Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

Getting Started
Administration
Reference
Release Notes

All

All

CCKM Administration

Google External Key Manager Ubiquitous Data Encryption Resources

Please Note:

Administration
CipherTrust Manager Administration
- Password Policy
- Users
- Certificate Based Authentication
- Changing Passwords
- Domain Management
- Groups
- LDAP Group Mapping
- Services
- Root of Trust Hardware Security Module
- Clusters and Nodes
- CipherTrust Manager System Monitoring
  - Records
  - Alarms
  - Syslogs
  - System Logs
  - Log Forwarding
- Tokens
- Policies
- Banners
- Interfaces
- Proxy Configuration
- Quorums
- SNMP
- SMTP
- Backups
- Scheduling Backups
- Disk Encryption After Initial Launch
- Scheduler
- Connection Manager
  - Connections
  - Amazon Web Services (AWS)
  - Microsoft Azure
  - Salesforce
  - Google Cloud Platform (GCP)
  - Hadoop Knox
  - Luna Network HSM
  - Server Message Block (SMB)
  - DSM Connection
  - Secure Copy Protocol (SCP)
  - LDAP
- System Upgrade/Downgrade
- Client Management
- Configuring DNS Hosts
- CLI Toolkit
  - CLI Toolkit Installation
  - Batching Commands with Tokens
  - Example CLI User Set Up
  - Support CLI
- Keys
- Key Rotation
- Crypto Operations
- MKEK Rotation
- Certificate Authority
- Data Protection
  - Protection Profiles
  - BDT Policies
  - BDT Containers
- REST API
- Return Material Authorization (RMA) Guidance
CCKM Administration
- Overview
- Interfaces
- AWS Resources
  - Managing AWS Accounts
  - Managing AWS Keys
  - Scheduling Operations
  - Managing AWS Reports
- Azure Resources
  - Prerequisites
    - Prerequisites for Azure Cloud
    - Prerequisites for Azure Stack Cloud with Azure AD
    - Prerequisites for Azure Stack Cloud with Azure ADFS
  - Managing Azure Vaults
  - Managing Azure Keys
  - Scheduling Operations
  - Managing Azure Reports
- Luna HSM Resources
  - Managing Luna HSM Partitions
  - Managing Luna HSM Keys
  - Scheduling Operations
- DSM Resources
  - Managing DSM Domains
  - Managing DSM Keys
  - Scheduling Operations
- Google Cloud Resources
  - Google Cloud Projects
  - Google Cloud Key Rings
  - Google Cloud Keys
  - Google Cloud Reports
  - Scheduling Operations
- Google Cloud External Key Manager Resources
  - Managing Google EKM Endpoints
  - Managing Google EKM Endpoint Policies
- Google Workspace CSE Resources
  - Access Policies
  - High Level Architecture
  - Licensing
  - Prerequisites
  - Clustering for Google Workspace
  - Encrypting Data Encryption Keys
  - Decrypting Data Encryption Keys
  - Endpoints
  - Identity Providers
  - Records
  - Related APIs
    - Creating an Issuer
    - Viewing Issuers
    - Viewing Details of an Issuer
    - Deleting an Issuer
    - Creating KACLS Endpoints
    - Viewing KACLS Endpoints
    - Viewing Details of a KACLS Endpoint
    - Updating a KACLS Endpoint
    - Disabling a KACLS Endpoint
    - Enabling a KACLS Endpoint
    - Archiving a KACLS Endpoint
    - Recovering a KACLS Endpoint
    - Deleting a KACLS Endpoint
    - Encrypting Data Encryption Keys (wrap)
    - Rotating Endpoint Keys (rotate-key)
    - Decrypting Data Encryption Keys (unwrap)
    - Decrypting and Downloading Document (takeout_unwrap)
    - Viewing KACLS Endpoint Perimeters
    - Updating a KACLS Endpoint Perimeter
    - Viewing the KACLS Endpoint Status
  - Performance Summary
- Salesforce Resources
  - Managing Salesforce Organizations
  - Managing Salesforce Tenant Secrets
  - Scheduling Operations
  - Managing Salesforce Reports
  - Managing Salesforce Cache-Only Key Endpoints
- Google External Key Manager Ubiquitous Data Encryption Resources
  - Managing Google EKM UDE endpoints
- Migrate from CCKM Appliance
CDP Administration
- Interfaces
- Concepts
- Configuring Oracle Databases
- Configuring DB2 Databases
- Configuring SQL Server Databases
- Configuring Teradata Databases
- Troubleshooting
CipherTrust Intelligent Protection
- Overview
- Configuration
- Scans
- Reports
- CTE Policies
- File Operations with CIP
- Backup and Restore
- Troubleshooting
CTE UserSpace Administration
- Interfaces
- Client Profiles
- Clients
- Access
- Keys
- Rules
- Client-Rule Associations
- Network Shares
- Clusters
- Making loginuid Immutable
- Operations
CTE Administration
- Overview
- Interfaces
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Enabling Live Data Transformation
  - Setting Client Locks
  - Client Settings
  - CTE Linux Authentication and Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Kernel Compatibility Matrix
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
- Managing GuardPoints
  - Secure Start GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
    - Creating LDT GuardPoints
    - Creating Cloud Object Storage GuardPoints
    - Creating IDT GuardPoints
    - Creating GuardPoints for Efficient Storage Devices
  - Enabling Secure Start for GuardPoints
  - Protecting Teradata Appliances
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Changing SMB Connection
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
- Operations
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- Integrating CTE Logging with Splunk
- Migrating CTE Configuration from Data Security Manager
- Migration Summary
- Migrating ProtectFile to CTE Agent
  - Configuration Elements used by ProtectFile
- Communication with CipherTrust Manager
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - LDT Use Cases
  - Creating GuardPoints
- API Response Codes
DDC Administration
- Solution Architecture
- Interfaces
- Concepts
- User Groups
- Managing Branch Locations
- Managing Information Types
- Managing Classification Profiles
- Managing Data Stores
- Adding Data Stores
- Managing Scans
- Managing Reports
- Managing Agents
- Logging
- Operations
- Troubleshooting
- Appendix
ProtectFile Administration
- Interfaces
- Client Profiles
- Clients
- Access
- Keys
- Rules
- Client-Rule Associations
- Network Shares
- Clusters
- Operations
- Migration from KeySecure Classic to CipherTrust Manager
ProtectV Administration
- Interfaces
- Concepts
- Operations
- Managing Images
- Managing Instances
- Viewing Encryption Keys
- Configuring a Keystore
- Configuring Key Management Settings
- Configuring Global Autoscaling
- Using Proxy with ProtectV Clients

