Creating a KMIP type keystore
If your remote key server is located in a server/cluster supporting the KMIP standard you can create a single type of keystore (KMIP). At this moment, the same keystore type can be used by both the Storage Space Encryption and Integrated Backup Encryption features.
For Integrated Backup Encryption, this type of keystore works similarly with Azure and AWS: We provide the Key name of a RMEK that is used to encrypt the Backup Encryption Keys.
For Storage Space Encryption, the Key Name provided is the IDS MEK.
When asked to create a KMIP type keystore the following information must be readily
available by the operator:
- KMIP Server, the IP address or hostname where the KMIP server is listening for request. If the port where the server listens is different from the default (5696), the port must be specified (ie “myserver.hcl.com:2356).
- KMIP Username, username to access the KMIP server. This is optional since in most cases, the access to the server is done by using SSL certificates.
- KMIP Password, password for the given username. This is also optional.
- KMIP Client Certificate File, a file containing the certificate for the client, The file must also contain the Private Key matching the certificate. The private key is expected to be a PKCS#8 key. The certificate is expected to have Authentication extensions.
- KMIP CA Certificate File, a file containing the root CA used to sign both the KMIP Client Certificate File and the KMIP Server Certificate File.
- KMIP Key Name, The name of the KMIP Key used as MEK by the Storage Spaces Encryuption feature or as RMEK by the Integrated backup Encryption Feature. It is optional. If not present, onkstore will generate a new key and report its Id to the operator.
To use a JSON file as input for onkstore, create a file with the following
structure:
{
"Credentials" :
{
"Type" : "..." ,
"KMIP Server" : "...",
"KMIP Username" : "...",
"KMIP Password" : "...",
"KMIP Client Certificate File" : "...",
"KMIP CA Certificate File" : "...",
"KMIP Key Name" : "..."
}
}
where the value for "Type" is "kmip".