Migrate DSM Source Keys

This section provides instructions to migrate the DSM source keys from CCKM Appliance to the CipherTrust Manager as a Service. This section assumes that you have already migrated only the cloud keys to the CipherTrust Manager as a Service. Refer to Migrate Cloud Keys Only.

Note

The user who performs the migration becomes the owner of the migrated keys.

Steps

The high-level steps involved are:

  1. Generate RSA Key Pair

  2. Create Migration Data

  3. Get the uploadID

  4. Apply Migration Data

  5. Check Migration Status

The steps above apply to the root domain only. To perform migration on a child domain, refer to Migration from CCKM Appliance to Child Domain.

Generate RSA Key Pair

Creating migration data from CCKM Appliance requires an RSA key pair (public and private) on the CipherTrust Manager as a Service. The public key is used to encrypt the data while the private key is used to decrypt the migrated data.

To generate an RSA key pair, run the ksctl keys create command:


./ksctl-linux-amd64 keys create --name <rsa-key-name> --alg <key-algorithm> --size <key-size>

Here,

  • --name: Name for RSA key pair.

  • --alg: Algorithm for the RSA key pair.

  • --size: Size for the key pair.

Example:


./ksctl-linux-amd64 keys create --name rsa-key --alg RSA --size 4096

Output:

{
    "id": "b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1",
    "uri": "kylo:kylo:vault:keys:rsa-key-v0",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2021-05-07T03:55:47.519466Z",
    "name": "rsa-key",
    "updatedAt": "2021-05-07T03:55:47.519466Z",
    "usage": "sign",
    "usageMask": 3,
    "meta": {
        "ownerId": "local|5e3b45c6-6f26-4413-9752-e6fd15418a61"
    },
    "version": 0,
    "algorithm": "RSA",
    "size": 4096,
    "unexportable": false,
    "undeletable": false,
    "neverExported": true,
    "neverExportable": false,
    "emptyMaterial": false,
    "publickey": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwfd4fDEgdJydUPOkPpAL\nriQW+IpwM9oSte//pv45UXpw0wkag1FbSmEUQQMf02KdRW5so+4jrkX44gQhmDTA\namrpijweJa0HzkaqnTkMtCUtFP9nbx33JiWRSYSKqXsEJho+P9SqXz45uxf7iis5\n4NF0SpZSIYi3COH4xtJ7hK+6BXbLXBZHVpfQ6LN8p/+WDwcIIkSyWGQxj4V0xTwV\nfNBNoQrXvanrEX+nide28vuX1bJ1UzglhUwcFT12VZL8KIrkviCKMwkBNIuuiXgh\nbtYGBy84ZbPjREgaodbaU45vj38/dpusL75Q2hkUdv5mYvTqN+OPVbJrTTQFzGfw\nM3Pt86iBFfu3XH/ZMH4dbV3HHXJP7+mHI3cOhUlvojwx9hnKygn3fY4Darx/N0yr\niCp6Sz7FI3sExAAIeF+AJ7zqyXK6a/NGve5gAqt1w3fnOYIFeD8f6oXOYBFFniu3\n3uX//4WcNdgyTXKXhDsZAtaLqmHv9jIwGZ0pTlj8xefZPbkoDNON3uC92b0tzI7F\n7+IqOiEf5bg4huU/EJh8emYgU8mPZGpwPtPVUFiKmOY7EbvHS1C6RIqRE1hnCZAa\nZSMup6LLzZGvk6SM0339c5gDJuS+kGkYK/fOwuWJ7qO5m+T/27J1IoNna6JuZ9el\nZDMxs7Rqj4cdezaa3CTV4l8CAwEAAQ==\n-----END PUBLIC KEY-----\n",
    "defaultIV": "78f83dddc0ee01a2ab3ff579c908a33a",
    "sha1Fingerprint": "878bcd84e81c4170",
    "sha256Fingerprint": "c9c2d321b21d34a3e82460df8839e55f3ebca977766658d830d5100fb29bed75",
    "objectType": "Private Key",
    "activationDate": "2021-05-07T03:55:43.229267Z",
    "state": "Active",
    "aliases": [
        {
            "alias": "rsa-key",
            "type": "string",
            "index": 0
        }
    ],
    "links": [
        {
            "id": "6dc578f7-1864-43a7-899a-5035d54f1772",
            "uri": "kylo:kylo:vault:links:6dc578f7-1864-43a7-899a-5035d54f1772",
            "account": "kylo:kylo:admin:accounts:kylo",
            "application": "ncryptify:gemalto:admin:apps:kylo",
            "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
            "createdAt": "2021-05-07T03:55:47.531762Z",
            "updatedAt": "2021-05-07T03:55:47.531762Z",
            "type": "publicKey",
            "source": "kylo:kylo:vault:keys:rsa-key-v0",
            "sourceID": "b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1",
            "target": "kylo:kylo:vault:keys:rsa-key-pub-v0",
            "targetID": "bd3e3bfa246f470ea6327646b3db359fcb882a6e2a6d4f839c2138569d99e395",
            "index": 0
        }
    ],
    "uuid": "4b9e7c53-40d7-44b7-9fa1-31cf8d0237d3",
    "muid": "4b9e7c53-40d7-44b7-9fa1-31cf8d0237d3e129ed33-317d-4584-9cbf-d0e882f58fca"
}

In the sample output above, "sourceID": "b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1" is the private key ID. The "targetID": "bd3e3bfa246f470ea6327646b3db359fcb882a6e2a6d4f839c2138569d99e395" under "links" is the public key ID.

Create Migration Data

Create the migration data for the DSM key source. Specify --key-source as dsm.

Run the command:

./ksctl-linux-amd64 migrations create --key-source dsm --public-key-id <public-key-id>

Here,

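  • --key-source: Specify dsm as the key source.

  • --public-key-id: ID of the public key of the RSA key pair generated in the previous step (the "targetID" under "links" in the keys create output).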

Example:

./ksctl-linux-amd64 migrations create --key-source dsm --public-key-id c9b6922153e74c1f9be4bf9344ebf8eed827aa281be947a2b249b57f9f0c5d1c

Output:

{
    "status": "In progress" 
}

Get the uploadID

After you have initiated the creation of migration data for the DSM key source, get the uploadID by running the ksctl migrations status command.

Example:

./ksctl-linux-amd64 migrations status

Output:

{
    "id": "9c9149ad-901b-405f-aefd-b279e6257f97",
    "overall_status": "Completed",
    "source": "CCKM",
    "cckm_azure_keys": {
        "status": "Completed",
        "num_processed": 100,
        "num_failed": 0,
        "num_ignored": 0
    },
    "cckm_sfdc_keys": {
        "status": "Completed",
        "num_processed": 100,
        "num_failed": 0,
        "num_ignored": 0
    },
    "cckm_aws_keys": {
        "status": "Completed",
        "num_processed": 100,
        "num_failed": 0,
        "num_ignored": 0
    },
    "cckm_dsm_keys": {
        "status": "Completed",
        "num_processed": 100,
        "num_failed": 0,
        "num_ignored": 0
    },
    "cckm_gcp_keys": {
        "status": "",
        "num_processed": 0,
        "num_failed": 0,
        "num_ignored": 0
    },
    "cckm_generate_migration": {
        "status": "Completed",
        "uploadID": "f915a761-9fa8-449d-a969-122601ef244e"
    }
}

Note down the "uploadID" value, "f915a761-9fa8-449d-a969-122601ef244e". It is required when applying the migration data. Now, you need to apply the migration data to CCKM Embedded (refer to Migrate Complete Data).

Apply Migration Data

In a clustered CipherTrust Manager as a Service environment, apply the migration data on one node only. Migrated data is automatically replicated to other nodes of the cluster.

To apply the migration data, run the command:


./ksctl-linux-amd64 migrations apply --id <uploadID> --private-key-id <private-key-id>

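Here,

  • --id: The uploadID obtained in the previous step.

  • --private-key-id: ID of the private key of the RSA key pair generated earlier (the "sourceID" value in the keys create output).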

Example:


./ksctl-linux-amd64 migrations apply --id f915a761-9fa8-449d-a969-122601ef244e --private-key-id b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1

Output:

{
    "id": "f915a761-9fa8-449d-a969-122601ef244e",
    "file_size": 70697,
    "created_at": "2022-11-28T04:24:28.004216933Z",
    "status": "In progress",
    "checksum_sha256": "8b5839e47dfbb68b9dadb1f31e416321a5033db2b7956ddc03e07748e58258a8",
    "product": "CCKM"
}

Check Migration Status

After you have applied the migration data, verify the migration status by running the ksctl migrations status command.

Example:


./ksctl-linux-amd64 migrations status

Output:

{
    "id": "f915a761-9fa8-449d-a969-122601ef244e",
    "overall_status": "Completed",
    "source": "CCKM",
    "cckm_azure_keys": {
        "status": "Completed",
        "num_processed": 100,
        "num_failed": 0,
        "num_ignored": 0
    },
    "cckm_sfdc_keys": {
        "status": "Completed",
        "num_processed": 100,
        "num_failed": 0,
        "num_ignored": 0
    },
    "cckm_aws_keys": {
        "status": "Completed",
        "num_processed": 100,
        "num_failed": 0,
        "num_ignored": 0
    },
    "cckm_dsm_keys": {
        "status": "Completed",
        "num_processed": 100,
        "num_failed": 0,
        "num_ignored": 0
    },
    "cckm_generate_migration": {
        "status": "Completed",
        "uploadID": "f915a761-9fa8-449d-a969-122601ef244e"
    }
}

In the sample output above, "overall_status": "Completed" indicates that the migration of DSM source keys from CCKM Appliance to CCKM Embedded was successful.
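The following is an added example, not part of the Thales documentation or the ksctl tool: a small Python helper that reads the JSON printed in the steps above, picks the private and public key IDs from the keys create output, and reviews the migrations status output per key source instead of relying on "overall_status" alone. The function names and sample inputs are constructed for illustration; treating an empty "status" as "source not processed" and reporting non-zero "num_ignored" are assumptions based on the sample output shown on this page.

```python
import json

def key_pair_ids(keys_create_json):
    """Return (private_key_id, public_key_id) from `ksctl keys create` output."""
    key = json.loads(keys_create_json)
    for link in key.get("links", []):
        # The public key is a linked object; the top-level "id" is the private key.
        if link.get("type") == "publicKey" and link.get("sourceID") == key.get("id"):
            return link["sourceID"], link["targetID"]
    raise ValueError("no publicKey link for this key")

def review_status(status_json):
    """Return (upload_id, findings) from `ksctl migrations status` output."""
    status = json.loads(status_json)
    findings = []
    if status.get("overall_status") != "Completed":
        findings.append("overall_status=%r" % status.get("overall_status"))
    for name, part in sorted(status.items()):
        if not (name.endswith("_keys") and isinstance(part, dict)):
            continue
        # Assumption: "" means the key source was not part of this migration.
        if part.get("status") not in ("Completed", ""):
            findings.append("%s status=%r" % (name, part.get("status")))
        for counter in ("num_failed", "num_ignored"):
            if part.get(counter, 0) > 0:
                findings.append("%s %s=%d" % (name, counter, part[counter]))
    upload_id = status.get("cckm_generate_migration", {}).get("uploadID")
    return upload_id, findings

# Constructed samples, abridged from the field layout of the outputs shown above.
PRIVATE_ID = "b4336425a98541b68a105326be8abd777ac994f789ac46c2a79dd202bd4c33c1"
PUBLIC_ID = "bd3e3bfa246f470ea6327646b3db359fcb882a6e2a6d4f839c2138569d99e395"
SAMPLE_KEY = json.dumps({
    "id": PRIVATE_ID,
    "name": "rsa-key",
    "links": [{"type": "publicKey", "sourceID": PRIVATE_ID, "targetID": PUBLIC_ID}],
})
SAMPLE_STATUS = json.dumps({
    "overall_status": "Completed",
    "cckm_dsm_keys": {"status": "Completed", "num_processed": 100,
                      "num_failed": 2, "num_ignored": 0},  # constructed failure
    "cckm_gcp_keys": {"status": "", "num_processed": 0,
                      "num_failed": 0, "num_ignored": 0},
    "cckm_generate_migration": {"status": "Completed",
                                "uploadID": "f915a761-9fa8-449d-a969-122601ef244e"},
})

if __name__ == "__main__":
    print(key_pair_ids(SAMPLE_KEY))
    print(review_status(SAMPLE_STATUS))
```

An empty findings list together with a non-empty uploadID is the condition to look for before moving on to the apply step or closing out the migration.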