Creating a Key Set

  1. Log into the KeyControl Vault for Cloud Keys webGUI using an account with Cloud Admin privileges.

  2. In the top menu bar, click CloudKeys.
  3. Click the Key Sets tab.

  4. Select the type of key to be contained in the Key Set. This can be one of the following: 

    • AWS Key

    • Azure Key

    • GCP Key

  5. On the Details tab of the Create Key Set dialog box, enter the following: 

    Field        Description
    Name         Enter the name for the Key Set.
    Description  Enter the optional description for the Key Set.
    Admin Group  Select the Admin Group.
  6. Click Continue.
  7. On the CSP Account tab, choose an existing CSP Account or add a new account to use with this Key Set.

    To create a new account, click Add CSP Account and enter the account details. For more information, see the appropriate topic: 

  8. Check the Yes, import all keys checkbox to import all pre-existing Customer Managed Keys (CMK) in the CSP Account.

    Important: If your imported keys are deleted in the CSP, they cannot be restored by KeyControl.

  9. Click Continue.

  10. On the HSM tab, check the Enable HSM checkbox if you plan to use an HSM to create CloudKeys that can be uploaded to the cloud.

    Note: Once the key material is in the KMS, the HSM is no longer required. However, if you remove the CloudKey from the cloud, you will need to use the HSM to upload the key again.

    For more information about using HSMs with BYOK, see AWS BYOK Process or Azure BYOK Process.

  11. If you selected Enable HSM, click Verify HSM connection to test the connectivity and suitability of the configured HSM. KeyControl checks if the HSM is accessible and if it supports the creation and export of relevant keys.

    Note: Some HSM servers with old firmware versions do not support key creation and wrapping. This is particularly true for keys required by Azure. If the connection test fails, check the firmware version of the HSM server. If it is old, update it to the latest version.

  12. Click Continue.

  13. On the Schedule tab, determine the default rotation schedule for the CloudKeys created in this Key Set. This can be one of the following: 

    • Never—The CloudKey will never be rotated.
    • Once a year—The CloudKey will be rotated once a year.
    • Every 6 months—The CloudKey will be rotated once every 6 months.
    • Every 30 days—The CloudKey will be rotated once every 30 days.
    • Other—The CloudKey will be rotated at the interval you select.

    Note: This rotation schedule is applied to all CloudKeys created in the Key Set, unless a different value is explicitly chosen. If there are existing CloudKeys in the Key Set, you can update the rotation schedule of the CloudKeys to align with your selected rotation schedule by checking Apply to all CloudKeys.

  14. Click Apply.