Using Fortanix Data Security Manager with BeyondTrust Password Safe

1.0 Introduction

This article describes the steps to integrate Fortanix Data Security Manager (DSM) with BeyondTrust Password Safe. The integration is based on PKCS#11.

Password Safe allows users and applications to check out passwords, or sessions that use those passwords. Password Safe is also responsible for rotating the passwords of the privileged accounts it manages. For check-out operations, the passwords stored in Password Safe must be decrypted; when Password Safe rotates or changes a password, the new value must be encrypted. While Password Safe can use self-generated keys to encrypt and decrypt passwords, there are benefits to externalizing all encryption and decryption operations to Fortanix Data Security Manager.

Customers gain the ability to monitor key usage and to invalidate the key, even when they cannot access Password Safe itself. Externalizing Password Safe keys to Fortanix DSM gives customers more security controls and flexibility, opening up use cases such as BYOK (Bring Your Own Key) and HYOK (Hold Your Own Key).

This quick, step-by-step guide shows how to set up a simple integration in which Password Safe sends its encryption and decryption operations to an external Fortanix DSM. More advanced configuration options, including configuring the HSM Gateway so that third-party on-premises or cloud-based HSMs can be used, are documented at https://support.fortanix.com/

2.0 Product Tested Version

The following product versions were tested:

  • Fortanix DSM 4.14 and higher.

  • Password Safe (BeyondInsight) 21.3 and higher.

3.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

3.1 Signing Up

To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

3.2 Creating an Account

Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

Figure 1: Logging In

3.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. Click the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to add a new group.

    Figure 2: Add Groups

  2. On the Adding new group page, enter the following details:

    • Title: Enter a title for your group.

    • Description (optional): Enter a short description for the group.

  3. Click the SAVE button to create the new group.

The new group has been added to the Fortanix DSM successfully.

3.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation bar and click the + button on the Apps page to add a new app.

    Figure 3: Add Application

  2. On the Adding new app page, enter the following details:

    • App name: Enter the name of your application.

    • ADD DESCRIPTION (optional): Enter a short description for the application.

    • Authentication method: Select the default API Key as the authentication method from the drop-down menu. For more information on the available authentication methods, refer to the User's Guide: Authentication documentation.

    • Assigning the new app to groups: Select the group created in Section 3.3: Creating a Group from the list.

  3. Click the SAVE button to add the new application.

The new application has been added to the Fortanix DSM successfully.

3.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation bar and click the app created in Section 3.4: Creating an Application to go to the detailed view of the app.

  2. On the INFO tab, click the VIEW API KEY DETAILS button.

  3. In the API Key Details dialog box, copy the app's API Key; it is used later as the PKCS#11 PIN.

4.0 Configuring PKCS#11

Perform the following steps:

  1. Download the latest Fortanix PKCS#11 Windows 64-bit client onto your BeyondInsight server or appliance. Refer to the Fortanix PKCS#11 documentation for the download.

  2. After installing the MSI (Windows Installer) package on your BeyondInsight server or appliance, you should find the PKCS#11 driver and a README.txt file in the install folder.

    Figure 4: KMS client folder

  3. Configure the HSM credentials using the BeyondInsight Configuration tool. The PIN is the API key of the Fortanix DSM app that you copied in Section 3.5: Copying the API Key. Treat this API key as a privileged credential: whoever holds it can ask Fortanix DSM to decrypt every secret Password Safe protects with this key, so store it only in the BeyondInsight configuration and keep the app assigned only to the group that holds this key.

    Figure 5: Configure HSM credentials

  4. In Password Safe, test and then change the password of a Managed Account using the Change Password option. A success message should appear at the bottom for each test and change password action.

    Figure 6: Change password for managed account

  5. In Fortanix DSM, you should now find the new key created by Password Safe, with the key name you entered in Step 3.

    Figure 7: Key created

    NOTE

    • Managed Account passwords are encrypted by Fortanix DSM using the above encryption key, and when passwords are checked out, requests for decryption are submitted to Fortanix DSM.

    • When Managed Account passwords are rotated, requests for encryption of the password values stored in Password Safe are submitted to Fortanix DSM after the target apps and systems are updated.

  6. The activity logs of the security object in Fortanix DSM should confirm that the decryption (Test Password) and encryption (Change Password) operations were performed by the Password Safe app.

    Figure 8: Activity logs
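The steps above can be verified outside the BeyondInsight UI by talking to the same PKCS#11 module directly. The following Python script is an added example written for this guide; it is not Fortanix or BeyondTrust code. It assumes the python-pkcs11 package, a placeholder module path (use the library file installed in Step 2), that the app's API key is the PKCS#11 user PIN exactly as in Step 3, and that the key Password Safe created in Step 5 is an AES secret key whose label is the key name entered in Step 3. It logs in with the API key, locates that key, warns if the key is extractable or not marked sensitive (Password Safe only needs encrypt and decrypt, so the key value should never be able to leave DSM), and runs an encrypt/decrypt round trip inside DSM, which appears as one Encrypt and one Decrypt entry in the activity log from Step 6.

```python
"""Sanity-check the Fortanix DSM PKCS#11 integration that Password Safe uses.

Added example for this guide; not Fortanix or BeyondTrust code. Assumptions:
  - python-pkcs11 is installed (pip install python-pkcs11);
  - MODULE_PATH is the Fortanix PKCS#11 library from Step 2 (placeholder path);
  - the DSM app's API key (Section 3.5) is the PKCS#11 user PIN, as in Step 3;
  - the key Password Safe created in Step 5 is an AES secret key labelled
    KEY_LABEL (the key name entered in Step 3).
"""
import os
import secrets

try:
    import pkcs11
    from pkcs11 import Attribute, KeyType, Mechanism, ObjectClass
except ImportError:  # the pure helpers below still work; main() needs the binding
    pkcs11 = None

MODULE_PATH = os.environ.get("FORTANIX_PKCS11_MODULE", r"C:\path\to\fortanix_pkcs11.dll")  # assumed
KEY_LABEL = os.environ.get("PASSWORD_SAFE_KEY_LABEL", "PasswordSafeKey")  # assumed label
API_KEY = os.environ.get("FORTANIX_API_KEY", "")  # DSM app API key; never hard-code it


def open_session(module_path, api_key):
    """Load the module and log in to the first token, using the API key as the PIN."""
    lib = pkcs11.lib(module_path)
    token = lib.get_slots()[0].get_token()  # assumption: the DSM token sits in slot 0
    return token.open(rw=True, user_pin=api_key)


def find_secret_key(session, label):
    """Return the one AES key carrying the label; 0 or >1 matches is a misconfiguration."""
    matches = list(session.get_objects({
        Attribute.CLASS: ObjectClass.SECRET_KEY,
        Attribute.KEY_TYPE: KeyType.AES,
        Attribute.LABEL: label,
    }))
    if len(matches) != 1:
        raise LookupError(f"expected one AES key labelled {label!r}, found {len(matches)}")
    return matches[0]


def key_policy_findings(extractable, sensitive):
    """Flag attributes a Password Safe wrapping key should not have.

    Password Safe only needs encrypt/decrypt; the key value must never leave DSM.
    """
    findings = []
    if extractable:
        findings.append("key is EXTRACTABLE: it could be wrapped out of DSM; re-create it non-extractable")
    if not sensitive:
        findings.append("key is not SENSITIVE: its value may be readable through C_GetAttributeValue")
    return findings


def roundtrip(key, plaintext, mechanism, iv=None):
    """Encrypt then decrypt inside DSM and compare; only ciphertext and IV ever come back."""
    iv = iv or secrets.token_bytes(16)  # AES-CBC needs a fresh 16-byte IV per encryption
    ciphertext = key.encrypt(plaintext, mechanism=mechanism, mechanism_param=iv)
    recovered = key.decrypt(ciphertext, mechanism=mechanism, mechanism_param=iv)
    return {"ok": recovered == plaintext and ciphertext != plaintext,
            "ciphertext_len": len(ciphertext)}


def main():
    if pkcs11 is None:
        raise SystemExit("pip install python-pkcs11")
    if not API_KEY:
        raise SystemExit("set FORTANIX_API_KEY to the DSM app's API key")
    with open_session(MODULE_PATH, API_KEY) as session:
        key = find_secret_key(session, KEY_LABEL)
        for finding in key_policy_findings(key[Attribute.EXTRACTABLE], key[Attribute.SENSITIVE]):
            print("WARNING:", finding)
        # Constructed sample secret; Password Safe would send a real managed-account password.
        result = roundtrip(key, b"constructed-sample-password", Mechanism.AES_CBC_PAD)
        print("round trip ok:", result["ok"], "| ciphertext bytes:", result["ciphertext_len"])
        # The two calls above appear as Encrypt/Decrypt entries in the DSM activity log (Step 6).


if __name__ == "__main__":
    main()
```

Run it on the BeyondInsight server with FORTANIX_API_KEY set in the environment of that shell only; a round trip that succeeds from here but fails from Password Safe points at the HSM credentials entered in Step 3 rather than at DSM.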

5.0 Frequently Asked Questions (FAQs)

  1. How often does the BeyondTrust Password Safe server communicate with Fortanix DSM to use the encryption key?

    The BeyondTrust Password Safe server contacts Fortanix DSM in the following scenarios:

    • Every time Password Safe generates a new secret (password, SSH key, etc.). Fortanix DSM returns the encrypted value, which Password Safe stores in its database.

    • Every time Password Safe needs the decrypted value of a secret, for example, to support a credential or session (using credential) check-out.

    • Every time Password Safe validates a credential, that is, checks whether the value in its database matches the current value on the Managed System. This is an optional setting for Managed Accounts.

  2. Is the encryption key cached in BeyondTrust Password Safe?

    No. The encryption key is never cached in BeyondTrust Password Safe. Whenever the key is needed to encrypt or decrypt a secret, Password Safe must contact Fortanix DSM, which performs the operation with the key inside Fortanix DSM or inside an HSM managed through the HSM Gateway.

  3. Is each secret in BeyondTrust Password Safe encrypted with a unique key in Fortanix DSM?

    No. BeyondTrust Password Safe uses a single key in Fortanix DSM to encrypt all of its secrets.

  4. Does the Fortanix HSM store a master encryption key that encrypts the data and passwords?

    Yes, the key as shown in Figure 7 is the master key used for encryption and decryption of secrets.

  5. What happens when you perform a reverse migration where the integration between Password Safe and Fortanix DSM is disabled?

    If the integration is disabled:

    • Password Safe will be unable to decrypt the passwords encrypted by Fortanix DSM, so checking out those passwords or comparing them with current values is no longer possible.

    • Password Safe can still trigger rotation of the password values (both in Password Safe and in the target systems and applications) to new values that it encrypts with its own key. After rotation, Password Safe can decrypt those values again and normal operation resumes.
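Because the key is never cached (FAQ 2), disabling it in Fortanix DSM stops every check-out and every rotation on the next request, without any access to Password Safe; this is the "invalidate the key" control mentioned in the introduction. The following Python script is an added example written for this guide, not Fortanix or BeyondTrust code. The endpoint paths, the use of the app API key as HTTP Basic credentials and the "enabled" field are written from memory of the Fortanix DSM REST API and must be checked against the API reference for your DSM version. It assumes DSM_URL is your service URL (Section 3.1), that API_KEY belongs to an app assigned to the group that holds the key, and that KEY_NAME is the key name entered in Step 3.

```python
"""Disable or re-enable the Password Safe key in Fortanix DSM, without touching Password Safe.

Added example for this guide; not Fortanix or BeyondTrust code. The endpoint paths,
the Basic-auth use of the app API key and the "enabled" field are written from memory
of the Fortanix DSM REST API; check them against your DSM version's API reference.
Assumptions: DSM_URL is your service URL (Section 3.1), API_KEY belongs to an app in
the same group as the key, and KEY_NAME is the key name from Step 3.
"""
import json
import os
import sys
import urllib.request

DSM_URL = os.environ.get("FORTANIX_DSM_URL", "https://eu.smartkey.io")  # example URL from Section 3.1
API_KEY = os.environ.get("FORTANIX_API_KEY", "")  # app API key, sent as-is as Basic credentials
KEY_NAME = os.environ.get("PASSWORD_SAFE_KEY_NAME", "PasswordSafeKey")  # assumed name


def build_request(base_url, api_key, method, path, body=None):
    """Assemble one DSM REST call; the API key is sent as HTTP Basic credentials."""
    headers = {"Authorization": f"Basic {api_key}", "Accept": "application/json"}
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(body).encode()
    return {"method": method, "url": base_url.rstrip("/") + path, "headers": headers, "data": data}


def send(req):
    """Perform the call and parse the JSON body; urlopen raises on any non-2xx status."""
    r = urllib.request.Request(req["url"], data=req["data"], method=req["method"], headers=req["headers"])
    with urllib.request.urlopen(r, timeout=30) as resp:
        return json.load(resp)


def select_key(sobjects, name):
    """Pick the key id (kid) whose name matches; refuse to act on 0 or several matches."""
    kids = [s["kid"] for s in sobjects if s.get("name") == name]
    if len(kids) != 1:
        raise LookupError(f"expected one security object named {name!r}, found {len(kids)}")
    return kids[0]


def set_key_enabled(base_url, api_key, name, enabled):
    """Look the key up by name and set its enabled flag; returns the updated object."""
    sobjects = send(build_request(base_url, api_key, "GET", "/crypto/v1/keys"))
    kid = select_key(sobjects, name)
    return send(build_request(base_url, api_key, "PATCH", f"/crypto/v1/keys/{kid}", {"enabled": enabled}))


if __name__ == "__main__":
    # Usage: python kill_switch.py disable|enable
    if len(sys.argv) != 2 or sys.argv[1] not in ("disable", "enable"):
        raise SystemExit("usage: kill_switch.py disable|enable")
    if not API_KEY:
        raise SystemExit("set FORTANIX_API_KEY")
    updated = set_key_enabled(DSM_URL, API_KEY, KEY_NAME, sys.argv[1] == "enable")
    print(updated.get("name"), "enabled =", updated.get("enabled"))
```

Disabling the key is an outage switch, not a silent one: check-outs, credential validation and rotations all fail until the key is re-enabled, because each of them needs a decrypt or encrypt in DSM. Nothing is lost in the meantime; the ciphertext in the Password Safe database is untouched, so re-enabling the key restores normal operation. Keep the app used for this script separate from the one configured in Step 3 so that the kill switch still works if the Password Safe app's API key has to be revoked.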