User Guide

Key Management Environment Configuration

There are various settings that need to be configured for any type of Key Management System (KMS) that is enabled in an Environment:

Setting: Key Management System

Description:

Select which type of Key Management System should be used. There are three KMS options available, depending on whether you are using Hadoop:

  • Hadoop (default Hadoop KMS)

  • Ionic Machina (optional KMS for use with Hadoop)

  • AWS Secrets Manager (can be used with or without Hadoop)

If None is selected, then hashing rules, encryption rules, derived tokenization and HDFS Token Vault encryption will not be available for this Environment.

Setting: KMS Location

Description:

Hadoop KMS URL: The URL of the Hadoop KMS. (If Hadoop is selected as the KMS.)

Ionic Machina Persistor Path: The path to the Ionic Machina Persistor. (If Ionic Machina is selected as the KMS.)

Note

For more information about setting up Ionic Machina as the KMS for the Privitar platform, see the separately provided Ionic Machina Reference Guide. (Please contact Privitar for further information about Ionic Machina integration.)

AWS Secrets Manager settings: (If AWS Secrets Manager is selected as the KMS.) The details required are:

  • AWS Region; set this to the AWS region that you will use to access the AWS Secrets Manager. For example, us-west-2. To ensure consistent hashing, it is important to use AWS Secrets Manager from the same region. If the region is not defined, the default region of the Privitar processing engine (for example, POD, Hadoop nodes or SDK) will be used, and that default might be subject to change.

  • AWS Endpoint; set this to the URL of the AWS endpoint that is used to make a private connection between your VPC and AWS Secrets Manager. When you use a VPC service endpoint, communication between your VPC and Secrets Manager occurs entirely within the AWS network and requires no public Internet access. For security, it is recommended that this endpoint is created. For more information, see AWS Secrets Manager - User Guide.

  • AWS KMS Key; the master key that AWS Secrets Manager will use to protect every secret that it stores. It is recommended to define a master key. For more information, see AWS KMS Developer Guide.

  • AWS Secret tags; the tags that will be attached to any secrets created by the Privitar Platform.
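The four settings above interact: hashing is only consistent when every caller reaches Secrets Manager in the configured region, a VPC endpoint is preferred over the public one, and an unset master key silently falls back to the account default. The following is an added example (not Privitar's own code) that checks a settings object for those pitfalls before it is applied; the data class, the AWS region, endpoint-hostname and key-ARN patterns, and the sample values are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Naming patterns below are assumptions about AWS conventions, not taken from the Privitar page.
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")
# Public regional endpoint, e.g. https://secretsmanager.us-west-2.amazonaws.com
PUBLIC_RE = re.compile(r"^https://secretsmanager\.([a-z0-9-]+)\.amazonaws\.com/?$")
# Default private DNS name of an interface VPC endpoint for Secrets Manager
VPCE_RE = re.compile(r"^https://vpce-[0-9a-f]+-[0-9a-z]+\.secretsmanager\.([a-z0-9-]+)\.vpce\.amazonaws\.com/?$")
KEY_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)?:kms:([a-z0-9-]+):\d{12}:key/[0-9a-f-]{36}$")


@dataclass
class SecretsManagerSettings:
    """Hypothetical model of the four AWS Secrets Manager settings of an Environment."""
    region: str
    endpoint: str
    kms_key: str = ""
    tags: dict = field(default_factory=dict)


def validate(s: SecretsManagerSettings) -> list:
    """Return human-readable findings; an empty list means the settings are consistent."""
    findings = []
    if not REGION_RE.match(s.region):
        findings.append(f"region '{s.region}' does not look like an AWS region name")
    vpce = VPCE_RE.match(s.endpoint)
    m = vpce or PUBLIC_RE.match(s.endpoint)
    if m is None:
        findings.append(f"endpoint '{s.endpoint}' is not a Secrets Manager endpoint")
    elif vpce is None:
        findings.append("endpoint is the public regional endpoint; a VPC endpoint keeps traffic inside AWS")
    # Hashing is only consistent when every caller uses Secrets Manager in the same region.
    if m is not None and m.group(1) != s.region:
        findings.append(f"endpoint region '{m.group(1)}' differs from configured region '{s.region}'")
    if not s.kms_key:
        findings.append("no KMS key set; secrets would fall back to the account default aws/secretsmanager key")
    elif not s.kms_key.startswith("alias/"):
        k = KEY_ARN_RE.match(s.kms_key)
        if k is None:
            findings.append(f"KMS key '{s.kms_key}' is neither a key ARN nor an alias")
        elif k.group(1) != s.region:
            findings.append(f"KMS key lives in '{k.group(1)}', not in configured region '{s.region}'")
    # AWS tag limits: key 1-128 characters, value up to 256 characters.
    for key, value in s.tags.items():
        if not 1 <= len(key) <= 128 or len(value) > 256:
            findings.append(f"tag '{key}' violates AWS tag length limits")
    return findings
```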

For AWS Secrets Manager in Glue Environments, the KMS is not configurable via the UI or API and the configuration will be as follows:

  • AWS Region; is always the same as the region of the Glue Environment

  • AWS Endpoint; this is the default endpoint and not configurable for Glue environments

  • AWS KMS Key; the AWS account's default CMK (the one named aws/secretsmanager) for the region

  • AWS Secret tags; the tags provided to CloudFormation as the TAGS parameter

Note

AWS Secrets Manager provides full support for the Hash Text rule. Support for other Privitar rules and functions has not been tested. It is recommended that these functions are not used in a production environment.