Deploying the First KeyControl Vault Node

In order to deploy the first KeyControl Vault node on AWS, you need to launch an Entrust KeyControl for AWS instance in a new or existing VPC. After you have configured the first KeyControl Vault node, you can add other KeyControl Vault nodes to your KeyControl Vault cluster as desired.

Note: The following procedure is based on the 2019 AWS Console interface. If your version of the AWS Console is different from what is described below, please see your AWS documentation.

  1. Open a web browser and navigate to the Amazon Web Services login page for your company. The default login page is https://aws.amazon.com/.
  2. Log in to the AWS Management Console with your AWS user name and password.
  3. In the top menu bar just after your login name, verify that the deployment region is correct. If you need to change it, click the current region and select the new region from the drop-down list.

  4. If you have an existing VPC that you want to use for the KeyControl Vault node, proceed to the next step. Otherwise, create a new VPC.

  5. In the top menu bar, select Services > Compute > EC2.
  6. Click the blue Launch Instance button.
  7. In the Step 1: Choose an Amazon Machine Image (AMI) page, click AWS Marketplace in the left-hand pane.
  8. Search the Marketplace for "Entrust" and select one of the following:

    • Entrust DataControl for AWS BYOL (Bring Your Own License). With this option, you can try DataControl for a limited time, but then you must supply license information from Entrust. We recommend that you select this option, as Entrust can tailor the license to meet your needs.
    • Entrust DataControl for AWS 5VM. With this option, AWS provides a licensed copy of DataControl for an hourly or yearly fee.
  9. Review the details of the version you selected and click Continue.
  10. In the Step 2: Choose an Instance Type page, select an instance type. For optimal performance, we recommend that you select a general purpose or compute optimized instance type with SSD instance storage, such as m3.large or c3.large. The KeyControl Vault system resource recommendations are:

    Resource   Standard Installation   Large Installation
    CPUs       2                       4
    RAM        8 GB                    16 GB
    Disk       60 GB                   140 GB

    Entrust recommends that you select a large installation if your system meets one or more of the following criteria:

    • More than four nodes in the KeyControl Vault cluster.
    • More than 500 virtual machine heartbeats OR more than 10,000 KMIP keys across all tenants together.
    • More than 100,000 secrets stored.
  11. After you have selected the type, click Next: Configure Instance Details.
  12. On the Step 3: Configure Instance Details page, set the following options:

    • Number of Instances — Specify the number of instances you want to launch in this field. All instances will run in the same region using the same VPC and instance settings.

      Tip: You can use this option to create a multi-node KeyControl Vault cluster on this VPC without needing to launch additional instances, but you can also add additional KeyControl Vault nodes to the cluster at any time after the initial node has been configured.

    • Network — Select the VPC you want to use for the KeyControl Vault node.
    • Set all other options on this page according to your corporate standards.
  13. When you are done, click Next: Add Storage.
  14. On the Step 4: Add Storage page, set the following options:

    • Volume Size — Set the size of the disk based on your configuration requirements. The default setting of 60 GB should work for most KeyControl Vault installations.
    • Volume Type — For optimal performance, we recommend setting the volume type to one of the SSD options instead of the default Magnetic volume.
    • Delete on Termination — If you select this option and the instance is deleted, all keys stored on this KeyControl Vault node will be deleted as well. In a single node configuration, this means that encrypted data cannot be decrypted, as the keys will be lost. If you want to use this option, make sure all data is decrypted before the instance is deleted.
  15. When you are done, click Next: Add Tags.
  16. On the Step 5: Add Tags page, click Add Tag and enter a Name tag for the instance:

    • Key — Enter "Name".
    • Value — Enter the name for this KeyControl Vault node.

    Add any other tags as desired.

  17. When you are done, click Next: Configure Security Group.
  18. In the Step 6: Configure Security Group page, do the following:

    1. Make sure that the Assign a security group field is set to Create a new security group.

      Note: You can use an existing security group as long as all of the required ports are open in that security group.

    2. Optionally enter a custom security group name and description in the Security group name and Description fields.
    3. For each of the required entries in the security group, set the Source IP addresses or security groups that can communicate with KeyControl Vault through the associated ports. We strongly recommend that you do not use the default 0.0.0.0/0 notation, which indicates that the ports are open to the world.

    KeyControl Vault requires the following ports:

    Type               Protocol   Port Range   Source
    SSH (22)           TCP        22           IP address list or another security group
    HTTPS (443)        TCP        443          IP address list or another security group
    Custom TCP Rule    TCP        5432         IP address list or another security group
    Custom TCP Rule    TCP        8443         IP address list or another security group
    Custom UDP Rule    UDP        123          IP address list or another security group

    For details about specifying the source IP addresses or security groups, see your AWS documentation.

  19. When you are done, click Review and Launch.
  20. In the Step 7: Review Instance Launch page, verify your selections and click Launch.
  21. At the prompt, either select an existing key pair or select Create a new key pair, specify a key pair name, and download the new private key file for the new key pair.
  22. When you are done, click Launch Instances. AWS displays a confirmation page stating that your instance is being launched and displays the instance ID. Make a note of the ID, as it will be your initial KeyControl Vault password.

  23. To verify the status of the instance, select Services > EC2 > Instances and locate the new instance in the table.

    Tip: If you requested multiple instances on the Step 3: Configure Instance Details page, you will see multiple KeyControl Vault instances with the same name listed in the table. We recommend that you give each instance a unique name at this point so that you can tell them apart as you configure them. To do so, mouse over an instance name and click the pencil icon when it appears.
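As an added example that is not part of the Entrust documentation, the following Python script audits a security group's inbound rules (in the JSON shape returned by `aws ec2 describe-security-groups`) against the port table in step 18: it flags required ports that are missing, rules that admit ports KeyControl Vault does not need, and any source of 0.0.0.0/0 or ::/0. The group IDs and CIDRs in the embedded sample are constructed for illustration.

```python
import json

# Required inbound ports from the table in step 18, as (protocol, port).
REQUIRED = {("tcp", 22), ("tcp", 443), ("tcp", 5432), ("tcp", 8443), ("udp", 123)}
WORLD = {"0.0.0.0/0", "::/0"}  # "open to the world" sources the procedure warns against


def audit_security_group(sg):
    """Return sorted findings for one SecurityGroup dict (describe-security-groups shape)."""
    findings, seen = [], set()
    for perm in sg.get("IpPermissions", []):
        proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        if proto == "-1" or lo is None or lo < 0:  # "all traffic" or ICMP-style rules
            findings.append(f"rule for protocol {proto} is broader than any required port")
            continue
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
        ports = {(proto, p) for p in range(lo, hi + 1)}
        seen |= ports
        extra = ports - REQUIRED  # the rule lets in ports KeyControl does not need
        if extra:
            findings.append(f"{proto}/{lo}-{hi} allows {len(extra)} port(s) KeyControl does not need")
        for src in sources:
            if src in WORLD:
                findings.append(f"{proto}/{lo}-{hi} open to the world ({src})")
    for proto, port in sorted(REQUIRED - seen):
        findings.append(f"required {proto}/{port} not allowed")
    return sorted(findings)


# Constructed sample (not real output): SSH is open to the world, 8443 is missing,
# 5432 is limited to a peer security group, and NTP is limited to one subnet.
SAMPLE_SG = json.loads("""{
 "GroupId": "sg-0example", "GroupName": "keycontrol-vault",
 "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
   "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
  {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
   "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0peer"}]},
  {"IpProtocol": "udp", "FromPort": 123, "ToPort": 123,
   "IpRanges": [{"CidrIp": "10.20.1.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}
 ]}""")

if __name__ == "__main__":
    for finding in audit_security_group(SAMPLE_SG):
        print(finding)
```

To audit a live group, feed it the `SecurityGroups[0]` element of the describe-security-groups output instead of the sample.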

What to Do Next

Associate an Elastic IP address with the instance as described in Associating an Elastic IP Address with the KeyControl Vault Instance. An Elastic IP address is required for every KeyControl Vault instance so that you can configure and maintain the KeyControl Vault instance using a static IPv4 address.

If you created multiple instances, you need to assign a different Elastic IP to each copy of the instance.