Using Fortanix DSM with AWS External Key Store (XKS)

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with AWS External Key Store (XKS) to protect data in AWS with keys that are stored in Fortanix DSM and that users can use to perform cryptographic operations.

2.0 Prerequisites

  • Fortanix DSM version 4.9 or later: Fortanix introduced XKS support in DSM version 4.9, but the feature must be enabled through Fortanix Support in versions earlier than DSM 4.16, where it is enabled by default.
  • AWS Console
  • AES 256 key – For the initial implementation, only AES 256 keys are supported.
    The AES key can either be imported or created in Fortanix DSM.

3.0 Using Fortanix DSM with AWS XKS

3.1 Overview

With AWS XKS, administrators use Fortanix DSM to store cryptographic keys for the purpose of encrypting/decrypting the customer’s data in AWS. In this method, cryptographic operations are performed inside Fortanix DSM. This is different from the import-key (that is, Bring Your Own Key) functionality where the key material for a key in Fortanix DSM (External HSM) is imported into AWS KMS with an optional expiration period and cryptographic operations happen inside an AWS data center.

3.2 Obtaining Access to Fortanix Data Security Manager

Create an account in Fortanix DSM if you do not have one already. See the Fortanix DSM Getting Started guide for more information.

3.3 Create/Import an AES Key

In your Fortanix DSM console, follow the steps below to create an AES encryption key:

  1. Click the Security Objects tab (Figure 1).
  2. Click the plus (+) icon to create a new security object.
    Figure 1: Security objects tab in Fortanix DSM
    In the Add New Security Object form, you can create or import an AES key. See the example below to generate an AES 256 key:
    1. Type a name for the Security Object (Key).
    2. Assign a group for the key.
    3. Click Generate to set the option to generate an AES key.
    4. Click AES for the type of key to import.
    5. In the Key size field, select 256 bits.
    6. Select the permitted key operations for this key.
    7. Optional: Add Custom Attributes and edit Activation and Deactivation dates if required.
    8. Select Audit log to enable audit logging for this security object. This is an optional field.
    9. Click Generate to generate the AES key.
      • Make sure that you generate an AES 256 key.
      • Make sure the new key has “encrypt” and “decrypt” key operations allowed.
    Figure 2: Generate a new AES Key
    You can also import an AES encryption key. Refer to the Key Lifecycle Management guide for instructions to import a key.

3.4 Copy the UUID of the AES Key

The UUID of the AES key is required in Section 3.5: Create an App in Fortanix DSM to create the key in AWS XKS. To copy the UUID of the key:

  1. Go to the detailed view of the key, open the COPY ID drop-down, click COPY UUID in the list to copy the key UUID, and make a note of it.
    Figure 3: Copy key UUID

3.5 Create an App in Fortanix Data Security Manager

To create an application in Fortanix DSM, specify AWS XKS as the authentication method.

The AWS XKS feature is a hidden feature in the Fortanix DSM 4.9 release. To enable it for your account, contact the Fortanix Support team.
  1. In the Fortanix DSM account, click the Applications tab.
  2. Create a new Fortanix DSM app using the Add (+) button.
    Figure 4: Create new application
  3. In the Adding new app form, do the following:
    1. In the App name field, type the name of the AWS XKS app. For example: XKS app 3
    2. In the Authentication method, select AWS XKS.
      Ensure that the new application has access to the AES 256 key. This can be done by creating the app in the same group as the key created in the previous section.
    3. Click Save to create the new application.
    Figure 5: Name of the application

3.6 Update Authentication Method for an Existing App

You can also change the authentication method for an existing app to AWS XKS from the detailed view of an app.

Updating an authentication method causes the services relying on the app to stop working.
  1. In the detailed view of an app, click the INFO tab and, in the API Key section, click the Change authentication method drop-down menu.
    Figure 6: Change authentication method
  2. Select AWS XKS and click SAVE to save the setting.
    Figure 7: Change authentication method
  3. The application is updated with the new authentication method.

3.7 Configure DSM as an XKS with AWS

You can register Fortanix DSM as an XKS with AWS using the following steps:

  1. In the detailed view of an app, click the INFO tab and, in the AWS XKS section, click the SHOW INSTRUCTIONS button.
    Figure 8: Show instructions
  2. In the AWS XKS modal window, copy the URI and each configuration value individually and make a note of them, or click COPY CONFIG FILE to copy all the configuration details to the clipboard at once in JSON format.
    1. Path prefix: A fixed path containing the Fortanix DSM App UUID.
    2. Access key ID and Secret access key: The credentials that AWS uses to access Fortanix DSM.
    Figure 9: Copy config values
    "" opens DSM SaaS for the AMER region. DSM SaaS supports multiple regions, as listed here.
  3. Go to the AWS Console.
  4. Click Services -> Key Management Service.
    Figure 10: Select AWS KMS
  5. From the left menu, select Custom key stores -> External key stores Beta.
  6. On the External key stores page, click Create external key store.
    Figure 11: Create external key store
  7. In the Create external key store – beta form, fill in the following details:
    1. Key store name: Enter a name for your key store. For example: XKS Test.
      Figure 12: Create XKS
    2. In the Proxy Connectivity section:
      1. Select Public endpoint to communicate with the Fortanix DSM proxy.
      2. In the Proxy URI endpoint field, enter the URI that you copied in Step 2. For example: which opens DSM SaaS for the AMER region. DSM SaaS supports multiple regions, as listed here.
        Figure 13: Create XKS
    3. In the Proxy configuration section, you can enter the configuration details in the following ways:
      1. Paste the individual configuration values that you copied in Step 2 in the Proxy URI path prefix, Access key ID, and Secret access key fields respectively, or
      2. Click Upload configuration file and paste the JSON configuration details that you copied in Step 2.
        Figure 14: Upload configuration file
    4. If you selected option (ii) above, paste the JSON configuration in the text box and click Use this proxy configuration to save the configuration.
      Figure 15: Proxy configuration
    5. Click Create external key store to complete the XKS creation process.
      Figure 16: Create XKS
    6. Click Connect key store to connect the XKS with Fortanix DSM so that you can start creating keys in this key store.
      Figure 17: Connect keystore

3.8 Create Keys in the External Key Store

After the connection between AWS XKS and Fortanix DSM is successful, you can start creating keys in this key store using the following steps:

  1. Click Create a KMS key in this key store to create a key.
    Figure 18: Create a key
  2. In the External key section, enter the UUID of the AES 256 key that you copied in Section 3.4: Copy the UUID of the AES Key in the External key ID field.
  3. Select the check box for Confirm the user of external key store.
  4. Click Next.
    Figure 19: External key ID
  5. On the Add labels page, enter the key alias.
  6. Click Next.
    Figure 20: Add alias
  7. Next, select the key administrators who can administer this key using the KMS API and click Next.
    Figure 21: Key administrators
  8. Select the users who will use the key for cryptographic operations and click Next.
    Figure 22: Key usage permissions
  9. Review the updates and click Finish.
  10. The AWS KMS key is now successfully created in the XKS.
    Figure 23: Key created in XKS
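
The console steps in Sections 3.7 and 3.8 correspond to the AWS KMS API calls CreateCustomKeyStore and CreateKey. The following is an added example, not code from Fortanix or AWS: it checks the copied values and builds the boto3 request arguments for both calls. The sample configuration, the helper names, and the host name dsm.example.com are constructed for illustration, and the JSON key names assume the AWS KMS proxy configuration file format.

```python
import json
import uuid
from urllib.parse import urlsplit

# Constructed sample of the JSON copied with COPY CONFIG FILE. Key names assume
# the AWS KMS proxy configuration file format; every value is a placeholder.
SAMPLE_CONFIG = """{
  "XksProxyUriPath": "/00000000-0000-4000-8000-000000000000/kms/xks/v1",
  "XksProxyAuthenticationCredential": {
    "AccessKeyId": "ABCDEFGHIJKLMNOPQRST",
    "RawSecretAccessKey": "constructedPlaceholderSecret0123456789ABCDEFGH="
  }
}"""

def key_store_request(name, endpoint, config_json):
    """kwargs for boto3 kms.create_custom_key_store (Section 3.7, step 7)."""
    cfg = json.loads(config_json)
    cred = cfg["XksProxyAuthenticationCredential"]
    url = urlsplit(endpoint)
    # The endpoint is scheme and host only; the path prefix is a separate field.
    if url.scheme != "https" or not url.hostname or url.path not in ("", "/"):
        raise ValueError("proxy URI endpoint must be https://<host> with no path")
    if not cfg["XksProxyUriPath"].endswith("/kms/xks/v1"):
        raise ValueError("proxy URI path must end with /kms/xks/v1")
    return {
        "CustomKeyStoreName": name,
        "CustomKeyStoreType": "EXTERNAL_KEY_STORE",
        "XksProxyConnectivity": "PUBLIC_ENDPOINT",
        "XksProxyUriEndpoint": endpoint.rstrip("/"),
        "XksProxyUriPath": cfg["XksProxyUriPath"],
        "XksProxyAuthenticationCredential": {
            "AccessKeyId": cred["AccessKeyId"],
            "RawSecretAccessKey": cred["RawSecretAccessKey"],
        },
    }

def kms_key_request(custom_key_store_id, dsm_key_uuid):
    """kwargs for boto3 kms.create_key (Section 3.8); rejects a non-UUID key ID."""
    value = dsm_key_uuid.strip()
    if str(uuid.UUID(value)) != value.lower():  # uuid.UUID raises ValueError too
        raise ValueError("external key ID must be the UUID copied from DSM")
    return {"Origin": "EXTERNAL_KEY_STORE", "KeyUsage": "ENCRYPT_DECRYPT",
            "CustomKeyStoreId": custom_key_store_id, "XksKeyId": value}

def redact(request):
    """Copy of a key store request that is safe to log (secret masked)."""
    cred = dict(request["XksProxyAuthenticationCredential"], RawSecretAccessKey="***")
    return dict(request, XksProxyAuthenticationCredential=cred)
```

Pass the results to `boto3.client("kms").create_custom_key_store(**request)` and `create_key(**request)`; `connect_custom_key_store` corresponds to the Connect key store step. Write only the output of `redact` to logs or tickets.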

