Bring Your Own Key for AWS Key Management Service and Entrust KeyControl

- Industries
- Solutions
  - Our Expertise
  - Strong Identities
  - Secure Payments
  - Protected Data
- Featured Products
  - As a Service Products
- Enterprise ID & Issuance
  - Instant ID as a Service
    Learn More
  - Instant Issuance
- Financial ID & Issuance
  - Digital Card Solution
    Learn More
  - Digital Banking
    1. Digital Account Opening
    2. Digital Card Solution
  - Instant Issuance
  - Central Issuance
- Government ID & Issuance
  - Digital Citizen
    1. Seamless Travel as a Service
    2. ePassport as a Service
  - Instant Issuance
    1. Other citizen IDs and licenses.
    2. System Software
    3. Supplies
    4. Services
  - Central Issuance
    1. Passports, national IDs and driver licenses.
    2. Passport Issuance Systems
    3. National ID and Driver License Systems
    4. Inline Delivery & Insertion
    5. Standalone Delivery & Insertion
    6. System Software
    7. Supplies
    8. Services
  - Identity Verification as a Service
    Our IDVaaS solution allows remote verification of an individual’s claimed identity for immigration, border management, or digital services delivery.
    Learn More
- Cloud Security Posture Management
  - CloudControl 30-Day Free Trial
    Entrust CloudControl offers comprehensive security and automated compliance across virtualization, public cloud, and container platforms while increasing visibility and decreasing risks that can lead to unintended downtime or security exposure.
    Start Free Trial
- Key Management and Encryption
  - KeyControl for VM Encryption
  - KeyControl 30-Day Free Trial
    VMware vSphere and vSAN encryption require an external key manager, and KeyControl is VMware Ready certified and recommended. KeyControl enables enterprises to easily manage all their encryption keys at scale, including how often keys are rotated, and how they are shared securely.
    Start Free Trial
- Hardware Security Modules (HSM)
  - 1. nShield as a Service
  - nShield HSMs
  - Why you need an HSM
    Learn about all the details related to what hardware security modules offer you in security and cost savings...
    Learn More
- Digital Certificates
  - 1. Buy Certificates
    2. Renew Certificates
  - TLS/SSL Certificates
  - Qualified Certificates
    1. QWAC eIDAS Certificates
    2. QWAC PSD2 Certificates
  - Sales and Services
- Identity and Access Management (IAM)
  - Products
    1. Identity as a Service
      Cloud-Based IAM
    2. Identity Enterprise
      On-prem IAM
    3. Identity Essentials
      On-prem MFA solution for Windows users
    4. APIs and SDKs
  - Get Entrust Identity as a Service Free for 60 Days
    Explore the Identity as a Service platform that gives you access to best-in-class MFA, SSO, adaptive risk-based authentication, and a multitude of advanced features that not only keep users secure, but also contribute to an optimal experience.
    Start Free Trial
- Electronic and Digital Signing
  - Digital Signing as a Service
  - Digital Signing Certificates
  - Digital Signing Infrastructure
  - EU Qualified Trust Services
    In addition to our long-standing Adobe Approved Trust List (AATL) membership, we are a European Qualified Trust Service Provider for the issuance of eIDAS qualified certificates for qualified signatures and advanced seals, for PSD2 certificates and for QWACs
    Learn More
- Public Key Infrastructure (PKI)
  - PKI Products
  - Managed Services
  - Cryptographic Center of Excellence
  - Try Post-Quantum PKI as a Service Now
    Get PQ Ready. PKIaaS PQ provides customers with composite and pure quantum Certificate Authority hierarchies.
    Try Now
- Resources
  - Issuance Systems Knowledge Base
    Learn More
  - Digital Security Knowledge Base
    Learn More
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Partners
  - Partner with Entrust
    Join one or more of our partner programs and we’ll help you increase profitability, expand your brand, and target strategic customers.
    Learn More
  - Partner Directory
    Search for partners based on location, offerings, channel or technology.
    Search for a Partner
  - Programs
  - Partner Logins
- Buy
  - Shop Certificate Services
    Shop for new single certificate purchases.
    Learn More
  - Certificate Services Customer Portal
    Existing Entrust Certificate Services customers can login to issue and manage certificates or buy additional services.
    Learn More
  - Certificate Services Partner Portal
    Existing partners can provision new customers and manage inventory.
    Learn More
  - Instant Financial Card Issuance Supplies
    1. Registered Customer Login
    2. Request Access
- About Entrust
  - Securing a World in Motion Since 1969
    We’ve established secure connections across the planet and even into outer space. We’ve enabled reliable debit and credit card purchases with our card printing and issuance technologies. Protected international travel with our border control solutions. Created secure experiences on the internet with our SSL technologies. And safeguarded networks and devices with our suite of authentication products.
    Explore Our History
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Search Entrust
  - Search:

Introduction
- Documents to read first
- Product configurations
Procedures

Introduction

This document describes the integration of AWS Bring Your Own Key (referred to as AWS BYOK in this guide) with the Entrust KeyControl Key Management Solution (KMS).

