How to use KMIP client for secure key management?


Last modified date: 2025-06-09

Applicable Products

  • KMIP Client
  • QuTS hero h5.3.0 or later versions

About KMIP Client

KMIP Client allows your NAS to securely store and retrieve encryption keys for storage functions by connecting to a remote Key Management Interoperability Protocol (KMIP) server. Acting as an agent, KMIP Client manages communication between storage features on NAS, such as encrypted shared folders and encrypted LUNs, and the connected KMIP server.

KMIP Client supports a one-to-one connection, allowing each NAS to link to a single KMIP server at a time. Once configured, it provides centralized, secure, and compliant encryption key management for storage functions, ensuring the integrity and accessibility of encrypted data.

KMIP Client features

  • Store and manage encryption keys remotely on a KMIP server, minimizing the risk of unauthorized access or key loss at the NAS level.
  • Automate encryption key retrieval and application for encrypted shared folders and LUNs, improving security and user experience.
  • Integrate with a Key Management System (KMS) to meet enterprise-level security and compliance standards for storage encryption.
  • Maintain access to encrypted LUNs and shared folders even after system reboots, provided KMIP Client and server remain operational.

Install and Configure KMIP Client

Install the KMIP Client to enable encryption key management services, and configure it to establish secure communication with a remote KMIP server.

Prerequisites

  • Log in to the NAS as an administrator.
  • Verify that your NAS is running QuTS hero h5.3.0 or later.
  • Confirm that a KMIP-compliant Key Management System (KMS) is properly set up and ready to connect with the NAS.
  • Configure the KMS according to the vendor’s instructions, and ensure that KMIP communication is enabled over the appropriate port, typically 5696, unless otherwise specified by the KMS vendor. This port is used for mutual TLS (mTLS) communication between KMIP Client and the KMIP server.
  • Create or import the necessary certificates into the KMIP server.

Install KMIP Client

  • Log in to the NAS as an administrator.
  • Open App Center.
  • Locate the app by searching KMIP Client in the search field.
  • Click KMIP Client.
  • Select the app update frequency.
  • Click Install.
    App Center installs KMIP Client on the device.

Access KMIP Client

You can access the KMIP Client settings through the following options:

  • Control Panel > System Security > KMIP
  • Open the KMIP Client application, which redirects you to the KMIP settings page in Control Panel.

Managing KMIP Client certificates

You can manage the KMIP client certificate to ensure secure, authenticated communication between your NAS and a remote KMIP server. Certificates are required to verify the identity of both devices and encrypt data exchanged over the network. You can generate a new certificate on your NAS for this purpose, or import an existing certificate from your local device. Additionally, you can view certificate details such as status, expiration date, and issuing authority, and perform actions like replacing, downloading, or deleting certificates to maintain secure, uninterrupted KMIP client connections.

Generate a new KMIP Client certificate

  1. Open KMIP Client.
    KMIP Client redirects you to the KMIP page in Control Panel.
  2. Click Add, under KMIP Client Certificate.
    The Add KMIP Client Certificate window appears.
  3. Select Generate new certificate.
  4. Click Add.
    The system generates a new KMIP certificate.

Import a custom certificate

  1. Open KMIP Client.
    KMIP Client redirects you to the KMIP page in Control Panel.
  2. Click Add, under KMIP Client Certificate.
    The Add KMIP Client Certificate window appears.
  3. Select Import certificate.
  4. In the certificate management section, click Browse next to each field:
    • Certificate: Select the .pem certificate file.
    • Private key: Select the corresponding .key private key file.
    • Intermediate certificate (optional): If applicable, select the intermediate .pem certificate file.
  5. In each case, locate the appropriate file in the file selection dialog and click Open or the equivalent option to confirm the selection.
  6. Click Add.
    The system imports and adds the KMIP certificate.
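
The checks worth running on the files selected in step 4 before importing them, as an added example that is not part of the original article or QNAP's own tooling. It assumes the OpenSSL command-line tool is available on the workstation and that the CA file passed in is the one the KMIP server trusts for client certificates; the function names and the self-signed demo pair are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-import checks for a KMIP client certificate and private key.
# Assumes the OpenSSL CLI is installed; all function names are illustrative.

# Succeeds only if the certificate's public key matches the private key.
cert_matches_key() {  # CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is still valid DAYS from now (default 30).
cert_valid_for_days() {  # CERT [DAYS]
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Succeeds only if the certificate chains to CA, optionally via INTERMEDIATE.
cert_chains_to() {  # CERT CA [INTERMEDIATE]
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Runs every check in order and prints a one-word verdict.
preflight() {  # CERT KEY CA [INTERMEDIATE]
    cert_matches_key "$1" "$2" || { echo key-mismatch; return 1; }
    cert_valid_for_days "$1" 30 || { echo expiring; return 1; }
    cert_chains_to "$1" "$3" "${4:-}" || { echo untrusted; return 1; }
    echo ok
}

# Constructed sample input: a throwaway self-signed pair NAME.pem / NAME.key in DIR.
make_demo_pair() {  # DIR NAME DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# Usage: sh preflight.sh client.pem client.key ca.pem [intermediate.pem]
if [ "$#" -ge 3 ]; then preflight "$@"; fi
```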

Manage certificates

  1. Open KMIP Client.
    KMIP Client redirects you to the KMIP page in Control Panel.
  2. You can perform any of the following tasks.
    • View the certificate status: Check the current status and the expiration date of the installed certificate.
      Under KMIP Client Certificate, view the status and expiration date.
    • Replace the certificate: Upload a new certificate to update your existing one.
      1. Under KMIP Client Certificate, click Replace.
        The Replace KMIP Client Certificate window appears.
      2. Select Generate certificate or Import certificate.
        For details on importing a KMIP client certificate, see "Importing a custom certificate".
      3. Click Replace.
    • Download the certificate: Save a copy of your current certificate to your device.
      1. Under KMIP Client Certificate, click Download.
      2. Select one or more files to download.
      3. Click Download.
    • Delete the certificate: Remove the installed certificate from the system.
      1. Under KMIP Client Certificate, click Delete.
        The deletion confirmation window appears.
      2. Click Yes.

    KMIP Client performs the specified action.

Configure and manage KMIP server connections

To ensure secure communication between your NAS and a remote KMIP server, you can configure and manage the KMIP client connection settings. This allows the system to securely handle encryption keys through the KMIP protocol. The configuration process includes enabling or disabling the KMIP Client, as well as setting up, editing, and testing the connection between the NAS and the KMIP server. Additionally, you can clear the KMIP server connection settings when necessary to ensure your security settings remain current.

Important
  • The connection cannot be saved if the server is offline, unreachable, or not running a KMIP service. Verify the server address, port (default: 5696), and ensure KMIP services are enabled.
  • Both the NAS and KMIP server must have valid, non-expired certificates installed. The connection will fail if the client or server certificate is missing, invalid, or expired.
  • Authentication will fail if the client certificate or server settings are misconfigured. Verify client credentials, certificate assignments, and authentication settings on both devices before attempting to connect.

Configure the KMIP server connection settings

  1. Open KMIP Client.
    KMIP Client redirects you to the KMIP page in Control Panel.
  2. Click Configuration Wizard.
    The KMIP Server Connection Settings window appears.
  3. Enter the hostname or IP address of your KMIP server.
  4. Define the port number for KMIP server connections using mutual TLS. The default port is 5696.
  5. Enter an identifiable label for the KMIP server that is 0-50 characters in length.
  6. Select a trusted CA certificate to authenticate the identity of the KMIP server during connection.
    Note
    This is necessary if the server uses a self-signed certificate, which is not issued by a trusted certificate authority.
  7. Click Connect.
    The Trust KMIP Server Certificate window appears.
  8. Review the certificate details and then click Trust.
    Note
    To reconfigure the KMIP server connection settings, click Edit in the KMIP server section.

Enable or disable the KMIP Client service

  1. Open KMIP Client.
    KMIP Client redirects you to the KMIP page in Control Panel.
  2. Click the checkbox next to Enable KMIP Client.
    The system enables or disables the KMIP Client service.  

Test the KMIP server connectivity

  1. Open KMIP Client.
    KMIP Client redirects you to the KMIP page in Control Panel.
  2. Click Test Connection in the KMIP server section.
    The system initiates a connection test between the client and KMIP server, and updates the Last connection field with the latest result.

Reset the KMIP server connection settings

Important
Resetting the KMIP server connection settings will prevent the device from accessing any encryption keys previously stored on the configured KMIP server. Ensure all required keys are securely backed up or migrated before proceeding.
  1. Open KMIP Client.
    KMIP Client redirects you to the KMIP page in Control Panel.
  2. Click Reset in the KMIP server section.
    A confirmation message appears.
  3. Click Confirm.
    The system resets the KMIP server connection settings.

Use cases for KMIP Client with Storage Manager

  • Store encryption keys for LUNs and shared folders
    • In the Global Settings page in Storage Manager, enable the Store the Encryption Key on KMIP Server option to store encryption keys on the KMIP server. This requires an active KMIP Client connection. When enabled, encrypted shared folders and LUNs can store and retrieve encryption keys via the KMIP Client and be unlocked automatically on startup through the KMIP service. For details, see "Storage global settings" topic in the Storage Manager chapter in the QuTS hero User Guide.
  • Remove the stored KMIP encryption key automatically when deleting an encrypted LUN or shared folder
    • If the Store the Encryption Key on KMIP Server setting is enabled, when an encrypted shared folder is deleted, the associated encryption key will be removed from the KMIP server.
  • Unlock an encrypted LUN or shared folder automatically upon system startup
    • When creating a new encrypted LUN or shared folder, you can choose to unlock it on startup via KMIP. If the connection to the KMIP server is down, the Unlock with encryption key stored in KMIP server option will be disabled. For details, see "Managing LUN encryption" or "Managing shared folder encryption" in the Storage Manager chapter in the QuTS hero User Guide.
Important
  • KMIP Client must be enabled in Control Panel > Security and the global setting must be activated in Storage Manager for these features to work.
  • Ensure the connection between the KMIP Client and the KMIP server is stable to use functions like key storage, unlocking, and encryption management.
  • KMIP Client cannot be disabled while any application functions are actively using KMIP services.
  • The KMIP server connection settings can only be cleared after the KMIP Client is disabled. Once cleared, associated encryption key records on the NAS become unusable.
  • After clearing the KMIP server connection settings, any encrypted shared folders that previously stored their encryption keys on the KMIP server will no longer be able to retrieve those keys, even if the KMIP Client is later re-enabled and reconnected to the same KMIP server.

Further Reading

QuTS hero h5.3.0 User Guide
