1.0 Introduction
This article describes how to integrate Fortanix-Data-Security-Manager (DSM) with Google Cloud Platform (GCP) services using a Virtual Private Cloud (VPC) network. It also contains the information that a User needs to:
Enable the Cloud Key Management Service (KMS) API in your GCP project
Obtain GCP service account email address
Configure a GCP External Key Manager (EKM) connection
Import/Create the Google Advanced Encryption Standard (AES) Key in Fortanix DSM
Create a manually managed Cloud EKM connection using VPC
Complete the GCP key setup
Fortanix DSM supports the following customer-managed encryption keys (CMEK) integration services on the Google cloud:
Cloud Logging: Log Router
Google Kubernetes Engine: Data on VM disks or Application-layer Secrets
Refer to the Cloud EKM documentation for the complete list.
1.1 Why Use Fortanix Data Security Manager With Google Cloud EKM Using VPC
Google Cloud’s External Key Manager allows services running in the Google Cloud Platform (GCP), namely Big Query and Google Compute Engine (GCE) to use an encryption key managed in an external key management service and controlled entirely by the customer. A Cloud Deployment Architect for GCP can access an EKM through a Virtual Private Cloud (VPC) network to satisfy their data sovereignty requirements.
Fortanix DSM protects all your data on-premises as well as in the cloud. It provides end-to-end security for keys and data (at-rest, in-transit, and in-use) protected with layers of defense including Fortanix Runtime Encryption®, Intel® SGX, and FIPS-validated hardware; Only authorized users can access keys.
2.0 Terminology References
Fortanix Data Security Manager (DSM)
Fortanix DSM is the cloud solution secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as secrets, such as passwords, API keys, tokens, or any blob of data.
GCP - Google Cloud Platform
Google Cloud Platform is a suite of public cloud computing services offered by Google. The platform includes a range of hosted services for compute, storage, and application development that run on Google hardware. Google Cloud Platform services can be accessed by software developers, cloud administrators, and other enterprises IT professionals over the public internet or through a dedicated network connection.
Google KMS - Google Key Management Service
Google Cloud Key Management Service (KMS) is a cloud service for managing encryption keys for other Google cloud services that enterprises can use to implement cryptographic functions. For more information, refer to Google Cloud Key Management Service.
VPC – Virtual Private Cloud
A Virtual Private Cloud (VPC) network is a virtual version of a physical network that is implemented inside of Google's production network. For more information on what a VPC network does, refer to the Google documentation here.
AES - Advanced Encryption Standard
Google uses the Advanced Encryption Standard (AES) algorithm to encrypt data at rest. AES is widely used because:
Both AES256 and AES128 are recommended by the National Institute of Standards and Technology (NIST) for long-term storage use (as of November 2015).
AES is often included as part of customer compliance requirements. For more information, refer to Advanced Encryption Standard.
SGX - Software Guard Extensions
Intel’s Software Guard Extensions (SGX) is a set of extensions to the Intel architecture that aims to provide integrity and confidentiality guarantees to security-sensitive computation performed on a computer where all the privileged software (kernel, hypervisor, and so on) is potentially malicious.
FIPS - Federal Information Processing Standards
FIPS is a set of standards that describe document processing, encryption algorithms, and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies.
3.0 Prerequisites
Fortanix Data Security Manager
GCP Services
Google Cloud Project
AES key
The GCP Project Owner must enable the Cloud Key Management Service (KMS) API in your GCP Project. Refer to the Google documentation for steps to enable the Cloud KMS API in your GCP project.
The user trying to add the EKM Key in the GCP keyring must have a Cloud KMS Admin role.
The GCP Project Owner must enable BigQuery API access in your GCP Project.
The user using BigQuery must have permission to use BigQuery and permission to access the EKM key that Fortanix creates.
NOTE
The AES key can either be imported or created in Fortanix DSM, or automatically created using the Google EKM easy wizard integration in Fortanix DSM
4.0 Fortanix DSM with GCP Service Using VPC
4.1 Overview
With Google Cloud Platform (GCP) External Key Manager, administrators use Fortanix DSM to store cryptographic keys for the purpose of encrypting/decrypting GCP workloads including BigQuery and Google Compute Engine (GCE). An Administrator for GCP can deploy a VPC network to reverse proxy the EKM requests and can access an EKM through this Virtual Private Cloud (VPC) network to satisfy their data sovereignty requirements
4.2 Enable KMS API in Your GCP Project
See Google documentation for steps on how to enable Google External Key Manager API in your GCP project.
4.3 Obtain Your Google Service Account Email Address
Fortanix DSM requires the identity of the GCP service account in your Google cloud project. This service account is automatically created by GCP once the KMS API is enabled. This service account exists by default and has the appropriate permissions, which cannot be modified. This service account will also not be viewable from your IAM; it is a backend service account controlled by GCP. This is in the format of the following email address, using your own project-number, where specified:
service-[PROJECT-NUMBER]@gcp-sa-ekms.iam.gserviceaccount.com
In the example above, PROJECT-NUMBER is the project number of your Google Cloud Platform project.
