Managing the External Key Service

After the external key service is configured, you can select an external key management server to manage keys when creating a self-encrypting storage pool or enabling data encryption for an account.

Prerequisites

The external key service is supported only when an advanced license is imported.

Procedure

  1. Choose Settings > External Key Service.
  2. Click Edit.

    If an external key management server has been configured, you can click Modify to modify its settings.

    To modify a configured external key management server, delete it and then add a new one.

  3. Click Import. The Import and Activate page is displayed. Set Certificate File, CA Certificate File, and Private Key File of the external key service and click OK.

    If the external key service certificates have been imported, click Re-import to update the certificates.

  4. Select the type of the external key management server and enter its IP address and port number. Table 1 describes the parameters of an external key management server.

    • Click to configure a second external key management server. The two servers back up each other.
    • Click to remove an external key management server. When modifying or removing an external key management server, ensure that the IP address of the other server is connected; otherwise, modify or remove the server whose IP address is disconnected.
    Table 1 Parameters of an external key management server

    Parameter: Server Type
        Description: Type of an external key management server.
        Example: SafeNet KMIP
        NOTE:
        • Thales KMIP: Thales CipherTrust Manager key management server.
        • SafeNet KMIP: SafeNet KeySecure key management server.
        • Sansec KMIP: Sansec SecKMS key management server.
        • Utimaco KMIP: Utimaco vESKM key management server.
        • Thales DSM KMIP: Thales Vormetric Data Security Manager key management server.

    Parameter: Server Address
        Description: Service network port IP address of an external key management server.
        Example: 192.168.141.128

    Parameter: Port
        Description: Port of an external key management server IP address.
        Value range: 1 to 65535.
        Default value: 5696.
        NOTE: If Thales DSM KMIP is selected, the port number can only be set to 5696.

  5. Click Test to check whether the external key management server is configured successfully.
  6. Click Save.
  7. (Optional) To delete a configured server, click Initialize Server and confirm the operation as prompted.

    Before initializing a server, ensure that the self-encrypting storage pool or encrypted account that uses the external key service has been deleted and the configured external key management servers are connected. If either server is disconnected, remove it and try again.
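
A pre-flight check for steps 3 to 5, added here as an example and not part of the product or its documentation: it validates planned server entries against Table 1 and attempts a mutual-TLS handshake with the KMIP port using the three files that step 3 imports. The function names, the PEM file format, the duplicate-entry check, and the expectation that the server certificate names its IP address are assumptions.

```python
import ipaddress
import socket
import ssl

# Values taken from Table 1 of this page.
SERVER_TYPES = {"Thales KMIP", "SafeNet KMIP", "Sansec KMIP",
                "Utimaco KMIP", "Thales DSM KMIP"}
DEFAULT_PORT = 5696


def validate_servers(servers):
    """Return a list of problems for one or two (type, address, port) tuples."""
    problems, seen = [], set()
    if not 1 <= len(servers) <= 2:
        problems.append("configure one or two servers")
    for server_type, address, port in servers:
        if server_type not in SERVER_TYPES:
            problems.append(f"{address}: unknown server type {server_type!r}")
        try:
            ipaddress.ip_address(address)
        except ValueError:
            problems.append(f"{address}: not a valid IP address")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            problems.append(f"{address}: port {port} outside 1 to 65535")
        elif server_type == "Thales DSM KMIP" and port != DEFAULT_PORT:
            problems.append(f"{address}: Thales DSM KMIP requires port 5696")
        # Assumption: the same endpoint entered twice gives no backup.
        if (address, port) in seen:
            problems.append(f"{address}:{port} listed twice, no redundancy")
        seen.add((address, port))
    return problems


def tls_handshake(address, port, cert_file, ca_file, key_file, timeout=5.0):
    """Mutual-TLS handshake with the KMIP port; returns the negotiated version.

    Raises ssl.SSLError if the private key does not match the certificate,
    or if the server certificate does not chain to ca_file or (assumption)
    does not list the IP address; raises OSError if the port is unreachable.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies the server by default
    ctx.load_verify_locations(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    with socket.create_connection((address, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=address) as tls:
            return tls.version()
```

Run `validate_servers` on the planned entries first, then `tls_handshake` from a host on the same service network; a failure there usually explains a failed Test in step 5.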