Skip to main content
This section explains how to create a new HSM Protected key group on the KMES and how the different key operations work for pushing keys to AWS KMS.
If you have a firewall in your environment, ensure that it allows the *.amazonaws.com:443 endpoint to pass from the KMES to the internet. If you need a more specific endpoint, refer to the following documentation: https://docs.aws.amazon.com/general/latest/gr/kms.html

Create a new HSM Protected key group

Key groups act as both a container for keys and a template for creating keys within the key group, enabling you to define various key HSM Protected attributes, such as the type of key, the key rotation schedule, and the service to use (such as Amazon Web Services). Perform the following steps to create an HSM Protected key group:
1
Log in to the KMES Series 3 application interface by using the default admin identities.
2
Go to Key Management > Keys.
3
Right-click the Key Group background, select Add> Key Group, and select the following options:
OptionRequired configuration
Key TypeSymmetric.
Storage LocationHSM Protected.
The AWS KMS integration does not support asymmetric keys.
4
Select [ OK ] to continue.
5
In the next window, set up the parameters for the key group. On the Group tab, make the following changes:
OptionRequired configuration
NameChoose a descriptive name.
ServiceAmazon Web Services.
CredentialSelect [ Select ] and choose the credential you created from the CSV.
Key TypeAES.
Key LengthAES-256.
Key UsageEncrypt + Decrypt.
Rotate KeyLeave the box checked if you want the key group to rotate keys on a schedule.
Rotate EverySet the desired rotation interval.
Keep key valid forSet the length of time that keys created in the key group should remain valid.
6
Do not change the Info tab default settings.
7
In the AWS Properties tab, make the following changes:
OptionRequired configuration
AliasChoose a nickname.
DescriptionOptional.
RegionSelect the AWS region where you created the KMS key.
Active Key IDEnter the Key ID formatted as xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
PolicySelect [ Import Policy ] and then select the policy that you saved as a JSON file. The policy specifies the permissions for accessing the customer master key in AWS.
Disable key after rotatingOptional.
8
Select [ OK ] to finish creating the HSM Protected Key Group.

Push keys to AWS KMS

You can perform the following operations on keys that are part of an AWS HSM Protected key group:
OperationDescription
Rotate an HSM Protected Key GroupThis forces you to generate a new key on the KMES and then upload it to AWS with the alias configured under the AWS Properties tab assigned to the key. On the Customer managed keys page in AWS KMS, you can see that the old key ID loses the alias when rotated, and the most recently created key receives the alias.
Synchronize an HSM Protected keyThis updates the given key ID in AWS with the selected key. For example, you can delete the key material from AWS for a key. Then, you can right-click that same key in the KMES, synchronize it, and re-add the key material. You can also delete key material from AWS by checking the appropriate check box when synchronizing in the KMES.
For this integration, the only way that you should keys inside an AWS HSM Protected Key Group is by force rotating the key group or simply waiting for a key rotation to occur based on the configured rotation schedule.

Rotate the HSM Protected key group

The following process demonstrates how to force rotate the HSM Protected key group to generate and push the first key to AWS KMS:
1
Make sure to set the KMES as the designated device for rotating key material (under Administration > Configuration > HSM Protected Key Options).
2
Go to Key Management > Keys.
3
Right-click on the HSM Protected key group that you created in the previous section, and select Cloud> Force Rotate.
4
A job runs to rotate and synchronize this key to the AWS KMS account specified for the key group. To monitor job progress, go to Logging and Reporting > Jobs and double-click on the Rotate HSM protected keys job that just began.
If the synchronization succeeds, a message similar to the following displays:
None
2021-12-10 21:45:32 Rotating 1 HSM Protected keys...
2021-12-10 21:45:33 Rotated HSM protected key group ig-demo
5
After the job finishes, go to Key Management> Keys and select the key group of the key you just synchronized. Notice that the key now displays under the key group.You can also see the key in AWS KMS under Customer managed keys, with the alias that you configured on the AWS Properties tab for the key group.
6
Right-click the AWS HSM Protected key group again and select Cloud> Force Rotate. The newly generated key displays along with the first key generated in the key group.In AWS, this new key is assigned the alias configured for the HSM Protected key group, and the previously active KEY ID loses the alias.

Synchronize an HSM Protected key

Synchronizing a key means synchronizing or deleting key material for any of the previously active Key IDs. The following process demonstrates how to synchronize an HSM Protected key:
1
Select the AWS HSM Protected key group.
2
Right-click one of the previously active key IDs and select Cloud > Synchronize.
3
Select one of the following actions:
  • Delete Key Material
  • Update Policy(selected by default)
  • Import Key Material(selected by default)
You should import key material only if the key material was deleted for the associated Key ID previously, either in AWS KMS or through the Delete Key Material option.
A new job executes and displays on the Logging and Reporting > Jobs page, where you can track the progress of the operation.