1.0 Introduction
This article describes the Fortanix DSM group “key encryption key” (KEK) feature. This feature allows users to establish a group-level root of trust and ensures that all keys generated inside a group always stay encrypted by a symmetric master key (KEK) that the user configured at the group level. If the group KEK is rotated, new keys in the group will be encrypted with the new version of the KEK, while older keys in the group stay encrypted with the older KEK. If the group KEK is disabled/deleted/destroyed/revoked, all the keys in the group will be rendered unusable. The user also cannot generate new keys in the group.
2.0 Creating a KEK and Configuring a Group with KEK
2.1 Creating a Group with KEK
To create a group with KEK, follow the steps below:
In the Fortanix DSM UI, click the Groups tab, and then click the icon to create a new group.
Enter a name for the group. For example, KEKGroupA.
Enter a description to help you identify that this is a group with KEK. (Optional)
Click CREATE GROUP to create the group.
Click the Security Objects tab, and then click the icon to create a new key.
Enter a name for the key. For example, KEK-A.
Ensure that the KEK group that you have created is selected under the Select group for the object section.
To configure the key, you can do one of the following:
Select IMPORT to start the key import workflow:
  Select AES as the key type.
  Select Raw as the value format.
  Click UPLOAD A FILE and select the key file that you want to import.
  Disable the Audit log option for the key.
  Click IMPORT to import the key.
Select GENERATE to start the key generation workflow:
  Select AES as the key type.
  For Key size, leave it as the default 256 bits.
  Disable the Audit log option for the key.
  Click GENERATE to create the key.
NOTE
It is mandatory to disable the Audit log option while creating the group KEK key (AES key). Otherwise, the KEK key will not appear for selection in the Configure a KEK from an existing group wizard.
Disabling the Audit log for the group KEK key also prevents a large volume of logs from being generated, since a KEK can wrap a large number of keys.
2.2 Configuring a Group with KEK
To configure a group with an existing KEK, follow the steps below:
In the Fortanix DSM UI, click the Groups tab, and then click the icon to create a new group.
Enter a name for the group. For example, NormalGroup.
Enter a description to help you identify that this is a group with KEK. (Optional)
In the Configure a KEK from an existing group section, click CONFIGURE A KEK.
Select the group that contains the KEK you want to use for this group.
From the KEK list that appears for that group, select a KEK.
Click SAVE to create the group.
NOTE
If the group that is configured with a KEK has some existing keys already, these keys will not be encrypted with the configured KEK. Only new keys that are created after configuring the group with KEK will be encrypted with the KEK.
Go to the group detailed view to check the following:
The key ID and key name of the KEK associated with the group.
If the KEK has been rotated, then this page will also show the key IDs and names of the older keys.
If the KEK is disabled, this page will display the message: “This Group’s KEK is disabled. All the key operations in this Group are no longer available.”
3.0 User Key Operations on a KEK
3.1 Setting the Key Rotation Policy for a KEK
To set the key rotation policy for a KEK:
Click the Groups tab, and then click the group name from the table to go to the group detailed view page.
Click the KEY ROTATION tab.
In the Key rotation policy section, click ADD POLICY.
Enter the policy details. For example: Rotate all keys in this group every 7 days starting 10/15/2022 12:00 pm.
If you select the Deactivate original key after rotation check box, all the existing keys encrypted/wrapped by this KEK will be rendered unusable upon rotation.
Click SAVE POLICY to save the policy.
3.2 Rotating a KEK
To rotate a KEK:
Click the Security Objects tab, and then click the KEK name to go to the KEK detailed view page.
Click ROTATE KEY, and on the “Key Rotation” modal window click ROTATE KEY again.
NOTE
This page has a check box that states Deactivate the key after rotation. If you select this check box, all the existing keys encrypted/wrapped by this key will be rendered unusable upon rotation.
3.3 Replacing the KEK of a Group
To replace a group’s KEK:
Click the Groups tab, and then click the group name that is configured with a KEK to go to the group detailed view page.
Under the group name, click EDIT next to the label “This group is encrypted by Key Encryption Key”.
On the “Edit KEK” modal window, select the option Replace with another KEK.
Select the group that contains the KEK you want to use.
From the list of KEKs in this group, select the KEK you want to use.
Click SAVE to set the new key as the KEK for the group.
NOTE
The old KEK can still be used to encrypt and decrypt the existing keys in the group while the new KEK will be used to encrypt and decrypt the new keys in the group.
If a KEK key is compromised, you can do one of the following:
Rotate the KEK and disable/deactivate the older version of the KEK. With this method, the existing keys configured with the older KEK will all be rendered unusable. This is the preferred method.
Delete the KEK from this group and generate a new KEK. To do this, all keys that were encrypted with this key have to be deleted first, thereby breaking the association between the KEK and groups.
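The rotation, deactivation and disable behaviour described in this article, as a small Python model for reasoning about which keys are affected by each action (an added example, not Fortanix code and not the DSM API). The class KekGroup, its methods and the key names are hypothetical; treating a disabled KEK as blocking every key in the group follows the UI message quoted in Section 2.2.

```python
from dataclasses import dataclass, field

@dataclass
class KekGroup:
    """Toy model of one group's KEK state; not Fortanix code or its API."""
    kek_active: list = field(default_factory=list)  # kek_active[v]: is KEK version v active?
    kek_enabled: bool = True                        # Enable/Disable toggle on the KEK
    wrapped_by: dict = field(default_factory=dict)  # key name -> KEK version (None = not wrapped)

    def configure_kek(self):
        self.kek_active.append(True)

    def rotate_kek(self, deactivate_original=False):
        # Older keys are NOT re-wrapped; they stay under the version that wrapped them.
        if deactivate_original:
            self.kek_active[-1] = False
        self.kek_active.append(True)

    def create_key(self, name):
        if not self.kek_active:               # group has no KEK yet
            self.wrapped_by[name] = None
        elif not self.kek_enabled:
            raise PermissionError("group KEK disabled: cannot create keys")
        else:
            self.wrapped_by[name] = len(self.kek_active) - 1

    def usable(self, name):
        if self.kek_active and not self.kek_enabled:
            return False                      # "All the key operations ... no longer available"
        version = self.wrapped_by[name]
        return version is None or self.kek_active[version]

    def unusable_keys(self):
        return sorted(n for n in self.wrapped_by if not self.usable(n))

    def wrapped_under(self, version):
        # Keys to review if this KEK version is suspected compromised.
        return sorted(n for n, v in self.wrapped_by.items() if v == version)

def demo():
    g = KekGroup()
    g.create_key("legacy-key")                # created before the KEK was configured
    g.configure_kek()
    g.create_key("app-key-1")                 # wrapped by KEK version 0
    g.rotate_kek()                            # plain rotation
    g.create_key("app-key-2")                 # wrapped by KEK version 1
    after_plain = (g.unusable_keys(), g.wrapped_under(0))
    g.rotate_kek(deactivate_original=True)    # version 1 deactivated
    after_deactivate = g.unusable_keys()
    g.kek_enabled = False                     # KEK disabled
    return after_plain, after_deactivate, g.unusable_keys()
```

After a plain rotation nothing becomes unusable, but app-key-1 is still wrapped by the old version, which is why the preferred compromise response above also disables or deactivates the older KEK version.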
3.4 Removing the KEK from a Group
To remove the KEK from a group:
Click the group name containing the KEK to go to the group detailed view page.
Under the group name, click EDIT next to the label “This group is encrypted by Key Encryption Key”.
Select Remove KEK associated with the group.
Click SAVE to remove the KEK from the group.
3.5 Deactivating, Disabling/Enabling, Deleting, or Destroying a KEK
To deactivate, disable/enable, delete, or destroy the KEK from a group:
Click the Security Objects tab, and then click the KEK name to go to the KEK detailed view page.
Click the Enable/Disable toggle bar to enable or disable the KEK.
To deactivate the KEK:
In the Expires section, click DEACTIVATE NOW.
In the modal window, select the check box next to “I understand that deactivation is irreversible, and the object cannot be activated back.”
Click DEACTIVATE to deactivate the KEK.
To delete or destroy a key, click DELETE KEY or DESTROY KEY respectively at the bottom of the KEK detailed view page.
NOTE
Fortanix DSM does not allow users to destroy a key that is also associated with other groups.
4.0 Quorum Approval Scenarios
4.1 Assumptions
For the purpose of this section, we are using the following naming conventions:
KEKGroupA - This is a group that contains an AES 256 key and has a Quorum approval policy configured.
KEKGroupB - This is another group that contains an AES 256 key and has a Quorum approval policy configured.
KEK-A – This is an AES 256 key that is added to the KEKGroupA group.
KEK-B – This is an AES 256 key that is added to the KEKGroupB group.
NormalGroupA – This is a normal group that will be configured with a KEK key and also has a Quorum approval policy configured.
4.2 Creating a Group with KEK
Suppose a group “KEKGroupA” has a key “KEK-A” in it. If another group “NormalGroup” is configured with “KEK-A” as its KEK key, then this action triggers a Quorum approval request to the approvers of the groups “KEKGroupA” and “NormalGroup”.
4.3 Removing KEK from a Group
Suppose a group “KEKGroupA” has a key “KEK-A” in it, and another group “NormalGroup” is configured with “KEK-A” as its KEK key (which generates a Quorum approval request to the approvers of both groups). Now, if “KEK-A” is removed as the KEK of “NormalGroup”, then:
A Quorum approval request is generated to the approvers of “KEKGroupA” because “KEK-A” is being removed.
A Quorum approval request is generated to the approvers of “NormalGroup” because the “NormalGroup” is being updated.
4.4 Replacing KEK of a Group
Suppose a group “KEKGroupA” has a key “KEK-A” in it, and another group “KEKGroupB” has a key “KEK-B” in it. A third group “NormalGroup” is configured with “KEK-A” as its KEK key (which generates a Quorum approval request to the approvers of the “KEKGroupA” and “NormalGroup” groups). Now, if the KEK key “KEK-A” of the “NormalGroup” is replaced with the KEK key “KEK-B”, then:
A Quorum approval request is generated to the approvers of “KEKGroupA” because “KEK-A” is being removed.
A Quorum approval request is generated to the approvers of “KEKGroupB” because “KEK-B” is being added as a KEK.
A Quorum approval request is generated to the approvers of “NormalGroup” because the “NormalGroup” is being updated.