Creating a Key Set

  1. Log into the KeyControl webGUI using an account with Cloud Admin privileges.

  2. In the top menu bar, click BYOK.
  3. Click the Key Sets tab and select Actions > Create Key Set.
  4. On the Details tab of the Create Key Set dialog box, enter the following: 

    Name: Enter the name for the Key Set.

    Description: Enter the optional description for the Key Set.

    Admin Group: Select the Admin Group.

    HSM Enabled: Check the checkbox if you plan to use an HSM to create CloudKeys that can be uploaded to the cloud.

    Note: Once the key material is in the KMS, the HSM is no longer required. However, if you remove the CloudKey from the cloud, you will need to use the HSM to upload the key again.

    HSM BYOK partition: The default policy does not allow RSA key export on Luna HSMs. If there is no partition to start with, or the partition configured with KeyControl is empty, then the administrator can create a partition with an appropriate policy to allow key export. However, if the existing partition has keys, then the policies cannot be changed without losing the keys. In such a situation, the administrator can create another partition on the HSM with the correct policies and use it exclusively for BYOK support.

    If the administrator has created a separate partition for BYOK, other than the partition already registered with KeyControl in Settings > HSM Server Settings, then it should be specified here.

    Important: By default, SafeNet Luna PCIe HSMs store all keys in hardware and do not allow private key export. The partition needs to be set in Key export mode to be used as the BYOK partition. If the KeyControl system partition is already in Key export mode, then it can be used instead of creating a new partition. For information on partition mode configuration, see https://thalesdocs.com/gphsm/luna/7.4/docs/pci/Content/administration/CKE/cloning_key_export.htm. For SafeNet Luna CloudHSMs, the Key export service needs to be configured; see https://cpl.thalesgroup.com/encryption/data-protection-on-demand/services/hsm-on-demand-key-export.

    Partition password: The Crypto Officer's password for the BYOK partition.

    When you have finished, click Test Connection to test the connectivity and suitability of the configured HSM and, if one is specified, the BYOK partition. KeyControl checks whether the HSM is accessible and whether it supports the creation and export of the relevant keys.

    Some HSM servers with an old firmware version do not support key creation and wrapping. This is particularly true for the keys required by Azure BYOK. If the connection test fails, check the firmware version of the HSM server and, if it is old, update it to the latest version.

  5. Click Continue.
  6. On the CSP Account tab, choose an existing CSP Account or add a new account to use with this Key Set.

    To create a new account, click Add CSP Account and enter the account details. See Adding a CSP Account.

  7. Check the Yes, import all keys checkbox to import all pre-existing Customer Master Keys (CMK) that exist in the CSP Account.

    Important: If your imported keys are deleted in the CSP, they cannot be restored by KeyControl.

  8. On the Schedule tab, determine the rotation schedule for the CloudKeys created in this Key Set. This can be one of the following: 

    • Never—The CloudKey will never be rotated.
    • Once a year—The CloudKey will be rotated once a year.
    • Every 6 months—The CloudKey will be rotated once every 6 months.
    • Every 30 days—The CloudKey will be rotated once every 30 days.
    • Other—The CloudKey will be rotated at the interval you select.

    Note: The rotation schedule applies to all CloudKeys created in the Key Set. If you update the rotation schedule when there are already existing CloudKeys, the existing keys will not be affected unless you check the Apply to all CloudKeys checkbox.

  9. Click Create.