Remote Keystore
vStor 4.15 introduces support for external key management using the Key Management Interoperability Protocol (KMIP). In addition to the built-in SSH-based keystore, the system can now securely store and manage encryption passphrases in an enterprise-grade KMIP-compatible key management system. This allows your organization to integrate vStor with centralized security infrastructure while preserving existing workflows and compatibility.
Users can select the desired keystore backend, KMIP (default) or SSH (legacy), through system preferences. When KMIP is enabled, all key management operations, including storing, retrieving, listing, and deleting passphrases, behave identically to the SSH backend. Passphrases are never stored in plaintext and remain encrypted by vStor at all times. The system provides tools to configure KMIP connection parameters, verify connectivity and permissions, and view the key status for all encrypted volumes.
To learn how to configure your remote keystore, see Encryption Keystore.
Managing Encryption Passwords
Adding Passwords to Keystore
You can add encryption passwords to the Encryption Keystore in two ways:
- During volume creation, switch on the Save key in Encryption Keystore toggle.
- In the key management interface for existing volumes, if the Enable encryption toggle was on during volume creation and the volume key has not been saved in the keystore.
To add a password for an existing volume:
- Navigate to System > System Settings tab > Encryption Keystore pane.
![[image expected here]](/assets/images/system-system_settings-encryption_keystore_highlighted-486b70028bb7c05d4be8b5a80a0e8e12.png)
- Click Manage keys. The Manage Keys dialog will open.
![[image expected here]](/assets/images/system-encryption_keystore-manage_keys_dialog-5d33d0eb1404d68fddbbb9eff32e5a00.png)
If the Manage keys button is disabled, configure your Encryption Keystore first. See Encryption Keystore.
- Hover over the volume for which you want to add the encryption key and click the + symbol.
The Add Encryption Key dialog will open.
![[image expected here]](/assets/images/add_encryption_key_dialog-a5411b6a96171a33c790e833a6862c75.png)
- Type the encryption key specified when creating the volume.
- Click Save.
Deleting Keys from Keystore
To remove a stored key:
- Click Manage keys in the Encryption Keystore pane.
- Hover over the desired volume.
- Click the button next to the volume name.
![[image expected here]](/assets/images/system-encryption_keystore-manage_keys_dialog-delete-c2201162c2015549a593bbba127eaf84.png)
To delete all keys, use the Delete all keys button. You will be prompted to confirm your decision.
Copying Keys from Keystore
If you replicate an encrypted volume, accessing the data on the replica will require providing the key. Encryption Keystore allows you to retrieve the encryption key in case you need it to decrypt such a replica.
To retrieve an encryption key:
- Hover over the desired volume.
- Click the key symbol to retrieve the encryption key. The Retrieve Key confirmation dialog window will open.
![[image expected here]](/assets/images/system-encryption_keystore-manage_keys_dialog-retrieve-b4bacf9d2fc7d70b80ed27da8464b626.png)
- Type your vStor password and the verification code, then click Retrieve key.
![[image expected here]](/assets/images/system-encryption_keystore-manage_keys_dialog-retrieve_key_dialog_1-83b0477ba4f3fdf7e318b209e0d3fe3c.png)
- After a short while, the encryption key will be ready for retrieval. Click Copy key to copy the encryption key to the clipboard, then close the dialog.
![[image expected here]](/assets/images/system-encryption_keystore-manage_keys_dialog-retrieve_key_dialog-key_retrieved-b0de496fffefbb28a1577627a588c080.png)
Resetting the Encryption Keystore
To reset the Encryption Keystore, use the Reset button.
![[image expected here]](/assets/images/system_settings-encryption_keystore-reset_button_red_highlight-379e616380375809f7ec1d942babd6a4.png)
You will be prompted to confirm your choice.
![[image expected here]](/assets/images/system_settings-encryption_keystore-reset-confirm_dialog-b96f1767557e40184809a6fcad3efe8e.png)
Use the Delete all associated keys toggle to delete all keys in the Keystore. This feature requires additional confirmation with your vStor password.
Unlocking Encrypted Volumes
To unlock a volume whose encryption key is stored in the Encryption Keystore:
- Select the volume from the volumes list.
- Select Unlock.
The Volume Unlock dialog will open.
- Instead of specifying the volume's encryption key, select Unlock using stored key.
![[image expected here]](/assets/images/volume_unlock-0edfad420fa3238afaf7fc00200d27d6.png)
If you prefer not to use the stored password, you can still unlock volumes by entering the encryption password manually.
Security Considerations
- The Encryption Keystore must be properly configured before storing or using encryption passwords.
- Removing a password from the keystore does not affect the volume's encryption settings.
- All passwords stored in the Encryption Keystore are encrypted.
Always maintain secure backups of your encryption passwords, even when using the Encryption Keystore.