CipherTrust Manager Administration
The CipherTrust Manager is built on prevailing cloud-based technologies, providing a cloud friendly, key management solution. It employs a REST interface and a microservice based architecture, allowing for easy deployment and scalability within your environment. With this new architecture, the CipherTrust Manager simplifies administration, helps ensure compliance, and maximizes security by providing centralized management of keys, policies, and essential functions.
Product references made in this document
CipherTrust Manager - refers to all platforms running the CipherTrust Manager software.
Virtual CipherTrust Manager k170v and Virtual CipherTrust Manager k470v (or simply k170v and k470v) - refer specifically to virtual and private cloud instances running the CipherTrust Manager Software.
k170v is intended for simplified and centralized key management. For example, k170v is suited to lab environments, low transaction encryption use cases, and storage encryption key management with KMIP (Key Management Interoperability Protocol). k170v allows for the usage of four CPUs or fewer. k170v is applied as a license.
k470v is intended to support high transaction-per-second encryption operations as is typically required from the CipherTrust Data Security Portfolio suite. k470v allows for the usage of more than four CPUs. k470v is applied as a license.
CipherTrust Manager k470, k570, and k160 Appliances (or simply k470, k570, and k160) - refers specifically to the k470, k570, and k160 physical appliances running the CipherTrust Manager Software.
SafeNet KeySecure Classic (or simply KeySecure Classic) - refers to the previous generation of SafeNet KeySecure Appliances (models k450 and k460). You can migrate data from these appliances to CipherTrust Manager k470 and k570 physical appliances.
This document is intended for personnel responsible for maintaining your organization's security infrastructure. This includes security officers, key manager administrators, and network administrators.
All products manufactured and distributed by Thales Group are designed to be installed, operated, and maintained by personnel who have the knowledge, training, and qualifications required to safely perform the tasks assigned to them. The information, processes, and procedures contained in this document are intended for use by trained and qualified personnel only.
It is assumed that users of this document are proficient with security concepts.
CipherTrust Manager offers robust capabilities for managing cryptographic keys across their lifecycle, including key generation, key import and export, and key rotation. With the CipherTrust Manager, all cryptographic keys are stored in a centralized, hardened appliance to simplify administration while ensuring tight security for the broadest array of data types.
Customers can deploy multiple CipherTrust Manager appliances in a clustered configuration with real-time replication of keys, policies, and configuration information across multiple appliances - enabling complete disaster recovery and business continuity. For large distributed enterprises that use multiple encryption solutions, keys can be centrally managed without making any perceptible impact on system performance.
CipherTrust Manager offers key management capabilities that can be integrated with virtually any commercial encryption product. Supported technologies include:
SafeNet Luna Network HSM, TCT Luna T-Series Network HSM, and AWS HSM partitions
Database encryption, including native database encryption
File and storage level encryption solutions
The CipherTrust Manager supports a wide range of open standard cryptographic interfaces, including PKCS #11, JCE, and .NET. The CipherTrust Manager also supports the Key Management Interoperability Protocol (KMIP). Further, customers and partners can take advantage of the REST interface to develop their own custom software utilizing the enterprise key management functionality of the CipherTrust Manager.
CipherTrust Manager offers a range of robust security features:
Granular Attribute Based Access Control (ABAC) authorization capabilities
Secure key distribution through support of TLS
Secure storage of key encryption keys on a SafeNet Luna Network HSM
CipherTrust Manager's NAE-XML interface is an adapter layer that translates XML requests into CipherTrust Manager's REST API. However, the REST API is structured differently than NAE-XML. The functions and configuration of CipherTrust Manager is modeled as a set of resources that can be managed via the REST API. The REST API online documentation goes into more detail about the specific attributes of the resources, and what operations you can perform on them.
The CipherTrust Manager also includes a CLI toolkit, named ksctl, that can be downloaded and run locally to perform management functions. ksctl exclusively uses the REST API to communicate with the CipherTrust Manager. Many examples make use of ksctl. For more information on ksctl, go to CLI toolkit.