Managing AWS Keys
This section describes how to manage AWS keys on CCKM. Before proceeding, you must have an AWS account added to the CCKM. Refer to Managing AWS Accounts for details.
When creating an AWS key, you can specify whether the key is a single-region key or a multi-region key.
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Source Types
For adding AWS keys, CCKM supports the following key material sources:
Native: Create AWS key material directly with the native AWS application. Refer to Creating Native Key Material for details.
External (BYOK): External (Bring Your Own Key). Add key material by creating or uploading a new source key from an external source. Refer to Adding Key Material Using External (BYOK) Source for details. You can select CipherTrust Manager or Vormetric Data Security Manager (DSM) as an external key source, or Decide Later.
Creating Native Key Material
To create AWS key material directly with the native AWS application:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS.
Click Add Key. The Key Material Origin screen of the Add AWS Key wizard is displayed.
Key Material Origin
Select the desired AWS Account from the drop-down list.
Select the desired Region from the drop-down list. The list shows the regions in which the selected AWS account is available.
Select Native as the Source Type.
Select Regionality. The options are:
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Click Next. The Destination (AWS) Key screen is displayed.
Destination (AWS) Key
Under Select Key Type, select the desired key type. The options are:
Symmetric: A single key performs both encryption and decryption.
Asymmetric: A key pair is used; one key of the pair encrypts (or signs) and the other decrypts (or verifies), depending on the selected key usage.
Based on the selected key type, fields on the screen differ. For the Asymmetric key type, additional fields Select Key Usage and Key Algorithm are displayed.
(Asymmetric keys only) Under Select Key Usage, select the key usage:
Encrypt and Decrypt: In this key pair, the public key is used to encrypt while the private key is used to decrypt.
Sign and Verify: In this key pair, the public key is used to sign while the private key is used to verify.
Enter a user-friendly Alias for the key. This helps uniquely identify a key.
(Optional) Provide a brief Description of the key.
(Asymmetric keys only) Select the desired Key Algorithm from the drop-down list.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: _ . / = + - @
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Review And Add Key screen is displayed.
Review And Add Key
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN and DESTINATION KEY sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the MATERIAL ORIGIN and NATIVE KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the NATIVE KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.
Click OK. The Add AWS Key wizard is closed.
The newly created key is displayed in the list of AWS keys.
Adding Key Material Using External (BYOK) Source
To add key material using external BYOK as a key source:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS.
Click Add Key. The Key Material Origin screen of the Add AWS Key wizard is displayed.
Key Material Origin
Select the desired AWS Account from the drop-down list.
Select the desired Region from the drop-down list. The list shows the regions in which the selected AWS account is available.
Select External (BYOK) as Source Type.
Select the Source. The options are:
CipherTrust: Add key by creating or uploading a CipherTrust key as the source key. Refer to Adding Key Using CipherTrust as External (BYOK) Source for details.
Vormetric DSM: Add key by creating or uploading a Vormetric DSM key as the source key. Refer to Adding Key Using Vormetric DSM as External (BYOK) Source for details.
Luna HSM: Add key by creating or uploading a Luna HSM key as the source key. Refer to Adding Key Using Luna HSM as External (BYOK) Source for details.
Decide Later: Add key now, but decide the key source later. Refer to Deciding Key Material Later for details.
Adding Key Using CipherTrust as External (BYOK) Source
To add a key by creating or uploading a CipherTrust key as the source key:
Key Material Origin
Select CipherTrust as the Source.
Select Regionality. The options are:
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Click Next. The Source Key screen is displayed.
Source Key
Select the Source Key Material. This specifies how to create the key. The options are:
Create New Key: Click to create a fresh key. Specify the Key Name for the new key.
Copy Existing Key: Click to create a new key by copying an existing key. Select the existing Key from the drop-down list.
Click Next. The Destination (AWS) Key screen is displayed.
Destination (AWS) Key
Enter a user-friendly Alias for the key. This helps uniquely identify a key.
(Optional) Provide a brief Description of the key.
(Optional) Set the key expiration date.
Select the Set Expiration Date check box.
Either enter the expiration time manually or select it using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 16, 2020 1:50 PM. To select a specific time, click Time, and select hours and minutes from the GUI.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: _ . / = + - @
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Review And Add Key screen is displayed.
Review And Add Key
This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the KEY MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click OK. The Add AWS Key wizard is closed.
The newly created key is displayed in the list of AWS keys.
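As an added example (not part of this documentation or of CCKM itself), the following Python checks the Destination (AWS) Key inputs before you start the wizard: the tag-value character set given in the tag steps of every Add AWS Key procedure above, and the MM/DD/YYYY HH:MM expiration format used by the BYOK procedures. The functions and their error strings are this example's own; the sample inputs are constructed.

```python
import re
from datetime import datetime

# Characters CCKM accepts in tag values (from the Add AWS Key wizard):
# alphanumerics plus _ . / = + - @
TAG_VALUE_RE = re.compile(r"^[A-Za-z0-9_./=+\-@]*$")

# Time format shown on the Destination (AWS) Key screen.
EXPIRATION_FMT = "%m/%d/%Y %H:%M"


def check_tag(name, value):
    """Return the problems found in one tag (an empty list means the tag is acceptable)."""
    problems = []
    if not name:
        problems.append("tag name must not be empty")
    if not TAG_VALUE_RE.fullmatch(value):
        # Report exactly which characters the wizard would reject.
        bad = sorted({c for c in value if not TAG_VALUE_RE.fullmatch(c)})
        problems.append(f"tag value {value!r} contains disallowed characters {bad}")
    return problems


def check_tags(tags):
    """Validate a list of (name, value) pairs, including duplicate tag names."""
    problems = []
    seen = set()
    for name, value in tags:
        if name in seen:
            problems.append(f"duplicate tag name {name!r}")
        seen.add(name)
        problems.extend(check_tag(name, value))
    return problems


def parse_expiration(text, now=None):
    """Parse MM/DD/YYYY HH:MM and require a future instant; raises ValueError otherwise."""
    when = datetime.strptime(text, EXPIRATION_FMT)  # ValueError on a malformed string
    now = now or datetime.now()
    if when <= now:
        raise ValueError(f"expiration {text} is not in the future")
    return when


def check_destination_key(alias, tags, expiration=None, now=None):
    """Collect every problem with the Destination (AWS) Key inputs at once."""
    problems = []
    if not alias.strip():
        problems.append("alias must not be empty")
    problems.extend(check_tags(tags))
    if expiration is not None:
        try:
            parse_expiration(expiration, now)
        except ValueError as exc:
            problems.append(str(exc))
    return problems


if __name__ == "__main__":
    # Constructed sample input: one bad tag value and an expiration in the past.
    sample_tags = [("env", "prod"), ("owner", "sec-team@example.com"), ("note", "has space")]
    for problem in check_destination_key("payments-key", sample_tags, "01/01/2020 00:00"):
        print("problem:", problem)
```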
Adding Key Using Vormetric DSM as External (BYOK) Source
To add a key by creating or uploading a Vormetric DSM key as the source key:
Key Material Origin
Select Vormetric DSM as the Source.
Select Regionality. The options are:
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Click Next. The Source Key screen is displayed.
Source Key
Select the Source Key Material. This specifies how to create the key. The options are:
Create New Key
Click to create a fresh key.
Specify the DSM Key Name for the new key.
Select the desired DSM Domain for the key. This drop-down list shows the DSM domains based on the DSM connection added to the CipherTrust Manager.
Copy Existing Key
Click to create a new key by copying an existing DSM key.
Select the existing DSM Key from the drop-down list. This field shows the available keys based on the DSM connection added to the CipherTrust Manager.
Click Next. The Destination (AWS) Key screen is displayed.
Destination (AWS) Key
Enter a user-friendly Alias for the key. This helps uniquely identify a key.
(Optional) Provide a brief Description of the key.
(Optional) Set the key expiration date.
Select the Set Expiration Date check box.
Either enter the expiration time manually or select it using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 16, 2020 1:50 PM. To select a specific time, click Time, and select hours and minutes from the GUI.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: _ . / = + - @
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Review And Add Key screen is displayed.
Review And Add Key
This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the KEY MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click OK. The Add AWS Key wizard is closed.
The newly created key is displayed in the list of AWS keys.
Adding Key Using Luna HSM as External (BYOK) Source
To add a key by creating or uploading a Luna HSM key as the source key:
Key Material Origin
Select Luna HSM as the Source.
Select Regionality. The options are:
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Click Next. The Source Key screen is displayed.
Source Key
Select the Source Key Material. This specifies how to create the key. The options are:
Create New Key
Click to create a fresh key.
Specify the Key Name for the new Luna HSM key.
Select the desired Partition ID for the key. This drop-down list shows the Luna HSM partitions based on the Luna HSM connection added to the CipherTrust Manager.
Select the desired Key Attributes.
Copy Existing Key
Click to create a new key by copying an existing Luna HSM key.
Select the existing Key from the drop-down list. This field shows the available keys based on the Luna HSM connection added to the CipherTrust Manager.
Click Next. The Destination (AWS) Key screen is displayed.
Destination (AWS) Key
Enter a user-friendly Alias for the key. This helps uniquely identify a key.
(Optional) Provide a brief Description of the key.
(Optional) Set the key expiration date.
Select the Set Expiration Date check box.
Either enter the expiration time manually or select it using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 16, 2020 1:50 PM. To select a specific time, click Time, and select hours and minutes from the GUI.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: _ . / = + - @
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Review And Add Key screen is displayed.
Review And Add Key
This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the KEY MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click OK. The Add AWS Key wizard is closed.
The newly created key is displayed in the list of AWS keys.
Deciding Key Material Later
Add key now, but decide the key source later.
To add a new key without deciding the key material source:
Key Material Origin
Select Decide Later as the Source.
Select Regionality. The options are:
Single-Region Key: A single-region key cannot be replicated in other AWS regions.
Multi-Region Key: A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
After a key is created, its regionality cannot be changed.
Click Next. The Destination (AWS) Key screen is displayed.
Destination (AWS) Key
Enter a user-friendly Alias for the key. This helps uniquely identify a key.
(Optional) Provide a brief Description of the key.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: _ . / = + - @
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Review And Add Key screen is displayed.
Review And Add Key
This screen shows the key details that you have provided. These details are divided into KEY MATERIAL ORIGIN and DESTINATION KEY sections. For a multi-region key, the DESTINATION KEY section shows Multi-Region Key as the Regionality. The KEY MATERIAL ORIGIN section shows the Source Type as External (BYOK) and Source as Decide Later.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the KEY MATERIAL ORIGIN and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the DESTINATION KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.
Click OK. The Add AWS Key wizard is closed.
The newly created key is displayed in the list of AWS keys. The origin of the key is External (Unknown) and the key state is PendingImport.
Viewing AWS Keys
To view an AWS key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed. The AWS Keys page displays following details:
Alias: Unique, user-friendly alias of the key. This is useful when searching for specific keys. The AWS Keys page shows the latest alias under the Alias field. Additional aliases for the key are displayed in braces. For example, if a key has three aliases and the latest alias is "latest-alias", the Alias field shows "latest-alias (+2 more)". Clicking the link takes you to the Aliases section of the key in edit mode.
Key ID: Unique ID of the CipherTrust Manager key.
Account: AWS account name.
Region: AWS region.
Algorithm: Name of the algorithm. Supported algorithms are:
• SYMMETRIC_DEFAULT
• RSA_2048
• RSA_3072
• RSA_4096
• ECC_NIST_P256
• ECC_NIST_P384
• ECC_NIST_P521
• ECC_SECG_P256K1
Source Key: Name of the source key.
Source Type: Source of the key.
• CM: CipherTrust Manager
• DSM: Vormetric Data Security Manager
• Luna: Luna HSM
Key State: State of the key. The state can be:
• Enabled
• Disabled
• Deleted
• PendingDeletion
• PendingImport
• Unavailable
Creation Date: Time when the key was created.
Expiration Date: Time when the key will expire.
Origin: Source of the key material. The origin of the key can be:
• CCKM: Key material was created on CCKM.
• Native: Key material was created on the cloud.
• External (Unknown): Source of the key material is unknown. It is neither CCKM nor the native cloud.
NOTE: When the CipherTrust Manager is upgraded from 2.0 to 2.1, the Origin column appears blank. The column is populated on the next scheduled key synchronization or on an on-demand synchronization started by clicking the Sync All button.
The Regionality, Cloud, and Key Usage columns are hidden by default. The Regionality column indicates whether the key is a single-region key, multi-region primary key, or multi-region replica key. The Cloud column shows the AWS cloud. The Key Usage column shows how the key is used, for example, to encrypt and decrypt or to sign and verify. To show or hide a column, click the custom view icon (), select or clear the desired column, and click OK.
Sometimes, you might notice that certain keys are displayed grayed out. This happens when the keys are no longer accessible, for example, when:
Cloud permissions on the keys are changed, so the keys are no longer accessible through the AWS connection.
The connection is changed in KMS, and the new connection does not have permissions to access the keys.
AWS regions are changed or removed, so the keys from the configured region are no longer accessible.
Creating Replica of Multi-Region Keys
A multi-region key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Note
Only one replica of a primary key can be created in one AWS Region. Moreover, a replica of a replica key cannot be created.
To add a replica:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the alias of the desired multi-region primary key. The detail view of the key is displayed.
Scroll down to the REGIONALITY section.
Click Add Replicas. The Add Replica Region screen of the Add Replica Keys dialog box is displayed.
Add Replica Region
From the Select Replica Region drop-down list, select the AWS region where you want to create the replica key.
Click Next. The Add Labels screen is displayed.
Enter a user-friendly Alias for the replica key. This helps uniquely identify the replica key.
(Optional) Provide a brief Description of the key.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: _ . / = + - @
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Review screen is displayed.
Review
This screen shows the replica key details that you have provided. These details are divided into REPLICA REGION, LABELS, and CONFIRMATION sections.
Before adding the replica key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the REPLICA REGION and LABELS sections and update details. Alternatively, click Back and make changes, as appropriate.
Under CONFIRMATION, select I understand that the values I choose here are not synchronized with any other Multi-Region Key.
Click Add Replica Key. The message "Your key is successfully added. Close window to return to replica keys list." is displayed.
Click Close. The Add Replica Keys wizard is closed.
The newly created replica key is displayed in the list of replica keys under the REGIONALITY section. The Regionality of a replica key is displayed as REPLICA and its Status moves from Starting to PendingImport.
Viewing Replicas of a Multi-Region Key
To view the replicas of a multi-region key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the alias of the desired multi-region primary key. The detail view of the key is displayed.
Scroll down to the REGIONALITY section. This section shows the replicas of the multi-region primary key. The section shows the following details:
Region: Region where the replica is created.
Key ARN: Amazon Resource Name (ARN) of the AWS replica.
Alias: Alias of the replica key.
State: State of the replica key.
Regionality: Regionality of the replica key, which is REPLICA.
Creation Date: Date and time when the replica was created.
Editing AWS Keys
To view or edit an AWS key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click View/Edit.
Edit or configure the following fields and click Update:
Aliases: Add or delete aliases of the key.
Description: Update description of the key.
Tags: Add tags to the key. Refer to Add Labels for characters allowed in AWS tag values.
SCHEDULES: Applies a rotation schedule to the key. Refer to Apply Key Rotation Schedule for details.
AWS AUTO-ROTATE: Automatically rotates the AWS native key every year.
Policies: Grant access to external accounts, key administrators, and key users.
Adding or Deleting Aliases
To add a new alias to the key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click View/Edit.
Under Aliases, click Add Alias.
Enter an Alias Name.
Click Save. The new alias is added to the key.
The AWS Keys page shows the latest alias under the Alias field. Additional aliases for the key are displayed in braces. For example, if a key has three aliases and the latest alias is "latest-alias", the Alias field shows "latest-alias (+2 more)". Clicking the link takes you to the Aliases section of the key in edit mode.
To delete an alias of the key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click View/Edit.
Under Aliases, click the overflow icon () corresponding to the desired alias.
Click Delete. The alias is deleted.
Apply Key Rotation Schedule
To apply a key rotation schedule to an AWS key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click View/Edit.
Under SCHEDULES, from the Rotation drop-down list, select a schedule to apply.
Grant or deny decrypt permissions to the current key. Select Disable Encrypt Permissions on Current Key to grant, clear to deny.
Select the Key Origin from the available options. The key origin can be:
CipherTrust: CipherTrust Manager.
Luna: Luna HSM. Also select a partition from the Select Partition drop-down list.
DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.
Click Update.
Adding/Editing Policies
To add or edit key policy:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click Add/Edit Policies. The POLICIES section contains two options to edit policies:
Basic (default view): Grant the desired permissions. Permissions can be granted to the following roles:
Key Administrators: IAM users who can administer this key. In the Add Key Admins field, enter the usernames of the desired users, and click the + button.
Key Users: IAM users who can use this key in cryptographic operations. In the Add Key Users field, enter the usernames of the desired users, and click the + button.
External Accounts: AWS accounts that can use this key. In the Add Accounts field, enter the usernames of the desired users, and click the + button.
To switch to the raw view, click Switch to policy (Raw) View.
Raw: Click Switch to policy (Raw) View and edit the AWS policy under Raw Policy. Refer to Using key policies in AWS KMS for details.
To switch to the basic view, click Switch to policy (Basic) View.
Click Update.
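As an added example (not CCKM's own code, and not the policy its Basic view actually generates), the following Python builds a raw AWS KMS key policy from the three Basic-view roles above and then checks the result for the one thing a reviewer of the Raw view should always look for: an Allow statement open to any principal without a Condition. The statement layout and action lists are modelled on the default key policy the AWS console generates; external accounts are granted through their account root ARN, which is an assumption of this example. Account IDs and user names are constructed placeholders.

```python
import json

# Actions the AWS console's default key policy grants to key administrators
# (they manage the key but cannot use it to encrypt or decrypt).
ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource",
    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
]

# Actions the default key policy grants to key users (cryptographic use only).
USER_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey",
]


def _user_arns(account_id, usernames):
    return [f"arn:aws:iam::{account_id}:user/{name}" for name in usernames]


def build_key_policy(account_id, key_admins=(), key_users=(), external_accounts=()):
    """Assemble a key policy document from the Basic view's three roles."""
    statements = [{
        # The key-owning account keeps full control, as in the AWS default policy.
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }]
    if key_admins:
        statements.append({
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {"AWS": _user_arns(account_id, key_admins)},
            "Action": ADMIN_ACTIONS,
            "Resource": "*",
        })
    # Key users in this account plus external accounts (by root ARN, an assumption here).
    user_principals = _user_arns(account_id, key_users) + [
        f"arn:aws:iam::{acct}:root" for acct in external_accounts
    ]
    if user_principals:
        statements.append({
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {"AWS": user_principals},
            "Action": USER_ACTIONS,
            "Resource": "*",
        })
    return {"Version": "2012-10-17", "Statement": statements}


def to_raw_policy(policy):
    """Render the document the way it would appear under Raw Policy."""
    return json.dumps(policy, indent=2)


def find_wildcard_principals(policy):
    """Return the Sids of Allow statements that any AWS principal could use.

    A Principal of "*" or {"AWS": "*"} without a Condition hands the key to
    every AWS account; such a statement should never survive a Raw-view edit.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if isinstance(aws, str):
            aws = [aws]
        if aws and "*" in aws and "Condition" not in stmt:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    # Constructed placeholder account IDs and user names.
    policy = build_key_policy("111122223333", key_admins=["alice"],
                              key_users=["bob"], external_accounts=["444455556666"])
    print(to_raw_policy(policy))
    print("open-to-anyone statements:", find_wildcard_principals(policy))
```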
Refreshing AWS Keys
Refreshing is the process of downloading keys created on the AWS KMS to CCKM. You can refresh keys from all KMS accounts at once.
To refresh keys:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The AWS Keys page is displayed. This page displays the list of AWS keys.
Click Refresh All. The This may take a while... message is displayed.
Note
Refresh all keys is a time intensive operation that could take several hours or days to complete. It will continue running in the background. Do you want to continue?
Click Refresh All to continue.
A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.
The refreshed keys are listed on the Cloud Keys > AWS > AWS Keys page.
Disabling Keys
To disable a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click Disable. The Disable AWS key screen is displayed.
Click Disable Key.
A message Key <key_name> disabled is displayed on the screen.
Caution
Take care when disabling a key. You cannot use this key in cryptographic operations and it may limit your access to certain resources that use this key. To reverse this action in the future, you can always choose to enable the key again.
Enabling Keys
To enable a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click Enable. The Enable AWS key screen is displayed.
Click Yes, Enable Key.
A message Key <key_name> enabled is displayed on the screen.
Downloading Keys
Asymmetric keys can be downloaded to your local machine. Symmetric keys cannot be downloaded.
To download an asymmetric key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click Download Key. The key is downloaded.
Importing Key Material
You can create a key without key material and can later import the CipherTrust key material to the AWS KMS. As the key material is not created on the AWS KMS, its origin is external.
Note
You can only import AES keys with status PendingImport to the AWS KMS.
To import key material:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon () corresponding to the desired alias and click Import Material. The Import Material dialog box is displayed.
Select Import Type (the desired key material source). The options are:
Import Using CipherTrust
When importing the key material from CipherTrust, Select Key Material Origin. The options are:
Create New Key
In this method, CipherTrust Manager creates the new key material locally.
Select Create New Key.
Click Next.
Enter Key Name.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Next. The Review Key Details screen is displayed.
Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.
Click Import.
The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed. When the status next to the SOURCE KEY section becomes Complete, the key material is imported successfully.
Click OK.
In this scenario, CipherTrust Manager creates new key material and the key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.
Use Existing Key
In this method, the key material of an existing CipherTrust Manager key is used.
Select Use Existing Key.
Click Next.
Select an existing CipherTrust key from the Source Key drop-down list.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Next. The Review Key Details screen is displayed.
Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.
Click Import.
The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed.
Click OK.
In this scenario, the existing CipherTrust key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.
Import Using Vormetric DSM
When importing the key material from Vormetric DSM, Select Key Material Origin. The options are:
Create New Key
In this method, DSM creates the new key material locally.
Select Create New Key.
Click Next.
Enter a DSM Key Name.
Select the desired DSM Domain.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Next. The Review Key Details screen is displayed.
Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.
Click Import.
The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed. When the status next to the SOURCE KEY section becomes Complete, the key material is imported successfully.
Click OK.
In this scenario, the DSM creates new key material and the key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.
Use Existing Key
In this method, the key material of an existing DSM key is used.
Select Use Existing Key.
Click Next.
Select an existing DSM key from the DSM Key Name drop-down list.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Next. The Review Key Details screen is displayed.
Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.
Click Import.
The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed.
Click OK.
In this scenario, the existing DSM key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.
Import Using Luna HSM
When importing the key material from Luna HSM, select Key Material Origin. The options are:
Create New Key
In this method, Luna HSM creates the new key material locally.
Select Create New Key.
Click Next. The Add Key Details page is displayed.
Enter a Key Name.
Select the desired Partition ID.
Select the desired Key Attributes.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Next. The Review Key Details screen is displayed.
Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.
Click Import.
The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed. When the status next to the SOURCE KEY section becomes Complete, the key material is imported successfully.
Click OK.
In this scenario, the Luna HSM creates new key material and the key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.
Use Existing Key
In this method, the key material of an existing Luna HSM key is used.
Select Use Existing Key.
Click Next. The Add Key Details page is displayed.
Select an existing Luna HSM key from the Key drop-down list.
(Optional) Select the Key Material Expiration Date from the on-screen calendar.
Click Next. The Review Key Details screen is displayed.
Review the key details. If the details are incorrect or you want to modify them, click Back and update the details.
Click Import.
The key import starts. An Import in Progress message is displayed on the screen. Leave the window open until the process is completed.
Click OK.
In this scenario, the existing Luna HSM key material is imported to the AWS KMS. The key state changes from PendingImport to Enabled. The Origin changes to CCKM.
Deleting Key Material
To delete key material:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon corresponding to the desired alias and click Delete Material. The Delete Key Material dialog box is displayed.
Select I wish to delete key material.
Click Delete Key Material.
A message AWS Key material deleted is displayed on the screen. The key state changes to PendingImport.
Warning
Be extremely careful when deleting key material from the AWS KMS. Once the key material is deleted, data cannot be decrypted with that key until the same key material is reimported. If needed, you can reimport the key material.
Scheduling Key Deletion
Scheduling key deletion permanently removes the key from the AWS KMS at the end of a waiting period. The AWS KMS enforces a waiting period of 7 to 30 days. You can cancel the scheduled deletion before the waiting period ends.
Note
Schedule key deletion is not allowed for multi-region primary keys that have replicas. To schedule deletion of such a key, delete its replica keys first.
To schedule key deletion:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon corresponding to the desired alias and click Schedule Key Deletion.
On the Schedule Key Deletion screen:
Select I wish to delete this key.
Specify the Waiting period (in Days) after which the key will be deleted. The default value is 30.
Click Schedule Deletion.
A message Key <key_name> scheduled for deletion is displayed on the screen. The key state changes to PendingDeletion.
Warning
Be extremely careful when scheduling key deletion. Once the key is deleted from the AWS KMS, it cannot be restored and the data encrypted with this key will be unrecoverable.
Canceling Scheduled Deletion
To cancel scheduled deletion:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon corresponding to the desired alias and click Cancel Deletion.
A message Scheduled deletion cancelled is displayed on the screen. The key state changes to Disabled. Enable the key if you want to use it in cryptographic operations again.
Rotating Keys
Key rotation creates new cryptographic material for a key.
To rotate a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > AWS. The list of available AWS keys is displayed.
Click the overflow icon corresponding to the desired alias and click Rotate Key.
On the Select Material Origin screen, select the source of the new key material. The options are:
Upload New Local Key
In this method, the CipherTrust Manager first creates a key material and then uses this key material for key rotation.
On the Select Material Origin screen, select Upload New Local Key.
Click Next. The Create CipherTrust Key screen is displayed.
Create CipherTrust Key
Specify a unique Key Name.
Click Next. The Add Labels screen is displayed.
Add Labels
The Alias of the current key is populated automatically.
(Optional) Provide a Description of the key.
(Optional) Set a key expiration date.
Select the Expiration Date check box.
Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 23, 2020 4:03 AM.
(Optional) Select the Disable Encrypt Permissions on Current Key check box.
(Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.
Click Save.
A message stating successful key creation and key rotation is displayed on the screen.
Upload Existing Local Key
In this method, use the key material of an existing CipherTrust Manager key for key rotation.
On the Select Material Origin screen, select Use Existing Local Key.
Click Next. The Configure Source Key screen is displayed.
Configure Source Key
Select the desired key from the Key Name drop-down list.
Click Next. The Add Labels screen is displayed.
Add Labels
The Alias of the current key is populated automatically.
(Optional) Provide a Description of the key.
(Optional) Set a key expiration date.
Select the Expiration Date check box.
Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 23, 2020 4:03 AM.
(Optional) Select the Disable Encrypt Permissions on Current Key check box.
(Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.
Click Save.
A message stating successful key rotation is displayed on the screen.
Upload New Vormetric DSM Key
In this method, Vormetric DSM creates the new key material; the key material of that DSM key is uploaded as the source key and then used for key rotation.
On the Select Material Origin screen, select Upload New Vormetric DSM Key.
Click Next. The Configure Source Key screen is displayed.
Configure Source Key
Specify a unique DSM Key Name for the key.
Select the desired DSM Domain from the drop-down list.
Click Next. The Configure Destination (AWS) Key screen is displayed.
Configure Destination (AWS) Key
The Alias of the current key is populated automatically.
(Optional) Provide a Description of the key.
(Optional) Set a key expiration date.
Select the Expiration Date check box.
Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 23, 2020 4:03 AM.
(Optional) Select the Disable Encrypt Permissions on Current Key check box.
(Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.
Click Save.
A message stating successful key creation and key rotation is displayed on the screen.
Upload Existing Vormetric DSM Key
In this method, use the key material of an existing Vormetric DSM key.
On the Select Material Origin screen, select Use Existing Vormetric DSM Key.
Click Next. The Configure Source Key screen is displayed.
Configure Source Key
Select the desired key from the DSM Key Name drop-down list.
Click Next. The Add Labels screen is displayed.
Add Labels
The Alias of the current key is populated automatically.
(Optional) Provide a Description of the key.
(Optional) Set a key expiration date.
Select the Expiration Date check box.
Either enter the expiration time manually or select using the on-screen calendar. The time format is MM/DD/YYYY HH:MM, for example, September 23, 2020 4:03 AM.
(Optional) Select the Disable Encrypt Permissions on Current Key check box.
(Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.
Click Save.
A message stating successful key rotation is displayed on the screen.
Upload New Luna HSM Key
In this method, Luna HSM creates the new key material; the key material of that Luna HSM key is uploaded as the source key and then used for key rotation.
On the Select Material Origin screen, select Upload New Luna HSM Key.
Click Next. The Configure Source Key screen is displayed.
Configure Source Key
Specify a unique Key Name for the key.
Select the desired Partition ID from the drop-down list.
Select the desired Key Attributes.
Click Next. The Configure Destination (AWS) Key screen is displayed.
Configure Destination (AWS) Key
The Alias of the current key is populated automatically.
(Optional) Provide a Description of the key.
(Optional) Select the Disable Encrypt Permissions on Current Key check box.
(Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.
Click Save.
A message stating successful key creation and key rotation is displayed on the screen.
Upload Existing Luna HSM Key
In this method, use the key material of an existing Luna HSM key.
On the Select Material Origin screen, select Use Existing Luna HSM Key.
Click Next. The Configure Source Key screen is displayed.
Configure Source Key
Select the desired key from the Key drop-down list.
Click Next. The Add Labels screen is displayed.
Add Labels
The Alias of the current key is populated automatically.
(Optional) Provide a Description of the key.
(Optional) Select the Disable Encrypt Permissions on Current Key check box.
(Optional) Select the Apply Gravestone Alias on Current Key check box to retain the key alias with timestamp on the archived key after rotation. If not selected, the alias is not retained after rotation.
Click Save.
A message stating successful key rotation is displayed on the screen.
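The procedures above (importing and deleting key material, scheduling and cancelling key deletion, and rotating a key) each move an AWS KMS key between the states this page names. The following Python model is an added example, not CCKM or AWS code: it encodes the lifecycle rules stated on this page (PendingImport to Enabled on import, back to PendingImport on material deletion, the 7 to 30 day waiting period with a default of 30, the restriction on multi-region primary keys with replicas, Disabled after a cancelled deletion, and the rotation options Disable Encrypt Permissions on Current Key and Apply Gravestone Alias on Current Key) so an operator can reason about the effect of a change before clicking through the wizard. The class, field and function names, the gravestone timestamp format and the sample key aliases are this example's own assumptions.

```python
# Added example (not CCKM or AWS code): an offline model of the AWS KMS key
# lifecycle that the CCKM procedures on this page drive. State names, the
# 7-30 day waiting period, the multi-region restriction and the rotation
# options follow the page; class, field and function names are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

MIN_WAITING_DAYS = 7
MAX_WAITING_DAYS = 30
DEFAULT_WAITING_DAYS = 30

# Constructed reference time, matching the page's date example.
SAMPLE_NOW = datetime(2020, 9, 23, 4, 3)


class KeyStateError(Exception):
    """An operation that is not valid for the key's current state."""


def is_valid_waiting_period(days: int) -> bool:
    """AWS KMS accepts a waiting period of 7 to 30 days (inclusive)."""
    return MIN_WAITING_DAYS <= days <= MAX_WAITING_DAYS


@dataclass
class AwsKey:
    alias: Optional[str]
    state: str = "PendingImport"     # external-origin key with no material yet
    origin: str = "External"         # CCKM shows "CCKM" once it supplied the material
    multi_region_primary: bool = False
    replicas: List[str] = field(default_factory=list)   # replica regions
    material_expires: Optional[datetime] = None
    deletion_date: Optional[datetime] = None
    encrypt_allowed: bool = True

    def import_material(self, expires: Optional[datetime] = None) -> None:
        """Import (or re-import) key material: PendingImport -> Enabled."""
        if self.state != "PendingImport":
            raise KeyStateError(f"cannot import material in state {self.state}")
        self.state = "Enabled"
        self.origin = "CCKM"
        self.material_expires = expires

    def delete_material(self) -> None:
        """Delete imported material: the key returns to PendingImport."""
        if self.state not in ("Enabled", "Disabled"):
            raise KeyStateError(f"cannot delete material in state {self.state}")
        self.state = "PendingImport"
        self.material_expires = None

    def can_decrypt(self, now: datetime) -> bool:
        """Decryption needs an Enabled key whose material has not expired."""
        if self.state != "Enabled":
            return False
        return self.material_expires is None or now < self.material_expires

    def can_schedule_deletion(self) -> bool:
        """A multi-region primary must lose its replicas before deletion."""
        if self.state == "PendingDeletion":
            return False
        return not (self.multi_region_primary and self.replicas)

    def schedule_deletion(self, now: datetime,
                          waiting_days: int = DEFAULT_WAITING_DAYS) -> datetime:
        """Enter PendingDeletion; returns the date the key will be removed."""
        if not is_valid_waiting_period(waiting_days):
            raise ValueError(f"waiting period must be {MIN_WAITING_DAYS}-{MAX_WAITING_DAYS} days")
        if not self.can_schedule_deletion():
            raise KeyStateError("delete replica keys first, or deletion already scheduled")
        self.state = "PendingDeletion"
        self.deletion_date = now + timedelta(days=waiting_days)
        return self.deletion_date

    def cancel_deletion(self) -> None:
        """Cancelling leaves the key Disabled; it must be enabled explicitly."""
        if self.state != "PendingDeletion":
            raise KeyStateError("no deletion is scheduled")
        self.state = "Disabled"
        self.deletion_date = None

    def enable(self) -> None:
        if self.state != "Disabled":
            raise KeyStateError(f"cannot enable key in state {self.state}")
        self.state = "Enabled"


def rotate(current: AwsKey, now: datetime, disable_encrypt_on_current: bool = False,
           gravestone_alias: bool = False) -> AwsKey:
    """Rotate: fresh material goes into a new key that takes over the alias.

    The previous key stays able to decrypt existing data, optionally loses
    encrypt permission, and keeps its alias only as a timestamped gravestone
    (timestamp format is an assumption of this example).
    """
    new_key = AwsKey(alias=current.alias)
    new_key.import_material()
    current.alias = f"{current.alias}-{now:%Y%m%d%H%M}" if gravestone_alias else None
    if disable_encrypt_on_current:
        current.encrypt_allowed = False
    return new_key


def demo() -> List[str]:
    """Walk one key through the page's procedures; returns the state after each step."""
    key = AwsKey(alias="payroll-db")           # constructed sample alias
    trail = [key.state]
    key.import_material(expires=SAMPLE_NOW + timedelta(days=365))
    trail.append(key.state)
    key.delete_material()                      # cannot decrypt until re-import
    trail.append(key.state)
    key.import_material()                      # re-import is allowed
    trail.append(key.state)
    key.schedule_deletion(SAMPLE_NOW)          # default 30-day waiting period
    trail.append(key.state)
    key.cancel_deletion()
    trail.append(key.state)
    key.enable()
    trail.append(key.state)
    return trail


if __name__ == "__main__":
    print(" -> ".join(demo()))
```

Running the module prints the state trail for the constructed key. The two checks that matter operationally are `can_decrypt`, which goes false the moment material is deleted or expires, and `can_schedule_deletion`, which refuses a multi-region primary that still has replicas, the same rule the note under Scheduling Key Deletion states.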