External KMIP Keystore Overview

Describes the External KMIP Keystore functionality.

An external keystore is a third party server that securely manages authentication keys used by a client. The functions of an external keystore include:
  • Secure cryptographic key generation
  • Secure cryptographic key storage at least for the top level and most sensitive keys, often called master keys
  • Key management
Keystores meet the requirements of international standards such as Common Criteria and various levels of FIPS 140-2, which gives users independent assurance that the design and implementation of the product and its cryptographic algorithms are secure. With external keystore support, enterprise customers in sectors such as finance, legal and government can obtain the highest levels of protection.
NOTE General purpose Hardware Security Modules (HSMs) can also function as external keystores, so although their feature set may be different, the terms HSM and keystore may be used interchangeably in this topic.

Use the external keystore to store data-fabric cryptographic keys and passwords.

ATTENTION You can use HSM keystores from only one vendor per cluster.

Advantage of the KMIP Keystore

KMIP is a key management standard defined by the Organization for the Advancement of Structured Information Standards (OASIS), a global nonprofit consortium that works on the development, convergence and adoption of open standards for security and other areas.

The primary advantage of KMIP for key management is interoperability. With KMIP, the key management client and the server communicate using the same protocol, allowing data-fabric customers to choose any HSM vendor that supports KMIP.

KMIP Use Case Examples

Use KMIP to secure customer deployments that require highly secure, automated workflows to protect data at rest. The use cases for HSMs for data-fabric are as follows:
  • Store the CLDB master key. Use the CLDB master key to encrypt server keys. Use the server key to generate tickets and to protect user keys and data in transit.
  • Store the DARE master key. Use the DARE master key to derive keys to encrypt storage pools to protect data-at-rest.
  • Securely generate master keys. HSMs incorporate True Random Number Generators (TRNGs), whose output seeds the secure generation of cryptographic keys.
  • Onboard secure key management, including storage, backup and restore, guaranteeing that critical master keys can never be accidentally deleted or lost.
  • FIPS 140-2 validation to provide users with the confidence that the HSM is certified to professional international standards.