Introduction

Entrust KeyControl has been rebranded as the Entrust Cryptographic Security Platform (CSP) Key Manager.

The Entrust CSP Key Manager continues to provide a comprehensive solution for discovering and managing the lifecycles of cryptographic keys, secrets, certificates, tokens, libraries, protocols, and configurations:

  • The KeyControl Compliance Manager is now the Entrust CSP Compliance Manager. It still integrates with Entrust nShield Hardware Security Modules (HSMs) to protect the master keys for the CSP.

  • KeyControl Vault is now the Entrust Cryptographic Security Platform Vault. The Cryptographic Security Platform Vaults also still integrate with Entrust nShield HSMs to provide an optional HSM root of trust.

Because the Entrust integrations are tested against specific product versions, this guide is still branded as a "KeyControl" integration. It was tested against a pre-CSP version of KeyControl.

Exercise caution when using an Entrust Integration Guide with a product version that does not match the tested version, because your version might not function in exactly the same way.

Entrust cannot guarantee the success of integrations in configurations other than those indicated in the guide. This guide remains on the website for customers using pre-CSP versions of KeyControl.

This guide describes the integration of the Entrust KeyControl KMIP Vault Key Management Solution (KMS) with Veeam Backup & Replication. Entrust KeyControl KMIP Vault can serve as a Key Management Server in Veeam Backup & Replication using the Key Management Interoperability Protocol (KMIP) open standard.

Documents to read first

This guide describes how to configure the Entrust KeyControl KMIP Vault as a Key Management Server in Veeam Backup & Replication.

To install and configure the Entrust KeyControl KMIP Vault as a KMIP server, see the following documents:

Product configuration

| Product | Version |
| --- | --- |
| Windows | Windows 2022 |
| Veeam Data Backup & Replication | 12.1.0.2131 |
| Entrust KeyControl | 10.2 |

Supported features

The following Entrust KeyControl features have been tested in this integration.

| Entrust KeyControl Feature | Support |
| --- | --- |
| Deployment in Nutanix AHV from ISO | Yes |
| Cluster Mode | Yes |
| Cluster Expansion | Yes |
| Node Removal | Yes |
| Retain Configuration After Total Cluster Power-Down | Yes |

Support for the following Veeam Backup & Replication features has been tested in this integration.

| Veeam Backup & Replication Feature | Support |
| --- | --- |
| Data-at-Rest Encryption | Yes |
| Re-Keying | Yes |

Requirements

Veeam Backup & Replication requires the following certificates:

  • A certificate issued by a certificate authority to authenticate the KeyControl KMIP server.

  • A client certificate created by KeyControl.

A local certificate authority (CA) is required, with both Veeam Backup & Replication and KeyControl in the domain. The local CA does not have to be a subordinate of a trusted CA.