Exporting DSM keys to Cloud Providers for BYOK - Alibaba

1.0 Introduction

There are several ways to export Fortanix-Data-Security-Manager (DSM) keys to major cloud providers that support BYOK for server-side encryption.

2.0 Prerequisites

Ensure the following:

• Fortanix DSM must be accessible. For more information, refer to Section 3.1: Signing Up and Section 3.2: Creating an Account.

• Download the DSM CLI from here.

3.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

3.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

3.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

3.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

   

2. On the Adding new group page, do the following:

   1. Title: Enter a name for your group.

   2. Description (optional): Enter a short description of the group.

3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

3.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

   

2. On the Adding new app page, do the following:

   1. App name: Enter the name for your application.

   2. ADD DESCRIPTION (optional): Enter a short description of the application.

   3. Authentication method: Select the default API Key as the authentication method from the drop down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

   4. Assigning the new app to groups: Select the group created in Section 3.3: Creating a Group from the list.

3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

3.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 3.4: Creating an Application to go to the detailed view of the app.

2. On the INFO tab, click VIEW API KEY DETAILS.

3. From the API Key Details dialog box, copy the API Key of the app to use in Section 6.0: Authenticate the Application.

4.0 Create an External Key in Alibaba KMS

Perform the following steps to create and prepare an external key for BYOK import into Alibaba Cloud KMS:

1. In the Alibaba Cloud Key Management Service (KMS), create a new key and select External as the key material source.

   

2. After creation, the key appears with the status Pending Import and the key material source set to External.

   

3. Download the key encryption material from Alibaba Cloud and use this material to wrap the key in Fortanix DSM and complete the import into Alibaba.

   • Public key

   • Import Token

     

5.0 Creating a Security Object

5.1 Import Alibaba Public Key

Perform the following steps to import the Alibaba public key in the Fortanix DSM:

1. In the DSM left navigation panel, click the Security Objects menu item, and then click the + button to create a new security object.

   

2. On the Add new Security Object page, do the following:

   1. Security Object name: Enter the name for your security object.

   2. Group: Select the group as created in Section 3.3: Creating a Group.

   3. Select the IMPORT radio button.

   4. In the Choose a type section, select the RSA key type.

   5. In the Place value here or import from file section, select the value format type as Hex, Base64, or Raw and click UPLOAD A FILE to import the Alibaba public key.

   6. In the Key operations permitted section, select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying.

3. Click IMPORT to create the new security object.

4. From the top of the security object’s page, click the copy icon next to the security object UUID to copy it to use in Section 7.0: Wrap and Import Customer Master Key into Alibaba KMS.

   

The new security object is added to the Fortanix DSM successfully.

5.2 Generate Customer Master Key

Perform the following steps to generate a Customer Master Key (CMK) in DSM which will be wrapped later with Alibaba public key and imported into Alibaba:

1. In the DSM left navigation panel, click the Security Objects menu item, and then click the + button to create a new security object.

   

2. On the Add new Security Object page, do the following:

   1. Security Object name: Enter the name for your security object.

   2. Group: Select the group as created in Section 3.3: Creating a Group.

   3. Select GENERATE.

   4. In the Choose a type section, select the AES key type.

   5. In the Key Size section, select the size of the key in bits.

   6. In the Key operations permitted section, select the required operations to define the actions that can be performed with the cryptographic keys.

      NOTE

      Ensure to select the Export permission.

3. Click GENERATE to create the new security object.

4. From the top of the security object’s page, click the copy icon next to the security object UUID to copy it to use in Section 7.0: Wrap and Import Customer Master Key into Alibaba KMS.

   

6.0 Authenticate the Application

Run the following command to authenticate the app using the Fortanix DSM CLI:

sdkms-cli app-login --api-endpoint Fortanix Data Security Manager --api-key YOUR_APP_API_KEY

Where,

• api_endpoint is the Fortanix DSM URL.

• YOUR_APP_API_KEY is the Fortanix DSM app API key as copied in Section 3.5: Copying the API Key.

7.0 Wrap and Import Customer Master Key into Alibaba KMS

Perform the following steps to securely wrap the CMK with Alibaba’s public key and import it into Alibaba Cloud KMS:

1. Run the following command to wrap the AES key (customer master key) with the Alibaba public key:

   $ sdkms-cli wrap-key --kid <Target Key UUID in DSM > --alg RSA --mode OAEP_MGF1_SHA1 --wrapping-kid <UUID of Alibaba Wrapping Public Key > --out alibabawrap.key

   Where,

   • <Target Key UUID in DSM> is the UUID of the AES key in Fortanix DSM that you want to import to Alibaba KMS, as copied in Section 5.1: Import the Security Object.

   • <UUID of Alibaba Wrapping Public Key> is the UUID of the Alibaba RSA key that you imported in Fortanix DSM, as copied in Section 5.2: Generate the Security Object.

2. Run the following OpenSSL command to encode the wrapped key in base64 format:

   $ openssl enc -e -base64 -A -in alibabawrap.key -out alibabawrapbase64.key

3. Upload the base64-encoded wrapped key to Alibaba KMS. During the upload process, use the Import Token that you downloaded from Alibaba KMS in Section 4.0: Create an External Key in Alibaba KMS. This step completes the secure import of the externally managed key.

   

4. After a successful import, verify that the external key status in Alibaba KMS is set to Enabled.