Introduction

This guide describes the integration of the Entrust KeyControl Cloud Key Management Vault with Amazon Web Services KMS External Key Store (XKS).

Entrust KeyControl Cloud Key Management Vault provides an External Key Store Proxy inside KeyControl Vault. This feature allows the KeyControl Vault administrator to protect their data within Amazon Web Services (AWS) with 256-bit AES keys residing in KeyControl Vault. KeyControl Vault generates the keys and the keys are stored in KeyControl Vault only.

Product configuration

Entrust has successfully tested the following software versions:

Product            Version   Certification
KeyControl Vault   10.1.1    FIPS 140-2 Level 1
KeyControl Vault   10.2      FIPS 140-2 Level 1

Requirements

To integrate Entrust KeyControl Cloud Key Management Vault and Amazon Web Services KMS External Key Store (XKS), the server must be set up as follows.

  • You must have an AWS account with KMS access allowed.

  • You must have at least two KeyControl instances in a cluster. These instances must be reachable through a load balancer, typically an Elastic Load Balancer in the AWS environment.

This integration uses public endpoint connectivity for AWS XKS. The following are required:

  • Your external key store proxy must be reachable at a publicly routable endpoint.

  • You must obtain a TLS certificate issued by a public certificate authority supported for external key stores. For a list, see https://github.com/aws/aws-kms-xksproxy-api-spec/blob/main/TrustedCertificateAuthorities.

  • The subject common name (CN) on the TLS certificate must match the domain name in the proxy URI endpoint for the external key store proxy. For example, if the public endpoint is https://myproxy.xks.example.com, the CN on the TLS certificate must be myproxy.xks.example.com or *.xks.example.com.

  • Ensure that any firewalls between AWS KMS and the external key store proxy allow traffic to and from port 443 on the proxy. AWS KMS communicates on port 443 and this value is not configurable.
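The following pre-flight check is an added example and is not part of the Entrust guide or of the KeyControl product. It encodes the endpoint rules from the list above (HTTPS, port 443 only, and a certificate name that covers the proxy URI host either exactly or through a single-label wildcard) so that an endpoint can be validated before the external key store is created in AWS KMS. The hostnames and the sample certificate are constructed for illustration; the optional live check uses only the Python standard library.

```python
"""
Pre-flight checks for an AWS KMS external key store (XKS) proxy endpoint.

Added example, not part of the Entrust guide or the KeyControl product.
Hostnames and SAMPLE_CERT below are constructed for illustration.
"""
import socket
import ssl
from urllib.parse import urlsplit

XKS_PORT = 443  # AWS KMS always connects on 443; this is not configurable


def endpoint_host(proxy_uri: str) -> str:
    """Return the host of an XKS proxy URI, rejecting anything KMS cannot use."""
    parts = urlsplit(proxy_uri)
    if parts.scheme != "https":
        raise ValueError(f"proxy URI must use https, got {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("proxy URI has no host")
    if parts.port not in (None, XKS_PORT):
        raise ValueError(f"proxy must listen on {XKS_PORT}, got {parts.port}")
    return parts.hostname.lower()


def endpoint_ok(proxy_uri: str) -> bool:
    """Boolean form of endpoint_host() for quick checks."""
    try:
        endpoint_host(proxy_uri)
        return True
    except ValueError:
        return False


def name_matches(host: str, cert_name: str) -> bool:
    """True if a certificate name (CN or DNS SAN) covers the host.

    A wildcard is accepted only as the leftmost label and covers exactly
    one label: *.xks.example.com matches myproxy.xks.example.com, but
    *.example.com does not, and neither matches a.b.xks.example.com.
    """
    host = host.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    if cert_name == host:
        return True
    if not cert_name.startswith("*."):
        return False
    suffix = cert_name[1:]  # ".xks.example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label


def cert_covers_endpoint(proxy_uri: str, cert: dict) -> bool:
    """Check a certificate (in ssl.getpeercert() layout) against the proxy URI.

    DNS SANs are checked first, then the subject CN named in the guide.
    """
    host = endpoint_host(proxy_uri)
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return any(name_matches(host, n) for n in names)


def live_check(proxy_uri: str, timeout: float = 5.0) -> bool:
    """Connect to the proxy on 443, verify the chain against the local trust
    store, and confirm the presented certificate covers the URI host.
    Also proves that a path to port 443 is open from where this runs."""
    host = endpoint_host(proxy_uri)
    ctx = ssl.create_default_context()  # chain and hostname verification on
    with socket.create_connection((host, XKS_PORT), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            print("issuer:", cert.get("issuer"))  # compare with the AWS CA list
            return cert_covers_endpoint(proxy_uri, cert)


# Constructed sample certificate in ssl.getpeercert() layout (offline use).
SAMPLE_CERT = {
    "subject": ((("commonName", "myproxy.xks.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "myproxy.xks.example.com"),),
}

if __name__ == "__main__":
    uri = "https://myproxy.xks.example.com"  # hypothetical endpoint
    print("endpoint accepted:", endpoint_ok(uri))
    print("port 8443 rejected:", not endpoint_ok(uri + ":8443"))
    print("cert covers host:", cert_covers_endpoint(uri, SAMPLE_CERT))
    print("wildcard one label:", name_matches("myproxy.xks.example.com", "*.xks.example.com"))
```

The local trust store used by `live_check()` is not the same as the list of certificate authorities that AWS KMS accepts for external key stores, so the printed issuer still has to be compared manually against the list linked above. The matcher deliberately rejects a wildcard such as *.example.com for myproxy.xks.example.com because a wildcard covers only one label.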

Familiarize yourself with:

Overview

Entrust KeyControl Cloud Key Management Vault provides an External Key Store Proxy within KeyControl. This feature allows KeyControl administrators to safeguard their data within Amazon Web Services (AWS) using 256-bit AES keys housed in the KeyControl Vault. KeyControl generates the keys, which are exclusively stored in KeyControl.

In this guide:

  • BYOK (Bring Your Own Key): This approach involves generating encryption keys in an external key management system, such as KeyControl, and importing them into the cloud provider's key service, such as the Amazon Web Services Key Management Service (AWS KMS), which then holds a copy of the key material. BYOK allows you to control where your keys originate while utilizing the services provided by AWS.

  • HYOK (Hold Your Own Key): This method takes data security a step further by enabling you to retain absolute control over encryption keys, even when data is processed in cloud environments. With HYOK, the encryption keys are stored outside the cloud provider’s infrastructure.

Entrust supports both BYOK and HYOK approaches to data security. This integration is an HYOK implementation: the encryption keys remain under your control in KeyControl Vault while AWS services still use them through the external key store.

For more information about the BYOK approach, refer to Bring Your Own Key for AWS Key Management Service and Entrust KeyControl Integration Guide.