This command configures and enables an external key manager (EKM) for data encryption on a cluster that already has encryption enabled. If encryption was not enabled on the cluster before, first use cluster modify to enable internal encryption, then use this command to configure the EKM.
Note
Requirements for enabling encryption after installation:
Only one EKM is supported per cluster.
If no encryption was enabled at the time of installation, you must first enable internal encryption.
You can switch from internal encryption to external encryption, but not between EKM types.
Usage
add-ekm --encryption-type ENCRYPTION_TYPE
[--ekm-servers EKM_ADDRESS1[:PORT1][,EKM_ADDRESS2[:PORT2][,EKM_ADDRESS3[:PORT3][,EKM_ADDRESS4[:PORT4]]]]]
[--ekm-certificate CERTIFICATE]
[--ekm-private_key PRIVATE_KEY]
[--ekm-ca-certificate CA_CERTIFICATE]
[--ekm-certificate-file CERTIFICATE_FILE]
[--ekm-private-key-file PRIVATE_KEY_FILE]
[--ekm-ca-certificate-file CA_CERTIFICATE_FILE]
[--ekm-bypass-validation]
[--ekm-auth-domain AUTH_DOMAIN]
[--ekm-domain DOMAIN]
[--ekm-proxy-address PROXY_ADDRESS]
Required Parameter
| Parameter | Description |
|---|---|
| --encryption-type ENCRYPTION_TYPE | Specifies the type of key management: |
Options
| Option | Description |
|---|---|
| --ekm-servers EKM_ADDRESS1[:PORT1][,EKM_ADDRESS2[:PORT2][,EKM_ADDRESS3[:PORT3][,EKM_ADDRESS4[:PORT4]]]] | Specifies the IP addresses or DNS names and port numbers for up to four EKM servers. Valid port range: 1024 - 65535. Default: 5696. Example: |
| --ekm-proxy-address PROXY_ADDRESS | Specifies the proxy address when connecting to the Thales CipherTrust Manager via a proxy. The format of the proxy address is: https://proxy-address:port. Example: |
| --ekm-certificate CERTIFICATE | Specifies the SSL certificate for the connection to the EKM servers. Enter the certificate content encapsulated in quotation marks (""). Include the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines from the certificate file content. |
| --ekm-certificate-file CERTIFICATE_FILE | Specifies the SSL certificate file for the connection to the EKM servers. Place the file on the CNode host from which you are running the VAST CLI under Example: |
| --ekm-private_key PRIVATE_KEY | Specifies the private key of the SSL certificate for connecting to the EKM servers. Enter the private key content encapsulated in quotation marks (""). Include the "-----BEGIN EC PRIVATE KEY-----" and "-----END EC PRIVATE KEY-----" lines from the private key file content. |
| --ekm-private-key-file PRIVATE_KEY_FILE | Specifies the private key file of the SSL certificate for connecting to the EKM servers. Place the private key file on the CNode host from which you are running the VAST CLI under Example: |
| --ekm-ca-certificate CA_CERTIFICATE | Specifies the CA certificate file for the connection to the EKM servers. Place the file on the CNode host from which you are running the VAST CLI under |
| --ekm-ca-certificate-file CA_CERTIFICATE_FILE | Specifies the CA certificate file for the connection to the EKM servers. Place the file on the CNode host from which you are running the VAST CLI under Example: |
| --ekm-bypass-validation | Include this option to bypass certificate validation. |
| --ekm-auth-domain AUTH_DOMAIN | For use with Thales CipherTrust Manager. Specify the CipherTrust authentication domain of the user. This is the domain where the user was created. The default is an empty string, which is equivalent to the root domain. For example, if you created the domain "vastdomain" on the Thales CipherTrust Manager, you should include |
| --ekm-domain DOMAIN | When using Thales CipherTrust Manager, specify a child domain name for use when logging in. New keys will be created inside the domain. |
Thales Domain Usage
When using the --ekm-auth-domain and --ekm-domain parameters for Thales, their effects on authentication and key storage are as follows:
| auth-domain | domain | effect |
|---|---|---|
| (empty) | (empty) | Authenticates as a user created in the root domain. Keys will be created within the root domain. |
| | | Authenticates as a user created in |
| (empty) | | Authenticates as a user from the root domain. Keys will be created in |
| | (empty) | As when both are set to |
| | | Authenticates as a user created in |
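The option formats described above (the comma-separated server list with optional ports, the https://proxy-address:port proxy form, PEM content that must keep its BEGIN/END lines) and the Thales domain table can all be checked locally before the command is issued. The following Python script is an added example and is not part of the VAST CLI or its documentation: the function names, the argument-dictionary keys, the sample values and the root-domain marker are this example's own, and the domain resolution encodes one reading of the table (an empty auth-domain means the root domain, an empty domain means keys are created in the authentication domain), which is an assumption.

```python
"""Client-side sanity checks for a `cluster add-ekm` argument set.

Added example, not code from the VAST CLI: it applies the rules stated on the
reference page before the command is issued. Function names, the argument
dictionary keys and the sample values are this example's own.
"""
from urllib.parse import urlsplit

EKM_DEFAULT_PORT = 5696           # default EKM port from the reference
EKM_MAX_SERVERS = 4               # up to four EKM servers
PORT_MIN, PORT_MAX = 1024, 65535  # valid port range
ROOT_DOMAIN = "(root)"            # example's own marker for the CipherTrust root domain


def parse_ekm_servers(value: str) -> list[tuple[str, int]]:
    """Parse an --ekm-servers value into (host, port) pairs.

    Entries are comma separated, each ADDRESS[:PORT]; a missing port becomes
    5696. Raises ValueError for an empty entry, more than four servers, or a
    port outside 1024-65535.
    """
    entries = [e.strip() for e in value.split(",")]
    if any(not e for e in entries):
        raise ValueError("--ekm-servers: empty server entry")
    if len(entries) > EKM_MAX_SERVERS:
        raise ValueError(f"--ekm-servers: at most {EKM_MAX_SERVERS} servers, got {len(entries)}")
    servers = []
    for entry in entries:
        host, sep, port_text = entry.rpartition(":")
        if not sep:  # no ':' -> address only, use the default port
            host, port = entry, EKM_DEFAULT_PORT
        else:
            if not port_text.isdigit():
                raise ValueError(f"--ekm-servers: bad port in {entry!r}")
            port = int(port_text)
            if not PORT_MIN <= port <= PORT_MAX:
                raise ValueError(f"--ekm-servers: port {port} outside {PORT_MIN}-{PORT_MAX}")
        if not host:
            raise ValueError(f"--ekm-servers: missing address in {entry!r}")
        servers.append((host, port))
    return servers


def parse_proxy_address(value: str) -> tuple[str, int]:
    """Check an --ekm-proxy-address of the form https://proxy-address:port."""
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.hostname or parts.port is None:
        raise ValueError("--ekm-proxy-address: expected https://proxy-address:port")
    return parts.hostname, parts.port


def has_pem_markers(content: str, label: str) -> bool:
    """True when quoted PEM content keeps its -----BEGIN label----- and
    -----END label----- lines, as --ekm-certificate and --ekm-private_key require."""
    lines = [line.strip() for line in content.strip().splitlines()]
    return (len(lines) >= 3
            and lines[0] == f"-----BEGIN {label}-----"
            and lines[-1] == f"-----END {label}-----")


def thales_domains(auth_domain: str = "", domain: str = "") -> tuple[str, str]:
    """Return (domain the user authenticates in, domain new keys are created in).

    Assumption of this example, read from the Thales domain table: an empty
    --ekm-auth-domain means the root domain, and an empty --ekm-domain means
    keys are created in the authentication domain.
    """
    auth = auth_domain or ROOT_DOMAIN
    return auth, (domain or auth)


def check_add_ekm(args: dict) -> list[str]:
    """Collect problems in an add-ekm argument set; an empty list means it passed.

    Keys mirror the CLI options with dashes replaced by underscores (this
    example's convention, not the CLI's).
    """
    findings: list[str] = []
    try:
        parse_ekm_servers(args.get("ekm_servers", ""))
    except ValueError as exc:
        findings.append(str(exc))
    if "ekm_proxy_address" in args:
        try:
            parse_proxy_address(args["ekm_proxy_address"])
        except ValueError as exc:
            findings.append(str(exc))
    for key, option, label in (("ekm_certificate", "--ekm-certificate", "CERTIFICATE"),
                               ("ekm_private_key", "--ekm-private_key", "EC PRIVATE KEY")):
        if key in args and not has_pem_markers(args[key], label):
            findings.append(f"{option}: missing BEGIN/END {label} lines")
    if args.get("ekm_bypass_validation"):
        # Surfaced as a finding: the EKM server certificate will not be checked.
        findings.append("--ekm-bypass-validation set: EKM certificate validation is disabled")
    return findings


# Constructed sample modelled on the page's example; the PEM body is a placeholder.
SAMPLE_ARGS = {
    "encryption_type": "CIPHER_TRUST_KMIP",
    "ekm_servers": "192.0.2.0,192.0.2.1:5697,192.0.2.2,192.0.2.3",
    "ekm_proxy_address": "https://proxy.example:3128",
    "ekm_certificate": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
}

if __name__ == "__main__":
    print(parse_ekm_servers(SAMPLE_ARGS["ekm_servers"]))
    print(check_add_ekm(SAMPLE_ARGS) or "argument set passes local checks")
    print(check_add_ekm({"ekm_servers": "a,b,c,d,e", "ekm_bypass_validation": True}))
```

Run it as a script to see the parsed server list and the findings for the sample and for a deliberately broken argument set; `check_add_ekm` returns the findings as a list so it can be wired into a pre-flight check around the real command.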
Example
vcli: admin> cluster add-ekm --encryption-type CIPHER_TRUST_KMIP --ekm-servers 192.0.2.0,192.0.2.1,192.0.2.2,192.0.2.3 --ekm-proxy-address https://squid:squid@10.27.103.73:3128 --ekm-certificate-file "/vast/bundles/cert.pem" --ekm-private-key-file "/vast/bundles/tmp/cert.key" --ekm-ca-certificate-file "/vast/bundles/ca-cert.pem"