Exporting Fortanix Data Security Manager keys to Cloud Providers for BYOK - Google Cloud


1.0 Introduction

There are several ways to export Fortanix Data Security Manager (DSM) keys to major cloud providers that support Bring Your Own Key (BYOK) for server-side encryption.

2.0 Prerequisite

Ensure the following:

  • Download Fortanix DSM CLI from here.

3.0 Google Cloud

3.1 GCS (Cloud Storage)

For GCS, the actual customer key (base64-encoded) must be supplied for every upload of an object to GCS and for every download of that object from GCS.

  1. Run the following command to create a 256-bit AES key in Fortanix DSM with the EXPORT key operation enabled:

    $ python sdkms-cli create-key --obj-type AES --key-size 256 --name Google-Cloud-Master-Key --exportable
  2. Run the following command to export this key into your application environment:

    $ python sdkms-cli export-object --name Google-Cloud-Master-Key
  3. Add the following options to the [GSUtil] section of the gsutil boto configuration file, using the base64 key exported in the previous step:

    encryption_key = [YOUR_ENCRYPTION_KEY]
    decryption_key1 = [YOUR_ENCRYPTION_KEY]
  4. Run the following commands to upload and download objects in GCS, encrypted with your own key:

    $ gsutil cp [LOCAL_OBJECT_LOCATION] gs://[DESTINATION_BUCKET_NAME]/
    $ gsutil cp gs://[BUCKET_NAME]/[OBJECT_NAME] [OBJECT_DESTINATION]
  5. The GCS browser shows that the object is customer encrypted.

    Figure 1: Customer encrypted
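The following shell script is an added example, not part of the Fortanix page or the DSM CLI. It shows the pre-flight checks worth running on the base64 key from step 2 before it is written into the boto configuration in step 3: the decoded key must be exactly 32 bytes (GCS customer-supplied keys are AES-256), and computing the base64 SHA-256 of the raw key gives the value GCS records as customerEncryption.keySha256 in the object metadata, so an uploaded object can be matched to the DSM key without the key itself ever being shown. It assumes openssl is on PATH; the key used is a constructed test value (32 bytes of 0x41), not a key exported from DSM.

```shell
#!/bin/sh
# Added example (not from the Fortanix page): checks on a customer-supplied
# encryption key before it goes into the boto [GSUtil] section.
# Assumes openssl is on PATH. TEST_KEY_B64 is a constructed 32-byte test key,
# not a real key exported from DSM.

TEST_KEY_B64=$(printf '%s' 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' | openssl base64 -A)

# csek_key_bytes <base64-key>: number of raw key bytes after base64 decoding.
csek_key_bytes() {
  printf '%s' "$1" | openssl base64 -d -A | wc -c | tr -d ' '
}

# csek_validate <base64-key>: succeeds only for a 256-bit (32-byte) key, the
# only size GCS accepts for customer-supplied encryption keys.
csek_validate() {
  [ "$(csek_key_bytes "$1")" = "32" ]
}

# csek_key_sha256 <base64-key>: base64 SHA-256 of the raw key bytes. GCS stores
# this digest (customerEncryption.keySha256) with each object, so the bucket's
# view can be compared against the DSM key without revealing key material.
csek_key_sha256() {
  printf '%s' "$1" | openssl base64 -d -A \
    | openssl dgst -sha256 -binary | openssl base64 -A
}

if csek_validate "$TEST_KEY_B64"; then
  echo "key ok; expected keySha256 = $(csek_key_sha256 "$TEST_KEY_B64")"
else
  echo "key rejected: $(csek_key_bytes "$TEST_KEY_B64") bytes, need 32" >&2
fi
```

In practice, replace TEST_KEY_B64 with the output of `sdkms-cli export-object` held in a variable, and compare the printed digest with the key hash the bucket reports for the uploaded object.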

3.2 GCE (Compute Engine)

GCE supports importing customer keys wrapped with a Google public key. Since Fortanix DSM supports wrapping natively, the actual material of the customer key is never exposed.

  1. Run the following command to create a 256-bit AES key in Fortanix DSM with the EXPORT key operation enabled:

    $ python sdkms-cli create-key --obj-type AES --key-size 256 --name Google-Cloud-Master-Key --exportable
  2. Run the following commands to fetch the Google public key:

    $ curl "https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem" -o google-cloud-csek-ingress.pem
    $ openssl x509 -pubkey -noout -in google-cloud-csek-ingress.pem > google-cloud-csek-public.pem
  3. Run the following command to import the Google public key into Fortanix DSM:

    $ python sdkms-cli import-key --obj-type RSA --in google-cloud-csek-public.pem --name Google-Cloud-Public-Key
  4. Run the following commands to wrap the Fortanix DSM master key with the Google public key, using Fortanix DSM, and then base64-encode the wrapped key on a single line:

    $ python sdkms-cli wrap-key --kid [MASTER_KEY_KID] --alg RSA --mode OAEP_MGF1_SHA1 --wrapping-kid [GOOGLE_PUBLIC_KEY_KID] --out rsawrappedkey.txt
    $ openssl enc -base64 -in rsawrappedkey.txt | tr -d '\n' | sed -e '$a\' > rsawrappedbase64key.txt
  5. Set the key data in GCE as a wrapped key.

    Figure 2: Set the key data

  6. The disk shows that it is encrypted with customer-supplied keys.

    Figure 3: Encryption
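The following shell script is an added example, not part of the Fortanix page or the DSM CLI. It reproduces the GCE wrapped-key format from step 4 offline (RSA-OAEP with SHA-1 and MGF1-SHA-1, the same mode as --mode OAEP_MGF1_SHA1, followed by the single-line base64 pipeline) so the procedure can be rehearsed and its output checked before a real master key is involved. Because Google's private key is never available, a real wrapped key cannot be decrypted for verification; the script therefore substitutes a locally generated 2048-bit RSA pair for google-cloud-csek-public.pem and a constructed 32-byte test key for the DSM master key, which makes a full wrap/unwrap round trip possible. It assumes openssl, sed and tr are on PATH; all file names under the temporary directory are the script's own.

```shell
#!/bin/sh
# Added example (not from the Fortanix page or DSM CLI): offline rehearsal of
# the GCE key-wrapping pipeline with a throwaway RSA pair and a test key.
# Assumes openssl, sed and tr are on PATH.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for google-cloud-csek-public.pem: a local 2048-bit RSA key pair.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/test-priv.pem" 2>/dev/null
openssl pkey -in "$WORK/test-priv.pem" -pubout -out "$WORK/test-pub.pem"

# Constructed 256-bit test key (32 bytes of 0x41) in place of the DSM master key.
printf '%s' 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' > "$WORK/master.key"

# wrap_key <raw-key> <public-pem> <out>: RSA-OAEP, SHA-1 label hash, MGF1-SHA-1,
# i.e. the same construction DSM applies with --mode OAEP_MGF1_SHA1.
wrap_key() {
  openssl pkeyutl -encrypt -pubin -inkey "$2" -in "$1" -out "$3" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1 \
    -pkeyopt rsa_mgf1_md:sha1
}

# to_single_line_b64 <in> <out>: the page's openssl | tr | sed pipeline.
to_single_line_b64() {
  openssl enc -base64 -in "$1" | tr -d '\n' | sed -e '$a\' > "$2"
}

# unwrap_key <wrapped> <private-pem> <out>: only possible here because the test
# private key is local; Google's ingress private key never is.
unwrap_key() {
  openssl pkeyutl -decrypt -inkey "$2" -in "$1" -out "$3" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1 \
    -pkeyopt rsa_mgf1_md:sha1
}

wrap_key "$WORK/master.key" "$WORK/test-pub.pem" "$WORK/rsawrappedkey.txt"
to_single_line_b64 "$WORK/rsawrappedkey.txt" "$WORK/rsawrappedbase64key.txt"

# Checks on the artefact before it would be pasted into the GCE key field:
# a 2048-bit wrapping key yields exactly 256 ciphertext bytes, and the base64
# file must be a single line.
wrapped_bytes() { wc -c < "$WORK/rsawrappedkey.txt" | tr -d ' '; }
b64_lines()     { wc -l < "$WORK/rsawrappedbase64key.txt" | tr -d ' '; }
roundtrip_ok()  {
  unwrap_key "$WORK/rsawrappedkey.txt" "$WORK/test-priv.pem" \
    "$WORK/unwrapped.key" 2>/dev/null &&
  cmp -s "$WORK/master.key" "$WORK/unwrapped.key"
}

echo "wrapped bytes: $(wrapped_bytes), base64 lines: $(b64_lines)"
roundtrip_ok && echo "round trip ok" || echo "round trip FAILED" >&2
```

Against the real Google public key only the two size and line-count checks apply; the round-trip check exists solely to confirm that the OAEP parameters and the base64 step are wired up correctly.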