Documents to read first

This guide describes how to configure the Entrust KeyControl server as a KMS in AWS BYOK.

To install and configure the Entrust KeyControl server as a KMIP server, see the Entrust KeyControl nshield HSM Integration Guide . You can access this in the Entrust Document Library.

Also refer to the documentation and set-up process for AWS Key Management Service (KMS) in AWS Key Management Service .

Also refer to video for the set-up process with IAM at Getting Started with AWS Identity and Access Management .

Product configurations

Entrust has successfully tested the integration of KeyControl with Azure BYOK in the following configurations:

System	Version
Entrust KeyControl	5.5.1

Procedures

Follow these steps to install and configure KeyControl with VSP.

Install and configure Entrust KeyControl
Create a customer managed policy in AWS
Create IAM User in AWS
Attach a policy to an IAM user in AWS
Create an AWS CSP account
Create a key set in KeyControl
Create a cloud key in KeyControl
Create a cloud key in AWS Key Management Service
Remove a cloud key in KeyControl
Delete a cloud key in KeyControl
Cancel a cloud key deletion in KeyControl
Rotate a cloud key in KeyControl

Install and configure Entrust KeyControl

Follow the installation and set-up instructions in the Entrust KeyControl nshield HSM Integration Guide . You can access this in the Entrust Document Library.

Create a customer managed policy in AWS

To create a customer managed policy in AWS:

Go to the IAM Service and select Access management > Policies from the left menu.
On the Policies page, select Actions > Create Policy . For example:
On the Create Policy page, select Chose a service and search for IAM . Select the following permissions:
- IAM GetUser .
- IAM ListUsers .
- IAM ListAccessKeys .
- IAM CreateAccessKey .
- IAM DeleteAccessKey .
- IAM UpdateAccessKey .
Select Add additional permissions . Select Chose a service and search for KMS . Select the following permissions:
- All KMS actions .
Select Add additional permissions . Select Chose a service and search for EC2 . Select the following permissions:
- DescribeRegions .
Select Add additional permissions . Select Chose a service and search for Systems Manager . Select the following permissions:
- GetParameter .
The permissions should be listed as follows:
Select the JSON tab. For example:

If there are warnings with the resource group, click All resources .
Select Next: Tags and add any appropriate tags.
Select Next: Review and enter values for the following properties:
- Name .
- Description .
- Summary .
Select Create policy . For example:

For further information, refer to the AWS BYOK Service Account Requirements in the KeyControl online documentation.

Create IAM User in AWS

To create IAM User in AWS:

Go to the IAM Service and select Access management > Add users from the left menu.
On the Users page, select Add users . For example:
Enter values for the following properties:
- User name .
- Select AWS credential type .
- Console password .
For example:
Add the user to a group that complies with your organization’s standards.
Add the necessary tags. For example:
Review the permissions and then select Create user . For example:
Click the hyperlink to download the credentials of the new user. For example:

Attach a policy to an IAM user in AWS

To attach a policy to an IAM user in AWS:

Go to the IAM Service and select Access management > Policies from the left menu.
On the Policies page, select your policy ( aws-byok-policy ).
Select Actions > Attach .
Search for your IAM User ( AWSBYOKKeycontrolUser ) in the search bar and select Attach policy .

Create an AWS CSP account

To create an AWS CSP account:

In KeyControl, select BYOK on the main toolbar.
Select the CSP Accounts tab.
Select Actions > Add CSP Account .

The Add CSP Account dialog appears.
In the Details tab, enter the information downloaded during the Create IAM User in AWS process. For example:

Note
The region selected has to match your AWS region.
In the Schedule tab, enter your organization’s standard rotation schedule.
Select Apply .

Create a key set in KeyControl

To create a key set in KeyControl:

In KeyControl, select BYOK on the main toolbar.
Select the Key Sets tab.
Select Actions > Create Key Set .

