Before you can enroll your applications, add databases and enable encryption, you must enroll your Keystore so Baffle Manager can access and/or create data encryption keys (DEKs) that will be used to protect your data.
Baffle Data Protection Services supports various Keystore vendors using industry-standard protocols such as KMIP, PKCS#11, and REST APIs. Follow the steps below to enroll a Keystore for use with Baffle Shields and databases.
The general procedure for connecting to a keystore is the same for all platforms.
To connect to the keystore, do the following:
- Display a list of configured keystores. After logging into Baffle Manager, click the key icon in the left navigation bar. If this is the first time you are enrolling a Keystore, only the “baffle_credential_store” created in the previous section will be listed.
- Click +KEYSTORE in the top right corner to add a new Keystore.
- Enter a Keystore name and description.
- Select the Keystore Type from the dropdown menu and enter the parameters required for that type.
NOTE: Keystore parameters are specific to the Keystore type or vendor. Each of the following keystores has its own specific set of options:
– AWS KMS
– Azure Key Vault
– Cloud HSM
– IBM Key Protect
– SafeNet KeySecure
– Generic HSM
– HashiCorp Vault
Figure: LOCAL keystore configuration example
Figure: AWS KMS keystore configuration example
NOTE: The AWS IAM role used for this keystore must allow the “kms:Decrypt” action in its policy, or the keystore will not work.
- When completed, click Add Keystore.
- Continue with Connect to a Data Store.
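The note on the AWS KMS keystore only says the role needs kms:Decrypt; it does not say how broad the grant should be. The following is an added example, not part of Baffle's documentation or product, showing a least-privilege inline policy scoped to a single key (the key ARN is a placeholder) together with a small check that confirms the requirement is met and flags wildcard actions or resources. Whether your deployment needs further KMS actions (for example, when Baffle Manager creates DEKs) is not stated on this page and is not assumed here.

```python
import json

# Constructed placeholder: replace with the ARN of the KMS key Baffle will use.
BAFFLE_KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"

# Constructed example policy for the role enrolled as the AWS KMS keystore:
# exactly the action the note requires, on exactly one key.
BAFFLE_KMS_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BaffleDecryptDEKs",
            "Effect": "Allow",
            "Action": ["kms:Decrypt"],
            "Resource": BAFFLE_KMS_KEY_ARN,
        }
    ],
}


def _as_list(value):
    # IAM allows Action/Resource to be a single string or a list.
    return value if isinstance(value, list) else [value]


def check_kms_policy(policy, key_arn):
    """Return findings for an IAM policy document (empty list means OK).

    Confirms some Allow statement grants kms:Decrypt on key_arn and flags
    statements that grant more than that (wildcard actions or resources).
    """
    findings = []
    decrypt_granted = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        covers_key = key_arn in resources or "*" in resources
        if covers_key and ("kms:Decrypt" in actions or "kms:*" in actions):
            decrypt_granted = True
        if "kms:*" in actions or "*" in actions:
            findings.append(f"{sid}: wildcard action grants more than kms:Decrypt")
        if "*" in resources:
            findings.append(f"{sid}: wildcard resource; scope to the Baffle key ARN")
    if not decrypt_granted:
        findings.append("no Allow statement grants kms:Decrypt on the Baffle key")
    return findings


if __name__ == "__main__":
    print(json.dumps(BAFFLE_KMS_ROLE_POLICY, indent=2))
    print(check_kms_policy(BAFFLE_KMS_ROLE_POLICY, BAFFLE_KMS_KEY_ARN))
```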