You can look up your project number using the following instructions:
Creating and managing projects | Resource Manager Documentation | Google Cloud
4.4 Configure GCP External Key Manager Connection
Set up Cloud External Key Manager (Cloud EKM) to connect to your external key management (EKM) provider over a Virtual Private Cloud (VPC) network. See Google documentation for steps to Create an EKM Connection.
4.5 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
4.5.1 Signing Up
To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
4.5.2 Creating an Account
Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.
Figure 1: Logging In
4.5.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
Click the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to add a new group.
Figure 2: Add Groups
On the Adding new group page, enter the following details:
Title: Enter a title for your group.
Description (optional): Enter a short description for the group.
Click the SAVE button to create the new group.
The new group has been added to the Fortanix DSM successfully.
4.5.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
Click the Apps menu item in the DSM left navigation bar and click the + button on the Apps page to add a new app.
Figure 3: Add Application
On the Adding new app page, enter the following details:
App name: Enter the name of the service account email you acquired before.
NOTE
The app name must match the email address of an existing Google Service Account.
ADD DESCRIPTION (optional): Enter a short description for the application.
Authentication method: Select the default Google Service Account as the method of authentication from the drop down menu. For more information on these authentication methods, refer to User's Guide: Authentication documentation.
Assigning the new app to groups: Select the group created in Section 4.5.3: Creating a Group from the list.
Click the SAVE button to add the new application.
The user can allow access to wrap/unwrap keys for the following types of key access justifications options:
NOTE
Selecting the allowed key justification reasons below defines an access policy for the app.
Accept All: Select Accept All to allow access for all the justification reasons provided below. You can also customize your selection and select specific justification criteria for access.
Customer-initiated support – Support initiated from the customer, for example, Case Number: ####.
Customer-initiated access – Customer or a third-party authorized by customer's IAM policy perform any access to the customer's data.
Google-initiated service – Google-initiated access, for example, to perform system management and troubleshooting which includes:
Backup and recovery from outages and system failures
Investigation to confirm that the customer is not affected by suspected service issues
Remediation of technical issues, such as storage failure or data corruption
Google-initiated review – Google-initiated access for security, fraud, abuse, or compliance purposes including:
Ensuring the safety and security of customer accounts and content
Confirming whether the content is affected by an event that may impact account security (for example, malware infections)
Confirming whether the customer is using Google services in compliance with Google Terms of Service
Investigating complaints by other users and customers, or other signals of abusive activity
Checking that Google services are being used consistently with relevant compliance regimes (for example, anti-money laundering regulations)
Google-initiated system operation – Google-initiated access for security, fraud, abuse, or compliance purposes.
Third-party data request – Customer-initiated access by Google to respond to a legal request or legal process, including when responding to legal process from the customer that requires Google to access the customer's own content. Note that Access Transparency logs, in this case, may not be available if Google cannot legally inform the customer of such a request or process.
Unspecified reason – Indicates the actor accessing the data provided no access reason for the request. This may have been due to a transient error, a bug, or some other unexpected circumstance.
No justification reason expected – Indicates no reason is expected for this key request as the service in question has never integrated with Key Access Justification or is still in the pre-GA state and therefore may still have residual methods that call the External Key Manager but does not provide a justification.
Modified customer-initiated access – A customer uses their account to perform any access which is authorized by their own IAM policy; however, a Google administrator has reset the superuser account associated with the user’s organization within the last 7 days.
Modified Google-initiated system operation – Google initiated access of customer data to perform indexing, structuring, precomputation, hashing, sharding and caching to optimize the structure and quality of data for future uses by the customer.
Google responses to production alert – indicates Google-initiated access to main system reliability.
Allow missing justification: Select this option to allow access even if a justification reason is not provided.
The new application has been added to the Fortanix DSM successfully.
4.5.5 Creating a Security Object
Perform the following steps to generate or import an AES key in the Fortanix DSM:
Generating the Security Object:
Click the Security Objects menu item in the DSM left navigation bar and click the + button on the Security Objects to generate a security object.
.png?sv=2022-11-02&spr=https&st=2025-04-13T04%3A32%3A23Z&se=2025-04-13T04%3A56%3A23Z&sr=c&sp=r&sig=9Gt5i%2BA1YxUvAxLjpuUVBH5%2BurEL3hc1ifXULeXSnP4%3D)
Figure 4: Generate Security Object
On the Add New Security Object page, enter the following details:
Security Object name: Enter the name of your security object.
Group: Select the group as created in Section 4.5.3: Creating a Group.
Select the GENERATE radio button.
Choose a type: Select the AES key type.
Key Size: Indicates the size of the key in bits.
Key operations permitted: Select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying.
NOTE
Ensure that the Encrypt and Decrypt permissions are selected.
Click the GENERATE button to create the new security object.
The new security object is created in the Fortanix DSM successfully.
Importing the Security Object:
Click the Security Objects menu item in the DSM left navigation bar and click the + button on the Security Objects to import a security object.
