Managing KeyControl Appliances

Introduction

HyTrust KeyControl is delivered in three different formats. Click on the link to refer to the installation instructions that are specific for the media type you are using.

  • OVF - to install KeyControl in VMware vSphere environments.
  • ISO - to install KeyControl as a virtual machine (any hypervisor) or on physical hardware.
  • AMI - to install KeyControl on Amazon Web Services.

The DataControl agent software for Windows and Linux can be downloaded from any available KeyControl cluster node.

The first step is to install an initial KeyControl appliance. Once an appliance is installed and set up, most administrative tasks are performed using the webGUI.

The steps needed for installation are shown below.

  • Install the first KeyControl node.
  • Log in to the webGUI, accept the EULA, and add user accounts.
  • Install new KeyControl nodes to the cluster and add DataControl agents.

NOTE - A 30-day license key is shipped with the product and will be activated when you install and configure the first KeyControl node. This allows you to protect up to 5 virtual machines and use all product features. Please see the section on License Management for further details.

System requirements

HyTrust KeyControl is based on the FreeBSD operating system and runs on the hardware listed in the FreeBSD hardware notes:

http://www.freebsd.org/releases/9.2R/hardware.html

The most popular method is to install a KeyControl appliance as a virtual machine and have the hypervisor manage the storage directly. This has the advantage of utilizing your underlying storage subsystems without change. For example, you can just give each KeyControl appliance one disk and have redundant storage underneath the hypervisor.

Installation of HyTrust KeyControl requires the following minimum configuration:

  • Intel / AMD 64-bit x86_64 CPU.
  • 1 GB RAM.
  • 1 G-bit Ethernet card.
  • Two disks for a mirrored system install (min 8 GB per disk). You can install on one disk (for testing purposes), but we recommend two disks for high availability. The exception is when you install KeyControl as a virtual machine and already have redundant storage on the datastore where the KeyControl will reside. Please note that although the KeyControl cluster does not consume a lot of disk space, you still need additional disk space to cover system dumps. We recommend a minimum of 4x the amount of RAM for system dump usage. The same is true when installing a DataControl agent.

The recommended configuration is:

  • Intel / AMD chipset with AES-NI support.
  • SSD drives for cache / performance on DataControl agents.
  • 2 GB RAM for KeyControl servers and 8 GB RAM for DataControl agents; additional storage / RAM depending on the number of virtual machines.
  • Virtualized DataControl Virtual Storage appliance (VMware ESX / ESXi) for Fibre Channel, iSCSI or NFS storage.
  • Multi-port Ethernet card(s) or 10 Gig-E for higher aggregate bandwidth.
  • Each KeyControl server holds keys, policies and other configuration information. The space consumed is minimal and all modern disk drives should be more than adequate to store millions of keys.

The DataControl agent on Linux and Windows servers has very basic requirements:

  • Windows 2008 Server (64-bit), Windows 7 64-bit, or Windows 2012 Server
  • Most versions of Linux (64-bit)

For details on DataControl requirements please refer to the VM Encryption chapter.

KeyControl ports that need to be open

Please note that KeyControl nodes communicate amongst themselves over ports 443, 2525 and 2526. If you have a firewall between one or more KeyControl nodes in your cluster, you need to make sure that these ports are open.

Having the KeyControl cluster behind a firewall

When the KeyControl cluster runs in your data center / private cloud, VMs in the public cloud that run the DataControl agent must still be able to reach each KeyControl node. Consider the following figure:

[Figure: VM Firewall]

There are two KeyControl nodes in the cluster, with IP addresses 10.238.32.90 and 10.238.32.91. The VM communicates with them through port 443 (HTTPS). There are multiple ways to achieve this communication, but the simplest is to map a port in your firewall to each KeyControl node in the cluster and use the firewall IP address / port number when registering the VMs.

You can also consider having a load balancer behind the firewall that exports a single IP address to the firewall (and therefore the VMs) and your KeyControl nodes.
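Both requirements above (cluster nodes reaching each other on 443, 2525 and 2526, and public-cloud VMs reaching each node, or the firewall port mapped to it, on 443) can be verified from any host with the following Python check. It is an added example, not HyTrust code; the localhost self-check and the node addresses it mentions are constructed.

```python
import socket
import threading

# Ports that KeyControl nodes use to talk to each other (from the text above).
CLUSTER_PORTS = (443, 2525, 2526)

def port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def cluster_firewall_report(nodes, ports=CLUSTER_PORTS):
    """Probe every node on every port from this host; returns {node: {port: reachable}}."""
    return {node: {p: port_open(node, p) for p in ports} for node in nodes}

def blocked(report):
    """(node, port) pairs that are unreachable and therefore need a firewall rule."""
    return [(n, p) for n, ports in report.items() for p, ok in ports.items() if not ok]

def _local_listener():
    """Constructed stand-in for a node: a throwaway TCP listener on 127.0.0.1."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    threading.Thread(target=srv.accept, daemon=True).start()
    return srv, srv.getsockname()[1]

def demo():
    """Self-check against localhost: one listening port, one port nobody listens on."""
    srv, open_port = _local_listener()
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # bound then released, so a connect to it is refused
    report = cluster_firewall_report(["127.0.0.1"], ports=(open_port, closed_port))
    srv.close()
    return report["127.0.0.1"][open_port], report["127.0.0.1"][closed_port]

if __name__ == "__main__":
    print("self-check (open, closed):", demo())
```

Run `cluster_firewall_report(["10.238.32.90", "10.238.32.91"])` from each KeyControl node for the inter-node ports, and from a cloud VM with `ports=(443,)` against the firewall IP / mapped port it was registered with.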

Using the system console menus

Regardless of the media used for installation, you will need to use the system console menus. These are text-based and involve use of the cursor keys, the <tab> key and the <enter / return> key.

  • For selection menus, use <up / down> arrows to highlight your choice, <enter / return> to make a selection.
  • For confirmation, if you are presented a <yes>, <no> or <cancel> choice, press <tab> to change the choice, <enter / return> to make the selection.
