Please Note:

Administration
CipherTrust Manager Administration
- Password Policy
- Users
- Certificate Based Authentication
- Changing Passwords
- Domain Management
- Groups
- LDAP Group Mapping
- Services
- Root of Trust Hardware Security Module
- Clusters and Nodes
- CipherTrust Manager System Monitoring
  - Records
  - Alarms
  - Syslogs
  - System Logs
  - Log Forwarding
- Tokens
- Policies
- Banners
- Interfaces
- Proxy Configuration
- Quorums
- SNMP
- SMTP
- Backups
- Scheduling Backups
- Disk Encryption After Initial Launch
- Scheduler
- Connection Manager
  - Connections
  - Amazon Web Services (AWS)
  - Microsoft Azure
  - Salesforce
  - Google Cloud Platform (GCP)
  - Hadoop Knox
  - Luna Network HSM
  - Server Message Block (SMB)
  - DSM Connection
  - Secure Copy Protocol (SCP)
  - LDAP
- System Upgrade/Downgrade
- Client Management
- Configuring DNS Hosts
- CLI Toolkit
  - CLI Toolkit Installation
  - Batching Commands with Tokens
  - Example CLI User Set Up
  - Support CLI
- Keys
- Key Rotation
- Crypto Operations
- MKEK Rotation
- Certificate Authority
- Data Protection
  - Protection Profiles
  - BDT Policies
  - BDT Containers
- REST API
- Return Material Authorization (RMA) Guidance
CCKM Administration
- Overview
- Interfaces
- AWS Resources
  - Managing AWS Accounts
  - Managing AWS Keys
  - Scheduling Operations
  - Managing AWS Reports
- Azure Resources
  - Prerequisites
    - Prerequisites for Azure Cloud
    - Prerequisites for Azure Stack Cloud with Azure AD
    - Prerequisites for Azure Stack Cloud with Azure ADFS
  - Managing Azure Vaults
  - Managing Azure Keys
  - Scheduling Operations
  - Managing Azure Reports
- Luna HSM Resources
  - Managing Luna HSM Partitions
  - Managing Luna HSM Keys
  - Scheduling Operations
- DSM Resources
  - Managing DSM Domains
  - Managing DSM Keys
  - Scheduling Operations
- Google Cloud Resources
  - Google Cloud Projects
  - Google Cloud Key Rings
  - Google Cloud Keys
  - Google Cloud Reports
  - Scheduling Operations
- Google Cloud External Key Manager Resources
  - Managing Google EKM Endpoints
  - Managing Google EKM Endpoint Policies
- Google Workspace CSE Resources
  - Access Policies
  - High Level Architecture
  - Licensing
  - Prerequisites
  - Clustering for Google Workspace
  - Encrypting Data Encryption Keys
  - Decrypting Data Encryption Keys
  - Endpoints
  - Identity Providers
  - Records
  - Related APIs
    - Creating an Issuer
    - Viewing Issuers
    - Viewing Details of an Issuer
    - Deleting an Issuer
    - Creating KACLS Endpoints
    - Viewing KACLS Endpoints
    - Viewing Details of a KACLS Endpoint
    - Updating a KACLS Endpoint
    - Disabling a KACLS Endpoint
    - Enabling a KACLS Endpoint
    - Archiving a KACLS Endpoint
    - Recovering a KACLS Endpoint
    - Deleting a KACLS Endpoint
    - Encrypting Data Encryption Keys (wrap)
    - Rotating Endpoint Keys (rotate-key)
    - Decrypting Data Encryption Keys (unwrap)
    - Decrypting and Downloading Document (takeout_unwrap)
    - Viewing KACLS Endpoint Perimeters
    - Updating a KACLS Endpoint Perimeter
    - Viewing the KACLS Endpoint Status
  - Performance Summary
- Salesforce Resources
  - Managing Salesforce Organizations
  - Managing Salesforce Tenant Secrets
  - Scheduling Operations
  - Managing Salesforce Reports
  - Managing Salesforce Cache-Only Key Endpoints
- Google External Key Manager Ubiquitous Data Encryption Resources
  - Managing Google EKM UDE endpoints
- Migrate from CCKM Appliance
CDP Administration
- Interfaces
- Concepts
- Configuring Oracle Databases
- Configuring DB2 Databases
- Configuring SQL Server Databases
- Configuring Teradata Databases
- Troubleshooting
CipherTrust Intelligent Protection
- Overview
- Configuration
- Scans
- Reports
- CTE Policies
- File Operations with CIP
- Backup and Restore
- Troubleshooting
CTE UserSpace Administration
- Interfaces
- Client Profiles
- Clients
- Access
- Keys
- Rules
- Client-Rule Associations
- Network Shares
- Clusters
- Making loginuid Immutable
- Operations
CTE Administration
- Overview
- Interfaces
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Enabling Live Data Transformation
  - Setting Client Locks
  - Client Settings
  - CTE Linux Authentication and Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Kernel Compatibility Matrix
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
- Managing GuardPoints
  - Secure Start GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
    - Creating LDT GuardPoints
    - Creating Cloud Object Storage GuardPoints
    - Creating IDT GuardPoints
    - Creating GuardPoints for Efficient Storage Devices
  - Enabling Secure Start for GuardPoints
  - Protecting Teradata Appliances
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Changing SMB Connection
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
- Operations
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- Integrating CTE Logging with Splunk
- Migrating CTE Configuration from Data Security Manager
- Migration Summary
- Migrating ProtectFile to CTE Agent
  - Configuration Elements used by ProtectFile
- Communication with CipherTrust Manager
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - LDT Use Cases
  - Creating GuardPoints
- API Response Codes
DDC Administration
- Solution Architecture
- Interfaces
- Concepts
- User Groups
- Managing Branch Locations
- Managing Information Types
- Managing Classification Profiles
- Managing Data Stores
- Adding Data Stores
- Managing Scans
- Managing Reports
- Managing Agents
- Logging
- Operations
- Troubleshooting
- Appendix
ProtectFile Administration
- Interfaces
- Client Profiles
- Clients
- Access
- Keys
- Rules
- Client-Rule Associations
- Network Shares
- Clusters
- Operations
- Migration from KeySecure Classic to CipherTrust Manager
ProtectV Administration
- Interfaces
- Concepts
- Operations
- Managing Images
- Managing Instances
- Viewing Encryption Keys
- Configuring a Keystore
- Configuring Key Management Settings
- Configuring Global Autoscaling
- Using Proxy with ProtectV Clients

