This topic explains how to create a symmetric encryption key inside of the Vormetric Data Security Manager (DSM).
Before you begin, you must be able to:
- Access your SSL VPN account and connect to your Armor environment.
- Access the DSM configuration provisioning ticket in the Armor Management Portal (AMP).
- This ticket contains the necessary administrator credentials and the public IP address for the DSM.
- Access the DSM and log in as a Security Administrator
Create a Symmetric Encryption Key
- Log in as the Security Administrator.
- At the top, click Keys. For the purpose of this exercise, you can disregard the drop-down menu items.
- After you click Keys, the window below appears. For now, the only key that should appear is clear_key.
- Click Add on either the top or bottom of the window.
- In Name, enter a descriptive name. This name appears when you search through the list of keys used in your policies. This name also appears in your host if you run the secfsd -status GuardPoint command.
- (Optional) In Description, enter additional details for identification and usage purposes.
- In Template, the default selection is Choose One. Armor recommends that you keep the default selection.
- In Algorithm, there is the AES256 and AES218 option. For your reference, Advanced Encryption Standard with a 256-bit key (AES256) has a higher level of data security than the DSM default of AES128, while still maintaining low performance overhead.
- In Key Type, select where you want to store the key. There are two options.
- Stored on Server is the more secure option, where the key is stored exclusively on the DSM. Each time the key is needed, the host retrieves it. While this is the more secure potion, there are some disadvantages. If the host reboots or loses contact with the DSM, the host will not have the key in persistent memory to unlock the GuardPoints until connectivity is restored.
- Cached on Host stores a copy of the key (in an encrypted form) to persistent memory on the host. With this option, it is possible to unlock the GuardPoints before connectivity is restored. This option is the more commonly used selection.
- (Optional) You can check the Unique to Host box if you want to restrict the key usage to a single host. This option is not commonly used because backups and restores are more complicated when you manage multiple keys.
- In Key Creation Method, the default selection is Generate. Armor recommends that you keep the default selection. This option automatically generates a key using a random seed.
- The other option, Manual Input, generates a key using an imported file and is rarely used.
- In Expiry Date, you can set the expiration date and a reminder to rekey at a specified time. This option is rarely used; however, this option may be needed to fulfil stricter compliance mandates.
- In Key Refreshing Period (minutes), the default selection is 10080. Armor recommends that you keep the default selection.
Next Step: Vormetric Policy Planning
Was this helpful?