Exporting Fortanix Data Security Manager keys to Cloud Providers for BYOK - Google Cloud

  • Updated on Mar 12, 2025
  • Published on Jun 24, 2024
  • 2 minute(s) read

1.0 Introduction

There are several ways to export Fortanix-Data-Security-Manager (DSM) keys to major cloud providers that support BYOK for server-side encryption. 

2.0 Prerequisite

Download Fortanix DSM CLI from here.

3.0 Google Cloud

3.1 GCS (Cloud Storage)

For GCS, actual base64 customer keys are needed to be provided for every upload and download of objects to GCS.

1. Create a 256-bit AES key in Fortanix DSM with the EXPORT key operation enabled.

$ python sdkms-cli create-key --obj-type AES --key-size 256 --name Google-Cloud-Master-Key --exportable

2. Export this key on your application environment.

$ python sdkms-cli export-object --name Google-Cloud-Master-Key

3. Add the following option to the GSUtil section of GSUtil boto configuration file:

encryption_key = [YOUR_ENCRYPTION_KEY]
decryption_key1 = [YOUR_ENCRYPTION_KEY]

4. Now you can upload and download objects in GCS with encryption with your own keys.

$ gsutil cp [LOCAL_OBJECT_LOCATION] gs://[DESTINATION_BUCKET_NAME]/
$ gsutil cp gs://[BUCKET_NAME]/[OBJECT_NAME] [OBJECT_DESTINATION]

5. GCS browser shows that the object is customer encrypted.

gce-4.png

Figure 1: Customer Encrypted

3.2 GCE (Compute Engine)

GCE supports import of customer keys wrapped by a Google public key. Since Fortanix DSM supports wrapping natively, actual material of the customer keys are never exposed.

1. Create a 256-bit AES key in Fortanix DSM with the EXPORT key operation enabled.

$ python sdkms-cli create-key --obj-type AES --key-size 256 --name Google-Cloud-Master-Key --exportable

2. Fetch Google public key.

$ curl "https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem" -o google-cloud-csek-ingress.pem
$ openssl x509 -pubkey -noout -in google-cloud-csek-ingress.pem > google-cloud-csek-public.pem

3. Import the Google public key in Fortanix DSM.

$ python sdkms-cli import-key --obj-type RSA --in google-cloud-csek-public.pem --name Google-Cloud-Public-Key

4. Wrap Fortanix DSM master key with Google public key, using Fortanix DSM.

$ sdkms-cli wrap-key --kid (kid of master key) --alg RSA --mode OAEP_MGF1_SHA1 --wrapping-kid (kid of the Google public key) --out rsawrappedkey.txt
$ openssl enc -base64 -in rsawrappedkey.txt | tr -d '\n' | sed -e '$a\' > rsawrappedbase64key.txt

5. Set the key data in GCE as a wrapped key.

wrapped-key-google.png

Figure 2: Set the Key Data

6. The disk says that it's encrypted with customer keys.

gce-3.png

Figure 3: Encryption

Related articles