These prerequisites ensure that everything required to deploy the Customer Key Server (CKS) is available, so that the deployment goes smoothly.
Create an A record for the public IP address that the CKS will point to.
All traffic will be encrypted via TLS using a certificate signed by a public Certificate Authority (CA).
Recommended Distributed Configuration
Highly available load balancer connected to:
- 2 or more hosts
- (Optional) 2 or more locations
- (Optional) HSM Array
Optional Minimum Configuration
Highly available load balancer connected to 2 hosts with a single container per host. Additional resources and hosts are recommended. Additional resources will enhance the resiliency of the environment.
Access and rights to make decisions and configuration changes regarding the following Services will allow a smooth and expedient Virtru CKS setup. Failure to secure approval and/or access to any item may cause a delay in the Virtru CKS deployment and/or testing.
- Syslog/SIEM System
The CKS is distributed as a `docker` image via Virtru's Private DockerHub Repository.
Please create an account with Docker Hub here: https://hub.docker.com/signup
Once your account has been created, send your Docker Hub username to your Virtru Deployment Team. Your account will be given access to download the appropriate Virtru CKS Images.
To install Docker on your host, please follow the Docker installation documentation.
64-bit Linux OS that meets the Docker Minimum Requirements
Docker Compose is a tool used by Virtru to automate the deployment of the CKS. The use of Docker Compose is required to ensure all parameters are met and to ensure a smooth deployment.
Docker Compose can be installed here: https://docs.docker.com/compose/install/#install-compose
The hosts will need to be able to communicate with Docker Hub. Virtru does not support the "sideloading" of the CKS Docker Images.
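The DNS, certificate, Docker and Docker Hub prerequisites above can be checked on each host before deployment with a preflight script like the following. This is an added example, not Virtru tooling: the function names and `CKS_*` variables are hypothetical, and it assumes `getent`, `openssl` and `curl` are installed and that `registry-1.docker.io` is the Docker Hub registry endpoint the host must reach.

```shell
# Added example: preflight checks for a CKS host (not Virtru tooling).
# All function names and CKS_* variables are hypothetical.

# Docker needs a 64-bit Linux OS; accept the usual 64-bit machine names.
is_64bit_arch() {
    case "$1" in x86_64|amd64|aarch64|arm64) return 0 ;; *) return 1 ;; esac
}

# The A record must resolve to the public IP that fronts the CKS.
a_record_matches() {  # args: fqdn expected_ipv4
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | grep -qxF "$2"
}

# A public-CA certificate chains to the system trust store (a self-signed
# one does not), is within its validity period, and names the CKS FQDN.
cert_is_public_ca_signed() {  # args: fqdn leaf.pem [intermediates.pem]
    if [ -n "${3:-}" ]; then
        openssl verify -untrusted "$3" "$2" >/dev/null 2>&1 || return 1
    else
        openssl verify "$2" >/dev/null 2>&1 || return 1
    fi
    openssl x509 -in "$2" -noout -checkhost "$1" 2>/dev/null | grep -q 'does match'
}

# Docker plus Compose (v2 plugin or standalone v1 binary) must be installed.
docker_ready() {
    command -v docker >/dev/null 2>&1 || return 1
    docker compose version >/dev/null 2>&1 || command -v docker-compose >/dev/null 2>&1
}

# Images cannot be sideloaded, so the host must reach the Docker Hub registry.
# Any HTTP response (even 401) proves egress; only a connection error fails.
docker_hub_reachable() {
    curl -sS -o /dev/null --max-time 10 https://registry-1.docker.io/v2/ 2>/dev/null
}

preflight() {  # args: fqdn public_ip leaf.pem [intermediates.pem]
    fails=0
    check() { label=$1; shift; if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fails=$((fails + 1)); fi; }
    check "64-bit OS" is_64bit_arch "$(uname -m)"
    check "A record -> $2" a_record_matches "$1" "$2"
    check "public-CA certificate for $1" cert_is_public_ca_signed "$1" "$3" "${4:-}"
    check "docker + docker compose" docker_ready
    check "Docker Hub egress" docker_hub_reachable
    return "$fails"
}

# Runs only when the (hypothetical) CKS_* variables are set.
if [ -n "${CKS_FQDN:-}" ]; then
    preflight "$CKS_FQDN" "$CKS_PUBLIC_IP" "$CKS_CERT" "${CKS_CHAIN:-}"
fi
```

The script's exit status is the number of failed checks, so it can gate a deployment job. The registry check covers only the one endpoint named above; the Virtru Endpoints Guide remains the reference for the full egress list.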
Egress Firewall Requirements
Please see the Virtru Endpoints Guide.
Ingress Firewall Requirements
Inbound ports to map to Containers
Please see our Host reference article for the recommended Linux host setup.
CKS can be deployed as a standalone instance or in a High Availability (HA) configuration behind your favorite load balancer (example: HAProxy, Nginx, DNS Round Robin or any other commercial load balancer). As the CKS is stateless, there are no Inter-CKS communication requirements.
Deploying a single CKS is highly discouraged. If any maintenance or unforeseen issues arise, Virtru Encrypted email will not be able to be decrypted until the CKS functionality is restored.
Virtru recommends at least 1 CKS container on 2 different hosts along with a backup and recovery plan.
Please note that Load Balancer specific steps are outside the scope of this document. Please consult your Load Balancer manual for more information.
You can make the load balancer configurations after you have successfully installed CKS on individual servers.