# Manage KMS using the GUI

Using the GUI, you can:

* [Configure a KMS](#configure-a-kms)
* [View the KMS configuration](#view-the-kms-configuration)
* [Update the KMS configuration](#update-the-kms-configuration)
* [Remove the KMS configuration](#remove-the-kms-configuration)

## Configure a KMS

Configure a HashiCorp Vault or KMIP KMS in the WEKA system so that filesystem keys are encrypted securely.

**Before you begin**

Ensure that the KMS is preconfigured, and both the key and a valid token are readily available.

**Procedure**

1. From the menu, select **Configure > Cluster Settings**.
2. From the left pane, select **Security**.
3. On the **Security** page, select **Configure KMS**.
4. On the **Configure KMS** dialog, select the KMS type to deploy: **HashiCorp Vault** or **KMIP**.
5. Set the connection properties according to the selected KMS type. Select the relevant tab for details:

{% tabs %}
{% tab title="HashiCorp Vault" %}
For the **HashiCorp Vault** type, set the following:

* **Address**: The KMS address.
* **Key Identifier**: Key name to secure the filesystem keys (encryption-as-a-service).
* **Token**: The authentication API token you obtain from the vault to access the KMS.
* **Namespace**: The namespace name that identifies the logical partition within the vault. It is used to organize and isolate data, policies, and configurations. Namespace names must not end with "/", must not contain spaces, and must not use reserved names like `root`, `sys`, `audit`, `auth`, `cubbyhole`, and `identity`. (Available from v4.2.7.)

<div align="left"><img src="https://1970823310-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqDzxyFrTFrLD641p0iH%2Fuploads%2FRwDN7avy631SPKrGP8bz%2Fwmng_configure_KMS_Hashicorp.png?alt=media&#x26;token=817de730-c770-4448-bf0b-0a9189addb20" alt="HashiCorp Vault type configuration"></div>
{% endtab %}

{% tab title="KMIP" %}
For the **KMIP** type, set the following:

* **Address**: Hostname and port of the KMS in the format `hostname:port`. Do not include any protocol prefixes such as `https://`. The hostname can be either a fully qualified domain name (FQDN) or an IP address. Port 5696 is the default for KMIP, but this may vary depending on the server configuration.
* **KMS Identifier**: Key UID to secure the filesystem keys (encryption-as-a-service).
* **Client Certificate**: The client certificate content of the PEM file.
* **Client Key**: The client key content of the PEM file.
* **CA Certificate**: (Optional) The CA certificate content of the PEM file.

<figure><img src="https://1970823310-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqDzxyFrTFrLD641p0iH%2Fuploads%2FtId4rJCi7cel2Ttkw3Zn%2Fwmng_configure_KMIP.png?alt=media&#x26;token=f5c2ed29-04ff-4226-b2d9-627265104744" alt=""><figcaption><p>KMIP type configuration </p></figcaption></figure>
{% endtab %}
{% endtabs %}

6. Click **Save**.
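
The field rules in step 5 can be checked before the values are entered in the **Configure KMS** dialog. The following Python code is an added example, not part of the WEKA product or its documentation; the function names are hypothetical, and it checks only the format rules stated on this page without contacting the KMS.

```python
import ipaddress
import re

# Reserved Vault namespace names listed on this page.
RESERVED_NAMESPACES = {"root", "sys", "audit", "auth", "cubbyhole", "identity"}
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one DNS label
_PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s.+?\s-----END \1-----", re.S)

def check_kmip_address(address):
    """Problems with a KMIP Address value; the expected form is hostname:port."""
    if "://" in address:
        return ["remove the protocol prefix; use hostname:port only"]
    host, sep, port = address.rpartition(":")
    if not sep or not host:
        return ["expected hostname:port (5696 is the KMIP default port)"]
    problems = []
    if not re.fullmatch(r"[0-9]{1,5}", port) or not 1 <= int(port) <= 65535:
        problems.append(f"invalid port {port!r}")
    try:
        ipaddress.ip_address(host)  # an IP literal is accepted as-is
    except ValueError:
        labels = host.split(".")
        if not all(_LABEL.match(l) for l in labels) or labels[-1].isdigit():
            problems.append(f"{host!r} is not a valid FQDN or IP address")
    return problems

def check_vault_namespace(namespace):
    """Problems with a Vault Namespace value, per the rules on this page."""
    checks = [(namespace.endswith("/"), 'must not end with "/"'),
              (" " in namespace, "must not contain spaces"),
              (namespace.rstrip("/") in RESERVED_NAMESPACES, "reserved name")]
    return [msg for failed, msg in checks if failed]

def check_kmip_pem(client_cert, client_key):
    """Catch truncated or swapped PEM content before it is pasted."""
    cert_labels = [m.group(1) for m in _PEM.finditer(client_cert)]
    key_labels = [m.group(1) for m in _PEM.finditer(client_key)]
    problems = []
    if "CERTIFICATE" not in cert_labels:
        problems.append("Client Certificate: no complete CERTIFICATE block")
    if not any(l.endswith("PRIVATE KEY") for l in key_labels):
        problems.append("Client Key: no complete PRIVATE KEY block")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from a real cluster.
    print(check_kmip_address("https://kms.example.com:5696"))
    print(check_vault_namespace("storage team/"))
```

An empty list from each function means the value satisfies the format rules; it does not confirm that the key, token, or certificate is accepted by the KMS.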

**Related topics**

[Obtain an API token from the vault](https://docs.weka.io/4.2/usage/security/kms-management-1#obtain-an-api-token-from-the-vault)

[Obtain a certificate for a KMIP-based KMS](https://docs.weka.io/4.2/usage/security/kms-management-1#obtain-a-certificate-for-a-kmip-based-kms)

## View the KMS configuration

**Procedure**

1. From the menu, select **Configure > Cluster Settings**.
2. From the left pane, select **Security**.\
   The **Security** page displays the configured KMS.

![View the configured KMS](https://1970823310-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqDzxyFrTFrLD641p0iH%2Fuploads%2FJxVwlx8C3g7gEqBoozNZ%2Fwmng_view_kms_settings.png?alt=media\&token=6d7a25c8-556b-4e63-ba67-d2746873749a)

## Update the KMS configuration

Update the KMS configuration in the WEKA system when the KMS server details or cryptographic keys change, so that filesystem keys continue to be encrypted securely.

**Procedure**

1. From the menu, select **Configure > Cluster Settings**.
2. From the left pane, select **Security**.
3. The **Security** page displays the configured KMS.
4. Select **Update KMS**, and update its settings.
5. Select **Save**.

## Remove the KMS configuration

Removing a KMS configuration is possible only if no encrypted filesystems exist.

**Procedure**

1. From the menu, select **Configure > Cluster Settings**.
2. From the left pane, select **Security**.
3. The **Security** page displays the configured KMS.
4. Select **Reset KMS**.
5. In the message that appears, select **Yes** to confirm the KMS configuration reset.
