Manage encryption keystores and keys in CloudLink Center

This chapter provides information about the encryption keystores and keys in CloudLink Center, and about managing them.

CloudLink uses the following types of encryption keys to secure machines:

These keys can be stored in the CloudLink Center keystore or an external keystore. A keystore is a combination of a key location and a key protector. For more information, see Best practices for key location access control and backup.

- For a machine, volume encryption keys secure the boot or data volumes, as determined by the key release policy. For more information, see CloudLink key release policies.
- For a device, device encryption keys secure the encrypted devices. For more information, see CloudLink key release policies.
- The volume key encryption key (VKEK) protects the volume or device encryption keys:
  - When CloudLink Center receives a request from CloudLink Agent to encrypt a volume on its machine, CloudLink Center generates a new VKEK in a keystore and uses it to encrypt the volume encryption key.
  - When a volume requires decryption, CloudLink Center decrypts the volume encryption key using the VKEK and sends it to CloudLink Agent.

It is important to know the difference between the types of encryption keys that are used to secure machines. However, because volume and device encryption keys are created and managed by native technologies in the operating system of the machines, they are not discussed in detail in CloudLink documentation. Unless specified otherwise, the terms encryption keys and keys in this guide refer to the VKEK.

During deployment, CloudLink Center creates an initial keystore for encryption keys called CloudLink Vault. For more information about using CloudLink Vault, see Manage CloudLink Vault. If you do not want to use the initial, or default, keystore to store encryption keys, external options are available, including Microsoft Active Directory, Amazon S3, or an S3-compatible bucket.
Encryption keys are themselves encrypted, or protected, by one or more key protectors, including CloudLink Vault, SafeNet LunaSA, Microsoft Azure Key Vault, a KMIP key manager, or a password. If you add keystores, only one keystore can be active for each machine group, but multiple keystores can be used in each CloudLink Center or CloudLink Center cluster deployment.

Keys that are generated by CloudLink Center are stored in a keystore. You can modify and delete keystores. If you have more than one keystore, you can move keys from a source keystore to a destination keystore. However, you cannot move keys out of a keystore that is assigned to a machine group. Moving keys is useful for consolidating as many keys as possible in a single keystore. If you prefer, you can leave keys in the keystores where CloudLink Center created them. When CloudLink Center requires a key, it checks each accessible keystore.

You can change how often CloudLink Center automatically updates keys, referred to as the key lifetime. For more information, see the section "Key Lifetime" in the topic CloudLink Machine group properties. You can also manually update keys. You can view the keys in a keystore and the key history for a machine.

Child Topics

- CloudLink Center encryption key location and protector options: This topic provides information about the encryption key location and protector options in CloudLink Center.
- View keystores: Use this procedure to view the keystores that have been added. A keystore is a combination of a key location and a key protector.
- Configure a keystore: This topic provides information about configuring a keystore.
- Set the current keystore: This topic provides information about setting the current keystore.
- Modify key location of a keystore: Use this procedure to modify key location properties after adding a keystore.
- Modify key protector of a keystore: Use this procedure to modify key protector properties after adding a keystore.
- Delete a keystore: Use this procedure to delete a keystore.
- Resolve missing CloudLink Center key alarm: This topic provides information about resolving the missing CloudLink Center key alarm.
- Show keys in a keystore: Use this procedure to view the keys stored in a selected keystore.
- Move keys to another keystore: Use this procedure to move keys from one keystore to another. For example, you may want to use an external keystore such as Microsoft Active Directory instead of the initial keystore. After configuring the external keystore, move keys to it from the initial keystore.
- View event history of a keystore: Use this procedure to view the history of the encryption keys for a machine.
- Update keys: Use this procedure to reencrypt all the volume encryption keys of a machine with new volume key encryption keys (VKEK).
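The key hierarchy this chapter opens with (a volume encryption key wrapped by a VKEK, the VKEK stored in a keystore and wrapped by that keystore's key protector), together with the update-keys and move-keys operations described above, as an added Python model. This is not CloudLink product code: the Keystore and Center classes, the machine name vm-01, the machine group name, and the toy_seal/toy_open wrapping construction are assumptions made so the example runs on the standard library alone.

```python
import hashlib
import hmac
import os


def toy_seal(key, plaintext):
    """Constructed stand-in for authenticated key wrapping: HMAC-SHA256 keystream
    XOR followed by an HMAC tag (encrypt-then-MAC). Used only so this example
    needs no third-party library; a real keystore uses a vetted AEAD or AES key wrap."""
    assert len(key) == 32 and len(plaintext) <= 32
    nonce = os.urandom(16)
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def toy_open(key, blob):
    """Inverse of toy_seal; rejects a blob sealed under a different key."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("unwrap failed: wrong key or tampered blob")
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(b ^ s for b, s in zip(body, stream))


class Keystore:
    """Key location (a dict standing in for Vault, AD or an S3 bucket) plus
    key protector (the secret that wraps every VKEK kept in the location)."""

    def __init__(self, name, protector_secret):
        self.name, self._protector = name, protector_secret
        self._location = {}          # vkek_id -> VKEK wrapped by the protector
        self.assigned_group = None   # machine group this keystore is active for

    def put(self, vkek_id, vkek):
        self._location[vkek_id] = toy_seal(self._protector, vkek)

    def get(self, vkek_id):
        blob = self._location.get(vkek_id)
        return None if blob is None else toy_open(self._protector, blob)

    def ids(self):
        return list(self._location)

    def remove(self, vkek_id):
        del self._location[vkek_id]


class Center:
    """Hypothetical minimal model of CloudLink Center's VKEK handling."""

    def __init__(self):
        self.keystores = []
        self.active_vkek = {}   # machine -> id of its current VKEK
        self.history = {}       # machine -> every VKEK id issued, oldest first

    def _new_vkek(self, machine, group):
        vkek_id, vkek = os.urandom(8).hex(), os.urandom(32)
        keystore = next(k for k in self.keystores if k.assigned_group == group)
        keystore.put(vkek_id, vkek)   # generated directly into the group's keystore
        self.active_vkek[machine] = vkek_id
        self.history.setdefault(machine, []).append(vkek_id)
        return vkek_id

    def _find_vkek(self, vkek_id):
        for ks in self.keystores:     # check each accessible keystore in turn
            vkek = ks.get(vkek_id)
            if vkek is not None:
                return vkek
        raise LookupError("missing key " + vkek_id)   # the 'missing key' alarm case

    def encrypt_volume(self, machine, group, vek):
        """Agent request to encrypt a volume: wrap its OS-generated volume key
        under the machine's VKEK, creating the VKEK on first use."""
        vkek_id = self.active_vkek.get(machine) or self._new_vkek(machine, group)
        return toy_seal(self._find_vkek(vkek_id), vek)

    def decrypt_volume(self, machine, wrapped_vek):
        """Volume needs decryption: unwrap the volume key for the agent."""
        return toy_open(self._find_vkek(self.active_vkek[machine]), wrapped_vek)

    def update_keys(self, machine, group, wrapped_veks):
        """'Update keys': reencrypt all of a machine's volume keys with a new VKEK."""
        veks = [self.decrypt_volume(machine, w) for w in wrapped_veks]
        self._new_vkek(machine, group)
        return [self.encrypt_volume(machine, group, v) for v in veks]

    def move_keys(self, src, dst):
        """Re-wrap VKEKs under dst's protector; refused while src serves a group."""
        if src.assigned_group is not None:
            raise PermissionError(src.name + " is assigned to a machine group")
        for vkek_id in src.ids():
            dst.put(vkek_id, src.get(vkek_id))
            src.remove(vkek_id)


def demo():
    center = Center()
    vault = Keystore("CloudLink Vault", os.urandom(32))   # initial keystore
    vault.assigned_group = "Default"
    external = Keystore("external", os.urandom(32))
    center.keystores += [vault, external]
    vek = os.urandom(32)   # constructed: the volume key the machine's OS created
    wrapped = center.encrypt_volume("vm-01", "Default", vek)
    out = {"roundtrip": center.decrypt_volume("vm-01", wrapped) == vek}
    rewrapped = center.update_keys("vm-01", "Default", [wrapped])
    out["after_update"] = center.decrypt_volume("vm-01", rewrapped[0]) == vek
    out["history_len"] = len(center.history["vm-01"])
    try:
        center.decrypt_volume("vm-01", wrapped)   # old wrap under the retired VKEK
        out["old_wrap_rejected"] = False
    except ValueError:
        out["old_wrap_rejected"] = True
    try:
        center.move_keys(vault, external)         # vault still assigned: refused
        out["move_blocked"] = False
    except PermissionError:
        out["move_blocked"] = True
    vault.assigned_group, external.assigned_group = None, "Default"
    center.move_keys(vault, external)
    out["moved"] = not vault.ids() and center.decrypt_volume("vm-01", rewrapped[0]) == vek
    return out
```

Running demo() walks through the chapter's operations in order: the volume key survives an update-keys cycle because only the VKEK layer is replaced, a wrap made under the retired VKEK no longer opens, the move is refused while the source keystore is still assigned to a machine group, and after the move CloudLink Center still finds the key because it checks every accessible keystore.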