1.0 Introduction
Welcome to the Fortanix Data Security Manager (DSM) Google Cloud Platform (GCP) Bring Your Own Key (BYOK) User Guide. This article describes how to perform BYOK lifecycle management in GCP KMS using Fortanix DSM.
The Fortanix solution for GCP Key Management Service (KMS) offers complete Bring Your Own Key (BYOK), as explained in this article, as well as Cloud Native Key Management Service (CNKMS) with complete lifecycle management for automation.
2.0 Getting Started with Fortanix Cloud Data Control
To understand which solution between CNKMS, BYOK, BYOKMS (AWS XKS), or Bring Your Own Encryption (BYOE) is right for you, refer to the Fortanix DSM - Cloud Data Control - Getting Started.
For BYOKMS using AWS External Key Store (XKS), refer to the Fortanix DSM with AWS External Key Store.
3.0 GCP Key Ring Group Setup and Cloud Native Key Management
For details on how to set up a GCP Key Ring group in Fortanix DSM, refer to the Fortanix DSM - GCP Key Ring Key Management Service Setup.
For details on how to perform native key lifecycle management in GCP Key Ring using Fortanix DSM, refer to the Fortanix DSM - GCP Key Ring Cloud Native Key Management.
4.0 Fortanix GCP BYOK Workflows Overview
Generate key: Navigate to a source key in Fortanix DSM and copy the key into a GCP CDC group to create a linked key and a BYOK key in GCP KMS.
Disable/Enable: Navigate to the detailed view of the key in the GCP CDC group and disable or enable it from Fortanix DSM.
5.0 Fortanix DSM GCP KMS Security Objects
After the GCP CDC group connects to GCP KMS using the provided connection details, the keys from GCP KMS are stored in the Fortanix DSM GCP CDC group as virtual keys. A virtual key is a reference that includes key information and attributes but does not contain the actual key material, which remains securely stored in the key ring of the location and project provided in the GCP KMS.
5.1 Bring Your Own Key - Copy Key to GCP KMS
Use this option when you want to generate a key in Fortanix DSM and then import the key into the configured GCP KMS. The Copy Key to GCP feature will copy a security object from one regular Fortanix DSM group to another regular/GCP KMS Fortanix DSM group.
This feature has the following advantages:
Maintains a single source of key material while using/importing that key into various Fortanix DSM groups where applications may need to use a single key to meet business objectives.
Maintains a link of various copies of the same key material to the source key for audit and tracking purposes.
The following actions happen during the copy key operation:
A new key will be created in the target group: The new key will have the same key material as the original.
The source key links to the copied keys: There will be a link maintained from all copied keys to the source key.
The source key will also have basic metadata about the linked keys, such as:
Copied by <user-name/app id>
Date of Copy <time stamp>
Target copy group name
NOTE
The name of the copied key is suggested automatically as [original key name]_[copy1,2,...], but you can replace it with an alternative unique name, if required.
Perform the following steps to copy a key from a regular Fortanix DSM group to a GCP KMS group:
Generate an AES key in Fortanix DSM, if the key is not already present. To create the key, refer to the Generate Security Objects.
Go to the detailed view of the key and click the COPY KEY button available on the top right of the screen.
NOTE
To copy a key from a regular Fortanix DSM group to a GCP KMS group, the key must be AES 256. In Fortanix DSM, GCP KMS supports only AES 256 keys during copy or import operations.
The AES 256 key to be copied must have the “Export” permission enabled or the copy key operation will fail.
The COPY KEY button will be disabled for all the GCP KMS virtual keys.
In the COPY KEY window, do the following:
Hover on the name of the key and use the edit icon to update the name of the key, if required.
Click the Import key to HSM/External KMS check box to filter the groups to show only GCP KMS groups. Select the GCP KMS group for the new key into which the copied key should be imported.
Enter the GCP key name.
Update KEY PERMISSIONS if you want to modify the permissions of the key.
Click the CREATE COPY button to create a copy of the key.
The source key will now appear as a key link in the KEY LINKS tab in the detailed view of the copied key.
NOTE
If you want to maintain a copy of the key material in Fortanix DSM, then you can import a regular AES 256 key into Fortanix DSM using the “import key” workflow and then copy this key into GCP KMS using the “copy key” workflow.
The audit logs for a copied key in the GCP-backed group will display detailed entries, including the wrapping key type, key size, and wrapping mechanism, provided that audit logging is enabled for the source key.
5.2 Bring Your Own Key - Import Key
This action imports the configured key type into the key ring in one of the GCP KMS regions and represents it as a virtual key in the GCP KMS group. The virtual key points to the actual key in GCP KMS, where the key material is stored; it holds only key information and attributes, not the key material. The import action does not store a copy of the key material in Fortanix DSM.
Perform the following steps to import a key in Fortanix DSM:
Navigate to the Security Objects menu item in the DSM left navigation bar and click the + button on the Security Objects page to create a new key.
In the Add New Security Object form, do the following:
Enter a name for the Security Object (Key).
Select the This is an HSM/external KMS object check box to filter the groups to show only GCP KMS groups in the Select group list.
In the GCP group list, select the GCP CDC group into which the keys will be imported. The keys will be imported into the region that was selected in the GCP group.
Select the IMPORT radio button to initiate the import key in the GCP KMS workflow.
Enter the GCP key name. This name will be stored in the GCP Key Ring and used to correlate different versions of the key. All versions will share the same GCP key name.
In the Choose a type section, select the key type for the new GCP KMS key.
NOTE
For Fortanix DSM, the allowed key type for a GCP KMS key generated using the import Key button in Fortanix DSM is AES 256.
The key types can further be restricted by setting a Cryptographic policy for the account or group. For more details about the Cryptographic policy, refer to User's Guide: Crypto Policy.
The key types can also be restricted by setting a key metadata policy for the group. For more details about the Key metadata policy, refer to User's Guide: Key Metadata Policy.
Sometimes AES keys to be imported from a file have previously been wrapped (encrypted) by a Fortanix DSM key so that they do not travel over TLS in plain text. In these cases, select the “The key has been encrypted” check box.
Enter or select a Key ID or security object name in the Select Key Encryption Key section. This key is used to unwrap (decrypt) the encrypted key in the file, which will then be securely stored in Fortanix DSM. The key encryption key must already have been created in or imported into Fortanix DSM.
Select the mode of operation.
Enter the Key Check Value (KCV).
In the Place value here or import from file section, select the value format type as Hex, Base64, or Raw and click the UPLOAD A FILE button to upload the key file.
Select the permitted key operations.
Add custom attributes by clicking the ADD ATTRIBUTE button.
NOTE
The custom attributes also depend on the Key metadata policy for the group. If the GCP KMS group has a key metadata policy configured with restrictions for custom attributes, then these rules will be applied while creating the security object.
To store audit logs for the object in the group, enable the toggle for Keep detailed log for the object. The initial state of the toggle is based on the parent Crypto policy if any.
Click the IMPORT button to import the key.
The key is successfully imported.
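As an added example, not part of this guide or of Fortanix DSM's own tooling, the following Go program pre-checks a key file the way the import form above expects: it decodes a Hex or Base64 value, enforces the AES 256 requirement, and computes the Key Check Value so the KCV entered in the form can be verified before upload. The KCV definition is assumed to be the common AES one (first three bytes of encrypting one all-zero block); the sample key is constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// DecodeKeyFile turns key-file contents into raw key bytes, following the value format chosen in the import form (Hex or Base64).
func DecodeKeyFile(content []byte, format string) ([]byte, error) {
	switch strings.ToLower(format) {
	case "hex":
		return hex.DecodeString(strings.TrimSpace(string(content)))
	case "base64":
		return base64.StdEncoding.DecodeString(strings.TrimSpace(string(content)))
	}
	return nil, fmt.Errorf("unknown value format %q", format)
}

// KCV returns the assumed Key Check Value of an AES key: the first 3 bytes of the encryption of one all-zero block, as 6 upper-case hex digits.
func KCV(key []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	var zero, out [aes.BlockSize]byte
	block.Encrypt(out[:], zero[:])
	return strings.ToUpper(hex.EncodeToString(out[:3])), nil
}

// CheckImportKey runs the checks the import form relies on: the key must be AES 256 (32 bytes) and its KCV must match the value entered.
func CheckImportKey(content []byte, format, expectedKCV string) error {
	key, err := DecodeKeyFile(content, format)
	if err != nil {
		return err
	}
	if len(key) != 32 {
		return fmt.Errorf("key is %d bits; GCP KMS import via Fortanix DSM requires AES 256", len(key)*8)
	}
	kcv, _ := KCV(key) // cannot fail: a 32-byte key is a valid AES-256 key
	if !strings.EqualFold(kcv, expectedKCV) {
		return fmt.Errorf("KCV mismatch: key file gives %s, form has %s", kcv, expectedKCV)
	}
	return nil
}
func main() {
	fmt.Println("import check:", CheckImportKey([]byte(strings.Repeat("00", 32)), "Hex", "DC95C0")) // constructed all-zero sample key, not a real key
}
```

A nil result means the file, the key size and the KCV agree; any error names the check that failed so it can be fixed before the key leaves the workstation.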
5.3 Sync Keys
Perform the following steps to sync keys from GCP KMS into Fortanix DSM:
Go to the GCP group detailed view.
Click the HSM/KMS tab.
Click the SYNC KEYS button to import the new virtual keys.
Fortanix DSM will then connect to GCP, fetch all available keys, and store them as virtual keys.
NOTE
When keys are synced with GCP KMS, the metadata of the existing keys for the configured service account and region are downloaded and represented as virtual keys in Fortanix DSM. The actual key material for those keys is always stored in GCP KMS.
Clicking SYNC KEYS only returns the keys from GCP KMS that are not present in Fortanix DSM. That is, every click will append only new keys to Fortanix DSM.
The time taken to sync keys from GCP KMS to Fortanix DSM depends on the number of keys in GCP KMS and the network latency between the GCP location and Fortanix DSM. It can take several minutes if there are hundreds of keys and significant network latency.
5.4 Attributes/Tags Tab
This tab contains all the attributes and tags of the GCP key. A tag serves as an optional metadata label for a GCP resource. You can add new attributes using the ADD CUSTOM ATTRIBUTE button. These custom attributes are user-defined security object attributes that augment the security object's metadata.
5.5 GCP Key Details
This tab displays details of the GCP key name and GCP protection level. For more details about GCP protection level, refer to the Google documentation.
5.6 Security Objects Table View
After you add new GCP keys, navigate to the Security Objects menu item in the DSM left navigation bar to view all the security objects from all the groups (GCP and non-GCP).
In the table, you will notice that every key belongs to a group, and that the virtual keys added from GCP belong to a group marked with a special symbol. The table shows all keys, whether they belong to a GCP CDC group or not.
6.0 Rotate a Key in GCP CDC Group
The following section explains the key rotation in the GCP CDC group. A key is rotated when you want to retire an encryption key and replace that old key by generating a new cryptographic key.
NOTE
When performing key rotation in GCP KMS, including normal rotation, linked key rotation, or rotate to DSM key, specifying the Key ring name is no longer required. The rotated key automatically inherits the following details from the previous key version:
Key Ring Name
GCP Key Name
GCP Protection Level
6.1 Rotating Keys in Fortanix DSM Source Group
When a key is rotated that belongs to a Fortanix DSM source group and has linked keys that are copies of the Fortanix DSM source key with the same key material as the source key, then you are given the option to select the linked keys for the key rotation. If these linked keys are part of a GCP CDC group, rotating the linked keys also rotates the keys in GCP KMS by making nested copies of the keys in the configured GCP KMS.
Perform the following steps to rotate a key in Google Cloud Platform:
Navigate to the Security Objects menu item in the DSM left navigation bar to go to the detailed view of a Fortanix DSM Source Key and click the ROTATE KEY button.
In the KEY ROTATION window, select the Rotate linked keys check box.
Select the GCP virtual keys to rotate with the Fortanix DSM source key and click the ROTATE KEY button.
TIP
When performing the key rotation operation, ensure that the selected key size is supported by GCP KMS.
On the Rotate key window, select both the check boxes to confirm your understanding about the action. Click the PROCEED button.
After the keys are rotated, click the OK button.
You can schedule a key rotation policy for the Fortanix DSM source key to automatically and periodically rotate linked GCP KMS keys that are copies of the source key.
Perform the following steps to schedule a key rotation policy for the source key:
Navigate to the Security Objects menu item in the DSM left navigation bar to go to the detailed view of a Fortanix DSM source key.
In the detailed view, click the KEY ROTATION tab and click the ADD POLICY button.
Enter the key rotation schedule by specifying the rotation frequency, start date, and time.
Click the SAVE POLICY button to save the policy.
For more information on the key rotation policy, refer to the User's Guide: Fortanix Data Security Manager Key Lifecycle Management.
6.2 Rotating GCP Native Key to Fortanix DSM Owned Keys
When a GCP virtual key whose key material is owned by GCP KMS is rotated, you are given an option to rotate the virtual key with a Fortanix DSM-backed key. When you select this option and perform the rotation, a new virtual key is created, with the corresponding key in GCP KMS, which has the key material of the Fortanix DSM-backed key. As a result, the GCP virtual key is backed by a Fortanix DSM source key.
Perform the following steps to rotate a virtual key with a Fortanix DSM-backed key:
Navigate to the Security Objects menu item in the DSM left navigation bar to go to the detailed view of a GCP virtual key and click the ROTATE KEY button.
In the Key Rotation window, the Generate new key radio button is selected by default.
Select the Rotate to DSM key check box.
Select the Fortanix DSM group that contains the source key and then select the required source key from the respective drop-down menus.
Click the ROTATE KEY button.
On the next screen, select both the check boxes to confirm your understanding about the action. Click the PROCEED button.
The virtual key has been rotated and is now backed by the source key. To confirm, go to the detailed view of the newly rotated GCP virtual key and click the GCP KEY DETAILS tab. You will notice that the SOURCE field now shows FortanixHSM instead of External.