StorageGRID provides several ways to encrypt your data at rest, including the use of external key management servers. We have partnered with Entrust to add their KeyControl product to the lineup of supported key management solutions for StorageGRID node encryption. KeyControl provides a highly available, decentralized, vault-based solution that is compliant with the Key Management Interoperability Protocol (KMIP), which makes it an excellent option for StorageGRID. For more information on KeyControl and to try it for yourself, please visit the Entrust website. For installation and configuration instructions, read the KeyControl online documentation. You should also read through the StorageGRID documentation on node encryption and KMS configuration.
Let’s walk through a basic implementation with a single site StorageGRID solution containing a mix of virtual appliances and a physical appliance. Only the physical appliance will be encrypted with a key from two KeyControl servers.
Once you have chosen your KeyControl deployment method and have the desired number of clustered KeyControl servers installed, it is time to create a new vault.
In KeyControl, this is as simple as clicking the “Create Vault” button.
Fill in the details for the vault.
- Choose “KMIP” for the vault type
- Give the vault a name
- Add an optional description
- Provide an admin name and email address (the email address will be the login name)
Click the Create Vault button. When the vault has been created, a window will pop up containing the vault URL, username, and a randomly generated temporary password. Copy these out, as you will need them for the remaining steps.
Open the vault URL and log in with the provided credentials. You will be prompted to set a new password and then to log in again with it.
Once logged into the vault, click the large Security icon in the middle, then Client Certificates, to create the certificate bundle StorageGRID will use to authenticate to the KMS.
In the Client certificate window, click on the “+” to create a new certificate.
In the certificate creation window, provide a name for the certificate and an expiration date. We do not have a CSR to upload, and the Authentication and Encryption boxes stay unchecked. Choose an expiration date you will actually track: once the client certificate expires, the nodes can no longer retrieve their key from the vault. Click Create and the new certificate will be generated and appear in the Manage Client Certificate list.
Select the new certificate and click the download button. Unzip the certificate package and you will have two .pem files: cacert.pem and certificate_name.pem. The named certificate file contains both the certificate and its private key, and these need to be separated into individual files: the certificate text stays in certificate_name.pem, and the key text (everything from the BEGIN PRIVATE KEY line to the END PRIVATE KEY line) goes into a new file named certificate_name.key. The “Bag Attributes” and “Key Attributes” lines are optional and can be dropped. Treat the .key file as the credential it is: whoever holds it and can reach the KeyControl cluster can request the node keys, so keep it off shared storage and delete working copies once it has been uploaded to StorageGRID.
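As an added example (not code from the original post, from Entrust or from NetApp), here is a small POSIX shell script that does this split with awk and then checks the result with the openssl CLI before it goes anywhere near StorageGRID: it confirms the private key really belongs to the certificate, that the certificate chains to cacert.pem, and prints the expiry date. The output file names (it writes the certificate to certificate_name.crt rather than overwriting the input), the throwaway CA and client certificate it generates when run without arguments, and the "storagegrid" certificate name are all constructed for the demo and stand in for a real KeyControl download.

```shell
#!/bin/sh
# Added example, not from the original post or from Entrust/NetApp:
# split the combined <certificate_name>.pem that KeyControl downloads into
# separate certificate and key files and sanity-check the pair before
# uploading it to StorageGRID. Assumes POSIX sh and the openssl CLI.
set -eu

# split_bundle COMBINED.pem CERT_OUT KEY_OUT
# Copies only the PEM blocks; the "Bag Attributes" and "Key Attributes"
# lines in the KeyControl download are dropped (StorageGRID wants bare PEM).
split_bundle() {
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "$1" > "$2"
    awk '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/' "$1" > "$3"
    chmod 600 "$3"   # the key file is the KMIP credential; keep it private
}

# check_pair CERT KEY CACERT
# Returns 0 when the private key matches the certificate and the certificate
# chains to the vault CA (the file StorageGRID calls the "server
# certificate"); otherwise prints the reason and returns 1.
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 1
    fi
    if ! openssl verify -CAfile "$3" "$1" >/dev/null 2>&1; then
        echo "certificate does not chain to $3" >&2
        return 1
    fi
    # The expiry is worth writing down: with an expired client certificate
    # the nodes can no longer fetch their key from the vault.
    echo "OK; $(openssl x509 -in "$1" -noout -enddate)"
}

# make_sample DIR: constructed stand-in for a KeyControl download (throwaway
# CA, a client certificate signed by it, concatenated with the attribute
# lines the real download carries). No real vault is involved.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
        -out "$1/cacert.pem" -subj "/CN=example-vault-ca" -days 30 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$1/client.key" \
        -out "$1/client.csr" -subj "/CN=storagegrid-client" >/dev/null 2>&1
    openssl x509 -req -in "$1/client.csr" -CA "$1/cacert.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/client.crt" -days 30 >/dev/null 2>&1
    {
        echo "Bag Attributes"; echo "    friendlyName: storagegrid"
        cat "$1/client.crt"
        echo "Key Attributes: <No Attributes>"
        cat "$1/client.key"
    } > "$1/storagegrid.pem"
}

# Usage: sh split_keycontrol_bundle.sh <certificate_name>.pem cacert.pem
# Writes <certificate_name>.crt and <certificate_name>.key beside the input
# and checks them. With no arguments it runs against the constructed sample.
if [ "$#" -eq 2 ]; then
    base="${1%.pem}"
    split_bundle "$1" "$base.crt" "$base.key"
    check_pair "$base.crt" "$base.key" "$2"
else
    demo=$(mktemp -d)
    make_sample "$demo"
    split_bundle "$demo/storagegrid.pem" "$demo/storagegrid.crt" "$demo/storagegrid.key"
    check_pair "$demo/storagegrid.crt" "$demo/storagegrid.key" "$demo/cacert.pem"
    rm -rf "$demo"
fi
```

A mismatched key or a certificate that does not chain to the CA fails loudly here, which is cheaper to discover on a workstation than from a failed "Test and save" in StorageGRID. The certificate file the script writes is the one to upload as the client certificate and the .key file is the client key; cacert.pem is uploaded unchanged as the server certificate.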
We are now ready for the StorageGRID configuration. For an appliance to use node encryption with an external KMS, node encryption must be enabled when the appliance is installed; it cannot be turned on afterwards. From the appliance installer UI, select the Node Encryption menu item under the Configure Hardware tab, check the box to enable node encryption, and save. Repeat this step for every node to be encrypted. The node is now ready to be joined to the grid.
Once the node or nodes are installed and part of the grid, configure StorageGRID to use the KeyControl cluster as its KMS.
In the StorageGRID management UI, under the Configuration tab, click the Key management server menu item in the Security column.
Click the Create button to add the new KeyControl KMS.
On the details page for the new KMS configuration, provide:
- a name to identify the KMS;
- an encryption key name (the name of an existing key in the KeyControl vault that you wish to use, or the name of the new key this process will create);
- the site this KMS should manage, or all sites not managed by another configured KMS;
- the port, which should remain the default (5696, the standard KMIP port);
- the hostnames or IP addresses of the KeyControl servers in the cluster. List every member of the cluster so that StorageGRID is not dependent on a single KeyControl server.
After the details have been entered, click Continue to get to the next page and upload the server certificate. This is the cacert.pem file that came with the KeyControl client certificate download; StorageGRID uses it to verify the TLS certificate presented by the KeyControl servers.
Once the certificate is successfully uploaded, click Continue for the next page, where we upload the client certificate and key files (the separated certificate_name.pem and certificate_name.key from the earlier step).
The final step is to click Test and save. If all went well, you will see a final window informing you that there is no existing key with that name in the vault and a new key will be created. If the test fails instead, the usual causes are a server certificate that is not the CA that issued the KeyControl servers' TLS certificate, a client certificate and key that were split incorrectly, or the KMIP port being blocked between the nodes and the KeyControl cluster.
Once the key is created you will see the new KMS in the list with a certificate status of Unknown. After a few minutes this updates to show that the certificates are valid.
Clicking the KMS name brings up the details of the KMS. This is also where you can rotate the key. Whatever housekeeping you do in KeyControl afterwards, never delete or revoke a key version that a node still lists as in use; that node's data would become unreadable.
You can click the Encrypted nodes tab to verify which nodes are encrypted and which key each one is using.
If we look at the Objects in the KeyControl vault, we see the keys in the vault and can compare them to the keys StorageGRID reports as in use.