CipherTrust Manager
Administration
CCKM Administration
Google External Key Manager Ubiquitous Data Encryption Resources
Managing Google EKM UDE endpoints
- Version 2.6
  - Version 2.6

Managing Google EKM UDE endpoints

After meeting some prerequisites to allow Google Cloud External Key Manager Ubiquitous Data Encryption (EKM UDE) Service to access CipherTrust Manager, you can create and manage an endpoint in CipherTrust Cloud Key Manager(CCKM) for Google Cloud EKM UDE service to access a Key Encryption Key (KEK) using CCKM's GUI and REST API.

Caution

This feature is a technical preview for evaluation in non-production environments. A technical preview introduces new, incomplete functionality for customer feedback as we work on the feature. Details and functionality are subject to change. This includes API endpoints, UI elements, and CLI commands. We cannot guarantee that data created as part of a technical preview will be retained after the feature is finalized.

After you have created an endpoint, you can:

Edit the default policies
Change the base hostname
Enable or disable the wrapping and unwrapping operation. This allows you to avoid deleting the endpoint, and temporarily suspend Google Cloud EKM UDE's ability to use the KEK.
Configure the requirements for mandating confidential computing
Delete the endpoint
View activity for a wrap or unwrap endpoint. Google Cloud Key Management Service (KMS) consumes these endpoints.
View attestation activity.

Prerequisites

To allow a connection between CipherTrust Manager and Google Cloud External Key Manager Service, some network and security configuration must be in place in both entities.

CipherTrust Manager Prerequisites

The web interface must have a TLS certificate signed by an external Certificate Authority (CA) trusted by Google Cloud Platform. Google Cloud trusts certificates issued by well-known public CAs such as Verisign. Alternatively, you can create a certificate chain with Google's Certificate Authority Service and upload the chain to CipherTrust Manager.
The CipherTrust Manager must have a public IP address with the 443 HTTPS port open. See Network Interface Configuration for details.
The CipherTrust Manager must be reachable through a Fully Qualified Domain Name (FQDN). Use the format ciphertrust.<your_domain>.com, for example ciphertrust.mycompany.com. Google Cloud recognizes the ciphertrust prefix and allows traffic to that domain.
A Google project must be added to the CipherTrust Cloud Key Manager before creating an endpoint. The steps to add the project are in the subsequent paragraphs below.

Google Cloud Platform Prerequisites

The default policy for endpoints does not require Key Access Justifications. If Key Access Justifications are required, these must be enabled in the Google account before Google services will provide these. After enabling these in the Google account, the default policy can be modified to un-comment the input.justificationReason section to apply Key Access Justification restrictions.

Add Google Project to CipherTrust Cloud Key Manager

Before creating an endpoint, a Google project must be added to CCKM. Below, we provide the steps to add a Google project to CCKM.

Login to the CipherTrust Manager products page.
Navigate to Cloud Key Manager > Containers > Google.
Select Projects.
Select Add Existing Project.
Select Manually Enter Project ID.
Enter your GCP Project ID.

Create an EKM UDE Endpoint

You create a Google EKM UDE endpoint in the CipherTrust Manager GUI and to make the endpoint available to Google Cloud EKM. You can also use the /v1/cckm/ekm-e2e/endpoints endpoint in the REST API to associate metadata information with the endpoint.

