Fortanix DSM - Azure Managed HSM Group Setup Guide

1.0 Introduction

Welcome to the Fortanix Data Security Manager (DSM) Azure Key Vault (AKV) Managed Hardware Security Module (HSM) Key Management Service (KMS) User Guide. This article describes how to set up an Azure AKV group for Azure Managed HSM using Fortanix DSM.

The Fortanix solution for AKV Managed HSM KMS offers complete Bring Your Own Key (BYOK) and lifecycle management and automation of Azure Managed HSM keys and allows users to manage all keys centrally and securely.

This guide walks you through setting up an Azure Managed HSM group that is used for both CNKMS and BYOK workflows.

1.1 Types of Azure BYOK Flows

  1. Fortanix DSM key BYOK into Standard Tier Azure Key Vault (Software-protected: FIPS 140-2 Level 1 compliance).

  2. Fortanix DSM Key BYOK into Premium Tier Azure Key Vault (HSM-protected: FIPS 140-2 Level 2 compliance).

  3. Fortanix DSM key BYOK from Fortanix DSM as HSM into Azure Key Vault HSM using custom Key wrapping inside Fortanix DSM.

  4. Fortanix BYOK into Azure Managed HSM (HSM-protected: Azure FIPS 140-2 Level 3 compliance).

2.0 Getting Started with Fortanix Cloud Data Control

To understand which of CNKMS, Bring Your Own Key (BYOK), Bring Your Own KMS (AWS XKS), or Bring Your Own Encryption (BYOE) is right for you, refer to the Fortanix DSM - Cloud Data Control - Getting Started.

3.0 Obtaining Access to Fortanix DSM

Create an account in Fortanix DSM if you do not have one already. For more information, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI guide.

4.0 Fortanix DSM Azure Managed HSM Group Setup

4.1 Azure Application Configuration

Fortanix DSM requires Azure credentials to authenticate to and interact with Azure Managed HSM. Perform the following steps to obtain the necessary credentials:

  1. Log in to https://portal.azure.com/.

  2. Create a new resource group.

    Figure 1: Create a Resource Group

  3. Register an application (app).  

    Figure 2: Initiate App Registration

    Figure 3: Register an App

    Figure 4: App Registered

  4. Upload a client certificate for the above application.  

    Figure 5: Client Certificate for the App

  5. Create a client secret for the above application.

    Figure 6: Client Secret for the App

  6. Give the app permission to access the Azure Key Vault.  

    Figure 7: Key Vault Permission to Access App

    Figure 8: Key Vault Permission to Access App

  7. Create an Azure Managed HSM Key Vault using Azure CLI.

  8. Add a Managed HSM contributor role to the resource group created in Step 2.

    Figure 9: Access Managed HSM Contributor Role

  9. Provide the Managed HSM Crypto Service Encryption User, Managed HSM Crypto Officer, and Managed HSM Administrator roles to the application in Azure Local RBAC.

    Figure 10: Provide Access to Roles in Azure RBAC

    Figure 11: Added the App to the Role
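
The portal steps above can also be scripted. The following is an added example, not a script from the Fortanix guide or from Azure: it performs steps 2, 3, 5, 7, 8 and 9 with the Azure CLI, assuming `az` is already logged in to the target subscription. The resource group name, location, app name, HSM name, administrator object ID and the security-domain certificate file names are placeholders to replace; the role names are the ones the steps above list. Set `DRY_RUN=1` to print the commands for review instead of running them.

```shell
#!/bin/sh
# Added example (not Fortanix's or Azure's own script): Azure CLI equivalent of
# Section 4.1 steps 2, 3, 5, 7, 8 and 9. Names, location and object IDs are placeholders.
set -eu

: "${RG:=dsm-mhsm-rg}"                   # resource group, step 2
: "${LOCATION:=eastus}"
: "${APP_NAME:=fortanix-dsm-mhsm}"        # app registration, step 3
: "${HSM:=dsm-mhsm-01}"                   # Managed HSM name, step 7 (must be globally unique)
: "${ADMIN_OID:=00000000-0000-0000-0000-000000000000}"  # object ID of the initial HSM administrator (placeholder)
: "${DRY_RUN:=}"                          # set to 1 to print commands instead of executing them

# Execute a command, or print it when DRY_RUN is set.
run() { if [ -n "$DRY_RUN" ]; then printf '+ %s\n' "$*"; else "$@"; fi; }
# Same for command lines arriving on stdin.
exec_lines() { if [ -n "$DRY_RUN" ]; then sed 's/^/+ /'; else sh -e; fi; }

# Step 8: Managed HSM Contributor (Azure RBAC) scoped to the resource group.
# $1 subscription ID, $2 resource group, $3 service principal object ID
rg_contributor_cmd() {
  printf 'az role assignment create --role "Managed HSM Contributor" --assignee %s --scope /subscriptions/%s/resourceGroups/%s\n' "$3" "$1" "$2"
}

# Step 9: the three local RBAC roles from the guide, assigned at the HSM root scope "/".
# $1 HSM name, $2 service principal object ID; prints one az command per role.
mhsm_local_rbac_cmds() {
  for role in "Managed HSM Administrator" "Managed HSM Crypto Officer" \
              "Managed HSM Crypto Service Encryption User"; do
    printf 'az keyvault role assignment create --hsm-name %s --role "%s" --assignee %s --scope /\n' "$1" "$role" "$2"
  done
}

main() {
  run az group create --name "$RG" --location "$LOCATION"
  if [ -n "$DRY_RUN" ]; then
    APP_ID='<app-id>'; SP_OID='<sp-object-id>'; SUB='<subscription-id>'
  else
    APP_ID=$(az ad app create --display-name "$APP_NAME" --query appId -o tsv)
    SP_OID=$(az ad sp create --id "$APP_ID" --query id -o tsv)
    SUB=$(az account show --query id -o tsv)
  fi
  # Step 5: the secret value is shown once, like in the portal; store it in a secret
  # manager and paste it into the DSM "Client Secret" field. It is not logged here.
  run az ad app credential reset --id "$APP_ID" --append --query password -o tsv
  # Step 7: create the Managed HSM. It stays unusable until its security domain is
  # downloaded (activation), which needs three RSA certificates and a quorum.
  run az keyvault create --hsm-name "$HSM" --resource-group "$RG" --location "$LOCATION" \
      --administrators "$ADMIN_OID" --retention-days 28
  run az keyvault security-domain download --hsm-name "$HSM" \
      --sd-wrapping-keys sd-cert-0.cer sd-cert-1.cer sd-cert-2.cer --sd-quorum 2 \
      --security-domain-file "$HSM-SD.json"
  rg_contributor_cmd "$SUB" "$RG" "$SP_OID" | exec_lines
  mhsm_local_rbac_cmds "$HSM" "$SP_OID" | exec_lines
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it as `DRY_RUN=1 sh provision.sh --apply` first and review the printed commands; the local RBAC roles are deliberately assigned at scope `/` of the HSM only, which is the narrowest scope the three roles in step 9 need.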

4.2 Prerequisites

Before you configure the Azure Managed HSM group in Fortanix DSM, the Azure app that Fortanix Cloud Data Control (CDC) uses to authenticate the Fortanix DSM group with Azure Key Management Services must have the following:

  • API permissions for the app to access the Key Vault. Refer to Figures 7 and 8 above for more details.

  • Membership in the Managed HSM Crypto Service Encryption User, Managed HSM Crypto Officer, and Managed HSM Administrator roles in Azure Local RBAC. Refer to Figure 10 above for more details.

  • The Key Vault Contributor role assigned to the app registration:

    1. In the Azure portal, open your Key Vault.

    2. Navigate to Access Control (IAM), click Add, and then select Add role assignment.

    3. In the Add role assignment window, select the Key Vault Contributor role.

    4. Click the Next button.

    5. Under Members, select the previously created app registration to complete the operation.

    Figure 12: Add Role Assignment

4.3 Configure the Azure Managed HSM

Perform the following steps to create an Azure Managed HSM group:

  1. Navigate to the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to create a new Azure Managed HSM group.

  2. In the Add new group form, do the following:

    1. Enter a name and description for your group.

    2. Click the LINK HSM/EXTERNAL KMS button to select the Azure Managed HSM type, so that Fortanix DSM can connect to it.

    3. Select the Azure Managed HSM option from the drop-down.

    4. In the Choose Service field, select the Azure service that you want to authenticate against to establish the Managed HSM connection.

      You can choose from the following Azure services:

      • global Azure

      • Azure for US Government

      Select the “global Azure” option to authenticate and upload the key material to any non-US government Azure service or select the “Azure for US Government” option to authenticate and upload key material to the specific Azure service set aside for the US government.

      NOTE

      To use Azure US Government, you need to be a US citizen associated with the US Federal Government or a US government contractor. Refer to the Cloud Provider’s documentation about access to these environments.

    5. Use the credentials created in Section 4.1: Azure Application Configuration to set up an Azure-backed Fortanix DSM group. Azure subscriptions have a trust relationship with Azure AD.

      In the Authentication section, enter the Azure Managed HSM account credentials:

      • Tenant ID: Each subscription has a Directory ID/Tenant ID. Enter the Tenant ID.

      • Client ID: Enter the Application ID/Client ID of the app registration you created. This value can be found on the app registration’s Overview screen.

      • Subscription ID: The Subscription ID identifies the Azure subscription that contains the Managed HSM. You can get the subscription ID by navigating to Subscriptions in the Azure portal. Refer to Azure Subscriptions and Roles for more details.

      You can authenticate with Azure Managed HSM using either of the following options:

      • Client Secret: A secret string that a registered application in Azure uses to prove its identity when requesting a token at a web-addressable location (using an HTTPS scheme). The Client Secret is also referred to as an application password. Enter the “Value” of the Client Secret from the “Client secrets” section in Azure.

      • Token authentication certificate configuration: Click the + ADD AUTHENTICATION CERTIFICATE button to upload a client certificate and private key (Fortanix DSM Certificate and Key). This allows Fortanix DSM to authenticate itself to the Azure Managed HSM and vice versa. Ensure that the certificate file is in .cer, .pem, or .crt format.

        NOTE

        Refer to Figures 3 and 5 in Section 4.1: Azure Application Configuration to get the Tenant ID, Client ID, and Client Secret.

    6. Click the SAVE button.

  3. Add a TLS configuration (optional). For more details, refer to Section 4.4: Add TLS Configuration (Optional).

  4. Click TEST CONNECTION to test your Azure Managed HSM connection. If Fortanix DSM connects to Azure using your connection details, it shows the status as “Connected” with a green tick and fetches the Managed HSMs associated with the Subscription ID. Otherwise, it shows the status as “Not Connected” with a yellow warning sign.
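
What TEST CONNECTION exercises first is the Azure AD client-credentials flow with the Tenant ID, Client ID and Client Secret (or certificate) entered above. The following added example is not part of the Fortanix guide and does not show DSM's internal implementation; it is an offline pre-check of the form values (GUID shape, a secret or a certificate in .cer/.pem/.crt format, a valid Choose Service selection) followed by the equivalent token request as a `curl` command. The authority hostnames (`login.microsoftonline.com`, `login.microsoftonline.us`) and the Managed HSM scopes are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example, not from the Fortanix guide: pre-check of the Section 4.3 connection
# values and the OAuth2 client-credentials request they translate to.
set -eu

# Tenant, Client and Subscription IDs are GUIDs; anything else is a copy/paste error.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Token authority for the "Choose Service" selection (assumption: standard AAD authorities).
authority_for() {
  case "$1" in
    "global Azure")            echo "https://login.microsoftonline.com" ;;
    "Azure for US Government") echo "https://login.microsoftonline.us" ;;
    *) echo "unknown service: $1" >&2; return 1 ;;
  esac
}

# Managed HSM data-plane scope per cloud (assumption; the ARM call that lists HSMs for the
# Subscription ID would use the management endpoint's scope instead).
scope_for() {
  case "$1" in
    "global Azure")            echo "https://managedhsm.azure.net/.default" ;;
    "Azure for US Government") echo "https://managedhsm.usgovcloudapi.net/.default" ;;
    *) return 1 ;;
  esac
}

# Returns 0 when the group form is complete, 1 otherwise; every finding goes to stderr.
# $1 service, $2 tenant ID, $3 client ID, $4 subscription ID,
# $5 client secret ('' if none), $6 certificate file path ('' if none)
preflight() {
  service=$1 tenant=$2 client=$3 sub=$4 secret=$5 cert=$6
  ok=0
  is_guid "$tenant" || { echo "Tenant ID is not a GUID" >&2; ok=1; }
  is_guid "$client" || { echo "Client ID is not a GUID" >&2; ok=1; }
  is_guid "$sub"    || { echo "Subscription ID is not a GUID" >&2; ok=1; }
  authority_for "$service" >/dev/null || ok=1
  if [ -z "$secret" ] && [ -z "$cert" ]; then
    echo "enter a Client Secret or add an authentication certificate" >&2; ok=1
  fi
  if [ -n "$cert" ]; then
    case "$cert" in
      *.cer|*.pem|*.crt) ;;
      *) echo "certificate file must be .cer, .pem or .crt" >&2; ok=1 ;;
    esac
  fi
  return "$ok"
}

# Prints the client-credentials token request as a curl command. The secret is read
# from a file via --data-urlencode so it never appears on the command line or in
# process listings; create that file with umask 077 before running the command.
# $1 service, $2 tenant ID, $3 client ID, $4 path of the file holding the client secret
token_request_cmd() {
  printf 'curl -sS -X POST %s/%s/oauth2/v2.0/token --data-urlencode client_id=%s --data-urlencode scope=%s --data-urlencode grant_type=client_credentials --data-urlencode client_secret@%s\n' \
    "$(authority_for "$1")" "$2" "$3" "$(scope_for "$1")" "$4"
}
```

A successful response carries an `access_token` that is then presented as a Bearer token to the Managed HSM; an `invalid_client` error at this stage means the Tenant ID, Client ID or secret is wrong, and is the usual cause of the “Not Connected” status described in Section 4.6.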

4.4 Add TLS Configuration (Optional)

NOTE

If you use a configuration such as a proxy for the Azure Managed HSM connection, use this section to add certificates so that Fortanix DSM allows the use of a custom certificate.

In the TLS configuration section, click + ADD AUTHENTICATION CERTIFICATE to add a certificate for authenticating the Azure Managed HSM. Fortanix’s external Managed HSM solution requires that the customer applications use one of the Fortanix DSM interfaces (REST, PKCS#11, KMIP, JCE, or CNG) to interact with Fortanix DSM for key management and cryptographic operations. These applications should be configured to authenticate to Fortanix DSM using a Certificate or Trusted Certificate Authority (CA) instead of directly communicating with Azure Managed HSM.

  1. Validate Host - Select the Validate Host check box to verify that the certificate presented by the Azure Managed HSM has a subjectAltName or Common Name (CN) matching the hostname the server certificate came from.

  2. You can select one of the following options:

    1. Global Root CAs - This option is for a self-signed certificate from an internal CA. By default, every Azure Managed HSM group is configured with a Global Root CA Certificate.

    2. CLIENT CERTIFICATE and PRIVATE KEY: Upload a client certificate and a private key (Fortanix DSM Certificate and Key). This allows Fortanix DSM to authenticate itself to the Azure Managed HSM and vice versa.

    3. Custom CA Certificate: This option is used when you as an enterprise want to self-sign the certificate using your own internal CA.

    4. CA CERTIFICATE: You can either upload the certificate file or copy the contents of the certificate in the textbox provided. You can override the default Global CA cert with a Custom CA Certificate for an Azure Managed HSM group.

    5. CLIENT CERTIFICATE and PRIVATE KEY: A Custom CA Certificate has a Client Certificate section where you can configure a client certificate and a private key (Fortanix DSM Certificate and Key). This allows Fortanix DSM to authenticate itself to the Azure Managed HSM and vice versa.

  3. Click the SAVE button.

4.5 Select Azure Managed HSM Instance

Azure Managed HSM provides two types of resources to store and manage cryptographic keys: Vaults and Managed HSMs. Vaults support software-protected and HSM-protected keys. Azure Managed HSMs only support HSM-protected keys.

For more details about the types of resources that Azure Managed HSM provides, refer to Azure documentation.

  1. When the Azure Managed HSM is connected successfully, it will enable the Managed HSM Instance section.

  2. From the list of Managed HSMs for the Subscription ID entered, select an HSM instance.

  3. Click the SAVE button to save the group.

4.6 Not Connected Scenario

When you click TEST CONNECTION, Fortanix DSM may be unable to connect to the Azure Managed HSM. If that happens, it displays a “Not Connected” status with a warning symbol.

4.7 HSM/KMS Tab

The group details now include an HSM/KMS tab displaying information about your KMS.

The HSM/KMS tab displays the details of the Azure Service Type, including the connection details of the Tenant ID, Client ID, Client Secret, Subscription ID, and Managed HSM Instance. You can edit these connection details here.

NOTE

You can only edit the Tenant ID, Client ID, and Client Secret to update the Azure Managed HSM connection details. The Azure Managed HSM Instance is non-editable.

After editing and saving, click the TEST CONNECTION button to check the connection.

Click the SYNC KEYS button to sync keys from the configured Azure Managed HSM to the Azure-backed Managed HSM Fortanix DSM group.

4.8 Groups Table View

After saving the group details, the list of all groups shows a special symbol next to the newly created group. This symbol differentiates it from the other groups, as it shows that it is an external Managed HSM group.

4.9 User’s View

Navigate to the Users menu item in the DSM left navigation bar and click the user that says “You” on the Users page to view the user’s detailed view.

The detailed view shows all the groups the user belongs to and indicates which groups are mapped to Azure KMS, displaying their status as "connected" or "not connected."

5.0 Azure Managed HSM Group BYOK and Cloud Native Key Management

For details on how to perform native key lifecycle management in Azure Managed HSM using Fortanix DSM, refer to the Fortanix DSM - Azure Managed HSM Cloud Native Key Management.

For details on how to perform BYOK key lifecycle management in Azure Managed HSM using Fortanix DSM, refer to the Fortanix DSM - Azure Managed HSM Bring Your Own Key.