This article describes how to integrate Fortanix Data Security Manager (DSM) with AWS External Key Store (XKS) to protect the data in AWS with keys stored in Fortanix DSM that users can use to perform cryptographic operations.
- Fortanix DSM version 4.9 or later: XKS support was introduced in DSM 4.9. In versions 4.9 through 4.15 the feature must be enabled for your account by Fortanix Support; from DSM 4.16 onward it is enabled by default.
- AWS Console
- AES-256 key: in this initial implementation, only 256-bit AES keys are supported as external keys.
3.0 Using Fortanix DSM with AWS XKS
With AWS XKS, administrators use Fortanix DSM to store cryptographic keys for the purpose of encrypting/decrypting the customer’s data in AWS. In this method, cryptographic operations are performed inside Fortanix DSM. This is different from the import-key (that is, Bring Your Own Key) functionality where the key material for a key in Fortanix DSM (External HSM) is imported into AWS KMS with an optional expiration period and cryptographic operations happen inside an AWS data center.
3.2 Obtaining Access to Fortanix Data Security Manager
Create an account in Fortanix DSM if you do not have one already. See the Fortanix DSM Getting Started guide for more information.
3.3 Create/Import an AES Key
In your Fortanix DSM console, follow the steps below to create an AES encryption key:
- Click the Security Objects tab (Figure 1)
- Click the add button to create a new security object. Figure 1: Security objects tab in Fortanix DSM
In the Add New Security Object form, you can create or import an AES key. See the example below to generate an AES 256 key:
- Type a name for the Security Object (Key).
- Assign a group for the key.
- Click Generate to set the option to generate an AES key.
- Select AES as the key type.
- In the Key size field, select 256 bits.
- Select the permitted key operations for this key.
- Optional: Add Custom Attributes and edit Activation and Deactivation dates if required.
- Optional: select Audit log to enable audit logging for this security object. Every operation performed with the key is then recorded in the DSM audit log.
- Click Generate to generate the AES key.
You can also import an AES encryption key. Refer to the Key Lifecycle Management guide for instructions to import a key.
3.4 Copy the UUID of the AES Key
The UUID of the AES key is required in Section 3.8: Create Keys in the External Key Store, where it is entered as the External key ID of the KMS key. To copy the UUID of the key:
- Go to the detailed view of the key and click the drop down for COPY ID and click COPY UUID in the list to copy the key UUID and make a note of it. Figure 3: Copy key UUID
3.5 Create an App in Fortanix Data Security Manager
To create an application in Fortanix DSM, specify AWS XKS as the authentication method.
- In the Fortanix DSM account, click the Applications tab.
- Create a new Fortanix DSM app using the Add button. Figure 4: Create new application
- In the Adding new app form, do the following:
- In the App name field, type the name of the AWS XKS app. For example: XKS app 3
- In the Authentication method, select AWS XKS.
- Click Save to create the new application.
3.6 Update Authentication Method for an Existing App
You can also change the authentication method for an existing app to AWS XKS from the detailed view of an app.
- In the detailed view of an app, click the INFO tab and in the API Key section, click the Change authentication method drop down menu. Figure 6: Change authentication method
- Select AWS XKS and click SAVE to save the setting. Figure 7: Change authentication method
- The application is updated with the new authentication method.
3.7 Configure DSM as an XKS with AWS
You can register Fortanix DSM as an XKS with AWS using the following steps:
- In the detailed view of an app, click the INFO tab and in the AWS XKS section, click the SHOW INSTRUCTIONS button. Figure 8: Show instructions
- In the AWS XKS modal window, copy the URI and each configuration value individually and make a note of them, or click COPY CONFIG FILE to copy all the configuration details to the clipboard at once in JSON format. The configuration consists of:
- Path prefix: a fixed path containing the Fortanix DSM App UUID. AWS KMS appends the XKS proxy API path to this prefix when it calls Fortanix DSM.
- Access key ID and Secret access key: the credentials with which AWS KMS authenticates its requests to Fortanix DSM. Treat the secret access key like any other long-lived credential: enter it only into the AWS key store configuration, do not store it in tickets, chat or source control, and rotate it in the DSM app if you suspect it has been exposed.
- Go to the AWS Console.
- Click Services -> Key Management Service. Figure 10: Select AWS KMS
- From the left menu select Custom key stores -> External key stores (Beta).
- On the External key stores page, click Create external key store. Figure 11: Create external key store
- In the Create external key store – beta form, fill in the following details:
- Key store name: Enter a name for your key store. For example: XKS Test. Figure 12: Create XKS
- In the Proxy Connectivity section:
- Select Public endpoint to communicate with the Fortanix DSM proxy. With this option AWS KMS reaches Fortanix DSM over the public internet, so the DSM endpoint must be reachable from AWS over HTTPS on port 443 and must present a TLS certificate issued by a public CA that AWS trusts.
- In the Proxy URI endpoint field, enter the URI that you copied in Step 2. For example: https://<fortanix_dsm_url>. Figure 13: Create XKS
- In the Proxy configuration section, enter the configuration details in one of two ways:
- Paste the individual values that you copied in Step 2 into the Proxy URI path prefix, Access key ID, and Secret access key fields, or
- Click Upload configuration file and paste the JSON configuration that you copied in Step 2. Figure 14: Upload configuration file
- If you chose Upload configuration file, paste the JSON configuration into the text box and click Use this proxy configuration to save it. Figure 15: Proxy configuration
- Click Create external key store to complete the XKS creation process. Figure 16: Create XKS
- Click Connect key store to connect the XKS with Fortanix DSM so that you can start creating the keys in this key store. Figure 17: Connect keystore
3.8 Create Keys in the External Key Store
After the connection between AWS XKS and Fortanix DSM is successful, you can start creating keys in this key store using the following steps:
- Click Create a KMS key in this key store to create a key. Figure 18: Create a key
- In the section External key, enter the UUID of the AES 256 key you copied in Section 3.4: Copy the UUID of the AES Key in the External key ID field.
- Select the check box to confirm the use of the external key store.
- Click Next. Figure 19: External key ID
- In the Add labels page, Enter the key Alias.
- Click Next. Figure 20: Add alias
- Next, select the key administrators who can administer this key using the KMS API and click Next. Figure 21: Key administrators
- Select the users who will use the key for cryptographic operations and click Next. Figure 22: Key usage permissions
- Review the updates and click Finish.
- The AWS KMS key is now successfully created in the XKS. Figure 23: Key created in XKS
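The console steps in Sections 3.7 and 3.8 correspond to the KMS CreateCustomKeyStore, ConnectCustomKeyStore and CreateKey API calls. The following pre-flight script is an added example and is not Fortanix or AWS code: it checks the proxy configuration JSON copied from the DSM app against the field constraints the AWS KMS API reference documents for CreateCustomKeyStore, builds the CreateCustomKeyStore parameters that the Section 3.7 form submits, and builds the CreateKey parameters for Section 3.8 after checking that the external key ID is a well-formed DSM UUID. It also shows how to log the parameters without the proxy secret. The endpoint, app UUID, key UUID, key store ID and credentials are constructed placeholders, and the JSON field names are assumed to follow the AWS proxy configuration file format.

```python
"""Pre-flight checks for registering Fortanix DSM as an AWS XKS proxy.

Added example, not Fortanix or AWS code. All identifiers and credentials
below are constructed placeholders.
"""
import json
import re
import uuid

# Field constraints from the AWS KMS API reference for CreateCustomKeyStore
# and CreateKey (assumption: current at the time of writing).
PROXY_ENDPOINT_RE = re.compile(r"^https://[a-zA-Z0-9.-]+$")         # no port, no path
PROXY_PATH_RE = re.compile(r"^/[a-zA-Z0-9/_-]+/kms/xks/v\d{1,2}$")  # ends in /kms/xks/v1
ACCESS_KEY_ID_RE = re.compile(r"^[A-Z0-9]{20,30}$")
SECRET_KEY_RE = re.compile(r"^[a-zA-Z0-9/+]{43,64}$")
XKS_KEY_ID_RE = re.compile(r"^[a-zA-Z0-9_.-]{1,128}$")

# Constructed sample of what COPY CONFIG FILE places on the clipboard. The
# path prefix carries the DSM app UUID; the credentials are placeholders.
SAMPLE_CONFIG = json.dumps({
    "XksProxyUriPath": "/11111111-2222-3333-4444-555555555555/kms/xks/v1",
    "XksProxyAuthenticationCredential": {
        "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "RawSecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY1234567",
    },
})


def check_proxy_config(endpoint: str, config_json: str) -> list:
    """Return a list of problems with the endpoint and config; empty means acceptable."""
    problems = []
    if not (10 <= len(endpoint) <= 128 and PROXY_ENDPOINT_RE.match(endpoint)):
        problems.append("endpoint must be https://<host> with no port or path")
    try:
        cfg = json.loads(config_json)
        path = cfg["XksProxyUriPath"]
        cred = cfg["XksProxyAuthenticationCredential"]
        key_id, secret = cred["AccessKeyId"], cred["RawSecretAccessKey"]
    except (ValueError, KeyError, TypeError) as exc:
        return problems + [f"config is not a valid proxy configuration file: {exc!r}"]
    if not (len(path) <= 128 and PROXY_PATH_RE.match(path)):
        problems.append("path prefix must start with / and end with /kms/xks/v1")
    if not ACCESS_KEY_ID_RE.match(key_id):
        problems.append("access key ID must be 20-30 uppercase letters or digits")
    if not SECRET_KEY_RE.match(secret):
        problems.append("secret access key must be 43-64 characters of [A-Za-z0-9/+]")
    return problems


def create_custom_key_store_params(name: str, endpoint: str, config_json: str) -> dict:
    """Parameters for kms.create_custom_key_store(), matching the Section 3.7 form."""
    problems = check_proxy_config(endpoint, config_json)
    if problems:
        raise ValueError("; ".join(problems))
    cfg = json.loads(config_json)
    return {
        "CustomKeyStoreName": name,
        "CustomKeyStoreType": "EXTERNAL_KEY_STORE",
        "XksProxyConnectivity": "PUBLIC_ENDPOINT",   # the option chosen in Section 3.7
        "XksProxyUriEndpoint": endpoint,
        "XksProxyUriPath": cfg["XksProxyUriPath"],
        "XksProxyAuthenticationCredential": cfg["XksProxyAuthenticationCredential"],
    }


def create_key_params(custom_key_store_id: str, dsm_key_uuid: str, description: str = "") -> dict:
    """Parameters for kms.create_key(), matching the Section 3.8 wizard.

    dsm_key_uuid is the security-object UUID copied in Section 3.4.
    """
    uuid.UUID(dsm_key_uuid)                     # ValueError if not a well-formed UUID
    if not XKS_KEY_ID_RE.match(dsm_key_uuid):
        raise ValueError("external key ID violates the KMS XksKeyId constraints")
    return {
        "Origin": "EXTERNAL_KEY_STORE",
        "CustomKeyStoreId": custom_key_store_id,
        "XksKeyId": dsm_key_uuid,
        "KeySpec": "SYMMETRIC_DEFAULT",          # external keys are AES-256 symmetric keys
        "KeyUsage": "ENCRYPT_DECRYPT",
        "Description": description,
    }


def redacted(params: dict) -> dict:
    """Deep copy safe for logs: the raw secret is what lets KMS authenticate to DSM."""
    out = json.loads(json.dumps(params))
    cred = out.get("XksProxyAuthenticationCredential")
    if cred:
        cred["RawSecretAccessKey"] = "***"
    return out


if __name__ == "__main__":
    store = create_custom_key_store_params("XKS Test", "https://dsm.example.com", SAMPLE_CONFIG)
    print(json.dumps(redacted(store), indent=2))
    # After create_custom_key_store() and connect_custom_key_store() succeed, the
    # returned CustomKeyStoreId (placeholder below) is used for create_key().
    key = create_key_params("cks-1234567890abcdef0", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
    print(json.dumps(key, indent=2))
```

The dictionaries returned by `create_custom_key_store_params` and `create_key_params` can be passed unchanged as keyword arguments to `boto3.client("kms").create_custom_key_store(**store)` and `create_key(**key)`; a failed check before the call is cheaper to debug than a key store stuck in an unconnectable state.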