Configuring symmetric encryption KEKs in KMS mode
To use the Stormshield KMaaS with a key management system (KMS), you must meet the following requirements:
- The version of the protocol used for connecting to the KMS must be KMIP 1.4,
- The algorithm used for wrapping KEKs must be AES-GCM.
In the interface of the KMS, create a new key with the following values:

| Field | Value |
|---|---|
| name | <name_of_your_kek> |
| algorithm | AES-256 |
| exportable | true |
| usage | not necessary |
| custom attribute | x-sds-kacls-kek-label:<my_kacls_keks_label>. Label that identifies all your KEKs. It must match the value of the kacls_kek_label field in the config.json file. |
| custom attribute | x-sds-kacls-tenant-id:<UUIDv4>. Identifier of your tenant in UUID v4 format. This ID must match the one specified for the External key service. |
The KMIP client must be allowed to use this key.
When the Stormshield KMaaS is being initialized, all KEKs that match the x-sds-kacls-kek-label label will be retrieved, regardless of their status in the KMS.
While all retrieved KEKs can be used for unwrap operations, only the most recent key of each tenant will be used for encryption operations. This particular KEK is identified by the is_active_kek:true field in logs.
For greater security, you can regularly renew the active KEK. To do so, generate a new KEK in the KMS. The Stormshield KMaaS will automatically import this KEK as the active key when the keys are refreshed. Older keys will be kept for decryption operations.
The Thales KMS does not allow more than 200 KEKs to be managed. Please do not exceed this limit.
If the KEK list refresh operation fails, the list of current keys will be kept and service will not be disrupted. The Stormshield KMaaS will refresh the key list again when a periodic or one-off refresh operation is triggered.
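The import and refresh rules described above (every KEK carrying the label is kept for unwrap regardless of its KMS state, only the most recent KEK per tenant is active for wrap, and a failed refresh leaves the current key set in place), as an added Python example that is not Stormshield's code. The Kek record, function names and sample keys are constructed here; the choice that a key lacking the tenant attribute is never selected as active is an assumption, not documented behaviour.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Attribute names and the KEK limit come from the documentation above.
KEK_LABEL_ATTR = "x-sds-kacls-kek-label"
TENANT_ATTR = "x-sds-kacls-tenant-id"
MAX_KEKS = 200  # documented Thales KMS limit

@dataclass(frozen=True)
class Kek:
    uid: str            # KMIP unique identifier of the key object
    created: datetime   # creation time reported by the KMS
    state: str          # KMS state, e.g. "active" or "deactivated" (ignored on import)
    attributes: dict = field(default_factory=dict)

def import_keks(kms_objects, label):
    """Return (unwrap_keys, active): all labelled KEKs usable for unwrap, newest KEK per tenant for wrap."""
    keks = [k for k in kms_objects if k.attributes.get(KEK_LABEL_ATTR) == label]
    if len(keks) > MAX_KEKS:
        raise ValueError(f"{len(keks)} KEKs exceed the documented limit of {MAX_KEKS}")
    unwrap_keys = {k.uid: k for k in keks}   # KMS state is deliberately not considered
    active = {}
    for k in keks:
        tenant = k.attributes.get(TENANT_ATTR)
        if tenant is None:                    # assumption: untagged keys never become active
            continue
        if tenant not in active or k.created > active[tenant].created:
            active[tenant] = k                # most recent key wins (is_active_kek:true)
    return unwrap_keys, active

def refresh_keks(current, fetch, label):
    """Re-read the KMS; on any failure keep the current key set so service is not disrupted."""
    try:
        objects = fetch()
    except Exception:
        return current
    return import_keks(objects, label)

# Constructed sample: two tenants, one rotated KEK, one key carrying another label.
T1 = "11111111-1111-4111-8111-111111111111"
T2 = "22222222-2222-4222-8222-222222222222"
LABEL = "prod-kacls"
SAMPLE_KEKS = [
    Kek("kek-1", datetime(2024, 1, 1), "deactivated", {KEK_LABEL_ATTR: LABEL, TENANT_ATTR: T1}),
    Kek("kek-2", datetime(2024, 6, 1), "active", {KEK_LABEL_ATTR: LABEL, TENANT_ATTR: T1}),
    Kek("kek-3", datetime(2024, 3, 1), "active", {KEK_LABEL_ATTR: LABEL, TENANT_ATTR: T2}),
    Kek("other", datetime(2024, 7, 1), "active", {KEK_LABEL_ATTR: "staging", TENANT_ATTR: T1}),
]
```

Renewing the active KEK is then just creating a newer labelled key for the tenant and letting the next refresh pick it up, while the older key stays in the unwrap set.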