Creating a CloudKey

Before you can create a CloudKey, you must have created a Key Set; see Creating a Key Set. For information specific to each type of CloudKey, see one of the following:

  1. Log into the KeyControl Vault for Cloud Keys webGUI using an account with Cloud Admin privileges.

  2. In the top menu bar, click CloudKeys.
  3. Click the CloudKeys tab and select the Key Set and the location where the key will be created.

    • For AWS, select the Key Set and Region.

    • For Azure, select the Key Set and Type.

    • For GCP, select the Key Set and Key Ring.

    Note: If you do not finish the selections on the CloudKeys page, you will need to add them on the Details tab of the Create CloudKey dialog box.

  4. Select Actions > Create CloudKey.
  5. On the Details tab of the Create CloudKey dialog box, enter the following:

    • Region, Type, or Key Ring: If you did not finish the Key Set selections on the CloudKeys page, complete them here. Which of these fields appears depends on the type of CloudKey you are creating (Region for AWS, Type for Azure, Key Ring for GCP).

    • Name: Enter the name for the CloudKey.

    • Description: Enter an optional description for the CloudKey.

    • Key Management (GCP only): Choose one of the following:

      • Customer Managed Key—A standard customer managed encryption key.

      • External Key Manager (EKM)—The key material remains in this KeyControl.

  6. Click Continue.
  7. For AWS and GCP only: On the Purpose tab, complete the following.

    For AWS:

    • Purpose: This can be one of the following:

      • Symmetric Encrypt and decrypt

      • Generate and verify MAC

      • Asymmetric Encrypt and decrypt

      • Asymmetric Sign and verify

    • Algorithm: Choose the algorithm that matches the purpose you selected.

    Note: AWS supports symmetric and asymmetric keys.

    For GCP:

    • Connection Type: Choose one of the following:

      • External via VPC—Reach your external key manager via a Virtual Private Cloud (VPC) network.

      • External via Internet—Reach your external key manager via the internet.

    • Purpose: This can be one of the following:

      • Symmetric encrypt/decrypt

      • Asymmetric Sign

    • Algorithm: Choose the algorithm that matches your purpose. For more information, see .
  8. Click Continue.
  9. For AWS and Azure only: On the Access tab, enter the following:

    For AWS:

    • Administrators: Choose the users who have administrative rights to the CloudKey.

    • Users: Choose the users who can use the CloudKey for encryption or decryption.

    For Azure:

    • Hardware Protected: Select whether or not to create a hardware-protected key in Azure (Premium vaults only).

      Note: This field is only visible for CloudKeys of type Key Vault and TDE Keys.

    • Cipher: Select the RSA or EC key that you want to use.

    • Permitted operations (Key Vault only): Check the checkboxes for the allowed key operations.

    • Azure Accounts (DKE Keys only): Select Allow all or Specific tenants.

  10. On the Schedule tab, determine the rotation schedule for the CloudKey. This can be one of the following: 

    • Inherit from Key Set—The CloudKey will use the default schedule from the Key Set. If the Key Set schedule changes after the CloudKey is created, the CloudKey schedule will not be updated.
    • Never—The CloudKey will never be rotated.
    • Once a year—The CloudKey will be rotated once a year.
    • Every 6 months—The CloudKey will be rotated once every 6 months.
    • Every 30 days—The CloudKey will be rotated once every 30 days.
    • Other—The CloudKey will be rotated at the interval you select.
  11. For Azure, select the Activation Date for the CloudKey.

  12. Choose when the CloudKey should expire. This can be Never, or you can choose a specific date.

  13. If you selected an expiration date, choose the Expire Action to define what happens to the CloudKey when it expires. This can be one of the following:

    • Disable—The key will remain in the cloud, but is disabled and cannot be used by any applications.

    • Delete—The key is disabled in the cloud and cannot be used by any applications. You can set the date when the key is permanently deleted.

    • Delete from Cloud—Removes the key material from the KMS, and applications can no longer use this key from the cloud. However, KeyControl retains a copy of the key which can be uploaded back to the cloud.

    Note: When the CloudKey expires, the selected Expire Action is performed on the key. KeyControl handles both the expiry date and the Expire Action; the expiry date is not set in the cloud service provider.

  14. Click Apply.
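Steps 10 through 13 determine when KeyControl rotates and expires the CloudKey. The following added example (not KeyControl code) models those settings in Python to show two points worth verifying when reviewing a key policy: that Inherit from Key Set is a snapshot taken at creation, and that no rotation is planned on or after the expiry date, when KeyControl applies the Expire Action instead. It assumes the yearly and 6-month options are calendar-based while the 30-day and Other options are fixed day counts; the CloudKeyPolicy class and its field names are the example's own.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

INHERIT = "Inherit from Key Set"  # Schedule tab option that snapshots the Key Set default

@dataclass
class CloudKeyPolicy:
    created: date                     # date the CloudKey is created in KeyControl
    schedule: str                     # option chosen on the Schedule tab
    key_set_schedule: str             # the Key Set's default schedule at creation time
    other_days: Optional[int] = None  # interval in days when schedule is "Other"
    expires: Optional[date] = None    # None models the "Never" expiry choice

    def effective_schedule(self) -> str:
        # Resolved once at creation; later Key Set schedule changes do not propagate.
        return self.key_set_schedule if self.schedule == INHERIT else self.schedule

def nth_rotation(start: date, schedule: str, other_days: Optional[int], n: int) -> date:
    """n-th rotation (n >= 1) after start. Assumed semantics: yearly and 6-month
    options are calendar-based, 30-day and Other are fixed day counts. Deriving each
    date from start avoids month-end drift (Aug 31 + 6 months = Feb 28, + 12 = Aug 31)."""
    if schedule == "Every 30 days":
        return start + timedelta(days=30 * n)
    if schedule == "Other":
        if not other_days or other_days <= 0:
            raise ValueError("'Other' requires a positive interval in days")
        return start + timedelta(days=other_days * n)
    months = {"Once a year": 12, "Every 6 months": 6}.get(schedule)
    if months is None:
        raise ValueError(f"unknown rotation schedule {schedule!r}")
    years, month_index = divmod(start.month - 1 + months * n, 12)
    year, month = start.year + years, month_index + 1
    day = min(start.day, calendar.monthrange(year, month)[1])  # clamp to month end
    return date(year, month, day)

def rotation_dates(policy: CloudKeyPolicy, horizon: date) -> List[date]:
    """Planned rotations after creation, up to the horizon and strictly before the
    expiry date, since KeyControl applies the Expire Action at expiry instead."""
    schedule = policy.effective_schedule()
    if schedule == "Never":
        return []
    dates, n = [], 1
    while True:
        d = nth_rotation(policy.created, schedule, policy.other_days, n)
        if d > horizon or (policy.expires is not None and d >= policy.expires):
            return dates
        dates.append(d)
        n += 1
```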