Managing AWS Keys

This section describes how to manage AWS keys on CCKM. Before proceeding, you must have an AWS account added to the CCKM. Refer to Managing AWS Accounts for details.

Adding AWS Keys

CCKM provides three methods to add AWS keys:

• Creating/Uploading New Key Material: Add the key material by creating and uploading new source key or creating new native key.

• Cloning Existing Key Material: Clone the key material from an existing key to create a new key.

• Deciding Key Material Later: Leave the key material empty for now, and choose between creating or cloning a CipherTrust (local) key later.

Creating/Uploading New Key Material

To add an AWS key by creating/uploading new key material:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS.

3. Click Add Key. The Select Material Origin screen of the Add AWS Key wizard is displayed.

4. Under Select Method, select Create/Upload New Key Material. The Select Source section appears. Depending on your requirements, select from the following sources:

   • CipherTrust (Local)

   • AWS (Native)

   • Vormetric DSM

Uploading CipherTrust (Local) Key Material

Upload local key material using CipherTrust to configure source key.

Select Material Origin

1. Select CipherTrust (Local).

2. Click Next. The Create CipherTrust Key screen is displayed.

Create CipherTrust Key

1. Enter a Key Name.

2. Click Next. The Add Labels screen is displayed.

Add Labels

1. Enter a user-friendly Alias for the key. This helps uniquely identify a key.

2. (Optional) Provide a brief Description of the key.

3. (Optional) Set the key expiration date.

   1. Select the Set Expiration Date check box.

   2. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 16, 2020 1:50 PM.

      To select a specific time, click Time, and select hours and minutes, from the GUI.

4. Select the desired AWS Account from the drop-down list.

5. Select the desired Region from the drop-down list. The list shows the regions in which the selected AWS account is available.

6. (Optional) Enter Tags. A tag is a label assigned to the key, which consists of a user-defined key and a value.

   To add a tag:

   1. Specify a tag name.

   2. Specify the tag value.

   3. Click the + button.

   Similarly, you can add more tags.

7. Click Next. The Review And Add Key screen is displayed.

Review And Add Key

This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

1. Review the key details displayed on the screen.

   If details are incorrect or you want to make any changes, click Edit next to the MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.

2. Click Add Key.

   The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.

   When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.

3. Click OK. The Add AWS Key wizard is closed.

The newly created key is displayed in the list of AWS keys.

Creating AWS Native Key Material

Create AWS key material directly with native AWS application.

Select Material Origin

1. Select AWS (Native).

2. Click Next. The Add Labels screen is displayed.

Add Labels

1. Under Select Key Type, select the desired key type. The options are:

   • Symmetric: One key does encryption and decryption.

   • Asymmetric: A key pair does encryption and decryption.

   Based on the selected key type, fields on the screen differ. For the Asymmetric key type, additional fields Select Key Usage and Key Algorithm are displayed.

2. (Asymmetric keys only) Under Select Key Usage, select the key usage:

   • Encrypt and Decrypt: In this key pair, the public key is used to encrypt while the private key is used to decrypt.

   • Sign and Verify: In this key pair, the public key is used to sign while the private key is used to verify.

3. Enter a user-friendly Alias for the key. This helps uniquely identify a key.

4. (Optional) Provide a brief Description of the key.

5. Select the desired AWS Account from the drop-down list.

6. Select the desired Region from the drop-down list. The list shows the regions in which the selected AWS account is available.

7. (Asymmetric keys only) Select the desired Key Algorithm from the drop-down list. The supported algorithms are RSA-2048, RSA-3072, and RSA-4096.

8. (Optional) Enter Tags. A tag is a label assigned to the key, which consists of a user-defined key and a value.

   To add a tag:

   1. Specify a tag name.

   2. Specify the tag value.

   3. Click the + button.

   Similarly, you can add more tags.

9. Click Next. The Review And Add Key screen is displayed.

Review And Add Key

This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN and DESTINATION KEY sections.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

1. Review the key details displayed on the screen.

   If details are incorrect or you want to make any changes, click Edit next to the MATERIAL ORIGIN and NATIVE KEY sections and update details. Alternatively, click Back and make changes, as appropriate.

2. Click Add Key.

   The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.

