KEK with a KMIP Vault

KMIP vaults can be configured with a Key Encryption Key (KEK) that provides an extra layer of security by encrypting individual KMIP objects. See KEKs with KMIP.

When KEK wrapping is enabled, the KMIP object data is protected not only by the KeyControl object store encryption but is also encrypted with a KEK stored in an HSM. KMIP vaults can use the system HSM configured on KeyControl to generate and store the KEK. See Hardware Security Modules with KeyControl for how to configure a system HSM on KeyControl.

The system HSM server configuration is shared by all KeyControl Vault for KMIP instances.

Procedure

  1. Log in to the KeyControl Vault for KMIP webGUI.
  2. Click the gear icon in the top right corner to open Settings.
  3. On the Settings page, click HSM.
  4. In the KMIP Key Wrapping window, specify the options you want to use:

    Server
        Select System HSM. This uses the HSM already configured to work with KeyControl, which can be a Luna SA HSM, Luna Cloud HSM, or nShield Connect HSM. The HSM must be configured before it appears here. For more information, see:

    HSM Root Key Label
        The label that identifies the root key on the HSM used to wrap and unwrap keys.

        If a root key with this label already exists on the HSM, it is used. If it does not exist, KeyControl creates a new one.

        The root key label must meet the following requirements:

        • At least 8 characters
        • No more than 31 characters
        • Can include uppercase letters, lowercase letters, numbers, and special characters
        • No space or tab characters

        Once enabled, all existing KMIP objects and all keys created by new Key creation requests are encrypted using this key.

    KEK Cache Timeout
        For KMIP key wrapping, this is the cache timeout for the KEK. Because connecting to the System HSM to fetch the KEK every time an object is encrypted can affect performance, you can choose how long the KEK is kept cached in KeyControl. When the timeout period ends, the KEK is deleted from the KeyControl cache. The default is 30 minutes. Set it to 0 to disable the KEK cache timeout.

  5. When you are finished, click Enable.
  6. KeyControl contacts the HSM to create the root key specified by the root key label (if it does not already exist) and uses it to derive a KEK. Each KMIP object is then encrypted with a unique key derived from the KEK. All existing KMIP objects are encrypted in the background and an audit log entry is generated.

  7. To disable KEK wrapping, set the status toggle to Disabled. All existing KMIP objects are decrypted in the background and an audit log entry is generated.
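The following is an added illustration, not KeyControl's own code, of the key hierarchy and cache behaviour described in steps 4 and 6: an HSM-resident root key, a KEK derived from it and cached for the configured timeout, and a unique per-object key derived from the KEK. The HKDF-style derivation, the reading of a timeout of 0 as "the cached KEK never expires", and the label check are assumptions made for the model.

```python
import hashlib
import hmac
from typing import Optional


def validate_root_key_label(label: str) -> bool:
    """HSM Root Key Label rules from the settings table:
    8 to 31 characters, any mix of letters/digits/specials, no space or tab."""
    return 8 <= len(label) <= 31 and " " not in label and "\t" not in label


def kdf(key: bytes, info: bytes) -> bytes:
    """One-block HKDF-Expand (RFC 5869) with SHA-256. This stands in for whatever
    derivation the HSM and KeyControl actually perform (assumption)."""
    return hmac.new(key, info + b"\x01", hashlib.sha256).digest()


class KekWrapper:
    """Models step 6: HSM root key -> KEK -> per-object key, with the KEK cached
    for `cache_timeout` seconds. A timeout of 0 is read here as 'never expires'
    (assumption about the page's 'disable KEK cache timeout')."""

    def __init__(self, hsm_root_key: bytes, cache_timeout: float = 30 * 60):
        self._hsm_root_key = hsm_root_key   # stays inside the (simulated) HSM
        self.cache_timeout = cache_timeout  # default mirrors the page: 30 minutes
        self.hsm_calls = 0                  # counts simulated round trips to the HSM
        self._kek: Optional[bytes] = None
        self._fetched_at = 0.0

    def _fetch_kek_from_hsm(self) -> bytes:
        # Each call represents the HSM round trip the cache is meant to avoid.
        self.hsm_calls += 1
        return kdf(self._hsm_root_key, b"KeyControl KMIP KEK")

    def kek(self, now: float) -> bytes:
        """Return the cached KEK, refetching it once the timeout has elapsed."""
        expired = self.cache_timeout > 0 and now - self._fetched_at >= self.cache_timeout
        if self._kek is None or expired:
            self._kek, self._fetched_at = self._fetch_kek_from_hsm(), now
        return self._kek

    def object_key(self, object_uid: str, now: float) -> bytes:
        """Unique per-object key: the same UID always yields the same key,
        different UIDs yield different keys, and the KEK itself never leaves here."""
        return kdf(self.kek(now), b"KMIP object " + object_uid.encode())
```

Passing `now` explicitly keeps the timeout logic testable without a real clock; in practice the caller would supply `time.monotonic()`.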