Administration
CipherTrust Manager Administration
- Authentication
  - Users
  - Authentication Tokens
  - Client Management
  - Authenticating to the REST API
- Key Policies
- Changing Passwords
- Groups
- Quorums
- Scheduler
- Connection Manager
  - Connections
  - Amazon Web Services (AWS)
  - Google Cloud Platform (GCP)
  - Microsoft Azure
  - Salesforce
  - SAP Data Custodian
  - CIFS/SMB
  - Oracle Cloud Infrastructure (OCI)
  - OIDC
- CLI Toolkit
  - CLI Toolkit Installation
  - Batching Commands with Tokens
  - Example CLI User Set Up
- Keys
- Key Rotation
CCKM Administration
- Overview
- AWS Resources
  - Managing AWS Accounts
  - Managing AWS Keys
  - Scheduling Operations
  - Managing AWS Reports
  - Managing Policies
  - Managing AWS Templates
  - Migrating to IAM Roles Anywhere Connections
  - Downloading AWS Metadata
- Azure Resources
  - Prerequisites
    - Prerequisites for Azure Cloud
    - Prerequisites for Azure Stack Cloud with Azure AD
    - Prerequisites for Azure Stack Cloud with Azure ADFS
  - Managing Azure Vaults
  - Managing Azure Keys
  - Managing Azure Certificates
  - Managing Azure Secrets
  - Scheduling Operations
  - Managing Azure Reports
  - Viewing Azure Subscriptions
  - Downloading Azure Metadata
- AWS External Key Store Resources
  - Managing External Key Store Resources
- AWS CloudHSM Key Store Resources
  - Managing an AWS CloudHSM Key Store from CCKM
- Google Cloud Resources
  - Google Cloud Projects
  - Google Cloud Key Rings
  - Google Cloud Keys
  - Google Cloud Reports
  - Scheduling Operations
  - Downloading Google Metadata
- Google Cloud External Key Manager Resources
  - Managing Google EKM Endpoints
  - Managing Google EKM Endpoint Policies
- Google Workspace CSE Resources
  - Access Policies
  - High Level Architecture
  - Prerequisites
  - Communication with KACLS
  - Encrypting Data Encryption Keys
  - Decrypting Data Encryption Keys
  - Endpoints
  - Identity Providers
- Microsoft Double Key Encryption (DKE) Resources
  - Managing DKE Endpoints
  - Managing DKE Authorized Tenants
- Salesforce Resources
  - Managing Salesforce Organizations
  - Managing Salesforce Tenant Secrets
  - Scheduling Operations
  - Managing Salesforce Reports
  - Managing Salesforce Cache-Only Key Endpoints
  - Managing Certificates from Salesforce Organizations
- SAP Resources
  - Managing SAP Groups
  - Managing SAP Keys
  - Scheduling Operations
  - Managing SAP Reports
  - Viewing Linked SAP Applications
  - Downloading SAP Metadata
- Oracle Cloud Resources
  - Managing Oracle Vaults
  - Managing Oracle Keys
  - Managing Oracle Tenancies
  - Scheduling Operations
  - Managing Oracle Reports
  - Managing Oracle Compartments
  - Downloading Oracle Metadata
- OCI External Resources
  - Managing Identity Providers
  - Managing External Vaults
  - Managing External Keys
- Key Material Export and Upload
CTE UserSpace Administration
- Overview
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Collecting Agent Information
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
- Managing GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
- Multifactor Authentication
- Communication Workflow with CipherTrust Manager Behind a Load Balancer
- Integrating CTE Logging with Splunk
- Permissions
- Quorum Control
- Operations
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - Creating GuardPoints
- API Response Codes
CTE Administration
- Overview
- Concepts
- Migrating CTE Resources from CipherTrust Manager Appliance
- Data Transformation
- Managing Profiles
- Managing Clients
  - Enabling Live Data Transformation
  - Setting Client Locks
  - Client Settings
  - CTE Linux Authentication and Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Kernel Compatibility Matrix
  - Fetching Latest Capabilities from Clients
- Managing LDT Communication Groups
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
- Managing GuardPoints
  - Secure Start GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
    - Creating LDT GuardPoints
    - Creating Cloud Object Storage GuardPoints
    - Creating IDT GuardPoints
    - Creating Ransomware Protection GuardPoints
  - Enabling Secure Start for GuardPoints
  - Protecting Teradata Appliances
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Changing SMB Connection
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
  - Enabling and Disabling MFA on GuardPoints
- Managing Kubernetes Storage Groups and Clients
  - Managing Kubernetes Storage Groups
  - Managing Kubernetes Clients
  - Protecting Kubernetes Clients
- Multifactor Authentication
- Integrating CTE Logging with Splunk
- Permissions
- Quorum Control
- Ransomware Protection
- Unique to Client Keys
- Operations
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - LDT Use Cases
  - Creating GuardPoints
- API Response Codes

CipherTrust Data Security Platform Services
Administration
CCKM Administration
Overview

Overview

CipherTrust Cloud Key Manager (CCKM, also referred to as CCKM Embedded) centralizes the management of key life cycle for various cloud services providers. The CCKM complies with data security mandates in cloud storage environments while retaining the custodianship of the encryption keys. Enterprises can back up keys on-premise, destroy keys when no longer needed, and manage the entire life cycle of the cloud keys.

