Welcome to the Fortanix Data Security Manager (DSM) and Amazon Web Services (AWS) Cloud Native Key Management (CNKMS) User Guide. This article describes how to perform native key lifecycle management in AWS KMS using Fortanix DSM.
The Fortanix solution for AWS Key Management Service (KMS) offers complete Cloud Native Key Management (CNKMS), as explained in this guide, as well as Bring Your Own Key (BYOK) and Bring Your Own KMS (BYOKMS), with complete lifecycle management for automation.
2.0 Getting Started with Fortanix Cloud Data Control
To understand which solution between CNKMS, BYOK, BYOKMS (AWS XKS), or Bring Your Own Encryption (BYOE) is right for you, please see Fortanix Data Security Manager Cloud Data Control Getting Started Guide.
3.0 Fortanix AWS CNKMS Workflows Overview
- Generate key: Navigate to a CDC group, select "Generate in AWS", select a supported algorithm type and key size, and click Generate to generate the key in the AWS Key Management Service (KMS) key repository.
- Rotate: Rotate a key that was originally generated in AWS KMS by navigating to it in the AWS CDC group. Otherwise, if the source is "Fortanix DSM", see the <AWS KMS BYOK User Guide>.
- Disable/Enable: Navigate to the detailed view of the key in the AWS CDC group and disable or enable it from Fortanix DSM.
- Schedule/Soft key deletion: AWS will not allow you to natively delete a key directly unless you explicitly schedule it for deletion and the mandatory waiting period expires (at least 7 days). Navigate to the detailed view of the key in the AWS CDC group, and in the AWS KEY DETAILS tab, schedule the key for deletion.
4.0 Fortanix Data Security Manager AWS KMS Security Objects
After the AWS CDC group successfully connects to the AWS KMS successfully using the connection details, the keys from the AWS KMS are stored as virtual keys in the Fortanix AWS CDC group. For steps to create an AWS CDC group, refer to AWS CDC Group Setup Guide. A virtual key is a key whose key material is not present in the AWS CDC group. The key material is stored securely in the AWS KMS. The virtual key is just a pointer to the key information and key attributes, but it does not hold the key material itself.
4.1 Create a Key in AWS CDC Group - Generate
You can generate a key in a configured AWS CDC group.
4.1.1 Generate a Key
This action will generate the configured key type in the configured AWS KMS regions directly, and it will be represented as a virtual key in the corresponding AWS CDC group. This means that the virtual key in the AWS CDC group will point to the actual key in AWS KMS that stores the key material of this new key. The virtual key only stores the key information and key attributes, but it does not have the key material.
In your Fortanix DSM console, follow the process below to create a new key:
- Click the Security Objects tab.
- Click to create a new Security Object.
- In the Add New Security Object form enter a name for the Security Object (Key).
- Select the This is an HSM/external KMS object check box. This will show the AWS KMS configured groups in the Select group list.
- In the AWS group list, select the AWS CDC group into which the keys will be generated. The keys will be generated into the region that was selected in the AWS CDC group.
- Select GENERATE IN AWS to initiate the "generate key in the AWS" workflow.
- Add an alias in the AWS Aliases tab. Use the ADD ALIAS button if you are adding more than two aliases.
- Select the key type for the new AWS KMS key.
These key types can further be restricted by setting a crypto policy for the account or group. For more details about the crypto policy, please refer to the article: https://support.fortanix.com/hc/en-us/articles/360042064051-User-s-Guide-Crypto-Policy.
- Enter the Key size and select the permitted key operations under the Key operations permitted section.
- Add a tag in the AWS Tags Section. Use the ADD TAG button if you are adding more than one tag. For more details refer to Section 4.4.
- Enable the toggle for Multi-region primary key to create an AWS multi-region Primary Key. For more details, refer to Section 4.2.
- Click the GENERATE button to generate the key in AWS.
- The new AWS Key is created and represented with a special symbol to denote it is of type AWS/KMS. In the detailed view of the AWS key you will notice the following things:
- The group and region to which it belongs (in the Group field). It also shows if the group is mapped to an AWS or not using the special icon .
- How the key was created (in the Created by field). If it is an AWS KMS key, this field shows the group that created this key. It also shows minor details such as if the group is “Connected” or “Not Connected”.
- The new key will be added to the Security Objects table.
4.2 Multi-Region Keys
Fortanix DSM supports marking an AWS virtual key as a multi-region primary key in an AWS region so that replicas of this key can be created in other regions of AWS KMS making the primary key a multi-Region key.
The multi-Region keys are AWS KMS keys in different AWS Regions that can be used interchangeably – as though you had the same key in multiple Regions. Each set of related multi-Region keys has the same key material and key ID in AWS KMS, so you can encrypt data in one AWS Region and decrypt it in a different AWS Region without re-encrypting or making a cross-Region call to AWS KMS. You can use multi-Region keys in all cryptographic operations that you can do with single-Region keys.
4.3 Sync Keys
When you edit the AWS connection details in the AWS group detailed view under HSM/KMS tab, click SYNC KEYS to import new keys. On clicking SYNC KEYS, Fortanix DSM connects to AWS and gets all the keys available. Fortanix DSM then stores them as virtual keys.
