Enabling EKM Encryption


Note

This procedure can be used to enable EKM encryption on a cluster that has encryption enabled with internal management of encryption keys. When you enable an EKM, pre-existing encryption groups are not affected. New tenants can be encrypted with new or pre-existing encryption groups.

Enabling Encryption with an EKM from the VAST Web UI

  1. From the left navigation menu, select Settings, then Cluster, and then KMIP.

  2. Select the Encryption Type to enable on the cluster:

    • INTERNAL. Encryption with keys managed internally. This is the only encryption type that can be enabled or disabled after installation.

    • CIPHER_TRUST_KMIP. Encryption with keys managed externally on Thales Group CipherTrust Data Security Platform.

    • FORTANIX_KMIP. Encryption with keys managed externally on Fortanix DSM.

    • HASHICORP_KMIP. Encryption with keys managed externally on HashiCorp Vault Enterprise.

    • ENTRUST_KMIP. Encryption with keys managed externally on Entrust KeyControl.

    • AKEYLESS_KMIP. Encryption with keys managed externally on the Akeyless platform.

    • UTIMACO_KMIP. Encryption with keys managed externally on Utimaco Enterprise Secure Key Manager.

    • GENERIC_KMIP. Enables generic KMIP support instead of choosing one of the specific EKMs.

  3. Add up to four External Key Management Servers: for each server, enter the server IP address in the Server Address field and the port in the Port field, and then click Add To Table.

  4. Enter the SSL certificate for the connection to the EKM servers:

    • Click the +Add Certificate link under EKM Certificate and then paste the content of the certificate file into the text field provided. Include the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines from the certificate file content.

    • Click the +Add Key link under EKM Private Key and paste the content of the private key file of the SSL certificate into the text field provided.

    • Optionally, enter a CA certificate: Click the +Add Certificate link under EKM CA certificate and paste the content of the CA certificate file.

  5. For Thales Group CipherTrust Data Security Platform only:

    • In the Auth Domain field, you can specify a subdomain of the EKM root domain (optional).

      The subdomain needs to be created on the Thales CipherTrust manager.

      When the deployment is complete, encryption groups created on the cluster will have their encryption-at-rest keys generated within the specified subdomain.

    • In the Use proxy field, you can specify a proxy server through which to connect to the EKM server (optional). Select the check box and then provide the host and port of the proxy server in the fields provided. Specify Host in the format https://proxy-address.

  6. When done, select Save. A message appears that Encryption Settings have been updated.

Any encryption groups created after this procedure will use the newly configured EKM.
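The values entered in steps 3 to 5 are easy to get subtly wrong (a certificate pasted without its BEGIN/END lines, a key cut off mid-paste, a fifth server, a proxy host without the https:// prefix), and the UI only reports a failure once you click Save. The following pre-flight checker is an added example and not VAST's own code or CLI; it uses only the Python standard library, so it runs on any workstation before the values are pasted. It enforces the constraints stated on this page (at most four servers, PEM blocks with their header and footer lines, the https://proxy-address form for the proxy host) and additionally checks that each PEM body is a complete DER SEQUENCE, which catches truncated pastes. The function names, the sample server addresses and the PEM bodies are constructed for the example; the bodies are a minimal DER blob, not real certificates or keys, and 5696 is the registered KMIP TCP port.

```python
"""Pre-flight checks for EKM settings before clicking Save (added example, not VAST code)."""
import base64
import binascii
import ipaddress
import re
from urllib.parse import urlparse

MAX_EKM_SERVERS = 4  # the UI accepts up to four External Key Management Servers

CERT_LABEL = "CERTIFICATE"
KEY_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY")

# One PEM block: "-----BEGIN <label>-----", base64 body, "-----END <label>-----"
_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def _der_length_ok(der: bytes) -> bool:
    """True if the blob is a single outer ASN.1 SEQUENCE whose encoded length
    matches the bytes actually present; a truncated paste fails this check."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:  # short form: length fits in one byte
        content_len, header_len = first, 2
    else:  # long form: the next (first & 0x7F) bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        content_len = int.from_bytes(der[2:2 + n], "big")
        header_len = 2 + n
    return header_len + content_len == len(der)


def check_pem(text: str, allowed_labels) -> list:
    """Return a list of problems with a pasted PEM block (empty list means OK)."""
    problems = []
    m = _PEM_RE.search(text)
    if not m:
        return [f"missing -----BEGIN/-----END lines for {' or '.join(allowed_labels)}"]
    label = m.group("label")
    if label not in allowed_labels:
        problems.append(f"unexpected PEM label {label!r}")
    body = "".join(m.group("body").split())  # drop line breaks inside the body
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return problems + ["PEM body is not valid base64 (partial paste?)"]
    if not _der_length_ok(der):
        problems.append("PEM body is not a complete DER SEQUENCE (truncated or corrupted)")
    return problems


def check_servers(servers) -> list:
    """servers: list of (address, port) pairs as typed into Server Address / Port."""
    problems = []
    if not servers:
        problems.append("at least one EKM server is required")
    if len(servers) > MAX_EKM_SERVERS:
        problems.append(f"{len(servers)} servers given; the UI accepts at most {MAX_EKM_SERVERS}")
    for addr, port in servers:
        try:
            ipaddress.ip_address(addr)  # the Server Address field takes an IP address
        except ValueError:
            problems.append(f"server address {addr!r} is not an IP address")
        if not (isinstance(port, int) and 1 <= port <= 65535):
            problems.append(f"port {port!r} for {addr} is outside 1-65535")
    return problems


def check_proxy_host(host: str) -> list:
    """The CipherTrust proxy Host must be given as https://proxy-address."""
    u = urlparse(host)
    if u.scheme != "https" or not u.hostname:
        return [f"proxy host {host!r} must be in the form https://proxy-address"]
    return []


def preflight(servers, cert_pem, key_pem, ca_pem=None, proxy_host=None) -> list:
    """Run every check and return the combined list of problems."""
    problems = check_servers(servers)
    problems += ["certificate: " + p for p in check_pem(cert_pem, (CERT_LABEL,))]
    problems += ["private key: " + p for p in check_pem(key_pem, KEY_LABELS)]
    if ca_pem is not None:
        problems += ["CA certificate: " + p for p in check_pem(ca_pem, (CERT_LABEL,))]
    if proxy_host is not None:
        problems += check_proxy_host(proxy_host)
    return problems


# Constructed sample input: the PEM bodies are the minimal DER SEQUENCE {INTEGER 5},
# not a real certificate or key, so the structural checks have something to parse.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMAMCAQU=\n-----END PRIVATE KEY-----\n"
TRUNCATED_CERT = "-----BEGIN CERTIFICATE-----\nMAM=\n-----END CERTIFICATE-----\n"
SAMPLE_SERVERS = [("192.0.2.10", 5696), ("192.0.2.11", 5696)]  # 5696 = registered KMIP port

if __name__ == "__main__":
    for p in preflight(SAMPLE_SERVERS, SAMPLE_CERT, SAMPLE_KEY, proxy_host="https://proxy.example.net"):
        print("problem:", p)
    for p in preflight(SAMPLE_SERVERS * 3, TRUNCATED_CERT, SAMPLE_KEY, proxy_host="proxy.example.net"):
        print("problem:", p)
```

The DER length check is deliberately shallow: it proves the pasted body is exactly one complete ASN.1 object, not that it is a certificate the EKM will accept. Whether the certificate and private key actually belong together and are trusted by the KMIP server is still only confirmed when the cluster connects after Save.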

Enabling Encryption with an EKM from the VAST CLI

Use the cluster add-ekm command.