Deploying Additional KeyControl Vault Nodes

The following procedure describes how to deploy a KeyControl Vault node that you intend to add to an existing KeyControl Vault cluster. If you want to deploy a KeyControl Vault node that will become the first node in a new cluster, see Deploying the First KeyControl Vault Node.

Note: The following procedure is based on the 2019 AWS Console interface. If your version of the AWS Console is different from what is described below, please see your AWS documentation.

Before You Begin 

If you want to use an existing VPC for the new node that is different from the VPC used for the first KeyControl Vault node, make sure that you have set up VPC-to-VPC communication between the VPCs. This includes configuring a Peering Connection and setting the correct Routing Table information. For details, see your AWS documentation.

If you want to use the same VPC for the new node as you used for the first node, make sure you know the following information:

  • The region in which the first node is deployed.
  • The VPC assigned to the first node.
  • The Security Group assigned to the first node.

Tip: To find this information, select Instances from the EC2 Dashboard in the AWS Management Console, then select the first KeyControl Vault node in the table. In the Description tab, look at the VPC ID and Security groups fields.

Procedure 

  1. Open a web browser and navigate to the Amazon Web Services login page for your company. The default login page is https://aws.amazon.com/.
  2. Log in to the AWS Management Console with your AWS user name and password.
  3. In the top menu bar just after your login name, select the Region into which you want to deploy the KeyControl Vault node. If you want to use the same VPC as the first KeyControl Vault node, you must deploy the new node in the same region as the first node.

  4. If you intend to use the same VPC as you used for the first KeyControl Vault node, proceed to the next step. Otherwise, make sure that you have configured VPC-to-VPC communication between the two VPCs as per your AWS documentation.

  5. In the top menu bar, select Services > Compute > EC2.
  6. Click the blue Launch Instance button.
  7. In the Step 1: Choose an Amazon Machine Image (AMI) page, click AWS Marketplace in the left-hand pane.
  8. Search the Marketplace for "Entrust" and select one of the following:

    • Entrust DataControl for AWS BYOL (Bring Your Own License). With this option, you can try DataControl for a limited time, but then you must supply license information from Entrust. We recommend that you select this option, as Entrust can tailor the license to meet your needs.
    • Entrust DataControl for AWS 5VM. With this option, AWS provides a licensed copy of DataControl for an hourly or yearly fee.
  9. Review the details of the version you selected and click Continue.
  10. In the Step 2: Choose an Instance Type page, select an instance type. For optimal performance, we recommend that you select a general purpose or compute optimized instance type with SSD instance storage, such as m3.large or c3.large. The KeyControl Vault system resource recommendations are:

    Resource   Standard Installation   Large Installation
    CPUs       2                       4
    RAM        8 GB                    16 GB
    Disk       60 GB                   140 GB

    Entrust recommends that you select a large installation if your system meets one or more of the following criteria:

    • More than four nodes in the KeyControl Vault cluster.
    • More than 500 virtual machine heartbeats OR more than 10,000 KMIP keys across all tenants together.
    • More than 100,000 secrets stored.
  11. After you have selected the type, click Next: Configure Instance Details.
  12. On the Step 3: Configure Instance Details page, set the following options:

    • Number of Instances—Specify the number of instances you want to launch in this field. All instances will run in the same region using the same VPC and instance settings.

    • Network—Select the VPC you want to use for the KeyControl Vault node.
    • Set all other options on this page according to your corporate standards.
  13. When you are done, click Next: Add Storage.
  14. On the Step 4: Add Storage page, set the following options:

    • Volume Size—Set the disk size to match the installation size you chose in step 10: 60 GB for a standard installation or 140 GB for a large installation. The 20 GB default offered on this page is smaller than either recommendation.
    • Volume Type—For optimal performance, we recommend setting the volume type to one of the SSD options instead of the default Magnetic volume.
    • Delete on Termination—If you select this option, terminating the instance also deletes its volume, and with it every key stored on this KeyControl Vault node. In a single-node configuration this means that data encrypted with those keys can no longer be decrypted. If you want to use this option, make sure all data is decrypted before the instance is terminated.
  15. When you are done, click Next: Add Tags.
  16. On the Step 5: Add Tags page, click Add Tag and enter a Name tag for the instance:

    • Key—Enter "Name".
    • Value—Enter the name for this KeyControl Vault node.

    Add any other tags as desired.

  17. When you are done, click Next: Configure Security Group.
  18. On the Step 6: Configure Security Group page, in the Assign a security group field, do one of the following:

    • Select Select an existing security group and then select the security group you assigned to the first KeyControl Vault node.

      Note: You can use any existing security group as long as all of the required ports are open in that security group.

    • Select Create a new security group. For each of the required entries in the security group, set the Source to the IP address ranges or security groups that may reach KeyControl Vault on that port. We strongly recommend that you do not use the default 0.0.0.0/0 source, which opens the port to the entire Internet.

       KeyControl Vault requires the following ports:

      Type              Protocol   Port Range   Source
      SSH (22)          TCP        22           IP address list or another security group
      HTTPS (443)       TCP        443          IP address list or another security group
      Custom TCP Rule   TCP        5432         IP address list or another security group
      Custom TCP Rule   TCP        8443         IP address list or another security group
      Custom UDP Rule   UDP        123          IP address list or another security group

      For details about specifying the source IP addresses or security groups, see your AWS documentation.

  19. When you are done, click Review and Launch.
  20. In the Step 7: Review Instance Launch page, verify your selections and click Launch.
  21. At the prompt, either select an existing key pair or select Create a new key pair, specify a key pair name, and download the new private key file for the new key pair.
  22. When you are done, click Launch Instances. AWS displays a confirmation page stating that your instance is being launched and displays the instance ID. Make a note of the ID, as it will be your initial KeyControl Vault password.

  23. To verify the status of the instance, select Services > EC2 > Instances and locate the new instance in the table.

    Tip: If you requested multiple instances on the Step 3: Configure Instance Details page, you will see multiple KeyControl Vault instances with the same name listed in the table. We recommend that you give each instance a unique name at this point so that you can tell them apart as you configure them. To do so, mouse over an instance name and click the pencil icon when it appears.
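The lookup described in the Before You Begin tip and the security group rules in step 18 can be prepared from the command line instead of clicked through in the console. The Python below is an added example and is not Entrust's or AWS's own code: it reads the JSON that `aws ec2 describe-instances` prints (a constructed sample record is embedded so it runs offline), pulls the first node's region, VPC ID and security group IDs, builds the `--ip-permissions` document that `aws ec2 authorize-security-group-ingress` accepts for the five required ports, and checks a rule set for world-open sources, unexpected port ranges and missing ports. The instance IDs, tag name and admin CIDR are assumptions chosen for the example, and the region is derived from the availability zone name by dropping its trailing letter, which holds for standard zone names such as us-east-1a.

```python
"""Prepare the security group for an additional KeyControl Vault node.

Added example, not Entrust's or AWS's code. Nothing here calls AWS: the
functions work on the JSON shapes the aws CLI reads and writes, and the
instance record below is constructed sample data.
"""
import ipaddress
import json
import shlex

# The five entries the page lists as required for KeyControl Vault.
REQUIRED_PORTS = (
    ("tcp", 22),    # SSH
    ("tcp", 443),   # HTTPS
    ("tcp", 5432),  # Custom TCP rule
    ("tcp", 8443),  # Custom TCP rule
    ("udp", 123),   # Custom UDP rule
)

# Constructed sample of `aws ec2 describe-instances` output (IDs are made up).
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [{
        "Instances": [{
            "InstanceId": "i-0123456789abcdef0",
            "VpcId": "vpc-0a1b2c3d",
            "SubnetId": "subnet-0a1b2c3d",
            "Placement": {"AvailabilityZone": "us-east-1a"},
            "SecurityGroups": [{"GroupId": "sg-0fedcba9", "GroupName": "keycontrol-cluster"}],
            "Tags": [{"Key": "Name", "Value": "kc-node-1"}],
        }]
    }]
}


def find_first_node(describe_output, name_tag):
    """Return (region, vpc_id, [security group ids]) of the instance whose Name tag matches."""
    for reservation in describe_output["Reservations"]:
        for inst in reservation["Instances"]:
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            if tags.get("Name") != name_tag:
                continue
            az = inst["Placement"]["AvailabilityZone"]
            region = az[:-1]  # assumption: standard AZ name, e.g. us-east-1a -> us-east-1
            return region, inst["VpcId"], [g["GroupId"] for g in inst["SecurityGroups"]]
    raise LookupError(f"no instance tagged Name={name_tag}")


def build_ingress_rules(admin_cidrs, cluster_sg_id):
    """Build the --ip-permissions list: every required port is reachable only from
    the admin CIDRs and from members of the cluster's own security group."""
    rules = []
    for proto, port in REQUIRED_PORTS:
        rules.append({
            "IpProtocol": proto,
            "FromPort": port,
            "ToPort": port,
            "IpRanges": [{"CidrIp": c, "Description": "KeyControl admin network"} for c in admin_cidrs],
            "UserIdGroupPairs": [{"GroupId": cluster_sg_id, "Description": "KeyControl cluster nodes"}],
        })
    return rules


def check_ingress_rules(rules):
    """Return findings for a rule set: world-open sources (prefix length 0),
    port ranges outside the required list, and required ports with no rule."""
    findings = []
    covered = set()
    for r in rules:
        proto, lo, hi = r["IpProtocol"], r["FromPort"], r["ToPort"]
        if lo == hi and (proto, lo) in REQUIRED_PORTS:
            covered.add((proto, lo))
        else:
            findings.append(f"unexpected port range {proto}/{lo}-{hi}")
        for rng in r.get("IpRanges", []) + r.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(f"{proto}/{lo}-{hi} open to the world via {cidr}")
    for proto, port in REQUIRED_PORTS:
        if (proto, port) not in covered:
            findings.append(f"missing required rule {proto}/{port}")
    return findings


def cli_command(sg_id, rules):
    """The aws CLI invocation that would apply the rules (returned, not executed)."""
    return ["aws", "ec2", "authorize-security-group-ingress",
            "--group-id", sg_id, "--ip-permissions", json.dumps(rules)]


if __name__ == "__main__":
    region, vpc_id, sg_ids = find_first_node(SAMPLE_DESCRIBE_INSTANCES, "kc-node-1")
    print(f"first node: region={region} vpc={vpc_id} security groups={sg_ids}")
    good = build_ingress_rules(["10.20.0.0/24"], sg_ids[0])   # assumed admin network
    print("findings, restricted sources:", check_ingress_rules(good))
    bad = build_ingress_rules(["0.0.0.0/0"], sg_ids[0])
    print("findings, world-open sources:", check_ingress_rules(bad))
    print(shlex.join(cli_command(sg_ids[0], good)))
```

Referencing the cluster's own security group as a source (the `UserIdGroupPairs` entry) lets the nodes reach each other on the required ports without listing their addresses, which is also why reusing the first node's security group in step 18 is the simpler choice; the checker is meant to be run over the rules of any existing group you consider reusing, per the note that such a group is acceptable only if all required ports are open in it.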

What to Do Next 

Associate an Elastic IP address with the instance as described in Associating an Elastic IP Address with the KeyControl Vault Instance. An Elastic IP address is required for every KeyControl Vault instance so that you can configure and maintain the instance using a static IPv4 address.

If you created multiple instances, you need to assign a different Elastic IP to each copy of the instance.