Using a Remote Key Server

These topics provide information about using a remote key server with Integrated Backup Encryption.

Using a remote key server allows you to work with Integrated Backup Encryption: the key server holds the Remote Master Encryption Key (RMEK) that protects the backup encryption keys, so that key never has to be stored on the database server itself.

We currently support:
  1. KMIP-compliant servers that support the ENCRYPT and DECRYPT cryptographic operations (the database server relies on the key server to perform these operations with the RMEK).
  2. The Amazon Web Services Key Management Service (AWS KMS).
  3. The Microsoft Azure Key Vault service.

In order to use a remote key server, you must provide the credentials needed to connect to it. These credentials are stored in a keystore that you generate with the onkstore utility; protect that keystore file as you would any other secret, because anyone who can read it can authenticate to the key server.

The credential types supported by Integrated Backup Encryption are "kmip" for KMIP servers, "aws-bar" for AWS Key Management Service and "azure-bar" for Azure Key Vault. A keystore that contains any other type of credential (for example, "aws-ear", which is used for encryption at rest) is not supported for backup encryption, and attempting to use it results in an error.

The parameters required to create each type of credential vary depending on the provider, so you need to understand what these parameters mean and how to request or generate them from that provider. For example, what this document calls the Remote Master Encryption Key (RMEK) is known as the "Azure Key Name" for Azure Key Vault and as the "AWS CMK Id" (AWS Customer Master Key Id) for AWS KMS.
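The following added example (not part of the original page and not code from the onkstore utility) shows the kind of check worth running on a credential definition before you hand it to onkstore: it accepts only the "kmip", "aws-bar" and "azure-bar" types, rejects "aws-ear" with a clear error, requires the RMEK under the provider's own name for it, and reports any missing connection parameters. The supported types and the RMEK naming come from the text above; the per-provider connection parameter names (server, port, region, vault_url and so on) are assumptions chosen for illustration and are not the real onkstore parameters.

```python
"""Sanity-check a credential definition for an Integrated Backup Encryption keystore.

Added example: the credential types and the RMEK aliases follow the page text;
the connection parameter names per provider are assumed for illustration.
"""

# Credential types the page lists as supported for backup encryption.
SUPPORTED_TYPES = ("kmip", "aws-bar", "azure-bar")

# Provider-specific name of what the page calls the Remote Master Encryption Key.
RMEK_ALIAS = {
    "kmip": "key_id",          # assumed: unique identifier of the managed key on the KMIP server
    "aws-bar": "cmk_id",       # AWS Customer Master Key Id
    "azure-bar": "key_name",   # Azure Key Name
}

# Assumed connection parameters each provider needs in addition to the RMEK.
REQUIRED_PARAMS = {
    "kmip": ("server", "port", "client_cert", "client_key", "ca_cert"),
    "aws-bar": ("region", "access_key_id", "secret_access_key"),
    "azure-bar": ("vault_url", "tenant_id", "client_id", "client_secret"),
}


class CredentialError(ValueError):
    """Raised when a credential definition cannot be used for backup encryption."""


def validate_credential(spec):
    """Return a normalized {"type", "rmek", "params"} dict or raise CredentialError.

    `spec` is a plain dict as it might be read from a credential file.
    The RMEK may be given either under the provider's own name (cmk_id,
    key_name, key_id) or under the generic name "rmek".
    """
    ctype = str(spec.get("type", "")).strip().lower()
    if ctype not in SUPPORTED_TYPES:
        hint = " (encryption at rest credentials are not valid here)" if ctype == "aws-ear" else ""
        raise CredentialError(
            f"credential type {ctype!r} is not supported for backup encryption{hint}; "
            f"use one of {', '.join(SUPPORTED_TYPES)}"
        )

    alias = RMEK_ALIAS[ctype]
    rmek = spec.get(alias) or spec.get("rmek")
    if not rmek or not str(rmek).strip():
        raise CredentialError(f"{ctype}: missing remote master encryption key ({alias})")

    missing = [p for p in REQUIRED_PARAMS[ctype] if not str(spec.get(p, "")).strip()]
    if missing:
        raise CredentialError(f"{ctype}: missing or empty parameters: {', '.join(missing)}")

    return {
        "type": ctype,
        "rmek": str(rmek).strip(),
        "params": {p: spec[p] for p in REQUIRED_PARAMS[ctype]},
    }


def check_all(specs):
    """Validate several definitions; return (accepted, rejected) lists of (name, detail)."""
    accepted, rejected = [], []
    for name, spec in specs.items():
        try:
            accepted.append((name, validate_credential(spec)))
        except CredentialError as exc:
            rejected.append((name, str(exc)))
    return accepted, rejected


# Constructed sample definitions (placeholder values, not real credentials).
SAMPLE_SPECS = {
    "kmip_prod": {"type": "kmip", "key_id": "bar-rmek-01", "server": "kmip.example.internal",
                  "port": "5696", "client_cert": "/etc/ifx/kmip.crt",
                  "client_key": "/etc/ifx/kmip.key", "ca_cert": "/etc/ifx/ca.crt"},
    "aws_backup": {"type": "aws-bar", "rmek": "1234abcd-12ab-34cd-56ef-1234567890ab",
                   "region": "us-east-1", "access_key_id": "AKIAEXAMPLE",
                   "secret_access_key": "EXAMPLESECRET"},
    "aws_at_rest": {"type": "aws-ear", "cmk_id": "1234abcd-12ab-34cd-56ef-1234567890ab"},
    "azure_missing": {"type": "azure-bar", "key_name": "ifx-backup-key",
                      "vault_url": "https://example.vault.azure.net"},
}

if __name__ == "__main__":
    ok, bad = check_all(SAMPLE_SPECS)
    for name, cfg in ok:
        print(f"OK       {name}: type={cfg['type']} rmek={cfg['rmek']}")
    for name, reason in bad:
        print(f"REJECTED {name}: {reason}")
```

Running the script prints the two usable definitions and rejects the "aws-ear" one and the Azure one that lacks its tenant and client settings, which mirrors the errors you would otherwise only discover when onkstore or the backup itself fails.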

For more information, see The onkstore Utility.