(3).png?sv=2022-11-02&spr=https&st=2025-04-13T04%3A32%3A23Z&se=2025-04-13T04%3A56%3A23Z&sr=c&sp=r&sig=9Gt5i%2BA1YxUvAxLjpuUVBH5%2BurEL3hc1ifXULeXSnP4%3D)
Figure 5: Import Security Object
On the Add New Security Object page, enter the following details:
Security Object name: Enter the name of your security object.
Group: Select the group as created in Section 4.5.3: Creating a Group.
Select the IMPORT radio button.
Choose a type: Select the AES key type.
Key Size: Indicates the size of the key in bits.
In the Place value here or import from file section, select the value format type as Hex, Base64, or Raw and click the UPLOAD A FILE button to upload the key file.
Key operations permitted: Select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying.
NOTE
Ensure that the Encrypt and Decrypt permissions are selected.
Add the required attributes if required using ADD ATTRIBUTES.
Enter the key Deactivation Date and key Activation Date.
Click the IMPORT button to create the new security object.
The new security object is added to the Fortanix DSM successfully.
4.6 Enable GCP Service to Access AES Key in Fortanix DSM Using VPC
GCP services need a URL to access a key stored in Fortanix DSM through the VPC network. This is known as the external_key_uri .
The following is the format of the Google EKM URI using a VPC network.
/v0/key/path/<key_id>Where
<key_id>is the UUID of the AES key.
To obtain the
external_key_uriof the AES key using a VPC network from the DSM Security Objects table:From the Fortanix DSM Security Objects table, click the AES key created earlier.
In the detailed view of the AES key, click COPY KEY PATH FOR EKM VPC in the COPY ID drop down menu.
Figure 6: Get the Google EKM VPC URI
Use the above resource URL to create a manually managed cloud EKM using the VPC key created above.
4.7 Create a Manually Managed Cloud EKM Using VPC Key
Refer to Google documentation for steps to create a manually managed cloud EKM using the VPC key.
In Step 9 from the link above, for the Key Path field, enter the key path for EKM VPC copied in the Section 4.6: Enable GCP Service to Access AES Key in Fortanix DSM Using VPC.
5.0 Edit Authentication Method for an Existing App
To change the authentication method for an existing app to Google Service Account from the detailed view of an app.
In the detailed view of an app, click the INFO tab and in the API Key section click the Change authentication method drop-down menu.
Figure 7: Change Authentication Method
Select Google Service Account and click SAVE to save the setting.
Figure 8: Select Authentication Method
In the Configure authentication method window, select the key justification reasons, and click UPDATE. Refer to Section 4.5.4: Creating an Application to learn about the justification policies.
NOTE
The app name must match the email address of an existing Google Service Account.
Figure 9: Select Key Justification Reason
The application is updated with the new authentication method.
Figure 10: Authentication Method Updated
6.0 Edit Key Access Justification Reason for an Existing App
You also have the option to edit the key justification reason for an existing app.
In the detailed view of an app, click the INFO tab and in the Google Service Account section, click the SHOW INSTRUCTIONS button.
Figure 11: Edit Existing Key Justification Reason
In the Google Service Account window, click the EDIT button.
Figure 12: Edit Key Justification Reason
Edit the allowed justification reason and click SAVE AND CLOSE to save the new updates.
7.0 Add Key Access Justification Policy for an Existing Key (Optional)
You can also change the authentication method for an existing key from the Security Objects page.
NOTE
Fortanix DSM first checks the provided access reason against the app level policy.
If the provided access reason passes at the app level, then Fortanix DSM checks it against the key level policy.
If the provided access reason passes at both the app level and key level, Fortanix DSM executes the operation.
If the provided access reason passes at the app level but fails at the key level, Fortanix DSM throws an error: “Request violates security object's access reason policy.”
On the Security Objects page, select the key for which you want to change the key justification policy.
Figure 13: Select the Key
In the detailed view of the key, click the KEY ACCESS JUSTIFICATION tab, and then click ADD POLICY to add a new key access justification policy.
Figure 14: Change Key Authentication Method
By default, the Accept All option is selected. Click Save to apply all the defined access justification policies to the key.
Figure 15: Change Key Authentication Method (Default Settings)
To change the applicable policies, clear the Accept All option, select the access justification policies that you want to apply to the key, and then click Save. Refer to Section 4.5.4: Creating an Application to learn about the justification policies.
Figure 16: Update Key Policies
The key is updated with the new justification policy.
8.0 Edit Key Level Justification Policy for an Existing Key
You can also edit and change the authentication method for an existing key from the detailed view of a security object. After you have applied the policies to a key, you will see the EDIT POLICY button.
On the Security Objects page, select the key for which you want to edit the key access justification reason. In the detailed view of the key, the KEY ACCESS JUSTIFICATION tab, and then click EDIT POLICY.
Figure 17: Edit Key Authentication Method
Clear the default policies you want to remove, select the policies you want to add, and then click SAVE.
Figure 18: Update Key Policies
The key is updated with the new access justification policy.
9.0 References
Google Cloud Key Management Service
GCP Key Manager Service API
Fortanix DSM Getting started
User's Guide: Getting Started with Fortanix Data Security Manager - UI
Advanced Encryption Standard
Enable Billing in GCP