Manage KMS using GUI

Explore procedures for managing Key Management System (KMS) integration with the WEKA system using the GUI.

Using the GUI, you can:

Configure a KMS

Configure the KMS of either HashiCorp Vault or KMIP within the WEKA system to encrypt filesystem keys securely.

Before you begin

Ensure the KMS is preconfigured, and the key and a valid token are readily available.

Procedure

From the menu, select Configure > Cluster Settings.
From the left pane, select Security.
On the Security page, select Configure KMS.
On the Configure KMS dialog, select the KMS type to deploy: HashiCorp Vault or KMIP.
Set the connection properties according to the selected KMS type. Select the relevant tab for details:

For the HashiCorp Vault type, set the following:

Address: The KMS address.
Key Identifier: Key name to secure the filesystem keys (encryption-as-a-service).
Role Id: Role ID for KMS access with per-filesystem encryption. Required if KMS Namespace is defined. Provided by Vault administrator in HashiCorp environments.
Secret ID: Secret ID for KMS access. Required if KMS Namespace is defined. Can also be set with WEKA_KMS_SECRET_ID. Provided by Vault administrator in HashiCorp environments.
Namespace: The namespace name that identifies the logical partition within the vault. It is used to organize and isolate data, policies, and configurations. Namespace names must not end with "/", avoid spaces, and refrain from using reserved names like root, sys, audit, auth, cubbyhole, and identity.

The Token parameter, used for cluster-wide encryption, has been deprecated from the GUI but can still be set through the CLI (see Configure the KMS). For per-filesystem encryption, use the Role ID and Secret ID instead.

For the KMIP type, set the following:

Address: Hostname and port of the KMS in the format hostname:port. Do not include any protocol prefixes such as https://. The hostname can be either a fully qualified domain name (FQDN) or an IP address. Port 5696 is the default for KMIP, but this may vary depending on the server configuration.
KMS Identifier: Key UID to secure the filesystem keys (encryption-as-a-service).
Client Certificate: The client certificate content of the PEM file.
Client Key: The client key content of the PEM file.
CA Certificate: (Optional) The CA certificate content of the PEM file.

Select Save.

Related topics

Obtain an API token from the vault

Obtain a certificate for a KMIP-based KMS

View the KMS configuration

Procedure

From the menu, select Configure > Cluster Settings.
From the left pane, select Security. The Security page displays the configured KMS.

Update the KMS configuration

Update the KMS configuration in the WEKA system when changes occur in the KMS server details or cryptographic keys, ensuring seamless integration and continued secure filesystem key encryption.

If your system is upgraded to version 4.4.2 or higher, the Update KMS Configuration screen displays a configuration with the Token parameter. Reset the KMS configuration and configure it using the new Role ID and Secret ID parameters.

Procedure

From the menu, select Configure > Cluster Settings.
From the left pane, select Security.
The Security page displays the configured KMS.
Select Update KMS, and update the settings. For the parameter descriptions, see Configure a KMS.
Select Save.

Reset the KMS configuration

Reseting a KMS configuration is possible only if no encrypted filesystems exist.

Procedure

From the menu, select Configure > Cluster Settings.
From the left pane, select Security.
The Security page displays the configured KMS.
Select Reset KMS.
In the message that appears, select Yes to confirm the KMS configuration reset.

PreviousManage KMS NextManage KMS using CLI