Entrust KeyControl

At the heart of every DataControl deployment is an active-active cluster of KeyControl nodes that manage encryption keys for virtual Linux and Windows machines.

Arch KeyControl

KeyControl features include:

  • An active-active cluster for high availability. Any changes made to any KeyControl node in the cluster are automatically reflected on all nodes in the cluster.
  • Clustered object store protecting keys, policies and configuration data. All objects are encrypted and ultimately wrapped with an Admin Key.

    The Admin Key uses a software-based "n of m" backup. This prevents KeyControl backups from being stolen and installed on new hardware.

  • Nodes can join or leave the cluster without affecting KeyControl's ability to deliver encryption keys.
  • A KeyControl cluster moves into degraded mode (read only) on network disconnect or failure. While in degraded mode, any KeyControl node can still serve requests for existing keys and policies from VMs where the Policy Agent is installed. However, new encryption keys cannot be created.
  • Each Policy Agent communicates with any KeyControl node, switching between them if they detect a non-responsive KeyControl node.
  • Support for admin authentication via local accounts with strict password controls or via accounts stored in RADIUS or LDAP (including Microsoft AD).
  • Support for Alerts in environments with and without email access.
  • Full-featured command line utilities (hicli and hcl).
  • A rich RESTful API.