Exporting DSM keys to Cloud Providers for BYOK - Alibaba


1.0 Introduction

There are several ways to export Fortanix Data Security Manager (DSM) keys to major cloud providers that support BYOK for server-side encryption. This guide covers the export to Alibaba Cloud KMS.

2.0 Prerequisites

Ensure the following:

3.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

3.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

3.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

Figure 1: Logging in

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

3.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

    Figure 2: Add groups

  2. On the Adding new group page, do the following:

    1. Title: Enter a name for your group.

    2. Description (optional): Enter a short description of the group.

  3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

3.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

    Figure 3: Add application

  2. On the Adding new app page, do the following:

    1. App name: Enter the name for your application.

    2. ADD DESCRIPTION (optional): Enter a short description of the application.

    3. Authentication method: Select the default API Key as the authentication method from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

    4. Assigning the new app to groups: Select the group created in Section 3.3: Creating a Group from the list.

  3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

3.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 3.4: Creating an Application to go to the detailed view of the app.

  2. On the INFO tab, click VIEW API KEY DETAILS.

  3. From the API Key Details dialog box, copy the API Key of the app to use in Section 6.0: Authenticate the Application.

4.0 Create an External Key in Alibaba KMS

Perform the following steps to create and prepare an external key for BYOK import into Alibaba Cloud KMS:

  1. In the Alibaba Cloud Key Management Service (KMS), create a new key and select External as the key material source.

    Figure 4: Create an external key

  2. After creation, the key appears with the status Pending Import and the key material source set to External.

    Figure 5: Pending import status

  3. Download the following key material from Alibaba Cloud. This material is used to wrap the key in Fortanix DSM and to complete the import into Alibaba KMS:

    • Public key

    • Import Token

      Figure 6: Download key material

5.0 Creating a Security Object

5.1 Import Alibaba Public Key

Perform the following steps to import the Alibaba public key in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Security Objects menu item, and then click the + button to create a new security object.

    Figure : Adding security object

  2. On the Add new Security Object page, do the following:

    1. Security Object name: Enter the name for your security object.

    2. Group: Select the group as created in Section 3.3: Creating a Group.

    3. Select the IMPORT radio button.

    4. In the Choose a type section, select the RSA key type.

    5. In the Place value here or import from file section, select the value format type as Hex, Base64, or Raw and click UPLOAD A FILE to import the Alibaba public key.

    6. In the Key operations permitted section, select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying.

  3. Click IMPORT to create the new security object.

  4. From the top of the security object’s page, click the copy icon next to the security object UUID to copy it to use in Section 7.0: Wrap and Import Customer Master Key into Alibaba KMS.

    Figure 8: RSA key imported

The new security object is added to the Fortanix DSM successfully.

5.2 Generate Customer Master Key

Perform the following steps to generate a Customer Master Key (CMK) in DSM. The CMK is later wrapped with the Alibaba public key and imported into Alibaba KMS:

  1. In the DSM left navigation panel, click the Security Objects menu item, and then click the + button to create a new security object.

    Figure 9: Adding security object

  2. On the Add new Security Object page, do the following:

    1. Security Object name: Enter the name for your security object.

    2. Group: Select the group as created in Section 3.3: Creating a Group.

    3. Select GENERATE.

    4. In the Choose a type section, select the AES key type.

    5. In the Key Size section, select the size of the key in bits.

    6. In the Key operations permitted section, select the required operations to define the actions that can be performed with the cryptographic keys.

      NOTE

      Ensure that you select the Export permission. Without it, DSM refuses to release the key in wrapped form in Section 7.0.

  3. Click GENERATE to create the new security object.

  4. From the top of the security object’s page, click the copy icon next to the security object UUID to copy it to use in Section 7.0: Wrap and Import Customer Master Key into Alibaba KMS.

    Figure 10: AES key generated

The new security object is added to the Fortanix DSM successfully.

6.0 Authenticate the Application

Run the following command to authenticate the app using the Fortanix DSM CLI:

sdkms-cli app-login --api-endpoint <Your_DSM_Service_URL> --api-key YOUR_APP_API_KEY

Where,

7.0 Wrap and Import Customer Master Key into Alibaba KMS

Perform the following steps to securely wrap the CMK with Alibaba’s public key and import it into Alibaba Cloud KMS:

  1. Run the following command to wrap the AES key (customer master key) with the Alibaba public key:

    $ sdkms-cli wrap-key --kid <Target Key UUID in DSM> --alg RSA --mode OAEP_MGF1_SHA1 --wrapping-kid <UUID of Alibaba Wrapping Public Key> --out alibabawrap.key

    Where,

  2. Run the following OpenSSL command to encode the wrapped key in base64 format:

    $ openssl enc -e -base64 -A -in alibabawrap.key -out alibabawrapbase64.key

  3. Upload the base64-encoded wrapped key to Alibaba KMS. During the upload process, use the Import Token that you downloaded from Alibaba KMS in Section 4.0: Create an External Key in Alibaba KMS. This step completes the secure import of the externally managed key.

    Figure 11: Import key material form

  4. After a successful import, verify that the external key status in Alibaba KMS is set to Enabled.

    Figure 12: External key status
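The following script is an added example, not Fortanix or Alibaba tooling. It reproduces offline, with the OpenSSL CLI and a throwaway RSA key pair, the RSA-OAEP/MGF1-SHA1 wrap that the `sdkms-cli wrap-key --alg RSA --mode OAEP_MGF1_SHA1` step performs inside DSM, applies the same single-line base64 step, and runs the sanity checks worth doing before uploading the material. It assumes `openssl` is on the PATH; the 32-byte random value stands in for the AES-256 CMK, which in the real flow never leaves DSM unwrapped.

```shell
#!/bin/sh
# Added example: offline reproduction of the wrap/base64 steps with constructed key material.
set -eu

# Wrap a raw AES key file ($2) with an RSA public key PEM ($1) using OAEP with SHA-1 and
# MGF1-SHA-1 (the page's OAEP_MGF1_SHA1 mode); the wrapped blob is written to $3.
wrap_oaep_sha1() {
  openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1 -pkeyopt rsa_mgf1_md:sha1
}

# Single-line base64, identical to the page's `openssl enc -e -base64 -A` step.
b64_single_line() { openssl enc -e -base64 -A -in "$1" -out "$2"; }

# Pre-upload checks: the wrapped blob must be exactly one RSA modulus long (256 bytes for a
# 2048-bit wrapping key), otherwise it was not produced with this public key; and the base64
# file must contain no newline, since -A output is expected to be a single line.
check_wrapped() {
  modulus_hex=$(openssl rsa -pubin -in "$1" -noout -modulus | cut -d= -f2)
  [ "$(wc -c < "$2")" -eq $(( ${#modulus_hex} / 2 )) ] || return 1
  [ "$(wc -l < "$3")" -eq 0 ] || return 1
}

# End-to-end demo on constructed material; prints the working directory on success.
demo() {
  dir=$(mktemp -d)
  openssl genrsa -out "$dir/wrap_test.pem" 2048 2>/dev/null        # stand-in for Alibaba's key pair
  openssl rsa -in "$dir/wrap_test.pem" -pubout -out "$dir/wrap_test_pub.pem" 2>/dev/null
  openssl rand -out "$dir/cmk.bin" 32                               # stand-in for the AES-256 CMK
  wrap_oaep_sha1 "$dir/wrap_test_pub.pem" "$dir/cmk.bin" "$dir/alibabawrap.key"
  b64_single_line "$dir/alibabawrap.key" "$dir/alibabawrapbase64.key"
  check_wrapped "$dir/wrap_test_pub.pem" "$dir/alibabawrap.key" "$dir/alibabawrapbase64.key"
  # Unwrapping with the private half proves the OAEP parameters match; Alibaba KMS does this
  # server-side with a private key it never exposes.
  openssl pkeyutl -decrypt -inkey "$dir/wrap_test.pem" -in "$dir/alibabawrap.key" \
    -out "$dir/cmk.out" -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1 \
    -pkeyopt rsa_mgf1_md:sha1
  [ "$(openssl dgst -sha256 < "$dir/cmk.bin")" = "$(openssl dgst -sha256 < "$dir/cmk.out")" ]
  echo "$dir"
}
```

If `check_wrapped` fails on real `sdkms-cli` output, the usual causes are a wrapping-kid that is not the Alibaba public key from Section 5.1 or a different `--mode` than the one selected when the external key was created.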