Export the wrapper key

After creating the DSM wrapper key, export it from Thales DSM to an archive file. This file serves as a backup of your encryption keys, and it is required for importing the keys into CipherTrust Manager to complete the key migration.

For high availability, you only need to back up the keys (export the wrapper key) on the primary Thales DSM server.

Before you begin 

Create a wrapper key and get key share IDs

Procedure 

  1. Log on to Thales Vormetric Data Security Manager (DSM) as a system administrator.

  2. For a high availability system, make sure the cluster is synchronized:

    • In Thales DSM, from Dashboard, under High availability, look at the status.

    A green status indicates that both the primary and secondary servers are in sync.

  3. Go to System and select Manual Backup and Restore.

  4. Make sure that the message “Wrapper key exists with identifier xxx-xxx” shows the identifier that you created previously.

  5. Under Manual Backup and Restore, navigate to Backup, and select Migration to CipherTrust Manager as the backup type.

    Screenshot of manual backup and restore

  6. Select OK.

    The system exports the keys into a .tar archive and saves it to the following location: C:\Users\<username>\Downloads\, where <username> refers to the currently logged-in user.

  7. After a few minutes, verify that the upgrade file has been successfully saved to your Downloads folder.

    The filename follows this format: migration_<hostname>_<DDMMYY>.tar

    Example: C:\Users\SystemAdministrator\Downloads\migration_rs-thales4.lab.local_12062025.tar

    Screenshot of High Availability status in green
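
The check in step 7 can be scripted on the workstation that received the download. The following PowerShell is an added example, not part of the vendor documentation: the parameter names, the 24-hour freshness window, and the optional hostname comparison are assumptions made for illustration.

```powershell
# Added example, not vendor code. Checks the newest DSM migration archive.
param(
    [string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'),
    [string]$ExpectedHostname,      # hypothetical: primary DSM hostname, optional
    [int]$MaxAgeHours = 24          # assumed freshness window
)

# The documented format is migration_<hostname>_<DDMMYY>.tar, but the page's
# example carries eight date digits (12062025), so accept six or eight.
$pattern = '^migration_(?<hostname>.+)_(?<date>\d{6}|\d{8})\.tar$'

$archive = Get-ChildItem -Path $Folder -Filter 'migration_*.tar' -File |
    Where-Object { $_.Name -match $pattern } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1
if (-not $archive) { throw "No migration archive found in $Folder" }

# Match again so that $Matches describes the selected file, not the last one piped.
$null = $archive.Name -match $pattern
$exportHost = $Matches['hostname']

$problems = @()
if ($archive.Length -eq 0) {
    $problems += 'archive is empty (export or download did not complete)'
}
$ageHours = ((Get-Date) - $archive.LastWriteTime).TotalHours
if ($ageHours -gt $MaxAgeHours) {
    $problems += ('archive is {0:N0} hours old; it may come from an earlier export' -f $ageHours)
}
if ($ExpectedHostname -and $exportHost -ne $ExpectedHostname) {
    $problems += "archive was exported from '$exportHost', expected '$ExpectedHostname'"
}
if ($problems) { throw ($problems -join '; ') }

# Record the SHA-256 so the same file can be confirmed before the import.
$hash = Get-FileHash -Path $archive.FullName -Algorithm SHA256
[pscustomobject]@{
    File     = $archive.FullName
    Hostname = $exportHost
    DateTag  = $Matches['date']
    Bytes    = $archive.Length
    SHA256   = $hash.Hash
}
```

Keep the reported SHA-256 with the migration record and compare it against the file that is presented for import into CipherTrust Manager.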

What to do next 

Workflow: Import keys to CipherTrust Manager

Workflow: Export keys from Thales KMS