Test the integration

Create a single-region cloud key in KeyControl

  1. Sign in to the cloud keys vault URL created in deploy-entrust-kc.adoc#create-cloud-keys-vault.

  2. Select the CloudKeys tab.

  3. In the Key Set pull-down menu, select the key set created in integrate-kc-aws-byok.adoc#create-key-set-for-aws. In the Region pull-down menu, select your region.

    For example:

    [Screenshot: keycontrol create single cloudkey 1]

  4. In the Actions pull-down menu, select Create CloudKey. The Create CloudKey window appears.

  5. In the Details tab, enter the Name and Description. Uncheck Create as Multi-Region Key. Then select Continue.

    For example:

    [Screenshot: keycontrol create single cloudkey 2]

  6. In the Purpose tab, select from the Purpose and Algorithm pull-down menus. Then select Continue.

    For example:

    [Screenshot: keycontrol create single cloudkey 3]

  7. In the Access tab, choose the Administrators and Users. Then select Continue.

    For example:

    [Screenshot: keycontrol create single cloudkey 4]

  8. In the Schedule tab, select your Rotation Schedule and Expiration date. Then select Apply.

    For example:

    [Screenshot: keycontrol create single cloudkey 5]

  9. Notice the newly created cloud key.

    [Screenshot: keycontrol create single cloudkey 6]

Create a multi-region cloud key in KeyControl

  1. Repeat the steps in Create a single-region cloud key in KeyControl, this time checking the box for Create as Multi-Region Key.

    For example:

    [Screenshot: keycontrol create multi cloudkey 1]

  2. Select the multi-region cloud key just created. In the Actions pull-down menu, select Create Replica CloudKey.

  3. In the Create Replica Key window, select a Replica Region from the pull-down menu. Then select Create Replica Key.

    For example:

    [Screenshot: keycontrol create multi cloudkey 2]

  4. Notice the newly created multi-region cloud key.

    [Screenshot: keycontrol create cloudkey 1]

  5. Verify that the newly created multi-region cloud key is visible in AWS Key Management Service.

    [Screenshot: keycontrol create cloudkey 2]

  6. Select the newly created multi-region cloud key. In the Regionality tab, notice the second region.

    [Screenshot: keycontrol create cloudkey 3]

For further information, refer to Creating a CloudKey in the KeyControl online documentation.

Create a cloud key in AWS Key Management Service

  1. In AWS, navigate to Key Management Service > Customer managed keys. Then select the Create key icon.

  2. In the Configure key window, select the Key type and Key usage. Then expand the Advanced options and select the Key material origin. For Regionality, select the Multi-Region key radio button. Then select Next.

    For example:

    [Screenshot: aws create cloudkey 1]

  3. In the Add labels window, enter the Alias and Description. Then select Next.

    For example:

    [Screenshot: aws create cloudkey 2]

  4. In the Define key administrative permissions - optional window, enter the service account name created in create-aws-iam-user.adoc#create-aws-iam-user and select it. In the Key deletion section, check Allow key administrators to delete this key. Then select Next.

    For example:

    [Screenshot: aws create cloudkey 3]

  5. In the Define key usage permissions - optional window, enter the service account name created in create-aws-iam-user.adoc#create-aws-iam-user and select it. Then select Next.

    For example:

    [Screenshot: aws create cloudkey 4]

  6. In the Edit key policy - optional window, select Next.

  7. In the Review window, select Finish.

    [Screenshot: aws create cloudkey 5]

  8. Notice the newly created cloud key in AWS Key Management Service.

    [Screenshot: aws create cloudkey 6]

Import a cloud key created in AWS Key Management Service into KeyControl

  1. Sign in to the cloud keys vault URL created in deploy-entrust-kc.adoc#create-cloud-keys-vault.

  2. Select the Key Sets tab. Then select the key set created in integrate-kc-aws-byok.adoc#create-key-set-for-aws.

  3. In the Actions pull-down menu, select Import CloudKeys. The Import Cloud Keys window appears.

  4. Select your region. Then select Import.

    [Screenshot: keycontrol import cloudkey 1]

  5. Select the CloudKeys tab and select Refresh.

  6. Verify the imported key is visible in the KeyControl cloud keys vault.

    [Screenshot: keycontrol import cloudkey 2]

For further information, refer to Importing CloudKeys in the KeyControl online documentation.

Remove a cloud key in KeyControl

  1. Sign in to the cloud keys vault URL created in deploy-entrust-kc.adoc#create-cloud-keys-vault.

  2. Select the CloudKeys tab.

  3. In the Key Set pull-down menu, select the key set created in integrate-kc-aws-byok.adoc#create-key-set-for-aws. In the Region pull-down menu, select your region.

  4. Select the key to be removed from the cloud.

  5. In the Actions pull-down menu, select Remove from Cloud. The Remove from Cloud dialog appears.

  6. Type the name of the key in the Type CloudKey Name text box. Then select Remove.

    For example:

    [Screenshot: keycontrol remove cloudkey 1]

  7. Notice the key Cloud Status becomes NOT AVAILABLE.

    For example:

    [Screenshot: keycontrol remove cloudkey 2]

  8. Verify the key Status changed in AWS Key Management Service.

    [Screenshot: keycontrol remove cloudkey 3]

For further information, refer to Removing a CloudKey from the Cloud in the KeyControl online documentation.

Delete a cloud key in KeyControl

  1. Sign in to the cloud keys vault URL created in deploy-entrust-kc.adoc#create-cloud-keys-vault.

  2. Select the CloudKeys tab.

  3. In the Key Set pull-down menu, select the key set created in integrate-kc-aws-byok.adoc#create-key-set-for-aws. In the Region pull-down menu, select your region.

  4. Select the key to be deleted.

  5. In the Actions pull-down menu, select Delete CloudKey. The Delete CloudKey dialog appears.

  6. Select a time in Define when the CloudKey should be permanently deleted. Then select Delete.

    For example:

    [Screenshot: keycontrol delete cloudkey 1]

  7. Notice the key Cloud Status becomes PENDING DELETE.

    [Screenshot: keycontrol delete cloudkey 2]

  8. Verify the key Status changed in AWS Key Management Service.

    [Screenshot: keycontrol delete cloudkey 3]

For further information, refer to Deleting a CloudKey in the KeyControl online documentation.

Cancel a cloud key deletion in KeyControl

  1. Sign in to the cloud keys vault URL created in deploy-entrust-kc.adoc#create-cloud-keys-vault.

  2. Select the CloudKeys tab.

  3. In the Key Set pull-down menu, select the key set created in integrate-kc-aws-byok.adoc#create-key-set-for-aws. In the Region pull-down menu, select your region.

  4. Select the key whose scheduled deletion is to be cancelled.

  5. In the Actions pull-down menu, select Cancel Deletion. The Cancel Deletion dialog appears.

  6. Select Yes, Cancel Deletion.

    [Screenshot: keycontrol cancel deletion cloudkey 1]

  7. Notice the key Cloud Status becomes NOT AVAILABLE.

    [Screenshot: keycontrol cancel deletion cloudkey 2]

  8. Verify the key Status changed in AWS Key Management Service.

    [Screenshot: keycontrol cancel deletion cloudkey 3]

  9. Back in KeyControl, in the Actions pull-down menu, select Upload to Cloud. The Upload to Cloud dialog appears.

  10. Select Upload.

    [Screenshot: keycontrol cancel deletion cloudkey 4]

  11. Notice the key Cloud Status becomes AVAILABLE.

    [Screenshot: keycontrol cancel deletion cloudkey 5]

  12. Verify the key Status changed in AWS Key Management Service.

    [Screenshot: keycontrol cancel deletion cloudkey 6]

For further information, refer to Canceling a CloudKey Deletion in the KeyControl online documentation.
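
The "Verify ... in AWS Key Management Service" steps above (multi-region replicas, Remove from Cloud, Delete CloudKey, Cancel Deletion) can be checked from the CLI instead of the console. The following checker is an added example written for this page, not part of the guide or of KeyControl: it reads the JSON printed by `aws kms describe-key` and compares it with the Cloud Status KeyControl shows and the replica regions that were created. The Cloud Status to KeyState mapping and the sample key data are assumptions.

```python
"""Hypothetical checker (not part of the guide or KeyControl) for the
"Verify ... in AWS Key Management Service" steps: feed it the JSON printed by
`aws kms describe-key --key-id <KEY-ID>` and it reports mismatches."""
import json

# KeyControl Cloud Status -> AWS KMS KeyState. Assumed mapping for BYOK keys
# whose material KeyControl uploads to, or removes from, AWS KMS.
EXPECTED_KEY_STATE = {
    "AVAILABLE": "Enabled",               # key material present and usable
    "NOT AVAILABLE": "PendingImport",     # material removed from the cloud
    "PENDING DELETE": "PendingDeletion",  # Delete CloudKey scheduled deletion
}


def check_cloudkey(describe_key_json, cloud_status, replica_regions=()):
    """Return a list of findings; an empty list means the key matches."""
    meta = json.loads(describe_key_json)["KeyMetadata"]
    findings = []
    # BYOK key material comes from KeyControl, so the origin must be EXTERNAL.
    if meta.get("Origin") != "EXTERNAL":
        findings.append(f"Origin is {meta.get('Origin')!r}, expected 'EXTERNAL'")
    want = EXPECTED_KEY_STATE[cloud_status]
    if meta.get("KeyState") != want:
        findings.append(f"KeyState is {meta.get('KeyState')!r}, expected {want!r} "
                        f"for Cloud Status {cloud_status}")
    if cloud_status == "PENDING DELETE" and "DeletionDate" not in meta:
        findings.append("key pending deletion has no DeletionDate")
    # Multi-region check: each replica created in KeyControl must be listed by KMS.
    if replica_regions:
        cfg = meta.get("MultiRegionConfiguration", {})
        present = {r["Region"] for r in cfg.get("ReplicaKeys", [])}
        if not meta.get("MultiRegion"):
            findings.append("key is not multi-region but replicas were expected")
        for region in replica_regions:
            if region not in present:
                findings.append(f"replica in {region} missing; KMS lists {sorted(present)}")
    return findings


# Constructed sample: a multi-region primary key after Remove from Cloud, with
# one replica. Account id and key ids are placeholders, not real values.
SAMPLE = json.dumps({"KeyMetadata": {
    "KeyId": "mrk-EXAMPLE00000000000000000000000",
    "KeyState": "PendingImport", "Origin": "EXTERNAL", "MultiRegion": True,
    "MultiRegionConfiguration": {
        "MultiRegionKeyType": "PRIMARY",
        "PrimaryKey": {"Arn": "arn:aws:kms:us-east-1:111122223333:key/mrk-EXAMPLE", "Region": "us-east-1"},
        "ReplicaKeys": [{"Arn": "arn:aws:kms:us-west-2:111122223333:key/mrk-EXAMPLE", "Region": "us-west-2"}]}}})

if __name__ == "__main__":
    for finding in check_cloudkey(SAMPLE, "NOT AVAILABLE", ["us-west-2", "eu-west-1"]):
        print("FINDING:", finding)  # only the missing eu-west-1 replica is reported
```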

Rotate a cloud key in KeyControl

  1. Sign in to the cloud keys vault URL created in Create a Cloud Keys Vault in KeyControl.

  2. Select the CloudKeys tab.

  3. In the Key Set pull-down menu, select the key set created in integrate-kc-aws-byok.adoc#create-key-set-for-aws. In the Region pull-down menu, select your region.

  4. Select the key to be rotated.

  5. Scroll down, select the Details tab, and select the Rotate Now icon.

    [Screenshot: keycontrol rotate cloudkey 1]

  6. Verify the key has been rotated in AWS Key Management Service.

    [Screenshot: keycontrol rotate cloudkey 2]