Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CTE-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Widows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Install Virtual CipherTrust Manager

Microsoft Azure Deployment

search

Please Note:

printsuggest an editpdf paneldownload

Microsoft Azure Deployment

You can deploy a CipherTrust Manager within the Microsoft Azure Cloud Computing Platform, including in the Azure Government environment (Arizona, Iowa, Virginia, and Texas regions).

copy link to clipboardMinimum Requirements

To deploy a CipherTrust Manager instance, the following minimum requirements apply:

  • System volume: 100 GB

  • Memory: 16 GB

  • vCPUs: 2

  • NICs: 1

Note

These minimum system requirements are for a system with light to moderate load. For applications that heavily load the system, additional memory and CPU allocation are required. The system volume holds all data as well as backups.

copy link to clipboardDeploying in Azure

This section provides the steps for deploying a Virtual CipherTrust Manager instance in Microsoft Azure. Refer to the Azure documentation for general information on launching a VM in Microsoft Azure.

copy link to clipboardPrerequisites

  • If using a Windows client, use PuTTY or similar utility to SSH to your CipherTrust Manager instance as KeySecure Administrator (ksadmin).

    If needed, use PuTTYgen or similar utility to format the SSH Key Pair.

  • If using a Linux client: use, SSH to login as KeySecure Administrator (ksadmin).

copy link to clipboardTo launch a Virtual CipherTrust Manager instance

  1. Sign in to the Azure or Azure Government portal.

  2. Search for CipherTrust Manager on the Marketplace page.

    Only the latest version is available on the Marketplace page, as CipherTrust Manager Community Edition.

    Older versions back to 2.6 are available through the Azure CLI. Some versions older than 2.6 are available from Thales customer support as a VHD file.

copy link to clipboardTo deploy the latest Virtual CipherTrust Manager Version from Marketplace

  1. Select the Thales Virtual CipherTrust Manager image from the Virtual Machines group.

    Note

    The following steps apply to the Azure recommended 'Resources Manager' deployment model.

  2. Click Create. The first screen of the Create virtual machine page is displayed.

  3. Change the Subscription type if desired.

  4. Select an existing Resource group or enter the name for a new one.

    Note

    For deployments with Azure Dedicated HSMs, this must be the same resource group as for Luna client host VM and the Dedicated HSM.

  5. Specify the Region of an Azure Datacenter. For example, East US.

    Note

    For Azure government, this must be one of USGov Arizona, USGov Iowa, USGov Virginia, or USGov Texas.

  6. Enter a Virtual machine name, which is the hostname for the virtual machine your are creating, for example, "mycompany-ciphertrust".

  7. Select the Size for the VM that supports the Minimum Requirements.

  8. Select the SSH Public Key for the Authentication type.

    Note

    SSH Public Key authentication must be used. Password authentication is not allowed when connecting as the initial user. We support OpenSSH format for the public key, and OpenSSH, PKCS1, or PKCS8 format for the private key. RSA is the supported key algorithm. We recommend RSA 4096, with RSA 2048 as a minimum size for adequate security.

  9. For the Username, enter "ksadmin", the default name for the System Administrator.

    Note

    You MUST use the name “ksadmin” for this initial user.

  10. For the SSH public key source, select one of "Generate new key pair", "Use existing public key", "Use existing public key stored in Azure". We support OpenSSH format for the public key, and OpenSSH, PKCS1, or PKCS8 format for the private key. RSA is the supported key algorithm. We recommend RSA 4096, with RSA 2048 as a minimum size for adequate security.

    Warning

    It is important that you have access to the key pair you select, otherwise you will not have permissions to perform administrator operations like performing upgrades, advanced logging or an appliance reset.

  11. In the SSH Public Key field, provide the necessary information for the SSH public key source selected in the last step.

  12. Select Next: Disks >. The Disks screen is displayed.

  13. Change the OS disk type to "Standard HDD", unless you desire a faster disk.

  14. Select an Encryption type depending on the Azure-level disk encryption you prefer.

  15. Select Next: Networking >. The Networking screen is displayed.

    The Virtual Network, Subnet, Public IP and Configure network security group fields are populated with default values for this VM, if you have preset networking values for other Azure VMs. Create new values if needed.

    For deployments with Azure Dedicated HSMs, the virtual network must also include the Dedicated HSM instance, and the lunaclient host instance. The subnet must also include the lunaclient host instance; this is subnet is referred to as the "Compute" subnet.

    For a list of security groups/ports, refer to Network Security Groups.