The following diagram shows the high level CCKM overview:

CCKM Components

The CCKM solution comprises the following components:

CCKM GUI on the CipherTrust Manager for administrators and users
At least one of the supported clouds
A supported trusted key source
A supported Internet browser

The product is delivered as a licensed component of the CipherTrust Manager appliance that can be installed on any one of the supported deployment methods.

Supported Clouds

Amazon Web Services (AWS)
- AWS China
Azure Cloud
- Azure China Cloud
- Azure US Government
Google Cloud
Oracle Cloud
Salesforce
- Salesforce Sandbox
SAP Data Custodian

Note

AWS China cloud does not support uploading 256-bit keys. It supports 128-bit keys only. CCKM automatically uploads 128-bit keys to the AWS China cloud through the GUI. Other AWS clouds support upload of 256-bit keys.
AWS China cloud does not support creation of native asymmetric keys.
Azure China cloud requires that the CipherTrust Data Security Platform Service and automated systems are deployed in the same VPC and subnet.

Supported Cloud Services

AWS Customer Managed CMKs
AWS Custom Key Stores
- AWS CloudHSM Key Stores
- External Key Stores (XKS)
Azure Cloud BYOK
Azure Key Vault Managed HSM
Azure Stack (Azure Active Directory, Azure AD)
Azure Stack (Active Directory Federation Services, AD FS)
Google Workspace Client Side Encryption (CSE)
Google Cloud CustomerManaged Encryption Keys (CMEK)
Google Cloud External Key Manager (EKM)
Google Ubiquitous Data Encryption (EKM+UDE)
Microsoft Double Key Encryption (DKE)
Oracle Cloud Infrastructure (OCI) (BYOK)
OCI External Key Management Service (EKMS)
Salesforce Bring Your Own Key (BYOK)
Salesforce Cache-Only Key Service
SAP Data Custodian Key Management Service (BYOK)

Supported Key Sources

CCKM uses the following as the trusted key sources for the encryption keys employed within the supported clouds:

CipherTrust Manager
External CipherTrust Manager
Azure Dedicated HSM

The CipherTrust Manager supports all clouds that CCKM supports. The CipherTrust Manager stores its own keys and the backup keys from the supported clouds.

Note

On the CipherTrust Manager, CCKM cannot manage source keys created on the CCKM Appliance v1.x.

Supported Internet Browsers

The CCKM supports the following Internet browsers:

Chrome 51.0.2704 (64-bit) or later
Firefox 45.0 or later
Microsoft Edge 91.0.864.37 or later

CCKM Functionality

The CCKM provides following functionalities for the supported cloud services:

Life cycle management of keys, key versions, and attributes:
- View Keys
- Update Keys
- Upload Keys
- Rotate Keys
- Delete Keys
Disaster recovery of keys:
- Backup Keys
- Restore Keys
Hybrid key management:
- On-premise keys storage
- Management of both keys originating from trusted key sources and cloud-provider-sourced keys
- Key synchronization
Compliance management:
- On-premise key storage with up to FIPS 140-2 Level 3 certification (CipherTrust Manager K570 with K7 card)
Key visibility reporting:
- Key Activity Report: Inspect individual key histories by operations, for example, when they were refreshed, rotated, edited, or deleted. Also, use this report to compare key activities between CCKM and a cloud service.
- Key Aging Report: Track keys by their expiration dates. Audit a range of dates, from past material deletions to future scheduled deletions, within a cloud service.
- Service/Usage Report: Monitor key usage by tracking services and applications consuming the keys. View when and where a service requests the use of each key.
Note
Reporting is not supported for the Azure Stack cloud. All clouds do not support all types of reports. Refer to related sections of the CCKM documentation for cloud-specific reports.

User Roles

CCKM has the following users with different responsibilities in administering and using the resources of supported clouds and key sources.

CCKM Admins

There is a System Defined Group named "CCKM Admins". Users within the "CCKM Admins" group are CCKM Administrators. Additionally, the CCKM administrators need the Key Users, Connection Admins, and User Admins permissions to perform key operations on the supported clouds.

A CCKM Administrator is responsible for creating and managing the following resources:

AWS KMS Accounts, AWS Keys, AWS Custom Key Stores
Azure Key Vaults, Azure Subscriptions, and Azure Keys
Google Cloud Projects, Key Rings, and Keys
Google EKM endpoints
Microsoft DKE endpoints
Salesforce Organizations, Tenant Secrets
SAP Groups, SAP Keys
CCKM Schedules
CCKM Reports

CCKM Users

There is a System Defined Group named "CCKM Users". CCKM users registered with the CipherTrust Manager are part of this group. Additionally, the CCKM users need the Key Users permissions to perform key operations on the supported clouds. As well, they need custom key store permissions to manage AWS custom key stores.

Additional ACLs/Permissions

Additional ACLs/permissions can be granted to different CCKM roles on individual cloud resources such as AWS Accounts, Azure Key Vaults, Google Key Rings, Oracle Vaults, Salesforce Organizations, and SAP Groups.

Refer to the CCKM documentation of the respective clouds.