External KMIP Keystore Overview
Describes the External KMIP Keystore functionality.
An external keystore is a third-party server that securely manages the authentication keys used
by a client. The functions of an external keystore include:
- Secure cryptographic key generation
- Secure cryptographic key storage at least for the top level and most sensitive keys, often called master keys
- Key management
NOTE
General-purpose Hardware Security Modules (HSMs) can also function as
external keystores, so although their feature set may be different, the terms HSM and
keystore may be used interchangeably in this topic.
Use the external keystore to store data-fabric cryptographic keys and passwords.
ATTENTION
You can use HSM keystores from only one vendor per cluster.
Advantage of the KMIP Keystore
KMIP is a key management standard defined by the Organization for the Advancement of Structured Information Standards (OASIS), a global nonprofit consortium that works on the development, convergence and adoption of open standards for security and other areas.
The primary advantage of KMIP for key management is interoperability. With KMIP, the key management client and the server communicate using the same protocol, allowing data-fabric customers to choose any HSM vendor that supports KMIP.
KMIP Use Case Examples
Use KMIP to secure customer deployments that require highly secure, automated workflows to protect data at rest. The use cases for HSMs for data-fabric are as follows:
- Store the CLDB master key. The CLDB master key encrypts the server keys; the server key is used to generate tickets and to protect user keys and data in transit.
- Store the DARE master key. Keys derived from the DARE master key encrypt the storage pools, protecting data at rest.
- Securely generate master keys. HSMs incorporate True Random Number Generators (TRNG), which are used as seeds for secure generation of cryptographic keys.
- On-board secure key management, including storage, backup and restore, guaranteeing that critical master keys can never be accidentally deleted or lost.
- FIPS 140-2 validation to provide users with the confidence that the HSM is certified to professional international standards.
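The key hierarchy in the use cases above (a master key that stays in the keystore, with per-storage-pool keys derived from it) can be illustrated with a small, constructed example. This is added here and is not Data Fabric or KMIP client code: the `SimulatedKeystore` class is an in-process stand-in for an HSM that exposes only a derive operation and never returns master-key material, and the derivation uses HKDF (RFC 5869) over HMAC-SHA256 from the Python standard library. The names `create_master_key`, `derive_key` and the HKDF-based scheme are assumptions chosen for illustration, not the product's actual derivation scheme or its KMIP operations.

```python
"""Constructed illustration of a master-key hierarchy behind an external keystore."""
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF extract-then-expand (RFC 5869) using HMAC-SHA256.

    ikm  : input keying material (here, the master key held by the keystore)
    salt : optional non-secret value; an empty salt is replaced by a zero block
    info : context that binds the output to a purpose (e.g. a storage-pool id)
    """
    if not salt:
        salt = b"\x00" * hashlib.sha256().digest_size
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()          # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                     # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class SimulatedKeystore:
    """Stand-in for an HSM/KMIP keystore (assumed interface, not a real client).

    Master keys are generated and held inside the object. Callers receive a
    handle on creation and derived keys on request; there is deliberately no
    operation that exports a master key, mirroring the HSM property that the
    top-level key never leaves the device.
    """

    def __init__(self) -> None:
        self._masters: dict[str, bytes] = {}

    def create_master_key(self, name: str) -> str:
        # secrets.token_bytes draws from the OS CSPRNG; a real HSM would use
        # its own TRNG here. The returned value is a handle, not key material.
        self._masters[name] = secrets.token_bytes(32)
        return name

    def derive_key(self, handle: str, purpose: bytes, salt: bytes = b"") -> bytes:
        """Return a 256-bit key bound to `purpose`, derived from the master key."""
        master = self._masters[handle]
        return hkdf_sha256(master, salt, purpose)


def derive_storage_pool_keys(keystore: SimulatedKeystore, handle: str,
                             pool_ids: list[str]) -> dict[str, bytes]:
    """Derive one data-at-rest key per storage pool from the DARE master key."""
    return {pool: keystore.derive_key(handle, b"dare:storage-pool:" + pool.encode())
            for pool in pool_ids}


def demo() -> dict[str, bytes]:
    """Create a DARE master key and derive keys for two constructed pool ids."""
    ks = SimulatedKeystore()
    dare_handle = ks.create_master_key("dare-master")
    return derive_storage_pool_keys(ks, dare_handle, ["sp-0001", "sp-0002"])


if __name__ == "__main__":
    for pool, key in demo().items():
        print(pool, key.hex())
```

Two properties are worth checking when running this: derivation is deterministic for a given pool id (the same storage pool always maps to the same key, so the master key is the only thing that needs backup), and keys for different pools are unrelated, so compromise of one pool's key does not expose another's.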