Data Security Manager with Amazon XKS Using Virtual Private Cloud

1.0 Introduction

This article describes how to integrate Fortanix-Data-Security-Manager (DSM) on-premises with Amazon Web Services (AWS) External Key Store (XKS) using Amazon’s Virtual Private Cloud network to protect the data in AWS using keys stored in Fortanix DSM that users can use to perform cryptographic operations.

It also describes how to:

• Create and configure the AWS Network Load Balancer and Target Groups

• Create the VPC Endpoint Service

• Create Fortanix DSM objects

• Create the External Key Store in AWS

When using Fortanix DSM as an external key store, AWS allows two ways of communication:

• Public Endpoint Connectivity - AWS KMS connects to the external key store proxy (XKS proxy) over the internet using a public endpoint. This procedure is not covered in this article. You can follow the documentation link – Fortanix DSM with AWS XKS Concepts Guide and Fortanix DSM with AWS External Key Store (XKS) Integration Guide for the Public Endpoint Connectivity method.

• Using Amazon VPC endpoint service - AWS KMS connects to the XKS proxy by creating an interface endpoint to an Amazon VPC endpoint service. This method uses AWS Direct Connect/VPN, which enables AWS KMS to privately connect to your Amazon VPC and your XKS proxy without using the public internet. This procedure is covered in this article.

2.0 Architecture Workflow

The diagram below depicts the connectivity flow between Fortanix DSM and AWS KMS:

The components of the above diagram include:

• Amazon VPC connected to AWS XKS - needs to be created, or an existing VPC can be used. It is important to note that the VPC must have at least two private subnets in two different Availability Zones.

• Amazon VPC endpoint service powered by AWS PrivateLink, configured with a network load balancer and target group.

• An external proxy is configured in the on-premises environment to intercept AWS KMS traffic and relay it to the Fortanix DSM service.

• Private DNS assigned to an external proxy.

• Fortanix DSM installed in the on-premises environment.

The following steps explain the workflow:

1. An AWS service or custom application sends a request for a key to AWS KMS.

2. AWS KMS retrieves the double-enveloped key from its database and sends it to the URL of the XKS service (as implemented by Fortanix DSM) to decrypt.

3. A network load balancer relays the request from AWS KMS to the Fortanix DSM cluster located in the on-premises environment using the VPC endpoint service.

4. Fortanix DSM decrypts the outer envelope and returns the inner envelope to AWS KMS.

5. AWS KMS decrypts the inner envelope and returns the plaintext DEK to the calling service or application.

6. An external proxy created in the on-premises environment forwards the traffic to Fortanix DSM running with a public CA-signed certificate. The certificate must include the proxy endpoint as a SAN (Subject Alternate Name).

3.0 Prerequisites

Ensure the following:

• AWS resources:

  • Network Load Balancer (NLB)
    Reference: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-network-load-balancer.html#configure-load-balancer

  • VPC (with private subnet)

  • VPC Endpoint Service (Ensure to add .TXT record as per documentation. “Domain verification status” should be "Verified")
    Reference: https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html#xks-nlb

  • KMS

  • The connection between AWS Cloud and Fortanix DSM on-premises (VPN/Direct Connect)

• On-premises resources:

  • Fortanix DSM on-premises version 4.9 and above.

  • High Availability Proxy: A minimum of two nodes is recommended to achieve high availability. 

  NOTE

  Fortanix used the HAProxy proxy service for testing.

4.0 Fortanix DSM with AWS XKS Using VPC

With AWS XKS, administrators use Fortanix DSM to store cryptographic keys for encrypting and decrypting the Data Encryption Keys in AWS KMS. In this method, cryptographic operations are performed inside Fortanix DSM. This is different from the import-key (known as Bring Your Own Key or BYOK) functionality, where the key material for a key in Fortanix DSM (external HSM) is imported into AWS KMS, optionally with an expiration period, and cryptographic operations occur within an AWS data center.

5.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

5.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

5.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

5.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

   

2. On the Adding new group page, do the following:

   1. Title: Enter a name for your group.

   2. Description (optional): Enter a short description of the group.

3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

5.4 Creating or Importing an AES Key

Perform the following steps to generate an AES key in the Fortanix DSM:

1. In the DSM left navigation panel, click the Security Objects menu item, and then click the + button to create a new security object.

   

2. On the Add new Security Object page, do the following:

   1. Security Object name: Enter the name for your security object.

   2. Group: Select the group as created in Section 5.3: Creating a Group.

   3. Select GENERATE.

   4. In the Choose a type section, select the AES key type.

   5. In the Key Size section, select the size of the key in bits.

   6. In the Key operations permitted section, select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying.

      NOTE

      Ensure that the new key has Encrypt and Decrypt key operations are allowed.

3. Click GENERATE to create the new security object.

5.5 Copying the UUID of the AES Key

Perform the following steps to copy the security object UUID from the Fortanix DSM:

1. In the DSM left navigation panel, click the Security Objects menu item, and then click the security object created in Section 5.4: Creating a Security Object to go to the detailed view of the security object.

2. From the top of the security object’s page, click the COPY ID drop down menu and then select COPY UUID to copy it to use later.

