KEKs with Cloud VM Sets

A Key Encryption Key (KEK) provides an extra layer of security by encrypting the individual data encryption keys on the VMs associated with a Cloud VM Set. Both the KEK and the individual data encryption key must be available before the information on the VM can be accessed.

To protect the KEK, KeyControl requires that the KEK be stored in the hardware security module (HSM) associated with this KeyControl cluster. If the HSM is not available, then the VMs protected by the KEK cannot be accessed or rebooted. If you decide to associate a KEK with a Cloud VM Set, it is imperative that the HSM be available to KeyControl at all times.

The KEK also provides a way to control the accessibility of all the associated VMs with a single command. If the KEK expires or is revoked, then all associated VMs become inaccessible at the next heartbeat regardless of the state of their individual data encryption keys.

As the KEK expiration date nears, KeyControl issues an alert notifying the Domain Admins associated with the Cloud VM Set that the KEK is about to expire. When the expiration date is reached, the KEK state changes from ACTIVE to EXPIRED_PENDING. What happens at that point depends on the Key Expiration Action defined for the KEK. For more information, see Changing the Key Encryption Key Properties.

For information on configuring an HSM, see Hardware Security Modules with KeyControl.

Considerations