Create split share keys and upload backup file

The wrapper key and migration split key divide a single key into multiple shares, and a minimum number of shares is required to reassemble the key. This configuration, called M of N, improves security because a different custodian holds and controls each share.

Before you begin 

Create split keys

Procedure 

  1. Run the command: ksctl migration-split-keys shares create --name <name> --share-key <share-key>

    Replace the following placeholders:

    • <name> - name provided in the preceding command.

    • <share-key> - wrapper key copied from each custodian's (system administrator's) Thales DSM dashboard.

      This command is executed once for each custodian, for a total of two (2) times. The key shares are saved in the “Export wrapper keys” section.

      The following are samples of the commands and their successful results:

      C:\Users\se\.ksctl>ksctl migration-split-keys shares create --name Migraiton1 --share-key 00000000c8558e5ee927367b52d3300f49e98047e43adb40ceb16aad6988428f0d94cc6e43c2a21c2ce6c58fe5194492fe6b0eafd55f10e997e5f12dccff26eef1d95a34bdcbc791

      {
        "name": "1368a0d0-22ff-44e3-ab26-f6775a703137"
      }

      C:\Users\se\.ksctl>ksctl migration-split-keys shares create --name Migraiton1 --share-key 00000001009a5dec401cd09d1ab433f494365cb383850aa80c9084b2efe47154685c324cb04981c0e228bf94884db08b3961c818fa8347eb39afe5fd0d1afa2b3fff9d7efe66c72e

      {
        "name": "cc45c291-5206-4032-9617-08c519797277"
      }

  2. Upload the backup file to CipherTrust. Type ksctl migrations upload --file <filename> [--chunk-size <upload_chunk_size_in_bytes>].

    • <filename> - name of the backup file generated by utilizing backups from Thales DSM.

    • <upload_chunk_size_in_bytes> - optional. Specify this parameter to upload the file in chunks when the backup is too large, and to help identify errors while uploading.

      The following is a sample of the command and the successful result:

      C:\Users\se\.ksctl>ksctl migrations upload --file migration_ann-thales-kms.lab.local_240619.tar

      {
        "id": "9c699b40-8227-41d1-bf4e-c98cd23f9e8c",
        "file_size": 224256,
        "created_at": "2024-06-19T18:57:52.640195768Z",
        "checksum_sha256": "0e74ff4712810cb27b65a44b9d861766b94996bf544160e4f9af3097246c9a58",
        "product": "DSM",
        "backup_key_digest": "f31-cfe"
      }

    Note the ID from the output to use in the “Run migration” step.
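    The upload response can be checked against the local backup file before the migration is run. The following is an added example, not part of the product documentation or ksctl itself; it assumes that file_size is the byte length and checksum_sha256 is the hex SHA-256 digest of the uploaded file, and the function names verify_upload and demo are hypothetical.

```python
import hashlib
import hmac
import json
import os
import tempfile


def verify_upload(response_text, backup_path, block_size=1 << 20):
    """Compare the upload response with the local backup file.

    Returns the migration ID on success; raises ValueError on any mismatch.
    Assumption: file_size is the byte length and checksum_sha256 is the
    hex SHA-256 digest of the uploaded file.
    """
    resp = json.loads(response_text)
    for field in ("id", "file_size", "checksum_sha256"):
        if field not in resp:
            raise ValueError(f"upload response is missing {field!r}")

    local_size = os.path.getsize(backup_path)
    if local_size != resp["file_size"]:
        raise ValueError(f"size mismatch: local {local_size}, reported {resp['file_size']}")

    # Hash in blocks so a large backup is never read into memory at once.
    digest = hashlib.sha256()
    with open(backup_path, "rb") as fh:
        for block in iter(lambda: fh.read(block_size), b""):
            digest.update(block)
    if not hmac.compare_digest(digest.hexdigest(), resp["checksum_sha256"].lower()):
        raise ValueError("SHA-256 mismatch between local backup and upload response")
    return resp["id"]


def demo():
    """Run the check against a constructed stand-in for a backup file."""
    data = b"constructed sample backup contents\n" * 64
    with tempfile.NamedTemporaryFile(delete=False, suffix=".tar") as tmp:
        tmp.write(data)
    try:
        response = json.dumps({
            "id": "00000000-0000-0000-0000-000000000000",  # placeholder ID
            "file_size": len(data),
            "checksum_sha256": hashlib.sha256(data).hexdigest(),
            "product": "DSM",
        })
        return verify_upload(response, tmp.name)
    finally:
        os.unlink(tmp.name)
```

    Save the JSON printed by the upload command and pass its text, with the path of the backup file, to verify_upload; the returned ID is the value needed in the “Run migration” step.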

What to do next 

Run key migration in CipherTrust Manager

Workflow: Import keys to CipherTrust Manager