Enabling KMS

For encrypting the password hash, the AWS Key Management Service is used.

To enable the (AWS) Key Management Service proceed as follows:

  1. Open the Settings > General > System Settings > Encryption tab.

  2. Check the Use AWS Key Management Service checkbox (disabled by default).

  3. Specify the AWS account (the AWS account should be discovered first) by selecting from the AWS account dropdown (the option is disabled if no AWS accounts have been discovered or if the discovered AWS account has insufficient permissions to use KMS ). For the list of required AWS permissions for creating the (AWS) KMS Keys refer to the Feature Requirements section.

  4. Specify the AWS region by selecting from the AWS region dropdown (the option is disabled if no AWS account has been discovered).

  5. From the Key dropdown, select a key from the list of existing symmetric cryptographic keys available to the specified AWS account (the option is disabled if no keys are available).

  6. Click Apply to apply the changes.

  7. If encryption is set for a job, the password hash is generated based on the provided password. The password hash gets encrypted with the KMS cryptographic key with base64 and is saved in the recovery point metadata.

    Notes

    • If the AWS Key Management Service is enabled, the password hashes are automatically be restored in case of product reinstallation. Otherwise, passwords need to be provided manually in case the password hashes are not available.

    • The AWS Key Management Service is not applied to self-backup and system configuration encryption.

Generating New KMS Cryptographic Key

  1. Optionally, click Generate a new key to open the Cryptographic key generation dialog box.

  2. In the dialog box that appears, enter the alias and its description (optional) and click Generate to initiate generation of a new symmetric cryptographic key in the specified account. For more details, refer to the AWS::KMS::Alias page. Click the Cancel or X button to close the dialog box without applying any changes.

  3. If the key was generated successfully, the following dialog appears:

  4. If the key generation fails, a dialog box with the reason for the failure appears:

  5. Click the Close or X button to proceed with key generation.