Fortanix DSM with AWS External Key Store (XKS) - Concepts

1.0 Introduction

Welcome to the Fortanix Data Security Manager (DSM) with Amazon Web Services (AWS) External Key Store (XKS) documentation.

The Fortanix DSM integration with AWS XKS enables organizations to protect the data in AWS with keys stored in Fortanix DSM.

This article describes the following topics:

  • DSM with AWS XKS use cases.
  • Advantages of DSM with AWS XKS integration.
  • DSM with AWS XKS workflow.
  • DSM with AWS XKS integration.

2.0 DSM with AWS XKS - Use Cases

The Fortanix DSM with AWS XKS integration provides Fortanix customers the ability to migrate privacy-sensitive workloads for highly regulated industries, such as financial services and healthcare, to the public cloud and comply with the highest data privacy regulations.

3.0 DSM with AWS XKS - Advantages

The following are the advantages of Fortanix DSM with AWS XKS integration:

  • The users have complete custody of their keys and full control over the data encryption policies within AWS. This control helps them in specifying the location of the keys, and from where they may be accessed.
  • Fortanix DSM offers comprehensive audit logs, so the users may demonstrate that their security controls adhere to regulations like the GDPR.
  • AWS provides strong key protection, and Fortanix does not compete with these functions. Instead, Fortanix provides Segregation of Duties with external, granular access control.

4.0 DSM with AWS XKS - Workflow

XKS allows AWS KMS to use external, customer-managed root keys, giving the customer more control over key management and data security initiatives. Fortanix DSM is solely responsible for creating, safeguarding, and using the customer's root keys.

The figure below depicts how AWS XKS integration with Fortanix DSM works.

Figure 1: DSM with AWS XKS workflow

The workflow between the various services is as follows:

  1. A supported AWS service calls KMS and asks for a new Data Encryption Key (DEK) in an XKS-backed Key Store. For instance, this could be S3 to encrypt an uploaded file for storing in a bucket.
  2. KMS generates the DEK and envelopes (encrypts) it using a key store-specific Key Encryption Key (KEK).
  3. KMS calls Fortanix DSM which, upon satisfying access controls and policies, envelopes the already enveloped key using a DSM-protected Root KEK.
  4. DSM sends the double encrypted DEK back to KMS.
  5. KMS stores the double enveloped DEK in its Key Store.
  6. KMS then immediately retrieves the DEK, unseals the double envelope by sending it back to DSM and opening the inner envelope itself, and hands the DEK to the calling service for use.

Every time the calling service needs the DEK (for instance, S3 to satisfy a download request of the encrypted file), the last step (Step 6) is repeated.
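The six steps above, worked through as an added example that is not Fortanix or AWS code: a single Go program in which an in-memory KMS stand-in holds the key store KEK and a DSM stand-in holds the Root KEK, so the double envelope and its unsealing can be traced end to end. AES-256-GCM as the wrapping algorithm, the use of the key store ID and key name as authenticated data, the single-allowed-caller policy, and all names (envelope, DSM.Outer, KMS.GenerateDEK, KMS.DecryptDEK, NewDemoKMS) are assumptions made for the example; the real XKS proxy protocol between KMS and DSM is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// envelope seals (unwrap=false) or opens (unwrap=true) blob with AES-256-GCM; a sealed blob is
// nonce||ciphertext||tag. aad is authenticated, not encrypted, and binds the envelope to its key name.
func envelope(key, blob, aad []byte, unwrap bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if unwrap {
		if len(blob) < n {
			return nil, fmt.Errorf("envelope too short")
		}
		return gcm.Open(nil, blob[:n], blob[n:], aad) // tag check fails on any tampering
	}
	nonce := make([]byte, n)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, blob, aad), nil
}

func randomKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// DSM stands in for Fortanix DSM: it alone holds the Root KEK and enforces its access policy
// (a single allowed caller, a constructed stand-in) before adding (step 3) or removing (step 6) the outer envelope.
type DSM struct {
	rootKEK       []byte
	allowedCaller string
}

func (d *DSM) Outer(caller string, blob, aad []byte, unwrap bool) ([]byte, error) {
	if caller != d.allowedCaller {
		return nil, fmt.Errorf("dsm: caller %q denied by policy", caller)
	}
	return envelope(d.rootKEK, blob, aad, unwrap)
}

// KMS stands in for AWS KMS: it holds the key store KEK, never sees the Root KEK, and its store holds only double-enveloped DEKs.
type KMS struct {
	id    string
	kek   []byte
	dsm   *DSM
	store map[string][]byte
}

func (k *KMS) aad(name string) []byte { return []byte(k.id + "/" + name) }

// GenerateDEK runs steps 1-6: new DEK, inner wrap (2), DSM outer wrap (3-4), store (5), then unseal (6).
func (k *KMS) GenerateDEK(name string) ([]byte, error) {
	inner, err := envelope(k.kek, randomKey(), k.aad(name), false)
	if err != nil {
		return nil, err
	}
	outer, err := k.dsm.Outer(k.id, inner, k.aad(name), false)
	if err != nil {
		return nil, err
	}
	k.store[name] = outer
	return k.DecryptDEK(name)
}

// DecryptDEK is the repeated step 6: DSM peels the outer envelope, then KMS the inner.
func (k *KMS) DecryptDEK(name string) ([]byte, error) {
	inner, err := k.dsm.Outer(k.id, k.store[name], k.aad(name), true) // nil blob if the name is unknown
	if err != nil {
		return nil, err
	}
	return envelope(k.kek, inner, k.aad(name), true)
}

func NewDemoKMS(storeID string) *KMS {
	dsm := &DSM{rootKEK: randomKey(), allowedCaller: storeID}
	return &KMS{id: storeID, kek: randomKey(), dsm: dsm, store: map[string][]byte{}}
}

func main() {
	kms := NewDemoKMS("xks-store-demo")
	dek, err := kms.GenerateDEK("s3-object-key")
	fmt.Printf("DEK bytes=%d stored envelope bytes=%d err=%v\n", len(dek), len(kms.store["s3-object-key"]), err)
}
```

Two properties of the workflow become visible here: the plaintext DEK never exists inside the key store (only the 88-byte double envelope is persisted for a 32-byte DEK), and a DSM policy denial at step 3 or step 6 leaves KMS unable to produce the DEK at all, which is the segregation of duties the integration is built around.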

5.0 DSM with AWS XKS - Integration

With FIPS 140-2 Level 3 certified HSM protection, Fortanix DSM is available as an on-premises solution as well as a SaaS offering.

  • In an AWS XKS with DSM SaaS integration, the AWS service reaches out to the Fortanix DSM service to access the user’s Root Key.
  • For on-premises Fortanix DSM clusters, the users need to allow network access from AWS.

For the Fortanix DSM with AWS XKS integration steps, click here.

 
