Object Storage Management application instructions

Content Platform for Cloud Scale Administration Guide

Version
2.6.x
Part Number
MK-HCPCS008-11
Before you can select internal encryption, you must obtain and upload a DARE license. Before you select internal encryption, you should scale the Key-Management-Server service to at least three instances.
  1. From the Object Storage Management application, select Settings > Encryption.
    The ENCRYPTION page opens. The page displays information about the key management server options.
  2. In the Internal Key Management Server (KMS) panel, click Enable.
    You are reminded that your selection is permanent, and reminded to scale the KMS service up to at least three instances.
  3. Click Continue to confirm your selection.
    The Vault Unsealing window opens, displaying your initial root token and five unseal keys.
    Note: You receive an error message if the KMS service is stopped, unable to complete the request, or not yet available. In this case, try again when the service is available.
    Important: This window is the only time that all of this data is ever available to you, and also the only time that the unseal keys should ever appear together. To minimize the possibility of multiple keys becoming unavailable, the best practice is to securely distribute, encrypt, and store the unseal keys in separate locations.
  4. Do one of the following:
    • Click Download Keys to download the initial root token and the five unseal keys in a single text file.
    • Click the copy icons for the initial root token and each unseal key to save the token and keys in separate files.
  5. Secure the token and unseal key files.
  6. Click Continue.
    You are warned that you won't have another opportunity to record the unseal keys and the initial root token.
  7. Click Continue.
    A connection to the KMS service is established, the storage component encryption keys are generated and applied, and encryption is enabled.
After enabling internal encryption, restart (repair) the S3 Gateway and Policy Engine services.
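
As an added example (not part of the product or its documentation), this shell function checks the files saved with the copy icons in step 4 before you click Continue in step 6: one root token and five unseal keys, each non-empty, all distinct, and readable only by their owner. The file names `root-token.txt` and `unseal-key-1.txt` through `unseal-key-5.txt` are assumptions, and `sha256sum` from GNU coreutils is assumed to be available.

```shell
#!/bin/sh
# Added example. File names below are assumptions, not product conventions.
# check_key_files DIR
#   Prints one line per problem found; returns 0 only if every check passes.
check_key_files() {
    dir=$1
    rc=0
    # Scratch file holds digests only, never the secrets themselves.
    seen=$(mktemp) || return 2
    for name in root-token unseal-key-1 unseal-key-2 unseal-key-3 \
                unseal-key-4 unseal-key-5; do
        f="$dir/$name.txt"
        # A file that is absent or holds only whitespace means a copy was missed.
        if [ ! -f "$f" ] || [ -z "$(tr -d ' \t\r\n' < "$f")" ]; then
            echo "MISSING OR EMPTY: $name.txt"
            rc=1
            continue
        fi
        # Owner-only access: these files hold the root token and unseal keys.
        chmod 600 "$f"
        # Compare values by digest so no secret is printed or written elsewhere.
        digest=$(tr -d ' \t\r\n' < "$f" | sha256sum | cut -d' ' -f1)
        dup=$(awk -v d="$digest" '$1 == d { print $2; exit }' "$seen")
        if [ -n "$dup" ]; then
            # Typical cause: the same copy icon was pasted into two files.
            echo "DUPLICATE: $name.txt has the same value as $dup.txt"
            rc=1
        fi
        echo "$digest $name" >> "$seen"
    done
    rm -f "$seen"
    [ "$rc" -eq 0 ] && echo "OK: 1 root token and 5 distinct unseal keys saved"
    return "$rc"
}
```

Source the file and run `check_key_files` on the directory holding the saved files while the Vault Unsealing window is still open, so that a missed or duplicated value can be copied again.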