Manage KMS using GUI

Explore procedures for managing Key Management System (KMS) integration with the WEKA system using the GUI.

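Using the GUI, you can:

  • Configure a KMS

  • View the KMS configuration

  • Update the KMS configuration

  • Reset the KMS configuration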

Configure a KMS

Configure a KMS, either HashiCorp Vault or KMIP, within the WEKA system to encrypt filesystem keys securely.

Before you begin

Ensure the KMS is preconfigured, and the key and a valid token are readily available.

Procedure

  1. From the menu, select Configure > Cluster Settings.

  2. From the left pane, select Security.

  3. On the Security page, select Configure KMS.

  4. On the Configure KMS dialog, select the KMS type to deploy: HashiCorp Vault or KMIP.

  5. Set the connection properties according to the selected KMS type.

For the HashiCorp Vault type, set the following:

  • Address: The KMS address.

  • Key Identifier: Key name to secure the filesystem keys (encryption-as-a-service).

  • Role ID: Role ID for KMS access with per-filesystem encryption. Required if KMS Namespace is defined. Provided by the Vault administrator in HashiCorp environments.

  • Secret ID: Secret ID for KMS access. Required if KMS Namespace is defined. Can also be set with WEKA_KMS_SECRET_ID. Provided by the Vault administrator in HashiCorp environments.

  • Namespace: The namespace name that identifies the logical partition within the vault. It is used to organize and isolate data, policies, and configurations. Namespace names must not end with "/", must not contain spaces, and must not use reserved names such as root, sys, audit, auth, cubbyhole, and identity.

The Token parameter, used for cluster-wide encryption, has been deprecated from the GUI but can still be set through the CLI (see Configure the KMS). For per-filesystem encryption, use the Role ID and Secret ID instead.

  6. Select Save.
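
A pre-flight check for the HashiCorp Vault values before they are entered in the Configure KMS dialog, given here as an added example that is not WEKA's code. It applies the field rules listed above and builds the Vault AppRole login request that can be sent to confirm the Role ID and Secret ID work; the function names, the https-only rule, and the default `approle` auth mount are assumptions of this example.

```python
import json
import os
import urllib.request
from urllib.parse import urlsplit

# Reserved namespace names listed in the Namespace field description.
RESERVED = {"root", "sys", "audit", "auth", "cubbyhole", "identity"}

def check_vault_settings(address, role_id="", secret_id="",
                         namespace="", env=None):
    """Return a list of problems with values meant for the Configure KMS dialog."""
    env = os.environ if env is None else env
    # The Secret ID can be supplied through WEKA_KMS_SECRET_ID instead.
    secret_id = secret_id or env.get("WEKA_KMS_SECRET_ID", "")
    problems = []
    url = urlsplit(address)
    if url.scheme != "https" or not url.hostname:
        # Assumption of this example: the KMS is only reached over TLS.
        problems.append("Address: expected an https:// URL")
    if namespace:
        if namespace.endswith("/"):
            problems.append("Namespace: must not end with '/'")
        if any(ch.isspace() for ch in namespace):
            problems.append("Namespace: must not contain spaces")
        if RESERVED & set(namespace.split("/")):
            problems.append("Namespace: uses a reserved name")
        if not role_id:
            problems.append("Role ID: required when Namespace is defined")
        if not secret_id:
            problems.append("Secret ID: required when Namespace is defined")
    return problems

def approle_login_request(address, role_id, secret_id, namespace=""):
    """Build, without sending, the Vault AppRole login call for these values."""
    req = urllib.request.Request(
        address.rstrip("/") + "/v1/auth/approle/login",  # assumed default mount
        data=json.dumps({"role_id": role_id, "secret_id": secret_id}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    if namespace:
        req.add_header("X-Vault-Namespace", namespace)
    return req

if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    print(check_vault_settings("https://vault.example.internal:8200",
                               role_id="example-role-id", namespace="storage/sys/"))
```

Passing the returned request to `urllib.request.urlopen` from a host that can reach the Vault server performs the actual login; a successful response confirms the Role ID, Secret ID, and namespace match before they are saved in the GUI.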

Related topics

Obtain an API token from the vault

Obtain a certificate for a KMIP-based KMS

View the KMS configuration

Procedure

  1. From the menu, select Configure > Cluster Settings.

  2. From the left pane, select Security. The Security page displays the configured KMS.


Update the KMS configuration

Update the KMS configuration in the WEKA system when changes occur in the KMS server details or cryptographic keys, ensuring seamless integration and continued secure filesystem key encryption.

If your system is upgraded to version 4.4.2 or higher, the Update KMS Configuration screen displays a configuration with the Token parameter. Reset the KMS configuration and configure it using the new Role ID and Secret ID parameters.

Procedure

  1. From the menu, select Configure > Cluster Settings.

  2. From the left pane, select Security.

  3. The Security page displays the configured KMS.

  4. Select Update KMS, and update the settings. For the parameter descriptions, see Configure a KMS.

  5. Select Save.

Reset the KMS configuration

Resetting a KMS configuration is possible only if no encrypted filesystems exist.

Procedure

  1. From the menu, select Configure > Cluster Settings.

  2. From the left pane, select Security.

  3. The Security page displays the configured KMS.

  4. Select Reset KMS.

  5. In the message that appears, select Yes to confirm the KMS configuration reset.