The Create Key Set dialog appears.
In the Details tab, enter a Name and Description for the key set. For example:
Select Continue .
In the CSP Account tab, select the account previously created ( awsbyokkeycontrol ). For example:

Note
If no accounts exist, select Add CSP Account and add the CSP account, see Create an AWS CSP account .
Select Continue .
In the HSM tab, check if an HSM is configured. For example:

If no HSM is configured, configure one and then enable it in Create Key Set .
Select Continue .
In the Schedule tab, select a Rotation Schedule matching the selection made during Create an AWS CSP account . For example:
Select Apply .

The key set is added. For example:

For further information, refer to Creating a Key Set in the KeyControl online documentation.

Create a cloud key in KeyControl

To create a cloud key in KeyControl: ttach a policy to an IAM user in AWS . In KeyControl, select BYOK on the toolbar.

Select the CloudKeys tab.
Select the Key Set and Region . For example:
Select Actions > Create CloudKey .

The Create CloudKey dialog appears.
In the Details tab, enter the Name and Description . For example:
Select Continue .
In the Access tab, select the required access for. For example:
Select Continue .
In the Schedule tab:
1. Select a Rotation Schedule .
2. Set Expiration .
For example:
Select Continue .

The cloud key is created.
Verify the cloud key is visible in the AWS Key Management Service (KMS).

For further information, refer to Creating a CloudKey in the KeyControl online documentation.

Create a cloud key in AWS Key Management Service

To create a cloud key in the AWS Key Management Service:

Navigate to Services > Key Management Service > Customer managed keys > Create Key .

The Create a key dialog appears.
Enter the following properties for Step 1: Configure key .
Select Next .
Enter the following properties for Step 2: Add labels .
Select Next .
Enter the following properties for Step 3: Define key administrative permissions .
Select Next .
Enter the following properties for Step 4: Define key usage permissions .
Select Next .
Confirm all information in Step 5: Review .
Note the new key in the AWS KMS.

To import the cloud key in KeyControl:

Select BYOK on the toolbar.
Select the Key Sets tab and select awsbyokkeyset .
Select Actions > Import CloudKey . The Import Cloud Keys dialog appears.
Select Import . The key is imported.
Select the CloudKeys tab and select Refresh .
Verify the imported key. For example:

For further information, refer to Importing a CloudKey in the KeyControl online documentation.

Remove a cloud key in KeyControl

To remove a cloud key in KeyControl:

In KeyControl, select BYOK on the main toolbar.
Select the CloudKeys tab.ttach a policy to an IAM user in AWS
Select the key to the removed. For example, AWSCloudKey .
Select Actions > Remove from Cloud .

The Remove from Cloud dialog appears.
Type the name of the key in Type CloudKey Name . For example:
Select Remove .

The cloud key is removed from KeyControl. Its Cloud Status becomes NOT AVAILABLE . For example:
Verify the key is gone in AWS KMS. For example:

For further information, refer to Removing a CloudKey from the Cloud in the KeyControl online documentation.

Delete a cloud key in KeyControl

To delete a cloud key in KeyControl:

In KeyControl, select BYOK on the toolbar.
Select the CloudKeys tab.
Select the key to the removed. For example, AWSCloudKey .
Select Actions > Delete CloudKey .

The Delete CloudKey dialog appears.
Select a time in Define when the CloudKey should be permanently deleted . For example:
Select Delete .

The cloud key is deleted from KeyControl. The Cloud Status becomes PENDING DELETE . For example:
Verify the key turns into Pending deletion in AWS KMS. For example:

For further information, refer to Deleting a CloudKey from the Cloud in the KeyControl online documentation.

Cancel a cloud key deletion in KeyControl

To cancel a cloud key deletion in KeyControl:

In KeyControl, select BYOK on the toolbar.
Select the CloudKeys tab.
Select the key for which you want to cancel a deletion. For example, AWSCloudKey .
Select Actions > Cancel Deletion .

The Cancel Deletion dialog appears. For example:
Select Cancel Delete .

The deletion is cancelled.
Verify the status change in KeyControl. For example:
Verify the key is now available in Azure. For example:

Note	The initial state of the key will be Disabled. You can set the state of the key to Enabled to use it again.

For further information, refer to Canceling a CloudKey Deletion in the KeyControl online documentation.

Rotate a cloud key in KeyControl

To rotate a cloud key in KeyControl:

In KeyControl, select BYOK on the toolbar.
Select the CloudKeys tab.
Select the key you want to rotate. Scroll down and select the Rotate Now control. For example:
Select Rotate Now .

The key is rotated.
Verify that the key has been rotated in AWS KMS. For example: