WRAP = TRUE

   • CKA_UNWRAP = TRUE

4. Click Next to proceed to the Review and Rotate Key screen.

5. Review the key details and click Rotate to confirm.

6. Leave the dialog open until the rotation operation completes successfully.

Blocking and Unblocking HYOK Keys

Blocking and unblocking an HYOK key is a way to temporarily suspend and restore AWS KMS's access to the HYOK key and its source key. This way, you do not permanently delete the HYOK key and the XKS ID which AWS KMS needs to communicate to the HYOK and source key.

Block a Key

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

   You can filter this list on Origin: HYOK-CCKM to display only local HYOK keys.

3. Click the overflow icon () corresponding to the desired key and click Block Key.

4. Confirm you wish to block the key by clicking Block in the Block Key dialog.

Unblock a Key

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

   You can filter this list on Origin: HYOK-CCKM to display only local HYOK keys.

3. Click the overflow icon () corresponding to the desired key and click Unblock Key.

4. Confirm you wish to unblock the key by clicking Unblock in the Block Key dialog.