Creating a CloudKey

  1. Log into the KeyControl webGUI using an account with Cloud Admin privileges.

  2. In the top menu bar, click BYOK.
  3. Click the CloudKey tab and select Actions > Create CloudKey.
  4. Select in which cloud the key has to be created:
    • For AWS, select the Key Set and Region.
    • For Azure, select the Key Set and Key Vault.
  5. On the Details tab of the Create CloudKey dialog box, enter the following:

    • Name: Enter the name for the CloudKey.
    • Description: Enter an optional description for the CloudKey.
    • Key Set: Choose an existing Key Set or add a new one. All CloudKeys must be associated with a Key Set. If you need to create a new Key Set, see Creating a Key Set.

  6. Click Continue.
  7. On the Access tab, enter the following:

    For AWS:

    • Region: Enter the region where the CloudKey will be created.
    • Administrators: Choose the users who have administrative rights to the CloudKey.
    • Users: Choose the users who can use the CloudKey for encryption or decryption.

    For Azure:

    • Hardware Protected: On a Premium Key Vault, you have the option of creating a hardware-protected key in Azure.
    • Cipher: Choose an RSA or EC key; key size and EC curve options vary with the cipher.
    • Permitted operations: The key operations the CloudKey is allowed to perform.

  8. Click Continue.
  9. On the Schedule tab, determine the rotation schedule for the CloudKey. This can be one of the following: 

    • Inherit from Key Set—The CloudKey will use the default schedule from the Key Set. If the Key Set schedule changes after the CloudKey is created, the CloudKey schedule will not be updated.
    • Never—The CloudKey will never be rotated.
    • Once a year—The CloudKey will be rotated once a year.
    • Every 6 months—The CloudKey will be rotated once every 6 months.
    • Every 30 days—The CloudKey will be rotated once every 30 days.
    • Other—The CloudKey will be rotated at the interval you select.
  10. Activation date for the key (Azure only). Choose when the CloudKey should expire: Never, or a specific date you select.

  11. Choose the Expire Action to define what happens to the CloudKey when it expires. This can be one of the following:

    • Disable—The key will remain in the cloud, but it is disabled and cannot be used by any applications.

    • Delete—The key is disabled in the cloud and cannot be used by any applications. You can set the date when the key is permanently deleted.

    • Delete from Cloud—Removes the key material from the KMS, and applications can no longer use this key from the cloud. However, KeyControl retains a copy of the key which can be uploaded back to the cloud.

  12. Click Create.
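The following is an added example, not part of this documentation and not KeyControl's own code. It models the settings gathered on the Details, Access and Schedule tabs above and checks them the way a reviewer would before clicking Create: the Key Set requirement, the Region and Key Vault requirements, the Premium-vault requirement for hardware-protected Azure keys, and the rotation schedule. It also shows the point made in step 9: "Inherit from Key Set" is resolved once, at creation time, so a later change to the Key Set's schedule does not reach an existing CloudKey. All class and function names (KeySet, CloudKeySpec, validate, create_cloud_key) are assumptions, as is the 182-day interval used for "Every 6 months".

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Rotation choices as the Schedule tab lists them, in days (None = never).
# 182 days for "Every 6 months" is an assumption of this example.
ROTATION_DAYS = {
    "Never": None,
    "Once a year": 365,
    "Every 6 months": 182,
    "Every 30 days": 30,
}
EXPIRE_ACTIONS = ("Disable", "Delete", "Delete from Cloud")


@dataclass
class KeySet:
    name: str
    rotation: str = "Never"          # default schedule a CloudKey may inherit


@dataclass
class CloudKeySpec:
    """Hypothetical record of what the Create CloudKey dialog collects."""
    name: str
    cloud: str                                   # "AWS" or "Azure"
    key_set: Optional[KeySet]
    rotation: str = "Inherit from Key Set"
    other_interval_days: Optional[int] = None    # only meaningful for "Other"
    region: Optional[str] = None                 # AWS
    administrators: Tuple[str, ...] = ()         # AWS: users with admin rights
    users: Tuple[str, ...] = ()                  # AWS: users allowed to encrypt/decrypt
    key_vault: Optional[str] = None              # Azure
    vault_sku: str = "Standard"                  # Azure: "Standard" or "Premium"
    hardware_protected: bool = False             # Azure: Premium vaults only
    expire_action: str = "Disable"


def validate(spec: CloudKeySpec) -> list:
    """Return the problems that would stop this CloudKey from being created."""
    problems = []
    if spec.key_set is None:
        problems.append("All CloudKeys must be associated with a Key Set.")
    if spec.cloud == "AWS":
        if not spec.region:
            problems.append("AWS CloudKeys need a Region.")
    elif spec.cloud == "Azure":
        if not spec.key_vault:
            problems.append("Azure CloudKeys need a Key Vault.")
        if spec.hardware_protected and spec.vault_sku != "Premium":
            problems.append("Hardware-protected keys require a Premium Key Vault.")
    else:
        problems.append(f"Unknown cloud: {spec.cloud!r}")
    if spec.rotation == "Other":
        if not spec.other_interval_days or spec.other_interval_days <= 0:
            problems.append("'Other' rotation needs a positive interval in days.")
    elif spec.rotation != "Inherit from Key Set" and spec.rotation not in ROTATION_DAYS:
        problems.append(f"Unknown rotation schedule: {spec.rotation!r}")
    if spec.expire_action not in EXPIRE_ACTIONS:
        problems.append(f"Unknown expire action: {spec.expire_action!r}")
    return problems


def rotation_interval_days(spec: CloudKeySpec) -> Optional[int]:
    """Resolve the Schedule tab choice to an interval in days (requires a Key Set
    when inheriting; create_cloud_key validates that first)."""
    if spec.rotation == "Inherit from Key Set":
        return ROTATION_DAYS[spec.key_set.rotation]
    if spec.rotation == "Other":
        return spec.other_interval_days
    return ROTATION_DAYS[spec.rotation]


def create_cloud_key(spec: CloudKeySpec, created: date) -> dict:
    """Simulate Create: validate, then snapshot the rotation interval.
    The snapshot is what makes 'Inherit from Key Set' a one-time copy: later
    changes to the Key Set's schedule do not alter an existing CloudKey."""
    problems = validate(spec)
    if problems:
        raise ValueError("; ".join(problems))
    interval = rotation_interval_days(spec)
    return {
        "name": spec.name,
        "cloud": spec.cloud,
        "rotation_days": interval,
        "next_rotation": created + timedelta(days=interval) if interval else None,
        "expire_action": spec.expire_action,
    }


if __name__ == "__main__":
    # Constructed sample: an AWS CloudKey inheriting a 30-day schedule.
    ks = KeySet("prod-keys", rotation="Every 30 days")
    spec = CloudKeySpec("app-db", "AWS", ks, region="us-east-1",
                        administrators=("alice",), users=("app-role",))
    record = create_cloud_key(spec, date(2024, 1, 1))
    print(record)
    ks.rotation = "Never"           # Key Set changed after creation
    print("still rotates every", record["rotation_days"], "days")
```

Run the module directly to see the inherited 30-day schedule survive a later change to the Key Set; pass a spec with `hardware_protected=True` on a Standard vault, or with `key_set=None`, to `validate` to see the checks that correspond to the requirements stated in steps 5 and 7.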