   When the status next to the NATIVE KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.

3. Click OK. The Add AWS Key wizard is closed.

The newly created key is displayed in the list of AWS keys.

Uploading Vormetric DSM Key Material

Upload key material using Vormetric DSM to configure source key.

Select Material Origin

1. Select Vormetric DSM.

2. Click Next. The Configure Source Key screen is displayed.

Configure Source Key

1. Enter a DSM Key Name.

2. Select the desired DSM Domain.

3. Click Next. The Configure Destination (AWS) Key screen is displayed.

Configure Destination (AWS) Key

1. Enter a user-friendly Alias for the key. This helps uniquely identify a key.

2. (Optional) Provide a brief Description of the key.

3. (Optional) Set the key expiration date.

   1. Select the Set Expiration Date check box.

   2. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 16, 2020 1:50 PM.

      To select a specific time, click Time, and select hours and minutes, from the GUI.

4. Select the desired AWS Account from the drop-down list.

5. Select the desired Region from the drop-down list. The list shows the regions in which the selected AWS account is available.

6. (Optional) Enter Tags. A tag is a label assigned to the key, which consists of a user-defined key and a value.

   To add a tag:

   1. Specify a tag name.

   2. Specify the tag value.

   3. Click the + button.

   Similarly, you can add more tags.

7. Click Next. The Review And Add Key screen is displayed.

Review And Add Key

This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

1. Review the key details displayed on the screen.

   If details are incorrect or you want to make any changes, click Edit next to the MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.

2. Click Add Key.

   The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.

   When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.

3. Click OK. The Add AWS Key wizard is closed.

The newly created key is displayed in the list of AWS keys.

Cloning Existing Key Material

To add a new AWS key by cloning existing key material:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS.

3. Click Add Key. The Select Material Origin screen of the Add Azure Key wizard is displayed.

4. Under Select Method, select Clone Existing Key Material. The Select Source section appears. Depending on your requirements, select from the following sources:

   • CipherTrust (Local)

   • Vormetric DSM

Cloning CipherTrust (Local) Key Material

Upload the local key material using CipherTrust to configure source key.

Select Material Origin

1. Under Select Source, select CipherTrust (Local).

2. Click Next. The Configure Source Key screen is displayed.

Configure Source Key

1. Select the desired Cloud. This options are AWS China and Other.

2. Select the desired key from the Key Name drop-down list. This field shows the local CipherTrust Manager keys available in the selected cloud.

3. Click Next. The Add Labels screen is displayed.

Add Labels

1. Enter a user-friendly Alias for the key. This helps uniquely identify a key.

2. (Optional) Provide a brief Description of the key.

3. (Optional) Set the key expiration date.

   1. Select the Set Expiration Date check box.

   2. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 16, 2020 1:50 PM.

      To select a specific time, click Time, and select hours and minutes, from the GUI.

4. Select the desired AWS Account from the drop-down list.

5. Select the desired Region from the drop-down list. The list shows the regions in which the selected AWS account is available.

6. (Optional) Enter Tags. A tag is a label assigned to the key, which consists of a user-defined key and a value.

   To add a tag:

   1. Specify a tag name.

   2. Specify the tag value.

   3. Click the + button.

   Similarly, you can add more tags.

7. Click Next. The Review And Add Key screen is displayed.

Review And Add Key

This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

1. Review the key details displayed on the screen.

   If details are incorrect or you want to make any changes, click Edit next to the MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.

2. Click Add Key.

   The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.

   When the status next to the DESTINATION KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.

3. Click OK. The Add AWS Key wizard is closed.

The newly created key is displayed in the list of AWS keys.

Cloning Vormetric DSM Key Material

Upload the key material using Vormetric DSM to configure source key.

Select Material Origin

1. Under Select Source, select Vormetric DSM.

2. Click Next. The Configure Source Key screen is displayed.

Configure Source Key

1. Select the desired Cloud. This options are AWS China and Other.

2. Select the desired key from the DSM Key Name drop-down list. This field shows the DSM keys available in the selected cloud.

3. Click Next. The Add Labels screen is displayed.

Add Labels

1. Enter a user-friendly Alias for the key. This helps uniquely identify a key.

2. (Optional) Provide a brief Description of the key.

