Adding an Amazon Web Service Key Management Service Server

You can add or modify an AWS Key Management Service (KMS) Server from the CommCell Console.

If the user account does not have the kms:Decrypt permission, then you can perform only backup operations, and you cannot perform auxiliary copy or restore operations.

For guidelines about key rotation, see Key Rotation Guidelines for AWS Key Management Service Server.

Note: If you configure the CommServe LiveSync feature in the CommCell environment, you must copy the certificate that is created when you add the key management server. Copy it to the same certificate path on the active and passive nodes that are available in the CommServe computer.

Before You Begin

  • To assign the AWS KMS Server to a storage policy copy, the Commvault user should have Edit Storage Policy \ Copy permissions on that copy. For more information, see Storage Policy Management Permissions.
  • The AWS KMS account that you configure must have the following permissions:
    • kms:CreateKey
    • kms:Decrypt
    • kms:DisableKeyRotation
    • kms:Encrypt
    • kms:ScheduleKeyDeletion
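
The following Python check is an added example, not part of the Commvault documentation or product. It compares an IAM policy document against the five permissions listed above and flags the backup-only condition that a missing kms:Decrypt causes. The function names and the sample policy are constructed for illustration, and only the Effect and Action fields are evaluated.

```python
import re

# The five actions this page lists under "Before You Begin".
REQUIRED = ["kms:CreateKey", "kms:Decrypt", "kms:DisableKeyRotation",
            "kms:Encrypt", "kms:ScheduleKeyDeletion"]

def _as_list(value):
    # IAM allows a single statement or action in place of a list.
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' are the wildcards.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def missing_actions(policy):
    """Return the required actions the policy does not effectively allow.

    Simplification (assumption): Resource, Condition, NotAction, key
    policies and SCPs are not evaluated.
    """
    allowed, denied = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        # Anything that is not an explicit Allow is treated as a Deny.
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.extend(_as_list(stmt.get("Action", [])))
    return [a for a in REQUIRED
            if any(_matches(p, a) for p in denied)   # explicit Deny wins
            or not any(_matches(p, a) for p in allowed)]

def report(policy):
    missing = missing_actions(policy)
    if not missing:
        return "OK: all required KMS actions are allowed"
    msg = "Missing: " + ", ".join(missing)
    if "kms:Decrypt" in missing:
        msg += " (backup only; auxiliary copy and restore will not work)"
    return msg

# Constructed sample policy: kms:Decrypt was left out of the Allow list.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:CreateKey", "kms:Encrypt",
                   "kms:DisableKeyRotation", "kms:ScheduleKeyDeletion"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    print(report(SAMPLE_POLICY))
```

Run the check against the policy attached to the IAM user whose access key you plan to enter in the Key provider properties dialog box.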


  1. From the CommCell Console ribbon, on the Home tab, click Control Panel.

    The Control Panel window appears.

  2. Under Storage, click Key Management Servers.

    The Encryption Key Management Servers dialog box appears.

  3. Click Add, and then select AWS_KMS.

    The Key provider properties dialog box appears.

  4. Complete the following fields:
    • Key Provider Name: Enter a unique name for the key provider. This friendly name helps you distinguish this key provider from other key management servers.
    • Region: Select the region where AWS hosts the key management service.
    • Access Key: Enter the AWS access key.
    • Secret Access Key and Verify Secret Access Key: Enter the AWS secret access key.
  5. Click OK.

Last modified: 8/27/2020 2:51:16 AM