Key Management Interoperability Protocol (KMIP) Usage

About the Key Management Interoperability Protocol (KMIP)

KMIP is a communication protocol that enables the secure storage of keys on a key management server. HyTrust KeyControl leverages KMIP for the storage of Admin Keys, rather than distributing them in key parts. You will need to be strategic in your approach to key management, protecting the KMIP server login just as you would any other highly sensitive login.

KMIP Concepts

The following KMIP concepts are part of HyTrust's implementation of KMIP.

External Key Server

HyTrust KeyControl (HTKC) has the ability to interact with External Key Servers (EKS). Currently this is limited to servers that support Key Management Interoperability Protocol (KMIP). Once access is configured, a KMIP server can provide the following features to your HTKC:

Entropy

HTKC will contact the EKS server at each reboot to obtain a seed value for its Random Number Generator (RNG). This provides another source of entropy to help randomize values used in things like key generation. This seed will be gathered at each reboot unless the option “Disable Entropy Seed” is set (see below).

MasterKey Protection

HTKC has an encrypted object store that protects keys and other sensitive information. The encryption key itself is protected by a MasterKey (for details, see Admin Key Parts). If the HTKC needs to be recovered or restored, it is necessary to reconstruct this MasterKey to unlock the encryption key. With EKS, the MasterKey is protected and can be recovered if and only if the HTKC can contact the EKS with appropriate credentials. See below for actual recovery instructions.

Configuring a KMIP Server Connection

To set the parameters for the Key Management Interoperability Protocol, click the Settings Icon and then click KMIP. Fill in the fields in the dialog boxes that follow. Whenever you finish a field, click Save and move to the next field. You must do this for all three tabs: the Basic tab, the Advanced tab, and the Configuration tab. All three tabs are described in the material that follows.

When you complete all three dialog tabs of information, click Apply to save your parameter entries.

You can also click Test to test your entries, Revert to go back to your previously saved settings, or Reset to set everything to default values, as they appear in the screenshots that follow. These settings depend upon how the KMIP server is configured, and many will be optional or unused.

Basic KMIP Settings

Fill in the dialog box for Basic KMIP Settings:

Details of Basic KMIP settings:

  • Server Name: name of the KMIP server
  • Host Name: hostname of the KMIP server
  • Port: port used to connect to the KMIP server
  • Auto-Reconnect: 0 or 1; 1 means "automatically reconnect"
  • Verify: yes or no; whether verification is needed to connect to the KMIP server
  • Protocol: version of KMIP protocol to use
  • Nbio: 0 or 1; whether non-blocking I/O is required
  • Timeout: seconds before timeout, with 0 meaning "no timeout"

Advanced KMIP Settings

Fill in the dialog box for Advanced KMIP Settings, going from one sub-tab to the next:

Details of Advanced KMIP Settings:

Cert sub-tab:

  • Cert File: SSL certificate file
  • Cert Format: PEM or P12; format of the certificate file
  • Cert Password: password for the certificate file
  • Load File: opens a browser for you to select the cert file to upload
  • Clear: removes any previously-loaded file

Key sub-tab:

  • Key File: SSL key file
  • Key Format: PEM or P12; format of the key file
  • Key Password: password for the key file
  • Load File: opens a browser for you to select the key file to upload
  • Clear: removes any previously-loaded file

CA Trusted Cert sub-tab:

  • CA Trusted Cert File: Trusted Certification Authority file
  • CA Trusted Cert Format: PEM or P12; format of the trusted cert file
  • CA Trusted Cert Password: password for the trusted cert file
  • Load File: opens a browser for you to select the trusted cert file to upload
  • Clear: removes any previously-loaded file

Server Cert sub-tab:

  • Server Cert: SSL certificate file for the server
  • Server Cert Format: PEM or P12; format of the server certificate file
  • Server Cert Password: password for the server certificate file
  • Load File: opens a browser for you to select the server cert file to upload
  • Clear: removes any previously-loaded file

Server Key sub-tab:

  • Server Key File: server key file for the server
  • Server Key Format: PEM or P12; format of the server key file
  • Server Key Password: password for the server key
  • Load File: opens a browser for you to select the server key file to upload
  • Clear: removes any previously-loaded file

Credentials sub-tab:

  • Username: username for the KMIP server
  • Password: password for the KMIP server
  • Ciphers: ciphers to use

KMIP Settings: Configuration

Fill in the dialog box for KMIP Settings: Configuration:

Details of KMIP Settings: Configuration:

  • Description: description of the KMIP server
  • Disable Entropy Seed: disables the seeding of the HTKC RNG from the KMIP server
  • Disable Hardware Signature: currently not implemented
  • No Split Key: currently not implemented

Testing Your KMIP Connection

Once you have finished filling in all appropriate settings, click Apply. This will store the KMIP settings, and if you have enabled entropy in the Configuration step, the Random Number Generator will be automatically seeded. The Admin Key will be regenerated and will be stored on the KMIP server.
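Before clicking Apply, the same values can be checked from an administrator workstation. The following is an added example, not HyTrust code: it maps the Verify, CA Trusted Cert, Cert, Key, Ciphers, Port and Timeout fields onto a Python TLS client, flags settings that weaken or break the connection, and can complete one handshake with the KMIP server. The dictionary keys, the host name, PEM-format files and OpenSSL cipher-list syntax for the Ciphers field are assumptions.

```python
import socket
import ssl

def build_context(s):
    """Map the Verify, CA Trusted Cert, Cert, Key and Ciphers fields onto a TLS client context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies chain and hostname by default
    if s.get("verify", "yes") == "yes":
        if s.get("ca_trusted_cert_file"):
            ctx.load_verify_locations(cafile=s["ca_trusted_cert_file"])
    else:
        # Verify = no: any server certificate is accepted, so the peer is unauthenticated.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if s.get("cert_file"):
        # Client certificate and private key (PEM); the password unlocks an encrypted key.
        ctx.load_cert_chain(s["cert_file"], keyfile=s.get("key_file"),
                            password=s.get("key_password"))
    if s.get("ciphers"):
        ctx.set_ciphers(s["ciphers"])  # raises ssl.SSLError if nothing matches
    return ctx

def review(s):
    """Return the names of settings that weaken or break the connection."""
    flagged = []
    if s.get("verify", "yes") != "yes":
        flagged.append("verify")
    elif not s.get("ca_trusted_cert_file"):
        flagged.append("ca_trusted_cert_file")  # nothing to verify the server against
    if int(s.get("timeout", 0)) == 0:
        flagged.append("timeout")  # 0 means "no timeout": a dead server blocks the caller
    if not 0 < int(s.get("port", 0)) < 65536:
        flagged.append("port")
    if s.get("ciphers"):
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).set_ciphers(s["ciphers"])
        except ssl.SSLError:
            flagged.append("ciphers")  # the string selects no usable cipher
    return flagged

def probe(s):
    """Complete one TLS handshake with the KMIP server and report what was negotiated."""
    ctx = build_context(s)
    addr = (s["host_name"], int(s["port"]))
    with socket.create_connection(addr, timeout=int(s.get("timeout", 0)) or None) as raw:
        with ctx.wrap_socket(raw, server_hostname=s["host_name"]) as tls:
            cert = tls.getpeercert() or {}
            return {"tls": tls.version(), "cipher": tls.cipher()[0],
                    "server_subject": cert.get("subject"), "not_after": cert.get("notAfter")}

# Constructed sample values; 5696 is the IANA-registered KMIP port.
SAMPLE = {"host_name": "kmip.example.internal", "port": 5696, "verify": "no", "timeout": 0}
```

`review(SAMPLE)` returns `['verify', 'timeout']`; `probe()` needs a reachable KMIP server and fails closed when Verify is yes and no CA file is supplied.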

System Recovery from the External Key Server

If you need system recovery for your KeyControl, it can be done by accessing the EKS. You will be presented with an option for “Recovery from External Key Server”. Here the settings have to be entered as above and, once successfully applied, the Admin Key is recovered from the EKS and the KeyControl is restored. (For details on system recovery, see Restoring from a KeyControl Backup.)

See also: Using the Settings Icon to Configure Defaults.