Managing DKE Endpoints
This section describes how to manage DKE endpoints from CCKM.
Microsoft Double Key Encryption (DKE) service can access CipherTrust Cloud Key Manager (CCKM) after you meet some prerequisites. Refer to Microsoft Double Key Encryption (DKE) Resources for more information about Microsoft DKE and the prerequisites.
Part of the prerequisites is creating a DKE endpoint. After you have created a DKE endpoint, you can:
Note
Users of the CCKM Admins group can manage DKE endpoints, whereas the users of the CCKM Users group can only view the DKE endpoints.
Creating DKE Endpoints
From CCKM GUI, create a DKE endpoint to make it available to the Microsoft DKE service. You can either create a new key encryption key (KEK) or select an existing KEK for the getkey and decrypt operations. If you do not specify a key, CCKM will automatically create a CipherTrust Manager key for you.
Note
- If you plan to use the authorization method of Role ID for the access settings of DKE keys, you are required to set up an Azure connection before creating a DKE endpoint. For more information on how to add an Azure connection, refer to Microsoft Azure Connection.
- In the Microsoft Azure application, go to the API Permissions section and configure the Directory.Read.All permission. Ensure that the Type for this permission is Application.
To create a DKE endpoint from the CCKM GUI:
- Log on to the CipherTrust Manager GUI as administrator.
- Open the Cloud Key Manager application.
- In the left pane, click Services > Microsoft DKE. The Microsoft Double Key Encryption (DKE) page is displayed.
- Click Create Endpoint. The Add Double Key Encryption (DKE) Endpoint dialog box is displayed.
- Under General Info, enter a unique Name and a description for the endpoint.
- Click Next.
- Under Endpoint Settings, provide the following settings:
  - Key URI Hostname. Enter the hostname at which CipherTrust Manager will be visible to Microsoft.
Note
The Key URI Hostname is used to construct the URL that the Microsoft DKE service will use to send requests to CipherTrust Manager, and for JWT validation.
The web interface of the CipherTrust Manager must have a valid TLS certificate signed by a trusted CA.
If SSL termination takes place at the CipherTrust Manager, the Key URI Hostname must match the FQDN of the CipherTrust Manager. If SSL termination takes place at a load balancer in front of the CipherTrust Manager, the Key URI Hostname must match the FQDN of the public-facing load balancer. Wildcard certificates are supported.
If you changed the web interface port within CipherTrust Manager from the default port of 443 to another port, include that port number in the Key URI Hostname, for example example.com:8443.
  - Key Algorithm. The only option available for the DKE key algorithm is RSA_DECRYPT_OAEP_2048_SHA256. This box is greyed out.
  - Enable success audit events. Use this toggle to enable or disable audit recording of successful Microsoft DKE operations on this endpoint. This is optional. By default, this toggle is turned on.
- Click Next.
- Under Key Material, choose to either create a new key or copy an existing key.
Note
If you do not specify a key, CCKM will automatically create a CipherTrust Manager key for you.
If creating a new key, select Create New Key and enter the Key Name. If copying an existing key, select Copy Existing Key and select a key from the Key drop-down list.
- Click Next.
- Under Authorization Parameters, provide the following settings:
  - Valid Issuer. Add a trusted issuer for the DKE endpoint. An example of a valid issuer is https://sts.windows.net/<azure tenant ID>/.
Note
This issuer must match the issuer within the JWT that the CCKM receives.
  - Under Authorization Method, select the authorization method for the access settings of DKE keys. Select only one of the following options:
    - Use Email(s) allows your organization to authorize access to DKE keys based on email addresses only.
      If you select Use Email(s), under Add Email(s), enter the email addresses that are authorized to use the DKE key and then click Add Email(s). Your entries display under Email(s).
      Note
      The wildcards '*' and '?' are supported in email addresses. The following are examples of supported wildcard formats:
      - abc*@gmail.com: supports any email that starts with abc and ends with "@gmail.com".
      - abc@?.com: supports any email that starts with abc, contains "@" followed by at least one character, and ends with ".com".
      - abc@?.?*: supports any email that starts with abc, contains "@" followed by at least one character, followed by the dot character (.), and ends with at least one character.
      - ?*@gmail.com: supports any email that starts with at least one character and ends with "@gmail.com".
    - Use Role ID(s) allows your organization to authorize access to keys based on Active Directory groups. The format is xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, where x is an alphanumeric character.
      If you select Use Role ID(s), from the Select Azure Connection drop-down menu, select the Azure connection to use for this DKE endpoint. Then under Add Role ID(s), add the role IDs that are authorized to use the DKE key and click Add Role ID(s). Your entries display under Role ID(s).
      To find out the role ID in Azure:
      - Log on to the Microsoft Entra portal.
      - In the left pane, click Identity > Users > All users.
      - On the Users page, search for the desired user.
      - Under Display Name, click the user name link. The details of the selected user are displayed.
      - Click Assigned roles. The Active assignments tab shows the roles currently assigned to the user.
      - Note down the role for which you want to find out the role ID.
      - In the left pane, click Roles & admins > Roles & admins. The Roles and administrators page displays all roles on the right.
      - Search for and select the role you noted down earlier. The "<user role> | Assignments" page is displayed.
      - Under Manage, click Description. The Summary of the role is displayed.
      - Copy the value of Template ID.
- Click Next.
- Under Review and Add, review the details you provided for the new endpoint. These details are divided into the GENERAL INFO, ENDPOINT SETTINGS, KEY MATERIAL, and AUTHORIZATION PARAMETERS sections.
Note
After the endpoint is added, KEY MATERIAL will no longer be editable.
- Click Add Endpoint. The endpoint creation starts. A Create Endpoint In Progress message is displayed on the screen. Leave the window open until the process is completed.
- Click Close. The Add Double Key Encryption (DKE) Endpoint wizard is closed.
The newly created endpoint is displayed in the list of Microsoft DKE endpoints.
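As an added example (not code from this page or from the CCKM product), the following Python models the authorization gate described under Authorization Parameters: the token's issuer must equal the configured Valid Issuer, and the caller must then match either the Email(s) list, using the wildcard rules listed above, or the Role ID(s) list. The claim names ("iss", "email", "oid"), the role lookup callback standing in for the Azure connection, and all sample values are assumptions.

```python
import re
from typing import Callable, Iterable, Set, Tuple

# Wildcard semantics taken from the page's examples: '*' matches any (possibly
# empty) sequence and '?' matches at least one character. Treating this as the
# product's exact matching rule is an assumption.
def wildcard_to_regex(pattern: str) -> "re.Pattern":
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".+")
        else:
            parts.append(re.escape(ch))  # literal characters such as '@' and '.'
    return re.compile("".join(parts), re.IGNORECASE)

def email_allowed(email: str, allowed: Iterable[str]) -> bool:
    """True if the email matches at least one configured pattern in full."""
    return any(wildcard_to_regex(p).fullmatch(email) for p in allowed)

def authorize(claims: dict, endpoint: dict,
              lookup_role_ids: Callable[[str], Set[str]]) -> Tuple[bool, str]:
    """Decide whether signature-verified JWT claims may use the endpoint's KEK."""
    # First gate: the token's issuer must equal the endpoint's Valid Issuer.
    if claims.get("iss") != endpoint["valid_issuer"]:
        return False, "issuer mismatch"
    if endpoint["authorization_method"] == "email":
        # Claim name "email" is an assumption for this illustration.
        if email_allowed(claims.get("email", ""), endpoint["emails"]):
            return True, "email authorized"
        return False, "email not authorized"
    # Role ID method: the caller's directory roles (role template IDs) are
    # resolved through the Azure connection, modelled here as a callback.
    caller_roles = lookup_role_ids(claims.get("oid", ""))
    if caller_roles & set(endpoint["role_ids"]):
        return True, "role authorized"
    return False, "no authorized role"

# Constructed sample endpoint and claims; the tenant and role IDs are placeholders.
ENDPOINT = {
    "valid_issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "authorization_method": "email",
    "emails": ["abc*@gmail.com", "?*@example.com"],
    "role_ids": ["11111111-1111-1111-1111-111111111111"],
}
CLAIMS = {"iss": ENDPOINT["valid_issuer"], "email": "abcdef@gmail.com", "oid": "user-1"}
if __name__ == "__main__":
    print(authorize(CLAIMS, ENDPOINT, lambda oid: set()))  # (True, 'email authorized')
```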
Viewing DKE endpoints
The Microsoft Double Key Encryption (DKE) page shows the list of existing DKE endpoints residing within a given URI hostname. Search for endpoints by endpoint name or key URI.
To view the list of DKE endpoints available on CCKM:
- Open the Cloud Key Manager application.
- In the left pane, click Services > Microsoft DKE. The Microsoft Double Key Encryption (DKE) page is displayed. The list of DKE endpoints added to CCKM is displayed. The page displays the following details:
Field                  Description
Name                   Name of the DKE endpoint.
Key URI                Base URL hostname for the Key URI.
Status                 State of the key. The status can be Enabled or Disabled.
KEK Name               Name of the KEK.
Key Version            Version of the key.
Algorithm              DKE key algorithm. The only option currently supported is RSA_DECRYPT_OAEP_2048_SHA256, which is the default value.
Authorization Method   Authorization type for the DKE key: Email or Role ID.
Creation Date          Time when the endpoint was created.
Last Modified          Date and time the DKE endpoint was modified. Timestamp in the format Day-Month-Year time in 24-hour notation.
Description            Description for the endpoint.
To view the custom columns, click the Customize View icon, select the desired option(s), and click OK to display the column(s).
Viewing and editing details of a DKE endpoint
After an endpoint is created, you can view and modify the endpoint details, such as the endpoint name and authorization parameters.
This section describes how to view the details of a DKE endpoint and update details relating to GENERAL INFO, ENDPOINT SETTINGS, and AUTHORIZATION PARAMETERS as needed.
To view and edit the details of Microsoft DKE endpoints on CCKM:
- Log on to the CipherTrust Manager GUI as administrator.
- Open the Cloud Key Manager application.
- In the left pane, click Services > Microsoft DKE. The Microsoft Double Key Encryption (DKE) page is displayed. The list of DKE endpoints added to CCKM is displayed.
- Click the Name link of the desired DKE endpoint. Alternatively, click the overflow icon corresponding to the desired DKE endpoint, and click View/Edit.
The edit view of the Microsoft Double Key Encryption (DKE) page is displayed.
Under GENERAL INFORMATION
- (Optional) Update the description of the DKE endpoint in the Description field.
- Click Update.
Under ENDPOINT SETTINGS
- (Optional) Enter a new Key URI Hostname to use a different URI hostname.
- (Optional) Depending on the current setting, set the Enable success audit events toggle to enable or disable audit recording of successful Microsoft DKE operations on this endpoint.
- Click Update.
Under AUTHORIZATION PARAMETERS
- (Optional) Update the trusted issuer for the DKE endpoint in Valid Issuer.
- (Optional) Depending on which authorization method you previously configured:
  If using Email authorization:
  - In Add Email(s), enter additional email addresses and then click Add Email(s). Your new entries display under Email(s). You can also delete a previously added email address by clicking the trash can icon next to the email address you wish to delete.
  If using Role authorization:
  - (Optional) In Select Azure Connection, change the Azure connection.
  - In Add Role ID(s), enter additional role IDs and then click Add Role ID(s). Your entries display under Role ID(s). You can also delete a previously added role ID by clicking the trash can icon next to the role ID you wish to delete.
- Click Update.
Enabling a DKE endpoint
From the Microsoft Double Key Encryption (DKE) page, you can enable a DKE endpoint. Enabling a DKE endpoint allows the getkey and decrypt/unwrap operations for the given Microsoft DKE endpoint.
To enable a DKE endpoint on CCKM:
- Click the Name link of the desired DKE endpoint you wish to enable. The edit view of the Microsoft Double Key Encryption (DKE) page displays.
- Under the Actions drop-down menu, select Enable. The Enable Endpoint dialog box displays. Alternatively, click the overflow icon corresponding to the desired DKE endpoint, and click Enable. The Enable Endpoint dialog box displays.
- Click Enable to proceed. After the endpoint is successfully enabled, a message displays indicating "Successfully enabled Microsoft DKE endpoint".
Disabling a DKE endpoint
From the Microsoft Double Key Encryption (DKE) page, you can disable a DKE endpoint. Disabling a DKE endpoint disallows the getkey and decrypt/unwrap operations for the given Microsoft DKE endpoint.
To disable a DKE endpoint on CCKM:
- Click the Name link of the desired DKE endpoint you wish to disable. The edit view of the Microsoft Double Key Encryption (DKE) page displays.
- Under the Actions drop-down menu, select Disable. The Disable Endpoint dialog box displays. Alternatively, click the overflow icon corresponding to the desired DKE endpoint, and click Disable. The Disable Endpoint dialog box displays.
- Click Disable to proceed. After the endpoint is successfully disabled, a message displays indicating "Successfully disabled Microsoft DKE endpoint".
Rotating a DKE endpoint
From the Microsoft Double Key Encryption (DKE) page, you can rotate a DKE endpoint, which adds a new KEK version to this endpoint. Subsequent encrypt/wrap operations this endpoint performs will use the new version of the key. Decrypt/Unwrap operations will use whichever version of the key was originally used to encrypt/wrap.
Rotating a DKE endpoint's KEK can be done even if the endpoint is disabled. Rotating the KEK regularly is a security best practice.
To rotate a DKE endpoint on CCKM:
- Click the Name link of the desired DKE endpoint you wish to rotate. The edit view of the Microsoft Double Key Encryption (DKE) page displays.
- Under VERSIONS, click Rotate. The Rotate Endpoint dialog box displays. Alternatively, click the overflow icon corresponding to the desired DKE endpoint, and click Rotate. The Rotate Endpoint dialog box displays.
- Click Rotate to proceed. After the endpoint is successfully rotated, a message displays indicating "Successfully rotated Microsoft DKE endpoint". The new key version displays in the list of key versions under VERSIONS in the edit view of the Microsoft Double Key Encryption (DKE) page.
Deleting a DKE Endpoint
From the Microsoft Double Key Encryption (DKE) page, you can delete a DKE endpoint. The getkey and decrypt operations associated with this endpoint are also deleted from the database as part of the deletion. Essentially, the record of this endpoint is deleted from the database and from CCKM. A deleted endpoint is no longer included in the list of DKE endpoints displayed on the Microsoft Double Key Encryption (DKE) page.
Note
Before deleting a DKE endpoint, you must first archive it.
To delete a DKE endpoint on CCKM:
- Click the Name link of the desired DKE endpoint you wish to delete. The edit view of the Microsoft Double Key Encryption (DKE) page displays.
- Under the Actions drop-down menu, select Delete. The Delete Endpoint dialog box displays. Alternatively, click the overflow icon corresponding to the desired DKE endpoint, and click Delete. The Delete Endpoint dialog box displays.
- Enable the I wish to delete this endpoint checkbox and click Delete. After the endpoint is successfully deleted, a message displays indicating "Successfully deleted Microsoft DKE endpoint".
Archiving a DKE Endpoint
From the Microsoft Double Key Encryption (DKE) page, you can archive a DKE endpoint. Archiving allows you to preserve a record of this endpoint in the "Archived" state, from which it can be recovered thereafter.
Note
- An archived DKE endpoint does not consume a CCKM license.
- When a key is in the archived state, it can be viewed, recovered, or deleted. It is included in the list of DKE endpoints on the Microsoft Double Key Encryption (DKE) page.
- A new KEK version cannot be added to an archived DKE endpoint, as this endpoint cannot be rotated.
To archive a DKE endpoint on CCKM:
- Click the Name link of the desired DKE endpoint you wish to archive. The edit view of the Microsoft Double Key Encryption (DKE) page displays.
- Under the Actions drop-down menu, select Archive. The Archive Endpoint dialog box displays. Alternatively, click the overflow icon corresponding to the desired DKE endpoint, and click Archive. The Archive Endpoint dialog box displays.
- Enable the I wish to archive this endpoint checkbox and click Archive. After the endpoint is successfully archived, a message displays indicating "Successfully archived Microsoft DKE endpoint".
Recovering a DKE Endpoint
From the Microsoft Double Key Encryption (DKE) page, you can recover a DKE endpoint. Recovering a DKE endpoint from the archived state allows you to enable the endpoint, thereby allowing subsequent requests for the getkey and decrypt/unwrap operations for the endpoint.
Note
A recovered DKE endpoint consumes a CCKM license.
To recover a DKE endpoint on CCKM:
- Click the Name link of the desired DKE endpoint you wish to recover from the archived state. The edit view of the Microsoft Double Key Encryption (DKE) page displays.
- Under the Actions drop-down menu, select Recover. The Recover Endpoint dialog box displays. Alternatively, click the overflow icon corresponding to the desired DKE endpoint, and click Recover. The Recover Endpoint dialog box displays.
- Enable the I wish to recover this endpoint checkbox and click Recover. After the endpoint is successfully recovered, a message displays indicating "Successfully recovered Microsoft DKE endpoint".