Workflow: Export keys from Thales KMS
In Thales DSM, create a wrapper key for two custodians and export the wrapper key to an archive file, then extend the key rotation schedule to prevent keys from rotating during the migration to CipherTrust Manager.
Workflow
- Custodians are responsible for managing and protecting the wrapper key. For the migration, change the number of custodians to two, to avoid splitting the wrapper key into too many shares.
- Create a wrapper key and get key share IDs
  In Thales DSM, create a wrapper key and export it for the two custodians to an archive file. The wrapper key secures (wraps) your encryption keys for export and grants its custodians the ability to export and import keys.
- After creating the DSM wrapper key, export it from Thales DSM to an archive file. This file serves as a backup of your encryption keys and is required for importing the keys into CipherTrust Manager to complete the key migration.
- To prevent rotation while you migrate keys to the other KMS, extend the expiration date of the rotatable keys used for the recording solution in Thales DSM. Set the new expiration date far enough in the future to cover the estimated migration time and any unexpected delays.