CipherTrust Manager
Administration
CCKM Administration
Google External Key Manager Ubiquitous Data Encryption Resources

Google External Key Manager Ubiquitous Data Encryption Resources

Caution

This feature is a technical preview for evaluation in non-production environments. A technical preview introduces new, incomplete functionality for customer feedback as we work on the feature. Details and functionality are subject to change. This includes API endpoints, UI elements, and CLI commands. We cannot guarantee that data created as part of a technical preview will be retained after the feature is finalized.

Google Cloud External Key Manager Ubiquitous data encryption (EKM UDE) is a cloud native service that provides access to an external key encryption key (KEK) for use as a wrapping key in Google Cloud Platform (GCP), for wrapping and unwrapping Data Encryption Keys (DEKs). The UDE version of EKM provides additional security, access control and auditability guarantees, namely:

the end-to-end encryption of DEKs between workloads and the external key manager
the leveraging of Confidential VMs to provide strong guarantees of the runtime privacy of customer data (data-in-use security)
the use of independently-verifiable attestations of the runtime environment, allowing the EKM to strongly differentiate between protected and unprotected environments

The CipherTrust Cloud Key Manager (CCKM) integration with Google Cloud EKM UDE provides access to a UI where you can:

Manage endpoints for KEKs for keys added to the key ring through GCP EKM UDE.
Configure and manage policy sets.
Configure confidential computing requirements for access to KEKs.

The AES256 wrap/unwrap KEK allows users, developers, and organizations to maintain separation between encrypted data at rest and encryption keys.

The benefits of using CipherTrust Cloud Key Manager Google Cloud Endpoints include:

Secure generation, storage and protection of your KEK(s).
Privately maintained key provenance, managed access control, and centralized key management.
Full life cycle management of your Key Encryption Key (KEK).
Visibility for compliance.

GCP allows users to use Cloud External Key Management (EKM) in the Google Cloud Key Management Service (KMS). CCKM protects your data in GCP while your encryption keys are stored in CipherTrust Manager outside of GCP. Users create a Key Encryption Key (KEK) in CCKM, create a Cloud EKM key in Google Cloud, using the KEK's URI to identify the externally-managed key in Google Cloud KMS, and use the keys to encrypt data using a symmetric key. Google Cloud KMS does not store the external key material. This EKM functionality can be divided into regular EKM and EKM UDE functionality.

Use Cases for Google Cloud EKM UDE Integration

These CipherTrust Cloud Key Manager keys can be used in four main use cases within GCP:

A DEK is generated within a GCP confidential VM, then is wrapped by the CCKM KEK. The KEK is configured such that unwrapping of the wrapped key is only possible by an attested, verified confidential VM.
A DEK is generated on-premise, in a regular (non-confidential computing) environment, then is wrapped by the CCKM KEK. The data is uploaded to Google Cloud Storage (GCS) and the KEK is configured such that unwrapping of the wrapped key (and hence the protected data) is only possible by an attested, verified confidential VM.
A DEK is generated within a GCP confidential VM, then is wrapped by the CCKM KEK. The KEK is configured such that wrapping of the wrapped key is only possible in an attested, verified confidential VM, but that unwrapping is possible in a regular (non-confidential computing) environment.
A DEK is generated on-premise in a regular environment, then is wrapped by CipherTrust-managed KEK. The data is moved to another regular environment (on cloud or on-premise). The KEK is configured such that unwrapping of the wrapped data is possible in a second regular environment.

These four cases, respectively, give the following guarantees:

In case 1, the guarantee that the protected DEK/data is only accessible by a confidential VM.
In case 2, the guarantee that data encrypted on-premise and migrated to the cloud will only be accessible by a confidential VM.
In case 3, the guarantee that data retrieved from the cloud and decrypted, was originated in a confidential VM.
In case 4, the guarantee is that the data is only decryptable when the KEK is accessible.

Note

If you are deploying a new CipherTrust Manager instance exclusively or primarily to use the Google Cloud EKM service, we recommend deploying the instance geographically close to one of the Google Cloud KMS regions where you intend to set up the Google Cloud KMS Key Ring.

Related Documents

The following documents contain related or additional information:

CCKM Overview
Google Cloud External Key Manager Guide

On this page

CipherTrust Manager

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
Legal

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com