External Key Managers
External key managers are solutions that store cryptographic keys and allow those keys to be created, modified, deleted, and retrieved. They can be implemented as software or as combined hardware/software solutions. Systems that perform encryption or decryption interact with an external key manager to remotely create, modify, and delete keys on it, or to retrieve those keys for use in encryption and decryption. External key managers are also referred to as "external keystores."
Powertech Encryption for IBM i supports, but does not require, the use of an external key manager. You can use an external key manager to store the data-encrypting keys, called "symmetric keys," used by Powertech Encryption for IBM i. The local key store on the IBM i where the symmetric key "resides" then contains a reference to the symmetric key that is stored on the external key manager.
The most widely used protocol for communication between a system that performs encryption and an external key manager is KMIP (the Key Management Interoperability Protocol), which Powertech Encryption supports.
To use one or more external key managers from Powertech Encryption for IBM i, you must first configure each of them in Powertech Encryption for IBM i. The configuration contains the information needed to interface with the external key store, such as its IP address and the protocol used. After you configure and verify the connection to the external key manager, you can create symmetric keys that are stored on that external key manager; they function the same as other symmetric keys, and no additional tasks are needed.
In most scenarios, communication between Powertech Encryption for IBM i and the external key manager is encrypted at the transport level using TLS. This requires TLS to be set up in the IBM i's Digital Certificate Manager (DCM).
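The following Python model illustrates the arrangement described above: the local key store holds only a reference (key manager name plus the identifier the manager assigned), the key material lives on the external key manager, every interaction with the manager goes through a verifying TLS configuration, and the manager exposes the KMIP-style operations Create, Get, and Destroy. It is an added illustration, not Powertech Encryption code or a KMIP implementation; the class and function names (KeyManagerConfig, InMemoryKeyManager, LocalKeyStore, KeyReference, protect_record) are assumptions, the in-memory manager is a constructed stand-in for a real key server, and the keyed HMAC in protect_record stands in for the symmetric-key encryption the product performs, because the standard library ships no AES.

```python
"""Model of an encrypting system that keeps its symmetric keys on an
external key manager (EKM). Added illustration; all names are assumed."""
import abc
import hashlib
import hmac
import secrets
import ssl
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class KeyManagerConfig:
    """Connection details kept locally: host, port, protocol, and whether TLS is used."""
    name: str
    host: str
    port: int = 5696          # IANA-registered port for KMIP
    protocol: str = "KMIP"
    use_tls: bool = True

    def tls_context(self) -> ssl.SSLContext:
        """Build a verifying TLS context. In production the client certificate
        exported from DCM would be loaded here with load_cert_chain()."""
        if not self.use_tls:
            raise ValueError(f"{self.name}: EKM traffic must be TLS-protected")
        ctx = ssl.create_default_context()
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        return ctx


class ExternalKeyManager(abc.ABC):
    """Minimal interface mirroring the KMIP operations Create, Get, and Destroy."""

    @abc.abstractmethod
    def create(self, length_bits: int) -> str: ...

    @abc.abstractmethod
    def get(self, uid: str) -> bytes: ...

    @abc.abstractmethod
    def destroy(self, uid: str) -> None: ...


class InMemoryKeyManager(ExternalKeyManager):
    """Constructed stand-in for a real key server; it alone holds key material."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def create(self, length_bits: int = 256) -> str:
        uid = secrets.token_hex(8)   # the manager, not the client, assigns the identifier
        self._keys[uid] = secrets.token_bytes(length_bits // 8)
        return uid

    def get(self, uid: str) -> bytes:
        if uid not in self._keys:
            raise LookupError(f"key {uid} not found on external key manager")
        return self._keys[uid]

    def destroy(self, uid: str) -> None:
        self._keys.pop(uid, None)


@dataclass(frozen=True)
class KeyReference:
    """What the local key store records for an externally managed key: no key bytes."""
    label: str
    manager: str
    uid: str


class LocalKeyStore:
    """Local store that resolves labels to references and fetches keys on demand."""

    def __init__(self, managers: Dict[str, ExternalKeyManager],
                 configs: Dict[str, KeyManagerConfig]) -> None:
        self._managers = managers
        self._configs = configs
        self._refs: Dict[str, KeyReference] = {}

    def create_symmetric_key(self, label: str, manager_name: str,
                             length_bits: int = 256) -> KeyReference:
        self._configs[manager_name].tls_context()   # fail early if TLS is not configured
        uid = self._managers[manager_name].create(length_bits)
        ref = KeyReference(label, manager_name, uid)
        self._refs[label] = ref
        return ref

    def fetch_key(self, label: str) -> bytes:
        ref = self._refs[label]
        self._configs[ref.manager].tls_context()
        return self._managers[ref.manager].get(ref.uid)

    def holds_key_material(self) -> bool:
        """True only if any reference field contains raw bytes (it never should)."""
        return any(isinstance(v, (bytes, bytearray))
                   for r in self._refs.values() for v in vars(r).values())


def protect_record(store: LocalKeyStore, label: str, record: bytes) -> str:
    """Use the externally held key; HMAC stands in for the product's encryption step."""
    key = store.fetch_key(label)
    return hmac.new(key, record, hashlib.sha256).hexdigest()
```

Destroying the key on the manager leaves a dangling local reference, which is why fetch_key raises instead of silently returning nothing; a plaintext (use_tls=False) configuration is rejected before any key operation is attempted.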
See the following references for more information:
- Appendix C: Adding a Client Certificate to an External Key Manager
- Appendix D: Creating a Certificate using the Digital Certificate Manager (DCM)
- To configure external key stores, see External Key Manager Menu.
- To create symmetric keys on an external key store, see Create Symmetric Key (CRTSYMKEY), the External key manager parameter description.
- The Thales Group is a popular provider of external key managers. To configure Thales external key managers to interface with Powertech Encryption for IBM i, see Integrating Powertech Encryption for IBM i with Thales Key Management Solutions on the Fortra Community Portal.