Skip to main content

Configure StorageGRID as a client in the KMS

Contributors

You must configure StorageGRID as a client for each external key management server or KMS cluster before you can add the KMS to StorageGRID.

Note These instructions apply to Thales CipherTrust Manager and Hashicorp Vault. For a list of supported products and versions, use the NetApp Interoperability Matrix Tool (IMT).
Steps
  1. From the KMS software, create a StorageGRID client for each KMS or KMS cluster you plan to use.

    Each KMS manages a single encryption key for the StorageGRID appliances nodes at a single site or at a group of sites.

  2. Create a key using one of the following two methods:

    • Use the key management page of your KMS product. Create an AES encryption key for each KMS or KMS cluster.

      The encryption key must be 2,048 bits or more, and it must be exportable.

    • Have StorageGRID create the key. You will be prompted when you test and save after uploading client certificates.

  3. Record the following information for each KMS or KMS cluster.

    You need this information when you add the KMS to StorageGRID:

    • Host name or IP address for each server.

    • KMIP port used by the KMS.

    • Key alias for the encryption key in the KMS.

  4. For each KMS or KMS cluster, obtain a server certificate signed by a certificate authority (CA) or a certificate bundle that contains each of the PEM-encoded CA certificate files, concatenated in certificate chain order.

    The server certificate allows the external KMS to authenticate itself to StorageGRID.

    • The certificate must use the Privacy Enhanced Mail (PEM) Base-64 encoded X.509 format.

    • The Subject Alternative Name (SAN) field in each server certificate must include the fully qualified domain name (FQDN) or IP address that StorageGRID will connect to.

      Note When you configure the KMS in StorageGRID, you must enter the same FQDNs or IP addresses in the Hostname field.
    • The server certificate must match the certificate used by the KMIP interface of the KMS, which typically uses port 5696.

  5. Obtain the public client certificate issued to StorageGRID by the external KMS and the private key for the client certificate.

    The client certificate allows StorageGRID to authenticate itself to the KMS.