Before you can select external encryption, you must obtain and upload a DARE license. Before you select external encryption, you should also ensure that the KMS system has multiple servers.
Before you start, you need to know the following for each KMS server:
- The name you intend to label the server with
- The host name or IP address
- The port (typically 5696)
- The TLS version used
- The KMIP protocol version
- The HTTPS ciphers
This procedure configures a connection to a KMS server. For configuration to succeed, the configuration values must be accurate and the server must be online. The first server configured is designated the primary server; you can configure connections to one or two servers on this page. After you configure two server connections, you can configure connections to up to two more servers.
1. From the Object Storage Management application, select Settings > Encryption.
   The ENCRYPTION page opens. The page displays information about the key management server options.
2. In the External Key Management Server (KMS) panel, click Enable.
   The CONFIGURE EXTERNAL KEY MANAGEMENT SERVER window opens.
3. In the Name field, type a label for the primary server. This name must be unique.
4. In the Hostname or IP Address field, type a host name or an IP address for the primary server.
5. In the Port field, type the server port number. The default is 5696.
6. (Optional) In the Allow TLS 1.2 field, select whether Transport Layer Security v1.2 is used. The default is No (a version later than v1.2 is used).
7. (Optional) In the KMIP Protocol field, select the KMIP version used:
   - 1.3
   - 1.4 (the default)
   - 2.0
   - 2.1
   - 3.0
8. (Optional) In the HTTPS Ciphers section, edit the comma-separated list of ciphers used.
   The default group of ciphers ensures interoperability with popular commercial key managers and with PyKMIP, an open-source implementation. The default ciphers are: TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
9. (Optional) In the SECONDARY KEY MANAGEMENT SERVER (OPTIONAL) section, repeat steps 3 through 8 for the secondary KMS server.
10. Click Save.
    The connection is validated and you are prompted, "Server added successfully."
11. (Optional) To configure a connection to another server, click Add KMS and repeat steps 3 through 10.
The first server you configure is designated the primary server; any others are designated secondary servers.
After external encryption is enabled, bucket owners can define bucket policies that begin object encryption.
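As an added example (not code from the product or its documentation), the following Python script checks a planned HTTPS Ciphers value against the Allow TLS 1.2 setting, showing which suites can actually be negotiated, and probes the KMS port to report the TLS version and cipher the server agrees to. `DEFAULT_CIPHERS` is the page's default list; the host, the CA file and the client-certificate handling are assumptions about the deployment.

```python
import socket
import ssl

# Default HTTPS Ciphers value from the Encryption page (copied, not constructed).
DEFAULT_CIPHERS = (
    "TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, "
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_3DES_EDE_CBC_SHA, "
    "TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, "
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
)

def parse_ciphers(text):
    """Split the comma-separated HTTPS Ciphers field, ignoring blanks and whitespace."""
    return [c.strip() for c in text.split(",") if c.strip()]

def classify(name):
    """'tls13': TLS 1.3-only suite; 'pfs': TLS 1.2 suite with ephemeral key exchange;
    'legacy': TLS 1.2 suite with static RSA key exchange (no forward secrecy), incl. 3DES."""
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return "tls13"
    if "_ECDHE_" in name or "_DHE_" in name:
        return "pfs"
    return "legacy"

def preflight(cipher_text, allow_tls12=False):
    """Report which configured suites can be negotiated for a given Allow TLS 1.2 value.
    With the default (No) only TLS 1.3 suites apply and the TLS 1.2 entries are inert;
    with Yes the legacy suites become negotiable and are flagged for review."""
    ciphers = parse_ciphers(cipher_text)
    by_class = {"tls13": [], "pfs": [], "legacy": []}
    for c in ciphers:
        by_class[classify(c)].append(c)
    usable = by_class["tls13"] + (by_class["pfs"] + by_class["legacy"] if allow_tls12 else [])
    return {
        "usable": usable,
        "inert": [c for c in ciphers if c not in usable],
        "flagged_legacy": by_class["legacy"] if allow_tls12 else [],
    }

def probe_kms(host, port=5696, allow_tls12=False, ca_file=None, timeout=5):
    """Open a TLS session to the KMS port and return the negotiated (version, cipher).
    ca_file is the KMS's issuing CA bundle (assumed: a private CA). If the KMS requires
    a client certificate, load it with ctx.load_cert_chain() before connecting."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2 if allow_tls12 else ssl.TLSVersion.TLSv1_3
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]
```

Run `preflight(DEFAULT_CIPHERS)` before saving the page to confirm the suites you expect are in `usable`, then `probe_kms("kms.example.internal", ca_file="kms-ca.pem")` to confirm the server actually negotiates one of them.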