Entrust KeyControl
The Entrust KeyControl implementation is work in progress (PR: xyz) and is not available yet.
This guide shows how to set up a KES server that uses Entrust KeyControl as a persistent key store:
```
                         ╔════════════════════════════════════════════════╗
┌────────────┐           ║ ┌────────────┐          ┌────────────────────┐ ║
│ KES Client ├───────────╫─┤ KES Server ├──────────┤ Entrust KeyControl │ ║
└────────────┘           ║ └────────────┘          └────────────────────┘ ║
                         ╚════════════════════════════════════════════════╝
```
Entrust KeyControl is a proprietary KMS that provides a secret store that can be used by KES.
This guide assumes that you have set up an Entrust KeyControl v10.1 cluster. For setting up an Entrust KeyControl cluster, check out the Entrust documentation.
1. Create a new Vault
First, log in to your KeyControl cluster as secroot and create a new PASM Vault.
2. Log in to the Vault
Now, log in to your KeyControl cluster as the Vault admin (as specified when creating the Vault). The Vault admin should have received an email with a one-time password. The Vault URL can also be viewed in the Vault details tab:
3. Create a new Box
Once logged into the KeyControl Vault, create a new Box under Manage Boxes.
Do not set a checkout or rotation duration.
4. Attach the 'Vault User' role policy
Now create a new policy with the Vault User role and attach the policy to the user account used by KES.