Manage encryption keystores and keys in CloudLink Center

This chapter provides information about the encryption keystores, keys, and managing them in CloudLink Center.

CloudLink uses the following types of encryption keys to secure machines:

CloudLink encryption keys for securing machines

These keys can be stored in the CloudLink Center keystore or an external keystore. A keystore is a combination of a key location and a key protector. For more information, see Best practices for key location access control and backup.

  • For a machine, volume encryption keys secure the boot or data volumes, as determined by the key release policy. For more information, see CloudLink key release policies.
  • For a device, device encryption keys secure the encrypted devices. For more information, see CloudLink key release policies.
  • The volume key encryption key (VKEK) protects the volume or device encryption keys:
    • When CloudLink Center receives a request from CloudLink Agent to encrypt a volume on its machine, CloudLink Center generates a new VKEK in a keystore and uses it to encrypt the volume encryption key.
    • When a volume requires decryption, CloudLink Center decrypts the volume encryption key using the VKEK and sends it to CloudLink Agent.

It is important to understand the difference between these types of encryption keys. However, because volume and device encryption keys are created and managed by native technologies in the operating system of the machines, they are not discussed in detail in CloudLink documentation. Unless specified otherwise, the terms encryption keys and keys in this guide refer to the VKEK.

During deployment, CloudLink Center creates an initial keystore for encryption keys called CloudLink Vault. For more information about using CloudLink Vault, see Manage CloudLink Vault. If you do not want to use the initial, or default, keystore to store encryption keys, external options are available, including Microsoft Active Directory, Amazon S3, or an S3-compatible bucket.

Encryption keys are also encrypted, or protected, by one or more key protectors, including CloudLink Vault, SafeNet LunaSA, Microsoft Azure Key Vault, a KMIP key manager, or a password.

If you add keystores, only one keystore can be active for each machine group, but multiple keystores can be used in each CloudLink Center or CloudLink Center cluster deployment. Keys that are generated by CloudLink Center are stored in a keystore. You can modify and delete keystores.

If you have more than one keystore, you can move keys from a source keystore to a destination keystore. However, you cannot move keys out of a keystore that is assigned to a machine group. Moving keys is useful for consolidating as many keys as possible in a single keystore. If you prefer, you can leave keys in the keystores where CloudLink Center created them. When CloudLink Center requires a key, it checks each accessible keystore.

You can change how often CloudLink Center automatically updates keys; this interval is referred to as the key lifetime. For more information, see the section "Key Lifetime" in the topic CloudLink Machine group properties. You can also manually update keys.
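The VKEK wrapping model above (a VKEK generated in a keystore encrypts the volume encryption key, and is unwrapped on release), the lookup across every accessible keystore, and the re-wrap that a key-lifetime update implies, as an added illustrative example that is not CloudLink's own code: the in-memory `Keystore`, the key IDs, and the use of AES-256-GCM as the wrap algorithm are assumptions made for this example only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Keystore map[string][]byte // hypothetical in-memory VKEK store, keyed by key ID
const nonceLen = 12             // standard 96-bit AES-GCM nonce

// aead returns AES-256-GCM, an assumed wrap algorithm; errors cannot occur for 32-byte keys.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// WrapVEK generates a fresh VKEK in ks and returns its ID plus nonce||ciphertext of the VEK (ID bound as AAD).
func WrapVEK(ks Keystore, vek []byte) (string, []byte) {
	buf := make([]byte, 32+nonceLen) // fresh VKEK || nonce
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	vkek, nonce := buf[:32], buf[32:]
	id := fmt.Sprintf("vkek-%x", vkek[:4])
	ks[id] = vkek
	return id, append(nonce, aead(vkek).Seal(nil, nonce, vek, []byte(id))...)
}

// ReleaseVEK unwraps the VEK, checking each accessible keystore for the VKEK.
func ReleaseVEK(stores []Keystore, id string, wrapped []byte) ([]byte, error) {
	for _, ks := range stores {
		if vkek, ok := ks[id]; ok && len(wrapped) >= nonceLen {
			return aead(vkek).Open(nil, wrapped[:nonceLen], wrapped[nonceLen:], []byte(id))
		}
	}
	return nil, fmt.Errorf("cannot release VKEK %s: not in any accessible keystore or malformed", id)
}

// RotateVKEK re-wraps the VEK under a new VKEK when the key lifetime expires.
func RotateVKEK(ks Keystore, id string, wrapped []byte) (newID string, newWrapped []byte, err error) {
	vek, err := ReleaseVEK([]Keystore{ks}, id, wrapped)
	if err == nil {
		delete(ks, id) // retire the old VKEK; the VEK and the encrypted volume are unchanged
		newID, newWrapped = WrapVEK(ks, vek)
	}
	return
}
```

Because rotation only re-wraps the VEK, the volume data never has to be re-encrypted, which is why the key lifetime can be short without a performance cost on the machine.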

You can view keys in a keystore and the key history for a machine.