  16. Select Next: Management >. The Management screen is displayed.

  17. Select Next: Advanced > The Advanced screen is displayed.

  18. If desired, you can apply cloud-init configuration. Paste cloud-init configuration in the Custom Data field.

  19. Select Next: Tags >. The Tags screen is displayed.

  20. Enter any desired tags.

  21. Select Next: Review + create >. This is the final screen. Enter an email address, and click Create to launch the VM.

    Azure will run an evaluation of your virtual machine creation configuration.

    1. If the validation was not successful, a Validation failed message is displayed:

      Click on the arrow for details and precede to correct the cause of the validation error.

    2. If the validation is successful, a Validation passed screen is displayed, listing all VM details:

  22. Select Create to begin deployment of this VM. This screen is displayed indicating that deployment is in process.

    When deployment completes, this screen is displayed, providing access to all resources supporting the new VM.

  23. Connect to the CipherTrust Manager Web Page.

    1. Select the resource with the IP address, in this example: Keysecure-k170v-test-ip.

    2. Browse to this IP address (in this example enter https://40.117.142.62). The Log In screen appears.

  24. Log in using the initial default credentials: Username = admin, Password = admin

    The following notice is displayed:

    Note

    If the default credentials do not work, you may need to retrieve an autogenerated password, as described in changing the initial password.

  25. Enter a new password using this default Password Policy:

    Min length: 8
Max length: 30
Min number of upper cases: 1
Min number of lower cases: 1
Min number of digits: 1
Min number of other characters: 1

    A new Login screen appears.

  26. Using your new password, log in again. The CipherTrust Manager Web Page appears.

  27. At this point, it's strongly recommended to configure an NTP server.

    1. Navigate to Admin Settings > NTP.

    2. Enter in an NTP Server hostname.

    3. For an authenticated NTP Server, enter in a symmetric key value in the NTP Key field.

    4. Click the +Add NTP Server button.

    See Network Time Protocol Server Configuration for more details.

  28. Obtain the ks_patch_disable_cloud_init.tar.gz.gpg archive file from Thales support portal. This archive file is required to disable the cloud-init service after first launch, to prevent unauthorized usage of cloud-init.

  29. Transfer the archive file to the CipherTrust Manager. You require the private SSH key associated with the ksadmin account. The command and supported private key format depends on the operating system you are transferring the archive file from.

    Source Operating SystemExample Command SyntaxRequired Private Key Format
    Linuxscp -i <path_to_private_SSH_key> <archive_file_name> ksadmin@<ip>:.OpenSSH format
    Windowspscp -i <path_to_private_SSH_key> <archive_file_name> ksadmin@<ip>:.PuTTY PPK format

  30. Login as ksadmin to an SSH session or cloud web console.

  31. Apply the archive file to disable cloud-init.

    sudo /opt/keysecure/ks_upgrade.sh -f <archive_file_path>

Note

Virtual CipherTrust Manager includes a 90 day trial license. To activate your instance with a term or perpetual license, see Licensing.

copy link to clipboardTo deploy versions back to 2.6 using the Azure CLI

  1. List the Virtual CipherTrust Manager images available through the Azure CLI. Find the URN value for your desired version.

    az vm image list --offer cm_k170v --all

    Example response:

    [
  {
    "offer": "cm_k170v",
    "publisher": "thalesdiscplusainc1596561677238",
    "sku": "ciphertrust_manager",
    "urn": "thalesdiscplusainc1596561677238:cm_k170v:ciphertrust_manager:2.6.6506",
    "version": "2.6.6506"
  },
  {
    "offer": "cm_k170v",
    "publisher": "thalesdiscplusainc1596561677238",
    "sku": "ciphertrust_manager",
    "urn": "thalesdiscplusainc1596561677238:cm_k170v:ciphertrust_manager:2.7.6808",
    "version": "2.7.6808"
  }
]

  2. Accept the terms for the desired Virtual CipherTrust Manager image version.

    az vm image terms accept --urn <image_urn>

  3. Create the VM image. You provide or specify the following values:

    • The image URN.

    • The name of an existing resource group. The image's region will be taken from this resource group.

      Note

      For deployments with Azure Dedicated HSMs, this must be the same resource group as for Luna client host VM and the Dedicated HSM.

      Note

      For Azure government, the region must be one of USGov Arizona, USGov Iowa, USGov Virginia, or USGov Texas.

    • A new name for the VM.

    • A desired size for the VM, that meets the Minimum Requirements.

    • The admin username set to ksadmin. This is required to supply an SSH key at launch time, and for SSH access. The only allowed value is ksadmin.

    • A public IP SKU set to Standard

    • A source for the SSH key. You can choose to generate a new SSH key pair(--generate-ssh-keys), enter a name for an existing key already stored in Azure (--ssh-key-name <name_of_existing_ssh_key_in_azure>), or upload an SSH key file (--ssh-key-value <ssh_key_file>). We support OpenSSH format for the public key, and OpenSSH, PKCS1, or PKCS8 format for the private key. RSA is the supported key algorithm. We recommend RSA 4096, with RSA 2048 as a minimum size for adequate security.

