Procedures
The steps in this section describe a single-site StorageGRID solution containing a mix of virtual appliances and a physical appliance. Only the physical appliance will be encrypted with a key from two KeyControl servers.
Deploy KeyControl and create a vault
- Deploy KeyControl and install the clustered KeyControl server.
- Create a new vault. In KeyControl, select Create Vault.
- Create a vault of type KMIP and fill in the details for the vault. The admin email address will be the login name for the vault.
- When the vault has been created, make a copy of the vault information: the link to the vault URL, the user name, and the randomly generated temporary password.
Create a client certificate
- Launch the vault from the URL and sign in with the new credentials. You will be prompted to set a new password and log in with the new password.
- When you have logged in with the new password, select the large Security tile in the middle.
- On Client Certificates, create the certificate bundle that authenticates StorageGRID to the KMS.
- In Client certificate, select the plus sign (+) to create a new certificate.
- Provide a name and an expiration date for the certificate. This integration does not have a CSR to upload, so clear the checkbox for authentication and encryption. Select Create. The new certificate is generated and appears in the Manage Client Certificate list.
- Select the new certificate, download it, and unzip it. There are two .pem files: cacert.pem and certificate_name.pem. The named certificate file is a combined certificate and key that must be separated into individual files, with the Key text (highlighted in yellow) saved as a new file named certificate_name.key.
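As an added example that is not part of the original procedure, the following Python script performs the split described above: it reads the combined certificate_name.pem bundle, writes the certificate block to a certificate-only .pem file and the private key block to a .key file with owner-only permissions, and refuses bundles that do not contain exactly one of each. The sample bundle contents are constructed placeholders, and the output directory layout is an assumption.

```python
import os
import re
from pathlib import Path

# PEM labels that carry private key material (PKCS#1 RSA, SEC1 EC, PKCS#8 plain and encrypted).
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
# Matches one PEM block and requires the END label to equal the BEGIN label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.S)

# Constructed sample of a downloaded certificate_name.pem (bodies are placeholders, not real keys).
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIBplaceholderCertBody==\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholderKeyBody==\n-----END RSA PRIVATE KEY-----\n"
)


def split_pem_bundle(bundle_text):
    """Return (certificates, keys) as lists of normalised PEM blocks found in the bundle."""
    certs, keys = [], []
    for match in PEM_BLOCK.finditer(bundle_text):
        label = match.group(1)
        block = match.group(0).replace("\r\n", "\n") + "\n"
        if label in KEY_LABELS:
            keys.append(block)
        elif label == "CERTIFICATE":
            certs.append(block)
        else:
            raise ValueError(f"unexpected PEM block type: {label}")
    if len(certs) != 1 or len(keys) != 1:
        raise ValueError(f"expected one certificate and one key, found "
                         f"{len(certs)} certificate(s) and {len(keys)} key(s)")
    return certs, keys


def write_split_files(bundle_path, out_dir):
    """Write <name>.pem (certificate only) and <name>.key (private key, mode 0600) into out_dir.

    out_dir is assumed to differ from the bundle's own directory so the download is not overwritten.
    """
    bundle_path, out_dir = Path(bundle_path), Path(out_dir)
    certs, keys = split_pem_bundle(bundle_path.read_text())
    cert_path = out_dir / (bundle_path.stem + ".pem")
    key_path = out_dir / (bundle_path.stem + ".key")
    cert_path.write_text(certs[0])
    key_path.write_text(keys[0])
    os.chmod(key_path, 0o600)  # the key file is the secret half; keep it owner-readable only
    return cert_path, key_path


if __name__ == "__main__":
    cert_blocks, key_blocks = split_pem_bundle(SAMPLE_BUNDLE)
    print(f"found {len(cert_blocks)} certificate and {len(key_blocks)} key in sample bundle")
```

Upload the resulting certificate-only .pem and the .key file as the client certificate and key in the StorageGRID KMS configuration step.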
Configure StorageGRID
Appliances can only use node encryption with an external KMS if it is configured when the appliance is installed.
- From inside the installer UI, select Configure Hardware > Node Encryption, select the checkbox to enable node encryption, then select Save. Repeat this step for all nodes to be encrypted. The nodes are now ready to be joined to the StorageGRID solution.
- Install the node or nodes and join them to the grid.
- Configure StorageGRID to use the KeyControl cluster as a KMS. In the StorageGRID management UI, select Configuration > Security > Key management server.
- Select Create to add the new KeyControl KMS.
- Enter the details for the new KMS configuration. Provide a name to identify the KMS; an encryption key name (the name of an existing key in the KeyControl vault that you wish to use, or the name of the new key that this process will create); which site should be managed by this KMS, or all sites not managed by another configured KMS; the port, which should remain the default; and the hostnames or IP addresses of the KeyControl servers in the cluster.
- Select Continue to get to the next page and upload the server certificate. This is the cacert.pem file that was provided by the KeyControl client certificate creation.
- Select Continue to upload the client certificate and key files.
- Select Test and save.
- If all went well, the final dialog informs you that no key exists in the vault and a new key will be created.
- When the key has been created, you can see the new KMS in the list with a certificate status of unknown. After a few minutes this will update to show that the certificates are valid.
- Select the KMS name to bring up the information on the KMS. This is also where you can choose to rotate the keys.
- Select Encrypted nodes and verify which nodes are encrypted and which keys are used.
- Open KeyControl, go to Vault Objects, check the keys in the vault, and compare them to the StorageGRID keys that are in use.