5.6 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

   

2. On the Adding new app page, do the following:

   1. App name: Enter the name for your application.

   2. ADD DESCRIPTION (optional): Enter a short description of the application.

   3. Authentication method: Select AWS XKS as the authentication method from the drop down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

   4. Assigning the new app to groups: Select the group created in Section 5.3: Creating a Group from the list.

3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

5.7 Copying the App Configuration File

Perform the following steps to copy the app configuration file from the Fortanix DSM:

1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 5.6: Creating an Application to go to the detailed view of the app.

2. In the INFO tab and the AWS XKS section, click VIEW INSTRUCTIONS.

3. In the AWS XKS modal window, click COPY CONFIG FILE to copy all the configuration details at once to the clipboard in JSON format, or copy the URI and the configuration info individually and make a note of it.

   The following are the configuration values:

   • Path prefix: A fixed path containing the Fortanix DSM app UUID.

   • Access key ID and Secret access key: The access key and secret access key are used by AWS to access Fortanix DSM.

6.0 Configure HAProxy Service in Fortanix DSM On-Premises

It is highly recommended to configure at least two HAProxy servers in HA to receive KMS traffic using AWS VPC. It must be configured with SSL pass-through to forward the incoming traffic to the backend service URL. Following is an example of installing HAProxy on Ubuntu and configuring the proxy service.

apt-get install haproxy

Edit the configuration /etc/haproxy/haproxy.cfg. The following is an example of the HAProxy configuration:

global
         log /dev/log local0 info
         stats socket [email protected]:9999 level admin
         stats socket /var/run/haproxy.sock mode 666 level admin
         stats timeout 2m
defaults
         log global
         option tcplog
         timeout client  10s #Applies to all FrontEnd
         timeout connect 10s #Applies to all Backend
         timeout server  10s #Applies to all Backend
frontend stats
   bind *:1936
   mode http
   stats uri /
   stats show-legends
   stats refresh 5s
   no log
frontend https
         bind *:443
         mode tcp
         default_backend bk_app
backend bk_app
         mode tcp
         server testdsm  10.197.192.40:443 check

6.1 Create and Configure AWS Network Load Balancer and Target Groups

6.2 Create VPC Endpoint Service

Perform the following steps to create the VPC endpoint service:

1. Go to VPC in the AWS Console and click Endpoint services. Select Create.

2. In the Create endpoint service form, do the following:

   1. Enter a logical name for the VPC endpoint service.

   2. Select Load balancer type as Network.

   3. Then select the load balancer created above under Available load balancers.

      

   4. In the Additional settings section, do the following:

      1. Clear the Acceptance required option.

      2. Select the Associate a private DNS name with the service option.

      3. Enter the Proxy DNS for the Private DNS name field.

      4. Select IPV4 as the Supported IP address types.

      5. Click Create.

         

      6. After the VPC endpoint is created, it will generate the domain verification name and value. The Domain verification status shows “pendingVerification”. You must copy the Domain verification name and Domain verification value and create a TXT record on Route 53 under your domain. After the successful verification, the Domain verification status shows “Verified”.
         Reference: https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html

         

      7. You must add "Allow Principals" to use the VPC endpoint service as below. This is required to allow KMS to communicate through the VPC endpoint service you created.

         1. In the navigation pane, choose Endpoint services.

         2. Select the endpoint service and select the Allow principals tab.

         3. To add permissions, click Allow principals.

         4. In the Principals to add section, enter the ARN of the principal.

            

6.3 Create External Keystore in AWS KMS

Perform the following steps to create an external keystore in AWS KMS:

1. Go to Key Management Service in the AWS console and select External key stores.

   1. Click the Create option to create the external key store.

      1. Enter a logical name for the Key store name field.

      2. Select the VPC endpoint service in the Proxy connectivity section.

      3. Select the VPC endpoint service created in the previous section.

      4. In the Proxy URI endpoint field, enter the proxy DNS name.

      5. Upload the configuration file from Fortanix DSM that you copied to the clipboard in Section 5.6: Creating an Application. This will populate the fields in the Proxy Configuration section.

      6. Click Create external key store.

         

2. After the external key store is created, click the keystore and check the Connection State.
   It should show as Connected. This might take a while. If it shows a status other than Connected, then troubleshoot the connectivity.

   

3. Now, the KMS key can be created in this key store.

   1. Click Create a KMS key in this keystore.

      1. In the Key configuration form, enter the Fortanix DSM key UUID as copied in Section 5.5: Copying the Security Object UUID in the External key ID field.

      2. Confirm the use of an external key store and click Next.

         

   2. Enter the key Alias and click Next.

      

   3. Select the Key administrators from the list, click on the check box for the Key deletion based on your requirements, and click Next.

      

      

      • Key Administrative permissions: AWS IAM users or roles who can manage the AWS external keystore key from the console.

      • Key Usage Permissions: AWS IAM users or roles who can use the key for cryptographic operations.

   4. Finally, review the Key configuration and click Finish.

      

7.0 Using the XKS Key to Encrypt S3 Bucket

7.1 Create an S3 Bucket

This section describes how to use a Fortanix DSM key as an AWS customer-managed key to encrypt an S3 bucket.

1. Create an S3 bucket, Amazon S3 → Buckets → Create bucket.

   

2. Upload a file to S3 and check the Fortanix key access logs.

   

   

   

7.0 References

• AWS XKS troubleshooting guide: https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html

• Support key types with AWS external keystore: https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html

• Support key types with AWS external keystore: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keys.html

• Controlling access to your External keystore: https://docs.aws.amazon.com/kms/latest/developerguide/authorize-xks-key-store.html