Fortanix Data Security Manager FIPS Replication

1.0  Introduction

Welcome to the Fortanix FIPS Data Security Manager (DSM) as an External KMS guide. This guide describes the steps required to set up replication of Fortanix FX2200 FIPS Level 3 appliances across multiple nodes. It also contains the information that an administrator needs to:

  • Achieve replication and high-availability of Fortanix FIPS appliance

  • Generate and save a key in a FIPS Cluster

  • Perform crypto operations on a key generated in a FIPS Cluster

2.0  Prerequisites

The following are requirements to set up replication with Fortanix FX2200 FIPS Level 3 appliances:

  • A non-FIPS Fortanix DSM cluster with a minimum of 3 nodes.

    • It can be based on virtual Fortanix DSM appliances such as VMware, Azure, or AWS.

    • For enterprise customers, on-premise hardware appliances are recommended.

  • A minimum of 2 FIPS Fortanix DSM hardware appliances.

3.0  Fortanix FIPS Cluster Deployment

3.1  Fortanix FIPS Level 3 Appliance Replication

3.1.1  The Problem

The Fortanix FIPS appliance is physically identical to the Non-FIPS appliance. A Fortanix FIPS appliance includes a hardened chassis with tamper prevention and tamper detection.

The Fortanix FIPS appliance also has a locked-down BIOS, a locked-down BMC, and the Fortanix DSM software running in FIPS mode. FIPS appliances are unable to cluster directly with each other in FIPS mode.

3.1.2  The Solution

The replication and high availability of Fortanix FIPS appliances are facilitated by the non-FIPS cluster, while still maintaining FIPS compliance.

  • The FIPS appliance architecture in Fortanix DSM is similar to the HSM Gateway architecture in Fortanix DSM. This means all the keys in the FIPS appliance can be synced as Virtual-Keys in Fortanix DSM, like the Legacy HSM use-case.

  • However, no HSM Gateway software is required to be set up separately. FIPS appliances integrate with a Non-FIPS Fortanix DSM cluster by directly interfacing through the REST API.

  • The master key for replication is generated inside the FIPS Fortanix DSM node only. This key never leaves the FIPS Fortanix DSM node in cleartext.

  • The Data encryption keys are always created in the FIPS Fortanix DSM node.

  • The Data encryption keys never leave the FIPS Fortanix DSM node in cleartext.

  • The Encrypted key blobs live securely in the fault-tolerant Fortanix DSM cluster.

  • For each cryptographic operation, the encrypted key blob is loaded into a FIPS Fortanix DSM node, where it is unwrapped by the master key.

3.2  Cluster Creation and Key Transfer

Figure 1: Cluster creation and key transfer

3.2.1  Prepare FIPS Appliance

This step must be done on all FIPS appliances during onboarding.

  1. Create an Account in FIPS Fortanix DSM, then set up account administrators.

  2. Create a Group in FIPS Fortanix DSM. 

  3. Enable Quorum policy in the above group.

  4. Create an Application in FIPS Fortanix DSM. Make a note of the API Key of this application as it will be required to integrate with the Non-FIPS Fortanix DSM Cluster.

    Figure 2: Copy API key

3.2.2  Cluster Master Key Replication in FIPS Appliance

  1. Create a Cluster Master Key (CMK) called Cluster_Master_Key in the group created in the FIPS Appliance 1.

    1. An AES 256-bit key is required for the CMK.

    2. Mark the CMK as exportable (the quorum policy prevents it from being exported accidentally).

      Figure 3: Create cluster master key in FIPS appliance 1

  2. In the FIPS Appliance 2, do the following:

    1. Generate an asymmetric key (RSA 2048), for example: Cluster_Transfer_Key.

      Figure 4: Create cluster transfer key in FIPS appliance 2

    2. Download the public part of this “Cluster_Transfer_Key”.

      Figure 5: Download cluster transfer key

  3. Import the public transfer key into the FIPS Appliance 1. Enter a key name, for example: Cluster-Transfer-Key.

    Figure 6: Import cluster transfer key in FIPS Appliance 1

    Figure 7: Cluster transfer key imported in FIPS Appliance 1

  4. Export the “Cluster Master Key” by wrapping it with the “Cluster Transfer Key”.

    1. Create a quorum approval request for exporting the wrapped key with the following commands. The key names passed to wrap-key must match the names you gave the CMK and the imported transfer key.

      # log in with the API key of the application created on FIPS Appliance 1
      sdkms-cli app-login --api-key <1st-fips-appliance-api-key>
      # wrap the CMK with the RSA transfer key; --quorum turns the export into an approval request
      sdkms-cli wrap-key --wrapped-key-name cluster-master-key --wrapping-key-name transfer-key --alg RSA --quorum

      Figure 8: Quorum approval for wrapping CMK with cluster transfer key

    2. Approve the quorum approval request in the FIPS Appliance 1.

    3. After quorum approval, get the wrapped key blob.

      # fetch the result of the approved request and write the wrapped CMK to a file
      sdkms-cli task-result --request-id <quorum-task-request-id> --out wrapped_master_key.out

  5. Import the wrapped CMK into the FIPS Appliance 2.

    1. Create a quorum approval request for unwrapping the CMK with the following commands.

      # log in with the API key of the application created on FIPS Appliance 2
      sdkms-cli app-login --api-key <2nd-fips-appliance-api-key>
      # unwrap the blob with the private half of the transfer key, which only this appliance holds
      sdkms-cli unwrap-key --in wrapped_master_key.out --wrapping-kid <UUID-of-transfer-key-in-2nd-fips-appliance> --alg RSA --obj-type AES --name cluster-master-key --exportable --quorum

      Figure 9: Quorum approval request for unwrapping CMK

    2. Approve the quorum approval request in the FIPS Appliance 2. The CMK is now imported into FIPS Appliance 2.

  6. Delete the transfer keys from FIPS Appliance 1 and FIPS Appliance 2.

  7. To share the CMK with additional FIPS appliances, follow steps 2-7.

3.2.3  Create a Cluster in Non-FIPS Fortanix Data Security Manager Appliance

  1. Create a new group in the Non-FIPS Fortanix DSM cluster. Enter the group name: FIPS GROUP.

  2. In the Configure as HSM/External KMS Group section, click LINK HSM/EXTERNAL KMS.

  3. In the drop-down menu, select Fortanix DSM as the type of HSM/External KMS group.

  4. Select the Store keys locally option to generate, manage, and use keys in an external DSM hardware appliance operating in “FIPS mode” and wrap the keys to store them locally in Fortanix DSM operating in non-FIPS mode.

  5. In the Add new HSM/external KMS section, add the details of the FIPS Appliance 1. The following is the required information:

    1. The DNS name of the FIPS Appliance 1, for example: fips-node1.<FORTANIX_DSM_URL>

      NOTE

      Do not add “https” before the DNS name.

    2. The API key created of the FIPS Appliance 1 (refer to Section 3.2.1).

    3. Any key (internal or external) that is created in the FIPS GROUP will now be encrypted (wrapped) by the CMK created in FIPS Appliance 1. Starting with the 3.22 release, it is possible to create more than one CMK and to specify the CMK by name when using the Fortanix DSM REST API: the Group configuration API accepts the name of the specific CMK as a parameter.

      Figure 10: Add FIPS appliance node 1

  6. Click ADD NODE to add the details of the other FIPS appliance nodes in the same manner.

    Figure 11: Add FIPS appliance node 2

  7. Verify the connection by clicking the TEST CONNECTION button.

    Figure 12: FIPS node connection success

  8. Click SAVE to save the group.

If you want to use load balancing for the FIPS appliances, refer to Section 4.0 for instructions to set it up.

3.3  Generate a Key in FIPS Cluster

Once the replication completes, you can create and maintain keys for use across the complete FIPS cluster.

Figure 13: Saving key in FIPS cluster

3.3.1  Key Generation

  1. A new key generation operation is requested in the Non-FIPS Fortanix DSM Cluster. This operation is performed in the Group backed by the FIPS cluster.

  2. The request is automatically forwarded to one of the reachable FIPS appliances.

  3. FIPS appliance generates a new key.

    NOTE

    The key generation happens within the FIPS boundary.

  4. The FIPS appliance wraps the new key with the CMK and returns it back to the Non-FIPS Fortanix DSM cluster.

  5. The Non-FIPS Fortanix DSM cluster now saves this wrapped key as a special virtual key in the Group. This virtual key contains the encrypted key material in addition to metadata.

  6. Virtual keys are readable inside any of the FIPS appliances because every appliance holds the CMK. If any FIPS appliance becomes unavailable, the key is still usable by the other FIPS appliances.

    Figure 14: Key generated in FIPS cluster

3.3.2  Crypto Operations

Every crypto operation in this FIPS-backed group is forwarded to one of the FIPS appliances. The encrypted key material of the virtual key selected for operation is also sent to the FIPS appliance. The crypto operation is a 2-step process within the FIPS appliance:

  1. Decrypt the encrypted key material using the CMK of the FIPS appliance.

  2. Perform the desired crypto operation using the decrypted key.
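The key flow of Sections 3.2.2, 3.3.1 and 3.3.2 can be modelled end to end. The Go program below is an added example written for this guide; it is not Fortanix code and does not talk to a DSM. Its assumptions: RSA-OAEP with SHA-256 for the transfer-key wrap and AES-GCM for the CMK wrap (the guide only names "RSA" and "AES 256-bit"), HMAC-SHA256 as the stand-in for "the desired crypto operation" (chosen because its output is deterministic, which makes it easy to show that two appliances recover the same DEK from one blob), and constructed node names, key names and messages. The CMK and the DEK exist in cleartext only inside FIPSNode methods; what crosses the boundary is the RSA-wrapped CMK blob and the VirtualKey record that the non-FIPS cluster keeps.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// FIPSNode stands in for one FIPS appliance. The CMK lives only here; no method returns it.
type FIPSNode struct {
	Name string
	cmk  []byte // AES-256 cluster master key
}

// VirtualKey is what the non-FIPS cluster stores: metadata plus the DEK wrapped under the CMK.
type VirtualKey struct {
	Name           string
	Nonce, Wrapped []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // no entropy or failed RSA keygen is unrecoverable for a key manager
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// gcm builds an AEAD over key. AES-GCM is an assumed stand-in for the appliance's wrap mode.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, fmt.Errorf("no usable CMK: %w", err)
	}
	return cipher.NewGCM(block)
}

// NewCMK generates the cluster master key inside appliance 1 (Section 3.2.2, step 1).
func (n *FIPSNode) NewCMK() { n.cmk = randomBytes(32) }

// ExportCMK wraps the CMK under the peer's RSA transfer public key (step 4); OAEP/SHA-256 is assumed.
func (n *FIPSNode) ExportCMK(pub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, n.cmk, []byte("cmk-transfer"))
}

// ImportCMK unwraps the blob with the transfer private key that only this node holds (step 5).
func (n *FIPSNode) ImportCMK(blob []byte, priv *rsa.PrivateKey) (err error) {
	n.cmk, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob, []byte("cmk-transfer"))
	return err
}

// GenerateKey creates a DEK inside the FIPS boundary and returns only its CMK-wrapped form
// (Section 3.3.1); the key name is bound as associated data so blobs cannot be relabelled.
func (n *FIPSNode) GenerateKey(name string) (VirtualKey, error) {
	a, err := gcm(n.cmk)
	if err != nil {
		return VirtualKey{}, err
	}
	nonce := randomBytes(a.NonceSize())
	return VirtualKey{name, nonce, a.Seal(nil, nonce, randomBytes(32), []byte(name))}, nil
}

// Mac is the two-step operation of Section 3.3.2: unwrap the DEK with the CMK, then use it.
// HMAC-SHA256 stands in for "the desired crypto operation"; the DEK never leaves this function.
func (n *FIPSNode) Mac(vk VirtualKey, data []byte) ([]byte, error) {
	a, err := gcm(n.cmk)
	if err != nil {
		return nil, err
	}
	dek, err := a.Open(nil, vk.Nonce, vk.Wrapped, []byte(vk.Name)) // step 1: unwrap
	if err != nil {
		return nil, fmt.Errorf("%s cannot unwrap %s: %w", n.Name, vk.Name, err)
	}
	m := hmac.New(sha256.New, dek) // step 2: use the DEK
	m.Write(data)
	return m.Sum(nil), nil
}

// Replicate walks the guide's flow: CMK born on node 1, moved to node 2 under an RSA transfer
// key, then a DEK generated on node 1 that exists outside the nodes only as a VirtualKey.
func Replicate() (node1, node2 *FIPSNode, vk VirtualKey, err error) {
	node1, node2 = &FIPSNode{Name: "fips-node1"}, &FIPSNode{Name: "fips-node2"}
	node1.NewCMK()
	transfer := must(rsa.GenerateKey(rand.Reader, 2048)) // made on node 2; only its public half travels
	blob := must(node1.ExportCMK(&transfer.PublicKey))
	if err = node2.ImportCMK(blob, transfer); err != nil {
		return
	}
	vk, err = node1.GenerateKey("app-dek-1") // the non-FIPS cluster keeps vk, never the DEK
	return
}
```

Calling Replicate and then Mac on both nodes with the same VirtualKey yields identical MACs, which is the property the guide relies on when it says a key is still usable after one appliance becomes unavailable; a node that generated its own, different CMK fails at the unwrap step, and so does a blob whose name has been altered, because the name is authenticated as associated data.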

4.0  Deploying FIPS Level 3 Appliance with Load Balancing

In the method described in Section 3.0, key generation and crypto operation requests are forwarded to the FIPS nodes in serial order: every request goes to the first configured FIPS node until that node goes down or stops responding, after which requests are forwarded to the next node. With this method the load is not balanced equally across the nodes, and one node receives all of the requests. To solve this, you can also place your FIPS appliances behind a load balancer, which gives the following advantages:

  • If you want requests to be routed to the FIPS node in the region that is fastest to reach, thereby reducing latency.

  • If you want to connect to a healthy FIPS node for crypto operations.
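The difference between the two routing behaviours is easy to see in code. The Go program below is an added example, not Fortanix code: SerialFailover models the Section 3.0 behaviour (first configured node until it fails), RoundRobin models a load balancer with a health check in front of the same nodes, and Distribute tallies which node served each of a batch of requests. Node names and the request count are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Node is one FIPS appliance as seen by the non-FIPS cluster or by the load balancer.
type Node struct {
	Name    string
	Healthy bool
}

// SerialFailover models Section 3.0: every request goes to the first configured node that
// is up, and later nodes only see traffic once the earlier ones stop responding.
func SerialFailover(nodes []Node) (string, error) {
	for _, n := range nodes {
		if n.Healthy {
			return n.Name, nil
		}
	}
	return "", errors.New("no reachable FIPS node")
}

// RoundRobin models a load balancer with a health check: each request goes to the next
// healthy node in rotation, so the load is spread evenly and unhealthy nodes are skipped.
type RoundRobin struct {
	nodes []Node
	next  int
}

func (r *RoundRobin) Pick() (string, error) {
	for i := 0; i < len(r.nodes); i++ {
		n := r.nodes[(r.next+i)%len(r.nodes)]
		if n.Healthy {
			r.next = (r.next + i + 1) % len(r.nodes)
			return n.Name, nil
		}
	}
	return "", errors.New("no healthy FIPS node behind the load balancer")
}

// Distribute sends count requests through pick and tallies how many each node served.
func Distribute(count int, pick func() (string, error)) map[string]int {
	served := map[string]int{}
	for i := 0; i < count; i++ {
		if name, err := pick(); err == nil {
			served[name]++
		}
	}
	return served
}

func main() {
	nodes := []Node{{"fips-node1", true}, {"fips-node2", true}, {"fips-node3", true}}
	serial := func() (string, error) { return SerialFailover(nodes) }
	rr := &RoundRobin{nodes: nodes} // shares the slice, so health changes are visible to both
	fmt.Println("serial:                 ", Distribute(300, serial))
	fmt.Println("round-robin:            ", Distribute(300, rr.Pick))
	nodes[0].Healthy = false // node 1 stops responding
	fmt.Println("serial after node1 down:", Distribute(300, serial))
	fmt.Println("round-robin after down: ", Distribute(300, rr.Pick))
}
```

With three healthy nodes, serial forwarding sends all 300 requests to fips-node1 while round-robin serves 100 from each; once fips-node1 is marked unhealthy, serial forwarding moves everything to fips-node2, and round-robin splits the traffic between the two remaining nodes.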

To set up a load balancer:

  1. Create a new group in the Non-FIPS Fortanix DSM cluster. Enter the group name: FIPS GROUP.

  2. In the Add new HSM/external KMS section, add the details of the load balancer. The following information is required:

    1. “DNS name” or “IPV4 address + port number” of the load balancer endpoint. For example: fipsl3.lb.fortanix.com

      NOTE

      Do not add “https” before the DNS name.

  3. To add the FIPS Appliances on the load balancer:

    1. Add the API key created on the FIPS Appliance 1 (refer to Section 3.2.1).

    2. Click ADD API KEY to add the API key of the FIPS Appliance 2, and so on.

      NOTE

      The ADD NODE button below disappears when you click the ADD API KEY button, indicating that the load balancer is being configured for the FIPS appliances.

    Figure 15: Set up load balancer

  4. Verify the connection by clicking TEST CONNECTION.

  5. Click SAVE to save the group.

If you do not want to configure the load balancer and add the FIPS nodes individually, follow the steps in Section 3.2.3.

5.0  Backup in FX2200 FIPS Appliance

5.1  Introduction

The backup and restore mechanism in the regular FX2200 appliance is designed to back up the entire cluster data for disaster recovery purposes. This is done by performing a restore on an FX2200 appliance that was part of the cluster before the backup was taken. This procedure is described in detail in the Fortanix DSM Backup and Restore Guide.

The backup and restore mechanism in the FX2200 appliance running the FIPS software version is different from the mechanism in the FX2200 appliance running non-FIPS software.

5.2  Deployment Mechanism

Refer to Section 3.0 for the details of the recommended deployment mechanism for FIPS FX2200 appliances.

The most important data in the FX2200 appliance are the security objects. The deployment mechanism described in this guide provides a way to replicate the master key. Every key generated in the FIPS FX2200 appliance is wrapped and stored in the non-FIPS FX2200 appliances, where it is replicated and backed up as well.

This mechanism takes care of disaster recovery for security objects. What it does not back up is the configuration and setup (users, groups). If an FX2200 FIPS appliance needs to be replaced, set up a new FX2200 FIPS appliance, create the users and groups again, and then import the master key using the mechanism described in this guide. Recovery is then complete, and the wrapped keys stored in the non-FIPS FX2200 appliances can again be used for cryptographic operations in the FIPS FX2200 appliance.