Both vendors and tenants can add KMS configurations which will be used to protect that tenant’s data. The data included in these configurations vary based on which cloud provider hosts the KMS. The information that is gathered is everything necessary for the TSP to contact the KMS and use it to wrap and unwrap encryption keys.
After the configuration information is entered, it is encrypted immediately within the browser before being saved. Neither IronCore nor the vendor’s admins will ever see any unencrypted configurations entered by tenant admins. As mentioned above, only the TSP has the ability to decrypt these KMS configurations.
KMS Configuration Assignment
Once a KMS configuration has been saved, it can be assigned to vendors or tenants. An assignment allows the associated vendor’s TSPs to decrypt the associated config and use it to make calls to the KMS.
Vendors may create assignments of a single config to multiple tenants, but currently tenants may only assign a config to a single vendor at a time. If you’d like to programmatically create many assignments and tenants, check out our Vendor API. It is only possible to create an assignment for a configuration your organization created.
Was this page helpful?