TrueNAS CORE Nightly Development DocumentationThis content follows experimental early release software. Pre-release software is intended for testing purposes only.
Use the Product and Version selectors above to view content specific to a stable software release.
Configuring KMIP
3 minute read.
TrueNAS EnterpriseKMIP is only available for TrueNAS Enterprise licensed systems. Contact the iXsystems Sales Team to inquire about purchasing TrueNAS Enterprise licenses.
The Key Management Interoperability Protocol (KMIP) is an extensible client/server communication protocol for storing and maintaining keys, certificates, and secret objects. KMIP on TrueNAS Enterprise integrates the system within an existing centralized key management infrastructure and uses a single trusted source for creating, using, and destroying SED passwords and ZFS encryption keys.
Keys can be created on a single server and then retrieved by TrueNAS. Keys wrapped within keys, symmetric, and asymmetric keys are supported. Alternately, KMIP can be used for clients to ask a server to encrypt or decrypt data without the client ever having direct access to a key. KMIP also can be used to sign certificates.
To connect TrueNAS to a KMIP server, import a Certificate Authority (CA) and Certificate from the KMIP server, then configure the KMIP options.
For security reasons, we strongly recommend protecting the CA and Certificate values.
Go to System > KMIP.
Enter the central key server Server host name or IP address and the number of an open connection Port on the key server. Select the Certificate and Certificate Authority that you imported from the central key server. To ensure the Certificate and CA chain is correct, set Validate Connection and click SAVE.
When the certificate chain verifies, choose the encryption values, SED passwords, or ZFS data pool encryption keys to move to the central key server. Set Enabled to begin moving the passwords and keys immediately after clicking SAVE.
Refresh the KMIP screen to show the current KMIP Key Status.
If you want to cancel a pending key synchronization, set Force Clear and click SAVE.