User's Guide: Export Policy

Prev Next

1.0 Introduction

This article provides an overview of the Fortanix-Data-Security-Manager (DSM) Export Permissions feature. It explains how to manage and set permissions for securely exporting security objects, including how to configure wrapping keys and export methods at both the group and security object levels.

2.0 Export Permissions in Fortanix DSM

The Export permissions feature in Fortanix DSM allows you to control how key material is exported from the system. You can configure these permissions at both the group and security object levels to securely export the keys, either as plain text or with added encryption.

NOTE

Currently, the Fortanix DSM supports only the following three modes for wrap export policy through the Fortanix DSM user interface (UI):

  • KW (Key Wrap)

  • KWP (Key Wrap with Padding)

  • ECB (Electronic Code Book)

However, all export modes are accessible through the REST API.

2.1 Export Permissions at Group-Level

The Export permissions feature of Fortanix DSM allows you to control how key material associated with a security object may be exported at the group level.

Perform the following steps:

  1. Log in to the Fortanix DSM user interface (UI) with your valid credentials.

  2. Navigate to the Groups menu item from the DSM left navigation panel and select the required group from the list.

  3. Scroll to the bottom of the page and click DEFINE in the Export permissions section.

    Figure 1: Define export permissions

  4. You can select either of the following export options:

    • Export Unwrapped

    • Export Using Wrap (Recommended)

    Figure 2: Export permissions options

2.1.1 Export Unwrapped

When you select the Export Unwrapped option, the key may be exported as unencrypted plain text, which reduces the level of protection provided by Fortanix DSM.

Perform the following steps to allow exporting keys unwrapped:

  1. Select the EXPORT UNWRAPPED option.

  2. Click SAVE POLICY.

2.1.2 Export Using Wrap (Recommended)

When you select the EXPORT USING WRAP (Recommended) option, the key is exported wrapped with an encryption key. This method is recommended to maintain the security of the key material.

Perform the following steps to allow exporting keys wrapped:

  1. Select the EXPORT USING WRAP (Recommended) option.

  2. You can wrap the key with either of the following options:

    • Any key: Any accessible key with the Wrap Key permission can be used to wrap the security object.

    • Select specific keys: You can select the specific wrapping keys using one of the following methods:

      • Select keys by Key IDs: Specify the IDs of the wrapping keys to use for exporting. The selected keys will be identified by their key IDs. Use this option if you want to allow only specific versions of the wrapping key, especially if the wrapping key may be rotated in the future.

      • Select keys by Key names: Specify the names of the wrapping keys to use for exporting. The selected keys will be identified by their key names. Use this option if you want to always use the latest version of the wrapping key when it is rotated.

    Figure 3: Key names and IDs

  3. Click SAVE POLICY.

2.2 Export Permissions at Security Object-Level

The Export Permissions feature of Fortanix DSM allows you to control how key material within a specific security object may be exported at security object-level.

Perform the following steps:

  1. Log in to the Fortanix DSM user interface (UI) with your valid credentials.

  2. Navigate to the Security Objects menu item from the DSM left navigation panel. Select the required security object from the list.

    NOTE

    Ensure that the Export permission in the Key operation permitted section is selected during the security object creation.

  3. Scroll to the end of the page and click EDIT in the Define export permissions section.

    Figure 4: Edit export permissions

    The following form appears on the screen:

    Figure 5: Select export permissions

  4. By default, the Allow weakening check box and EXPORT USING WRAP (Recommended) radio buttons are selected.

  5. Click DEFINE to save the settings.

2.2.1 Allow Weakening Check Box

The Allow weakening option determines whether the export permissions for a key can be modified so that it is weakened or made stricter, depending on the selection.

WARNING

After you clear the Allow weakening check box and save the policy, it cannot be selected again, as that would weaken the policy.

  • When this option is selected: When you edit the key export permissions again,

    • You can add additional wrapping keys, which may weaken your key export permissions, or delete existing wrapping keys.

    • You can change the export method from wrapped export (encrypted) to unwrapped export (plain text), which weakens your key export permissions, and vice versa.

  • When this option is cleared: When you edit the key export permissions again,

    • You can remove existing wrapping keys, but you cannot add new ones, thereby making the export permissions stricter.

    • You can change the export method from EXPORT UNWRAPPED to EXPORT USING WRAP (Recommended), but not vice versa, as the export policy can only be made stricter.

NOTE

Enabling this option provides more flexibility but lowers the security of the key export process. It is recommended to leave this option unchecked to perform a more secure key export operation.

2.2.2 Export Unwrapped

When you select the Export Unwrapped option, the key material may be exported as unencrypted plain text, which reduces the protection provided by the Fortanix DSM.

Perform the following steps to allow exporting keys unwrapped:

  1. Select the EXPORT UNWRAPPED option.

  2. Click SAVE POLICY.

2.2.3 Export Using Wrap (Recommended)

When you select the EXPORT USING WRAP (Recommended) option, the key may be exported wrapped with an encryption key. This method is recommended to maintain the security of the key material.

Perform the following steps to allow exporting keys wrapped:

  1. Select the EXPORT USING WRAP (Recommended) option.

  2. You can wrap the key using either of the following options:

    • Any key: Any accessible key with the Wrap Key permission can be used to wrap the security object.

    • Select specific keys: You can select the specific wrapping keys based on the following:

      • Select keys by Key IDs: Specify the IDs of the wrapping keys to be used to wrap when exporting a key. The selected keys will be added by their key IDs. Use this option if you want to allow only specific versions of the wrapping key in case the wrapping key is rotated in the future.

      • Select keys by Key names: Specify the names of the wrapping keys to be used to wrap when exporting a key. The selected keys will be added by their key names. Use this option if you want to wrap a key with the latest version of the wrapping key in case the wrapping key is rotated in the future.

      Figure 6: Key names and IDs

  3. Click DEFINE to save the settings.

NOTE

If the export permissions are defined at both the group-level and security object-level, both sets of permissions are enforced when exporting the security object.

For example, if the group-level permissions require wrapped export with only key W1, and the security object-level permissions require wrapped export with only key W2, the security object may not be exported, as there is no way to satisfy both policies.

In a situation like this, a user with sufficient permissions may relax either the group or security object-level export permissions so they do not overlap and allow exporting the security object.