3. (Optional) Set the key expiration date.

   1. Select the Set Expiration Date check box.

   2. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 16, 2020 1:50 PM.

      To select a specific time, click Time, and select hours and minutes, from the GUI.

4. Select the desired AWS Account from the drop-down list.

5. Select the desired Region from the drop-down list. The list shows the regions in which the selected AWS account is available.

6. (Optional) Enter Tags. A tag is a label assigned to the key, which consists of a user-defined key and a value.

   To add a tag:

   1. Specify a tag name.

   2. Specify the tag value.

   3. Click the + button.

   Similarly, you can add more tags.

7. Click Next. The Review And Add Key screen is displayed.

Review And Add Key

This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

1. Review the key details displayed on the screen.

   If details are incorrect or you want to make any changes, click Edit next to the MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.

2. Click Add Key.

   The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.

   When the status next to the DESTINATION KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.

3. Click OK. The Add AWS Key wizard is closed.

The newly created key is displayed in the list of AWS keys.

Deciding Key Material Later

Leave key material empty for now, and choose between creating or cloning a CipherTrust (local) key later.

To add a new key for deciding the key material source later:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS.

3. Click Add Key. The Select Material Origin screen of the Add AWS Key wizard is displayed.

Select Material Origin

1. Under Select Method, select Decide Later.

2. Click Next. The Add Labels screen is displayed.

Add Labels

1. Enter a user-friendly Alias for the key. This helps uniquely identify a key.

2. (Optional) Provide a brief Description of the key.

3. Select the desired AWS Account from the drop-down list.

4. Select the desired Region from the drop-down list. The list shows the regions in which the selected AWS account is available.

5. (Optional) Enter Tags. A tag is a label assigned to the key, which consists of a user-defined key and a value.

   To add a tag:

   1. Specify a tag name.

   2. Specify the tag value.

   3. Click the + button.

   Similarly, you can add more tags.

6. Click Next. The Review And Add Key screen is displayed.

Review And Add Key

This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN and DESTINATION KEY sections. The MATERIAL ORIGIN section shows the method as Decide Later.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

1. Review the key details displayed on the screen.

   If details are incorrect or you want to make any changes, click Edit next to the MATERIAL ORIGIN and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.

2. Click Add Key.

   The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.

   When the status next to the DESTINATION KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.

3. Click OK. The Add AWS Key wizard is closed.

The newly created key is displayed in the list of AWS keys. The origin of the key is External (Unknown) and the key state is PendingImport.

Viewing AWS Keys

To view an AWS key:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed. The AWS Keys page displays following details:

   Field	Description
   Alias	Unique, user-friendly alias of the key. This is useful in searching for specific keys.
   Key ID	Unique ID of the CipherTrust Manager key.
   Account	AWS account name.
   Cloud	Name of the cloud. Supported clouds are: • aws • aws-us-gov • aws-cn
   Region	AWS region.
   Algorithm	Name of the algorithm. Supported algorithms are: • SYMMETRIC_DEFAULT • RSA_2048 • RSA_3072 • RSA_4096 • ECC_NIST_P256 • ECC_NIST_P384 • ECC_NIST_P521 • ECC_SECG_P256K1
   Key State	State of the key. The state can be: • Enabled • Disabled • Deleted • PendingDeletion • PendingImport • Unavailable
   Creation Date	Time when the key is created.
   Origin	Source of the key material. The origin of the key can be: • CCKM: Key material is created on CCKM. • Native: Key material is created on the cloud. • External (Unknown): Source of the key material is unknown. It is different than CCKM and the native cloud. NOTE: When the CipherTrust Manager is upgraded from 2.0 to 2.1, the Origin column appears blank. The column will be populated on next scheduled key synchronization or on-demand synchronization by clicking the Sync All button.

Sometimes, you might notice certain keys are displayed as grayed out. This happens when the keys are no longer accessible. For example, when:

• Any cloud permissions on the keys are changed. The keys are no longer accessible from the AWS connection.

• Connection is changed in KMS. The new connection does not have permissions to access the keys.

• When AWS regions are changed or removed. The keys from the configured region are no longer accessible.

