Managing AWS Keys
This section describes how to manage AWS keys on CipherTrust Cloud Key Manager (CCKM). Before proceeding, you must have an AWS account added to the CCKM. Refer to Managing AWS Accounts for details.
Note
AWS-managed keys can’t be managed by CCKM. Any key management operations on such keys from CCKM will not succeed.
Source Types
For adding AWS keys, CCKM supports the following key material sources:
Native: Create AWS key material directly with the native AWS application. Refer to Creating Native Key Material for details.
External (BYOK): External (Bring Your Own Key). Add key material by creating or uploading a new source key from an external source. Refer to Adding Key Material Using External (BYOK) Source for details. You can select CipherTrust Manager (External), CipherTrust Manager (Local), or Vormetric Data Security Manager (DSM) as an external key source, or Decide Later.
CloudHSM Key Store: Create a CloudHSM key from CCKM using key material from AWS CloudHSM, which is the key source.
External Custom Key Store (HYOK): External Custom Key Store (Hold Your Own Key). Add an HYOK key tied to key material stored in a Luna HSM or a CipherTrust Manager, depending on which key source you are using. AWS Key Management Service (KMS) communicates with CCKM, which uses the AWS HYOK key as an intermediary to the source key stored in the Luna HSM or CipherTrust Manager. Depending on the key source, the Luna HSM or CipherTrust Manager executes the cryptographic operations. You can rotate the HYOK key, which associates a new key in the Luna HSM or a new version of the CipherTrust Manager key.
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
HYOK keys support a different set of operations from other key types. You can perform the following HYOK key operations:
Regionality
When creating an AWS Native key or External (BYOK) key, you can specify whether the key is a single-region key or a multi-region key.
Note
This functionality is applicable to Native and BYOK keys.
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Creating Native Key Material
To create AWS key material directly with the native AWS application:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS.
Click Add Key. The Key Material Origin screen of the Add AWS Key wizard is displayed.
Key Material Origin
Select the desired AWS Account from the drop-down list.
Select the desired Region from the drop-down list. The list shows the regions in which the selected AWS account is available.
Select Native as the Origin Type.
Select Regionality. The options are:
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Click Next. The Destination (AWS) Key screen is displayed.
Destination (AWS) Key
Under Select Key Type, select the desired key type. The options are:
Symmetric: One key does encryption and decryption.
Asymmetric: A key pair does encryption and decryption.
Under Select Key Usage, select the key usage:
Encrypt and Decrypt:
For symmetric keys, the key is used only to encrypt and decrypt the data.
For asymmetric keys, the public key is used to encrypt while the private key is used to decrypt.
(Symmetric keys only) Generate and Verify MAC: The key is used only to generate and verify hash-based message authentication codes (HMACs).
(Asymmetric keys only) Sign and Verify: In this key pair, the public key is used to sign while the private key is used to verify.
Enter a user-friendly Alias for the key. This helps uniquely identify a key.
(Optional) Provide a brief Description of the key.
Select the desired Key Algorithm from the drop-down list.
Note
The Algorithm field is not displayed for symmetric keys when their Key Usage is selected as Encrypt and Decrypt.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: _ . / = + - @
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Key Policy screen is displayed.
On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.
Key Policy
Specify a policy for the key. You can create a new policy, select a saved policy, and build from template.
Click the desired tab to view the instructions.
Select the Create New Policy option.
Select a policy view. You can select either the Basic view or Raw view. The default view is Basic.
Select the key admins, key users, and additional accounts for the policy. The Key Admins and Key Users tabs display the list of available AWS users and roles.
In the Basic view, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Add external accounts in the Add Accounts field and click +.
These accounts have user permissions. Similarly, you can add more external accounts. To remove an account, click the close (X) icon in the account name.
To switch to the Raw view, click Switch to policy (Raw) View. In the Raw view, paste a policy in JSON format in the Raw Policy field.
Note
Any edits made in the policy (Raw) view will be retained exclusively in the policy (Raw) view.
Select Save this Key Policy and Enter Template Name.
Click Next.
Select the Select Saved Policy option.
Select a policy from the Saved Policies drop-down list.
You can also update the selected policy and create a new policy from it.
Select the policy view. You can select Raw View or Basic View. By default, the policy opens in the Raw View.
Update the policy.
Raw View
Make the necessary changes in the policy.
Basic View
In the Basic View, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Note
If you make changes in one of the views and switch to the other view without updating the policy, you will see a Warning message. Click Yes to continue.
Click Update. The Update Policy message is displayed.
To save the changes as a new policy, select the DO NOT Push Changes check box, and enter the New Policy name.
Note
If the selected policy is Unverified, the Update Policy message is not displayed and a new policy is not created.
Click Apply.
Click Next.
Select the Build From Template option.
Select Template.
(Optional) Make the necessary changes in the template.
Click Next.
Based on the selection of the key type and key usage, the Add to Schedule screen or AWS Automatic Key Rotation screen is displayed. Click the desired tab to view the instructions.
Note
If Asymmetric is selected as the Key Type when specifying the Destination Key details, the key cannot be scheduled.
From the Rotation drop-down list, select a schedule to apply.
Note
If you're creating an imported AES symmetric key and the selected schedule has "Rotate Material (imported AES keys)" enabled, the key material will be rotated automatically when the schedule runs. For all other cases (including schedules without this option enabled), a new key will be created on rotation, and the alias will be reassigned to the new key.
(Optional) For BYOK or Native keys, you can deny or grant the encrypt permission in the key policy of the AWS account where the key is created, or in the key policies of all accounts the key is shared with:
Select Disable Encrypt Permissions on Current Key to deny the encrypt permission in the key policy of the AWS account where the key is created. Clear the check box to grant the encrypt permission. By default, Disable Encrypt Permissions on Current Key is selected, that is, the encrypt permission is denied on the current key.
Select Disable Encrypt Permissions on All Accounts to deny the encrypt permission in the key policies of all AWS accounts the key is shared with. Clear the check box to grant the encrypt permission.
Select the Key Origin from the available options. The key origin can be:
CipherTrust: CipherTrust Manager.
Luna: Luna HSM. Also select a partition from the Select Partition drop-down list.
DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.
Select CipherTrust (CipherTrust Manager) as the Key Origin.
Click Next.
The Review and Add Key screen is displayed.
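The policy pasted into the Raw Policy field on the Key Policy screen is a standard AWS KMS key policy document, and the Disable Encrypt Permissions options above amount to an explicit Deny on kms:Encrypt in that document. The following Python is an added example, not code from CCKM or AWS: it builds such a policy from key admins, key users and external accounts, then evaluates who may perform a given action, with an explicit Deny overriding any Allow. The account IDs, principal ARNs and helper names are constructed for illustration, and the evaluation deliberately ignores IAM identity policies and Condition elements.

```python
"""Build and sanity-check an AWS KMS key policy of the kind pasted into the
Raw Policy field, including the explicit Deny that models the Disable Encrypt
Permissions option. Added example, not CCKM or AWS code; account IDs and
principal ARNs used in tests are constructed for illustration."""
import json
from fnmatch import fnmatchcase

# Action lists follow the layout of the AWS KMS default key policy for
# key administrators and key users.
ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource",
    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
]
USER_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey",
]


def build_key_policy(account_id, key_admins, key_users,
                     external_accounts=(), disable_encrypt=False):
    """Return a policy document (dict). External accounts are added as
    key users via their account root, as the Add Accounts field does."""
    statements = [{
        "Sid": "Enable IAM User Permissions", "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "kms:*", "Resource": "*",
    }]
    if key_admins:
        statements.append({
            "Sid": "Allow access for Key Administrators", "Effect": "Allow",
            "Principal": {"AWS": list(key_admins)},
            "Action": ADMIN_ACTIONS, "Resource": "*",
        })
    users = list(key_users) + [f"arn:aws:iam::{a}:root" for a in external_accounts]
    if users:
        statements.append({
            "Sid": "Allow use of the key", "Effect": "Allow",
            "Principal": {"AWS": users},
            "Action": USER_ACTIONS, "Resource": "*",
        })
    if disable_encrypt:
        # An explicit Deny wins over every Allow above, so no principal can
        # encrypt with this key; Decrypt of existing ciphertext is unaffected.
        statements.append({
            "Sid": "Disable Encrypt Permissions", "Effect": "Deny",
            "Principal": {"AWS": "*"}, "Action": "kms:Encrypt", "Resource": "*",
        })
    return {"Version": "2012-10-17", "Id": "cckm-example-key-policy",
            "Statement": statements}


def to_raw_policy(policy):
    """Serialise the document for the Raw Policy field."""
    return json.dumps(policy, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal_field, principal_arn):
    if principal_field == "*":
        return True
    aws = principal_field.get("AWS", []) if isinstance(principal_field, dict) else []
    return "*" in _as_list(aws) or principal_arn in _as_list(aws)


def is_allowed(policy, principal_arn, action):
    """Evaluate the key policy on its own (no IAM identity policies, no
    Conditions): an explicit Deny overrides any Allow; otherwise some
    matching Allow statement is required."""
    allowed = False
    for st in policy["Statement"]:
        if not _principal_matches(st["Principal"], principal_arn):
            continue
        if not any(fnmatchcase(action, pat) for pat in _as_list(st["Action"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Running is_allowed over the built document before pasting it into the Raw Policy field is a cheap way to confirm that key admins cannot use the key for data operations, that external accounts only receive key user permissions, and that the Deny on kms:Encrypt really applies to everyone, including the account root.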
Note
Automatic key rotation applies only to AWS native keys whose algorithm is SYMMETRIC_DEFAULT.
Automatic key rotation rotates AWS native keys after a specified time period. To enable automatic key rotation:
Select Enable automatic key rotation.
Enter the Rotation period (in days).
Based on the entered rotation period, the next rotation date will be displayed. The default rotation period is 365 days.
Click Next.
The Review and Add Key screen is displayed.
Review And Add Key
This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, KEY POLICY, NATIVE KEY, and KEY SCHEDULES (or AWS AUTOMATIC KEY ROTATION) sections. For a multi-region key, the NATIVE KEY section shows Multi-Region Key as the Regionality.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the KEY MATERIAL ORIGIN, KEY POLICY, NATIVE KEY, and KEY SCHEDULES (or AWS AUTOMATIC KEY ROTATION) sections, and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the NATIVE KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.
Click OK. The Add AWS Key wizard is closed.
The newly created key is displayed in the list of AWS keys.
Adding Key Material Using External (BYOK) Source
To add key material using external BYOK as a key source:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS.
Click Add Key. The Key Material Origin screen of the Add AWS Key wizard is displayed.
Key Material Origin
Select the desired AWS Account from the drop-down list.
Select the desired Region from the drop-down list. The list shows the regions in which the selected AWS account is available.
Select External (BYOK) as Origin Type.
Select the Source. The options are:
CipherTrust (External): Add key by creating or uploading an external CipherTrust key as the source key. Refer to Adding Key Using External CipherTrust as External (BYOK) Source for details.
CipherTrust (Local): Add key by creating or uploading a CipherTrust key as the source key. Refer to Adding Key Using Local CipherTrust as External (BYOK) Source for details.
Vormetric DSM: Add key by creating or uploading a Vormetric DSM key as the source key. Refer to Adding Key Using Vormetric DSM as External (BYOK) Source for details.
Luna HSM: Add key by creating or uploading a Luna HSM key as the source key. Refer to Adding Key Using Luna HSM as External (BYOK) Source for details.
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Decide Later: Add key now, but decide the key source later. Refer to Deciding Key Material Later for details.
Adding Key Using External CipherTrust as External (BYOK) Source
To add a key by creating or uploading an external CipherTrust key as the source key:
Key Material Origin
Select CipherTrust (External) as the Source.
Select Regionality. The options are:
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Click Next. The Source Key screen is displayed.
Configure CipherTrust (External) Key
Select the Source Key Material. You can select Create New Key or Copy Existing Key.
Click the desired tab to view the instructions.
Click Create New Key.
Select Key Type. The options are Symmetric and Asymmetric.
Select a Domain.
Enter the Key Name.
Select Algorithm:
For Symmetric keys, the options are AES or HMAC.
For Asymmetric keys, the options are RSA or EC.
Select the Key Size / Key Curve based on the algorithm:
For the HMAC algorithm, the options are 256, 384, and 512.
For the RSA algorithm, the options are 2048, 3072, and 4096.
For the EC algorithm, the options are secp384r1, secp521r1, and secp256k1.
Note
Not applicable to the AES algorithm.
Click Copy Existing Key.
Select a Domain.
Select Algorithm. The options are AES, HMAC, RSA, and EC.
Select the Key Size / Key Curve based on the algorithm:
For the HMAC algorithm, the options are 256, 384, and 512.
For the RSA algorithm, the options are 2048, 3072, and 4096.
For the EC algorithm, the options are secp384r1, secp521r1, and secp256k1.
Note
Not applicable to the AES algorithm.
(Optional) Enable Fetch Latest Version Only.
Select a CipherTrust (External) Key from the list.
Click Next. The Destination (AWS) Key screen is displayed.
Destination (AWS) Key
For RSA keys, select Key Usage. You can select Encrypt and Decrypt or Sign and Verify.
Enter a user-friendly Alias for the key. This helps uniquely identify a key.
(Optional) Provide a brief Description of the key.
(Optional) Set the key expiration date.
Select the Set Expiration Date check box.
Either enter the expiration time manually or select it using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 16, 2020 1:50 PM. To select a specific time, click Time, and select hours and minutes from the GUI.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: _ . / = + - @
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Key Policy screen is displayed.
On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.
Key Policy
Specify a policy for the key. You can create a new policy or select an existing policy.
Click the desired tab to view the instructions.
Select the Create New Policy option.
Select a policy view. You can select either the Basic view or Raw view. The default view is Basic.
Select the key admins, key users, and additional accounts for the policy. The Key Admins and Key Users tabs display the list of available AWS users and roles.
In the Basic view, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Add external accounts in the Add Accounts field and click +.
These accounts have user permissions. Similarly, you can add more external accounts. To remove an account, click the close (X) icon in the account name.
To switch to the Raw view, click Switch to policy (Raw) View. In the Raw view, paste a policy in JSON format in the Raw Policy field.
Note
Any edits made in the policy (Raw) view will be retained exclusively in the policy (Raw) view.
Select Save this Key Policy and Enter Template Name.
Click Next.
Select the Select Saved Policy option.
Select a policy from the Saved Policies drop-down list.
You can also update the selected policy and create a new policy from it.
Select the policy view. You can select Raw View or Basic View. By default, the policy opens in the Raw View.
Update the policy.
Raw View
Make the necessary changes in the policy.
Basic View
In the Basic View, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Note
If you make changes in one of the views and switch to the other view without updating the policy, you will see a Warning message. Click Yes to continue.
Click Update. The Update Policy message is displayed.
To save the changes as a new policy, select the DO NOT Push Changes check box, and enter the New Policy name.
Note
If the selected policy is Unverified, the Update Policy message is not displayed and a new policy is not created.
Click Apply.
Click Next.
Select the Build From Template option.
Select Template.
(Optional) Make the necessary changes in the template.
Click Next.
The Add to Schedule screen is displayed.
Add to Schedule
From the Rotation drop-down list, select a schedule to apply.
Note
If you're creating an imported AES symmetric key and the selected schedule has "Rotate Material (imported AES keys)" enabled, the key material will be rotated automatically when the schedule runs. For all other cases (including schedules without this option enabled), a new key will be created on rotation, and the alias will be reassigned to the new key.
Specify whether to Disable Encrypt Permissions on Current Key. By default, the encrypt permissions are disabled on the current key. Clear the check box to enable permissions.
Select the Key Origin from the available options. The key origin can be:
CipherTrust: CipherTrust Manager.
Luna: Luna HSM. Also select a partition from the Select Partition drop-down list.
DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.
Click Next.
The Review and Add Key screen is displayed.
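The Add to Schedule note above (and the same note in the Native key procedure) describes two different rotation behaviours: for an imported AES key on a schedule with Rotate Material enabled, the key material is rotated in place and the key ID stays the same; in every other case a new key is created and the alias is reassigned, with Disable Encrypt Permissions on Current Key then denying Encrypt on the previous key. The following Python is an added example, not CCKM or AWS code, that models both behaviours in a small in-memory key store so the consequences can be checked: existing ciphertext still decrypts because the ciphertext identifies its key, new ciphertext goes to the new key, and the old key refuses Encrypt. The key store, token format, key IDs and the HMAC-based keystream cipher are constructed for the demonstration only, and the model assumes earlier material versions of an imported key remain available for decryption.

```python
"""Model of the two rotation behaviours described for CCKM key schedules:
a new key with the alias reassigned (general case) versus in-place material
rotation for imported AES keys. Added example, not CCKM or AWS code. The
store, token format and toy cipher are constructed stand-ins for KMS."""
import hashlib
import hmac
import itertools
import secrets


def _keystream(material, nonce, length):
    """Toy stream-cipher keystream: HMAC-SHA256(material, nonce || counter).
    Stands in for AES so the example runs on the standard library alone."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(material, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyStore:
    def __init__(self):
        # key_id -> {"materials": [bytes, ...], "imported": bool, "encrypt_allowed": bool}
        self.keys = {}
        self.aliases = {}   # alias -> key_id
        self._ids = itertools.count(1)

    def create_key(self, alias, imported=False):
        key_id = f"key-{next(self._ids):04d}"
        self.keys[key_id] = {"materials": [secrets.token_bytes(32)],
                             "imported": imported, "encrypt_allowed": True}
        self.aliases[alias] = key_id
        return key_id

    def encrypt(self, key_ref, plaintext):
        """key_ref is an alias or a key ID. The token embeds the key ID and
        material version, as a KMS ciphertext blob identifies its key."""
        key_id = self.aliases.get(key_ref, key_ref)
        key = self.keys[key_id]
        if not key["encrypt_allowed"]:
            # Models the policy Deny added by Disable Encrypt Permissions.
            raise PermissionError(f"kms:Encrypt denied on {key_id}")
        version = len(key["materials"]) - 1
        nonce = secrets.token_bytes(12)
        ct = _xor(plaintext, _keystream(key["materials"][version], nonce, len(plaintext)))
        return f"{key_id}:{version}:{nonce.hex()}:{ct.hex()}"

    def decrypt(self, token):
        key_id, version, nonce_hex, ct_hex = token.split(":")
        material = self.keys[key_id]["materials"][int(version)]
        ct = bytes.fromhex(ct_hex)
        return _xor(ct, _keystream(material, bytes.fromhex(nonce_hex), len(ct)))

    def rotate(self, alias, rotate_material=False, disable_encrypt_on_old=True):
        old_id = self.aliases[alias]
        old = self.keys[old_id]
        if rotate_material and old["imported"]:
            # "Rotate Material (imported AES keys)": same key ID, new material.
            old["materials"].append(secrets.token_bytes(32))
            return old_id
        # All other cases: new key, alias reassigned, old key keeps decrypting.
        new_id = self.create_key(alias, imported=old["imported"])
        if disable_encrypt_on_old:
            old["encrypt_allowed"] = False
        return new_id


def rotation_walkthrough():
    """Run both flows and return the observations as a dict."""
    ks, out = KeyStore(), {}
    k1 = ks.create_key("alias/app")
    t1 = ks.encrypt("alias/app", b"written before rotation")
    k2 = ks.rotate("alias/app")
    out["new_key_created"] = k2 != k1
    out["alias_moved"] = ks.aliases["alias/app"] == k2
    out["old_token_decrypts"] = ks.decrypt(t1) == b"written before rotation"
    out["new_token_uses_new_key"] = ks.encrypt("alias/app", b"x").startswith(k2 + ":")
    try:
        ks.encrypt(k1, b"x")
        out["old_key_encrypt_denied"] = False
    except PermissionError:
        out["old_key_encrypt_denied"] = True
    k3 = ks.create_key("alias/imported", imported=True)
    t3 = ks.encrypt("alias/imported", b"legacy data")
    out["imported_key_id_unchanged"] = ks.rotate("alias/imported", rotate_material=True) == k3
    out["imported_new_version"] = ks.encrypt("alias/imported", b"y").split(":")[1]
    out["imported_old_token_decrypts"] = ks.decrypt(t3) == b"legacy data"
    return out
```

The practical point for operations is the one the walkthrough checks: after an alias reassignment, clients that encrypt via the alias move to the new key automatically, while anything that still addresses the old key ID directly will fail on Encrypt once Disable Encrypt Permissions on Current Key is in effect, which is the signal to go and fix that client rather than re-enable the permission.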
Review And Add Key
This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the KEY MATERIAL ORIGIN, SOURCE KEY, DESTINATION KEY, KEY POLICY and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click OK. The Add AWS Key wizard is closed.
The newly created key is displayed in the list of AWS keys.
Adding Key Using Local CipherTrust as External (BYOK) Source
To add a key by creating or uploading a CipherTrust key as the source key:
Key Material Origin
Select CipherTrust (Local) as the Source.
Select Regionality. The options are:
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Click Next. The Configure CipherTrust (Local) Key screen is displayed.
Configure CipherTrust (Local) Key
Select the Source Key Material. You can select Create New Key or Copy Existing Key.
Click the desired tab to view the instructions.
Click Create New Key.
Select Key Type. The options are Symmetric and Asymmetric.
Enter the Key Name.
Select Algorithm:
For Symmetric keys, the options are AES or HMAC.
For Asymmetric keys, the options are RSA or EC.
Select the Key Size / Key Curve based on the algorithm:
For the HMAC algorithm, the options are 256, 384, and 512.
For the RSA algorithm, the options are 2048, 3072, and 4096.
For the EC algorithm, the options are secp384r1, secp521r1, and secp256k1.
Note
Not applicable to the AES algorithm.
Click Copy Existing Key.
Select Algorithm. The options are AES, HMAC, RSA, and EC.
Select the Key Size / Key Curve based on the algorithm:
For the HMAC algorithm, the options are 256, 384, and 512.
For the RSA algorithm, the options are 2048, 3072, and 4096.
For the EC algorithm, the options are secp384r1, secp521r1, and secp256k1.
Note
Not applicable to the AES algorithm.
(Optional) Enable Fetch Latest Version Only.
Select a CipherTrust (Local) Key from the list.
Click Next. The Destination (AWS) Key screen is displayed.
Destination (AWS) Key
For RSA keys, select Key Usage. You can select Encrypt and Decrypt or Sign and Verify.
Enter a user-friendly Alias for the key. This helps uniquely identify a key.
(Optional) Provide a brief Description of the key.
(Optional) Set the key expiration date.
Select the Set Expiration Date check box.
Either enter the expiration time manually or select it using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 16, 2020 1:50 PM. To select a specific time, click Time, and select hours and minutes from the GUI.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: _ . / = + - @
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Key Policy screen is displayed.
On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.
Key Policy
Specify a policy for the key. You can create a new policy or select an existing policy.
Click the desired tab to view the instructions.
Select the Create New Policy option.
Select a policy view. You can select either the Basic view or Raw view. The default view is Basic.
Select the key admins, key users, and additional accounts for the policy. The Key Admins and Key Users tabs display the list of available AWS users and roles.
In the Basic view, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Add external accounts in the Add Accounts field and click +.
These accounts have user permissions. Similarly, you can add more external accounts. To remove an account, click the close (X) icon in the account name.
To switch to the Raw view, click Switch to policy (Raw) View. In the Raw view, paste a policy in JSON format in the Raw Policy field.
Note
Any edits made in the policy (Raw) view will be retained exclusively in the policy (Raw) view.
Select Save this Key Policy and Enter Template Name.
Click Next.
Select the Select Saved Policy option.
Select a policy from the Saved Policies drop-down list.
You can also update the selected policy and create a new policy from it.
Select the policy view. You can select Raw View or Basic View. By default, the policy opens in the Raw View.
Update the policy.
Raw View
Make the necessary changes in the policy.
Basic View
In the Basic View, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Note
If you make changes in one of the views and switch to the other view without updating the policy, you will see a Warning message. Click Yes to continue.
Click Update. The Update Policy message is displayed.
To save the changes as a new policy, select the DO NOT Push Changes check box, and enter the New Policy name.
Note
If the selected policy is Unverified, the Update Policy message is not displayed and a new policy is not created.
Click Apply.
Click Next.
Select the Build From Template option.
Select Template.
(Optional) Make the necessary changes in the template.
Click Next.
The Add to Schedule screen is displayed.
Add to Schedule
From the Rotation drop-down list, select a schedule to apply.
Note
If you're creating an imported AES symmetric key and the selected schedule has "Rotate Material (imported AES keys)" enabled, the key material will be rotated automatically when the schedule runs. For all other cases (including schedules without this option enabled), a new key will be created on rotation, and the alias will be reassigned to the new key.
Specify whether to Disable Encrypt Permissions on Current Key. By default, the encrypt permissions are disabled on the current key. Clear the check box to enable permissions.
Select the Key Origin from the available options. The key origin can be:
CipherTrust: CipherTrust Manager.
Luna: Luna HSM. Also select a partition from the Select Partition drop-down list.
DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.
Click Next.
The Review and Add Key screen is displayed.
Review And Add Key
This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the KEY MATERIAL ORIGIN, SOURCE KEY, DESTINATION KEY, KEY POLICY and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click OK. The Add AWS Key wizard is closed.
The newly created key is displayed in the list of AWS keys.
Adding Key Using Vormetric DSM as External (BYOK) Source
To add a key by creating or uploading a Vormetric DSM key as the source key:
Key Material Origin
Select Vormetric DSM as the Source.
Select Regionality. The options are:
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Click Next. The Source Key screen is displayed.
Source Key
Select the Source Key Material. You can select Create New Key or Copy Existing Key.
Click the desired tab to view the instructions.
Click Create New Key.
Enter the DSM Key Name.
Select a DSM Domain.
Note
Not applicable to the AES algorithm.
Click Copy Existing Key.
Note
By default, the selected Algorithm and Key Size options are AES and 256, respectively.
Select a DSM Key from the list.
Click Next. The Destination (AWS) Key screen is displayed.
Destination (AWS) Key
For RSA keys, select Key Usage. You can select Encrypt and Decrypt or Sign and Verify.
Enter a user-friendly Alias for the key. This helps uniquely identify a key.
(Optional) Provide a brief Description of the key.
(Optional) Set the key expiration date.
Select the Set Expiration Date check box.
Either enter the expiration time manually or select it using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 16, 2020 1:50 PM. To select a specific time, click Time, and select hours and minutes from the GUI.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: _ . / = + - @
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Key Policy screen is displayed.
On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.
Key Policy
Specify a policy for the key. You can create a new policy or select an existing policy.
Click the desired tab to view the instructions.
Select the Create New Policy option.
Select a policy view. You can select either the Basic view or Raw view. The default view is Basic.
Select the key admins, key users, and additional accounts for the policy. The Key Admins and Key Users tabs display the list of available AWS users and roles.
In the Basic view, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Add external accounts in the Add Accounts field and click +.
These accounts have user permissions. Similarly, you can add more external accounts. To remove an account, click the close (X) icon in the account name.
To switch to the Raw view, click Switch to policy (Raw) View. In the Raw view, paste a policy in JSON format in the Raw Policy field.
Note
Any edits made in the policy (Raw) view will be retained exclusively in the policy (Raw) view.
Select Save this Key Policy and Enter Template Name.
Click Next.
Select the Select Saved Policy option.
Select a policy from the Saved Policies drop-down list.
You can also update the selected policy and create a new policy from it.
Select the policy view. You can select Raw View or Basic View. By default, the policy opens in the Raw View.
Update the policy.
Raw View
Make the necessary changes in the policy.
Basic View
In the Basic View, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Note
If you make changes in one of the views and switch to the other view without updating the policy, you will see a Warning message. Click Yes to continue.
Click Update. The Update Policy message is displayed.
To save the changes as a new policy, select the DO NOT Push Changes check box, and enter the New Policy name.
Note
If the selected policy is Unverified, the Update Policy message is not displayed and a new policy is not created.
Click Apply.
Click Next.
Select the Build From Template option.
Select Template.
(Optional) Make the necessary changes in the template.
Click Next.
The Add to Schedule screen is displayed.
Add to Schedule
From the Rotation drop-down list, select a schedule to apply.
Note
If you're creating an imported AES symmetric key and the selected schedule has "Rotate Material (imported AES keys)" enabled, the key material will be rotated automatically when the schedule runs. For all other cases (including schedules without this option enabled), a new key will be created on rotation, and the alias will be reassigned to the new key.
Specify whether to Disable Encrypt Permissions on Current Key. By default, the encrypt permissions are disabled on the current key. Clear the check box to enable permissions.
Select the Key Origin from the available options. The key origin can be:
CipherTrust: CipherTrust Manager.
Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.
DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.
Click Next.
The Review and Add Key screen is displayed.
Review And Add Key
This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, KEY POLICY, SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the KEY MATERIAL ORIGIN, KEY POLICY, SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click OK. The Add AWS Key wizard is closed.
The newly created key is displayed in the list of AWS keys.
Adding Key Using Luna HSM as External (BYOK) Source
To add a key by creating or uploading a Luna HSM key as the source key:
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Key Material Origin
Select Luna HSM as the Source.
Select Regionality. The options are:
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Click Next. The Source Key screen is displayed.
Source Key
Select the Source Key Material. This specifies how to create the key. The options are:
Click Create New Key.
Select Key Type. The options are Symmetric and Asymmetric.
Enter the Key Name.
Select a Partition ID.
Select Algorithm:
For Symmetric keys, the option is AES.
For Asymmetric keys, the options are RSA or EC.
(Applicable to RSA algorithm only) Select a Mechanism. The options are CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN, CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN, and CKM_RSA_PKCS_KEY_PAIR_GEN.
Note
The mechanisms for the AES algorithm and EC algorithm are CKM_AES_KEY_GEN and CKM_EC_KEY_PAIR_GEN, respectively.
Select the Key Size / Key Curve based on the algorithm:
For the RSA algorithm, the options are 2048, 3072, and 4096.
For the EC algorithm, the options are secp384r1, secp521r1, and secp256k1.
Note
Not applicable to the AES algorithm.
Click Copy Existing Key.
Select Algorithm. The options are AES, RSA, and EC.
Select the Key Size / Key Curve based on the algorithm:
For the AES algorithm, the option is 256.
For the RSA algorithm, the options are 2048, 3072, and 4096.
For the EC algorithm, the options are secp384r1, secp521r1, and secp256k1.
Select an HSM Key from the list.
Click Next. The Destination (AWS) Key screen is displayed.
Destination (AWS) Key
For RSA keys, Select Key Usage. You can select Encrypt and Decrypt or Sign and Verify.
Enter a user-friendly Alias for the key. This helps uniquely identify a key.
(Optional) Provide a brief Description of the key.
(Optional) Set the key expiration date.
Select the Set Expiration Date check box.
Either enter the expiration time manually or select it using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 16, 2020 1:50 PM. To select a specific time, click Time, and select hours and minutes from the GUI.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: _ . / = + - @
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Key Policy screen is displayed.
On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.
Key Policy
Specify a policy for the key. You can create a new policy or select an existing policy.
Click the desired tab to view the instructions.
Select the Create New Policy option.
Select a policy view. You can select either the Basic view or Raw view. The default view is Basic.
Select the key admins, key users, and additional accounts for the policy. The Key Admins and Key Users tabs display the list of available AWS users and roles.
In the Basic view, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Add external accounts in the Add Accounts field and click +.
These accounts have user permissions. Similarly, you can add more external accounts. To remove an account, click the close (X) icon in the account name.
To switch to the Raw view, click Switch to policy (Raw) View. In the Raw view, paste a policy in JSON format in the Raw Policy field.
Note
Any edits made in the policy (Raw) view will be retained exclusively in the policy (Raw) view.
Select Save this Key Policy and Enter Template Name.
Click Next.
Select the Select Saved Policy option.
Select a policy from the Saved Policies drop-down list.
You can also update the selected policy, and create a new policy using it.
Select the policy view. You can select Raw View or Basic View. By default, the policy opens in the Raw View.
Update the policy.
Raw View
Make the necessary changes in the policy.
Basic View
In the Basic View, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Note
If you make changes in one of the views and switch to the other view without updating the policy, you will see a Warning message. Click Yes to continue.
Click Update. The Update Policy message is displayed.
To save the changes as a new policy, select the DO NOT Push Changes check box, and enter the New Policy name.
Note
If the selected policy is Unverified, the Update Policy message is not displayed, and a new policy is not created.
Click Apply.
Click Next.
Select the Build From Template option.
Select Template.
(Optional) Make the necessary changes in the template.
Click Next.
The Add to Schedule screen is displayed.
Add to Schedule
From the Rotation drop-down list, select a schedule to apply.
Note
If you're creating an imported AES symmetric key and the selected schedule has "Rotate Material (imported AES keys)" enabled, the key material will be rotated automatically when the schedule runs. For all other cases (including schedules without this option enabled), a new key will be created on rotation, and the alias will be reassigned to the new key.
Specify whether to Disable Encrypt Permissions on Current Key. By default, the encrypt permissions are disabled on the current key. Clear the check box to enable permissions.
Select the Key Origin from the available options. The key origin can be:
CipherTrust: CipherTrust Manager.
Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.
DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.
Click Next.
The Review and Add Key screen is displayed.
Review And Add Key
This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the KEY MATERIAL ORIGIN, KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the KEY POLICY, SOURCE KEY, DESTINATION KEY and KEY SCHEDULES sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click OK. The Add AWS Key wizard is closed.
The newly created key is displayed in the list of AWS keys.
Deciding Key Material Later
Add key now, but decide the key source later.
To add a new key without deciding the key material source:
Key Material Origin
Select Decide Later as the Source.
Select Regionality. The options are:
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Click Next. The Destination (AWS) Key screen is displayed.
Destination (AWS) Key
Select Key Type. The options are Symmetric and Asymmetric.
Under Select Key Usage, select the key usage:
Encrypt and Decrypt:
For symmetric keys, the key is used only to encrypt and decrypt the data.
For asymmetric keys, the public key is used to encrypt while the private key is used to decrypt.
(Symmetric keys only) Generate and Verify MAC: The key is used only to generate and verify hash-based message authentication codes (HMACs).
(Asymmetric keys only) Sign and Verify: In this key pair, the private key is used to sign while the public key is used to verify.
Enter a user-friendly Alias for the key. This helps uniquely identify a key.
(Optional) Provide a brief Description of the key.
Select the desired Key Algorithm from the drop-down list.
Note
The Algorithm field is not displayed for symmetric keys when their Key Usage is selected as Encrypt and Decrypt.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: _ . / = + - @
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Key Policy screen is displayed.
On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.
Key Policy
Specify a policy for the key. You can create a new policy or select an existing policy.
Click the desired tab to view the instructions.
Select the Create New Policy option.
Select a policy view. You can select either the Basic view or Raw view. The default view is Basic.
Select the key admins, key users, and additional accounts for the policy. The Key Admins and Key Users tabs display the list of available AWS users and roles.
In the Basic view, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Add external accounts in the Add Accounts field and click +.
These accounts have user permissions. Similarly, you can add more external accounts. To remove an account, click the close (X) icon in the account name.
To switch to the Raw view, click Switch to policy (Raw) View. In the Raw view, paste a policy in JSON format in the Raw Policy field.
Note
Any edits made in the policy (Raw) view will be retained exclusively in the policy (Raw) view.
Select Save this Key Policy and Enter Template Name.
Click Next.
Select the Select Saved Policy option.
Select a policy from the Saved Policies drop-down list.
You can also update the selected policy, and create a new policy using it.
Select the policy view. You can select Raw View or Basic View. By default, the policy opens in the Raw View.
Update the policy.
Raw View
Make the necessary changes in the policy.
Basic View
In the Basic View, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Note
If you make changes in one of the views and switch to the other view without updating the policy, you will see a Warning message. Click Yes to continue.
Click Update. The Update Policy message is displayed.
To save the changes as a new policy, select the DO NOT Push Changes check box, and enter the New Policy name.
Note
If the selected policy is Unverified, the Update Policy message is not displayed, and a new policy is not created.
Click Apply.
Click Next.
Select the Build From Template option.
Select Template.
(Optional) Make the necessary changes in the template.
Click Next.
The Add to Schedule screen is displayed.
Add to Schedule
From the Rotation drop-down list, select a schedule to apply.
Note
If you're creating an imported AES symmetric key and the selected schedule has "Rotate Material (imported AES keys)" enabled, the key material will be rotated automatically when the schedule runs. For all other cases (including schedules without this option enabled), a new key will be created on rotation, and the alias will be reassigned to the new key.
Specify whether to Disable Encrypt Permissions on Current Key. By default, the encrypt permissions are disabled on the current key. Clear the check box to enable permissions.
Select the Key Origin from the available options. The key origin can be:
CipherTrust: CipherTrust Manager.
Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.
DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.
Click Next.
The Review and Add Key screen is displayed.
Review And Add Key
This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, KEY POLICY, DESTINATION KEY and KEY SCHEDULES sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality. The KEY MATERIAL ORIGIN section shows the Source Type as External (BYOK) and Source as Decide Later.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the KEY MATERIAL ORIGIN, KEY POLICY, DESTINATION KEY and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the DESTINATION KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.
Click OK. The Add AWS Key wizard is closed.
The newly created key is displayed in the list of AWS keys. The origin of the key is BYOK - External and the key state is PendingImport.
Creating CloudHSM Keys
Before you can create a CloudHSM key, you must ensure your CloudHSM key store is configured. For more information, see AWS CloudHSM Key Store Resources.
To create a CloudHSM key using CloudHSM Source
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS.
Click Add Key. The Key Material Origin screen of the Add AWS Key wizard is displayed.
Key Material Origin
Select the desired AWS Account from the drop-down list.
Select the desired Region from the drop-down list.
Select AWS CloudHSM Key Store from Origin Type.
Select the desired CloudHSM Key Store from the drop-down list.
Enter a user-friendly Alias for the key. This helps uniquely identify the key.
(Optional) Provide a brief Description of the key.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: _ . / = + - @
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Key Policy screen is displayed.
On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.
Key Policy
Specify a policy for the key. You can create a new policy or select an existing policy.
Click the desired tab to view the instructions.
Select the Create New Policy option.
Select a policy view. You can select either the Basic view or Raw view. The default view is Basic.
Select the key admins, key users, and additional accounts for the policy. The Key Admins and Key Users tabs display the list of available AWS users and roles.
In the Basic view, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Add external accounts in the Add Accounts field and click +.
These accounts have user permissions. Similarly, you can add more external accounts. To remove an account, click the close (X) icon in the account name.
To switch to the Raw view, click Switch to policy (Raw) View. In the Raw view, paste a policy in JSON format in the Raw Policy field.
Note
Any edits made in the policy (Raw) view will be retained exclusively in the policy (Raw) view.
Select Save this Key Policy and Enter Template Name.
Click Next.
The Review And Add Key screen is displayed.
Select the Select Existing Policy option.
Select a policy from the Saved Policies drop-down list.
To view the raw details of the selected policy, click View Policy (Raw). To hide the raw details, click Hide Policy (Raw).
Click Next.
The Review And Add Key screen is displayed.
Review And Add Key
Review the key details, and click Add Key to create the key.
Once creation completes, click OK to close the dialog.
Creating HYOK Keys
You must prepare an external custom key store on CCKM before you can create an HYOK key.
As part of creating an HYOK key, you create a new source key in either a Luna HSM partition or a CipherTrust Manager that is associated with the external custom key store. The source of the HYOK key must match the source of the external custom key store.
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Configuration varies based on whether the HYOK is created in the linked or unlinked state.
If the HYOK key is created in the linked state, a KMS key is automatically created in the corresponding AWS KMS external key store.
If the HYOK key is created in the unlinked state, you must either link it to automatically create the corresponding KMS key on AWS KMS, or you must manually create the KMS key on AWS KMS. If you choose to manually create a KMS key, you can refresh keys to later detect and link the KMS key to its HYOK key on CCKM. Managing AWS policies associated with the HYOK key on CCKM is unsupported with unlinked keys.
Create a Linked HYOK Key
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS.
Click Add Key. The Key Material Origin screen of the Add AWS Key wizard is displayed.
Key Material Origin
Select the desired AWS Account from the drop-down list.
Select External Custom Key Store (HYOK) from Origin Type.
Select CipherTrust or Luna HSM from Source.
Select Linked Key from the Linked State.
Click Next. The Source Key screen is displayed.
Source Key
Select an External Key Store from the drop-down list.
Note
Only key stores hosted on the local CCKM, and matching the selected Source are available.
Select the Source Key Material. This specifies how to create the key.
Create New Key
Click to create a fresh key.
Specify the Source Key Name for the source key. This will be the name for the new key.
Note
For Luna HSM keys, key attributes are displayed. These values are not editable.
Copy Existing Key
Click to create a new key by copying an existing source key.
Select a CipherTrust (Local) Key from the list. For Luna HSM, the list shows the available keys based on the Luna HSM connection.
Valid source keys must have specific attributes, depending on the source type.
Source Type: CipherTrust Manager
Required Attributes:
• Not exportable
• Not deletable
• Usage Masks: Encrypt, Decrypt, Wrap, Unwrap
Source Type: Luna HSM
Required Attributes:
• CKA_EXTRACTABLE = FALSE
• CKA_SENSITIVE = TRUE
• CKA_ENCRYPT = TRUE
• CKA_DECRYPT = TRUE
• CKA_WRAP = TRUE
• CKA_UNWRAP = TRUE
Click Next. The Destination (AWS) Key screen is displayed.
Destination (AWS) Key
Add an Alias for the new KMS key.
Optionally add a Description and Tags, if desired.
Click Next. The Key Policy screen is displayed.
On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.
Key Policy
Specify a policy for the key. You can create a new policy or select an existing policy.
Click the desired tab to view the instructions.
Select the Create New Policy option.
Select a policy view. You can select either the Basic view or Raw view. The default view is Basic.
Select the key admins, key users, and additional accounts for the policy. The Key Admins and Key Users tabs display the list of available AWS users and roles.
In the Basic view, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Add external accounts in the Add Accounts field and click +.
These accounts have user permissions. Similarly, you can add more external accounts. To remove an account, click the close (X) icon in the account name.
To switch to the Raw view, click Switch to policy (Raw) View. In the Raw view, paste a policy in JSON format in the Raw Policy field.
Note
Any edits made in the policy (Raw) view will be retained exclusively in the policy (Raw) view.
Select Save this Key Policy and Enter Template Name.
Click Next.
Select the Select Saved Policy option.
Select a policy from the Saved Policies drop-down list.
You can also update the selected policy, and create a new policy using it.
Select the policy view. You can select Raw View or Basic View. By default, the policy opens in the Raw View.
Update the policy.
Raw View
Make the necessary changes in the policy.
Basic View
In the Basic View, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Note
If you make changes in one of the views and switch to the other view without updating the policy, you will see a Warning message. Click Yes to continue.
Click Update. The Update Policy message is displayed.
To save the changes as a new policy, select the DO NOT Push Changes check box, and enter the New Policy name.
Note
If the selected policy is Unverified, the Update Policy message is not displayed, and a new policy is not created.
Click Apply.
Click Next.
Select the Build From Template option.
Select Template.
(Optional) Make the necessary changes in the template.
Click Next.
The Add to Schedule screen is displayed.
Add to Schedule
Select the desired Rotation schedule to apply to the key from the drop-down list. This is an optional step.
Note
If you're creating an imported AES symmetric key and the selected schedule has "Rotate Material (imported AES keys)" enabled, the key material will be rotated automatically when the schedule runs. For all other cases (including schedules without this option enabled), a new key will be created on rotation, and the alias will be reassigned to the new key.
Click Next. The Review And Add Key screen is displayed.
Review And Add Key
Review the key details, and click Add Key to create the key.
Creation completes and an XKS ID is generated for the new HYOK key.
Click OK to close the dialog.
Create an Unlinked HYOK key
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS.
Click Add Key. The Key Material Origin screen of the Add AWS Key wizard is displayed.
Key Material Origin
Select the desired AWS Account from the drop-down list.
Select External Custom Key Store (HYOK) from Origin Type.
Select CipherTrust or Luna HSM from Source.
Select Unlinked Key from the Linked State.
This means that the corresponding key is not automatically created in AWS KMS, and you must either link the HYOK after creation, or manually create the KMS key in AWS KMS.
Click Next. The Source Key screen is displayed.
Source Key
Select an External Key Store from the drop-down list.
Note
Only local key stores matching the selected Source are available.
Select the Source Key Material. This specifies how to create the key. The source key must be a symmetric AES-256 key.
For Luna source key stores, the CKA_SENSITIVE, CKA_ENCRYPT, CKA_DECRYPT, CKA_WRAP, and CKA_UNWRAP attributes must be enabled, and CKA_EXTRACTABLE must be disabled.
The options are:
Create New Key
Click to create a fresh key.
Specify the Source Key Name for the source key. This will be the name for the new key.
Note
For Luna HSM keys, key attributes are displayed. These values are not editable.
Copy Existing Key
Click to create a new key by copying an existing source key.
Select a CipherTrust (Local) Key from the list. For Luna HSM, the list shows the available keys based on the Luna HSM connection.
Click Next. The Add to Schedule screen is displayed.
Add to Schedule
Select the desired Rotation schedule to apply to the key from the drop-down list. This is an optional step.
Note
If you're creating an imported AES symmetric key and the selected schedule has "Rotate Material (imported AES keys)" enabled, the key material will be rotated automatically when the schedule runs. For all other cases (including schedules without this option enabled), a new key will be created on rotation, and the alias will be reassigned to the new key.
Click Next. The Review And Add Key screen is displayed.
Review And Add Key
Review the key details, and click Add Key to create the key.
Creation completes and an XKS ID is generated for the new HYOK key.
Click OK to close the dialog.
Create the corresponding KMS key. You can either:
Link the new HYOK key in CCKM.
Manually create the key in AWS KMS:
In CCKM, retrieve the XKS ID value from the key details page.
On AWS KMS, navigate to the external key store which corresponds to the CCKM external custom key store you selected for the HYOK key.
Create the KMS key. Provide the XKS ID for any fields indicating an External key ID.
Follow AWS documentation to associate the desired AWS services with the KMS key.
If you want to later link the KMS key to its associated HYOK key, refresh all AWS keys.
Encryption and decryption requests will now be executed with the source key.
If the source key is a Luna HSM key, the cryptographic requests are executed inside the Luna HSM.
If the source key is a CipherTrust Manager key, the cryptographic requests are executed inside the CipherTrust Manager.
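A pre-flight check for a candidate HYOK source key, covering both the attribute table in the linked-key procedure and the restatement of those requirements for unlinked keys. This is an added example, not CCKM or Thales code: the Luna attribute names are the PKCS#11 CKA_* attributes from the table, CKA_KEY_TYPE and CKA_VALUE_LEN are standard PKCS#11 attributes used here for the "symmetric AES-256" requirement, and the field names used for CipherTrust Manager keys (exportable, deletable, usage_mask) are assumed, since the page gives no API shape for them.

```python
"""Pre-flight check of a HYOK source key against CCKM's attribute requirements.

Added example, not CCKM code. Luna keys are checked on PKCS#11 CKA_* attributes;
the CipherTrust Manager field names (exportable, deletable, usage_mask) are assumed.
"""

# Luna HSM: attribute values required by the table in the linked-key procedure.
LUNA_REQUIRED = {
    "CKA_EXTRACTABLE": False,
    "CKA_SENSITIVE": True,
    "CKA_ENCRYPT": True,
    "CKA_DECRYPT": True,
    "CKA_WRAP": True,
    "CKA_UNWRAP": True,
}

# CipherTrust Manager: usage masks required by the same table.
CTM_REQUIRED_USAGE = {"Encrypt", "Decrypt", "Wrap", "Unwrap"}


def check_luna_key(attrs: dict) -> list:
    """Return a list of problems; an empty list means the Luna key qualifies.

    attrs maps PKCS#11 attribute names to the values read from the HSM.
    """
    problems = []
    # The source key must be a symmetric AES-256 key (CKA_VALUE_LEN is in bytes).
    if attrs.get("CKA_KEY_TYPE") != "CKK_AES" or attrs.get("CKA_VALUE_LEN") != 32:
        problems.append("key is not a 256-bit AES key")
    for name, wanted in LUNA_REQUIRED.items():
        if name not in attrs:
            problems.append(f"{name} not reported")
        elif attrs[name] != wanted:
            problems.append(f"{name} = {attrs[name]}, required {wanted}")
    return problems


def check_ctm_key(key: dict) -> list:
    """Return a list of problems; an empty list means the CipherTrust key qualifies."""
    problems = []
    if key.get("algorithm") != "AES" or key.get("size") != 256:
        problems.append("key is not AES-256")
    # Default-deny: a missing flag is treated as the unsafe value.
    if key.get("exportable", True):
        problems.append("key is exportable")
    if key.get("deletable", True):
        problems.append("key is deletable")
    missing = CTM_REQUIRED_USAGE - set(key.get("usage_mask", []))
    if missing:
        problems.append("usage mask missing: " + ", ".join(sorted(missing)))
    return problems


def hyok_source_problems(source_type: str, key: dict) -> list:
    """Dispatch on the Source chosen in the wizard: 'Luna HSM' or 'CipherTrust'."""
    if source_type == "Luna HSM":
        return check_luna_key(key)
    if source_type == "CipherTrust":
        return check_ctm_key(key)
    return [f"unsupported source type: {source_type}"]


# Constructed sample keys (not real HSM or CipherTrust Manager output).
GOOD_LUNA_KEY = {
    "CKA_KEY_TYPE": "CKK_AES", "CKA_VALUE_LEN": 32,
    "CKA_EXTRACTABLE": False, "CKA_SENSITIVE": True,
    "CKA_ENCRYPT": True, "CKA_DECRYPT": True, "CKA_WRAP": True, "CKA_UNWRAP": True,
}
# Extractable, and CKA_UNWRAP never set: must be rejected.
BAD_LUNA_KEY = {
    "CKA_KEY_TYPE": "CKK_AES", "CKA_VALUE_LEN": 32,
    "CKA_EXTRACTABLE": True, "CKA_SENSITIVE": True,
    "CKA_ENCRYPT": True, "CKA_DECRYPT": True, "CKA_WRAP": True,
}
GOOD_CTM_KEY = {
    "algorithm": "AES", "size": 256, "exportable": False, "deletable": False,
    "usage_mask": ["Encrypt", "Decrypt", "Wrap", "Unwrap"],
}
# Exportable, and missing the Wrap and Unwrap usage masks: must be rejected.
BAD_CTM_KEY = {
    "algorithm": "AES", "size": 256, "exportable": True, "deletable": False,
    "usage_mask": ["Encrypt", "Decrypt"],
}

if __name__ == "__main__":
    for label, src, key in [("good luna", "Luna HSM", GOOD_LUNA_KEY),
                            ("bad luna", "Luna HSM", BAD_LUNA_KEY),
                            ("good ctm", "CipherTrust", GOOD_CTM_KEY),
                            ("bad ctm", "CipherTrust", BAD_CTM_KEY)]:
        print(label, hyok_source_problems(src, key) or "OK")
```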
Linking HYOK Keys
If you created an HYOK key in an unlinked state, you can link it after creation. Linking an HYOK key automatically creates a new corresponding KMS key in AWS KMS.
Note
To link an existing KMS key, refresh all the keys.
To link an HYOK key
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
You can filter this list on Origin: HYOK-CCKM to display only local HYOK keys.
Click the overflow icon corresponding to the desired key and click Link.
The Configure AWS Key screen of the Link AWS Key wizard is displayed.
Optionally provide an Alias and Tags for the new KMS key.
Click Next. The AWS Key Policy screen is displayed.
Click the desired tab to view the instructions.
Select the Create New Policy option.
Select a policy view. You can select either the Basic view or Raw view. The default view is Basic.
Select the key admins, key users, and additional accounts for the policy. The Key Admins and Key Users tabs display the list of available AWS users and roles.
In the Basic view, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Add external accounts in the Add Accounts field and click +.
These accounts have user permissions. Similarly, you can add more external accounts. To remove an account, click the close (X) icon in the account name.
To switch to the Raw view, click Switch to policy (Raw) View. In the Raw view, paste a policy in JSON format in the Raw Policy field.
Note
Any edits made in the policy (Raw) view will be retained exclusively in the policy (Raw) view.
Select Save this Key Policy and Enter Template Name.
Click Next.
Select the Select Saved Policy option.
Select a policy from the Saved Policies drop-down list.
You can also update the selected policy, and create a new policy using it.
Select the policy view. You can select Raw View or Basic View. By default, the policy opens in the Raw View.
Update the policy.
Raw View
Make the necessary changes in the policy.
Basic View
In the Basic View, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Note
If you make changes in one of the views and switch to the other view without updating the policy, you will see a Warning message. Click Yes to continue.
Click Update. The Update Policy message is displayed.
To save the changes as a new policy, select the DO NOT Push Changes check box, and enter the New Policy name.
Note
If the selected policy is Unverified, the Update Policy message is not displayed, and a new policy is not created.
Click Apply.
Click Next.
Select the Build From Template option.
Select Template.
(Optional) Make the necessary changes in the template.
Click Next.
The Review and Add screen is displayed.
Review the AWS Key and AWS Key Policy details.
Click Link to accept, link the HYOK key, and create a new KMS key.
Click OK.
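The Key Policy step of each Add Key and Link wizard above lets you pick Key Admins and Key Users in the Basic view, add external accounts that receive user permissions, or paste JSON into the Raw view. This added example (not CCKM code) builds a policy of that shape and lints a raw policy before it is pasted; the statement layout follows the AWS console's default key policy, so what CCKM itself generates may differ, and every account ID and ARN is a constructed placeholder.

```python
"""Build a KMS key policy with Key Admins, Key Users and external accounts, and
lint a raw policy before pasting it into the Raw view.

Added example, not CCKM code. Statement layout follows the AWS console default
key policy; account IDs and ARNs below are constructed placeholders.
"""
import json

ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource",
    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
]
USER_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey",
]


def build_key_policy(account_id, key_admins, key_users, external_accounts=()):
    """Key admins manage the key but cannot use it; key users and the external
    accounts from the Add Accounts field get use-only permissions."""
    user_principals = list(key_users) + [
        f"arn:aws:iam::{acct}:root" for acct in external_accounts
    ]
    return {
        "Version": "2012-10-17",
        "Id": "cckm-example-key-policy",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
             "Principal": {"AWS": list(key_admins)},
             "Action": ADMIN_ACTIONS, "Resource": "*"},
            {"Sid": "Allow use of the key", "Effect": "Allow",
             "Principal": {"AWS": user_principals},
             "Action": USER_ACTIONS, "Resource": "*"},
        ],
    }


def render_policy(policy) -> str:
    """JSON text suitable for the Raw Policy field."""
    return json.dumps(policy, indent=2)


def _principals(principal):
    """Flatten the Principal element to a list of AWS principal strings."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if aws == "*":
            return ["*"]
        return [aws] if isinstance(aws, str) else list(aws)
    return []  # Service principals and the like are not checked here


def _account_of(principal: str):
    """Account ID from an IAM ARN or a bare 12-digit account ID; None otherwise."""
    parts = principal.split(":")
    if parts[0] == "arn" and len(parts) >= 6:
        return parts[4]
    if principal.isdigit() and len(principal) == 12:
        return principal
    return None


def lint_raw_policy(raw_json: str, allowed_accounts) -> list:
    """Findings for a policy about to be pasted into the Raw view: wildcard
    principals, principals outside the key owner and listed external accounts,
    and kms:* granted to anything other than an account root."""
    policy = json.loads(raw_json)
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        for p in _principals(stmt.get("Principal")):
            if p == "*":
                findings.append(f"{sid}: wildcard principal")
                continue
            if _account_of(p) not in allowed_accounts:
                findings.append(f"{sid}: principal {p} is outside the allowed accounts")
            if "kms:*" in actions and not p.endswith(":root"):
                findings.append(f"{sid}: non-root principal {p} granted kms:*")
    return findings


# Constructed raw policy with a wildcard principal, as might be pasted by mistake.
SAMPLE_BAD_RAW_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Allow use of the key", "Effect": "Allow",
                   "Principal": "*", "Action": USER_ACTIONS, "Resource": "*"}],
})

if __name__ == "__main__":
    policy = build_key_policy("111111111111",
                              ["arn:aws:iam::111111111111:role/KeyAdmin"],
                              ["arn:aws:iam::111111111111:role/AppRole"],
                              ["222222222222"])
    print(render_policy(policy))
    print(lint_raw_policy(SAMPLE_BAD_RAW_POLICY, {"111111111111"}))
```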
Viewing AWS Keys
To view an AWS key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed. The AWS Keys page displays the following details:
Alias: Unique, user-friendly alias of the key. This is useful in searching for specific keys. The AWS Keys page shows the latest alias under the Alias field. Additional aliases for the key are displayed in braces. For example, if a key has three aliases and the latest alias is "latest-alias", the Alias field shows "latest-alias (+2 more)". Clicking the link takes you to the Aliases section of the key in edit mode.
Key ID: Unique ID of the CipherTrust Manager key.
Account: AWS account name.
Region: AWS region.
Algorithm: Name of the algorithm. Supported algorithms are:
• SYMMETRIC_DEFAULT
• RSA_2048
• RSA_3072
• RSA_4096
• ECC_NIST_P256
• ECC_NIST_P384
• ECC_NIST_P521
• ECC_SECG_P256K1
Source Key: Name of the source key.
Source Type: Source of the key.
• CipherTrust (Local): Local CipherTrust Manager
• DSM: Vormetric Data Security Manager
• Luna: HSM Luna
• CipherTrust (External): External CipherTrust Manager
Key State: State of the key. The state can be:
• Enabled
• Disabled
• Deleted
• PendingDeletion
• PendingImport
• Unavailable
Creation Date: Time when the key is created.
Origin: The origin of the key can be:
• BYOK-CCKM: Key material is created on CCKM.
• Native: Key material is created on the cloud.
• BYOK - External: Source of the key material is unknown. It is different from CCKM and the native cloud.
• HYOK-CCKM: HYOK key exists on CCKM.
• HYOK-External: An external key from KMS, without the corresponding HYOK key on the local CCKM. This can mean that the HYOK key is present on a different CCKM not clustered with the local one, or that the HYOK key is present on another vendor's external key manager.
NOTE: When the CipherTrust Manager is upgraded from 2.0 to 2.1, the Origin column appears blank. The column will be populated on the next scheduled key synchronization or on-demand synchronization by clicking the Sync All button.
Expiration Date: Time when the key will expire. The expiration date is not applicable for some key types.
Expiration State: State of the expiration.
Regionality: Whether the key is a single-region key, multi-region primary key, or multi-region replica key.
Cloud: Name of the AWS cloud.
Key Usage: How the key is used, for example, to decrypt and encrypt or to sign and verify.
Source Key Container: Container of the source key. A container can be the CipherTrust Manager, DSM, or Luna HSM.
Key Store (Applicable to HYOK keys): Name of the key store.
Some of these fields are not populated for HYOK keys. The non-populated fields are Alias, Key ID, Key State, and Creation Date.
The Regionality, Cloud, Key Usage, and Source Key Container columns are hidden by default. To show or hide a column, click the custom view icon, select or clear the desired column, and click OK. The Key Usage column is not populated for HYOK keys.
Sometimes, you might notice that certain keys are displayed grayed out. This happens when the keys are no longer accessible, for example, when:
Cloud permissions on the keys are changed, so the keys are no longer accessible from the AWS connection.
The connection is changed in AWS KMS, and the new connection does not have permissions to access the keys.
AWS regions are changed or removed, so the keys from the configured region are no longer accessible.
Creating Replica of Multi-Region Keys
Note
This functionality is applicable to Native and BYOK keys.
A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. Later, you can set any replica of the multi-region key as the primary key.
Note
Only one replica of a primary key can be created in one AWS Region. Moreover, a replica of a replica key cannot be created.
To add a replica:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the alias of the desired multi-region primary key. The detail view of the key is displayed.
Scroll down to the REGIONALITY section.
Click Add Replicas. The Add Replica Region screen of the Add Replica Keys dialog box is displayed.
Add Replica Region
From the Select Replica Region drop-down list, select the AWS region where you want to create the replica key.
Click Next. The Add Labels screen is displayed.
The fields on the Add Labels screen display the current values of the primary key, but you can edit them at any time. AWS KMS does not synchronize any changes to these values.
Enter a user-friendly Alias for the replica key. This helps uniquely identify the replica key.
(Optional) Provide a brief Description of the key.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: _ . / = + - @
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Key Policy screen is displayed.
On the Key Policy screen, you can specify a policy for the key. If you skip the Key Policy screen by clicking Next, a default policy will be applied to the key.
Key Policy
Specify a policy for the key. You can create a new policy, select a saved policy, and build from template.
Click the desired tab to view the instructions.
Select the Create New Policy option.
Select a policy view. You can select either the Basic view or Raw view. The default view is Basic.
Select the key admins, key users, and additional accounts for the policy. The Key Admins and Key Users tabs display the list of available AWS users and roles.
In the Basic view, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Add external accounts in the Add Accounts field and click +.
These accounts have user permissions. Similarly, you can add more external accounts. To remove an account, click the close (X) icon in the account name.
To switch to the Raw view, click Switch to policy (Raw) View. In the Raw view, paste a policy in JSON format in the Raw Policy field.
Note
Any edits made in the policy (Raw) view will be retained exclusively in the policy (Raw) view.
Select Save this Key Policy and Enter Name.
Click Next.
Select the Select Saved Policy option.
Select a policy from the Saved Policies drop-down list.
Click View Policy (Raw) to view the policy in source JSON.
Click Next.
Select the Build From Template option.
Select Template.
(Optional) Make the necessary changes in the template.
Click Next.
The Review screen is displayed.
Review
This screen shows the replica key details that you have provided. These details are divided into REPLICA REGION, LABELS, AWS KEY POLICY, and CONFIRMATION sections.
Before adding the replica key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the REPLICA REGION and LABELS sections and update details. Alternatively, click Back and make changes, as appropriate.
Under CONFIRMATION, select I understand that the values I choose here are not synchronized with any other Multi-Region Key.
Click Add Replica Key. Your key is successfully added. Close window to return to replica keys list.
Click Close. The Add Replica Keys wizard is closed.
The newly created replica key is displayed in the list of replica keys under the REGIONALITY section. The Regionality of a replica key is displayed as REPLICA and its Status moves from Starting to PendingImport.
Viewing Replicas of a Multi-Region Key
Note
This functionality is applicable to Native and BYOK keys.
To view the replicas of a multi-region key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the alias of the desired multi-region primary key. The detail view of the key is displayed.
Scroll down to the REGIONALITY section. This section shows the replicas of the multi-region primary key. The section shows the following details:
Region: Region where the replica is created.
Key ARN: Amazon Resource Name (ARN) of the AWS replica.
Alias: Alias of the replica key.
State: State of the replica key.
Regionality: Regionality of the replica key is REPLICA.
Creation Date: Date and time when the replica was created.
Viewing or Editing AWS Key Details
To view or edit an AWS key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon corresponding to the desired alias and click View/Edit.
For HYOK keys, you can obtain the following additional values:
The XKS ID. You can copy this value using the copy button, if you want to manually create a corresponding KMS key. In AWS, this value is called the External key ID.
The Source. This is a link to the CCKM-managed source key stored within either Luna HSM or CipherTrust Manager (depending on which key source you are using). This is important if you want to perform any key functions using either Luna key functions or CipherTrust Manager key functions.
Note
You can view but not edit details for unlinked HYOK keys.
For Native keys, BYOK keys, and linked HYOK keys, edit or configure the following fields and click Update:
POLICY: Grant access to external accounts, key administrators, and key users. Refer to Adding/Editing Policies for details.
ALIASES: Add or delete aliases of the key.
LABELS: Add tags to the key. Refer to Add Labels for characters allowed in AWS tag values.
SCHEDULES: Apply a rotation schedule to the key. Refer to Apply Key Rotation Schedule for details.
Note
You can view and remove the schedule only if you have already assigned it to an existing AWS native key whose algorithm is SYMMETRIC_DEFAULT. After you remove the schedule, this section is hidden.
A newly created AWS native key with the SYMMETRIC_DEFAULT algorithm does not have a SCHEDULES section.
AWS AUTOMATIC KEY ROTATION: Automatically rotates AWS native key after a specified time period. To automatically rotate the key, enable automatic key rotation and enter the Rotation period (in days).
Based on the entered rotation period, the next rotation date will be displayed.
Note
The default rotation period is 365 days.
Automatic key rotation only applies to the AWS native keys that have the algorithm as SYMMETRIC_DEFAULT.
If the next rotation date is not displayed, click the Refresh icon.
ROTATION HISTORY: Rotate the key. Refer to Rotation History for details.
Adding or Deleting Aliases
Note
This functionality is applicable to Native, BYOK, and CloudHSM keys. For HYOK keys, this functionality is applicable to linked keys only.
To add a new alias to the key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon corresponding to the desired alias and click View/Edit.
Under ALIASES, click Add Alias.
Enter an Alias Name.
Click Save. The new alias is added to the key.
The AWS Keys page shows the latest alias under the Alias field. Additional aliases for the key are displayed in braces. For example, if a key has three aliases and the latest alias is "latest-alias", the Alias field shows "latest-alias (+2 more)". Clicking the link takes to the Aliases section of the key in edit mode.
To delete an alias of the key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon corresponding to the desired alias and click View/Edit.
Under Aliases, click the overflow icon corresponding to the desired alias.
Click Delete. The alias is deleted.
Apply Key Rotation Schedule
Note
For HYOK keys, this functionality is applicable to linked keys only.
To apply a key rotation schedule to an AWS key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon corresponding to the desired alias and click View/Edit.
Under SCHEDULES, from the Rotation drop-down list, select a schedule to apply. If applying a schedule to a CloudHSM key or linked HYOK key, proceed to step 7.
Note
If the selected scheduled rotation has Rotate Key Material (Imported AES Keys) enabled, you will see it alongside the rotation name.
(Optional) For BYOK or Native keys, you can grant or deny the encrypt permission in the key policy of the AWS account where the key was created, or in the key policies of all accounts the key is shared with:
Select Disable Encrypt Permissions on Current Key to deny the encrypt permission in the key policy of the AWS account where the key was created. Clear the check box to grant the encrypt permission. By default, Disable Encrypt Permissions on Current Key is selected, that is, the encrypt permission is denied on the current key.
Select Disable Encrypt Permissions on All Accounts to deny the encrypt permission in the key policies of all the AWS accounts the key is shared with. Clear the check box to grant the encrypt permission.
For BYOK or Native keys, select the Key Origin from the available options. The key origin can be:
CipherTrust (External): External CipherTrust Manager.
CipherTrust (Local): Local CipherTrust Manager.
Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.
DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.
Note
If the algorithm of the key is RSA, EC, or HMAC, you can only select CipherTrust (Local) as the Key Origin.
Click Update.
Note
A scheduled key rotation always creates a new key with a randomly generated UUID name.
Rotation History
You can view the details and perform a new rotation for Native and BYOK keys using the SYMMETRIC_DEFAULT algorithm.
Native keys with the SYMMETRIC_DEFAULT algorithm: You can view the Key Material ID, Date, State, and Type of the key rotation.
To perform a new rotation:
Click Rotate Key, the AWS On-Demand Key Rotation dialog box is displayed.
Click Rotate.
Warning
As of now, you can only initiate AWS On-Demand Key Rotation 10 times by default.
Note
On-demand key rotation applies to the AWS native keys that have the algorithm as SYMMETRIC_DEFAULT.
If the latest rotation history details are not displayed, click the Refresh icon.
BYOK keys with the SYMMETRIC_DEFAULT algorithm: You can view the Key Material ID, Rotation Date, Key Material State, Import State, Source Type, Origin, Expiration Date, and Key Material Description of the key rotation.
To perform a new rotation, refer to the Rotating Keys section.
For BYOK keys, you can also promote key material to current, re-import it, or delete it.
Promote to Current: To promote key material to current:
Click the overflow icon next to the desired key rotation and select Promote to Current. The Promote to Current dialog box is displayed.
Click Rotate.
Click OK.
Note
You can promote key material to current only when it is first in the list and its state is Pending Rotation.
Re-Import: To re-import key material:
Click the overflow icon next to the desired key rotation and select Re-Import Key Material. The Re-Import Key Material dialog box is displayed.
Click Re-Import Key Material.
Click Next.
(Optional) Select Key Material Expiration Date.
(Optional) Enter Description.
Click Next.
Click Import.
Click OK.
Note
You can only re-import deleted key material.
Delete: To delete key material:
Click the overflow icon next to the desired key rotation and select Delete Key Material. The Delete Key Material dialog box is displayed.
Click Delete Key Material.
Note
You can delete the imported key material.
Adding/Editing Policies
You can apply a new policy or edit the policy attached to an AWS key on the list view or the details view of the AWS Keys page.
On the list view of the AWS Keys page
Note
This functionality is applicable to all Native and BYOK keys. For HYOK keys, this functionality is applicable to linked keys only.
To add or edit key policy:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon corresponding to the desired alias and click Add/Edit Policies.
The Add/Edit Policies dialog box displays the attached policy, if any. Under Unsaved Policy, you can either:
Update the policy locally. These are local changes only. They do not affect the original policy.
Alternatively, you can save the changes as a new policy. Click Save to Policy List, specify a Policy Name, and click Save. The newly created policy will be available as a saved policy for selection.
Attach a new saved policy. Click Select Saved Policy, select a saved policy from the drop-down list, and click Apply.
Select a template and use it to create a key policy. Click Build from Template, select a template from the drop-down list, and click Apply.
Click Save.
On the details view of the AWS Keys page
To add or edit key policy:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the Alias link of the key.
Navigate to the POLICY section.
Add or update the policy, as described above.
Click Update.
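The Key Admins, Key Users, and external-account selections of the Basic view end up as a JSON key policy like the one the Raw view shows, and the rotation option Disable Encrypt Permissions on Current Key amounts to adding an explicit Deny on kms:Encrypt to that policy. The following added example (not CCKM or AWS code) builds such a policy, adds the Deny, and evaluates what a given principal may do; the account IDs, role ARNs, and the action lists (modelled on the AWS console default key policy) are constructed assumptions.

```python
"""AWS KMS key policy as CCKM's Basic view builds it and its Raw view shows it.
Added example, not CCKM or AWS code. Account ids, ARNs and the action lists
(modelled on the AWS console default key policy) are constructed assumptions."""
import json
from typing import Dict, List, Optional

ACCOUNT_ID = "111122223333"        # constructed AWS account id
EXTERNAL_ACCOUNT = "444455556666"  # constructed account the key is shared with

# Management actions for key admins and cryptographic actions for key users.
ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                 "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                 "kms:Get*", "kms:Delete*", "kms:TagResource",
                 "kms:UntagResource", "kms:ScheduleKeyDeletion",
                 "kms:CancelKeyDeletion"]
USER_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"]


def build_key_policy(account_id: str, key_admins: List[str],
                     key_users: List[str], external_accounts: List[str]) -> Dict:
    """Turn the Basic-view selections into a key policy document.

    The root statement keeps the owning account in control so the policy can
    never lock everyone out; admins get management actions only; key users and
    every external account (added as that account's root) get crypto actions."""
    statements = [{"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                   "Action": "kms:*", "Resource": "*"}]
    if key_admins:
        statements.append({"Sid": "Allow access for Key Administrators",
                           "Effect": "Allow", "Principal": {"AWS": key_admins},
                           "Action": ADMIN_ACTIONS, "Resource": "*"})
    users = list(key_users) + [f"arn:aws:iam::{a}:root" for a in external_accounts]
    if users:
        statements.append({"Sid": "Allow use of the key", "Effect": "Allow",
                           "Principal": {"AWS": users},
                           "Action": USER_ACTIONS, "Resource": "*"})
    return {"Version": "2012-10-17", "Id": "key-policy", "Statement": statements}


def deny_encrypt(policy: Dict, principals: Optional[List[str]] = None) -> Dict:
    """Copy of the policy with an explicit Deny on kms:Encrypt.

    This is what 'Disable Encrypt Permissions on Current Key' amounts to after a
    scheduled rotation: the old key still decrypts existing data but can no
    longer encrypt new data. An explicit Deny wins over every Allow. With
    principals=None the Deny applies to all principals ("*")."""
    new = json.loads(json.dumps(policy))  # deep copy through the raw JSON form
    new["Statement"].append({"Sid": "Deny encrypt after rotation",
                             "Effect": "Deny",
                             "Principal": {"AWS": principals} if principals else "*",
                             "Action": "kms:Encrypt", "Resource": "*"})
    return new


def _action_matches(pattern: str, action: str) -> bool:
    """IAM-style match: exact, or prefix match when the pattern ends in '*'."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _principal_listed(stmt: Dict, principal: str) -> bool:
    """True if the statement names this principal (or uses the '*' wildcard)."""
    p = stmt["Principal"]
    if p == "*":
        return True
    aws = p.get("AWS", [])
    return principal in (aws if isinstance(aws, list) else [aws])


def is_allowed(policy: Dict, principal: str, action: str) -> bool:
    """Evaluate the key policy on its own for one principal and one action:
    a matching Deny blocks outright; otherwise a matching Allow permits."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = actions if isinstance(actions, list) else [actions]
        if not _principal_listed(stmt, principal):
            continue
        if any(_action_matches(a, action) for a in actions):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def raw_view(policy: Dict) -> str:
    """The JSON text as you would paste it into CCKM's Raw Policy field."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    admin = f"arn:aws:iam::{ACCOUNT_ID}:role/KeyAdmin"   # constructed
    app = f"arn:aws:iam::{ACCOUNT_ID}:role/AppServer"    # constructed
    pol = build_key_policy(ACCOUNT_ID, [admin], [app], [EXTERNAL_ACCOUNT])
    print(raw_view(pol))
    old = deny_encrypt(pol)  # the previous key after rotation: decrypt-only
    print("AppServer encrypt on old key:", is_allowed(old, app, "kms:Encrypt"))
    print("AppServer decrypt on old key:", is_allowed(old, app, "kms:Decrypt"))
```

The evaluator considers only the key policy itself; IAM identity policies and grants, which AWS also consults, are out of scope here.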
Refreshing AWS Keys
Refreshing is the process of downloading keys created on the AWS KMS to CCKM. You can refresh keys from all AWS KMS accounts at once.
Refreshing keys also refreshes AWS CloudHSM key stores and external custom key stores.
Refreshing all keys can set unlinked HYOK keys to a linked state. This happens when CCKM detects a corresponding KMS key for a local unlinked HYOK key. Likewise, this operation can set unlinked external custom key stores to a linked state. This happens when CCKM detects a corresponding KMS external key store for a local unlinked external custom key store.
To refresh keys:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The AWS Keys page is displayed. This page displays the list of AWS keys.
Click Refresh All. The This may take a while... message is displayed.
Note
Refresh all keys is a time intensive operation that could take several hours or days to complete. It will continue running in the background. Do you want to continue?
Click Refresh All to continue.
A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.
The refreshed keys are listed on the Cloud Keys > AWS > AWS Keys page.
Disabling Keys
Note
This functionality is applicable to all Native, BYOK, and Cloud HSM keys. For HYOK keys, this functionality is applicable to linked keys only.
For HYOK keys, disabling has the same practical effect of disallowing cryptographic operations as blocking does. However, disabling changes the external key state on AWS KMS and blocking does not.
Caution
Take care when disabling a key. You cannot use this key in cryptographic operations and it may limit your access to certain resources that use this key. To reverse this action in the future, you can always choose to enable the key again.
To disable the key(s):
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Select the keys to be disabled from the list.
Click Disable. The Disable Key(s) dialog box is displayed.
Click Disable. The Job Created dialog box is displayed. A job is created to track the disabling of the keys.
Click OK.
You can check the job status on the Bulk Operations tab.
Enabling Keys
Note
This functionality is applicable to all Native, BYOK, and Cloud HSM keys. For HYOK keys, this functionality is applicable to linked keys only.
For HYOK keys, enabling has the same practical effect of allowing cryptographic operations as unblocking does. However, enabling changes the external key state on AWS KMS and unblocking does not.
Caution
Take care when disabling a key. You cannot use this key in cryptographic operations and it may limit your access to certain resources that use this key. To reverse this action in the future, you can always choose to enable the key again.
To enable the key(s):
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Select the keys to be enabled from the list.
Click Enable. The Enable Key(s) dialog box is displayed.
Click Enable. The Job Created dialog box is displayed. A job is created to track the enabling of the keys.
Click OK.
You can check the job status on the Bulk Operations tab.
Downloading Keys
Note
This functionality is applicable to asymmetric keys.
Asymmetric keys can be downloaded to your local machines. Symmetric keys cannot be downloaded.
To download an asymmetric key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon corresponding to the desired alias and click Download Key. The key is downloaded.
Importing Key Material
Note
This functionality is applicable to Native and BYOK keys.
You can create a key without key material and can later import the CipherTrust key material to the AWS KMS. As the key material is not created on the AWS KMS, its origin is external.
Note
You can only import AES keys with status PendingImport to the AWS KMS.
To import key material:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon corresponding to the desired alias and click Import Material. The Import Material dialog box is displayed.
Select Import Type (the desired key material source). The options are:
Note
The Vormetric DSM key option will be available only for the keys that have the algorithm as SYMMETRIC_DEFAULT (AES).
Import Using CipherTrust (External)
When importing the key material from an external CipherTrust Manager, select Key Material Origin. The options are:
Create New Key
In this method, the external CipherTrust Manager creates the new key material locally.
Select Create New Key.
Click Next.
Enter Key Name.
Select Domain for the key. The drop-down list shows the domains of the external CipherTrust Manager linked with the configured connection.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Next. The Review Key Details screen is displayed.
Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.
Click Import.
The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed. When the status next to the SOURCE KEY section becomes Complete, the key material is imported successfully.
Click OK.
In this scenario, the external CipherTrust Manager creates new key material and the key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.
Use Existing Key
In this method, the key material of an existing external CipherTrust Manager key is used.
Select Use Existing Key.
Click Next.
Select Domain from the drop-down list. The drop-down list shows the domains of the external CipherTrust Manager linked with the configured connection.
Select a CipherTrust (External) Key from the list.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Next. The Review Key Details screen is displayed.
Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.
Click Import.
The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed.
Click OK.
In this scenario, the existing key material of the external CipherTrust Manager is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.
Import Using CipherTrust (Local)
When importing the key material from CipherTrust Manager, select Key Material Origin. The options are:
Create New Key
In this method, CipherTrust Manager creates the new key material locally.
Select Create New Key.
Click Next.
Enter Key Name.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Next. The Review Key Details screen is displayed.
Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.
Click Import.
The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed. When the status next to the SOURCE KEY section becomes Complete, the key material is imported successfully.
Click OK.
In this scenario, CipherTrust Manager creates new key material and the key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.
Use Existing Key
In this method, the key material of an existing CipherTrust Manager key is used.
Select Use Existing Key.
Click Next.
Select a CipherTrust (Local) Key from the list.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Next. The Review Key Details screen is displayed.
Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.
Click Import.
The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed.
Click OK.
In this scenario, the existing CipherTrust Manager key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.
Import Using Vormetric DSM
When importing the key material from Vormetric DSM, select Key Material Origin. The options are:
Create New Key
In this method, DSM creates the new key material locally.
Select Create New Key.
Click Next.
Enter a DSM Key Name.
Select the desired DSM Domain.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Next. The Review Key Details screen is displayed.
Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.
Click Import.
The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed. When the status next to the SOURCE KEY section becomes Complete, the key material is imported successfully.
Click OK.
In this scenario, the DSM creates new key material and the key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.
Use Existing Key
In this method, the key material of an existing DSM key is used.
Select Use Existing Key.
Click Next.
Select a DSM Key from the list.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Next. The Review Key Details screen is displayed.
Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.
Click Import.
The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed.
Click OK.
In this scenario, the existing DSM key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.
Import Using Luna HSM
When importing the key material from Luna HSM, select Key Material Origin. The options are:
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Create New Key
In this method, Luna HSM creates the new key material locally.
Select Create New Key.
Click Next. The Add Key Details page is displayed.
Enter a Key Name.
Select the desired Partition ID.
Select the desired Key Attributes.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Next. The Review Key Details screen is displayed.
Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.
Click Import.
The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed. When the status next to the SOURCE KEY section becomes Complete, the key material is imported successfully.
Click OK.
In this scenario, the Luna HSM creates new key material and the key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.
Use Existing Key
In this method, the key material of an existing Luna HSM key is used.
Select Use Existing Key.
Click Next. The Add Key Details page is displayed.
Select an HSM Key from the list.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Next. The Review Key Details screen is displayed.
Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.
Click Import.
The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed.
Click OK.
In this scenario, the existing Luna HSM key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.
Deleting Key Material
Note
This functionality is applicable for BYOK keys, not HYOK keys. You can delete unlinked HYOK keys or schedule key deletion for linked HYOK keys through AWS menus, but not their source key material.
For HYOK keys, Luna source keys are managed through CCKM Luna key functions, and CipherTrust Manager source keys are managed through CipherTrust Manager key management menus.
To delete key material:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon corresponding to the desired alias and click Delete Material. The Delete Key Material dialog box is displayed.
Select I wish to delete key material.
Click Delete Key Material.
A message AWS Key material deleted is displayed on the screen. The key state changes to PendingImport.
Warning
Be extremely careful when deleting key material from the AWS KMS. Once the key material is deleted, decryption of data cannot be performed using that key material. However, if needed, you can reimport the key material.
Scheduling Key Deletion
Note
This functionality is applicable to all Native, BYOK, HYOK keys and CloudHSM keys. For HYOK keys, this functionality is applicable to linked keys only.
Scheduled key deletion permanently removes the key from the AWS KMS (if a Native, linked HYOK, or BYOK key) or from the AWS CloudHSM (if a CloudHSM key) at the specified time. The AWS KMS enforces a waiting period of 7 to 30 days. You can cancel scheduled deletion before the waiting period ends.
For linked HYOK keys, scheduling deletion removes the local CCKM HYOK key and the remote KMS key at the specified time. Unlinked HYOK keys can only be deleted manually, not at a scheduled time. Deleting an HYOK key does not delete the source key (stored in either a Luna HSM or CipherTrust Manager). You can later create a new HYOK key using the source key.
Note
For Native and BYOK keys, scheduled key deletion is not allowed for multi-region primary keys that have replicas. To schedule deletion of such a key, delete its replica keys first.
Warning
Be extremely careful when scheduling key deletion. Once the key is deleted from the AWS KMS or from the AWS CloudHSM (if a CloudHSM key), it cannot be restored and the data encrypted with this key will be unrecoverable.
For HYOK keys, if you want to temporarily suspend AWS KMS access, you can instead block the HYOK key.
To schedule key deletion:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon corresponding to the desired alias and click Schedule Key Deletion.
On the Schedule Key Deletion screen:
Select I wish to delete this key.
Specify the Waiting period (in Days) after which the key will be deleted. The default value is 30.
Click Schedule Deletion.
A message Key <key_name> scheduled for deletion is displayed on the screen. The key state changes to PendingDeletion.
Canceling Scheduled Deletion
This functionality is applicable to Native, BYOK, and CloudHSM keys.
Warning
Be extremely careful when scheduling key deletion. Once the key is deleted from the AWS KMS, it cannot be restored and the data encrypted with this key will be unrecoverable.
To cancel scheduled deletion:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon corresponding to the desired alias and click Cancel Deletion.
A message Scheduled deletion cancelled is displayed on the screen. The key state changes to Disabled. You can enable the key if you wish to use it in cryptographic operations.
Deleting Unlinked HYOK Keys
Deleting an unlinked HYOK key deletes the XKS ID that is associated with a KMS key in AWS KMS. The corresponding KMS key is not deleted, but it can no longer perform cryptographic operations. For linked HYOK keys, you can schedule a key deletion to delete both the HYOK key on CCKM and the KMS key in AWS KMS.
Warning
Deleting an HYOK key permanently breaks the association between the corresponding KMS key and this particular XKS ID so that KMS key can no longer perform cryptographic operations. Any data encrypted with the KMS key cannot be decrypted. To temporarily suspend AWS KMS access to the HYOK key and its XKS ID, you can instead block the HYOK key.
Deleting an HYOK key does not delete the source key (stored in either a Luna HSM or CipherTrust Manager). You can later create a new HYOK key using the source key. Luna source keys are managed through CCKM Luna key functions, and CipherTrust Manager source keys are managed through CipherTrust Manager key management menus.
To delete an unlinked HYOK key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
You can filter this list on Origin: CCKM-HYOK to display only HYOK keys.
Click the overflow icon corresponding to the desired alias and click Delete. The Delete Key dialog box is displayed.
Click Delete Key to confirm.
Rotating Keys
Key rotation is a critical security best practice that involves updating the cryptographic material used by your keys. CCKM offers several ways to manage key rotation for your AWS keys.
Understanding Key Rotation Mechanisms in CCKM
CCKM supports different approaches to key rotation depending on the key type and origin:
Material Rotation (Retaining Key ID and ARN): This is the primary rotation method facilitated by CCKM's "Rotate Key" feature for symmetric single-region BYOK keys and Native AWS keys, where algorithm is SYMMETRIC_DEFAULT. It involves associating new cryptographic material with the existing AWS KMS Key ID and ARN. The key's identity in AWS remains the same, but the underlying material changes. This is particularly relevant for BYOK symmetric keys.
AWS-Managed Automatic Rotation: For Native AWS keys using the SYMMETRIC_DEFAULT algorithm, AWS KMS can automatically rotate the key material. CCKM allows you to enable and manage this feature.
HYOK Key Versioning: For HYOK keys, rotation (termed "Add Version (Rotate)") involves associating a new version of the source key (from CipherTrust Manager or a new Luna HSM key) with the existing HYOK entity in CCKM. The HYOK key in AWS KMS then uses this new material for future operations.
CloudHSM Key Rotation: For keys stored in an AWS CloudHSM custom key store, CCKM triggers a rotation command that instructs AWS CloudHSM to generate new key material for the existing key within the HSM.
Manual Alias-Based Rotation (New Key ID and ARN): As a general key management strategy, for any key type, you can manually achieve a form of rotation by:
Creating an entirely new AWS key with fresh key material (see Creating Native Key Material or Adding Key Material Using External (BYOK) Source).
Removing the alias from the old key.
Adding that alias to the newly created key.
This method results in a new AWS KMS Key ID and ARN. It's a manual process and distinct from CCKM's "Rotate Key" feature which often aims to retain the existing Key ID.
General Steps to Initiate Key Rotation via CCKM UI
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Locate the key you wish to rotate. Click the overflow icon corresponding to its alias.
For Native, BYOK, or CloudHSM keys, click Rotate Key.
For HYOK keys, click Add Version (Rotate).
The subsequent steps depend on the type of key you are rotating, as detailed in the sections below.
Rotating Native AWS Keys
The process for rotating Native AWS keys varies based on their configuration.
1. Native Keys with SYMMETRIC_DEFAULT Algorithm (AWS-Managed Rotation)
If you are rotating an AWS native key that uses the SYMMETRIC_DEFAULT algorithm, CCKM can initiate an AWS on-demand key rotation or manage AWS's automatic rotation schedule.
On-Demand Rotation
After clicking Rotate Key, an "AWS On-Demand Key Rotation" dialog box may appear.
Click Rotate in the dialog, then OK to confirm.
Alternatively, this option might be available in the key's "View/Edit" screen under "ROTATION HISTORY". Refer to ROTATION HISTORY for details.
Warning
AWS KMS may have a default limit on how many times you can initiate on-demand key rotation (for example, 10 times by default). Consult AWS documentation for the most current information.
Scheduled Automatic Rotation: You can enable AWS automatic key rotation and set a rotation period via the key's "View/Edit" screen under "AWS AUTOMATIC KEY ROTATION".
Note
For these AWS-managed rotations, you do not select new key material from an external source like CipherTrust Manager; AWS manages the generation of the new key material.
2. Native Asymmetric Keys or Other Native Key Types
For other types of Native AWS keys (such as asymmetric keys or HMAC keys), key rotation creates a new BYOK key and reassigns the alias from the existing Native AWS key to the newly created BYOK key. Follow the instructions for Material Rotation (BYOK and applicable Native Keys) below.
Rotate BYOK Keys
The process for rotating AWS BYOK keys varies based on their configuration.
1. Single region BYOK keys with SYMMETRIC_DEFAULT Algorithm
When you rotate BYOK keys, CCKM’s Rotate Key feature helps update the cryptographic material for the existing AWS Key ID and ARN. You provide new key material from a supported source. Follow the instructions for Material Rotation (BYOK and applicable Native Keys) below.
Alternatively, this option might be available in the key's "View/Edit" screen under "ROTATION HISTORY". Refer to ROTATION HISTORY for details.
Warning
AWS KMS may have a default limit on how many times you can initiate on-demand key rotation (for example, 10 times by default). Consult AWS documentation for the most current information.
Note
Key Material Requirement: The new key material you upload (whether created as a new source key in CipherTrust Manager/HSM or by selecting an existing source key from these systems) must not have been previously imported or associated with this specific AWS KMS key. Each rotation requires distinct cryptographic material for the target AWS KMS key.
If you prefer the traditional method of creating an entirely new key with a new ID/ARN, or if specific configurations necessitate it, you can achieve rotation manually as described in Understanding Key Rotation Mechanisms in CCKM under "Manual Alias-Based Rotation".
2. Other BYOK Keys
For other types of BYOK keys (such as asymmetric keys, multi-region symmetric keys, or HMAC keys), key rotation creates a new BYOK key and moves the alias from the existing key to the new one.
Steps for Material Rotation (BYOK and applicable Native Keys)
After clicking Rotate Key (as described in General Steps to Initiate Key Rotation), the Select Material Origin screen appears.
Choose the source for the new key material. Options typically include:
Upload New CipherTrust (External) Key: Create a new key on an external CipherTrust Manager.
Upload Existing CipherTrust (External) Key: Use an existing key from an external CipherTrust Manager.
Upload New Vormetric DSM Key: Create a new key on a Vormetric DSM. (Available for SYMMETRIC_DEFAULT/AES keys)
Upload Existing Vormetric DSM Key: Use an existing key from a Vormetric DSM. (Available for SYMMETRIC_DEFAULT/AES keys)
Upload New Luna HSM Key: Create a new key on a Luna HSM.
Upload Existing Luna HSM Key: Use an existing key from a Luna HSM.
Upload New CipherTrust (Local) Key: Create a new key on the local CipherTrust Manager.
Upload Existing CipherTrust (Local) Key: Use an existing key from the local CipherTrust Manager.
Select your desired option and click Next.
Configure source key details. The next screen will prompt you to either create a new source key or select an existing one, based on your choice.
If you selected Upload New ... Key:
For CipherTrust (External) Key:
Select Domain from the drop-down list.
Specify a unique Key Name for the new source key.
For CipherTrust (Local) Key: Specify a unique Key Name for the new source key.
For Vormetric DSM Key:
Specify a unique DSM Key Name.
Select the desired DSM Domain.
For Luna HSM Key:
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Specify a unique Key Name for the new source key.
Select the desired Partition ID.
Review the displayed Key Attributes.
If you selected Upload Existing ... Key:
For CipherTrust (External) Key: Select the desired CipherTrust (External) Key from the list.
For CipherTrust (Local) Key: Select the desired CipherTrust (Local) Key from the list.
For Vormetric DSM Key: Select the desired DSM Key from the list.
For Luna HSM Key:
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Select the desired HSM Key from the list.
Click Next.
Configure destination key properties (Add Labels screen).
Click the desired tab to view the instructions.
(Optional) Provide a Description for this rotation instance or update the key's description.
(Optional) Set or update a key Expiration Date for the new material:
Select the Expiration Date check box.
Enter the date and time (for example, MM/DD/YYYY HH:MM) or use the calendar.
Click Next.
Review and update the rotate key material details that you have provided. These details are divided into MATERIAL ORIGIN and CONFIGURATION sections.
Before rotating the key, review all details. After the key is rotated, certain features will no longer be editable.
Click Rotate.
Click OK. The Rotate Key Material wizard is closed.
The Alias of the current AWS key being rotated is pre-populated.
(Optional) Provide a Description for this rotation instance or update the key's description.
(Optional) Set or update a key Expiration Date for the new material:
Select the Expiration Date check box.
Enter the date and time (for example, MM/DD/YYYY HH:MM) or use the calendar.
(Optional) For BYOK or Native keys, you can grant or deny the encrypt permission in the key policy of the AWS account where the key was created, or in the key policies of all accounts the key is shared with:
Select Disable Encrypt Permissions on Current Key to deny the encrypt permission in the key policy of the AWS account where the key was created. Clear the check box to grant the encrypt permission. By default, Disable Encrypt Permissions on Current Key is selected, that is, the encrypt permission is denied on the current key.
Select Disable Encrypt Permissions on All Accounts to deny the encrypt permission in the key policies of all the AWS accounts the key is shared with. Clear the check box to grant the encrypt permission.
(Optional) Select the Apply Gravestone Alias on Current Key check box to retain the current key's alias (with a timestamp) on the archived key material/version after rotation. If not selected, the alias is not retained on the old key version.
Click Save. A message will confirm successful key material creation (if applicable) and key rotation for the AWS key.
Rotating CloudHSM Keys
Rotating a CloudHSM key involves CCKM instructing AWS CloudHSM to generate new key material for the existing key within the CloudHSM cluster. The Key ID in AWS KMS remains the same.
After clicking Rotate Key (as described in General Steps to Initiate Key Rotation), the Rotate Key screen (or a similar confirmation screen) appears.
(Optional) Provide a Description for this rotation instance.
Disable encrypt permissions on the current key (old material).
(Optional) For BYOK or Native keys, you can grant or deny the encrypt permission in the key policy of the AWS account where the key was created, or in the key policies of all accounts the key is shared with:
Select Disable Encrypt Permissions on Current Key to deny the encrypt permission in the key policy of the AWS account where the key was created. Clear the check box to grant the encrypt permission. By default, Disable Encrypt Permissions on Current Key is selected, that is, the encrypt permission is denied on the current key.
Select Disable Encrypt Permissions on All Accounts to deny the encrypt permission in the key policies of all the AWS accounts the key is shared with. Clear the check box to grant the encrypt permission.
By default, encrypt permissions are disabled on the current (old) key material after rotation. Clear the check box to keep them enabled on the old material.
(Optional) Select the Apply Gravestone Alias on Current Key checkbox if you wish to retain the key alias (with a timestamp) on the archived key material after rotation. If not selected, the alias is not retained on the old key version.
Click Save (or Rotate). A message will confirm successful key rotation.
Rotating HYOK Keys (Add Version / Rotate)
Rotating a Hold Your Own Key (HYOK) involves associating new cryptographic material (either a new source key or a new version of an existing source key from your CipherTrust Manager or Luna HSM) with the HYOK entity in CCKM. This new material will be used for future encryption operations by the corresponding AWS KMS key. Decryption operations on data encrypted with previous key material will continue to use the older material.
Note
After rotation, the HYOK key in CCKM (and by extension, the AWS KMS key) is associated with multiple source keys/versions.
New Encrypt Operations: Will use the newly rotated (latest) key material.
Decrypt Operations: Will use the key material version that originally encrypted the data.
Warning
Blocking/Unblocking: To temporarily suspend AWS KMS access to an HYOK and its source key(s), block the HYOK key. This is reversible.
Deleting HYOK Key in CCKM: Deleting the HYOK key in CCKM or scheduling its deletion can make data encrypted with the corresponding AWS KMS key unrecoverable.
Deleting Source Key: Deleting the underlying source key directly in Luna HSM or CipherTrust Manager will also render data unrecoverable. Manage source keys via their respective management interfaces (Luna HSM keys or CipherTrust Manager keys).
Steps
After clicking Add Version (Rotate) (as described in General Steps to Initiate Key Rotation), the Select Material Origin screen (or a direct confirmation for CM key versioning) appears.
Option 1: Create New CipherTrust Manager Key Version (for CipherTrust Manager sourced HYOK keys)
If your HYOK key's source is a CipherTrust Manager key, rotation typically involves creating a new version of that existing source key.
From the "Add Version (Rotate) Key" screen (this might be a direct confirmation dialog if only this option is available for the key), click Rotate Key (or similar confirmation) to proceed.
Leave the dialog open until the rotation operation completes successfully.
Option 2: Create a New Luna HSM Key (for Luna HSM sourced HYOK keys)
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
You can create an entirely new source key in your Luna HSM to associate with the HYOK.
On the Select Material Origin screen, select Create New Luna HSM Key.
Click Next. The Configure Source Key screen is displayed.
Provide a new Source Key Name for the key to be created in the Luna HSM.
Note
Key attributes for the new Luna HSM key will be displayed and are typically not editable, ensuring they meet HYOK requirements.
Click Next to proceed to the Review and Rotate Key screen.
Review the key details and click Rotate to confirm.
Leave the dialog open until the rotation operation completes successfully.
Option 3: Use Existing Luna HSM Key (for Luna HSM sourced HYOK keys)
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
You can use another existing AES-256 key from your Luna HSM as the new cryptographic material for the HYOK.
On the Select Material Origin screen, select Use Existing Luna HSM Key.
Click Next. The Configure Source Key screen is displayed.
Select the desired key from the Select Luna Key drop-down list.
Note
The existing Luna HSM key must be AES-256 and have the following attributes:
CKA_EXTRACTABLE = FALSE
CKA_SENSITIVE = TRUE
CKA_ENCRYPT = TRUE
CKA_DECRYPT = TRUE
CKA_WRAP = TRUE
CKA_UNWRAP = TRUE
Click Next to proceed to the Review and Rotate Key screen.
Review the key details and click Rotate to confirm.
Leave the dialog open until the rotation operation completes successfully.
Blocking and Unblocking HYOK Keys
Blocking and unblocking an HYOK key is a way to temporarily suspend and restore AWS KMS's access to the HYOK key and its source key. This way, you do not permanently delete the HYOK key and the XKS ID that AWS KMS needs in order to communicate with the HYOK key and its source key.
Block a Key
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
You can filter this list on Origin: HYOK-CCKM to display only local HYOK keys.
Click the overflow icon corresponding to the desired key and click Block Key.
Confirm you wish to block the key by clicking Block in the Block Key dialog.
Unblock a Key
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
You can filter this list on Origin: HYOK-CCKM to display only local HYOK keys.
Click the overflow icon corresponding to the desired key and click Unblock Key.
Confirm you wish to unblock the key by clicking Unblock in the Block Key dialog.
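The HYOK behaviour described in the rotation and blocking sections above (new encrypts use the latest version, decrypts use the version that originally encrypted the data, a blocked key refuses all operations, and an existing Luna key must be AES-256 with the listed CKA_ attributes), modelled as an added Python example. This is not CCKM, AWS KMS or Luna code: everything is an in-memory simulation, the HMAC-based keystream is a toy stand-in for AES-256, and the XKS ID, method names and sample keys are constructed.

```python
import hashlib
import hmac
import os
import struct

# Attributes an existing Luna HSM key must carry to serve as HYOK material (from the page).
REQUIRED_LUNA_ATTRS = {
    "CKA_EXTRACTABLE": False, "CKA_SENSITIVE": True, "CKA_ENCRYPT": True,
    "CKA_DECRYPT": True, "CKA_WRAP": True, "CKA_UNWRAP": True,
}

def luna_key_problems(attrs, key_len_bits):
    """Return the reasons a Luna key is unusable as HYOK material (empty list == usable)."""
    problems = []
    if key_len_bits != 256:
        problems.append("key is not AES-256")
    for name, want in REQUIRED_LUNA_ATTRS.items():
        if attrs.get(name) is not want:
            problems.append(f"{name} must be {want}")
    return problems

class HyokKey:
    """Constructed model of one CCKM HYOK key: an XKS ID plus ordered source-key versions."""
    def __init__(self, xks_id, material):
        self.xks_id = xks_id
        self.versions = [material]   # index 0 is the original source material
        self.blocked = False

    def add_version(self, material):
        """Add Version (Rotate): the new material becomes the latest version."""
        self.versions.append(material)

    def block(self):
        self.blocked = True          # reversible: KMS access suspended, nothing deleted

    def unblock(self):
        self.blocked = False

    def _keystream(self, version, nonce, n):
        # Toy keyed stream (HMAC-SHA256 counter mode); stands in for AES-256, not for real use.
        key, out, ctr = self.versions[version], b"", 0
        while len(out) < n:
            out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def encrypt(self, plaintext):
        if self.blocked:
            raise PermissionError("HYOK key is blocked; AWS KMS access is suspended")
        v = len(self.versions) - 1   # new encrypt operations always use the latest version
        nonce = os.urandom(12)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(v, nonce, len(plaintext))))
        return struct.pack(">I", v) + nonce + ct   # version is recorded in the envelope

    def decrypt(self, blob):
        if self.blocked:
            raise PermissionError("HYOK key is blocked; AWS KMS access is suspended")
        v = struct.unpack(">I", blob[:4])[0]       # decrypt uses the version that encrypted
        if v >= len(self.versions) or self.versions[v] is None:
            raise ValueError(f"source key version {v} is gone; data is unrecoverable")
        nonce, ct = blob[4:16], blob[16:]
        return bytes(a ^ b for a, b in zip(ct, self._keystream(v, nonce, len(ct))))
```

Setting an entry of versions to None simulates deleting the source key in the HSM or CipherTrust Manager, which makes ciphertext under that version unrecoverable while later versions keep working.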