Set up external key management

Contributors netapp-dbagwell amgrissino ntap-bmegan

You can follow these steps and use the Element API methods listed to set up your external key management feature.

What you’ll need
  • If you are setting up external key management in combination with software encryption at rest, you have enabled software encryption at rest using the CreateCluster method on a new cluster that does not contain volumes.

Steps
  1. Establish a trust relationship with the External Key Server (EKS).

    1. Create a public/private key pair for the Element cluster that is used to establish a trust relationship with the key server by calling the following API method: CreatePublicPrivateKeyPair

    2. Get the certificate signing request (CSR) that the Certification Authority needs to sign. The CSR enables the key server to verify that the Element cluster accessing the keys is the authenticated Element cluster. Call the following API method: GetClientCertificateSignRequest

    3. Use the EKS/Certificate Authority to sign the retrieved CSR. See third-party documentation for more information.

  2. Create a server and provider on the cluster to communicate with the EKS. A key provider defines where a key should be obtained, and a server defines the specific attributes of the EKS that will be communicated with.

    1. Create a key provider where the key server details will reside by calling the following API method: CreateKeyProviderKmip

    2. Create a key server, providing the signed certificate and the public key certificate of the Certification Authority, by calling the following API methods: CreateKeyServerKmip and TestKeyServerKmip

      If the test fails, verify your server connectivity and configuration. Then repeat the test.

    3. Add the key server into the key provider container by calling the following API methods: AddKeyServerToProviderKmip and TestKeyProviderKmip

      If the test fails, verify your server connectivity and configuration. Then repeat the test.

  3. Do one of the following as a next step for encryption at rest:

    1. (For hardware encryption at rest) Enable hardware encryption at rest by calling the EnableEncryptionAtRest API method and passing the ID of the key provider that contains the key server used for storing the keys.

      You must enable encryption at rest via the API. Enabling encryption at rest using the existing Element UI button will cause the feature to revert to using internally generated keys.
    2. (For software encryption at rest) To make software encryption at rest use the newly created key provider, pass the key provider ID to the RekeySoftwareEncryptionAtRestMasterKey API method.
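The following script is an added example and is not NetApp's code or part of this page. It walks steps 1 to 3 in order over the Element JSON-RPC interface, stops at the first failed test so that a key server that cannot be reached is never attached to a provider, and enables encryption at rest through the API rather than the UI. Only the method names come from the page; the endpoint form (POST to https://<mvip>/json-rpc/<version>), the parameter names (commonName, keyProviderName, kmipKeyServerHostnames, keyServerID and so on) and the result field names are assumptions from memory of the Element API reference and must be checked against your cluster's version. The `FakeCluster` transport and its responses are constructed so the flow can be exercised offline.

```python
"""Drive the external key management setup steps through Element JSON-RPC.

Added example, not NetApp's code. Method names are from the page; the
endpoint shape, parameter names and result field names are assumptions
that must be checked against the Element API reference for your version.
"""
from typing import Callable, Dict, List

API_VERSION = "12.3"  # assumed; use the API version your cluster supports


class ElementClient:
    """Minimal JSON-RPC caller. The transport `post(url, body) -> dict` is
    injected so the same flow runs against a real cluster or the fake below."""

    def __init__(self, mvip: str, post: Callable[[str, dict], dict]):
        self.url = f"https://{mvip}/json-rpc/{API_VERSION}"  # assumed endpoint form
        self._post = post
        self._id = 0

    def call(self, method: str, **params) -> dict:
        self._id += 1
        reply = self._post(self.url, {"method": method, "params": params, "id": self._id})
        if "error" in reply:  # a failed Test*Kmip call surfaces here and aborts the flow
            raise RuntimeError(f"{method} failed: {reply['error']}")
        return reply.get("result", {})


def requests_post(url: str, body: dict, auth=None, ca_bundle=True) -> dict:
    """Real transport (needs the `requests` package). TLS verification stays on:
    the MVIP certificate is what stops admin credentials and the signed client
    certificate from being handed to an impostor."""
    import requests  # imported lazily so the offline demo needs no extra package
    r = requests.post(url, json=body, auth=auth, verify=ca_bundle, timeout=30)
    r.raise_for_status()
    return r.json()


def setup_external_key_management(client: ElementClient, signer: Callable[[str], str],
                                  provider_name: str, kmip_hosts: List[str], kmip_port: int,
                                  ca_cert: str, mode: str):
    """Steps 1-3 in page order. `signer(csr) -> signed cert` stands in for the
    out-of-band signing by the EKS/CA (step 1.3). `mode` is 'hardware' or 'software'."""
    # Step 1: trust relationship with the EKS (parameter names below are assumed)
    client.call("CreatePublicPrivateKeyPair", commonName="element-cluster")
    csr = client.call("GetClientCertificateSignRequest")["clientCertificateSignRequest"]
    client_cert = signer(csr)
    # Step 2: provider first, then the server, testing each before going further
    provider_id = client.call("CreateKeyProviderKmip",
                              keyProviderName=provider_name)["kmipKeyProvider"]["keyProviderID"]
    server_id = client.call("CreateKeyServerKmip", kmipKeyServerName=f"{provider_name}-server",
                            kmipKeyServerHostnames=kmip_hosts, kmipKeyServerPort=kmip_port,
                            kmipCaCertificate=ca_cert,
                            kmipClientCertificate=client_cert)["kmipKeyServer"]["keyServerID"]
    client.call("TestKeyServerKmip", keyServerID=server_id)  # fails: fix connectivity/config, rerun
    client.call("AddKeyServerToProviderKmip", keyProviderID=provider_id, keyServerID=server_id)
    client.call("TestKeyProviderKmip", keyProviderID=provider_id)
    # Step 3: enable via the API only; the UI button would revert to internal keys
    if mode == "hardware":
        client.call("EnableEncryptionAtRest", keyProviderID=provider_id)
    elif mode == "software":
        client.call("RekeySoftwareEncryptionAtRestMasterKey",
                    keyManagementType="external", keyProviderID=provider_id)
    else:
        raise ValueError("mode must be 'hardware' or 'software'")
    return provider_id, server_id


class FakeCluster:
    """Offline stand-in for a cluster: records the methods called and returns
    constructed responses. `fail_server_test` simulates step 2.2 failing."""

    def __init__(self, fail_server_test: bool = False):
        self.calls: List[str] = []
        self.fail_server_test = fail_server_test

    def __call__(self, url: str, body: Dict) -> dict:
        method = body["method"]
        self.calls.append(method)
        if method == "GetClientCertificateSignRequest":
            return {"result": {"clientCertificateSignRequest": "CONSTRUCTED-CSR-PEM"}}
        if method == "CreateKeyProviderKmip":
            return {"result": {"kmipKeyProvider": {"keyProviderID": 1}}}
        if method == "CreateKeyServerKmip":
            return {"result": {"kmipKeyServer": {"keyServerID": 7}}}
        if method == "TestKeyServerKmip" and self.fail_server_test:
            return {"error": {"name": "constructedError", "message": "cannot reach key server"}}
        return {"result": {}}


if __name__ == "__main__":
    fake = FakeCluster()
    ids = setup_external_key_management(ElementClient("192.0.2.10", fake), lambda csr: "SIGNED",
                                        "prod-kms", ["kms.example.net"], 5696, "CA-PEM", "hardware")
    print(ids, fake.calls)
```

Against a real cluster, replace `FakeCluster()` with a `functools.partial(requests_post, auth=(user, password), ca_bundle="/path/to/mvip-ca.pem")` and supply the PEM strings from your CA; the order of calls and the abort-on-failed-test behaviour are the same.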

Find more information