Best practices for key location access control and backup

This topic provides information about the best practices for saving, backing up, and restoring CloudLink Center machine encryption keys.

You are responsible for your encryption keys and for ensuring that the appropriate access control and backup policies and procedures are in place to protect the keys against loss or theft. If your keys become unavailable, you cannot access any data that was encrypted using those keys.

CloudLink Center backups are critical for restoring CloudLink Center. Keep a current backup of CloudLink Center so that, if the server is lost, you can deploy a new server and restore CloudLink Center from that backup. If you are using the local database key location, volume encryption keys and device encryption keys are stored in CloudLink Center itself, so backups are the only method of restoring those keys and regaining access to encrypted data.

NOTE: Ensure that you meet all prerequisites for restoring CloudLink Center from backup; otherwise, you cannot access encrypted data after restoring from a backup file.

For more information about CloudLink Center backups and restoring from a backup file, see Back up and restore CloudLink Center.

The following table identifies the key protectors that are available for each type of key location.

Key Protector                               Local database   Microsoft Active Directory   Amazon S3   S3-compatible bucket
CloudLink Vault                             Yes              No                           No          No
SafeNet LunaSA                              Yes              No                           No          No
Microsoft Azure or Azure Stack Key Vault    Yes              No                           No          No
KMIP key manager                            Yes              Yes                          Yes         Yes
Password                                    Yes              Yes                          Yes         Yes