1.0 Introduction
Welcome to the Fortanix Data Security Manager (DSM) Export Permissions User Guide. This article provides an overview of the Export Permissions feature. It explains how to manage and set permissions for securely exporting security objects, including how to configure wrapping keys and export methods at both the group and security object levels.
2.0 Export Policy in Fortanix DSM
The Export Policy feature in Fortanix DSM allows you to control how key material is exported from the system. You can set up these permissions at both the group and security object levels to securely export the keys, either as plain text or with added encryption.
NOTE
Currently, the Fortanix DSM supports only the following three modes for wrap export policy through the DSM user interface (UI):
KW (Key Wrap)
KWP (Key Wrap with Padding)
ECB (Electronic Code Book)
However, you can access all the modes through the REST API.
2.1 Export Permissions at Group Level
The Export Permissions feature of Fortanix DSM allows you to control how the key material of a security object may be exported at the group level.
Perform the following steps:
Log in to the Fortanix DSM user interface (UI) with your valid credentials.
Navigate to the Groups menu item from the DSM left navigation panel. Select the required group from the list.
Scroll to the end of the page and click the DEFINE button in the Export permissions section.
Figure 1: Define Export Permissions
You can select either of the following export options:
Export Unwrapped
Export Using Wrap (Recommended)
Figure 2: Export Permissions Options
2.1.1 Export Unwrapped
When you select the Export Unwrapped option, the key may be exported as unencrypted plain text, which decreases the protection provided by the Fortanix DSM.
Perform the following steps to allow exporting keys unwrapped:
Select the EXPORT UNWRAPPED option.
Click the SAVE POLICY button.
2.1.2 Export Using Wrap (Recommended)
When you select the EXPORT USING WRAP (Recommended) option, the key may be exported wrapped with an encryption key. This method is recommended to maintain the security of the key material.
Perform the following steps to allow exporting keys wrapped:
Select the EXPORT USING WRAP (Recommended) option.
You can wrap the key with either of the following options:
Any key: Any accessible key with the Wrap Key permission can be used to wrap the security object.
Select specific keys: You can select the specific wrapping keys based on the following:
Select keys by Key IDs: Specify the IDs of the wrapping keys to be used to wrap when exporting a key. The selected keys will be added with their key IDs. Use this option if you want to allow only specific versions of the wrapping key in case the wrapping key is rotated in the future.
Select keys by Key names: Specify the names of the wrapping keys to be used to wrap when exporting a key. The selected keys will be added with their key names. Use this option if you want to wrap a key with the latest version of the wrapping key in case the wrapping key is rotated in the future.
Figure 3: Key Names and IDs
Click the SAVE POLICY button.
2.2 Export Permissions at Security Object Level
The Export Permissions feature of Fortanix DSM allows you to control how the key material of a security object may be exported at the security object level.
Perform the following steps:
Log in to the Fortanix DSM user interface (UI) with your valid credentials.
Navigate to the Security Objects menu item from the DSM left navigation panel. Select the required security object from the list.
NOTE
Ensure that the Export permission in the Key operation permitted section is selected during the security object creation.
Scroll to the end of the page and click the EDIT button in the Define export permissions section.
Figure 4: Edit Export Permissions
The following form appears on the screen:
Figure 5: Select Export Permissions
By default, the Allow weakening check box and EXPORT USING WRAP (Recommended) radio buttons are selected.
Click the DEFINE button to save the settings.
2.2.1 Allow Weakening Check Box
The Allow weakening option determines whether later edits to a key's export permissions may weaken them or may only make them stricter.
WARNING
After you clear the "Allow weakening" check box and save the policy, it cannot be selected again, as that would weaken the policy.
When this option is selected, the next time you edit the key export permissions:
It allows you to add wrapping keys, which weakens the key export permissions, or to delete existing wrapping keys.
It allows you to change the export method from wrapped export (encrypted) to unwrapped export (plain text), which weakens the key export permissions, and vice versa.
When this option is cleared, the next time you edit the key export permissions:
It allows you to remove existing wrapping keys but does not allow you to add new wrapping keys, so the export permissions can only become stricter.
It allows you to change the export method from EXPORT UNWRAPPED to EXPORT USING WRAP (Recommended) but not vice versa, since the export policy can only be made stricter.
NOTE
Enabling this option provides more flexibility but lowers the security of the key export process. It is recommended to leave this option unchecked to perform a more secure key export operation.
2.2.2 Export Unwrapped
When you select the Export Unwrapped option, the key may be exported as unencrypted plain text, which decreases the protection provided by the Fortanix DSM.
Perform the following steps to allow exporting keys unwrapped:
Select the EXPORT UNWRAPPED option.
Click the SAVE POLICY button.
2.2.3 Export Using Wrap (Recommended)
When you select the EXPORT USING WRAP (Recommended) option, the key may be exported wrapped with an encryption key. This method is recommended to maintain the security of the key material.
Perform the following steps to allow exporting keys wrapped:
Select the EXPORT USING WRAP (Recommended) option.
You can wrap the key with either of the following options:
Any key: Any accessible key with the Wrap Key permission can be used to wrap the security object.
Select specific keys: You can select the specific wrapping keys based on the following:
Select keys by Key IDs: Specify the IDs of the wrapping keys to be used to wrap when exporting a key. The selected keys will be added with their key IDs. Use this option if you want to allow only specific versions of the wrapping key in case the wrapping key is rotated in the future.
Select keys by Key names: Specify the names of the wrapping keys to be used to wrap when exporting a key. The selected keys will be added with their key names. Use this option if you want to wrap a key with the latest version of the wrapping key in case the wrapping key is rotated in the future.
Figure 6: Key Names and IDs
Click the DEFINE button to save the settings.
NOTE
If the export permissions are defined at both the group level and security object level, both sets of permissions are enforced when exporting the security object.
For example, if the group level permissions require wrapped export with only key W1, and the security object level permissions require wrapped export with only key W2, the security object may not be exported as there is no way to satisfy both policies.
In a situation like this, a user with sufficient permissions may relax either the group level or the security object level export permissions so that the two policies no longer conflict and the security object can be exported.
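The following added example (not Fortanix code and not the DSM REST API) models two rules from this guide in Python: the combined enforcement of group and security object policies described in the note above, and the Allow weakening rule from section 2.2.1. The names ExportPolicy, permits, can_export, is_weakening and edit_allowed are hypothetical, keys are identified by plain strings, and the model assumes that a policy allowing unwrapped export also allows wrapped export.

```python
from typing import FrozenSet, NamedTuple, Optional

ANY_KEY = None  # models the "Any key" option: no restriction on the wrapping key


class ExportPolicy(NamedTuple):
    wrapped: bool                                  # False models Export Unwrapped
    wrap_keys: Optional[FrozenSet[str]] = ANY_KEY  # permitted wrapping keys
    allow_weakening: bool = True                   # the Allow weakening check box


def permits(policy, wrap_key):
    """Does one policy permit the request? wrap_key=None asks for plain text."""
    if not policy.wrapped:
        return True    # assumption: an unwrapped policy also permits wrapped export
    if wrap_key is None:
        return False   # a wrap policy never releases plain text
    return policy.wrap_keys is ANY_KEY or wrap_key in policy.wrap_keys


def can_export(group, obj, wrap_key):
    """Group and object policies are both enforced, so both must permit."""
    return permits(group, wrap_key) and permits(obj, wrap_key)


def is_weakening(old, new):
    """True if the edit old -> new loosens the policy in any way."""
    if new.allow_weakening and not old.allow_weakening:
        return True    # the check box cannot be selected again once cleared
    if not old.wrapped:
        return False   # unwrapped is already the weakest export method
    if not new.wrapped:
        return True    # wrapped -> unwrapped
    if old.wrap_keys is ANY_KEY:
        return False   # narrowing "any key" to a list is stricter
    return new.wrap_keys is ANY_KEY or not new.wrap_keys <= old.wrap_keys


def edit_allowed(old, new):
    """Weakening edits pass only while Allow weakening is still selected."""
    return old.allow_weakening or not is_weakening(old, new)


# Constructed policies for the W1/W2 case described in the text
GROUP = ExportPolicy(True, frozenset({"W1"}))
OBJ = ExportPolicy(True, frozenset({"W2"}), allow_weakening=False)
RELAXED_GROUP = ExportPolicy(True, frozenset({"W1", "W2"}))
```

With GROUP and OBJ as defined, no wrapping key satisfies both policies. After the group policy is relaxed to RELAXED_GROUP, export wrapped with W2 succeeds while OBJ itself still rejects any edit that adds keys or switches to unwrapped export.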