Create an Encryption Key
-
From the Products page in the CipherTrust Manager Console, click Keys in the left hand pane.
Tip
To navigate to the Products page from anywhere in the CipherTrust Manager Console, click the App Switcher icon in the top left corner.
-
Above the Key table, click Add Key.
-
In the Key Name field, enter a name for the key. The name must be unique within CipherTrust Manager, for example Simple-Key.
-
In the Key Usage section, make sure Encrypt and Decrypt are selected.
-
Click Add Key. CipherTrust Manager displays the properties for the new key.
-
In the general options area, enable the Exportable option. CTE agents retrieve the key material from CipherTrust Manager, which is why the key must be exportable.
You can also enable the Deletable option in this section if you want a CipherTrust Manager Administrator to be able to delete the key.
-
In the Key Access section, do the following:
a. In the Search Groups box, type CTE.
If no groups display, make sure that the Added Only option is disabled.
b. Click the Read and Export option for both the CTE Admins and CTE Clients groups.
c. When you are done, click Update.
-
Click the CTE tab and set the following properties:
-
CTE Versioned: Specify whether the key is versioned.
For a standard policy, and for CTE-U, clear this check box. A versioned key does not appear in the key list when you add a key rule to a standard policy.
Note
CTE-U only supports standard and offline policies. It does not support LDT.
-
Persistent on Client: Specify whether the key is stored in persistent memory on the client.
-
Unselected
The key is stored only on disk inside CipherTrust Manager. When required, it is downloaded to the CipherTrust Transparent Encryption agent, which caches it in kernel memory only, in encrypted form. This is the default mode. The agent continues to work if communication with CipherTrust Manager is lost while it is running, but because nothing is kept on the client's disk, the agent must be able to reach CipherTrust Manager to retrieve its keys and policies again after the agent is restarted or the server is rebooted.
-
Selected
In this mode, the key is additionally encrypted with a key derived using a FIPS-approved key derivation function and stored in a local protected directory that only CTE services and utilities can access. If the connection between CipherTrust Manager and the CTE agent is unavailable, the key can be recovered for service through the challenge/response mechanism.
-
-
Encryption Mode: Encryption mode of the key. The options are:
-
XTS/CBC-CS1
-
CBC
For CTE-U, select CBC-CS1. CBC keys are supported only for legacy key requirements and are not recommended for CipherTrust Transparent Encryption UserSpace.
-
-
-
When you are done, click Update.
To create keys through the REST API instead of the console, see Creating Keys.
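The same key can be created through the REST API. The following script is an added example, not part of the original page or of Thales' own tooling. It builds the request body that mirrors the console steps above (AES-256, Encrypt and Decrypt usage, exportable, Read and Export for the CTE Admins and CTE Clients groups, and the CTE tab settings) and refuses the two combinations the page warns against: a versioned key for a CTE-U or standard policy, and CBC mode for CTE-U. The endpoint paths, the usageMask bit values and the top-level key fields follow the CipherTrust Manager API reference as the author understands it; the field names under meta.permissions and meta.cte and the mode strings are assumptions and should be checked against Creating Keys before use. The host name and credentials are hypothetical.

```python
"""Create a CTE encryption key through the CipherTrust Manager REST API.

Added example, not Thales code. Top-level key fields, usageMask bits and
endpoint paths follow the CM API reference; the names under meta.permissions
and meta.cte and the encryption-mode strings are ASSUMPTIONS to verify
against "Creating Keys".
"""
import json
import ssl
import urllib.request

# KMIP-style cryptographic usage-mask bits used by CipherTrust Manager
USAGE_ENCRYPT = 4
USAGE_DECRYPT = 8

CTE_GROUPS = ["CTE Admins", "CTE Clients"]
ENCRYPTION_MODES = ("XTS", "CBC_CS1", "CBC")   # ASSUMED spellings of the CTE tab options


def build_create_key_body(name, *, versioned=False, persistent_on_client=False,
                          encryption_mode="CBC_CS1", deletable=True,
                          cte_userspace=False):
    """Return the JSON body for POST /api/v1/vault/keys2.

    Enforces the CTE tab caveats: a versioned key is not offered when a key
    rule is added to a standard policy (and CTE-U supports only standard and
    offline policies), and CBC is legacy-only for CTE-U.
    """
    if encryption_mode not in ENCRYPTION_MODES:
        raise ValueError(f"unknown encryption mode {encryption_mode!r}")
    if cte_userspace and versioned:
        raise ValueError("CTE-U policies are standard/offline only; clear CTE Versioned")
    if cte_userspace and encryption_mode == "CBC":
        raise ValueError("CBC is legacy-only; use CBC_CS1 for CTE-U")
    return {
        "name": name,                                  # must be unique, e.g. Simple-Key
        "algorithm": "AES",
        "size": 256,
        "usageMask": USAGE_ENCRYPT | USAGE_DECRYPT,    # 12: Encrypt and Decrypt only
        "unexportable": False,                         # "Exportable" in the console
        "undeletable": not deletable,                  # "Deletable" in the console
        "meta": {
            # ASSUMED field names: Read and Export for both CTE groups
            "permissions": {"ReadKey": list(CTE_GROUPS), "ExportKey": list(CTE_GROUPS)},
            # ASSUMED field names: the CTE tab properties
            "cte": {
                "cte_versioned": versioned,
                "persistent_on_client": persistent_on_client,
                "encryption_mode": encryption_mode,
            },
        },
    }


def _post_json(url, payload, headers, cafile=None):
    """POST JSON and return the decoded response; TLS verification stays on.

    Pass the CA that signed the CM server certificate via cafile rather than
    disabling verification, otherwise the key material could be sent to an
    impersonating host."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def get_jwt(base_url, username, password, domain=None, cafile=None):
    """Obtain a bearer token from POST /api/v1/auth/tokens."""
    creds = {"grant_type": "password", "username": username, "password": password}
    if domain:
        creds["domain"] = domain
    return _post_json(f"{base_url}/api/v1/auth/tokens", creds, {}, cafile)["jwt"]


def create_key(base_url, jwt, body, cafile=None):
    """POST the key and return the key object CipherTrust Manager creates."""
    return _post_json(f"{base_url}/api/v1/vault/keys2", body,
                      {"Authorization": f"Bearer {jwt}"}, cafile)


if __name__ == "__main__":
    import os
    # Hypothetical host and environment-supplied credentials; replace before running.
    cm = os.environ.get("CM_URL", "https://cm.example.internal")
    token = get_jwt(cm, os.environ["CM_USER"], os.environ["CM_PASS"],
                    cafile=os.environ.get("CM_CA"))
    key = create_key(cm, token, build_create_key_body("Simple-Key", cte_userspace=True),
                     cafile=os.environ.get("CM_CA"))
    print(key["id"], key["name"])
```

The request body is built and validated separately from the HTTP calls so the policy checks can be exercised offline; only the `__main__` section talks to a CipherTrust Manager. If the created key does not appear in the key list when you add the key rule to a standard policy, inspect the returned object's CTE properties for a versioned flag that was left set.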