Get a Quote     (408) 943-4100   TrueNAS Discord VendOp_Icon_15x15px Commercial Support
TrueNAS.com Software Systems Company Community Security iX Portal Download
TrueNAS CORE TrueNAS Enterprise TrueNAS SCALE Compare Editions TrueCommand Software Status FreeNAS
Compare Systems F-Series M-Series X-Series R-Series Mini Series
About iXsystems Our Clients Reviews Careers Awards iX Blog & News iX Website Contact Us
Community Forum Discord TrueNAS GitHub TrueNAS Merch Store
Application Analytics Backup and Archival Cloud Data Mobility File Sharing iX Storj Media Creation Video Surveillance Virtualization
Industry Automotive Education Gaming Government Healthcare MSP Manufacturing Research & AI Media & Entertainment
Download TrueNAS CORE Download TrueNAS SCALE Get TrueNAS Enterprise Compare TrueNAS Editions Where to Buy
  1. Documentation Hub
  2. /
  3. TrueNAS SCALE
  4. /
  5. SCALE Tutorials
  6. /
  7. Credentials
  8. /
  9. Configuring KMIP
Edit page
TrueNAS SCALETrueNAS SCALE Nightly Development Documentation
This content follows experimental early release software. Use the Product and Version selectors above to view content specific to a stable software release.

Configuring KMIP

  3 minute read.

Last Modified 2023-11-17 10:51 EST
TrueNAS Enterprise
KMIP is only available for TrueNAS SCALE Enterprise licensed systems. Contact the iXsystems Sales Team to inquire about purchasing TrueNAS Enterprise licenses.

The Key Management Interoperability Protocol (KMIP) is an extensible client/server communication protocol for storing and maintaining keys, certificates, and secret objects. KMIP on TrueNAS SCALE Enterprise integrates the system within an existing centralized key management infrastructure and uses a single trusted source for creating, using, and destroying SED passwords and ZFS encryption keys.

With KMIP, keys created on a single server are then retrieved by TrueNAS. KMIP supports keys wrapped within keys, symmetric, and asymmetric keys. KMIP enables clients to ask a server to encrypt or decrypt data without the client ever having direct access to a key. You can also use KMIP to sign certificates.

Requirements

To simplify the TrueNAS connection process:

  • Have a KMIP server available with certificate authorities and certificates you can import into TrueNAS.
  • Have the KMIP server configuration open in a separate browser tab or copy the KMIP server certificate string and private key string to later paste into the TrueNAS web interface.

Connecting TrueNAS to a KMIP Server

To connect TrueNAS to a KMIP server, import a certificate authority (CA) and Certificate from the KMIP server, then configure the KMIP options.

How do I import these?

Log into the TrueNAS web interface and go to Credentials > Certificate. Click Add on the Certificate Authorities widget. Select Import CA from the Type dropdown list. Enter a memorable name for the CA, then paste the KMIP server certificate in Certificate and the private key in Private Key. Leave Passphrase empty. Click Save.

Next, click Add on the Certificates widget. Select Import Certificate from the Type dropdown list. Enter a memorable name for the certificate, then paste the KMIP server certificate and private key strings into the related TrueNAS fields. Leave Passphrase empty. Click Save.

For security reasons, we strongly recommend protecting the CA and certificate values.

Configuring KMIP in TrueNAS

Go to Credentials > KMIP.

KMIP Screen
Figure 1: KMIP Screen

Enter the central key server host name or IP address in Server and the number of an open connection on the key server in Port. Select the certificate and certificate authority that you imported from the central key server. To ensure the certificate and CA chain is correct, click on Validate Connection. Click Save.

When the certificate chain verifies, choose the encryption values, SED passwords, or ZFS data pool encryption keys to move to the central key server. Select Enabled to begin moving the passwords and keys immediately after clicking Save.

Refresh the KMIP screen to show the current KMIP Key Status.

If you want to cancel a pending key synchronization, select Force Clear and click Save.

Related Content

SCALE Tutorials
SCALE Getting Started
SCALE UI Reference
SCALE CLI Reference

Have more questions?

For further discussion or assistance, see these resources:

Found content that needs an update?  You can suggest content changes directly! To request changes to this content, click the Feedback button located on the middle-right side of the page (might require disabling ad blocking plugins).