User's Guide: Export Key

1.0 Introduction

This article describes the Fortanix Data Security Manager (DSM) Export Key feature.

It covers the following:

  • Export key as encrypted key material

  • Export key as clear key material

  • Export key as components

2.0 Export Key

This section explains how you, as a group administrator, can export a key in Fortanix DSM, including the requirements for different key types and the available formats.

WARNING

The EXPORT KEY button will be disabled:

  • If the key type is LMS or XMSS.

  • If the key does not have the Export permission selected.

2.1 Export as Encrypted Key Material

Fortanix DSM allows you to export a key AS ENCRYPTED KEY MATERIAL by selecting a wrapping key to encrypt it before export. This ensures that the exported key remains protected and can only be decrypted by an authorized entity with the correct wrapping key.

WARNING

Export AS ENCRYPTED KEY MATERIAL will be disabled:

  • If no Quorum approval policy is set in the group.

  • If the selected wrapping key does not have the WrapKey permission.

It is assumed that:

  • A key with Export key permissions exists in the group.

  • The group, Group1, has the following Quorum approval policy configured: the members Approver1 and Approver2 form a quorum group, and the approval of 1 of the 2 members is required to approve an operation in the group.

In the following example:

  • As a group administrator, you create an export key AS ENCRYPTED KEY MATERIAL request.

  • The goal is to export an AES key named AES_Key in Group1 so that you can download the key.

Perform the following steps to export a key:

  1. Go to the detailed view of the created key, AES_Key.

  2. Scroll to the end of the page and click EXPORT KEY.

    NOTE

    In the Fortanix DSM user interface (UI), the EXPORT KEY button is enabled for this export type only if the key type is AES, DES, DES3, HMAC, EC, ARIA, EC-KCDSA, KCDSA, SEED, BIP32, BLS, ML-KEM, or ML-DSA. XMSS keys can be exported only through the Fortanix REST API, not through the UI.

  3. In the EXPORT KEY window, do the following:

    1. Select the AS ENCRYPTED KEY MATERIAL radio button.

    2. Select Wrapping Key: Select a key with the WrapKey permission to wrap (encrypt) the AES_Key before export.

    NOTE

    Only AES keys can be used as wrapping keys.

    3. Cipher mode: Select the cipher mode that is applied to the key material. There are three cipher modes to choose from:

      1. ECB (Electronic Codebook Mode) – The key material is split into blocks of the wrapping cipher's block size (128 bits for AES) and every block is encrypted independently with the same wrapping key. Equal plaintext blocks therefore produce equal ciphertext blocks, and nothing detects a modified or swapped block, so ECB provides confidentiality only. Prefer KW or KWP when they are offered for the key combination.

      2. KW (Key Wrap Algorithm) – AES Key Wrap as specified in RFC 3394 / NIST SP 800-38F. The whole key material is encrypted with the wrapping key in six AES passes, and a 64-bit integrity check value is carried inside the wrapped blob, so unwrapping with the wrong wrapping key or a tampered blob fails. The key material must be a multiple of 64 bits in length.

      3. KWP (Key Wrap with Padding) – The same construction as KW (RFC 5649 / SP 800-38F), but the key material is first padded with zero bytes to a multiple of 64 bits and its true length is stored in the integrity check value, so key material of any length (an HMAC key, for example) can be wrapped and the padding is removed on unwrap.

      NOTE

      A cipher mode of operation may not be available for selection based on the source and selected wrapping key combination.

  4. Click SUBMIT EXPORT REQUEST to submit the export request.

    Figure 1: Export Key as Encrypted Key Material
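The following Go program is an added example written for this article; it is not Fortanix code and does not reproduce the DSM export file format, which this page does not describe. It implements the KW cipher mode of RFC 3394 on top of the standard library's AES, an ECB encryptor that makes the weakness of ECB visible, and the AES Key Check Value (KCV) that appears in the export details of Section 2.3. The RFC 3394 test vector (KEK 000102...0F, key 00112233...FF) is used as constructed input. The assumption is that a KW blob downloaded from DSM is the raw RFC 3394 ciphertext; if it is not, the functions still show what the mode does and what its integrity check catches.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
)

// Default IV of AES Key Wrap (RFC 3394 / NIST SP 800-38F KW). KWUnwrap checks that it
// comes back intact, which is what gives KW its integrity check.
var kwIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// KWWrap wraps key material with a KEK using RFC 3394 KW: six passes of AES over
// (A | R[i]) for every 64-bit block R[i]. The key material must be a multiple of
// 8 bytes and at least 16 bytes long (KWP exists to lift that restriction).
func KWWrap(kek, key []byte) ([]byte, error) {
	if len(key) < 16 || len(key)%8 != 0 {
		return nil, errors.New("KW needs key material that is a multiple of 8 bytes; use KWP instead")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(key) / 8
	out := append(append([]byte{}, kwIV...), key...) // A followed by R[0..n-1]
	a, b := out[:8], make([]byte, 16)
	for j := 0; j < 6; j++ {
		for i := 0; i < n; i++ {
			r := out[8+8*i : 16+8*i]
			copy(b[:8], a)
			copy(b[8:], r)
			block.Encrypt(b, b)
			// A = MSB64(B) xor t, with t = n*j + i (i counted from 1 in the RFC)
			binary.BigEndian.PutUint64(a, binary.BigEndian.Uint64(b[:8])^uint64(n*j+i+1))
			copy(r, b[8:])
		}
	}
	return out, nil
}

// KWUnwrap inverts KWWrap and fails if the recovered IV is not the RFC 3394 default,
// which is the case when the KEK is wrong or any ciphertext byte was modified.
func KWUnwrap(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("malformed KW ciphertext")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	buf := append([]byte{}, wrapped...)
	a, b := buf[:8], make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			r := buf[8+8*i : 16+8*i]
			binary.BigEndian.PutUint64(b[:8], binary.BigEndian.Uint64(a)^uint64(n*j+i+1))
			copy(b[8:], r)
			block.Decrypt(b, b)
			copy(a, b[:8])
			copy(r, b[8:])
		}
	}
	if !bytes.Equal(a, kwIV) {
		return nil, errors.New("KW integrity check failed: wrong wrapping key or tampered ciphertext")
	}
	return buf[8:], nil
}

// ECBEncrypt is the ECB cipher mode: each 16-byte block is encrypted independently with
// no chaining and no integrity check, so equal plaintext blocks give equal ciphertext
// blocks and a modified block decrypts to garbage without any error being raised.
func ECBEncrypt(kek, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	if len(data)%block.BlockSize() != 0 {
		return nil, errors.New("ECB needs data that is a multiple of the AES block size (16 bytes)")
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += block.BlockSize() {
		block.Encrypt(out[i:i+block.BlockSize()], data[i:i+block.BlockSize()])
	}
	return out, nil
}

// AESKCV computes the Key Check Value of an AES key: the first three bytes of
// AES-ECB(key, sixteen zero bytes), as hex. Compare it with the KCV in the export details.
func AESKCV(key []byte) (string, error) {
	out, err := ECBEncrypt(key, make([]byte, 16))
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(out[:3]), nil
}
```

KWP is the same construction with the RFC 5649 alternative IV (a fixed 32-bit prefix followed by the plaintext length) and zero padding to a multiple of 8 bytes; its unwrap checks the IV prefix, the length field, and that the padding bytes are zero. KW's 64-bit check rejects a wrong wrapping key or a single flipped ciphertext byte with probability about 1 - 2^-64, while an ECB blob has no such check, and ECBEncrypt shows that two identical 16-byte blocks of key material encrypt to identical ciphertext blocks. Computing AESKCV over the unwrapped material and comparing it with the KCV displayed in the export details is a quick offline check that the right key was unwrapped with the right wrapping key.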

2.2 Export as Clear Key Material

Fortanix DSM allows you to export a key AS CLEAR KEY MATERIAL in Hex, Base64, or Raw format. The downloaded file contains the key in plaintext, so anyone who obtains it can use the key; handle it accordingly.

It is assumed that:

  • A key with Export key permissions exists in the group.

  • The group, Group2, does not have a Quorum approval policy configured.

In the following example:

  • As a group administrator, you create an export key AS CLEAR KEY MATERIAL request.

  • The goal is to export an RSA key named RSA_Key in Group2 so that you can download the key.

Perform the following steps to export a key:

  1. Go to the detailed view of created key, RSA_Key.

  2. Scroll to the end of the page and click EXPORT KEY.

    NOTE

    Export AS CLEAR KEY MATERIAL is available only for RSA, DSA, and Secret keys.

  3. In the EXPORT KEY window, do the following:

    1. Select the AS CLEAR KEY MATERIAL radio button.

    2. Select the format in which the key must be exported. The available options are Hex, Base64, and Raw.

  4. Click DOWNLOAD THE KEY to download the key material in the format selected in sub-step 2 of Step 3.

    NOTE

    If a Quorum approval policy is set in the group, an RSA, DSA, or Secret key is still exported AS CLEAR KEY MATERIAL, but the download is only possible after the export request has been approved. For the detailed steps, refer to Section 2.3: Download the Key from Tasks Tab.

2.3 Download the Key from Tasks Tab

You can download the key material from the Tasks tab in Fortanix DSM UI.

Perform the following steps to download the key material:

  1. After the export key AS ENCRYPTED KEY MATERIAL or AS CLEAR KEY MATERIAL request is created, a quorum approval request is sent to the members of the group's Quorum approval policy.

  2. The approvers, Approver1 and Approver2, receive a notification about the export request for the key. Either approver can APPROVE or DECLINE the request from the TASKS PENDING Import/Export tab or from the DSM Home page in the Fortanix DSM UI.

    With the example policy (1 of 2 members), a single approval accepts the request. If any approver clicks DECLINE, the request is permanently rejected and the key cannot be exported; a declined request cannot be approved afterwards, even if other quorum members had already approved it.

    Figure 2: Approve Export Request

  3. After the Quorum approval request is accepted, you can download the key material from TASKS COMPLETED Import/Export tab or the DSM Home page in the Fortanix DSM UI.

  4. Click DOWNLOAD THE KEY to retrieve the key. For an AS ENCRYPTED KEY MATERIAL request, the key material is wrapped with the wrapping key selected at export time.

    Figure 3: Download the Key

  5. Click DOWNLOAD THE KEY again to securely retrieve the key. The export details shown depend on the export type:

    1. If you are exporting the key AS CLEAR KEY MATERIAL, the export details show the export format.

      Figure 4: RSA Key Details

    2. If you are exporting the key AS ENCRYPTED KEY MATERIAL, the export details show the wrapping key used for encryption, the Key Check Value (KCV), which you can use to confirm the key material after unwrapping it, and the export format.

      Figure 5: AES Key Details

  6. After the key is downloaded, a tick mark appears in the Download column.

2.4 Export Key as Components

The Export Key as Components feature allows a group administrator to export a key as components, each delivered to a different user (a key custodian), so that no single user holds the whole key. To export a key as components:

  • A Key Custodian policy must be set at the group level.

  • A Quorum approval policy must exist for the group.

  • If either policy is missing, the EXPORT KEY button is disabled.

For the complete end-to-end workflow of the “Export key by component” feature, refer to the article User's Guide: Key Components.