Before you can enroll applications, add databases, and enable encryption, you must enroll a Keystore so that Baffle Manager can access and/or create the data encryption keys (DEKs) used to protect your data.

Baffle Data Protection Services supports a range of Keystore vendors through industry-standard interfaces such as KMIP, PKCS#11, and REST APIs. Follow the steps below to enroll a Keystore for use with Baffle Shields and databases.

The general procedure for connecting to a keystore is the same for all platforms.

To connect to the keystore, do the following:

  1. Display the list of configured keystores. After logging in to Baffle Manager, click the key icon in the left navigation bar. If this is the first time you are enrolling a Keystore, the list contains only the “baffle_credential_store” created in the previous section.

  2. Click +KEYSTORE in the top right corner to add a new Keystore.

  3. Enter a Keystore name and description.  
  4. Select the Keystore Type from the dropdown menu and enter respective parameters.
    NOTE: Keystore parameters are specific to the Keystore type or vendor. Each of the following keystores has its own specific set of options:
    – LOCAL
    – AWS KMS 
    – Azure Key Vault
    – Cloud HSM
    – IBM Key Protect
    – SafeNet KeySecure
    – Generic HSM
    – Hashicorp Vault

    LOCAL keystore configuration example

    AWS KMS keystore configuration example
    The IAM role (or user) that Baffle Manager uses for this keystore must be granted the “kms:Decrypt” action in its IAM policy, and the KMS key's own key policy must permit that principal to use the key; without kms:Decrypt the keystore cannot be used.


  5. When completed, click Add Keystore.
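Before enrolling an AWS KMS keystore it is worth confirming offline that the IAM policy you intend to attach to Baffle Manager's role really grants kms:Decrypt on the key, since a policy that only covers other KMS actions passes no UI validation until the keystore fails in use. The following added example is not part of this documentation or of Baffle's software: it is a small, self-contained policy checker of my own that evaluates an IAM policy document against one action and one key ARN using IAM's Deny-wins semantics. The key ARN, account ID, and the two sample policies are constructed for illustration. The checker models only Effect, Action/NotAction and Resource/NotResource; it does not evaluate Condition blocks (an Allow with a Condition is conservatively not counted, a Deny with a Condition is conservatively counted), nor key policies, permission boundaries or SCPs, so a passing result here is necessary, not sufficient.

```python
"""Offline pre-check: does an IAM policy grant kms:Decrypt on the Baffle keystore key?

Added example; not Baffle Manager code. Models a subset of IAM evaluation only.
"""
import fnmatch
import json

# Constructed sample key ARN (fictitious account and key ID).
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"

# Constructed minimal policy: exactly what the page requires (kms:Decrypt on the key).
MINIMAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BaffleKmsDecrypt", "Effect": "Allow",
         "Action": ["kms:Decrypt"], "Resource": KEY_ARN}
    ],
}

# Constructed broken policy: grants a KMS action, but not Decrypt, so enrollment would not work.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DescribeOnly", "Effect": "Allow",
         "Action": "kms:DescribeKey", "Resource": "*"}
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive):
    """IAM wildcard match ('*' and '?'); action names are case-insensitive, ARNs are not."""
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _statement_applies(stmt, action, resource):
    """True if the statement's Action/NotAction and Resource/NotResource cover the request."""
    if "Action" in stmt:
        action_ok = _matches(_as_list(stmt["Action"]), action, True)
    elif "NotAction" in stmt:
        action_ok = not _matches(_as_list(stmt["NotAction"]), action, True)
    else:
        action_ok = False
    if "Resource" in stmt:
        resource_ok = _matches(_as_list(stmt["Resource"]), resource, False)
    elif "NotResource" in stmt:
        resource_ok = not _matches(_as_list(stmt["NotResource"]), resource, False)
    else:
        resource_ok = False
    return action_ok and resource_ok


def policy_grants(policy, action, resource):
    """Return (granted, reason). An explicit Deny wins over any Allow, as in IAM.

    Conservative handling of Condition: an Allow carrying a Condition is ignored
    (we cannot prove it is satisfied); a Deny carrying a Condition is honoured.
    """
    allow_sid = None
    for stmt in _as_list(policy.get("Statement")):
        effect = stmt.get("Effect")
        sid = stmt.get("Sid", "<no Sid>")
        if not _statement_applies(stmt, action, resource):
            continue
        if effect == "Deny":
            return False, f"explicit Deny in statement {sid}"
        if effect == "Allow" and "Condition" not in stmt and allow_sid is None:
            allow_sid = sid
    if allow_sid is not None:
        return True, f"allowed by statement {allow_sid}"
    return False, f"no unconditional Allow covers {action} on {resource}"


def check_keystore_policy(policy, key_arn, required_actions=("kms:Decrypt",)):
    """Evaluate every action Baffle Manager needs; the page documents kms:Decrypt."""
    return [(action, *policy_grants(policy, action, key_arn)) for action in required_actions]


if __name__ == "__main__":
    for name, policy in (("minimal", MINIMAL_POLICY), ("broken", BROKEN_POLICY)):
        for action, ok, why in check_keystore_policy(policy, KEY_ARN):
            print(f"{name:8s} {action}: {'OK' if ok else 'MISSING'} ({why})")
    # Policy document to attach to the role, for copy-and-paste:
    print(json.dumps(MINIMAL_POLICY, indent=2))
```

Run the script against the policy JSON you plan to attach (load it with `json.load` in place of `MINIMAL_POLICY`); a `MISSING` line means the enrolled keystore would be unable to decrypt with that role even if the Baffle Manager form accepts the parameters.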