Editing AWS Keys

To view or edit an AWS key:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click View/Edit.

4. Edit or configure the following fields and click Update:

   • Description: Update description of the key.

   • Tags: Add tags to the key.

   • SCHEDULES: Applies rotation schedule to the key.

   • AWS AUTO-ROTATE: Automatically rotates AWS native key every year.

   • Policies: Grant access to external accounts, key administrators, and key users.

Adding/Editing Policies

To add or edit key policy:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click Add/Edit Policies. The Add/Edit Policies screen is displayed. It contains two options to edit policies:

   • Basic: Select this option and grant the desired permissions. The permission can be granted for the following roles:

     Role	Description
     External Accounts	AWS accounts that can use this key.
     Key Administrators	IAM users who can administer this key.
     Key Users	IAM users who can use this key in cryptographic operations.

   • Raw: Select this option to edit the AWS policy under Raw Policy. Refer to Using key policies in AWS KMS for details.

4. Click Save.

Refreshing AWS Keys

Refreshing is the process of downloading keys created on the AWS KMS to CCKM. You can refresh keys from all KMS accounts at once.

To refresh keys:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The AWS Keys page is displayed. This page displays the list of AWS keys.

3. Click Refresh All. The This may take a while... message is displayed.

   Note

   Refresh all keys is a time intensive operation that could take several hours or days to complete. It will continue running in the background. Do you want to continue?

4. Click Refresh All to continue.

A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.

The refreshed keys are listed on the Cloud Keys > AWS > AWS Keys page.

Disabling Keys

To disable a key:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click Disable. The Disable AWS key screen is displayed.

4. Click Disable Key.

A message Key <key_name> disabled is displayed on the screen.

Enabling Keys

To enable a key:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click Enable. The Enable AWS key screen is displayed.

4. Click Yes, Enable Key.

A message Key <key_name> enabled is displayed on the screen.

Importing Key Material

You can create a key without key material and can later import the CipherTrust key material to the AWS KMS. As the key material is not created on the AWS KMS, its origin is external.

To import key material:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click Import Material. The Import Key Material dialog box is displayed.

4. Select the desired key material source. The options are:

   • Import using CipherTrust

   • Import using Vormetric DSM

Import using CipherTrust

When importing the key material from CipherTrust, you can either Create New Local Key or Use Existing Local Key, as described below.

Create New Local Key

In this method, CipherTrust Manager creates the new key material locally.

1. Enter Key Name.

2. (Optional) Select the Key Material Expiration Date from the on-screen calendar.

3. Click Save.

In this scenario, the CipherTrust creates a new key material and the key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.

Use Existing Local Key

In this method, the key material of an existing CipherTrust Manager key is used.

1. Select an existing CipherTrust key from the Source Key drop-down list.

2. (Optional) Select the Key Material Expiration Date from the on-screen calendar.

3. Click Save.

In this scenario, the existing CipherTrust key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.

Import using Vormetric DSM

When importing the key material from Vormetric DSM, you can either Create New DSM Key or Use Existing DSM Key, as described below.

Create New DSM Key

In this method, DSM creates the new key material locally.

1. Enter a DSM Key Name.

2. Select the desired DSM Domain.

3. (Optional) Select the Key Material Expiration Date from the on-screen calendar.

4. Click Save.

In this scenario, the DSM creates a new key material and the key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.

Use Existing DSM Key

In this method, the key material of an existing DSM key is used.

1. Select an existing DSM key from the DSM Key Name drop-down list.

2. (Optional) Select the Key Material Expiration Date from the on-screen calendar.

3. Click Save.

In this scenario, the existing DSM key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.

Deleting Key Material

To delete key material:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click Delete Material. The Delete Key Material dialog box is displayed.

4. Select I wish to delete key material.

5. Click Delete Key Material.

A message AWS Key material deleted is displayed on the screen. The key state changes to PendingImport.

Scheduling Key Deletion

Schedule key deletion permanently removes the key from the AWS KMS at the specified time. The AWS KMS enforces a waiting period of 7 to 30 days. You can cancel schedule deletion before the waiting period ends.

To schedule key deletion:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click Schedule Key Deletion.

