1.0 Introduction
This document describes how to integrate Fortanix Data Security Manager (DSM) with Pure Storage FlashArray so that DSM acts as the array's external key manager over KMIP, adding a layer of data security and securing the communication between the Fortanix DSM and Pure Storage systems.
Data at rest on Pure Storage FlashArray is always encrypted by an internal mechanism that operates transparently and removes key management from the user's hands: keys are rotated automatically, regenerated periodically, and held as unreadable partitioned keys distributed across the FlashArray flash modules.
Reconstructing data after a complete loss of the array would require physical access to most of the array modules, access to all of the secret shares partitioned across all flash modules, and a thorough understanding of the undocumented logical structure of the internal databases.
To encrypt data, FlashArray employs three interconnected layers of internal keys. The Array Key is generated from a random secret and distributed across multiple SSDs with a secret sharing scheme, so recreating the current access keys requires at least half of the array drives plus two more. SSD keys are never exposed on any array interface, and no single SSD holds a complete encryption key.
1.1 Key Details
Array Key
Created at array initialization.
Distributed across SSDs using a secret sharing algorithm.
Changed every 24 hours, as well as during configuration changes.
Solid State Device (SSD) Key
Generated at boot with a hash of Array Key and SSD Key.
Unique per device (NVRAM and SSD).
Cannot be read back.
Data Encryption Key
Requires unlocked SSDs since it is stored and partitioned on the SSD itself.
Armored (wrapped) by the Array Key using an AES-256 key wrap.
Cannot be read back.
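The "half the drives plus two" rule above is a threshold property of secret sharing. The following Python model is added here as an illustration and is not Pure Storage's code: it splits a random Array Key into one share per SSD with Shamir's scheme, rebuilds it from a threshold set, shows that one share fewer yields nothing usable, and derives a per-device SSD Key by hashing the Array Key with a device secret. The prime field, the SHA-256 derivation and the share layout are assumptions made for the example; the AES-256 key wrap of the Data Encryption Key and the external RDL key are not modelled.

```python
"""Toy model of the FlashArray key hierarchy from Sections 1.0 and 1.1.

Added illustration, not Pure Storage code. The prime field, the SHA-256
derivation and the share layout are assumptions made for the example; the
AES-256 key wrap of the Data Encryption Key and the external RDL key are
not modelled.
"""
import hashlib
import secrets

# Prime field for the shares. A 521-bit Mersenne prime holds a 256-bit key
# with room to spare and keeps the modular arithmetic simple (assumption).
P = 2**521 - 1


def threshold_for(n_drives):
    """Shares needed to rebuild the Array Key: half the drives plus two."""
    return n_drives // 2 + 2


def _poly_eval(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[k-1]*x^(k-1) mod P."""
    y = 0
    for c in reversed(coeffs):  # Horner's rule
        y = (y * x + c) % P
    return y


def split_array_key(array_key, n_drives):
    """Shamir-split a 32-byte Array Key into one (x, y) share per drive."""
    k = threshold_for(n_drives)
    if k > n_drives:
        raise ValueError("array too small for the half-plus-two rule")
    # Degree k-1 polynomial: constant term is the secret, the rest is random.
    coeffs = [int.from_bytes(array_key, "big")]
    coeffs += [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _poly_eval(coeffs, x)) for x in range(1, n_drives + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the share polynomial at x = 0.

    With at least k shares this is the secret. With fewer, the result is a
    uniformly random field element carrying no information about it, which
    is the property the array relies on when drives go missing.
    """
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def recover_array_key(shares):
    """Rebuild the 32-byte Array Key, or raise if the shares do not yield one."""
    value = recover_secret(shares)
    if value >= 2**256:  # sub-threshold interpolation lands here almost surely
        raise ValueError("shares do not reconstruct a valid Array Key")
    return value.to_bytes(32, "big")


def derive_ssd_key(array_key, device_secret):
    """Per-device SSD Key bound to the Array Key and the device (hash is an assumption)."""
    return hashlib.sha256(b"flasharray-ssd-key" + array_key + device_secret).digest()


def demo(n_drives=10):
    """True when a threshold set unlocks the array and one share fewer does not."""
    array_key = secrets.token_bytes(32)
    shares = split_array_key(array_key, n_drives)
    k = threshold_for(n_drives)  # 7 of 10 drives
    unlocked = recover_array_key(shares[:k]) == array_key
    try:
        too_few = recover_array_key(shares[:k - 1]) == array_key
    except ValueError:
        too_few = False
    # Every drive gets a distinct SSD Key even though the Array Key is shared.
    ssd_keys = {derive_ssd_key(array_key, b"serial-%d" % x) for x, _ in shares}
    return unlocked and not too_few and len(ssd_keys) == n_drives


if __name__ == "__main__":
    print("threshold property holds:", demo())
```

Run it and `demo()` reports True: any seven of ten shares rebuild the key, six do not, and the derived SSD Keys are all different. The same arithmetic explains why a lost drive does not weaken the array (its share is useless alone) and why a thief needs more than half of the drives plus two.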
2.0 Definitions
Rapid Data Locking: To keep the array secure even in the unlikely event of a total loss to a highly skilled intruder with in-depth product-specific knowledge, Pure Storage offers Rapid Data Locking (RDL), which adds an external key through one of two optional technologies:
USB-connected Spyrus Rosetta II Smartcards (YubiKey): Removing the smart card and then causing a power loss to the array locks the FlashArray entirely, making the data permanently unrecoverable.
Key Management Interoperability Protocol (KMIP) remote key server: A secondary, user-controlled key held on the KMIP server is required to unlock the array's flash modules, and the array retrieves it from the server when it powers on. Locking down a FlashArray therefore means revoking the remote key and powering off the system: without access to the server, the flash modules remain locked and cannot be unlocked on power-on.
3.0 Prerequisites
Ensure the following:
RDL must be enabled on Pure Storage.
A Fortanix DSM account. For steps to create an account, refer to the Fortanix DSM Getting Started Guide.
4.0 Product Version Tested
The following product versions were tested:
Purity OS versions 6.3 and 6.5.
Fortanix DSM version 4.26.2359.
5.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
5.1 Signing Up
To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
5.2 Creating an Account
Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

Figure 1: Logging In
5.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
Click the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to add a new group.
Figure 2: Add Groups
On the Adding new group page, enter the following details:
Title: Enter a title for your group.
Description (optional): Enter a short description for the group.
Click the SAVE button to create the new group.
The new group has been added to the Fortanix DSM successfully.
5.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
Click the Apps menu item in the DSM left navigation bar and click the + button on the Apps page to add a new app.
Figure 3: Add Application
On the Adding new app page, enter the following details:
App name: Enter the name of your application.
Interface (optional): Select KMIP as the interface type from the drop-down menu.
ADD DESCRIPTION (optional): Enter a short description for the application.
Authentication method: Leave the default API Key selected for now; it is changed to Certificate in Section 5.7: Updating the Authentication Method after the array has generated its certificate. For more information on the authentication methods, refer to the User's Guide: Authentication documentation.
Assigning the new app to groups: Select the group created in Section 5.3: Creating a Group from the list.
Click the SAVE button to add the new application.
The new application has been added to the Fortanix DSM successfully.
5.5 Copying the App UUID
Perform the following steps to copy the app UUID from the Fortanix DSM:
Click the Apps menu item in the DSM left navigation bar and click the app created in the Section 5.4: Creating an Application to go to the detailed view of the app.
From the top of the app's page, copy the app UUID. It is used in Section 5.6: Generating the Certificate as the Common Name (CN) of the self-signed certificate, which is how Fortanix DSM matches the certificate presented by the array to this app.
5.6 Generating the Certificate
Perform the following steps over an SSH session to the Pure Storage array to generate a self-signed client certificate whose Common Name is the app UUID:
Run the following command to create the certificate:
purecert create cert_2 --self-signed --common-name <App_UUID>
Replace the <App_UUID> parameter with the UUID of the app copied in Section 5.5: Copying the App UUID. The certificate name (cert_2 here) is referenced again in Section 6.0, so use the same name throughout; the sample outputs in this document were captured from separate runs and show other names. The following is the sample output:
pureuser@pod-43-vfa1 purecert create cert_4 --self-signed --common-name e003132d-6d58-4e7e-a781-03fc5d8c7c21
Name    Status       Key Size  Issued To                             Issued By                             Valid From               Valid To
cert_4  self-signed  2048      e003132d-6d58-4e7e-a781-03fc5d8c7c21  e003132d-6d58-4e7e-a781-03fc5d8c7c21  2024-02-29 06:01:39 UTC  2034-02-26 06:01:39 UTC

Country  State/Province  Locality  Organization        Organizational Unit  Email  Common Name
-        -               -         Pure Storage, Inc.  Pure Storage, Inc.   -      e003132d-6d58-4e7e-a781-03fc5d8c7c21
Run the following command to display the certificate in PEM form. The command does not sign anything (the certificate was already self-signed when it was created); its output is what you upload to Fortanix DSM in Section 5.7: Updating the Authentication Method. Copy the whole block, including the BEGIN and END lines:
purecert list cert_2 --certificate
The following is the sample output:
-----BEGIN CERTIFICATE-----
MIIEETCCAvmgAwIBAgIQdc+ZQexf9kNeiP6Wv2H+8zANBgkqhkiG9w0BAQsFADBp
MS0wKwYDVQQDDCQxNzhiNDBlYy1jOGEwLTQ5M2ItOWMzNC01MmFlNjhhYWY5ZjIx
GzAZBgNVBAsMElB1cmUgU3RvcmFnZSwgSW5jLjEbMBkGA1UECgwSUHVyZSBTdG9y
YWdlLCBJbmMuMB4XDTI0MDIwNzE4NDcwNloXDTM0MDIwNDE4NDcwNlowaTEtMCsG
A1UEAwwkMTc4YjQwZWMtYzhhMC00OTNiLTljMzQtNTJhZTY4YWFmOWYyMRswGQYD
VQQLDBJQdXJlIFN0b3JhZ2UsIEluYy4xGzAZBgNVBAoMElB1cmUgU3RvcmFnZSwg
SW5jLjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMNNWV7/1ZV45ZkK
Kil9UCNbc7V6L2A93FXSXI+HLlJeNU3tEqDX415lsnvFzyLym9fWN+KhaVvaMyrR
pwjTRT4Yc7eOJp4oCKnkx8UHFRCH3rXKTgMIvnGvO2RZ7h9/zSApUjYg/n0hW20p
SkiN86AkavLme3YRo8wbJgdFlNWpFRZrP/mCzVN0tuKFrNrzk4CQZON8nLznjGM4
jA7ARUYqp06mSgt5PgVTuwSkzRaK6AHndh6cB+prrubamQGKagg4bVtXGCXzUCBT
mjx29mW2BezLaUy4FEa7wGKnB6eVBewRMizUSJ/jdRI5ZiXWSg+S+zuN8bbwZc6l
durLEuUCAwEAAaOBtDCBsTAvBgNVHREEKDAmgiQxNzhiNDBlYy1jOGEwLTQ5M2It
OWMzNC01MmFlNjhhYWY5ZjIwHwYDVR0jBBgwFoAUBr4thauvoLBSh/YDwuCbRuEC
ULUwHQYDVR0OBBYEFAa+LYWrr6CwUof2A8Lgm0bhAlC1MAwGA1UdEwEB/wQCMAAw
DgYDVR0PAQH/BAQDAgKkMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
AjANBgkqhkiG9w0BAQsFAAOCAQEAYvxQsQkrNHsSkGrivI6uUme0qbGIEMhAmlAu
r9kpF532FIGkbA2wwP6wF6whY2fdsJsDNy2jH4UqpfXKHwBBM1h1CnVp2313SPOh
DZuH1Vt/QXUPhdiSsWVQiWVltbzulOR4tOTwe2EnZ6Qhun+T3jsndQYjwH4ICp3P
0UCRPAe+Yq9yydUGf8nI13nP85Mz7bRDQbVjIplMRlyazyifJBKYVBCl7jswLpQ6
iYsfpjeF7K6CYdp8rMkxJSaE3Ne9SrOid4YuTRrz5o1dQzjbm2WL4+xnuycUCAWM
BjUja98j17eweqsYRdMdUZ1WhDDyS7vp/A3Em3t9oICRzO6x+A==
-----END CERTIFICATE-----
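Before uploading the certificate to DSM it is worth confirming, on the copied PEM rather than on the array's summary table, that its Common Name really is the app UUID from Section 5.5 and that it is inside its validity window, since a mismatch is only discovered later as a failed KMIP handshake. The following Python check is an added example, not part of Pure Storage or Fortanix tooling: it parses the PEM that purecert list --certificate prints with a minimal DER walker from the standard library (no third-party X.509 library needed on the jump host) and reports any problem. SAMPLE_PEM is the sample certificate shown above; its CN is 178b40ec-c8a0-493b-9c34-52ae68aaf9f2, a different app than the cert_4 table, because the samples on this page come from separate runs.

```python
"""Pre-upload check for the certificate the array generated in Section 5.6.

Added example, not Pure Storage or Fortanix tooling. Parses the PEM printed by
``purecert list <name> --certificate`` with a minimal DER walker and verifies
that the subject CN equals the DSM app UUID, that issuer equals subject
(self-signed) and that the certificate is currently valid.
"""
import base64
from datetime import datetime, timezone

# The sample certificate shown above on this page (copied verbatim, 128
# base64 characters per line). Its CN is 178b40ec-c8a0-493b-9c34-52ae68aaf9f2.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIEETCCAvmgAwIBAgIQdc+ZQexf9kNeiP6Wv2H+8zANBgkqhkiG9w0BAQsFADBpMS0wKwYDVQQDDCQxNzhiNDBlYy1jOGEwLTQ5M2ItOWMzNC01MmFlNjhhYWY5ZjIx
GzAZBgNVBAsMElB1cmUgU3RvcmFnZSwgSW5jLjEbMBkGA1UECgwSUHVyZSBTdG9yYWdlLCBJbmMuMB4XDTI0MDIwNzE4NDcwNloXDTM0MDIwNDE4NDcwNlowaTEtMCsG
A1UEAwwkMTc4YjQwZWMtYzhhMC00OTNiLTljMzQtNTJhZTY4YWFmOWYyMRswGQYDVQQLDBJQdXJlIFN0b3JhZ2UsIEluYy4xGzAZBgNVBAoMElB1cmUgU3RvcmFnZSwg
SW5jLjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMNNWV7/1ZV45ZkKKil9UCNbc7V6L2A93FXSXI+HLlJeNU3tEqDX415lsnvFzyLym9fWN+KhaVvaMyrR
pwjTRT4Yc7eOJp4oCKnkx8UHFRCH3rXKTgMIvnGvO2RZ7h9/zSApUjYg/n0hW20pSkiN86AkavLme3YRo8wbJgdFlNWpFRZrP/mCzVN0tuKFrNrzk4CQZON8nLznjGM4
jA7ARUYqp06mSgt5PgVTuwSkzRaK6AHndh6cB+prrubamQGKagg4bVtXGCXzUCBTmjx29mW2BezLaUy4FEa7wGKnB6eVBewRMizUSJ/jdRI5ZiXWSg+S+zuN8bbwZc6l
durLEuUCAwEAAaOBtDCBsTAvBgNVHREEKDAmgiQxNzhiNDBlYy1jOGEwLTQ5M2ItOWMzNC01MmFlNjhhYWY5ZjIwHwYDVR0jBBgwFoAUBr4thauvoLBSh/YDwuCbRuEC
ULUwHQYDVR0OBBYEFAa+LYWrr6CwUof2A8Lgm0bhAlC1MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgKkMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
AjANBgkqhkiG9w0BAQsFAAOCAQEAYvxQsQkrNHsSkGrivI6uUme0qbGIEMhAmlAur9kpF532FIGkbA2wwP6wF6whY2fdsJsDNy2jH4UqpfXKHwBBM1h1CnVp2313SPOh
DZuH1Vt/QXUPhdiSsWVQiWVltbzulOR4tOTwe2EnZ6Qhun+T3jsndQYjwH4ICp3P0UCRPAe+Yq9yydUGf8nI13nP85Mz7bRDQbVjIplMRlyazyifJBKYVBCl7jswLpQ6
iYsfpjeF7K6CYdp8rMkxJSaE3Ne9SrOid4YuTRrz5o1dQzjbm2WL4+xnuycUCAWMBjUja98j17eweqsYRdMdUZ1WhDDyS7vp/A3Em3t9oICRzO6x+A==
-----END CERTIFICATE-----"""

CN_OID = bytes.fromhex("550403")  # id-at-commonName, OID 2.5.4.3 in DER


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed value (SEQUENCE/SET) into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _common_name(name):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value }; return the CN."""
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, value) = _children(atv)[:2]
            if oid == CN_OID:
                return value.decode("utf-8")  # UTF8String or PrintableString
    return None


def _time(tag, value):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) as UTC."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode(), fmt).replace(tzinfo=timezone.utc)


def inspect_certificate(pem):
    """Return subject CN, issuer CN and validity window of a PEM certificate."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    _, cert, _ = _tlv(base64.b64decode(body), 0)  # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])    # tbsCertificate members
    if fields[0][0] == 0xA0:                     # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, spki, ...
    (nb_tag, nb), (na_tag, na) = _children(fields[3][1])
    return {"issuer_cn": _common_name(fields[2][1]),
            "subject_cn": _common_name(fields[4][1]),
            "not_before": _time(nb_tag, nb), "not_after": _time(na_tag, na)}


def check_app_certificate(pem, app_uuid, now=None):
    """Return the problems found; an empty list means it is safe to upload."""
    info = inspect_certificate(pem)
    now = now or datetime.now(timezone.utc)
    problems = []
    if info["subject_cn"] != app_uuid:
        problems.append("CN %r does not match app UUID %r" % (info["subject_cn"], app_uuid))
    if info["issuer_cn"] != info["subject_cn"]:
        problems.append("issuer CN differs from subject CN; expected a self-signed certificate")
    if not info["not_before"] <= now < info["not_after"]:
        problems.append("not valid at %s" % now.isoformat())
    return problems


if __name__ == "__main__":
    print(inspect_certificate(SAMPLE_PEM))
    print(check_app_certificate(SAMPLE_PEM, "178b40ec-c8a0-493b-9c34-52ae68aaf9f2"))
```

Paste the PEM from your own array into SAMPLE_PEM (or read it from a file) and pass the UUID copied in Section 5.5; an empty list means the CN, issuer and dates are consistent with what Fortanix DSM expects. The walker only follows the fixed tbsCertificate layout, which is all this check needs; it is not a general-purpose X.509 validator.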
5.7 Updating the Authentication Method
Perform the following steps to change the authentication method:
Go to the detailed view of the app created in Section 5.4: Creating an Application, click the Change the authentication method button, and select the Certificate option.
Click the SAVE button.
In the Add certificate dialog box, click the UPLOAD NEW CERTIFICATE button to upload the certificate file, or paste the PEM content displayed by purecert list in Section 5.6: Generating the Certificate.
Select both the check boxes to confirm your understanding about the action.
Click the UPDATE button to save the changes.
6.0 Connecting to the KMIP Server
Run the following command to connect to the KMIP server:
purekmip create kmip_srvr --uri amer.smartkey.io:5696 --certificate cert_3 --ca-certificate
Please enter CA certificate followed by Enter and then Ctrl-D:
-----BEGIN CERTIFICATE-----
MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAw
MjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV
BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU
aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2Vy
dGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
AoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B
3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkY
tJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/
Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2
VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT
79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6
c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmT
Yo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97l
c6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4ee
UB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeE
Hg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd
BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8G
A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPF
Up/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KO
VWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3
ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs
8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcR
iQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYze
Sf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ
XHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/
qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB
VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB
L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG
jjxDah2nGN59PRbxYvnKkKj9
-----END CERTIFICATE-----
Name       URI                    Certificate  Ca Certificate Configured
kmip_srvr  amer.smartkey.io:5696  cert_3       True
Where,
amer.smartkey.io:5696 is the URI of the Fortanix DSM KMIP endpoint (the DSM host and the KMIP port, 5696). Use the host of your own DSM service.
--certificate is the client certificate created in Section 5.6: Generating the Certificate (named cert_2 there; this sample was captured with cert_3). It must be the same certificate that was uploaded to the app in Section 5.7, since Fortanix DSM identifies the app by it.
--ca-certificate is the CA certificate that issued the KMIP server's TLS certificate, which the array uses to verify that it is talking to the genuine DSM endpoint; it is not the server certificate itself. The sample shows a USERTrust RSA Certification Authority root certificate, which is what the deployment above used for amer.smartkey.io; paste whichever CA certificate your own DSM endpoint chains to.
7.0 Verification
Perform the following steps to verify if the integration was performed successfully.
Run the following command to verify the KMIP server connection:
purekmip test kmip_srvr
Output:
Name       URI                   Status  Details
kmip_srvr  sit.smartkey.io:5696  OK
Run the following command to enable the security token:
purearray enable security-token --kmip kmip_srvr
Output:
Enabled  Type  Signature                                                         Server
True     KMIP  fb2aade21650857a11bf77d64dc14135c28692d45cabaefb241e00a49c0b9a87  kmip_srvr
Figure 4: Key generated
Run the following command to list the security tokens:
purearray list --security-token
Output:
Enabled  Status   Type  Signature                                                         Server
True     enabled  KMIP  fb2aade21650857a11bf77d64dc14135c28692d45cabaefb241e00a49c0b9a87  kmip_srvr
Run the following command to test the security token integration:
purearray test security-token
The following is the sample output:
Name  Uri                   Status  Type  Error Message  Signature
CT0   sit.smartkey.io:5696  OK      KMIP                 77ce7612c04ba7593d24de780922f151b10bce066976ffa32bc7930e75420c55
NOTE: It is recommended to allow up to 30 minutes for the purearray test command to accurately reflect the configuration.
7.1 Key Control
The following scenario shows how Fortanix DSM controls access to the Pure Storage array through the RDL feature: deactivating the key in DSM locks the array.
Deactivate the key in Fortanix DSM as shown below.
Figure 5: Key deactivation
Go to the Pure Storage console and open the RDL section; the following message is displayed.
Figure 6: Pure Storage Console
After the key is deactivated in Fortanix DSM, the array can no longer find a matching key on the KMIP server and reports a key mismatch error, as shown in Figure 6, so the security-token operations cannot complete. While the key stays deactivated, the flash modules cannot be unlocked after a power cycle (see Section 2.0), so the key must be reactivated in DSM before the array can unlock them again.