Adding an Amazon Web Services Key Management Service Server Using a Credential File

You can add or modify an Amazon Web Services (AWS) Key Management Service (KMS) Server from the CommCell Console using a credential file. The file holds the access key and secret access key that Commvault uses to call AWS KMS.

Before You Begin

  • The AWS account (IAM user) whose access key you place in the credential file must have the following KMS permissions:

    • kms:CreateKey

    • kms:Decrypt

    • kms:DisableKeyRotation

    • kms:Encrypt

    • kms:ScheduleKeyDeletion

  • To use your own key, obtain the key ID from your key management service (KMS) provider after you import or generate the key through the KMS provider interface.

Procedure

  1. Create a credential file with the following format:

    [ProfileName]
    aws_access_key_id=<AccessKey>
    aws_secret_access_key=<SecretAccessKey>
    region=<RegionName>
    

    For example:

    [AwsKMS]
    aws_access_key_id=AKIAIOSFODNN7EXAMPLE
    aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    region=us-east-1
    

    In the above example, AwsKMS is the profile name for the AWS key management server account. The access key and secret access key shown are the AWS documentation placeholders; replace them with the keys of the IAM user that has the permissions listed above.

    You can add multiple profiles to a credential file.

  2. Copy the credential file to a location on your CommServe computer that only the account running the Commvault services can read (the file contains a long-lived secret access key), and then make a note of the full path.

  3. On your CommServe computer, create a system environment variable named AWS_SHARED_CREDENTIALS_FILE whose value is the absolute path of the credential file.

  4. Restart the Commvault services on your CommServe computer so that they pick up the new environment variable.

    For instructions, see Controlling Commvault Services on Clients.

  5. From the CommCell Console ribbon, on the Home tab, click Control Panel.

    The Control Panel window appears.

  6. Under Storage, click Key Management Servers.

    The Encryption Key Management Servers dialog box appears.

  7. Click Add, and then select AWS KMS.

    The Key Provider Properties dialog box appears.

  8. In the Key Provider Name box, enter a unique name for the key provider.

  9. From the Region list, select the region where AWS hosts the key management service.

  10. From the Authentication Type list, select the Use Access & Secret Keys (Credentials file) option.

  11. In the Profile name box, enter the profile name that you specified in the credential file.

  12. To use an access node, complete the following steps:

    1. Select the Use Access Node checkbox.

      The Access Nodes area appears.

    2. Click Add.

      The Access Node dialog box appears.

    3. From the Access Node list, select the MediaAgent that you want to use as the access node.

    4. From the Authentication Type list, select the Use Access & Secret Keys (Credentials file) option.

    5. In the Profile name box, enter the profile name that you specified in the credential file.

    6. Click OK.

  13. To use your own key, complete the following steps:

    1. Click the Bring Your Own Keys tab.

    2. To enable Bring Your Own Key (BYOK), select the Enable Bring Your Own Keys checkbox.

    3. To add a key, complete the following steps:

      1. Click Add.

        The Bring Your Own Key dialog box appears.

      2. Enter the key ID, and then click OK.

  14. Click OK.
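The following script is an added example, not part of the Commvault documentation or product, that checks the credential file produced in steps 1 through 4 before you restart the services: it parses the INI-style file, confirms that the profile you will type into the Profile name box exists and carries all three required keys, rejects the AWS documentation placeholder credentials, checks that the region matches the one you will select in the Region list, and verifies that the AWS_SHARED_CREDENTIALS_FILE variable points at the file and that the file is not readable by other users. The sample file contents, the profile names Prod and Broken, and the function names are constructed for the example.

```python
"""Sanity-check an AWS shared credentials file for a Commvault KMS profile.

Added example; not Commvault code. Assumes the three-key profile format
shown on the page (aws_access_key_id, aws_secret_access_key, region).
"""
from __future__ import annotations

import configparser
import os
import re
import stat
import sys
from pathlib import Path

REQUIRED_KEYS = ("aws_access_key_id", "aws_secret_access_key", "region")

# AWS's documented example credentials, as used on the page. They must
# never appear in a deployed file.
PLACEHOLDER_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
PLACEHOLDER_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

ACCESS_KEY_RE = re.compile(r"^AKIA[A-Z0-9]{16}$")       # long-lived IAM user key
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")   # e.g. us-east-1, us-gov-west-1

# Constructed sample file: the page's example profile plus two extra ones.
SAMPLE_FILE = """\
[AwsKMS]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region=us-east-1

[Prod]
aws_access_key_id=AKIAABCDEFGHIJKLMNOP
aws_secret_access_key=abcdefghijklmnopqrstuvwxyz0123456789ABCD
region=eu-west-1

[Broken]
aws_access_key_id=AKIAABCDEFGHIJKLMNOP
"""


def parse_credentials(text: str) -> dict[str, dict[str, str]]:
    """Parse the INI-style credentials file into {profile: {key: value}}."""
    # interpolation=None so a '%' inside a secret key is taken literally.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def check_profile(profiles: dict[str, dict[str, str]], profile_name: str,
                  expected_region: str | None = None) -> list[str]:
    """Return a list of problems; an empty list means the profile is usable."""
    profile = profiles.get(profile_name)
    if profile is None:
        return [f"profile [{profile_name}] not found; available: "
                f"{', '.join(profiles) or 'none'}"]
    problems = [f"{key} is missing or empty"
                for key in REQUIRED_KEYS if not profile.get(key)]
    if problems:
        return problems
    access_key, secret, region = (profile[k] for k in REQUIRED_KEYS)
    if access_key == PLACEHOLDER_ACCESS_KEY or secret == PLACEHOLDER_SECRET_KEY:
        problems.append("file still contains AWS's documented example credentials")
    if not ACCESS_KEY_RE.match(access_key):
        problems.append("aws_access_key_id is not a 20-character AKIA... IAM access key")
    if len(secret) != 40:
        problems.append("aws_secret_access_key is not 40 characters long")
    if not REGION_RE.match(region):
        problems.append(f"region {region!r} does not look like an AWS region name")
    elif expected_region and region != expected_region:
        problems.append(f"region {region} differs from the console selection {expected_region}")
    return problems


def check_file_location(path: Path) -> list[str]:
    """Confirm the path is absolute, exists, matches the env var and is private."""
    problems = []
    if not path.is_absolute():
        problems.append("path must be absolute (step 3 requires the full path)")
    if not path.is_file():
        return problems + [f"{path} does not exist"]
    env = os.environ.get("AWS_SHARED_CREDENTIALS_FILE")
    if env is None:
        problems.append("AWS_SHARED_CREDENTIALS_FILE is not set in this session")
    elif Path(env) != path:
        problems.append(f"AWS_SHARED_CREDENTIALS_FILE points at {env}, not {path}")
    if os.name == "posix":  # on Windows inspect the ACL with icacls instead
        mode = path.stat().st_mode
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"mode {stat.filemode(mode)} lets other users read the secret key")
    return problems


if __name__ == "__main__":
    # Usage: python check_creds.py /path/to/credentials ProfileName [region]
    cred_path = Path(sys.argv[1])
    issues = check_file_location(cred_path)
    if cred_path.is_file():
        issues += check_profile(parse_credentials(cred_path.read_text()),
                                sys.argv[2], sys.argv[3] if len(sys.argv) > 3 else None)
    print("\n".join(issues) or "credential file looks usable")
    sys.exit(1 if issues else 0)
```

Run it on the CommServe as the account that runs the Commvault services, so the environment-variable check reflects what those services will see after the restart in step 4. The POSIX mode check does not apply on Windows; there, confirm with icacls that only that service account and administrators have read access to the file.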
