Specify Autonomous Unlocking Preference

Specify the autonomous unlocking preference after entering the initial security officer credentials within the QuickStart wizard.

Autonomous unlocking allows the KMA to become fully operational after a reset without requiring the entry of a quorum of passphrases. You can change this option from the OKM Manager at a later time.

Caution:

While enabling autonomous unlocking is more convenient and increases the availability of the OKM cluster, it creates security risks.

When autonomous unlocking is enabled, a powered-off KMA must retain sufficient information to start up fully and begin decrypting stored keys. This means a stolen KMA can be powered up, and an attacker can begin extracting keys from the KMA. While it is not easy to extract keys, a knowledgeable attacker will be able to dump all keys off the KMA. No cryptographic attacks are needed.

If autonomous unlocking is disabled, cryptographic attacks are required to extract keys from a stolen KMA.

  1. When prompted, type y (to enable) or n (to disable). Press Enter.
  2. Proceed to Set the Key Pool Size (using QuickStart).