1.0 Introduction
Welcome to the Fortanix FX2200 Series II Appliance - Physical Security Guide. This article provides instructions for the secure operation of the Fortanix FX2200 Series II Appliance with Fortanix Data Security Manager (DSM) software throughout its entire lifecycle.
The Fortanix FX2200 Series II Appliance with DSM software functions as a cryptographic module, also known as a Hardware Security Module (HSM). It includes several physical security attributes aimed at safeguarding the confidentiality and integrity of cryptographic keys and cryptographic operations performed within the appliance during its operational lifespan.
The appliance has been certified to FIPS 140-2 Security Level 3, certificate #4139, as detailed at:
https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4139
NOTE
Fortanix DSM was previously called Fortanix SDKMS at the time of certification.
It is recommended to carefully read and adhere to the guidelines in this manual to ensure consistent application of proper security procedures.
1.1 Intended Audience
This guide is designed for technical personnel who will bear the responsibility for unpacking, installing, configuring, managing, and/or inspecting the hardware appliances.
2.0 Manufacture and Distribution
The appliance is manufactured under tight process and quality controls within a secure environment. Prior to leaving the factory, tamper-evident labels are attached to protect against tampering through the life of the appliance. Appliances are shipped directly to customers using trusted couriers.
3.0 Receipt, Unpacking, and Initial Inspection
Upon receipt of the appliances, they should be immediately moved into a secure area with controlled access before they are opened and unpacked.
The appliances should only be opened and unpacked by authorised personnel in a secure, environmentally controlled area. Check that the correct number of appliances has been received and notify Fortanix immediately of any missing boxes. Before opening the boxes, check for any external signs of damage and report any damage to Fortanix immediately with photographic evidence.
The serial numbers of the appliances should be checked against the shipping advice from Fortanix, and any discrepancies reported immediately. Both the appliance and the tamper-evident seals should be inspected for any signs of damage or tampering, and the serial numbers of the seals checked against the details communicated by Fortanix. Any problems should be reported to Fortanix immediately with photographic evidence.
NOTE
Under no circumstances should customers break the tamper seals; doing so will render the appliance insecure and invalidate the warranty.
4.0 Installation and Configuration
NOTE
Installation and configuration should only be performed by authorized and trained personnel in accordance with the relevant Fortanix documentation.
Once the appliances have been racked, powered up, and access to the IPMI port is available, we recommend that you schedule a video conference with a Fortanix Customer Success engineer to help you with the installation and configuration of the appliances.
5.0 Secure Operation
The appliance must be operated and maintained through-life in accordance with the manufacturer's instructions at all times. The operating temperature and supply voltage ranges should not be exceeded. Only authorized personnel should be permitted physical access to the appliance. The appliance and its tamper-evident seals should be inspected on a regular basis for any signs of tampering. If tampering is suspected, the appliance should be immediately removed from service and advice sought from Fortanix.
6.0 Faults
Any faults should be reported to Fortanix by raising a support ticket. The only user-serviceable components are the dual-redundant, hot-swappable PSUs. If the appliance is under support and needs to be replaced, Fortanix will provide instructions for returning the faulty unit.
If tamper detection is enabled and the appliance detects a physical tamper event, it will stop working. We recommend that you contact Fortanix support for further advice if this happens.
7.0 Decommissioning
If the appliance is no longer required, it should be recycled according to local waste electronic equipment guidelines. There is no need to sanitize the hard disk since all sensitive data is encrypted. However, if the unit has been configured with a personalization key, this key can be securely wiped by powering off the device and keeping it powered off for 100 hrs.
If the device is operational and you want to delete the encrypted data, ensure that the node is removed from the cluster and then run the following command on the removed node to delete the data from the appliance or device:
sdkms-cluster reset --delete-data
If the device is not operational, contact Fortanix support for further assistance.
NOTE
If decommissioning is needed as part of a Return Merchandise Authorization (RMA), return the appliance to Fortanix.
8.0 FIPS Security Guidance
This section contains extracts from the FIPS Security Policy available at:
https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4139
The cryptographic module comprises different components that are designed for production-grade use. Its robust enclosure is non-transparent within the visible spectrum. The removable covers are safeguarded by tamper-evident seals, which require periodic inspection by the Crypto Officer. If these seals are found to be broken or missing, it is the responsibility of the Crypto Officer to immediately cease the module operations and arrange for its replacement by Fortanix.
The module incorporates tamper response and zeroization circuitry. This specialized circuitry promptly erases all plaintext secret and private keys and CSPs in the event of cover removal. It is important to note that the tamper response and zeroization circuitry remains active even when plaintext secret and private cryptographic keys or CSPs are stored within the cryptographic module.
Additionally, the ventilation holes are designed to prevent any unnoticed physical probing inside the enclosure.
Figure 1: FX2200 Front View (FX2200-II-T-F)
Figure 2: FX2200 Rear View (FX2200-II-T-F)
8.1 Secure Operation Rules
The Crypto Officer is required to follow the vendor procedural control guidelines to set up and install the module after it is received.
Perform the following steps:
Ensure that the module unpacking is performed in a secure location accessible only to authorized personnel.
The installation must be carried out by authorized personnel who have the Crypto Officer role in the organization. The installation must be carried out in a secure location which is accessible only by authorized personnel.
Log in to Fortanix DSM using default credentials.
Change the default password promptly.
Configure networking interfaces as required.
Set up and configure the Network Time Protocol (NTP) for accurate timekeeping.
Execute a predefined set of setup commands provided by the vendor to customize the module's configuration.
After setup, run the 'version' command to check the firmware version.
Verify that the module is operating in the required Federal Information Processing Standards (FIPS) mode.
8.2 Tamper Evident Labels
The following guidelines should be considered when producing an Operational Policy for the environment in which the module is deployed.
Upon receipt of the appliance, the serial numbers of the appliances and of the tamper-evident labels should be validated against the information provided by the vendor over a secure channel. The Crypto Officer should examine the enclosure for any evidence of tampering, damage to the two tamper-evident labels and any physical damage to the enclosure material.
The Crypto Officer should perform further periodic examinations. The frequency of a physical inspection depends upon the information being protected and the environment in which the unit is located. At a minimum, it would be expected that a physical inspection would be made by the Crypto Officer at least monthly.
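The receipt check and inspection schedule described above can be tracked with a small script. The following is an added example, not Fortanix tooling or part of the original guide: the data layout, the function names, the made-up serial numbers, and the reading of "at least monthly" as 31 days are all assumptions.

```python
from datetime import date, timedelta

LABELS_PER_APPLIANCE = 2                  # the guide describes two tamper-evident labels per unit
MAX_INSPECTION_GAP = timedelta(days=31)   # assumption: "at least monthly" read as 31 days


def norm(serial):
    """Normalize a hand-transcribed serial so case and spacing do not cause false alarms."""
    return "".join(serial.split()).upper()


def reconcile_receipt(vendor, received):
    """Compare received units with the vendor's record (appliance serial -> label serials)."""
    vendor = {norm(k): {norm(s) for s in v} for k, v in vendor.items()}
    received = {norm(k): {norm(s) for s in v} for k, v in received.items()}
    findings = [(s, "listed by vendor but not received") for s in sorted(vendor.keys() - received.keys())]
    findings += [(s, "received but not in vendor record") for s in sorted(received.keys() - vendor.keys())]
    for serial in sorted(vendor.keys() & received.keys()):
        labels = received[serial]
        if len(labels) != LABELS_PER_APPLIANCE:
            findings.append((serial, f"{len(labels)} label(s) found, expected {LABELS_PER_APPLIANCE}"))
        elif labels != vendor[serial]:
            findings.append((serial, "label serials differ from vendor record"))
    return findings


def inspection_gaps(received_on, inspections, today):
    """Return (start, end) periods longer than MAX_INSPECTION_GAP with no recorded inspection."""
    points = [received_on] + sorted(inspections) + [today]
    return [(a, b) for a, b in zip(points, points[1:]) if b - a > MAX_INSPECTION_GAP]


# Constructed sample data; all serial numbers below are made up for illustration.
VENDOR = {"FX-EX-0001": ["TL-1001", "TL-1002"], "FX-EX-0002": ["TL-1003", "TL-1004"],
          "FX-EX-0003": ["TL-1005", "TL-1006"]}
RECEIVED = {"fx-ex-0001": ["TL-1002", "tl-1001 "], "FX-EX-0002": ["TL-1003", "TL-9999"],
            "FX-EX-0004": ["TL-1007"]}

if __name__ == "__main__":
    for serial, problem in reconcile_receipt(VENDOR, RECEIVED):
        print(f"{serial}: {problem}")
    log = [date(2024, 1, 20), date(2024, 2, 15), date(2024, 4, 2)]
    for start, end in inspection_gaps(date(2024, 1, 10), log, date(2024, 4, 20)):
        print(f"no inspection recorded between {start} and {end}")
```

Any finding from either function is a discrepancy to report to Fortanix as the guide directs; the script only records and compares what the Crypto Officer observed and does not replace the physical examination.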
The tamper-evident labels are affixed during the manufacturing phase at Fortanix and are serialized. They are not available for ordering or replacement through Fortanix. These labels are intentionally designed to remain intact throughout the module's entire lifespan.
You can see their placement in the following image:

Figure 3: Tamper Evident Label Position: FX2200-II-T-F & FX2200-II-SX-F

Figure 4: Tamper Evident Label Position: FX2200-II-TN-F & FX2200-II-SXN-F
The following image illustrates the tamper label, which, once tampered with, displays "VOID" markings, and cannot be reattached.

Figure 5: Tamper Evident Label Used: FX2200-II-T-F & FX2200-II-SX-F

Figure 6: Tamper Evident Label Used: FX2200-II-TN-F & FX2200-II-SXN-F
The two tamper seals are positioned on the lid and stretched across the lid's seam to reach the module chassis, as depicted in the following image. The sole method to remove the cover is to damage the tamper seals.

Figure 7: Tamper Evident Label Closeup: FX2200-II-T-F & FX2200-II-SX-F

Figure 8: Tamper Evident Label Closeup: FX2200-II-TN-F & FX2200-II-SXN-F
NOTE
Module hardness testing was conducted at an ambient room temperature of 80.4°F, and no guarantee is offered regarding Level 3 hardness compliance at any different temperature.
9.0 Sealing Key Policy
The choice of sealing key policy has important security implications. To learn how to configure the sealing key policy, refer to Section 5.3.5: Sealing Key Policy in the Fortanix Data Security Manager Installation Guide.
NOTE
If the Sealing Key Policy is set to "Personalization Key" or "Recovery Key", avoid powering down the unit for more than 24 hours. This is because the Personalization Key is stored in battery-backed RAM, which can only protect against short-duration power outages. If the Personalization Key is lost due to an extended power outage or accidental tampering, you can recover it if you are using the "Recovery Key" option. Otherwise, you need to wipe the unit and reconnect it to the cluster.