      Warning

      It is important that you have access to the key pair you select, otherwise you will not have permissions to perform administrator operations like performing upgrades, advanced logging or an appliance reset.

    • (Optional) If you wish to perform cloud-init configuration to set some initial values for CipherTrust Manager, you can use the -d or --custom-data flag to pass in the user data from config.dat file.

    Example syntax

    az vm create --resource-group <resource_group> --name <desired_vm_name> --image <image_urn> --size <desired_image_size> --admin-username ksadmin {--generate-ssh-keys | --ssh-key-name <name_of_existing_ssh_key_in_azure> | --ssh-key-value <ssh_key_file>} [--custom-data <config.dat_file_path>] --public-ip-sku Standard

    Example command with Standard_F4s_V2 size and SSH key generation

    az vm create --resource-group myURNVM --name myVM --image thalesdiscplusainc1596561677238:cm_k170v:ciphertrust_manager:2.6.6506 --admin-username ksadmin --size Standard_F4s_v2 --generate-ssh-keys --public-ip-sku Standard

    Example response

    {
  "fqdns": "",
  "id": "/subscriptions/260ecbe7-777b-4d3c-84ea-887620498863/resourceGroups/myURNVM/providers/Microsoft.Compute/virtualMachines/myVM",
  "location": "westus",
  "macAddress": "00-00-00-00-00-00",
  "powerState": "VM running",
  "privateIpAddress": "1.1.1.1",
  "publicIpAddress": "2.2.2.2",
  "resourceGroup": "myURNVM",
  "zones": ""
}

    Note the public IP address returned in the VM creation response.

  4. Open the 443 port to allow web browsing to the Virtual CipherTrust Manager instance.

    az vm open-port -g <resource_group_name> -n <virtual_machine_name> --port '443'

  5. Navigate to the https://<VM_public_IP_address> to connect to the CipherTrust Manager Web Page. The public IP address was returned when the VM was created. You can also view this value in the Azure portal Virtual Machine list.

    The Log In screen appears.

  6. Log in using the initial default credentials: Username = admin, Password = admin

    The following notice is displayed:

    Note

    If the default credentials do not work, you may need to retrieve an autogenerated password, as described in changing the initial password.

  7. Enter a new password using this default Password Policy:

    Min length: 8
Max length: 30
Min number of upper cases: 1
Min number of lower cases: 1
Min number of digits: 1
Min number of other characters: 1

    A new Login screen appears.

  8. Using your new password, log in again. The CipherTrust Manager Web Page appears.

  9. At this point, it's strongly recommended to configure an NTP server.

    1. Navigate to Admin Settings > NTP.

    2. Enter in an NTP Server hostname.

    3. For an authenticated NTP Server, enter in a symmetric key value in the NTP Key field.

    4. Click the +Add NTP Server button.

    See Network Time Protocol Server Configuration for more details.

  10. Obtain the ks_patch_disable_cloud_init.tar.gz.gpg archive file from Thales support portal. This archive file is required to disable the cloud-init service after first launch, to prevent unauthorized usage of cloud-init.

  11. Transfer the archive file to the CipherTrust Manager. You require the private SSH key associated with the ksadmin account. The command and supported private key format depends on the operating system you are transferring the archive file from.

    Source Operating SystemExample Command SyntaxRequired Private Key Format
    Linuxscp -i <path_to_private_SSH_key> <archive_file_name> ksadmin@<ip>:.OpenSSH format
    Windowspscp -i <path_to_private_SSH_key> <archive_file_name> ksadmin@<ip>:.PuTTY PPK format

  12. Login as ksadmin to an SSH session or cloud web console.

  13. Apply the archive file to disable cloud-init.

    sudo /opt/keysecure/ks_upgrade.sh -f <archive_file_path>

Note

Virtual CipherTrust Manager launches in Community Edition, with some restrictions on functionality. You can activate a 90 day trial evaluation for full functionality. To activate your instance with a trial evaluation, or term or perpetual license, see Licensing.

copy link to clipboardDisk Resize Available with Disk Encryption

After you launch an unencrypted Virtual CipherTrust Manager and disable the cloud-init service, you cannot resize the disk. If you require a Virtual CipherTrust Manager with a larger or smaller disk size:

  • Encrypt the disk for the Virtual CipherTrust Manager instance and then attempt re-size.

  • Take a backup on the existing Virtual CipherTrust Manager, deploy a new Virtual CipherTrust Manager instance with the desired disk size, and restore the backup file on the new instance.

On this page