Please Note:

Administration
CipherTrust Manager Administration
- Password Policy
- Users
- Certificate Based Authentication
- Changing Passwords
- Domain Management
- Groups
- LDAP Group Mapping
- Services
- Root of Trust Hardware Security Module
- Clusters and Nodes
- Tokens
- Policies
- Records
- Syslogs
- Banners
- Interfaces
- Proxy Configuration
- SNMP
- SMTP
- Backups
- Scheduling Backups
- Disk Encryption After Initial Launch
- Scheduler
- System Logs
- System Upgrade/Downgrade
- Client Management
- Connection Manager
  - Connections
  - Amazon Web Services (AWS)
  - Microsoft Azure
  - Hadoop Knox
  - Luna Network HSM
  - Server Message Block (SMB)
  - DSM Connection
- Configuring DNS Hosts
- CLI Toolkit
  - CLI Toolkit Installation
  - Batching Commands with Tokens
  - Example CLI User Set Up
  - Support CLI
- Keys
- Key Rotation
- Alarms
- Crypto Operations
- MKEK Rotation
- Certificate Authority
- Data Protection
  - Protection Profiles
  - BDT Policies
  - BDT Containers
- REST API
- Return Material Authorization (RMA) Guidance
CCKM Administration
- Overview
- Interfaces
- AWS Resources
  - Managing AWS Accounts
  - Managing AWS Keys
  - Scheduling Operations
  - Managing AWS Reports
- Azure Resources
  - Prerequisites
    - Prerequisites for Azure Cloud
    - Prerequisites for Azure Stack Cloud with Azure AD
    - Prerequisites for Azure Stack Cloud with Azure ADFS
  - Managing Azure Vaults
  - Managing Azure Keys
  - Scheduling Operations
  - Managing Azure Reports
- Luna HSM Resources
  - Managing Luna HSM Partitions
  - Managing Luna HSM Keys
  - Scheduling Operations
- DSM Resources
  - Managing DSM Domains
  - Managing DSM Keys
  - Scheduling Operations
- Google Cloud External Key Manager Resources
  - Managing Google EKM Endpoints
  - Managing Google EKM Endpoint Policies
- Google Workspace CSE Resources
  - Access Policies
  - High Level Architecture
  - Licensing
  - Prerequisites
  - Clustering for Google Workspace
  - Encrypting Data Encryption Keys
  - Decrypting Data Encryption Keys
  - Endpoints
  - Identity Providers
  - Records
  - Related APIs
    - Creating an Issuer
    - Viewing Issuers
    - Viewing Details of an Issuer
    - Deleting an Issuer
    - Creating KACLS Endpoints
    - Viewing KACLS Endpoints
    - Viewing Details of a KACLS Endpoint
    - Updating a KACLS Endpoint
    - Disabling a KACLS Endpoint
    - Enabling a KACLS Endpoint
    - Archiving a KACLS Endpoint
    - Recovering a KACLS Endpoint
    - Deleting a KACLS Endpoint
    - Encrypting Data Encryption Keys (wrap)
    - Rotating Endpoint Keys (rotate-key)
    - Decrypting Data Encryption Keys (unwrap)
    - Decrypting and Downloading Document (takeout_unwrap)
    - Viewing KACLS Endpoint Perimeters
    - Updating a KACLS Endpoint Perimeter
    - Viewing the KACLS Endpoint Status
- Migrate from CCKM Appliance
CDP Administration
- Interfaces
- Concepts
- Configuring Oracle Databases
- Configuring DB2 Databases
- Configuring SQL Server Databases
- Configuring Teradata Databases
- Troubleshooting
CTE UserSpace Administration
- Interfaces
- Client Profiles
- Clients
- Access
- Keys
- Rules
- Client-Rule Associations
- Network Shares
- Making loginuid Immutable
- Operations
CTE Administration
- Overview
- Interfaces
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Enabling Live Data Transformation
  - Setting Client Locks
  - Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Kernel Compatibility Matrix
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
- Managing GuardPoints
  - Secure Start GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
    - Creating LDT GuardPoints
    - Creating Cloud Object Storage GuardPoints
    - Creating IDT GuardPoints
  - Enabling Secure Start for GuardPoints
  - Protecting Teradata Appliances
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Changing SMB Connection
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
- Operations
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- Integrating CTE Logging with Splunk
- Migrating CTE Configuration from Data Security Manager
- Migration Summary
- Communication with CipherTrust Manager
- API Response Codes
DDC Administration
- Solution Architecture
- Interfaces
- Concepts
- User Groups
- Managing Branch Locations
- Managing Information Types
- Managing Classification Profiles
- Managing Data Stores
- Managing Scans
- Managing Reports
- Logging
- Troubleshooting
- Appendix
ProtectFile Administration
- Interfaces
- Client Profiles
- Clients
- Access
- Keys
- Rules
- Client-Rule Associations
- Network Shares
- Clusters
- Operations
- Migration from KeySecure Classic to CipherTrust Manager
ProtectV Administration
- Interfaces
- Concepts
- Operations
- Managing Images
- Managing Instances
- Viewing Encryption Keys
- Configuring a Keystore
- Configuring Key Management Settings
- Configuring Global Autoscaling
- Using Proxy with ProtectV Clients

CipherTrust Manager
Administration
CCKM Administration
Google Cloud External Key Manager Resources
Managing Google EKM Endpoints

Managing Google EKM Endpoints

After meeting some prerequisites to allow Google Cloud External Key Manager (EKM) Service to access CipherTrust Manager, you can create and manage an endpoint in CipherTrust Manager for Google Cloud EKM service to access a Key Encryption Key (KEK) using CipherTrust Manager's GUI and REST API.