4. On the Schedule Key Deletion screen:

   1. Select I wish to delete this key.

   2. Specify the Waiting period (in Days) after which the key will be deleted. The default value is 30.

   3. Click Schedule Deletion.

   A message Key <key_name> scheduled for deletion is displayed on the screen. The key state changes to PendingDeletion.

Canceling Scheduled Deletion

To cancel scheduled deletion:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click Cancel Deletion.

A message Scheduled deletion cancelled is displayed on the screen. The key state changes to Disabled. You can enable the key if you want to use this key in the cryptographic operations.

Rotating Keys

Key rotation allows you to create a new cryptographic material for the keys.

To rotate a key:

1. Open the Cloud Key Manager application.

2. In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.

3. Click the overflow icon () corresponding to the desired alias and click Rotate Key.

4. On the Select Material Origin screen. The options are:

   • Upload New Local Key

   • Upload Existing Local Key

   • Upload New Vormetric DSM Key

   • Upload Existing Vormetric DSM Key

Upload New Local Key

In this method, the CipherTrust Manager first creates a key material and then uses this key material for key rotation.

1. On the Select Material Origin screen, select Upload New Local Key.

2. Click Next. The Create CipherTrust Key screen is displayed.

Create CipherTrust Key

1. Specify a unique Key Name.

2. Click Next. The Add Labels screen is displayed.

Add Labels

The Alias of the current key is populated automatically.

1. (Optional) Provide a Description of the key.

2. (Optional) Set a key expiration date.

   1. Select the Expiration Date check box.

   2. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 23, 2020 4:03 AM.

3. (Optional) Select the Disable Encrypt Permissions on Current Key check box.

4. (Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.

5. Click Save.

A message stating successful key creation and key rotation is displayed on the screen.

Upload Existing Local Key

In this method, use the key material of an existing CipherTrust Manager key for key rotation.

1. On the Select Material Origin screen, select Use Existing Local Key.

2. Click Next. The Configure Source Key screen is displayed.

Configure Source Key

1. Select the desired key from the Key Name from drop-down list.

2. Click Next. The Add Labels screen is displayed.

Add Labels

The Alias of the current key is populated automatically.

1. (Optional) Provide a Description of the key.

2. (Optional) Set a key expiration date.

   1. Select the Expiration Date check box.

   2. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 23, 2020 4:03 AM.

3. (Optional) Select the Disable Encrypt Permissions on Current Key check box.

4. (Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.

5. Click Save.

A message stating successful key rotation is displayed on the screen.

Upload New Vormetric DSM Key

In this method, upload the key material using Vormetric DSM to configure source key. In this scenario, the key material of a DSM key is uploaded and then used for key rotation.

1. On the Select Material Origin screen, select Upload New Vormetric DSM Key.

2. Click Next. The Configure Source Key screen is displayed.

Configure Source Key

1. Specify a unique DSM Key Name for the key.

2. Select the desired DSM Domain from the drop-down list.

3. Click Next. The Configure Destination (AWS) Key screen is displayed.

Configure Destination (AWS) Key

The Alias of the current key is populated automatically.

1. (Optional) Provide a Description of the key.

2. (Optional) Set a key expiration date.

   1. Select the Expiration Date check box.

   2. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 23, 2020 4:03 AM.

3. (Optional) Select the Disable Encrypt Permissions on Current Key check box.

4. (Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.

5. Click Save.

A message stating successful key creation and key rotation is displayed on the screen.

Upload Existing Vormetric DSM Key

In this method, use the key material of an existing Vormetric DSM key.

1. On the Select Material Origin screen, select Use Existing Vormetric DSM Key.

2. Click Next. The Configure Source Key screen is displayed.

Configure Source Key

1. Select the desired key from the DSM Key Name from drop-down list.

2. Click Next. The Add Labels screen is displayed.

Add Labels

The Alias of the current key is populated automatically.

1. (Optional) Provide a Description of the key.

2. (Optional) Set a key expiration date.

   1. Select the Expiration Date check box.

   2. Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 23, 2020 4:03 AM.

3. (Optional) Select the Disable Encrypt Permissions on Current Key check box.

4. (Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.

5. Click Save.

A message stating successful key rotation is displayed on the screen.