Object Storage Management application instructions

Content Platform for Cloud Scale Administration Guide

Version: 2.6.x
File Size: 1950 KB
Audience: anonymous
Part Number: MK-HCPCS008-11

Before you can select external encryption, you must obtain and upload a DARE license. You should also ensure that the KMS deployment has multiple servers before you select external encryption.

Before you start you need to know, for each KMS server:

  • The name you intend to label the server with
  • The host name or IP address
  • The port (typically 5696)
  • The TLS version used
  • The KMIP protocol version
  • The HTTPS ciphers

This procedure configures a connection to a KMS server. For configuration to succeed, the configuration values must be accurate and the server must be online. The first server configured is designated the primary server. You can configure connections to one or two servers on this page; after you configure two server connections, you can configure connections to up to two more servers.

  1. From the Object Storage Management application, select Settings > Encryption.
    The ENCRYPTION page opens. The page displays information about the key management server options.
  2. In the External Key Management Server (KMS) panel, click Enable.
    The CONFIGURE EXTERNAL KEY MANAGEMENT SERVER window opens.
  3. In the Name field, type a label for the primary server. This name must be unique.
  4. In the Hostname or IP Address field, type a host name or an IP address for the primary server.
  5. In the Port field, type the server port number. The default is 5696.
  6. (Optional) In the Allow TLS 1.2 field, select whether Transport Layer Security v1.2 is used. The default is No (a version later than v1.2 is used).
  7. (Optional) In the KMIP Protocol field, select the KMIP version used:
    • 1.3
    • 1.4 (the default)
    • 2.0
    • 2.1
    • 3.0
  8. (Optional) In the HTTPS Ciphers section, edit the comma-separated list of ciphers used.
    The default group of ciphers ensures interoperability with popular commercial key managers and an open-source implementation called PyKMIP. The default ciphers are: TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  9. (Optional) In the SECONDARY KEY MANAGEMENT SERVER (OPTIONAL) section, repeat steps 3 through 8 for the secondary KMS server.
  10. Click Save.
    The connection is validated and the message "Server added successfully" is displayed.
  11. (Optional) To configure a connection to another server, click Add KMS and repeat steps 3 through 10.
The first server you configure is designated the primary server; any others are designated secondary servers.
After external encryption is enabled, bucket owners can define bucket policies that begin object encryption; encryption starts according to those policies.
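The procedure above requires the values from steps 3 through 8 to be accurate and the server to be online before Save succeeds. The following Python script is an added example, not part of the Hitachi documentation or of the product: it models a KMS entry with those fields, checks the entries against the rules the procedure states (unique names, a listed KMIP version, at most four servers) and, using the IANA cipher-suite naming convention, shows which suites in the HTTPS Ciphers list can actually be negotiated given the Allow TLS 1.2 setting and which usable suites carry known weaknesses. With the default Allow TLS 1.2 = No, only the two TLS_AES_* suites in the default list can be offered; the remaining eight are TLS 1.2 suites and are inert. The `probe` function is an assumed pre-check (a TCP connect plus TLS handshake from the machine you run the script on), not the product's own validation, and the class, function names and host names are the example's own.

```python
"""Pre-flight checks for external KMS connection settings (added example, not product code)."""
from dataclasses import dataclass
import socket
import ssl

DEFAULT_PORT = 5696                                    # default port from step 5
KMIP_VERSIONS = ("1.3", "1.4", "2.0", "2.1", "3.0")   # choices from step 7
MAX_SERVERS = 4                                        # primary plus up to three more
# Default HTTPS Ciphers list from step 8, as one comma-separated string.
DEFAULT_CIPHERS = (
    "TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, "
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_3DES_EDE_CBC_SHA, "
    "TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, "
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
)


@dataclass
class KmsServer:
    """One entry of the CONFIGURE EXTERNAL KEY MANAGEMENT SERVER window (steps 3-8)."""
    name: str
    host: str
    port: int = DEFAULT_PORT
    allow_tls12: bool = False          # "No" is the default: a later TLS version is used
    kmip_version: str = "1.4"
    ciphers: str = DEFAULT_CIPHERS


def parse_ciphers(text):
    """Split the comma-separated HTTPS Ciphers field, keeping order and dropping repeats."""
    names = []
    for name in (part.strip() for part in text.split(",")):
        if name and name not in names:
            names.append(name)
    return names


def classify_cipher(name):
    """Return (tls_version, findings) from the IANA suite name. TLS 1.3 suites name only
    the AEAD and hash (TLS_AES_*, TLS_CHACHA20_*); suites that also name a key exchange
    and certificate type are TLS 1.2 or earlier."""
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return "1.3", []
    findings = []
    if "3DES" in name:
        findings.append("3DES: 64-bit block cipher (Sweet32)")
    if name.startswith(("TLS_RSA_", "SSL_RSA_")):
        findings.append("static RSA key exchange: no forward secrecy")
    if "_CBC_" in name:
        findings.append("CBC mode: prefer an AEAD (GCM) suite")
    return "1.2", findings


def audit(servers):
    """Apply the procedure's rules and work out which ciphers each server can use.
    Returns (problems, report); report maps a server name to its role, minimum TLS
    version, usable suites, inert suites (excluded by the TLS setting) and weak suites."""
    problems, report = [], {}
    names = [s.name for s in servers]
    if len(set(names)) != len(names):
        problems.append("server names must be unique")
    if len(servers) > MAX_SERVERS:
        problems.append(f"at most {MAX_SERVERS} KMS servers can be configured")
    for index, s in enumerate(servers):
        if not s.host.strip():
            problems.append(f"{s.name}: host name or IP address is required")
        if not 1 <= s.port <= 65535:
            problems.append(f"{s.name}: port {s.port} is out of range")
        if s.kmip_version not in KMIP_VERSIONS:
            problems.append(f"{s.name}: KMIP version {s.kmip_version} is not one of {KMIP_VERSIONS}")
        usable, inert, weak = [], [], []
        for cipher in parse_ciphers(s.ciphers):
            version, findings = classify_cipher(cipher)
            if version == "1.2" and not s.allow_tls12:
                inert.append(cipher)       # never offered when only TLS 1.3 is allowed
                continue
            usable.append(cipher)
            if findings:
                weak.append((cipher, findings))
        if not usable:
            problems.append(f"{s.name}: no cipher suite is usable with the selected TLS version")
        report[s.name] = {"role": "primary" if index == 0 else "secondary",
                          "min_tls": "1.2" if s.allow_tls12 else "1.3",
                          "usable": usable, "inert": inert, "weak": weak}
    return problems, report


def probe(server, cafile=None, certfile=None, keyfile=None, timeout=5.0):
    """Live check (needs network, not run offline): TCP connect and TLS handshake at the
    minimum version the Allow TLS 1.2 setting implies. cafile is the CA that issued the
    KMS certificate; certfile/keyfile is the client certificate if the KMS requires mTLS."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = (ssl.TLSVersion.TLSv1_2 if server.allow_tls12
                           else ssl.TLSVersion.TLSv1_3)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    with socket.create_connection((server.host, server.port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server.host) as tls:
            return {"protocol": tls.version(), "cipher": tls.cipher()[0]}


if __name__ == "__main__":
    # Constructed sample entries; the host names are placeholders, not real servers.
    entries = [KmsServer("kms-primary", "kms1.example.invalid"),
               KmsServer("kms-secondary", "kms2.example.invalid", allow_tls12=True)]
    found, summary = audit(entries)
    print("problems:", found or "none")
    for name, info in summary.items():
        print(f"{name} ({info['role']}, TLS >= {info['min_tls']}): {len(info['usable'])} usable, "
              f"{len(info['inert'])} inert, {len(info['weak'])} weak")
        for cipher, notes in info["weak"]:
            print("   ", cipher, "->", "; ".join(notes))
```

Run the script as-is to see the audit of the two constructed entries, or call `probe(KmsServer(...), cafile="path-to-kms-ca.pem")` from a host that can reach the KMS to confirm that the handshake completes at the expected protocol version before entering the values in the Encryption page.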