In this deployment, we will be setting up 2 hosts, each running 1 Customer Key Server (CKS) instance, in 1 location. Each CKS will listen on its own designated port on its host.
The setup will assume:
- Load Balancer
  - Public DNS: cks.example.com
  - Public Port: 443
- Host A
  - Internal DNS: cksa01.example.com (optional)
  - Internal Port: 443
- Host B
  - Internal DNS: cksb01.example.com (optional)
  - Internal Port: 443
The installation steps are:
- Install Docker
- Install Docker Compose
- Download Install Script
- Run Install Script
- Docker Compose Up
Install Docker and Docker Compose
If this was completed during the prerequisites, you can skip to "Download and Execute Installer".
# Install Docker CE
sudo curl -sSL https://get.docker.com/ | sh
# Install Docker Compose
sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
# Confirm working installation (both commands should print a version)
docker --version
docker-compose --version
Download and Execute Installer
If SELinux is in use please reference this article.
wget https://cdn.virtru.com/apps/cks/latest/cks-install.sh -O cks-install-wizard.sh
To run the installer in offline mode, first follow the prerequisites listed here. Then execute:
bash <your-cks-install-script.sh> -o true
The installer will create all appropriate directories. The recommended install root directory is /var/virtru/cks (the wizard output and docker-compose.yml referenced below are placed there).
Transport Security (TLS Certificate)
During the install, the installer validates the TLS certificate for transport security. When prompted, copy the required file to the appropriate directory.
cat [path-to-private-key] [path-to-certificate] [path-to-intermediate-cert-1] ... [path-to-root-cert] > ssl.pem
Note: the order of certificates in ssl.pem matters. The private key comes first, then the certificate for your CKS FQDN, which must be before the intermediate certificates for your CA, ending with the root.
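An added check for the ordering caveat above (example code, not part of Virtru's installer): it reads an ssl.pem bundle, confirms the private key block comes first, that each certificate is issued by the one after it, that the last one is a self-signed root, and, as a CN-substring heuristic, that the first certificate names the CKS FQDN. It uses only the standard library; the minimal DER walk reads just the issuer and subject Names of each certificate.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, end_of_tlv)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, pos + hdr, pos + hdr + length

def cert_names(der):
    """Return the raw DER (issuer, subject) Names of an X.509 certificate."""
    _, p, _ = _tlv(der, 0)                   # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                   # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                          # optional explicit [0] version
        p = end
    _, _, p = _tlv(der, p)                   # serialNumber
    _, _, p = _tlv(der, p)                   # signature AlgorithmIdentifier
    start = p
    _, _, p = _tlv(der, p)                   # issuer Name
    issuer = der[start:p]
    _, _, p = _tlv(der, p)                   # validity
    start = p
    _, _, p = _tlv(der, p)                   # subject Name
    return issuer, der[start:p]

def check_ssl_pem(text, fqdn=None):
    """Return a list of problems with an ssl.pem bundle (empty list = OK)."""
    blocks = PEM_RE.findall(text)
    problems = []
    if not blocks or not blocks[0][0].endswith("PRIVATE KEY"):
        problems.append("first block must be the private key")
    certs = [base64.b64decode(b64) for label, b64 in blocks if label == "CERTIFICATE"]
    if len(certs) < 2:
        problems.append("expected the server certificate followed by its CA chain")
    names = [cert_names(c) for c in certs]
    # CN-substring heuristic only: a SAN-only certificate needs a full X.509 parser
    if fqdn and names and fqdn.encode() not in names[0][1]:
        problems.append("first certificate is not the one issued for %s" % fqdn)
    for i in range(len(names) - 1):          # each cert must be issued by the next
        if names[i][0] != names[i + 1][1]:
            problems.append("certificate %d is not issued by certificate %d" % (i + 1, i + 2))
    if names and names[-1][0] != names[-1][1]:
        problems.append("last certificate is not a self-signed root")
    return problems
```

Run it as `check_ssl_pem(open("ssl.pem").read(), "cks.example.com")` before handing the bundle to the installer; any non-empty result means the cat order in the command above needs fixing.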
CKS Re-Wrap Keys (RSA key pair)
The CKS Re-Wrap keys are used to rewrap/unwrap a message key.
The CKS can use:
- Newly Generated - the installer generates a new key pair for use with the CKS.
- Existing - copy an existing key pair into place:
cp [path-to-public-key] rsa001.pub
cp [path-to-private-key] rsa001.pem
CKS Re-Wrap Key Storage
The CKS Re-Wrap keys are used to rewrap/unwrap a message key. The options for storing and managing the keys are:
- In Memory as an Environment Variable
- On disk
The CKS can log directly to:
- The docker standard out
- Remote Syslog server
The host of the CKS:
Enter only the Fully Qualified Domain Name (FQDN) of the host.
Once completed, the wizard will create the following:
- The environment variables for the CKS and its companion containers.
- A token-store/tokens.json that defines the HMAC token used to authenticate to your CKS deployment.
  - The token is also automatically loaded into the environment variables in env/cks.env.
- A docker-compose.yml file to run the deployment.
- An RSA key pair, if existing keys were not used.
- A TLS certificate, if an existing certificate was not used.
Email send_to_virtru.tar.gz to Virtru
Once the wizard has completed successfully, a file named send_to_virtru.tar.gz will be in your /var/virtru/cks/ directory. This file contains the information Virtru requires to communicate with your CKS appliance.
Send the file using Virtru encryption to your account representative at Virtru.
Once the wizard has completed, the CKS is ready to turn on and verify connectivity:
cd /var/virtru/cks
docker-compose up -d