Managing AWS Keys
This section describes how to manage AWS keys on CCKM. Before proceeding, you must have an AWS account added to the CCKM. Refer to Managing AWS Accounts for details.
When creating an AWS key, you can specify whether the key is a single-region key or a multi-region key.
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Adding AWS Keys
CCKM provides three methods to add AWS keys:
Creating/Uploading New Key Material: Add the key material by creating and uploading a new source key, or by creating a new native key.
Cloning Existing Key Material: Clone the key material from an existing key to create a new key.
Deciding Key Material Later: Leave the key material empty for now, and choose between creating or cloning a CipherTrust (local) key later.
Creating/Uploading New Key Material
To add an AWS key by creating/uploading new key material:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS.
Click Add Key. The Select Material Origin screen of the Add AWS Key wizard is displayed.
Under Select Method, select Create/Upload New Key Material. The Select Source section appears. Depending on your requirements, select from the following sources:
Uploading CipherTrust (Local) Key Material
Upload local key material from CipherTrust Manager to configure the source key.
Select Material Origin : Select Source
Select CipherTrust (Local).
Select Regionality. The options are:
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Click Next. The Create CipherTrust Key screen is displayed.
Create CipherTrust Key
Enter a Key Name.
Click Next. The Add Labels screen is displayed.
Enter a user-friendly Alias for the key. This helps uniquely identify a key.
(Optional) Provide a brief Description of the key.
(Optional) Set the key expiration date.
Select the Set Expiration Date check box.
Either enter the expiration time manually or select it using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 16, 2020 1:50 PM. To select a specific time, click Time, and select the hours and minutes in the GUI.
Select the desired AWS Account from the drop-down list.
Select the desired Region from the drop-down list. The list shows the regions in which the selected AWS account is available.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: _ . / = + - @
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Review And Add Key screen is displayed.
Review And Add Key
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click OK. The Add AWS Key wizard is closed.
The newly created key is displayed in the list of AWS keys.
Creating AWS Native Key Material
Create the key material directly in AWS (native key).
Select Material Origin : Select Source
Select AWS (Native).
Select Regionality. The options are:
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Click Next. The Add Labels screen is displayed.
Add Labels
Under Select Key Type, select the desired key type. The options are:
Symmetric: One key does encryption and decryption.
Asymmetric: A key pair does encryption and decryption.
Based on the selected key type, fields on the screen differ. For the Asymmetric key type, additional fields Select Key Usage and Key Algorithm are displayed.
(Asymmetric keys only) Under Select Key Usage, select the key usage:
Encrypt and Decrypt: In this key pair, the public key is used to encrypt while the private key is used to decrypt.
Sign and Verify: In this key pair, the private key is used to sign while the public key is used to verify.
Enter a user-friendly Alias for the key. This helps uniquely identify a key.
(Optional) Provide a brief Description of the key.
Select the desired AWS Account from the drop-down list.
Select the desired Region from the drop-down list. The list shows the regions in which the selected AWS account is available.
(Asymmetric keys only) Select the desired Key Algorithm from the drop-down list. The supported algorithms are RSA-2048, RSA-3072, and RSA-4096.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: _ . / = + - @
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Review And Add Key screen is displayed.
Review And Add Key
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN and DESTINATION KEY sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the MATERIAL ORIGIN and NATIVE KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the NATIVE KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.
Click OK. The Add AWS Key wizard is closed.
The newly created key is displayed in the list of AWS keys.
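The wizard steps above (the CipherTrust local and AWS native flows, including the Add Labels tag rules) all feed one AWS KMS CreateKey request. The following Python is an added example, not CCKM's code or a Thales API: it builds that request from the wizard's choices and enforces the constraints the page states (regionality fixed at creation time, Key Usage and Key Algorithm for asymmetric keys only, the tag character set). The KMS parameter names (KeySpec, KeyUsage, MultiRegion, Origin, Tags) are the public AWS KMS API names; the function names, and the assumption that tag names follow the same character rule as tag values, are mine.

```python
import re

# Characters the CCKM Add Labels step accepts in tag values: alphanumerics plus
# the special characters _ . / = + - @ (applied to tag names too; an assumption).
TAG_TEXT_RE = re.compile(r"^[A-Za-z0-9_./=+\-@]*$")

# Wizard choice -> AWS KMS CreateKey parameter value. The left-hand labels are the
# wizard's; the right-hand values are the public AWS KMS API names.
KEY_USAGE = {
    "Encrypt and Decrypt": "ENCRYPT_DECRYPT",
    "Sign and Verify": "SIGN_VERIFY",
}
KEY_ALGORITHM = {"RSA-2048": "RSA_2048", "RSA-3072": "RSA_3072", "RSA-4096": "RSA_4096"}
REGIONALITY = {"Single-Region Key": False, "Multi-Region Key": True}


def validate_tags(tags):
    """Convert (name, value) pairs to KMS Tag entries, rejecting disallowed characters."""
    entries = []
    for name, value in tags:
        if not name or not TAG_TEXT_RE.match(name):
            raise ValueError(f"tag name {name!r} is empty or has disallowed characters")
        if not TAG_TEXT_RE.match(value):
            raise ValueError(f"tag value {value!r} has disallowed characters")
        entries.append({"TagKey": name, "TagValue": value})
    return entries


def build_create_key_request(alias, key_type, regionality, *, key_usage=None,
                             key_algorithm=None, description="", tags=(),
                             decide_later=False):
    """Assemble CreateKey parameters for the choices made in the Add AWS Key wizard.

    Returns (request, alias_name). KMS attaches an alias with a separate CreateAlias
    call, so the alias is returned beside the request rather than inside it.
    """
    if regionality not in REGIONALITY:
        raise ValueError(f"unknown regionality {regionality!r}")
    request = {
        # Regionality is fixed at creation time: MultiRegion cannot be changed later.
        "MultiRegion": REGIONALITY[regionality],
        # Decide Later creates the key without material; its origin is EXTERNAL.
        "Origin": "EXTERNAL" if decide_later else "AWS_KMS",
    }
    if description:
        request["Description"] = description
    if key_type == "Symmetric":
        if key_usage is not None or key_algorithm is not None:
            raise ValueError("Key Usage and Key Algorithm apply to asymmetric keys only")
        request["KeySpec"] = "SYMMETRIC_DEFAULT"
        request["KeyUsage"] = "ENCRYPT_DECRYPT"
    elif key_type == "Asymmetric":
        if decide_later:
            raise ValueError("only symmetric (AES) key material can be imported later")
        if key_usage not in KEY_USAGE:
            raise ValueError(f"asymmetric keys need a Key Usage from {sorted(KEY_USAGE)}")
        if key_algorithm not in KEY_ALGORITHM:
            raise ValueError(f"asymmetric keys need a Key Algorithm from {sorted(KEY_ALGORITHM)}")
        request["KeySpec"] = KEY_ALGORITHM[key_algorithm]
        request["KeyUsage"] = KEY_USAGE[key_usage]
    else:
        raise ValueError("key_type must be 'Symmetric' or 'Asymmetric'")
    tag_entries = validate_tags(tags)
    if tag_entries:
        request["Tags"] = tag_entries
    alias_name = alias if alias.startswith("alias/") else f"alias/{alias}"
    return request, alias_name


if __name__ == "__main__":
    # Constructed sample input: a multi-region RSA signing key with two tags.
    req, alias_name = build_create_key_request(
        "payments-signing", "Asymmetric", "Multi-Region Key",
        key_usage="Sign and Verify", key_algorithm="RSA-3072",
        tags=[("env", "prod"), ("owner", "sec-team@example.com")])
    print(alias_name, req)
```

The request is validated before anything is sent, so a tag value with a space or a semicolon, or a symmetric key that was given an RSA algorithm, is rejected client-side rather than surfacing as a KMS error after the wizard has already started creating the source key.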
Uploading Vormetric DSM Key Material
Upload key material from a Vormetric DSM to configure the source key.
Select Material Origin : Select Source
Select Vormetric DSM.
Select Regionality. The options are:
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Click Next. The Configure Source Key screen is displayed.
Configure Source Key
Enter a DSM Key Name.
Select the desired DSM Domain.
Click Next. The Configure Destination (AWS) Key screen is displayed.
Configure Destination (AWS) Key
Enter a user-friendly Alias for the key. This helps uniquely identify a key.
(Optional) Provide a brief Description of the key.
(Optional) Set the key expiration date.
Select the Set Expiration Date check box.
Either enter the expiration time manually or select it using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 16, 2020 1:50 PM. To select a specific time, click Time, and select the hours and minutes in the GUI.
Select the desired AWS Account from the drop-down list.
Select the desired Region from the drop-down list. The list shows the regions in which the selected AWS account is available.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: _ . / = + - @
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Review And Add Key screen is displayed.
Review And Add Key
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click OK. The Add AWS Key wizard is closed.
The newly created key is displayed in the list of AWS keys.
Cloning Existing Key Material
To add a new AWS key by cloning existing key material:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS.
Click Add Key. The Select Material Origin screen of the Add AWS Key wizard is displayed.
Under Select Method, select Clone Existing Key Material. The Select Source section appears. Depending on your requirements, select from the following sources:
Cloning CipherTrust (Local) Key Material
Upload the local key material using CipherTrust to configure the source key.
Select Material Origin : Select Source
Under Select Source, select CipherTrust (Local).
Select Regionality. The options are:
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Click Next. The Configure Source Key screen is displayed.
Configure Source Key
Select the desired Cloud. The options are AWS China and Other.
Select the desired key from the Key Name drop-down list. This field shows the local CipherTrust Manager keys available in the selected cloud.
Click Next. The Add Labels screen is displayed.
Add Labels
Enter a user-friendly Alias for the key. This helps uniquely identify a key.
(Optional) Provide a brief Description of the key.
(Optional) Set the key expiration date.
Select the Set Expiration Date check box.
Either enter the expiration time manually or select it using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 16, 2020 1:50 PM. To select a specific time, click Time, and select the hours and minutes in the GUI.
Select the desired AWS Account from the drop-down list.
Select the desired Region from the drop-down list. The list shows the regions in which the selected AWS account is available.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: _ . / = + - @
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Review And Add Key screen is displayed.
Review And Add Key
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the DESTINATION KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.
Click OK. The Add AWS Key wizard is closed.
The newly created key is displayed in the list of AWS keys.
Cloning Vormetric DSM Key Material
Upload the key material from a Vormetric DSM to configure the source key.
Select Material Origin : Select Source
Under Select Source, select Vormetric DSM.
Select Regionality. The options are:
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Click Next. The Configure Source Key screen is displayed.
Configure Source Key
Select the desired Cloud. The options are AWS China and Other.
Select the desired key from the DSM Key Name drop-down list. This field shows the DSM keys available in the selected cloud.
Click Next. The Add Labels screen is displayed.
Add Labels
Enter a user-friendly Alias for the key. This helps uniquely identify a key.
(Optional) Provide a brief Description of the key.
(Optional) Set the key expiration date.
Select the Set Expiration Date check box.
Either enter the expiration time manually or select it using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 16, 2020 1:50 PM. To select a specific time, click Time, and select the hours and minutes in the GUI.
Select the desired AWS Account from the drop-down list.
Select the desired Region from the drop-down list. The list shows the regions in which the selected AWS account is available.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: _ . / = + - @
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Review And Add Key screen is displayed.
Review And Add Key
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the DESTINATION KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.
Click OK. The Add AWS Key wizard is closed.
The newly created key is displayed in the list of AWS keys.
Deciding Key Material Later
Leave key material empty for now, and choose between creating or cloning a CipherTrust (local) key later.
To add a new key for deciding the key material source later:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS.
Click Add Key. The Select Material Origin screen of the Add AWS Key wizard is displayed.
Select Material Origin
Under Select Method, select Decide Later.
Select Regionality. The options are:
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Click Next. The Add Labels screen is displayed.
Add Labels
Enter a user-friendly Alias for the key. This helps uniquely identify a key.
(Optional) Provide a brief Description of the key.
Select the desired AWS Account from the drop-down list.
Select the desired Region from the drop-down list. The list shows the regions in which the selected AWS account is available.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: _ . / = + - @
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Review And Add Key screen is displayed.
Review And Add Key
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN and DESTINATION KEY sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality. The MATERIAL ORIGIN section shows the method as Decide Later.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the MATERIAL ORIGIN and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the DESTINATION KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.
Click OK. The Add AWS Key wizard is closed.
The newly created key is displayed in the list of AWS keys. The origin of the key is External (Unknown) and the key state is PendingImport.
Viewing AWS Keys
To view an AWS key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed. The AWS Keys page displays the following details:
Alias: Unique, user-friendly alias of the key. This is useful in searching for specific keys.
Key ID: Unique ID of the CipherTrust Manager key.
Account: AWS account name.
Region: AWS region.
Algorithm: Name of the algorithm. Supported algorithms are:
• SYMMETRIC_DEFAULT
• RSA_2048
• RSA_3072
• RSA_4096
• ECC_NIST_P256
• ECC_NIST_P384
• ECC_NIST_P521
• ECC_SECG_P256K1
Key State: State of the key. The state can be:
• Enabled
• Disabled
• Deleted
• PendingDeletion
• PendingImport
• Unavailable
Creation Date: Time when the key was created.
Expiration Date: Time when the key will expire.
Origin: Source of the key material. The origin of the key can be:
• CCKM: Key material is created on CCKM.
• Native: Key material is created on the cloud.
• External (Unknown): Source of the key material is unknown. It is different from CCKM and the native cloud.
NOTE: When the CipherTrust Manager is upgraded from 2.0 to 2.1, the Origin column appears blank. The column will be populated on the next scheduled key synchronization, or on on-demand synchronization by clicking the Sync All button.
The Regionality and Cloud columns are hidden by default. The regionality indicates whether the key is a single-region key, multi-region primary key, or multi-region replica key. To show/hide a column, click the custom view icon (), select/clear the desired column, and click OK.
Sometimes, you might notice certain keys are displayed as grayed out. This happens when the keys are no longer accessible. For example, when:
Any cloud permissions on the keys are changed. The keys are no longer accessible from the AWS connection.
Connection is changed in KMS. The new connection does not have permissions to access the keys.
AWS regions are changed or removed. The keys from the configured region are no longer accessible.
Creating Replica of Multi-Region Keys
A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
Only one replica of a primary key can be created in one AWS Region. Moreover, a replica of a replica key cannot be created.
To add a replica:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the alias of the desired multi-region primary key. The detail view of the key is displayed.
Scroll down to the REGIONALITY section.
Click Add Replicas. The Add Replica Region screen of the Add Replica Keys dialog box is displayed.
Add Replica Region
From the Select Replica Region drop-down list, select the AWS region where you want to create the replica key.
Click Next. The Add Labels screen is displayed.
Add Labels
Enter a user-friendly Alias for the replica key. This helps uniquely identify the replica key.
(Optional) Provide a brief Description of the key.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: _ . / = + - @
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Review screen is displayed.
Review
This screen shows the replica key details that you have provided. These details are divided into REPLICA REGION, LABELS, and CONFIRMATION sections.
Before adding the replica key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the REPLICA REGION and LABELS sections and update details. Alternatively, click Back and make changes, as appropriate.
Under CONFIRMATION, select I understand that the values I choose here are not synchronized with any other Multi-Region Key.
Click Add Replica Key. A message is displayed: Your key is successfully added. Close window to return to replica keys list.
Click Close. The Add Replica Keys wizard is closed.
The newly created replica key is displayed in the list of replica keys under the REGIONALITY section. The Regionality of a replica key is displayed as REPLICA and its Status moves from Starting to PendingImport.
Viewing Replicas of a Multi-Region Key
To view the replicas of a multi-region key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the alias of the desired multi-region primary key. The detail view of the key is displayed.
Scroll down to the REGIONALITY section. This section shows the replicas of the multi-region primary key. The section shows the following details:
Region: Region where the replica is created.
Key ARN: Amazon Resource Name (ARN) of the AWS replica.
Alias: Alias of the replica key.
State: State of the replica key.
Regionality: Regionality of the replica key is REPLICA.
Creation Date: Date and time when the replica is created.
Editing AWS Keys
To view or edit an AWS key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click View/Edit.
Edit or configure the following fields and click Update:
Description: Update description of the key.
Tags: Add tags to the key. Refer to Add Labels for characters allowed in AWS tag values.
SCHEDULES: Applies rotation schedule to the key.
AWS AUTO-ROTATE: Automatically rotates AWS native key every year.
Policies: Grant access to external accounts, key administrators, and key users.
Adding/Editing Policies
To add or edit key policy:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click Add/Edit Policies. The Add/Edit Policies screen is displayed. It contains two options to edit policies:
Basic: Select this option and grant the desired permissions. The permission can be granted for the following roles:
External Accounts: AWS accounts that can use this key.
Key Administrators: IAM users who can administer this key.
Key Users: IAM users who can use this key in cryptographic operations.
Raw: Select this option to edit the AWS policy under Raw Policy. Refer to Using key policies in AWS KMS for details.
Click Save.
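The Basic roles above correspond to statements in the KMS key policy that the Raw option exposes. The following Python is an added example, not the policy CCKM generates: it builds a policy from the three roles, modelled on the statements of the AWS console's default key policy, and reviews a Raw policy for mistakes a key administrator should catch before saving it (a wildcard principal, an external account granted administrative actions, or a dropped owner statement that leaves the key unmanageable). The statement layout and action lists are assumptions based on the console default; the account IDs and role names in the usage section are constructed.

```python
import json

# Action groups modelled on the AWS console's default key policy statements.
# Assumed to correspond to CCKM's Basic roles; the page does not show its policy.
ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource",
    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
]
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]


def root_arn(account_id):
    return f"arn:aws:iam::{account_id}:root"


def build_key_policy(owner_account, key_admins=(), key_users=(), external_accounts=()):
    """Build the Raw-policy equivalent of the Basic roles.

    key_admins / key_users: IAM principal ARNs; external_accounts: 12-digit account IDs
    that may use (but never administer) the key.
    """
    statements = [{
        # Keeps the owning account able to manage the key through IAM policies;
        # removing this statement is how keys become unmanageable.
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": root_arn(owner_account)},
        "Action": "kms:*",
        "Resource": "*",
    }]
    if key_admins:
        statements.append({
            "Sid": "Allow access for Key Administrators", "Effect": "Allow",
            "Principal": {"AWS": list(key_admins)}, "Action": ADMIN_ACTIONS, "Resource": "*",
        })
    users = list(key_users) + [root_arn(acct) for acct in external_accounts]
    if users:
        statements.append({
            "Sid": "Allow use of the key", "Effect": "Allow",
            "Principal": {"AWS": users}, "Action": USE_ACTIONS, "Resource": "*",
        })
        statements.append({
            "Sid": "Allow attachment of persistent resources", "Effect": "Allow",
            "Principal": {"AWS": users}, "Action": GRANT_ACTIONS, "Resource": "*",
            # Grants may only be created on behalf of AWS services, not handed out freely.
            "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
        })
    return {"Version": "2012-10-17", "Id": "key-policy", "Statement": statements}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def review_key_policy(policy, owner_account):
    """Return findings for a Raw policy before it is saved (empty list = clean).

    Administrative actions are matched literally against ADMIN_ACTIONS or kms:*;
    other wildcard spellings are not expanded.
    """
    findings = []
    owner_root = root_arn(owner_account)
    owner_keeps_control = False
    admin_set = set(ADMIN_ACTIONS)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        if principal == "*":
            aws = ["*"]
        elif isinstance(principal, dict):
            aws = _as_list(principal.get("AWS"))
        else:
            aws = []
        actions = _as_list(stmt.get("Action"))
        if "*" in aws:
            findings.append(f"{sid}: wildcard principal lets any AWS identity use the key")
        if owner_root in aws and "kms:*" in actions:
            owner_keeps_control = True
        for arn in aws:
            if arn.endswith(":root") and arn != owner_root and (
                    "kms:*" in actions or admin_set & set(actions)):
                findings.append(f"{sid}: external account {arn} is granted administrative actions")
    if not owner_keeps_control:
        findings.append("no statement grants the owning account root kms:*; the key may become unmanageable")
    return findings


if __name__ == "__main__":
    # Constructed account IDs and role names.
    policy = build_key_policy("111111111111",
                              key_admins=["arn:aws:iam::111111111111:role/KeyAdmins"],
                              key_users=["arn:aws:iam::111111111111:role/AppService"],
                              external_accounts=["222222222222"])
    print(json.dumps(policy, indent=2))
    print(review_key_policy(policy, "111111111111"))
```

External accounts only ever land in the usage statements; if a Raw edit moves one into the administrator statement, or replaces the principal with "*", the review reports it before the policy is saved. The external account still has to grant its own IAM principals permission on the key ARN, which is outside this policy.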
Refreshing AWS Keys
Refreshing is the process of downloading keys created on the AWS KMS to CCKM. You can refresh keys from all KMS accounts at once.
To refresh keys:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The AWS Keys page is displayed. This page displays the list of AWS keys.
Click Refresh All. The This may take a while... message is displayed.
Note
Refresh all keys is a time intensive operation that could take several hours or days to complete. It will continue running in the background. Do you want to continue?
Click Refresh All to continue.
A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.
The refreshed keys are listed on the Cloud Keys > AWS > AWS Keys page.
Disabling Keys
To disable a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click Disable. The Disable AWS key screen is displayed.
Click Disable Key.
A message Key <key_name> disabled is displayed on the screen.
Caution
Take care when disabling a key. You cannot use this key in cryptographic operations and it may limit your access to certain resources that use this key. To reverse this action in the future, you can always choose to enable the key again.
Enabling Keys
To enable a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click Enable. The Enable AWS key screen is displayed.
Click Yes, Enable Key.
A message Key <key_name> enabled is displayed on the screen.
Importing Key Material
You can create a key without key material and can later import the CipherTrust key material to the AWS KMS. As the key material is not created on the AWS KMS, its origin is external.
Note
You can only import AES keys with status PendingImport to the AWS KMS.
To import key material:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click Import Material. The Import Key Material dialog box is displayed.
Select the desired key material source. The options are:
Import using CipherTrust
When importing the key material from CipherTrust, you can either Create New Local Key or Use Existing Local Key, as described below.
Create New Local Key
In this method, CipherTrust Manager creates the new key material locally.
Enter Key Name.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Save.
In this scenario, CipherTrust Manager creates new key material and the key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.
Use Existing Local Key
In this method, the key material of an existing CipherTrust Manager key is used.
Select an existing CipherTrust key from the Source Key drop-down list.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Save.
In this scenario, the existing CipherTrust key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.
Import using Vormetric DSM
When importing the key material from Vormetric DSM, you can either Create New DSM Key or Use Existing DSM Key, as described below.
Create New DSM Key
In this method, DSM creates the new key material locally.
Enter a DSM Key Name.
Select the desired DSM Domain.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Save.
In this scenario, the DSM creates new key material and the key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.
Use Existing DSM Key
In this method, the key material of an existing DSM key is used.
Select an existing DSM key from the DSM Key Name drop-down list.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Save.
In this scenario, the existing DSM key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.
Deleting Key Material
To delete key material:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click Delete Material. The Delete Key Material dialog box is displayed.
Select I wish to delete key material.
Click Delete Key Material.
A message AWS Key material deleted is displayed on the screen. The key state changes to PendingImport.
Warning
Be extremely careful when deleting a key material from the AWS KMS. Once the key material is deleted, decryption of data cannot be performed using that key material. However, if needed, you can reimport the key material.
Scheduling Key Deletion
Scheduling key deletion permanently removes the key from the AWS KMS at the specified time. The AWS KMS enforces a waiting period of 7 to 30 days. You can cancel the scheduled deletion before the waiting period ends.
Note
Schedule key deletion is not allowed for multi-region primary keys that have replicas. To schedule deletion of such a key, delete its replica keys first.
To schedule key deletion:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon corresponding to the desired alias and click Schedule Key Deletion.
On the Schedule Key Deletion screen:
Select I wish to delete this key.
Specify the Waiting period (in Days) after which the key will be deleted. The default value is 30.
Click Schedule Deletion.
A message Key <key_name> scheduled for deletion is displayed on the screen. The key state changes to PendingDeletion.
Warning
Be extremely careful when scheduling key deletion. Once the key is deleted from the AWS KMS, it cannot be restored and the data encrypted with this key will be unrecoverable.
Canceling Scheduled Deletion
To cancel scheduled deletion:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon corresponding to the desired alias and click Cancel Deletion.
A message Scheduled deletion cancelled is displayed on the screen. The key state changes to Disabled. You must enable the key before it can be used in cryptographic operations again.
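The three procedures above (deleting key material, scheduling deletion, cancelling deletion) each move the key through the AWS KMS key states the text names. The following model is an added illustration, not CCKM or AWS code: it encodes the documented states and rules (PendingImport to Enabled on import, back to PendingImport when material is deleted, a 7 to 30 day waiting period with a default of 30, no scheduling for a multi-region primary that still has replicas, Disabled after a cancel) so that automation can validate a requested action before it calls the real KMS API. The alias, the replica list and the AwsKey dataclass fields are constructed for the example.

```python
"""
Model of the AWS KMS key-state transitions described in this section.
Added illustration only; not CCKM or AWS code.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class KeyState(Enum):
    PENDING_IMPORT = "PendingImport"
    ENABLED = "Enabled"
    DISABLED = "Disabled"
    PENDING_DELETION = "PendingDeletion"


# Waiting-period bounds enforced by AWS KMS (7..30 days, default 30).
MIN_WAITING_DAYS = 7
MAX_WAITING_DAYS = 30
DEFAULT_WAITING_DAYS = 30


@dataclass
class AwsKey:
    alias: str                                   # constructed sample field set
    state: KeyState = KeyState.PENDING_IMPORT
    origin: str = "EXTERNAL"                     # becomes "CCKM" once material is imported
    multi_region_primary: bool = False
    replica_regions: List[str] = field(default_factory=list)
    pending_window_days: Optional[int] = None


def import_material(key: AwsKey, origin: str = "CCKM") -> AwsKey:
    """Importing material moves PendingImport -> Enabled and records the Origin."""
    if key.state != KeyState.PENDING_IMPORT:
        raise ValueError(f"cannot import material while key is {key.state.value}")
    key.state = KeyState.ENABLED
    key.origin = origin
    return key


def delete_material(key: AwsKey) -> AwsKey:
    """Deleting material returns the key to PendingImport; data encrypted under it
    stays undecryptable until the same material is reimported."""
    if key.state not in (KeyState.ENABLED, KeyState.DISABLED):
        raise ValueError(f"cannot delete material while key is {key.state.value}")
    key.state = KeyState.PENDING_IMPORT
    return key


def schedule_deletion(key: AwsKey, waiting_days: int = DEFAULT_WAITING_DAYS) -> AwsKey:
    """Schedule permanent deletion after a 7..30 day waiting period."""
    if not MIN_WAITING_DAYS <= waiting_days <= MAX_WAITING_DAYS:
        raise ValueError(
            f"waiting period must be {MIN_WAITING_DAYS}..{MAX_WAITING_DAYS} days, got {waiting_days}")
    if key.multi_region_primary and key.replica_regions:
        raise ValueError("delete the replica keys before scheduling deletion of a multi-region primary key")
    if key.state == KeyState.PENDING_DELETION:
        raise ValueError("deletion is already scheduled for this key")
    key.state = KeyState.PENDING_DELETION
    key.pending_window_days = waiting_days
    return key


def cancel_deletion(key: AwsKey) -> AwsKey:
    """Cancelling leaves the key Disabled; it must be enabled explicitly before use."""
    if key.state != KeyState.PENDING_DELETION:
        raise ValueError("no deletion is scheduled for this key")
    key.state = KeyState.DISABLED
    key.pending_window_days = None
    return key


def enable(key: AwsKey) -> AwsKey:
    """Only a Disabled key can be enabled again."""
    if key.state != KeyState.DISABLED:
        raise ValueError(f"only Disabled keys can be enabled, key is {key.state.value}")
    key.state = KeyState.ENABLED
    return key


def lifecycle_demo() -> List[str]:
    """Walk one constructed key through the documented transitions and return
    the sequence of states observed."""
    key = AwsKey(alias="alias/payments-db")      # constructed sample alias
    trail = [key.state.value]
    for step in (import_material, delete_material, import_material,
                 lambda k: schedule_deletion(k, MIN_WAITING_DAYS),
                 cancel_deletion, enable):
        step(key)
        trail.append(key.state.value)
    return trail


if __name__ == "__main__":
    print(" -> ".join(lifecycle_demo()))
```

The model deliberately refuses a cancel on a key that is not PendingDeletion and an import on a key that already has material, which is the behaviour an operator's runbook should expect from the real service before it invokes the corresponding KMS operation.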
Rotating Keys
Key rotation allows you to create new cryptographic material for a key.
To rotate a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon corresponding to the desired alias and click Rotate Key.
On the Select Material Origin screen, select the source of the new key material. The options are:
Upload New Local Key
In this method, the CipherTrust Manager first creates a key material and then uses this key material for key rotation.
On the Select Material Origin screen, select Upload New Local Key.
Click Next. The Create CipherTrust Key screen is displayed.
Create CipherTrust Key
Specify a unique Key Name.
Click Next. The Add Labels screen is displayed.
Add Labels
The Alias of the current key is populated automatically.
(Optional) Provide a Description of the key.
(Optional) Set a key expiration date.
Select the Expiration Date check box.
Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 23, 2020 4:03 AM.
(Optional) Select the Disable Encrypt Permissions on Current Key check box.
(Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.
Click Save.
A message stating successful key creation and key rotation is displayed on the screen.
Upload Existing Local Key
In this method, use the key material of an existing CipherTrust Manager key for key rotation.
On the Select Material Origin screen, select Use Existing Local Key.
Click Next. The Configure Source Key screen is displayed.
Configure Source Key
Select the desired key from the Key Name drop-down list.
Click Next. The Add Labels screen is displayed.
Add Labels
The Alias of the current key is populated automatically.
(Optional) Provide a Description of the key.
(Optional) Set a key expiration date.
Select the Expiration Date check box.
Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 23, 2020 4:03 AM.
(Optional) Select the Disable Encrypt Permissions on Current Key check box.
(Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.
Click Save.
A message stating successful key rotation is displayed on the screen.
Upload New Vormetric DSM Key
In this method, upload the key material using Vormetric DSM to configure the source key. In this scenario, the key material of a DSM key is uploaded and then used for key rotation.
On the Select Material Origin screen, select Upload New Vormetric DSM Key.
Click Next. The Configure Source Key screen is displayed.
Configure Source Key
Specify a unique DSM Key Name for the key.
Select the desired DSM Domain from the drop-down list.
Click Next. The Configure Destination (AWS) Key screen is displayed.
Configure Destination (AWS) Key
The Alias of the current key is populated automatically.
(Optional) Provide a Description of the key.
(Optional) Set a key expiration date.
Select the Expiration Date check box.
Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 23, 2020 4:03 AM.
(Optional) Select the Disable Encrypt Permissions on Current Key check box.
(Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.
Click Save.
A message stating successful key creation and key rotation is displayed on the screen.
Upload Existing Vormetric DSM Key
In this method, use the key material of an existing Vormetric DSM key.
On the Select Material Origin screen, select Use Existing Vormetric DSM Key.
Click Next. The Configure Source Key screen is displayed.
Configure Source Key
Select the desired key from the DSM Key Name drop-down list.
Click Next. The Add Labels screen is displayed.
Add Labels
The Alias of the current key is populated automatically.
(Optional) Provide a Description of the key.
(Optional) Set a key expiration date.
Select the Expiration Date check box.
Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 23, 2020 4:03 AM.
(Optional) Select the Disable Encrypt Permissions on Current Key check box.
(Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.
Click Save.
A message stating successful key rotation is displayed on the screen.
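All four rotation methods share the same Add Labels / Configure Destination (AWS) Key step: the alias moves to the new key material, the Disable Encrypt Permissions on Current Key option stops new encryptions under the old material while leaving decryption possible, the Apply Gravestone Alias on Current Key option keeps the old alias with a timestamp on the archived key, and the expiration time must be entered as MM/DD/YYYY HH:MM. The following is an added illustration of those options, not CCKM code; the AliasTable and KeyVersion types, the key-id scheme and the gravestone alias format "<alias>-<YYYYMMDDHHMM>" are assumptions made for the example.

```python
"""
Model of the rotation options shared by the Add Labels screen.
Added illustration only; not CCKM code. Gravestone alias format is assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

EXPIRY_FORMAT = "%m/%d/%Y %H:%M"    # the MM/DD/YYYY HH:MM format the wizard expects


def parse_expiration(text: str) -> datetime:
    """Parse an expiration time entered as MM/DD/YYYY HH:MM; any other shape raises ValueError."""
    return datetime.strptime(text, EXPIRY_FORMAT)


@dataclass
class KeyVersion:
    key_id: str
    material_id: str
    aliases: List[str]
    can_encrypt: bool = True
    can_decrypt: bool = True          # never cleared by rotation: old data must stay readable
    expires: Optional[datetime] = None


@dataclass
class AliasTable:
    """Alias -> currently active key, plus every version ever created (assumed structure)."""
    active: Dict[str, KeyVersion] = field(default_factory=dict)
    versions: List[KeyVersion] = field(default_factory=list)
    _counter: int = 0

    def create(self, alias: str, material_id: str, expires: Optional[str] = None) -> KeyVersion:
        self._counter += 1
        kv = KeyVersion(key_id=f"key-{self._counter:04d}",   # assumed id scheme
                        material_id=material_id, aliases=[alias],
                        expires=parse_expiration(expires) if expires else None)
        self.active[alias] = kv
        self.versions.append(kv)
        return kv

    def rotate(self, alias: str, new_material_id: str, *, gravestone: bool = False,
               disable_encrypt: bool = False, now: Optional[datetime] = None,
               expires: Optional[str] = None) -> KeyVersion:
        """Hand the alias to new material; archive the current key per the two options."""
        old = self.active[alias]
        now = now or datetime.now()
        old.aliases.remove(alias)                        # alias always moves to the new key
        if gravestone:
            # Assumed format for the retained alias with timestamp.
            old.aliases.append(f"{alias}-{now.strftime('%Y%m%d%H%M')}")
        if disable_encrypt:
            old.can_encrypt = False                      # decrypt stays allowed
        return self.create(alias, new_material_id, expires)


def rotation_demo() -> AliasTable:
    """Create one constructed key and rotate it with both options selected."""
    table = AliasTable()
    table.create("alias/payments-db", "material-v1")     # constructed sample alias
    table.rotate("alias/payments-db", "material-v2",
                 gravestone=True, disable_encrypt=True,
                 now=datetime(2020, 9, 23, 4, 3),        # the page's example time
                 expires="12/31/2026 23:59")             # constructed expiration
    return table


if __name__ == "__main__":
    t = rotation_demo()
    for v in t.versions:
        print(v.key_id, v.aliases, "encrypt" if v.can_encrypt else "decrypt-only")
```

Without the gravestone option the archived key ends up with no alias at all, which is why the model keeps the full versions list: an auditor still needs to locate the old key by id to confirm that its decrypt permission, and nothing more, remains.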