Creating KMS Keys

Here you'll find instructions for creating a cloud-managed key for different cloud providers. The key is used as part of the Vault auto-unseal process for users that choose to bundle Vault with their Garden Enterprise installation.

AWS Key Management Service

For auto-unsealing Vault on AWS, you'll need to first create a KMS key. Below you'll find a step-by-step guide for doing that.

Note that you may do things differently in your organization, which is fine as long as you have the following values at hand during the Garden Enterprise installation:

  • The AWS KMS ID of the KMS Key you intend to use.

  • The AWS Region where the key was created.

  • The AWS Access Key ID of the principal assigned to the key.

  • The AWS Secret Access Key of the principal assigned to the key.

Policy Principal

For auto-unsealing Vault on AWS, you'll need a policy principal that has permissions to perform cryptographic operations on a symmetric KMS key.

These permissions are:

[
  "kms:Decrypt",
  "kms:DescribeKey",
  "kms:Encrypt",
  "kms:GenerateDataKey*",
  "kms:ReEncrypt*"
]

How you create and manage the principal depends on your organization, but one approach is to create an IAM user with the appropriate permissions and assign it as the KMS key principal.
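As an added example (not Garden's own code), the following Python builds the least-privilege identity policy for an IAM user acting as the policy principal, granting only the five actions above on a single key ARN, and lints an existing policy document for missing actions or a Resource of "*". The key ARN is an assumption you substitute; IAM action matching is approximated with case-insensitive globbing.

```python
import fnmatch

# The permissions listed in the "Policy Principal" section, verbatim.
REQUIRED_ACTIONS = [
    "kms:Decrypt",
    "kms:DescribeKey",
    "kms:Encrypt",
    "kms:GenerateDataKey*",
    "kms:ReEncrypt*",
]


def build_identity_policy(key_arn: str) -> dict:
    """Least-privilege identity policy: only the required actions, only this key."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VaultAutoUnseal",
            "Effect": "Allow",
            "Action": REQUIRED_ACTIONS,
            "Resource": key_arn,  # assumption: the ARN of the KMS key you created
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants(granted: str, required: str) -> bool:
    # IAM action matching is case-insensitive and '*' is a glob. A required
    # entry such as "kms:ReEncrypt*" is reduced to its literal prefix, which
    # the granted pattern must match; this is a deliberate simplification.
    return fnmatch.fnmatchcase(required.rstrip("*").lower(), granted.lower())


def check_policy(policy: dict, key_arn: str) -> list:
    """Return findings: required actions not granted for key_arn, and Allow
    statements whose Resource is '*' instead of the key. Empty list means OK."""
    findings, covered = [], set()
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        resources = _as_list(st.get("Resource", []))
        if "*" in resources:
            findings.append("statement %s: Resource '*' is broader than the key" % st.get("Sid", "?"))
        if not any(fnmatch.fnmatchcase(key_arn, r) for r in resources):
            continue  # this statement does not apply to our key
        for granted in _as_list(st.get("Action", [])):
            covered.update(r for r in REQUIRED_ACTIONS if _grants(granted, r))
    findings += ["missing action: %s" % r for r in REQUIRED_ACTIONS if r not in covered]
    return findings
```

Run check_policy against the policy document you attach to the IAM user before handing its credentials to the installer; an empty result means the principal has exactly what the auto-unseal needs.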

Create an AWS KMS key via the AWS console

Go to the Key Management Service page in your AWS console and click Create key.

Make sure the key type is Symmetric:

Click Next.

Add a label

Add a label to your key so that you can identify it later:

The next steps pertain to defining administrative and/or usage permissions for the key. If and how you do this depends on your organization and is out of scope for this guide.

Review and Edit Key Policy

Review the key policy and assign the policy principal (from the Policy Principal section above).

And that’s it.

During the installation of Garden Enterprise you will be asked to provide the IAM credentials for the policy principal, and the ID of the KMS key just created.

Google Cloud Key Management

For auto-unsealing Vault on GCP, you'll need to create a KMS key and configure the permissions of the instance group's service account to encrypt and decrypt with that key. Below you'll find a step-by-step guide for doing that.

Note that you may do things differently in your organization, which is fine as long as you have the following values at hand during the Garden Enterprise installation:

  • GCP Region

  • GCP Project

  • GCP Key Ring

  • GCP Crypto Key

In order for your GKE cluster nodes to be able to reach the Cloud KMS API for encryption/decryption with the key, you need to give the node pool's service account the permissions to do so. You can either create a service account with the correct permissions in the IAM section, or, if you choose to use the Compute Engine default service account, make sure to allow it full access to all Cloud APIs when creating the cluster.

Create a GCP KMS key via the GCP console

Go to the Cryptographic Keys page in your GCP console and click Create key ring. Add a name for your new key ring and set the key ring location to the same location your GKE cluster uses.

Next create a key in that key ring with the purpose symmetric encrypt/decrypt.

Allow your service account to use the key for encryption/decryption

Select the created key and under the Permissions tab choose Add a member. The member is the service account you have associated with your GKE cluster's instance group. If you are not sure which one it is, go to Kubernetes Engine and check the node pool configuration of your cluster. Give your service account the role Cloud KMS CryptoKey Encrypter/Decrypter.

And that’s it.

During the installation of Garden Enterprise you will be asked to provide the key ring and crypto key name of the KMS key just created.

Azure Key Vault

For auto-unsealing Vault on Azure, you'll need to create an Azure Key Vault instance and an app registration in Azure Active Directory. Then you'll need to add that service principal to the access policies of the key vault. Below you'll find a step-by-step guide for doing that.

Note that you may do things differently in your organization, which is fine as long as you have the following values at hand during the Garden Enterprise installation:

  • Azure Application Client Id

  • Azure Application Client Secret

  • Azure Account Tenant Id

  • Azure Vault Name

  • Azure Key Name

Create an app registration

Go to the App Registrations page in Azure Active Directory and add a new registration.

After registering the application, go to the API permissions tab and configure your app's access to Azure Key Vault.

Next navigate to Certificates & secrets and add a new client secret. You will need the Application Client Id and Application Client Secret for your Garden Enterprise installation.

Add an Azure Key Vault instance

Go to the Key Vaults page and create a new key vault. Enter your subscription, key vault name and region in the basics section and then navigate to the Access policy tab and choose the configuration template Key, Secret & Certificate Management. Then select the principal to be the app that you registered earlier.

Add a KMS key for auto-unsealing Garden Enterprise Vault

Once you have created your Azure Key Vault instance, add a key to it by navigating to the Keys tab of the instance and clicking Generate/Import. Your new key should be an RSA key, permit all operations and be enabled.

Once you have done that, take note of your Azure Vault Name and Azure Key Name and you should be all set.
