Test integration

Create a key set in Entrust KeyControl

This key set will be used to create a cloud key in Entrust KeyControl.

  1. Sign in to the Entrust KeyControl Vault URL bookmarked in [create-keycontrol-vault].

  2. Select the CLOUDKEYS icon on the toolbar.

  3. Select the Key Sets tab.

  4. Select Actions > Create Key Set.

    The Choose the type of keys… dialog appears.

  5. Choose GCP Key.

    The Create Key Set dialog appears.

  6. In the Details tab, enter a Name and Description.

  7. From the Admin Group menu, select Cloud Admin Group.

  8. Select Continue.

  9. In the CSP Account tab, select the CSP account created in [create-keycontrol-csp-account].

  10. Select Continue.

  11. In the HSM tab, select Enable HSM if using one. The HSM must be configured prior to this step.

  12. Select Continue.

  13. In the Schedule tab, select a Rotation Schedule.

  14. Select Apply.

    The key set is added.

  15. Verify the GCP key ring created in [create-gcp-keyring] is listed in the Key Rings tab. Select Sync Now on the right of the display to update the Key Ring list.


For additional information, see Creating a Key Set.

Create a cloud key in Entrust KeyControl

The following steps create a cloud key in Entrust KeyControl and verify that it is available in the GCP key ring:

  1. Sign in to the Entrust KeyControl Vault URL bookmark from [create-keycontrol-vault].

  2. Select the CLOUDKEYS icon on the toolbar.

  3. Select the CloudKeys tab.

  4. In the Key Set menu, select the Key Set created in Create a key set in Entrust KeyControl.

  5. In the Key Ring menu, select the key ring created in [create-gcp-keyring].

  6. Select Actions > Create CloudKey.

    The Create CloudKey dialog appears.

  7. In the Details tab, enter a Name and Description.

  8. Select Customer Managed Key from the list of Key Management options.

  9. Select Continue.

  10. If you are using the hardware protection method, in the Purpose tab, select HSM from the Protection Level options.

  11. From the Purpose and Algorithm pull-down menus, select the appropriate options for your application.

  12. In the Schedule tab, select the Rotation Schedule and Expiration.

  13. Select Apply.

    The cloud key is created.

  14. Verify the cloud key created in Entrust KeyControl is Available in the GCP key ring.


For additional information, see Creating a CloudKey.

Import a GCP cloud key into Entrust KeyControl

The following steps document how to import an existing cloud key from GCP to Entrust KeyControl.

It is recommended that all cloud keys be created in Entrust KeyControl, and never directly in GCP.

  1. Open a browser and sign in to the GCP portal https://console.cloud.google.com.

  2. In the navigation menu select Security > Key Management.

  3. In the KEY RINGS tab in the left-hand pane, select the key ring created in [create-gcp-keyring].

  4. The existing cloud key in GCP to be imported into Entrust KeyControl is enclosed in the red box.

    (Screenshot: the cloud key to import, outlined in red, in the GCP key ring.)
  5. Sign in to the Entrust KeyControl Vault URL bookmark from [create-keycontrol-vault].

  6. Select the CLOUDKEYS icon on the toolbar.

  7. Select the Key Sets tab.

  8. Select the key set created in Create a key set in Entrust KeyControl.

  9. Select Actions > Import CloudKey.

    The Import Cloud Keys dialog appears.

  10. From the Key Ring pull-down menu, select the GCP key ring created in [create-gcp-keyring].

  11. Select Import.

    The key is imported.

  12. Verify that the GCP cloud key is AVAILABLE in Entrust KeyControl.


Rotate a cloud key in Entrust KeyControl

To rotate a cloud key in Entrust KeyControl:

  1. Sign in to the Entrust KeyControl Vault URL bookmark from [create-keycontrol-vault].

  2. Select the CLOUDKEYS icon on the toolbar.

  3. Select the CloudKeys tab.

  4. From the Key Set menu, select the Key Set created in Create a key set in Entrust KeyControl.

  5. From the Key Ring menu, select the key ring created in [create-gcp-keyring].

  6. Select the key to rotate.

  7. Select Rotate Now. You might need to scroll down the page to view this button.

  8. In GCP, navigate to Security > Key Management.

  9. In the KEY RINGS tab in the left-hand pane, select the key ring created in [create-gcp-keyring].

  10. Select the key you just rotated in Entrust KeyControl.

  11. Verify that the key has been rotated in GCP in synchronization with Entrust KeyControl.


Remove a cloud key in Entrust KeyControl

A removed cloud key in Entrust KeyControl will no longer be available for use in GCP. However, Entrust KeyControl will keep a copy of the removed cloud key, which can be reloaded back to GCP for use.

  1. Sign in to the Entrust KeyControl Vault URL bookmark from [create-keycontrol-vault].

  2. Select the CLOUDKEYS icon on the toolbar.

  3. Select the CloudKeys tab.

  4. In the Key Set menu, select the Key Set created in Create a key set in Entrust KeyControl.

  5. In the Key Ring menu, select the key ring created in [create-gcp-keyring].

  6. Select the key to be removed.

  7. Select Actions > Remove from Cloud.

    The Remove from Cloud dialog appears.

  8. Type the name of the cloud key in Type CloudKey Name.

  9. Select Remove.

  10. Verify the status change in Entrust KeyControl.

  11. Verify the key is now Not available in GCP.


For additional information, see Removing a CloudKey from the Cloud.

Upload a removed Entrust KeyControl key back to GCP

Follow these steps to upload the Entrust KeyControl key removed in Remove a cloud key in Entrust KeyControl back to GCP.

  1. Sign in to the Entrust KeyControl Vault URL bookmark from [create-keycontrol-vault].

  2. Select the CLOUDKEYS icon on the toolbar.

  3. Select the CloudKeys tab.

  4. From the Key Set menu, select the Key Set created in Create a key set in Entrust KeyControl.

  5. From the Key Ring menu, select the key ring created in [create-gcp-keyring].

  6. Select the key to be uploaded.

  7. Select Actions > Upload to Cloud.

    The Upload to CloudKey dialog appears.

  8. Select Upload.

  9. Verify the status change in Entrust KeyControl.

  10. Verify the key is now Available in GCP.


Delete a cloud key in Entrust KeyControl

The deletion of a cloud key does not take effect immediately. However, after a user-defined interval, the key will be permanently removed.

  1. Sign in to the Entrust KeyControl Vault URL bookmark from [create-keycontrol-vault].

  2. Select the CLOUDKEYS icon on the toolbar.

  3. Select the CloudKeys tab.

  4. From the Key Set menu, select the Key Set created in Create a key set in Entrust KeyControl.

  5. From the Key Ring menu, select the key ring created in [create-gcp-keyring].

  6. Select the key to delete.

  7. Select Actions > Delete CloudKey.

    The Delete CloudKey dialog appears.

  8. Select a time in Define when the CloudKey should be permanently deleted.

  9. Select Delete.

  10. Verify the status change in Entrust KeyControl.

  11. Verify the key is now Not available in GCP.

A permanently removed key continues to appear in both GCP and Entrust KeyControl. Its status is set to Destroyed by GCP. Neither the key nor its name can ever be used again.

For additional information, see Deleting a CloudKey.

Cancel a cloud key deletion in Entrust KeyControl

The deletion of a key can be canceled as long as the time in the Define when the CloudKey should be permanently deleted setting has not expired. Follow these steps to cancel the deletion of the Entrust KeyControl key deleted in Delete a cloud key in Entrust KeyControl and make it available in GCP again.

  1. Sign in to the Entrust KeyControl Vault URL bookmark from [create-keycontrol-vault].

  2. Select the CLOUDKEYS icon on the toolbar.

  3. Select the CloudKeys tab.

  4. In the Key Set menu, select the Key Set created in Create a key set in Entrust KeyControl.

  5. In the Key Ring menu, select the key ring created in [create-gcp-keyring].

  6. Select the key deletion to be canceled.

  7. Select Actions > Cancel Deletion.

    The Cancel Deletion dialog box appears.

  8. Select Yes, Cancel Deletion.

  9. Verify the status change in Entrust KeyControl.

  10. Select Actions > Enable CloudKey.

    The Enable CloudKey dialog box appears.

  11. Select Enable.

  12. Verify the status change in Entrust KeyControl.

  13. Verify the key is now Available in GCP.


For additional information, see Canceling a CloudKey Deletion.
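The "Verify ... in GCP" steps in the sections above can also be checked from the command line instead of the console. The following is an added example, not Entrust or Google code: it parses the JSON printed by `gcloud kms keys versions list --format=json` and reports the key version states. The project, key ring and key names are placeholders, the sample data is constructed, and which GCP version state each KeyControl action produces is an assumption to confirm in your own environment.

```python
import json

# Constructed sample of the JSON printed by (placeholder names in capitals):
#   gcloud kms keys versions list --location LOC --keyring RING --key KEY --format=json
_BASE = ("projects/example-project/locations/us-east1/keyRings/example-ring/"
         "cryptoKeys/example-key/cryptoKeyVersions/")
SAMPLE = json.dumps([
    {"name": _BASE + "3", "state": "ENABLED", "protectionLevel": "HSM"},
    {"name": _BASE + "1", "state": "DESTROYED", "protectionLevel": "HSM"},
    {"name": _BASE + "2", "state": "DISABLED", "protectionLevel": "HSM"},
])

def load_versions(gcloud_json):
    """Parse gcloud output; return versions sorted oldest first by version id."""
    versions = json.loads(gcloud_json)
    for v in versions:
        v["id"] = int(v["name"].rsplit("/", 1)[1])
    return sorted(versions, key=lambda v: v["id"])

def enabled_ids(versions):
    """Versions that can currently be used for cryptographic operations."""
    return [v["id"] for v in versions if v["state"] == "ENABLED"]

def rotated_since(versions, previous_latest_id):
    """After Rotate Now: a newer version exists and is ENABLED (assumed mapping)."""
    newest = versions[-1]
    return newest["id"] > previous_latest_id and newest["state"] == "ENABLED"

def permanently_destroyed(versions):
    """After the deletion interval: every version reports DESTROYED."""
    return bool(versions) and all(v["state"] == "DESTROYED" for v in versions)

def wrong_protection(versions, expected="HSM"):
    """Versions whose protection level differs from the one chosen at creation."""
    return [v["id"] for v in versions if v.get("protectionLevel") != expected]

def report(gcloud_json, previous_latest_id, expected_protection="HSM"):
    vs = load_versions(gcloud_json)
    return {
        "states": {v["id"]: v["state"] for v in vs},
        "enabled": enabled_ids(vs),
        "rotated": rotated_since(vs, previous_latest_id),
        "destroyed": permanently_destroyed(vs),
        "wrong_protection": wrong_protection(vs, expected_protection),
    }

if __name__ == "__main__":
    # Version 2 was the latest before the rotation in this constructed sample.
    print(json.dumps(report(SAMPLE, previous_latest_id=2), indent=2))
```

Record the highest version number before selecting Rotate Now and pass it as `previous_latest_id`, so the check confirms a new version rather than an existing one.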