Fortanix DSM - AWS KMS BYOK (Bring Your Own Key)

1.0 Introduction

Welcome to the Fortanix Data Security Manager (DSM) Amazon Web Services (AWS) Bring Your Own Key (BYOK) User Guide. This article describes how to perform BYOK lifecycle management in AWS Key Management Service (KMS) using Fortanix DSM.

The Fortanix solution for AWS offers complete BYOK, as explained in this article, as well as Cloud Native Key Management Service (CNKMS) and Bring your own KMS (BYOKMS), with complete lifecycle management for automation.

2.0 Getting Started with Fortanix Cloud Data Control

To understand which solution between CNKMS, BYOK, Bring Your Own KMS (AWS XKS), or Bring Your Own Encryption (BYOE) is right for you, refer to the Fortanix DSM - Cloud Data Control - Getting Started.

3.0 AWS KMS Group Setup and Cloud Native Key Management

For details on how to set up an AWS-backed group in Fortanix DSM, refer to the Fortanix DSM - AWS Key Management Service CDC Group Setup.

For details on how to perform native key lifecycle management in AWS KMS using Fortanix DSM, refer to the Fortanix DSM - AWS KMS Cloud Native Key Management.

4.0 Fortanix AWS BYOK Workflows Overview

  • Generate key: Navigate to a source key in Fortanix DSM and copy the key into an AWS CDC group to create a linked key and a BYOK key in AWS KMS.

  • Rotate source key: Rotate the source key that was originally generated in Fortanix DSM and select "Rotate linked/copied keys" so that the linked keys in AWS KMS are rotated together with it.

  • Disable/Enable: Navigate to the detailed view of the key in the AWS CDC group and disable or enable it from Fortanix DSM.

  • Schedule key deletion: AWS KMS does not delete a key immediately; you must explicitly schedule it for deletion and wait out a mandatory waiting period of 7 to 30 days. Navigate to the detailed view of the key in the AWS CDC group, and in the AWS KEY DETAILS tab, schedule the key for deletion.

  • Delete Key Material: Available only for BYOK keys, that is, keys whose key material was imported. Deleting the key material takes effect immediately, without the waiting period that Schedule key deletion imposes, while the key ARN and aliases stay in place. If you later reimport the key material, no application or service configuration needs to change.

5.0 Fortanix DSM AWS KMS Security Objects

After the AWS CDC group connects to AWS KMS using the provided connection details, the keys from AWS KMS are stored in the Fortanix DSM AWS CDC group as virtual keys. A virtual key is a reference that includes key information and attributes but does not contain the actual key material, which remains securely stored in AWS KMS.

For steps to create an AWS CDC group, refer to AWS CDC Group Setup Guide.

WARNING

If you experience rate-limiting issues when performing BYOK bulk operations concurrently, you should request a quota limit increase from AWS, specifically for the GetParametersForImport API.

5.1 Bring Your Own Key - Copy Key to AWS to Create a Linked Key

Use this option when you want to create a key in Fortanix DSM and then import it into the configured AWS KMS. The Copy Key to AWS feature allows you to transfer a security object from one regular Fortanix DSM group to another, including to an AWS CDC Fortanix DSM group.

This feature has the following advantages:

  • Maintains a single source of key material while copying that key into the various Fortanix DSM groups whose applications need to share one key to meet business objectives.

  • Maintains a link from every copy of the key material back to the source key, so the copies can be named and rotated everywhere at once, and audited and tracked as one key. Rotating the source key also updates the AWS alias.

  • Linked keys are easier to manage than AWS native multi-Region and multi-account keys: Fortanix DSM handles the AWS alias updates, shows the keys as they appear in AWS KMS, and can still disable, enable, and delete the keys and their key material from there.

  • BYOK keys further improve your security posture by letting you delete the key material of a key in AWS KMS instantly and remotely. For keys whose material AWS generated, AWS allows only scheduled deletion with a waiting period of 7 to 30 days, to protect against accidental deletion. For BYOK keys, AWS relies on you holding another copy of the key material and lets you delete the imported material immediately, a measure that native KMS keys do not offer.

  • Zero Trust Quorum: key functions such as disabling keys or scheduling their deletion can be performed from Fortanix DSM and protected by a quorum approval policy. Most customers limit their AWS IAM permissions so that only Fortanix DSM and perhaps one "break glass" account can create keys, disable/enable them, schedule deletion, and delete key material.
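The IAM restriction recommended above is easy to state and easy to get wrong, because the console's default key policy delegates kms:* to the account root, which lets any IAM policy in the account grant lifecycle actions. The following added example (not Fortanix DSM or AWS code) lints a KMS key policy document for lifecycle actions granted beyond the Fortanix DSM role and one break-glass role. The account ID and role ARNs are placeholders, and the sample policy is constructed for the demonstration.

```python
"""Added example, not Fortanix DSM or AWS code: lint an AWS KMS key policy for
the "only Fortanix DSM plus one break-glass account" setup. All ARNs below are
placeholders and the sample policy is constructed."""
import fnmatch
import json

# Key-policy actions that change a key's lifecycle, its material or its aliases.
LIFECYCLE_ACTIONS = (
    "kms:EnableKey", "kms:DisableKey",
    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
    "kms:GetParametersForImport", "kms:ImportKeyMaterial",
    "kms:DeleteImportedKeyMaterial",
    "kms:CreateAlias", "kms:UpdateAlias", "kms:DeleteAlias",
    "kms:PutKeyPolicy",
)

FORTANIX_ROLE = "arn:aws:iam::123456789012:role/fortanix-dsm"       # placeholder
BREAK_GLASS_ROLE = "arn:aws:iam::123456789012:role/kms-break-glass"  # placeholder
APP_ROLE = "arn:aws:iam::123456789012:role/payments-app"             # placeholder


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal element to a set of strings ('*' means anyone)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return {"*"}
    found = set()
    for values in principal.values():  # {"AWS": [...]}, {"Service": "..."}, ...
        found.update(_as_list(values))
    return found


def lifecycle_grants(policy):
    """Map each lifecycle action to the principals that Allow statements grant it to.
    Wildcard actions such as kms:* or kms:Delete* are expanded. A Condition on a
    statement is deliberately ignored so conditional grants still surface for review."""
    grants = {action: set() for action in LIFECYCLE_ACTIONS}
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        for pattern in _as_list(statement.get("Action", [])):
            for action in LIFECYCLE_ACTIONS:
                # IAM action names are case-insensitive.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    grants[action] |= _principals(statement)
    return grants


def check_policy(policy, allowed_principals):
    """Return one finding per lifecycle action granted beyond the allowed set."""
    allowed = set(allowed_principals)
    findings = []
    for action, principals in lifecycle_grants(policy).items():
        extra = principals - allowed
        if extra:
            findings.append(f"{action} granted to {sorted(extra)}")
    return sorted(findings)


def sample_policy(with_root_statement):
    """Constructed key policy. The optional first statement is the console default
    that hands kms:* to the account root; with it in place, control over the key
    moves from the key policy to every IAM policy in the account."""
    statements = []
    if with_root_statement:
        statements.append({
            "Sid": "Enable IAM User Permissions", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": "kms:*", "Resource": "*",
        })
    statements += [
        {"Sid": "FortanixLifecycle", "Effect": "Allow",
         "Principal": {"AWS": [FORTANIX_ROLE, BREAK_GLASS_ROLE]},
         "Action": list(LIFECYCLE_ACTIONS) + ["kms:DescribeKey", "kms:GetKeyRotationStatus"],
         "Resource": "*"},
        {"Sid": "AppUse", "Effect": "Allow",
         "Principal": {"AWS": APP_ROLE},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    allowed = [FORTANIX_ROLE, BREAK_GLASS_ROLE]
    print(json.dumps(check_policy(sample_policy(True), allowed), indent=2))
    print(check_policy(sample_policy(False), allowed))
```

Feed the function the output of `aws kms get-key-policy --policy-name default` (parsed from its JSON string) to lint a real key. Keep at least one principal with kms:PutKeyPolicy in the key policy itself (the break-glass role above); a key policy that nobody can change makes the key unmanageable, and AWS KMS only refuses such a policy if the lockout safety check is not bypassed.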

The following action happens during copy key operation:

  • A new key will be created in the target group: The new key will have the same key material as the original.

  • The source key links to the copied keys: There will be a link maintained from all copied keys to the source key.

  • The source key will also have basic metadata-based information about the linked keys such as:

    • Copied by <user-name/app id>

    • Date of Copy <time stamp>

    • Target copy group name

NOTE

The name of the copied key is suggested automatically as [original key name]_[copy1,2,...], but you can replace it with an alternative unique name, if required.

Perform the following steps to copy a key from a regular Fortanix DSM group to an AWS CDC group:

  1. Generate an AES, RSA, or EC key in Fortanix DSM, if the key is not already present. To create the key, refer to the Generate Security Objects.

    WARNING!

    The “Export” permission must be enabled when creating this key for the 'Copy Key' operation to work.

  2. Go to the detailed view of the key and click the COPY KEY button available on the top right of the screen.

    NOTE

    • The allowed key types for an AWS key generated using the copy key workflow are:

      • AES 256

      • RSA key pairs: 2048, 3072, or 4096 with public exponent 3 or 65537

      • EC curve key pairs: NistP256, NistP384, NistP521, or ECC_SECG_P256K1

    • The COPY KEY button will be disabled for all the AWS KMS Virtual-Keys.

  3. In the COPY KEY window, do the following:

    1. Hover over the name of the key and use the edit icon to update the name of the key, if required.

    2. Click the Import key to HSM/External KMS check box to filter the groups to show only HSM/AWS CDC/Azure HSM groups. Select the AWS CDC group for the new key into which the copied key should be imported.

    3. In the AWS Aliases section, click the ADD ALIAS button to add an alias(es).

    4. Update the Key operations permitted if you want to modify the permissions of the key.

    5. Enable the toggle button for Multi-region primary key to create an AWS multi-region primary key. For more details, refer to Section 5.4: Multi-Region Keys.

    6. In the Deactivation Date section, you can modify the value of the deactivate date if one was set for the source key, or leave it as default. This date can be modified within this window, but once the key is copied, the setting becomes permanent and cannot be changed.

  4. Click the CREATE COPY button to create a copy of the key.

The source key will now appear as a key link in the KEY LINKS tab in the detailed view of the copied key.

NOTE

  • If you want to maintain a copy of the key material in Fortanix DSM, then you can import a regular AES 256, RSA, or EC key into Fortanix DSM using the “import key” workflow and then copy this key into AWS using the “copy key” workflow.

  • If you encounter the error as "You have exceeded the rate at which you may call KMS. Reduce the frequency of your calls," during an AWS BYOK operation, then update your AWS quota. For more information, refer to AWS Request Quotas.

  • The audit logs for a copied key in the AWS-backed group will display detailed entries, including the wrapping key type, key size, and wrapping mechanism, provided that audit logging is enabled for the source key.

5.2 Bring Your Own Key - Import Key

This action imports key material from a file into AWS KMS in the region configured for the AWS CDC group, creating a virtual key in that group. The virtual key points to the actual key in AWS KMS but stores only key information and attributes, not the key material; the import action does not keep a copy of the key material in Fortanix DSM.

Perform the following steps to import a key in Fortanix DSM:

  1. Navigate to the Security Objects menu item in the DSM left navigation page and click the + button on the Security Objects page to create a new key.

  2. In the Add New Security Object form, do the following:

    1. Enter a name for the Security Object (Key).

    2. Select the This is an HSM/external KMS object check box to filter the Select group list so that it shows only AWS KMS groups.

    3. In the AWS group list, select the AWS CDC group into which the keys will be imported. The keys will be imported into the region that was selected in the AWS CDC group.

    4. Select the IMPORT radio button to import the key into AWS KMS.

    5. In the AWS Aliases section, click the ADD ALIAS button to add an alias(es).

    6. In the Choose a type section, select the key type for the new AWS KMS key.

      NOTE

      The allowed key types for an AWS key imported using the Import Key workflow are:

      • AES 256

      • RSA key pairs: 2048, 3072, or 4096 with public exponent 3 or 65537

      • EC curve key pairs: NistP256, NistP384, NistP521, or ECC_SECG_P256K1

      Key material of type AES, RSA, or EC that is imported from a file may already have been wrapped (encrypted) with a key held in Fortanix DSM, so that the key material never travels in plaintext, even inside the TLS session. In that case, select The key has been encrypted check box.

    7. In the Select Key Encryption Key section, enter or select the Key ID or security object name of the key that will unwrap (decrypt) the encrypted key in the file. This key must already exist in Fortanix DSM, either created there or imported earlier.

    8. In the Place value here or import from file section, select the value format type as Hex, Base64, or Raw and click the UPLOAD A FILE button to upload the key file.

    9. Select the permitted key operations under Key operations permitted section.

    10. In the AWS KMS auto-rotation section, select the check box to automatically rotate the key by specifying the required rotation interval in the input field. By default, the key rotation is set to occur every 90 days, but this can be modified as needed, with a minimum interval of 90 days and a maximum of 2560 days. For more information about this feature, refer to Section 5.3: AWS KMS Auto-Rotation.

    11. Add key tags if required using the ADD TAG button. For more details, refer to Section 5.6: Attributes/Tags Tab.

    12. Enable the toggle button for Multi-region primary key to create an AWS multi-region primary key. For more details, refer to Section 5.4: Multi-Region Keys.

  3. Click the IMPORT button to import the key.

The key is now imported into AWS KMS and appears as a virtual key in the AWS CDC group.
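Both the Copy Key workflow (Section 5.1) and the Import Key workflow above rely on the same protection for the key material in transit: an optional wrap under a DSM-held KEK on the way into DSM, and a mandatory wrap under the RSA public key that AWS KMS returns from GetParametersForImport on the way into KMS. The following added example (not Fortanix DSM or AWS code) models those steps end to end. The DSM KEK and the KMS wrapping key pair are both generated locally as stand-ins, the AWS API calls themselves are not made, and the `cryptography` package is assumed to be installed.

```python
"""Added example, not Fortanix DSM or AWS code: the wrapping that protects key
material on its way into AWS KMS during a BYOK import, modelled end to end.
The DSM-held KEK and the RSA wrapping key that AWS KMS would return from
GetParametersForImport are both generated locally as stand-ins.
Requires the `cryptography` package."""
import os

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.keywrap import aes_key_unwrap, aes_key_wrap

# RSAES_OAEP_SHA_256 is one of the wrapping algorithms AWS KMS accepts for
# ImportKeyMaterial; with a 2048-bit wrapping key it can carry a 32-byte AES key.
# Larger material (RSA or EC private keys) needs RSA_AES_KEY_WRAP_SHA_256, not shown.
_OAEP_SHA256 = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)


def wrap_for_upload(key_material: bytes, kek: bytes) -> bytes:
    """Step 1, on the client: wrap the raw key with a KEK already held in DSM
    (AES Key Wrap, RFC 3394) so the file uploaded in the Import Key form never
    carries the key in plaintext, even inside the TLS session."""
    if len(key_material) != 32:
        raise ValueError("AWS SYMMETRIC_DEFAULT keys need exactly 256 bits of material")
    return aes_key_wrap(kek, key_material)


def unwrap_in_dsm(wrapped: bytes, kek: bytes) -> bytes:
    """Step 2, inside DSM: the Key Encryption Key selected in the form unwraps
    the uploaded blob. Raises InvalidUnwrap if the blob was tampered with."""
    return aes_key_unwrap(kek, wrapped)


def wrap_for_kms_import(key_material: bytes, wrapping_spki_der: bytes) -> bytes:
    """Step 3: wrap the plaintext key with the public key from
    GetParametersForImport (an RSA SubjectPublicKeyInfo blob). The result is the
    EncryptedKeyMaterial that ImportKeyMaterial expects."""
    public_key = serialization.load_der_public_key(wrapping_spki_der)
    return public_key.encrypt(key_material, _OAEP_SHA256)


def simulate_kms_unwrap(encrypted_key_material: bytes, wrapping_private_key) -> bytes:
    """Stand-in for the unwrap that happens inside the AWS KMS HSM. The real
    wrapping private key never leaves KMS; this exists only so the round trip
    can be checked locally."""
    return wrapping_private_key.decrypt(encrypted_key_material, _OAEP_SHA256)


def byok_import_roundtrip(key_material: bytes, kek: bytes) -> dict:
    """Run all three wrapping steps and return the intermediate blobs."""
    # Stand-in for the wrapping key pair AWS KMS generates per import request.
    wrapping_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    spki = wrapping_key.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    )
    uploaded = wrap_for_upload(key_material, kek)
    plaintext_in_dsm = unwrap_in_dsm(uploaded, kek)
    kms_blob = wrap_for_kms_import(plaintext_in_dsm, spki)
    landed_in_kms = simulate_kms_unwrap(kms_blob, wrapping_key)
    return {"uploaded": uploaded, "kms_blob": kms_blob, "imported": landed_in_kms}


if __name__ == "__main__":
    demo_key = os.urandom(32)  # constructed sample key material
    demo_kek = os.urandom(32)  # constructed stand-in for the DSM KEK
    result = byok_import_roundtrip(demo_key, demo_kek)
    print("round trip ok:", result["imported"] == demo_key)
```

The import token returned alongside the public key is opaque and time-limited; it and the wrapping public key must be obtained fresh for each import, which is why bulk BYOK operations hit the GetParametersForImport quota mentioned in the warning above.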

5.3 AWS KMS Auto-Rotation

AWS KMS allows you to configure an automatic key rotation policy for keys generated in the AWS KMS keystore; the rotation is then fully managed by AWS KMS and the key material remains exclusively within AWS KMS. This policy is independent of the Fortanix DSM key rotation policy.

You can enable the AWS KMS auto-rotation feature while importing or generating a key in AWS KMS. You can also configure this policy from the key details page in Fortanix DSM. By default, the key rotation is set to occur every 90 days, but this can be modified as needed, with a minimum interval of 90 days and a maximum of 2560 days. Note that AWS KMS itself accepts automatic rotation only for symmetric encryption keys whose key material AWS KMS generated and that are not in a custom key store; check the key's origin in the AWS KEY DETAILS tab before relying on this setting for a BYOK key, and rotate keys with imported key material from their Fortanix DSM source key instead (Section 6.1).

NOTE

Enabling the AWS KMS auto-rotation policy automatically disables the DSM Key rotation policy. At any given time, only one policy can be active, and the key will follow that rotation policy.

To use the Fortanix DSM key rotation policy instead, remove the AWS KMS auto-rotation policy by clicking the EDIT button and clearing the rotation check box.
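Which of the two rotation policies a given key can use follows from its metadata. The following added example (not Fortanix DSM or AWS code) evaluates the rule against the KeyMetadata object that `aws kms describe-key` returns; the three sample responses are constructed, with placeholder account and key IDs.

```python
"""Added example, not Fortanix DSM or AWS code: decide which rotation policy a
key can actually use from the KeyMetadata that `aws kms describe-key` returns.
The sample responses below are constructed; IDs are placeholders."""

# Key states in which neither rotation path can proceed.
_BLOCKED_STATES = ("PendingImport", "PendingDeletion", "PendingReplicaDeletion", "Unavailable")


def rotation_options(key_metadata: dict) -> dict:
    """Return which rotation mechanisms apply to one KMS key and why."""
    origin = key_metadata.get("Origin")
    state = key_metadata.get("KeyState")
    # Older DescribeKey output uses CustomerMasterKeySpec instead of KeySpec.
    spec = key_metadata.get("KeySpec") or key_metadata.get("CustomerMasterKeySpec")
    usage = key_metadata.get("KeyUsage")
    manager = key_metadata.get("KeyManager")

    reasons = []
    # AWS KMS automatic rotation (EnableKeyRotation) is accepted only for customer
    # managed symmetric encryption keys with KMS-generated material that are not
    # in a custom key store; anything else is rotated outside KMS.
    if origin != "AWS_KMS":
        reasons.append(f"Origin is {origin}, not AWS_KMS")
    if spec != "SYMMETRIC_DEFAULT" or usage != "ENCRYPT_DECRYPT":
        reasons.append(f"{spec}/{usage} is not a symmetric encryption key")
    if key_metadata.get("CustomKeyStoreId"):
        reasons.append("key lives in a custom key store")
    if manager != "CUSTOMER":
        reasons.append(f"KeyManager is {manager}; AWS managed keys rotate on AWS's schedule")

    blocked = state in _BLOCKED_STATES
    return {
        "kms_auto_rotation": not reasons and not blocked,
        # Linked-key rotation from the DSM source (Section 6.1) needs material that
        # DSM holds, i.e. a BYOK key, and a key that is not pending import/deletion.
        "rotate_from_dsm_source": origin == "EXTERNAL" and not blocked,
        "usable_now": state == "Enabled",
        "why_not_kms_auto": reasons + ([f"KeyState is {state}"] if blocked else []),
    }


def _sample(key_id, **overrides):
    base = {
        "KeyId": key_id,
        "Arn": f"arn:aws:kms:us-east-1:123456789012:key/{key_id}",  # placeholder account
        "KeyState": "Enabled", "KeyManager": "CUSTOMER",
        "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT",
    }
    base.update(overrides)
    return base


# Constructed samples modelled on DescribeKey output.
SAMPLE_NATIVE_KEY = _sample("1111aaaa-0000-4000-8000-000000000001", Origin="AWS_KMS")
SAMPLE_BYOK_KEY = _sample("2222bbbb-0000-4000-8000-000000000002", Origin="EXTERNAL")
SAMPLE_PENDING_IMPORT = _sample("3333cccc-0000-4000-8000-000000000003",
                                Origin="EXTERNAL", KeyState="PendingImport")


if __name__ == "__main__":
    for sample in (SAMPLE_NATIVE_KEY, SAMPLE_BYOK_KEY, SAMPLE_PENDING_IMPORT):
        print(sample["KeyId"], rotation_options(sample))
```

The PendingImport sample is the state a BYOK key enters after Delete Key Material (Section 5.11): it keeps its ARN but can neither be used nor rotated until the material is reimported.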

5.4 Multi-Region Keys

Fortanix DSM allows you to mark an AWS virtual key as a multi-region primary key, enabling the creation of replicas in other AWS KMS regions and making the primary key a multi-region key.

NOTE

Replicas of a multi-region key cannot be created from Fortanix DSM.

Multi-Region keys in AWS KMS are keys located in different AWS Regions that can be used interchangeably. They share the same key material and key ID across regions, allowing encryption in one region and decryption in another without the need for re-encryption or cross-Region calls to AWS KMS. Multi-Region keys support all cryptographic operations available with single-Region keys.

Additionally, Fortanix DSM also allows you to rotate the multi-region primary keys in AWS KMS:

  • Rotation of Multi-region Keys: You can rotate the multi-region primary keys that were generated or imported into an AWS KMS externally backed DSM group using the ROTATE KEY link available under the key name.

  • Linked-Key Rotation for Copied Keys: You can rotate a key copied from a normal DSM group to an AWS KMS externally backed DSM group as a multi-region primary key using the Rotate linked keys check box. This will rotate the primary and all replicas in AWS KMS to the new key value.

5.5 Sync Keys

Perform the following steps to sync keys from AWS KMS into the AWS CDC group:

  1. Go to the AWS group detailed view.

  2. Click the HSM/KMS tab.

  3. Click the SYNC KEYS button to import any new keys from AWS KMS as virtual keys.

Fortanix DSM will then connect to AWS, fetch all available keys, and store them as virtual keys.

NOTE

  • When keys are synced with AWS KMS, the metadata of the existing keys for the configured service account and region are downloaded and represented as virtual keys. The actual key material for those keys is always stored in AWS KMS.

  • Clicking SYNC KEYS only returns the keys from AWS that are not present in Fortanix DSM. That is, every click will append only new keys to Fortanix DSM.

  • If some keys were marked as multi-Region primary keys or multi-Region replica keys in AWS KMS before the scan, then clicking SYNC KEYS will identify these keys and mark them as multi-Region primary keys or multi-Region replica keys respectively.

  • The time taken to sync keys from AWS KMS to Fortanix DSM is a function of the number of keys in the AWS KMS and the network latency between the AWS location and Fortanix DSM. It can take several minutes if there are hundreds of keys and significant network latency.

  • The AWS CDC groups have a scan limitation. When the AWS KMS region has more than 100 keys, only 100 virtual keys are created during the group scan.

  • If a key in AWS KMS keystore has auto-rotation feature enabled, the AWS KMS auto-rotation feature will be enabled in the KEY ROTATION tab of the synced virtual key in Fortanix DSM after the sync operation.

5.6 Attributes/Tags Tab

This tab contains all the attributes and tags of the AWS key. A tag serves as an optional metadata label for an AWS resource. You can add new tags by clicking the NEW TAG button and include custom attributes using the ADD CUSTOM ATTRIBUTE button. These custom attributes are user-defined security object attributes that augment the security object's metadata.

5.7 AWS Key Details

This tab displays the information about the AWS Key Aliases, Key ARN for Key ID, and the AWS key policy.

  • If the AWS virtual key is a multi-region primary key, then the Key ARN section will also display the key ARNs of the replica keys.

  • If the AWS virtual key is a multi-region replica key, then the Key ARN section will also display the key ARN of the primary key.

The AWS KEY DETAILS tab also contains SCHEDULE KEY DELETION and DELETE KEY MATERIAL options as explained in Section 5.9: Schedule to Delete a Key in AWS KMS and Section 5.11: Delete Key Material in AWS KMS, respectively.

5.8 Security Objects Table View

After you add new AWS keys, navigate to the Security Objects menu item to view all the security objects from all the groups (AWS and non-AWS).

In the table, every key belongs to a group; the virtual keys that were added from AWS KMS belong to a group marked with a special symbol. The table shows all keys, whether or not they belong to an AWS CDC group.

5.9 Schedule to Delete a Key in AWS KMS

Scheduling a key for deletion in AWS KMS marks the actual key in the configured AWS account and region for deletion once the waiting period ends. While deletion is pending, the key appears as disabled in the security objects table and cannot be used for cryptographic operations.

Perform the following steps to schedule a key for deletion in AWS KMS:

  1. Navigate to the Security Objects menu item, go to the detailed view of an AWS virtual key, and select the AWS KEY DETAILS tab.

  2. Click the SCHEDULE KEY DELETION link.

  3. In the Schedule Key Deletion in the AWS KMS window, enter the waiting period in days (7 to 30) during which the deletion can still be cancelled if the key turns out to be needed.

    NOTE

    Data encrypted with the key becomes unrecoverable once the key is deleted.

  4. Select the confirmation “I understand that the data encryption with the object can no longer be used once the object is scheduled for deletion.” checkbox.

  5. Click the SCHEDULE KEY DELETE button to mark the key for deletion.

    NOTE

    You can cancel the key deletion at any time before the waiting period ends using the CANCEL KEY DELETION IN AWS link on the top of the screen in the detailed view of the AWS virtual key.

After the waiting period ends and the key is permanently deleted from AWS KMS, the DELETE KEY button is enabled in the detailed view of the virtual key in Fortanix DSM.

5.10 Delete a Key in AWS Group

NOTE

The DELETE KEY option is enabled only when the key is permanently deleted from AWS KMS.

When you delete a key from an AWS CDC group, the action only removes the virtual key in Fortanix DSM and does not delete the actual key in the configured AWS.

Perform the following steps to delete a virtual key:

  1. Select the AWS key that you want to delete.

  2. In the detailed view of the key, scroll down and click the DELETE KEY button.

5.11 Delete Key Material in AWS KMS

When a key of one of the allowed types (AES, RSA, or EC) is copied into AWS KMS from Fortanix DSM, the key material exists in two places: the source key in the regular Fortanix DSM group, and the configured AWS KMS for a specific account and region. The AWS KMS key is represented as a virtual key in the AWS CDC group.

A virtual key is only a virtual representation of the actual AWS KMS key that contains the key information and key attributes; however, this virtual key does not contain the key material. Users may want to delete the key material from the configured AWS KMS to maintain a single copy of key material stored securely in the source key in the regular Fortanix DSM group.

NOTE

  • The Delete Key Material feature is enabled only for the following allowed key types whose key material was externally imported into AWS KMS:

    • AES 256

    • RSA key pairs: 2048, 3072, or 4096 with public exponent 3 or 65537

    • EC curve key pairs: NistP256, NistP384, NistP521, or ECC_SECG_P256K1

  • The Delete key material feature is visible only for BYOK keys, that is, for keys that were copied from Fortanix DSM.

Perform the following steps to delete the key material of the AWS virtual key:

  1. Go to the detailed view of a virtual key in the AWS CDC group and select the AWS KEY DETAILS tab.

  2. Click the DELETE KEY MATERIAL link to delete the key material in AWS KMS.

  3. In the Delete Key Material in AWS KMS window, select the check box to confirm your understanding about the action.

  4. Click the DELETE KEY MATERIAL button to confirm the action.

  5. The status of the key in AWS KMS changes to "Pending import". In this state the key keeps its key ARN and aliases but cannot be used for cryptographic operations until the key material is reimported.

After the key material is deleted from AWS KMS, it can be reimported back into AWS KMS to reverse the key material deletion.

Perform the following steps to reimport the key material:

  1. Go to the detailed view of the virtual key and click the REIMPORT KEY MATERIAL link on top of the screen.

  2. The key material is reimported successfully.

6.0 Rotate Key in AWS CDC Group

The following section explains key rotation in an AWS CDC group. A key is rotated when you want to retire an encryption key and replace it with a newly generated cryptographic key.


6.1 Rotating Keys in Fortanix DSM Source Group

When you rotate a key in a Fortanix DSM source group that has linked keys (copies holding the same key material as the source), you are given the option to select which linked keys to rotate with it. If those linked keys belong to an AWS CDC group, rotating them also rotates the keys in AWS KMS by copying the new key material into the configured AWS KMS.

Perform the following steps to rotate a key in AWS KMS:

  1. Navigate to the Security Objects menu item in the DSM left navigation bar to go to the detailed view of a Fortanix DSM source key and click the ROTATE KEY button.

  2. In the KEY ROTATION window, select the Rotate linked keys check box.
    For more information on the key rotation policy, refer to the User's Guide: Fortanix Data Security Manager Key Lifecycle Management.

  3. Select the AWS virtual keys to rotate with the Fortanix DSM source key and click the ROTATE KEY button.

    NOTE

    • In the KEY ROTATION window, if you change the key size of the source AES, RSA, or EC key to a value that AWS KMS does not support, selecting "Rotate linked keys" disables the AWS virtual keys. AWS KMS supports only the following key types:

      • AES 256

      • RSA key pairs: 2048, 3072, or 4096 with public exponent 3 or 65537

      • EC curve key pairs: NistP256, NistP384, NistP521, or ECC_SECG_P256K1

    • Linked keys that are not AWS KMS keys will still be available for rotation with the new key size value.

  4. On the Rotate key window, select both the check boxes to confirm your understanding about the action. Click the PROCEED button.

  5. After the keys are rotated, click the OK button.

You can schedule a key rotation policy for the Fortanix DSM source key to automatically and periodically rotate linked AWS KMS keys that are copies of the source key.

Perform the following steps to schedule a key rotation policy for the source key:

  1. Navigate to the Security Objects menu item in the DSM left navigation bar to go to the detailed view of a Fortanix DSM source key.

  2. In the detailed view, click the KEY ROTATION tab and click the ADD POLICY button.

  3. Enter the key rotation schedule by specifying the rotation frequency, start date, and time.

  4. Click the SAVE POLICY button to save the policy.

  5. On the next screen, select both the check boxes to confirm your understanding about the action. Click the PROCEED button.

For more information on the key rotation policy, refer to the User's Guide: Fortanix Data Security Manager Key Lifecycle Management.

6.2 Rotate AWS Native Key to Fortanix DSM Owned Key

When an AWS virtual key whose key material is owned by AWS KMS is rotated, you can choose to rotate it to a Fortanix DSM-backed key. When you select this option and perform the rotation, a new virtual key is created with a corresponding key in AWS KMS whose key material is that of the Fortanix DSM-backed key. The AWS virtual key is then backed by a Fortanix DSM source key.

Perform the following steps to rotate a virtual key with Fortanix DSM backed key:

  1. Navigate to the Security Objects menu item in the DSM left navigation bar to go to the detailed view of an AWS virtual key and click the ROTATE KEY button.

  2. In the Key Rotation window, the Generate new key radio button is selected by default.

  3. Select the Rotate to DSM key check box.

  4. Select the Fortanix DSM group that contains the source key and then select the required source key from the respective drop down menus.

  5. Click the ROTATE KEY button.

  6. On the next screen, select both the check boxes to confirm your understanding about the action. Click the PROCEED button.

The virtual key has been rotated and is now backed by the source key. To confirm, go to the detailed view of the newly rotated AWS virtual key and click the AWS KEY DETAILS tab. You will notice that the SOURCE field now shows FortanixHSM instead of External.

7.0 Troubleshooting

This section lists issues along with possible workarounds that you might encounter while performing some operations.

Problem: While performing the Sync Keys operation, a request fails with an HTTP 400 status code and response error because the short-term access token expired during the synchronization of a group linked to AWS KMS.

Solution: Increase the session duration of the temporary credentials (the STS session token) so that it exceeds the expected duration of the Sync Keys operation.