# Manage KMS using the GUI

Using the GUI, you can:

* [Configure a KMS](#configure-a-kms)
* [View the KMS configuration](#view-the-kms-configuration)
* [Update the KMS configuration](#update-the-kms-configuration)
* [Remove the KMS configuration](#remove-the-kms-configuration)

## Configure a KMS

Configure a KMS, either HashiCorp Vault or KMIP, in the WEKA system to encrypt filesystem keys securely.

**Before you begin**

Ensure that the KMS is preconfigured, and both the key and a valid token are readily available.

**Procedure**

1. From the menu, select **Configure > Cluster Settings**.
2. From the left pane, select **Security**.
3. On the **Security** page, select **Configure KMS**.
4. On the **Configure KMS** dialog, select the KMS type to deploy: **HashiCorp Vault** or **KMIP**.
5. Set the connection properties according to the selected KMS type. Select the relevant tab for details:

{% tabs %}
{% tab title="Hashicorp Vault" %}
For the **HashiCorp Vault** type, set the following:

* **Address**: The KMS address.
* **Key Identifier**: Key name to secure the filesystem keys (encryption-as-a-service).
* **Token**: The authentication API token you obtain from the vault to access the KMS.
* **Namespace**: The namespace name that identifies the logical partition within the vault. It is used to organize and isolate data, policies, and configurations. A namespace name must not end with "/", and it should not contain spaces or use reserved names such as `root`, `sys`, `audit`, `auth`, `cubbyhole`, and `identity`. (Available from v4.2.7.)

<div align="left"><img src="https://1970823310-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqDzxyFrTFrLD641p0iH%2Fuploads%2FRwDN7avy631SPKrGP8bz%2Fwmng_configure_KMS_Hashicorp.png?alt=media&#x26;token=817de730-c770-4448-bf0b-0a9189addb20" alt="HashiCorp Vault type configuration"></div>
{% endtab %}

{% tab title="KMIP " %}
For the **KMIP** type, set the following:

* **Address**: Hostname and port of the KMS in the format `hostname:port`. Do not include any protocol prefixes such as `https://`. The hostname can be either a fully qualified domain name (FQDN) or an IP address. Port 5696 is the default for KMIP, but this may vary depending on the server configuration.
* **KMS Identifier**: Key UID to secure the filesystem keys (encryption-as-a-service).
* **Client Certificate**: The client certificate content of the PEM file.
* **Client Key**: The client key content of the PEM file.
* **CA Certificate**: (Optional) The CA certificate content of the PEM file.

<figure><img src="https://1970823310-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqDzxyFrTFrLD641p0iH%2Fuploads%2FtId4rJCi7cel2Ttkw3Zn%2Fwmng_configure_KMIP.png?alt=media&#x26;token=f5c2ed29-04ff-4226-b2d9-627265104744" alt=""><figcaption><p>KMIP type configuration </p></figcaption></figure>
{% endtab %}
{% endtabs %}

6. Click **Save**.
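The KMIP fields above are pasted by hand, so a pre-flight check of the values catches the common mistakes (a protocol prefix, a missing port, a truncated PEM, certificate and key pasted into each other's field) before they reach the dialog. This is an added example, not WEKA code: the function names are hypothetical, `kms.example.com` and the PEM bodies are constructed placeholders, and IPv6 literals are not handled.

```python
import ipaddress
import re

LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.+?-----END \1-----", re.S)

def check_kmip_address(address):
    """Return problems with an Address value; expected form is hostname:port."""
    if "://" in address:
        return ["Address: remove the protocol prefix"]
    host, sep, port = address.rpartition(":")
    if not sep or not host:
        return ["Address: missing port, use hostname:port"]
    problems = []
    if not re.fullmatch(r"[0-9]{1,5}", port) or not 1 <= int(port) <= 65535:
        problems.append(f"Address: invalid port {port!r}")
    if host.replace(".", "").isdigit():  # all-numeric host: must be valid IPv4
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            problems.append(f"Address: invalid IP address {host!r}")
    elif not all(LABEL.fullmatch(part) for part in host.split(".")):
        problems.append(f"Address: invalid hostname {host!r}")
    return problems

def check_kmip_pems(client_cert, client_key, ca_cert=None):
    """Catch truncated or swapped pastes in the PEM fields."""
    def labels(text):
        return [m.group(1) for m in PEM.finditer(text)]
    problems = []
    if "CERTIFICATE" not in labels(client_cert):
        problems.append("Client Certificate: no complete CERTIFICATE block")
    if not any(lab.endswith("PRIVATE KEY") for lab in labels(client_key)):
        problems.append("Client Key: no complete PRIVATE KEY block")
    # A private key belongs only in the Client Key field.
    public = (("Client Certificate", client_cert), ("CA Certificate", ca_cert or ""))
    for name, text in public:
        if any(lab.endswith("PRIVATE KEY") for lab in labels(text)):
            problems.append(f"{name}: contains a private key")
    if ca_cert and "CERTIFICATE" not in labels(ca_cert):
        problems.append("CA Certificate: no complete CERTIFICATE block")
    return problems

# Constructed sample values (placeholder PEM bodies, not real key material).
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for addr in ("kms.example.com:5696", "https://kms.example.com:5696"):
        print(addr, check_kmip_address(addr))
    print(check_kmip_pems(SAMPLE_KEY, SAMPLE_CERT))  # fields swapped
```

An empty list means the value passed every check; the checks cover format only and do not contact the KMS.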

**Related topics**

[Obtain an API token from the vault](https://docs.weka.io/4.2/usage/security/kms-management-1#obtain-an-api-token-from-the-vault)

[Obtain a certificate for a KMIP-based KMS](https://docs.weka.io/4.2/usage/security/kms-management-1#obtain-a-certificate-for-a-kmip-based-kms)

## View the KMS configuration

**Procedure**

1. From the menu, select **Configure > Cluster Settings**.
2. From the left pane, select **Security**.\
   The **Security** page displays the configured KMS.

![View the configured KMS](https://1970823310-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqDzxyFrTFrLD641p0iH%2Fuploads%2FJxVwlx8C3g7gEqBoozNZ%2Fwmng_view_kms_settings.png?alt=media\&token=6d7a25c8-556b-4e63-ba67-d2746873749a)

## Update the KMS configuration

Update the KMS configuration in the WEKA system when changes occur in the KMS server details or cryptographic keys, ensuring seamless integration and continued secure filesystem key encryption.

**Procedure**

1. From the menu, select **Configure > Cluster Settings**.
2. From the left pane, select **Security**.
3. The **Security** page displays the configured KMS.
4. Select **Update KMS**, and update its settings.
5. Select **Save**.

## Remove the KMS configuration

Removing a KMS configuration is possible only if no encrypted filesystems exist.

**Procedure**

1. From the menu, select **Configure > Cluster Settings**.
2. From the left pane, select **Security**.
3. The **Security** page displays the configured KMS.
4. Select **Reset KMS**.
5. In the message that appears, select **Yes** to confirm the KMS configuration reset.

