Run key migration in CipherTrust Manager

To import keys into CipherTrust Manager KMS, run a migration command using the CLI tool, ksctl.

Before you begin 

Create split share keys and upload backup file

Procedure 

  1. Open a command prompt as an administrator, and change to the ksctl directory.

  2. Import the keys from the archive file:

    ksctl migrations apply --id <id> [--user <user-name> --password <user-password>] [--domains <DSM-domains>] [--group-name <DSM-group-name>] [--auto-cte-groups]

    • <id> - the hexadecimal identifier of the DSM key wrapper archive file.
    • <user-name> - Optional. The CipherTrust Manager user who will become the administrator of the created domain(s) and the owner of the migrated keys within the domain(s). If not specified, KSCTL_USERNAME in config.yaml is used, which is the default CipherTrust Administrator.
    • <user-password> - Optional. If not specified, KSCTL_PASSWORD in config.yaml is used, which is the CipherTrust Administrator password.

    • <DSM-domains> - Optional. A comma-separated list of domain names that specifies which DSM domains to migrate. Omit this option to migrate all DSM domains.

    • <DSM-group-name> and --auto-cte-groups - Optional. For <DSM-group-name>, enter "CTE Clients".

      Example: Command and process in progress

      C:\Users\se\.ksctl>ksctl migrations apply --id 9c699b40-8227-41d1-bf4e-c98cd23f9e8c --user admin --password admin --group-name "CTE Clients" --auto-cte-groups

      {
        "id": "9c699b40-8227-41d1-bf4e-c98cd23f9e8c",
        "file_size": 224256,
        "created_at": "2024-06-19T18:57:52.640195768Z",
        "status": "In progress",
        "checksum_sha256": "0e74ff4712810cb27b65a44b9d861766b94996bf544160e4f9af3097246c9a58",
        "product": "DSM",
        "backup_key_digest": "f31-cfe"
      }

  3. Check the status of the migration periodically:

    ksctl migrations status

    When the migration is finished, the overall_status and status fields show "Completed".

  4. If the migration fails (status = Failed):

    1. Restart this procedure using the same wrapper key archive file.

    2. If it still fails after restarting the procedure, return to Thales DSM, create a new wrapper key and export it (see Workflow: Export keys from Thales KMS), and then restart the process in CipherTrust Manager (see Workflow: Import keys to CipherTrust Manager).

    3. If the migration continues to fail, create a new Thales DSM KMS server, restore the wrapper key archive file, and restart the migration process. See Workflow: Migrate keys from Thales DSM to CipherTrust Manager.
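As an added example (not part of ksctl or of this procedure), the following Python wrapper runs the apply command, checks that the checksum_sha256 and file_size ksctl reports match the archive you actually exported from DSM, and then polls ksctl migrations status until the migration reaches Completed or Failed. It assumes both commands print JSON to stdout, that the status output carries the overall_status and status fields named above, and that credentials come from config.yaml rather than --password.

```python
import hashlib
import json
import os
import subprocess
import sys
import time

def sha256_of_file(path):
    """SHA-256 of the local wrapper-key archive, for comparison with what ksctl reports."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def parse_apply_output(raw):
    """Return (id, status, checksum_sha256, file_size) from `ksctl migrations apply` JSON."""
    doc = json.loads(raw)
    return doc["id"], doc["status"], doc["checksum_sha256"], doc["file_size"]

def archive_matches(raw_apply_output, local_sha256, local_size):
    """Confirm the archive ksctl ingested is the one exported from DSM (checksum and size)."""
    _, _, checksum, size = parse_apply_output(raw_apply_output)
    return checksum.lower() == local_sha256.lower() and size == local_size

def migration_outcome(raw_status_output):
    """Classify `ksctl migrations status` JSON (assumed fields: overall_status, status)."""
    doc = json.loads(raw_status_output)
    states = {str(doc.get("overall_status", "")), str(doc.get("status", ""))}
    if states == {"Completed"}:      # done only when both fields read "Completed"
        return "completed"
    if "Failed" in states:           # status = Failed: restart the procedure (step 4)
        return "failed"
    return "in_progress"

def wait_for_migration(run_status, interval=30, max_polls=120):
    """Poll run_status() (a callable returning status JSON) until a final state or timeout."""
    for _ in range(max_polls):
        outcome = migration_outcome(run_status())
        if outcome != "in_progress":
            return outcome
        time.sleep(interval)
    return "timeout"

def ksctl(*args):
    """Run ksctl; credentials come from config.yaml, not argv (argv shows up in process lists)."""
    return subprocess.run(["ksctl", *args], capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":  # usage: <script> <wrapper-archive-id> <local-archive-path>
    mig_id, archive = sys.argv[1], sys.argv[2]
    out = ksctl("migrations", "apply", "--id", mig_id, "--group-name", "CTE Clients", "--auto-cte-groups")
    if not archive_matches(out, sha256_of_file(archive), os.path.getsize(archive)):
        sys.exit("archive checksum/size mismatch: do not trust this migration")
    print("migration", parse_apply_output(out)[0], "->", wait_for_migration(lambda: ksctl("migrations", "status")))
```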

What to do next 

Validate keys after migration