Login to the CipherTrust Manager products page.
Navigate to Cloud Key Manager > Services > Google Cloud EKM UDE
Select Create Endpoint.
Provide a Name and a Key URI Hostname for your endpoint. For the purpose of this tech preview kindly input “ciphertrust.thalescpl.io” in the textbox of the Key URI Hostname.
Select which operations must enforce a requirement for confidential computing. The available operation enforcements are "Confidential computing required for encryption" and "Confidential computing required for decryption)". Consult the information box for further details on the implications of the selections.
An AES-256 Key Encryption Key (KEK) is created, with a unique URI that acts as the Google EKM endpoint key. The hostname is applied to the URI, to create a path that Google Cloud can access. The endpoint is displayed in the Google Cloud EKM UDE Endpoints table.
Caution
The KEK should only be managed by the CipherTrust Cloud Key Manager (CCKM). Managing the keys directly via CipherTrust Manager Key management functions can result in the KEK becoming unavailable to the Google Cloud EKM service unexpectedly.
Go to the Google Cloud Platform (GCP), copy the Service Account, and paste the service account details in the policies textbox. In CCKM, Cloud Key Manager>Services>Google Cloud EKM UDE, click the chevron icon to expand the details of the endpoint. Replace the text {"test1@fakeemail.com", "test2@fakeemail.com", "test3@fakeemail.com"} with your GCP service account.
Note
The service account is in the “Externally Managed Key” page of the Create Key flow in GCP. The Service Account is above the textbox where you will paste the external key URI in GCP.
Copy the key URI by clicking the copy icon next to the key URI,return to the GCP console, and paste the key URI to complete the create key flow.
Consult Google documentation on using the EKM UDE integration library and/or command-line utility for using the EKM UDE functionality either on premise or in a confidential VM.

Change the Base Hostname

You can patch the /v1/cckm/ekm-e2e/endpoints/{id} REST API endpoint, as described in the API Guide.

In the GUI:

Login to the CipherTrust Manager Products page.
Navigate to Cloud Key Manager > Services > Google Cloud EKM UDE.
Find the endpoint in the list, and click the ellipsis icon (...) at the far right for options.
Click View/Edit.
In the Edit Endpoint window, enter a new Key URI hostname and click Save.

Enable or Disable Key Wrapping

You can post to the /v1/cckm/ekm-e2e/endpoints/{id}/enable and /v1/cckm/ekm-e2e/endpoints/{id}/disable REST API endpoints, as described in the API Guide. Disabling key wrapping temporarily suspends Google Cloud EKM UDE's ability to use the KEK.

In the GUI:

Login to the CipherTrust Manager Products page.
Navigate to Cloud Key Manager>Services>Google Cloud EKM UDE.
Find the endpoint in the list, and click the ellipsis icon (...) at the far right for options.
Click Enable or Disable.

Delete the Endpoint

Caution

Once the endpoint has been deleted, the key cannot be restored.

You can delete the /v1/cckm/ekm-e2e/endpoints/{id}/ REST API endpoint, as described in the API Guide.

In the GUI:

Login to the CipherTrust Manager Products page.
Navigate to Cloud Key Manager>Services>Google Cloud EKM UDE.
Find the endpoint in the list, and click the ellipsis icon (...) at the far right for options.
Click Delete.

View Activity for a (Confidential) Wrap or Unwrap Endpoint

These endpoints are called from either workloads, via the Google-provided integration tools.

This functionality is available with the /v1/cckm/ekm-e2e/endpoints/{id}:confidentialwrap and /v1/cckm/ekm/endpoints/{id}:confidentialunwrap REST API endpoints, as described in the API Guide.

Requests to these endpoints generate a record under Records> Server Records in the GUI, and the /v1/audit/records endpoint in the API. These records can be helpful to monitor CMEK activity or troubleshoot CMEK problems.

View Attestation Activity

In EKMS, using an EKM UDE endpoint for wrap or unwrap operations requires a three-step process:

The establishment of a secure TLS 1.3 session between the Google-provided integration component and CipherTrust Manager.
The optional provision of attestation information/proofs over this secure session, allowing CipherTrust Manager to assess the data-in-use protection capabilities of the requester.
The submission and handling of (confidential) wrap and unwrap requests, over this secure session.

The TLS sessions which are established have a session lifetime of 600 seconds, allowing multiple confidential wrap/unwrap requests to be handled by any given session. Thus, any confidential wrap or unwrap request can be associated with a secure channel and any secure channel can be associated with a set of attestation proofs (or none in the case of an on premise, non-confidential environment).

All relevant details are captured in CipherTrust Manager's Server Records, allowing cross-referencing of confidential wrap/unwrap requests with sessions with attestations.

Note

The EKM UDE API contains a set of ‘Session’ endpoints, namely: session/begin session; session/handshake; session/negotiate attestation; session/finalize and session/end session.
These endpoints allow the establishment of a secure TLS 1.3 session between the Google-provided integration component and CipherTrust Manager. Further details on these endpoints is beyond the scope of this document.

Managing Google EKM UDE endpoints

Prerequisites

CipherTrust Manager Prerequisites

Google Cloud Platform Prerequisites

Add Google Project to CipherTrust Cloud Key Manager

Create an EKM UDE Endpoint

Change the Base Hostname

Enable or Disable Key Wrapping

Delete the Endpoint

View Activity for a (Confidential) Wrap or Unwrap Endpoint

View Attestation Activity

On this page

Suggest A Change