In typical production Encryption & Key Management (EKM) environments using the SKLES appliances, there are usually two (2) appliances – one for the Primary location and another for the Secondary (or Disaster Recovery) location. To ensure that encrypted objects on the appliance can be decrypted by either appliance in the “trusted-cluster”, the appliance's installation wizards migrate the Encryption Domain Key (EDK) of the first encryption-domain from the Primary to the Secondary appliance. However, some sites may need more than two appliances in production for performance and availability requirements. When there is a third, fourth or any number of additional appliances, the installation wizards are not appropriate for migrating the Encryption Domain Key (EDK) to the additional appliances. The Key Migration Tool (KMTool) addresses this use-case.
The KMTool is designed to take an EDK from any appliance and migrate it to another appliance in the cluster so that the additional appliance can decrypt objects and keys encrypted on other appliances in the cluster. The KMTool uses a similar process to the wizards and provides the same degree of security and control as the wizards in the key-migration process. This process is described below to show how an EDK can be migrated from an appliance called skles01.strongauth.com to skles03.strongauth.com. In this process, skles01 is assumed to be the Primary appliance, and skles03 is deemed to be the new appliance that is to be added to the cluster.
skles02 is assumed to have been set up as a Secondary through the installation wizard, but is not needed in this process. However, this process will work identically if skles02 is used as the source appliance instead of skles01 for migrating the EDK to skles03.