After you have created an endpoint, you can:

Edit the default policies
Change the base hostname
Enable or disable the wrapping and unwrapping operation. This allows you to avoid deleting the endpoint, and temporarily suspend Google Cloud EKM's ability to use the KEK.
Delete the endpoint
View activity for a wrap or unwrap endpoint. Google Cloud Key Management Service (KMS) consumes these endpoints.

Prerequisites

To allow a connection between CipherTrust Manager and Google Cloud External Key Manager Service, some network and security configuration must be in place in both entities.

CipherTrust Manager Prerequisites

The CipherTrust Manager must have a public IP address with the 443 HTTPS port open. See Network Interface Configuration for details.
The CipherTrust Manager must be reachable through a Fully Qualified Domain Name (FQDN). Use the format ciphertrust.<your_domain>.com, for example ciphertrust.mycompany.com. Google Cloud recognizes the ciphertrust prefix and allows traffic to that domain.
The web interface must have a TLS certificate signed by an external Certificate Authority (CA) trusted by Google Cloud Platform. Google Cloud trusts certificates issued by well-known public CAs such as Verisign. Alternatively, you can create a certificate chain with Google's Certificate Authority Service and upload the chain to CipherTrust Manager.

Google Cloud Platform Prerequisites

The default policy for endpoints requires Key Access Justifications. Key Access Justifications must be enabled in the Google Account before Google services can access the endpoint.

Create an endpoint

Below, we provide steps to create a Google endpoint in the CipherTrust Manager GUI and to make the endpoint available to Google Cloud EKM. You can also use the /v1/cckm/ekm/endpoints endpoint in the REST API to associate meta information with the endpoint.

Login to the CipherTrust Manager products page.
Navigate to Cloud Key Manager>Services>Google Cloud EKM
Click Create Endpoint
Provide a Name and a Key URI Hostname for your endpoint. The Key URI Hostname should be the FQDN of the CipherTrust Manager instance.
An AES-256 Key Encryption Key (KEK) is created, with a unique URI, that acts as the Google EKM endpoint key. The hostname is applied to the URI, to create a path that Google Cloud can access.
Caution
Do not edit this KEK through the general CipherTrust Manager key management functions. Do not modify the KEK through the Keys menu in the GUI, ksctl keys commands in the CLI, or the /v1/vault/keys2 endpoint in the REST API. This can result in the KEK becoming unavailable to the Google Cloud EKM service unexpectedly.
Edit the endpoint policies, if desired. By default, the endpoint allows all clients and all supported justification reasons.
Enable Key Access Justifications in your Google Account, if you have not already.
On Google Cloud, create a Cloud EKM key, matching the URI for the KEK. Provide the full URI, including hostname. For the location, choose the region geographically closest to where the CipherTrust Manager instance is deployed.
Consult documentation for your desired Google CMEK service integrated with Cloud EKM to grant permissions for the CMEK service to use the KEK in Cloud KMS. Consult this documentation as well for particular encryption and decryption usecases for the CMEK service.
For example:
- Protecting BigQuery data with Cloud KMS keys
- Protecting Compute Engine resources with Cloud KMS keys

Change the base hostname

You can patch the /v1/cckm/ekm/endpoints/{id} REST API endpoint, as described in the API Guide.

In the GUI:

Login to the CipherTrust Manager products page.
Navigate to Cloud Key Manager>Services>Google Cloud EKM
Find the endpoint in the list, and click the ellipsis icon (...) at the far right for options.
Click View/Edit
In the Edit Endpoint window, enter a new Key URI hostname and click Save.

Enable or Disable Key Wrapping

You can post to the /v1/cckm/ekm/endpoints/{id}/enable and /v1/cckm/ekm/endpoints/{id}/disable REST API endpoints, as described in the API Guide.

In the GUI:

Login to the CipherTrust Manager products page.
Navigate to Cloud Key Manager>Services>Google Cloud EKM
Find the endpoint in the list, and click the ellipsis icon(...) at the far right for options.
Click Enable or Disable.

Delete the Endpoint

You can delete the /v1/cckm/ekm/endpoints/{id}/ REST API endpoint, as described in the API Guide.

In the GUI:

Login to the CipherTrust Manager products page.
Navigate to Cloud Key Manager>Services>Google Cloud EKM
Find the endpoint in the list, and click the ellipsis icon(...) at the far right for options.
Click Delete.

View Activity for a Wrap or Unwrap Endpoint

Google Cloud KMS calls these endpoints to perform a wrap or unwrap operation on a base64 blob, and therefore protect some data on behalf of a CMEK service integrated with Cloud EKM such as BigQuery or Compute Engine.

This functionality is available with the /v1/cckm/ekm/endpoints/{id}:wrap and /v1/cckm/ekm/endpoints/{id}:unwrap REST API endpoints, as described in the API Guide.

Google Cloud KMS can find and make calls to these endpoints without user intervention, if Google Cloud KMS has correctly configured the Cloud EKM key, and the CMEK service is correctly configured to access the key on Google Cloud KMS. This configuration happens as part of creating a new endpoint.

Requests to these endpoints generate a record under Records> Server Records in the GUI, and the /v1/audit/records endpoint in the API. These records can be helpful to monitor CMEK activity or troubleshoot CMEK problems.

Suggest A Change

Managing Google EKM Endpoints

Prerequisites

CipherTrust Manager Prerequisites

Google Cloud Platform Prerequisites

Create an endpoint

Change the base hostname

Enable or Disable Key Wrapping

Delete the Endpoint

View Activity for a Wrap or Unwrap Endpoint

On this page