This document describes CipherTrust Manager interfaces to use CipherTrust Cloud Key Manager. The document explains how to:
Add AWS KMS accounts, Azure vaults, Luna HSM partitions, DSM domains, and Google Cloud key rings to CCKM
Manage AWS, Azure, Luna HSM, DSM, Google CMEK, and Google Cloud External Key Manager (EKM) keys on CCKM
Schedule key rotation for AWS, Azure, and Google Cloud keys
Schedule key refresh for Luna HSM, DSM, AWS, Azure, and Google Cloud keys
It is assumed, for this document, that you have already configured the CipherTrust Manager appliance. Refer to the CipherTrust Manager Deployment Guide for instructions.
The next step is to activate and install the CCKM license. Refer to Licensing for details.
This section describes the high level steps to manage keys using CCKM:
Add a connection between the CipherTrust Manager and the desired cloud or key source. This is needed to grant CCKM the access to any of the cloud service or key source users with valid user credentials.
Test the connection. The connection must be in the ready state.
Add the container that contains the keys to be managed. A container can be an AWS account, an Azure vault, a Luna HSM partition, a DSM domain, or a Google Cloud key ring.
When adding a container, you need to select the corresponding connection.
Refresh the container to download its keys to CCKM. Refreshing a container might take significant amount of time depending on the number of keys stored in it.
CCKM provides options to refresh keys of an individual or all containers of a cloud service or key source.
After a container is refreshed successfully, the downloaded keys can be managed on CCKM itself.
Manage keys. With CCKM, you can perform supported key operations such as adding, editing, and rotating keys.
CCKM also provides options to schedule key operations and supports reporting for AWS and Azure clouds. Refer to relevant sections in the CCKM Administration and CCKM API documentation for more details about the steps listed above and other CCKM features.