Creating a Key Set for TDE

  1. Log in to the KeyControl Vault for Databases using an account with Cloud Admin privileges.

  2. In the top menu bar, click CloudKeys.
  3. Select Actions > Create Key Set.

  4. On the Details tab of the Create Key Set dialog box, enter the following: 

    Field: Description

    Name: Enter the name for the Key Set.

    Description: Enter the optional description for the Key Set.

    Admin Group: Select the Admin Group.

    Database Type: Select the database type that you are going to use. This can be one of the following:

    • Microsoft SQL Server
    • Oracle Database Server
    • MariaDB Database Server

    Allow automatic key creation from MariaDB: For MariaDB only. If set to Yes, when MariaDB attempts to fetch a key with a keyID that is not present in this vault, the KeyControl Vault for Databases will automatically create a key with that keyID and send it to MariaDB.

  5. Click Continue.
  6. On the HSM tab, if an HSM exists, complete the following tasks: 

    1. Check the Enable HSM checkbox if you plan to use an HSM to create CloudKeys that can be uploaded to the cloud.

    2. Choose the Yes radio button if you want to allow key caching. This caches the key in the KeyControl Vault for Databases, where it is protected by the key set local root key.

    3. If you selected Enable HSM, click Verify HSM connection to test the connectivity and suitability of the configured HSM. KeyControl checks if the HSM is accessible and if it supports the creation and export of relevant keys.

      Note: Some HSM servers with old firmware versions do not support key creation and wrapping. If the connection test fails, check the firmware version of the HSM server. If it is old, update it to the latest version.

  7. For MariaDB only. Click Continue.

  8. For MariaDB only. On the Schedule tab, determine the default rotation schedule for the CloudKeys created in this Key Set. This can be one of the following: 

    • Never—The CloudKey will never be rotated.
    • Once a year—The CloudKey will be rotated once a year.
    • Every 6 months—The CloudKey will be rotated once every 6 months.
    • Every 30 days—The CloudKey will be rotated once every 30 days.
    • Other—The CloudKey will be rotated at the interval you select.

    Note: This rotation schedule is applied to all CloudKeys created in the Key Set, unless a different value is explicitly chosen. If there are existing CloudKeys in the Key Set, you can update the rotation schedule of the CloudKeys to align with your selected rotation schedule by checking Apply to all CloudKeys.

  9. Click Apply.