Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CTE-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Widows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Install Virtual CipherTrust Manager

Google Cloud Deployment

search

Please Note:

printsuggest an edit

Google Cloud Deployment

You can deploy a CipherTrust Manager instance in Google Cloud.

copy link to clipboardMinimum Requirements

To deploy a CipherTrust Manager instance, the following minimum requirements apply:

  • System volume: 100 GB

  • Memory: 16 GB

  • vCPUs: 2

  • NICs: 1

Note

These minimum system requirements are for a system with light to moderate load. For applications that heavily load the system, additional memory and CPU allocation are required. The system volume holds all data as well as backups.

copy link to clipboardDeploying in Google Cloud

This section provides the steps for deploying a Virtual CipherTrust Manager instance from the Google Cloud Marketplace. Refer to the Google Cloud Platform documentation for general information on launching a VM in Google Cloud.

Note

We recommend first launching the Virtual CipherTrust Manager instance, and then providing the SSH key for the ksadmin user using the CipherTrust Manager web UI, as presented in the steps below. If you wish to instead use Google Cloud tools to provide the SSH key, you must provide the username ubuntu.

copy link to clipboardPrerequisite

If you wish to set a static IP for your Virtual CipherTrust Manager instance, you must reserve a static external IP address for your project before launching the VM. Consult Google documentation to do so.

copy link to clipboardTo launch a CipherTrust Manager instance

  1. Using your gmail address, sign in to the Google Cloud Platform.

  2. In the Google Cloud Platform top banner, select a project or create a new one.

    Create Project

    To create a New Project:

    1. Select New Project.

      Create New Project

    2. Enter a Project Name and Project ID.

    3. Enter a Location if you already have a parent organization you want to use.

    4. Select Create.

      The project's DASHBOARD appears.

  3. Navigate to the Google Cloud Marketplace and search for "CipherTrust Manager" images.

  4. On the results, select CipherTrust Manager Community Edition.

  5. Select Launch.

  6. To create a CipherTrust Manager instance, review and modify these fields as needed:

    1. Enter a Deployment name for the instance.

    2. Select the Zone closest to your location.

    3. Review that the Machine type is e2-standard-4 (4vCPU, 16 GB memory), which is optimized for Virtual CipherTrust Manager. If you want to change the Machine type, make sure the selection is in keeping with the minimum requirements.

    4. Review Boot disk type and Boot disk size in GB. The default of Standard Persistent Disk and 100 fulfill the minimum requirements of the image.

    5. If desired, in the Network interface section External IP drop down, you can select any static IP which is reserved for your project. Consult Google documentation on reserving a static IP address for a project.

      Note

      After launching the VM, you can confirm the static IP was applied using the nmcli tool in an SSH session.

    6. In the Firewall section, ensure that checkboxes for Allow HTTP traffic and Allow HTTPS traffic are enabled.

    7. Enable the checkbox to accept the GCP Marketplace Terms of Service and Thales - European Union - Frankfurt Terms of Service.

  7. Select Deploy to launch the instance.

    Your new virtual CipherTrust Manager is created and appears in Deployment Manager.

    Virtual CM created

  8. Click on the Site address for the newly created vCM.

    A new browser tab opens to this address and the CipherTrust Manager web page appears.

  9. You are prompted to enter an SSH key to authenticate the ksadmin user in an SSH session.

    SSH Public Key

    Note

    We support OpenSSH for the public key format. The corresponding private key can be OpenSSH, PKCS1, or PKCS8 format. You can generate this key pair using 'PuTTYgen' or similar utility. Save this SSH Public Key at a safe location. You will need this key for future SSH access.

    After replacing the default SSH Public Key, the Log In screen appears. For more options to replace the default SSH Public Key, see Starting Services After Deployment.

  10. Log in using the initial default credentials for the root administrator: Username = admin, Password = admin

    The following notice is displayed:

    Password Change Required

    Note

    If the default credentials do not work, you may need to retrieve an autogenerated password, as described in Changing the Initial Password.

  11. Enter a new password using this default Password Policy:

    Min length: 8
Max length: 30
Min number of upper cases: 1
Min number of lower cases: 1
Min number of digits: 1
Min number of other characters: 1

    A new Login screen appears.

  12. Using your new password, log in again. The CipherTrust Manager Web Page appears.

    Home Screen

  13. At this point, it's strongly recommended to configure an NTP server.

    1. Navigate to Admin Settings > NTP.

    2. Enter in an NTP Server hostname.

    3. For an authenticated NTP Server, enter in a symmetric key value in the NTP Key field.

    4. Click the +Add NTP Server button.

    See Network Time Protocol Server Configuration for more details.

  14. Obtain the ks_patch_disable_cloud_init.tar.gz.gpg archive file from Thales support portal. This archive file is required to disable the cloud-init service after first launch, to prevent unauthorized usage of cloud-init.

  15. Transfer the archive file to the CipherTrust Manager. You require the private SSH key associated with the ksadmin account. The command and supported private key format depends on the operating system you are transferring the archive file from.

    Source Operating SystemExample Command SyntaxRequired Private Key Format
    Linuxscp -i <path_to_private_SSH_key> <archive_file_name> ksadmin@<ip>:.OpenSSH format
    Windowspscp -i <path_to_private_SSH_key> <archive_file_name> ksadmin@<ip>:.PuTTY PPK format

  16. Login as ksadmin to an SSH session or cloud web console.

  17. Apply the archive file to disable cloud-init.

    sudo /opt/keysecure/ks_upgrade.sh -f <archive_file_path>

Congratulations! You have successfully deployed a CipherTrust Manager instance.

Note

Virtual CipherTrust Manager launches in Community Edition, with some restrictions on functionality. You can activate a 90 day trial evaluation for full functionality. To activate your instance with a trial evaluation, or a term or perpetual license, see Licensing.

copy link to clipboardSSH Access to the New Instance

If using a Windows client, use PuTTY or similar utility to SSH to your CipherTrust Manager instance as KeySecure Administrator (ksadmin). If needed, use PuTTYgen or similar utility to format the SSH Key Pair.

If using a Linux client use SSH to login as KeySecure Administrator (ksadmin).

copy link to clipboardDisk Resize Available with Disk Encryption

After you launch an unencrypted Virtual CipherTrust Manager and disable the cloud-init service, you cannot resize the disk. If you require a Virtual CipherTrust Manager with a larger or smaller disk size:

  • Encrypt the disk for the Virtual CipherTrust Manager instance and then attempt re-size.

  • Take a backup on the existing Virtual CipherTrust Manager, deploy a new Virtual CipherTrust Manager instance with the desired disk size, and restore the backup file on the new instance.

On this page