Exporting DSM keys to Cloud Providers for BYOK - Alibaba

1.0 Introduction

There are several ways to export Fortanix-Data-Security-Manager (DSM) keys to major cloud providers that support BYOK for server-side encryption.

2.0 Prerequisite

Download DSM CLI from here.

3.0 Alibaba

  1. Create an external key in Alibaba.

    1. Create a new key by selecting key material source as “External”.

    2. The newly created key should show up with status “Pending Import” and key material source “External”.

  2. Download key encryption material.
    Download the key encryption material; you will need it for key wrapping in DSM and for importing the key into Alibaba.

    • Public key

    • Import Token

  3. Import Alibaba public key into DSM.
    Import the public key from the previous step into DSM as an RSA key.

  4. Create Customer Master Key in DSM.
    Create a new AES key and make sure to select the “exportable” option.

  5. Authenticate the app.

    sdkms-cli app-login --api-endpoint <Fortanix DSM endpoint URL> --api-key YOUR_APP_API_KEY

    Where,

    • <Fortanix DSM endpoint URL> is the URL of your Fortanix DSM deployment (placeholder; substitute your own endpoint).

    • YOUR_APP_API_KEY is the API key of an app in Fortanix DSM.

  6. Wrap customer master key with Alibaba public key.

    1. Use the DSM CLI to wrap the newly created AES key (customer master key) with the imported Alibaba public key.

      $ sdkms-cli wrap-key --kid <Target Key UUID in DSM> --alg RSA --mode OAEP_MGF1_SHA1 --wrapping-kid <UUID of Alibaba Wrapping Public Key> --out alibabawrap.key

      Where,

      • <Target Key UUID in DSM> is the UUID of the key in Fortanix DSM that you want to copy to Alibaba KMS.

      • <UUID of Alibaba Wrapping Public Key> is the UUID of the public key imported into Fortanix DSM through the user interface (UI) in Step 3.

    2. Apply base64 encoding to the wrapped key.

      $ openssl enc -e -base64 -A -in alibabawrap.key -out alibabawrapbase64.key

  7. Upload key into Alibaba KMS.
    Import the encoded wrapped key into Alibaba. You will also need the import token downloaded from Alibaba in Step 2.

  8. Alibaba KMS should have external key enabled now.
    With successful import your external key should be "Enabled" now.
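The following is an added example, not Fortanix or Alibaba code: it reproduces what steps 6.1 and 6.2 do with plain openssl so that a wrapped blob can be sanity-checked before it is uploaded. The RSA key pair, the file names and the 32-byte stand-in for the AES customer master key are all constructed for the example.

```shell
# Added example, not Fortanix or Alibaba code: reproduces steps 6.1 and 6.2 with plain
# openssl so a wrapped blob can be sanity-checked before upload. A throwaway RSA pair
# (constructed) stands in for the Alibaba wrapping key and a random 32-byte value for
# the exportable AES customer master key (CMK) in DSM.
set -eu
WORK=$(mktemp -d)

make_test_keys() {
  # Public half plays the role of the public key downloaded from Alibaba in step 2.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/alibaba_priv.pem" 2>/dev/null
  openssl pkey -in "$WORK/alibaba_priv.pem" -pubout -out "$WORK/alibaba_pub.pem"
  openssl rand -out "$WORK/cmk.bin" 32   # stand-in for the AES-256 key from step 4
}

# Step 6.1 equivalent: RSA-OAEP with SHA-1 and MGF1-SHA-1, i.e. the OAEP_MGF1_SHA1 mode.
wrap_cmk() {
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/alibaba_pub.pem" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1 -pkeyopt rsa_mgf1_md:sha1 \
    -in "$WORK/cmk.bin" -out "$WORK/alibabawrap.key"
}

# Step 6.2 equivalent: single-line base64 (-A), the form the import dialog expects.
encode_wrapped() {
  openssl enc -e -base64 -A -in "$WORK/alibabawrap.key" -out "$WORK/alibabawrapbase64.key"
}

# Check 1: an OAEP-wrapped blob is exactly the modulus size (256 bytes for RSA-2048);
# any other size means the wrong key or mode was used.
wrapped_size() { wc -c < "$WORK/alibabawrap.key" | tr -d ' '; }

# Check 2: the encoded file must contain no line breaks (at most one line).
base64_line_count() { wc -l < "$WORK/alibabawrapbase64.key" | tr -d ' '; }

# Check 3, possible here only because the test owns the private key: decoding and
# unwrapping must return the original CMK bytes, proving the OAEP parameters match.
unwrap_matches() {
  openssl enc -d -base64 -A -in "$WORK/alibabawrapbase64.key" -out "$WORK/decoded.key"
  openssl pkeyutl -decrypt -inkey "$WORK/alibaba_priv.pem" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1 -pkeyopt rsa_mgf1_md:sha1 \
    -in "$WORK/decoded.key" -out "$WORK/cmk.unwrapped"
  if cmp -s "$WORK/cmk.bin" "$WORK/cmk.unwrapped"; then echo yes; else echo no; fi
}

make_test_keys && wrap_cmk && encode_wrapped
```

The unwrap check is only possible here because the example generates its own private key; in the real flow the private half never leaves Alibaba KMS, so the size and single-line checks are the ones you can run before upload.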