KMS integration best practices

Content Software for File User Guide

Part Number

The KMS is the sole entity holding the key to decrypt Content Software for File system filesystem keys. Adhering to the following best practices is cruicial for non-disruptive operations. Set up DR for the KMS (backup/replication) to avoid any chance of data loss.

  • DR setup for KMS: Implement backup/replication for the KMS to mitigate data loss risks.
  • High availability for KMS: Maintain high availability for the KMS, represented by a single address in the Content Software for File system.
  • Access to KMS: Provide access to the KMS from the Content Software for File backend servers.
  • Verification of KMS methods: Verify and understand the methods employed by the KMS for securing, unsealing, and reconstructing lost keys. Different KMS solutions have distinct methods; for instance, vault unsealing methods can enable auto unsealing using a trusted service.
Note: Taking a Snap-To-Object ensures that the (encrypted) filesystems keys are backed up to the object store, which is important if a total corruption of the Content Software for File system configuration occurs.

For additional best practices recommended by HashiCorp when using Vault, refer to the Production Hardening documentation.