Key Server Integration
- Updated On 19 Oct 2020
- 2 Minutes To Read
SecureCircle manages access to key derivation keys that are themselves encrypted using master keys provided by a Key Management Service (KMS). The SecureCircle Server provides by default a built-in KMS for master key generation and management. One or many third party KMS's may also be simultaneously integrated with the SecureCircle Server to allow for the generation and management of master keys external to the SecureCircle Server. The following are considerations when determining how and when to integrate an external KMS.
Using the Default, Built-In KMS
The SecureCircle Server provides a default, built-in KMS that is seamlessly integrated into the service. The default KMS uses FIPS 140-2-capable key generation libraries and stores protected master encryption key data in the SecureCircle Server database. If no external KMS is integrated, the built-in KMS is used by default and requires no administrator setup or configuration. Use the built-in KMS in the following scenarios:
- There is no compliance-related requirement in the organization to use a hardware-only HSM + KMS.
- Control and management of master encryption keys on the SecureCircle Server meets the security standards of the organization.
Using an External KMS
The SecureCircle Server supports a variety of KMS integrations, all of which allow master key encryption keys to be generated and controlled external to the SecureCircle Server itself. The SecureCircle Server uses these keys to derive per-file encryption keys. If an administrator disallows the SecureCircle Server access to the KMS, the SecureCircle Server no longer has access to the master key encryption keys and will no longer be able to derive new keys for new file encryption, or existing keys for file decryption. Using key encryption key and key derivation methodology allows administrators to maintain control over data access external to the SecureCircle Server, while preventing overload on the KMS. In some cases, this may also enable an organization to consider a SecureCircle SaaS or Cloud-based offering since they are able to maintain control over encryption keys on-premise or in a private Cloud.
Multiple KMS's, including the default, built-in KMS, can be used simultaneously by creating and applying different Key Management policies to different Circles. This allows data encryption in some Circles to be controlled via one KMS, while data in other Circles is controlled via another KMS.
Use an external KMS in the following scenarios:
- The organization has a compliance-related requirement to use a hardware-only HSM/KMS.
- The organization would like to use a SaaS or Cloud-based SecureCircle Server deployment while maintaining control over master encryption keys using an external system.
The default Key Server is Local Database Key Storage using Java cryptographic libraries. SecureCircle also integrates with:
- Amazon AWS KMS
- Voltage REST
- Voltage API
- Any KMIP-based key server
Key Server Management
To add Key Server integrations, click on Key Servers on the left navigation bar. Click on Add Server. Depending on which server type selected, fill in the required configuration information. Click Add.
To Modify a Key Server integration, click on the checkbox field of the server(s) you want to modify. Then click the Actions button. Click Modify. Change the appropriate fields and click Modify.
To Delete a Key Server integration, click on the checkbox field of the server(s) you want to delete. Then click the Actions button. Click Delete. Click Delete again to confirm.
Key Server integrations cannot be removed if the integration has already generated keys for files/Circles.
Following diagram illustrate relations between objects in Secure Circle Domain.
The following workflow describes how Key Management System master keys are used to encrypt/decrypt intermediary "integration" keys, which are then used for key generation/derivation.