Fortanix Data Security Manager GCP KMS Cloud Native Key Management User Guide

1.0 Introduction

Welcome to the Fortanix Data Security Manager (DSM) Google Cloud Platform (GCP) Cloud Native Key Management Service (CNKMS) User Guide. This article describes how to perform native key lifecycle management in GCP KMS using Fortanix DSM.

The Fortanix solution for GCP Key Management Service (KMS) offers complete CNKMS, as explained in this article, as well as Bring Your Own Key (BYOK), with complete lifecycle management for automation.

2.0 Getting Started with Fortanix Cloud Data Control

To understand which solution between CNKMS, BYOK, or Bring Your Own Encryption (BYOE) is right for you, refer to the Fortanix DSM - Cloud Data Control - Getting Started.

3.0 Fortanix CNKMS Workflows Overview

  • Generate key: Navigate to a CDC group, select "Generate in GCP", select a supported algorithm type and key size, and click Generate to generate the key in the GCP Key Management Service (KMS) key repository.

  • Disable/Enable: Navigate to the detailed view of the key in the GCP CDC group and disable or enable it from Fortanix DSM.

4.0 Fortanix DSM GCP KMS Security Objects

After the GCP CDC group connects to GCP KMS using the provided connection details, the keys from GCP KMS are stored in the Fortanix DSM GCP CDC group as virtual keys. A virtual key is a reference that includes key information and attributes but does not contain the actual key material, which remains securely stored in the key ring of the location and project provided in the GCP KMS.

4.1 Create a Key in GCP KMS Group - Generate Key

Perform the following steps to create a key in the Fortanix DSM user interface (UI):

  1. Navigate to the Security Objects menu item in the DSM left navigation bar and click the + button on the Security Objects page to create a new key.

  2. In the Add New Security Object form, do the following:

    1. Enter a name for the Security Object (Key).

    2. Select the This is an HSM/external KMS object check box to filter the groups to show only GCP KMS groups in the Select group list.

    3. In the GCP KMS group list, select the GCP CDC group into which the keys will be generated. The keys will be generated into the region that was selected in the GCP KMS group.

    4. Select the GENERATE IN GCP radio button to initiate the generate key in the GCP KMS workflow.

    5. Enter the required GCP key name. This name will be stored in the GCP Key Ring and used to correlate different versions of a key. All versions will share the same GCP key name.

    6. In the Choose a type section, select the key type for the new GCP KMS key.

      NOTE

      For Fortanix DSM, the allowed key type for a GCP KMS key generated using the Generate Key workflow in Fortanix DSM is AES 256.

      These key types can further be restricted by setting a cryptographic policy for the account or group. For more details about the crypto policy, refer to User's Guide: Crypto Policy.

      The key types can also be restricted by setting a key metadata policy for the group. For more details about the Key metadata policy, refer to User's Guide: Key Metadata Policy.

    7. Enter the Key size.

    8. Select the permitted key operations under the Key operations permitted section.

    9. Add custom attributes using the ADD ATTRIBUTE button.

      NOTE

      The custom attributes also depend on the Key metadata policy for the group. If the GCP KMS group has a key metadata policy configured with restrictions for custom attributes, then these rules will be applied while creating the security object.

    10. To store audit logs for the object in the group, enable the toggle for Keep detailed log for the object. The initial state of the toggle is based on the parent Crypto policy if any.

  3. Click the GENERATE button to generate the key in GCP KMS.

The new GCP KMS key is created and marked with a special icon to denote that it is of type HSM/External KMS. In the detailed view of the GCP key you will notice the following:

  • The group to which it belongs (in the Group field). A special icon also shows whether or not the group is mapped to a GCP KMS.

  • How the key was created (in the Created by field). If it is a GCP KMS key, this field shows the group that created the key, along with minor details such as whether the group is “Connected” or “Not Connected”.

  • The new GCP KMS key is in an Enabled state by default which means that all the Encrypt and Decrypt operations can be performed on the actual key in the GCP KMS according to the key permissions. Click the toggle for Enabled to disable it. This will disable the GCP KMS key temporarily.

  • The new key will be added to the Security Objects table.

    TIP

    • You can also access the new key from the Group detailed view from the SECURITY OBJECTS tab.

    • You can also add a new key from the Group detailed view from the SECURITY OBJECTS tab, click ADD SECURITY OBJECT button, and follow Steps 2-3 above.

4.2 Sync Keys

Perform the following steps to sync keys from GCP KMS into the GCP CDC group:

  1. Go to the GCP group detailed view.

  2. Click the HSM/KMS tab.

  3. Click the SYNC KEYS button to import the new virtual keys.

Fortanix DSM will then connect to GCP, fetch all available keys, and store them as virtual keys.

NOTE

  • When keys are synced with GCP KMS, the metadata of the existing keys for the configured service account and region are downloaded and represented as virtual keys in Fortanix DSM. The actual key material for those keys is always stored in GCP KMS.

  • Clicking SYNC KEYS only returns the keys from GCP KMS that are not present in Fortanix DSM. That is, every click will append only new keys to Fortanix DSM.

  • The time taken to sync keys from GCP KMS to Fortanix DSM is a function of the number of keys in GCP KMS and the network latency between the GCP location and Fortanix DSM. It can take several minutes if there are hundreds of keys and significant network latency.

4.3 Attributes/Tags Tab

This tab contains all the attributes and tags of the GCP key. A tag serves as an optional metadata label for a GCP resource. You can add new tags using the NEW TAG button and add custom attributes using the ADD CUSTOM ATTRIBUTE button. These custom attributes are user-defined security object attributes that augment the security object's metadata.

4.4 GCP Key Details

This tab displays details of the GCP key name and GCP protection level. For more details about GCP protection level, refer to the Google documentation.

4.5 Security Objects Table View

After you add new GCP keys, navigate to the Security Objects menu item in the DSM left navigation bar to view all the security objects from all the groups (GCP and non-GCP).

In the table, you will notice that every key belongs to a group, and the virtual keys added from GCP belong to a group marked with a special icon. The table shows all keys, whether or not they belong to a GCP CDC group.

5.0 Rotate a Key in GCP CDC Group

The following section elaborates on key rotation in a GCP CDC group. A key rotation occurs when you aim to retire an encryption key and substitute it by generating a new cryptographic key.

NOTE

When performing key rotation in GCP KMS, including normal rotation, linked key rotation, or rotate to DSM key, specifying the Key ring name is no longer required. The rotated key automatically inherits the following details from the previous key version:

  • Key Ring Name

  • GCP Key Name

  • GCP Protection Level

5.1 Rotating GCP Native Key* with Another Native Key

*Native key is one where the key material was generated by GCP KMS.

When you rotate a virtual key in a GCP CDC group, the action will rotate the key inside the GCP KMS by generating another new version of the key within the configured GCP KMS.
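The two behaviours described in the SYNC KEYS note above (only keys not already present are appended, and only metadata is held in DSM) and in this rotation section (a new version is created under the same GCP key name, inheriting key ring and protection level) can be modelled in a few lines. The following is an added example written for this guide; it is not Fortanix or Google code and does not call the GCP API. It relies only on the public GCP KMS resource-name format, and every project, key ring and key name in it is a constructed sample.

```python
"""
Added example (not part of the Fortanix guide, nor Fortanix or Google code).
Models two behaviours the guide describes: SYNC KEYS appending only the GCP
KMS keys that DSM does not already hold as virtual keys, and rotation
creating a new version that inherits key ring, key name and protection
level. Resource names follow GCP KMS's documented format; all project,
ring and key names used here are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# projects/{p}/locations/{l}/keyRings/{r}/cryptoKeys/{k}[/cryptoKeyVersions/{n}]
_NAME_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<key_ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)"
    r"(?:/cryptoKeyVersions/(?P<version>[1-9]\d*))?$"
)


@dataclass(frozen=True)
class KeyRef:
    """Parsed GCP KMS crypto key (or crypto key version) resource name."""
    project: str
    location: str
    key_ring: str
    key: str
    version: Optional[int] = None

    @property
    def crypto_key(self) -> str:
        """Resource name of the crypto key, with any version suffix removed."""
        return (f"projects/{self.project}/locations/{self.location}"
                f"/keyRings/{self.key_ring}/cryptoKeys/{self.key}")


def parse_key_name(name: str) -> KeyRef:
    """Parse a GCP KMS crypto key / version resource name; reject anything else."""
    m = _NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a GCP KMS crypto key resource name: {name!r}")
    v = m.group("version")
    return KeyRef(m["project"], m["location"], m["key_ring"], m["key"],
                  int(v) if v is not None else None)


@dataclass(frozen=True)
class VirtualKey:
    """DSM-side reference: metadata only, never key material (section 4.0)."""
    gcp_name: str          # crypto key resource name in GCP KMS
    protection_level: str  # SOFTWARE | HSM | EXTERNAL | EXTERNAL_VPC
    enabled: bool


def sync_keys(gcp_inventory: Sequence[Tuple[str, str, str]],
              existing: Sequence[str], project: str, location: str) -> List[VirtualKey]:
    """Return only the virtual keys to append (append-only, like SYNC KEYS).

    gcp_inventory: (resource name, protection level, primary version state)
    tuples, as a list-keys call for the configured key ring would return them.
    existing: resource names DSM already holds as virtual keys.
    """
    known = {parse_key_name(n).crypto_key for n in existing}
    new: List[VirtualKey] = []
    for name, level, state in gcp_inventory:
        ref = parse_key_name(name)
        # The CDC group is bound to one project/location; ignore anything else.
        if (ref.project, ref.location) != (project, location):
            continue
        if ref.crypto_key in known:
            continue  # already a virtual key; a re-sync never duplicates it
        new.append(VirtualKey(ref.crypto_key, level, state == "ENABLED"))
        known.add(ref.crypto_key)
    return new


def plan_rotation(current_version: str, protection_level: str) -> dict:
    """Describe the version a rotation creates under the same crypto key.

    GCP numbers versions of one crypto key with increasing integers, so the
    new version keeps the key ring, GCP key name and protection level of the
    version it replaces; only the version number changes.
    """
    ref = parse_key_name(current_version)
    if ref.version is None:
        raise ValueError("rotation needs a .../cryptoKeyVersions/N name")
    return {
        "name": f"{ref.crypto_key}/cryptoKeyVersions/{ref.version + 1}",
        "key_ring": ref.key_ring,
        "gcp_key_name": ref.key,
        "protection_level": protection_level,
    }


if __name__ == "__main__":
    # Constructed sample inventory: two keys in the group's ring, one elsewhere.
    PROJECT, LOCATION = "example-project", "us-east1"
    ring = f"projects/{PROJECT}/locations/{LOCATION}/keyRings/dsm-ring/cryptoKeys/"
    inventory = [
        (ring + "payments-aes", "HSM", "ENABLED"),
        (ring + "archive-aes", "SOFTWARE", "DISABLED"),
        ("projects/other/locations/us-east1/keyRings/x/cryptoKeys/y", "HSM", "ENABLED"),
    ]
    print(sync_keys(inventory, [ring + "payments-aes"], PROJECT, LOCATION))
    print(plan_rotation(ring + "payments-aes/cryptoKeyVersions/3", "HSM"))
```

Running the module prints one appended virtual key (archive-aes, disabled, no key material) and a rotation plan for version 4 of payments-aes that carries the same key ring, key name and protection level. A second `sync_keys` call with the returned key added to `existing` yields an empty list, which is the append-only behaviour the note describes.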

Perform the following steps to rotate a key in GCP:

  1. Navigate to the Security Objects menu item in the DSM left navigation bar to go to the detailed view of a GCP virtual key and click the ROTATE KEY button.

  2. In the KEY ROTATION window, the Generate new key radio button is selected by default.

  3. Click the ROTATE KEY button to rotate a virtual key.

  4. On the next screen, select both the check boxes to confirm your understanding about the action. Click the PROCEED button.

A new rotated key is now generated.

5.2 Rotating GCP Native Key to Fortanix DSM Owned Keys

When a GCP virtual key whose key material is owned by GCP KMS is rotated, the user is given the option to rotate the virtual key with a Fortanix DSM-backed key. When the user selects this option and performs the rotation, a new virtual key is created together with a corresponding key in GCP KMS whose key material is that of the Fortanix DSM-backed key. As a result, the GCP virtual key is backed by a Fortanix DSM source key.

Perform the following steps to rotate a virtual key with a Fortanix DSM-backed key:

  1. Navigate to the Security Objects menu item in the DSM left navigation bar to go to the detailed view of a GCP virtual key and click the ROTATE KEY button.

  2. In the Key Rotation window, the Generate new key radio button is selected by default.

  3. Select the Rotate to DSM key check box.

  4. Select the Fortanix DSM group that contains the source key and then select the required source key from the respective drop-down menu.

  5. Click the ROTATE KEY button.

  6. On the next screen, select both the check boxes to confirm your understanding about the action. Click the PROCEED button.

The virtual key has been rotated and is now backed by the source key. To confirm, go to the detailed view of the newly rotated GCP virtual key and click the GCP KEY DETAILS tab. You will notice that the SOURCE field now shows FortanixHSM instead of External.

6.0 GCP Key Ring Group Setup and BYOK

For details on how to set up a GCP Key Ring group in Fortanix DSM, refer to the Fortanix DSM - GCP Key Ring Setup.

For details on how to perform BYOK key lifecycle management in GCP Key Ring using Fortanix DSM, refer to the Fortanix DSM - GCP Key Ring Bring Your Own Key.