4.4 Attributes/Tags Tab
This tab will have all the attributes and tags of the AWS key. A tag is an optional metadata label that you can assign to an AWS resource. You can add new tags using the NEW TAG button and add custom attributes by using the ADD CUSTOM ATTRIBUTE button. These are user-defined security object attributes that can be added to the security object’s metadata.
4.5 AWS Key Details
This tab displays details of the AWS key aliases, Key ARN for Key ID, and the AWS key policy.
If the AWS virtual key is a multi-region primary key, then the Key ARN section will also display the key ARNs of the replica keys.
If the AWS virtual key is a multi-Region replica key, then the Key ARN section will also display the key ARN of the primary key.
4.6 Security Objects Table View
After you add new AWS keys, go to the Security Objects page to view all the security objects from all the groups (AWS and non-AWS).
In the security object table, you will notice that every key belongs to a group and some keys which are virtual keys added from an AWS, belongs to a group with a special symbol . The security objects table view will continue to show all the keys irrespective of if they belong to an AWS group or not.
4.7 Schedule to Delete a Key in AWS KMS
When you delete a key from an AWS KMS, the action will delete the actual key in the configured AWS and will appear as disabled in the security objects table.
To delete a key from an AWS KMS:
- Go to the detailed view of an AWS virtual key and select the AWS KEY DETAILS tab.
- Click the link SCHEDULE KEY DELETION.
- In the Schedule Key Deletion in the AWS KMS window, enter a waiting period (in days) to verify whether you still need the AWS key.
- Click SCHEDULE KEY DELETE button to mark the key for deletion.
- You can cancel the key deletion any time before the waiting period ends using the CANCEL KEY DELETION IN AWS link on the top of the screen in the detailed view of the virtual key.
After the key is permanently deleted from AWS KMS, the Delete Key button is enabled in the detailed view of the virtual key in Fortanix DSM.
4.8 Delete a Key in AWS Group
When you delete a key from an AWS CDC group, the action will only delete the virtual key in Fortanix DSM and will not delete the actual key in the configured AWS.
To delete a virtual key:
- Select the AWS key to delete.
- In the security object detailed view, scroll down and click the DELETE KEY button.
4.9 Delete Key Material in AWS KMS
When the allowed key types of AES, RSA, or EC are copied into AWS KMS from Fortanix DSM, the key material is stored in two places, the source key in the regular Fortanix DSM group and in the configured AWS KMS for a specific account and region. This key is represented as a virtual key in the AWS CDC group.
A virtual key is only a virtual representation of the actual AWS KMS key that contains the key information and key attributes; however, this virtual key does not contain the key material. Users may want to delete the key material from the configured AWS KMS to maintain a single copy of key material stored securely in the source key in the regular Fortanix DSM group.
To delete the key material:
- Go to the detailed view of a virtual key in the AWS CDC group and select the AWS KEY DETAILS tab.
- Click the DELETE KEY MATERIAL link to delete the key material in AWS KMS.
- In the Delete Key Material in AWS KMS window, click the DELETE KEY MATERIAL button.
The status of the key in the AWS KMS changes to “Pending import”.
- After the key material is deleted from AWS KMS, it can be reimported back into AWS KMS to reverse the key material deletion. To reimport the key material:
- Go to the detailed view of the virtual key and click the REIMPORT KEY MATERIAL link on top of the screen.
- The key material is reimported successfully.
5.0 Rotate Key in AWS CDC Group
The following section explains the Key Rotation in AWS CDC Group. A Key is rotated when you want to retire an encryption key and replace that old key by generating a new cryptographic key.
5.1 Rotating AWS Native Key* with Another Native Key
*Native key is one where the key material was generated by AWS KMS.
When you rotate a virtual key in an AWS CDC group, the action will rotate the key inside the AWS KMS by generating another key within the configured AWS KMS by moving the key alias from the old key to the new key.
To rotate a key in AWS:
- Select the AWS virtual key to rotate.
- In the detailed view of the AWS virtual key, click the ROTATE KEY button.
- In the Key Rotation window, click the ROTATE KEY button to rotate the virtual key.
A new rotated key is now generated.
5.2 Rotate AWS Native Key to Fortanix Data Security Manager Owned Key
When an AWS virtual key whose key material is owned by AWS KMS is rotated, the user is given the option to rotate the virtual key with a Fortanix DSM-backed key. When the user selects this option and performs the rotation, a new virtual key is created, with the corresponding key in AWS KMS, which has the key material of the Fortanix DSM-backed key. As a result, the AWS virtual key is backed by a Fortanix DSM source key.
To rotate a virtual key with Fortanix DSM-backed key:
- Click ROTATE KEY in the detailed view of an AWS virtual key.
- In the Key Rotation window, select the Rotate to S-D KMS key check box.
- Select the Fortanix DSM group that contains the source key.
- Select the source key and click the ROTATE KEY button.
The Virtual key is successfully rotated and backed by the source key. To confirm, go to the detailed view of the newly rotated AWS virtual key and click the AWS KEY DETAILS tab. The SOURCE field now points to “FortanixHSM” instead of “External”.
For details on how to set up an AWS-backed group in Fortanix DSM, refer to the User's Guide: Fortanix DSM AWS External KMS Setup.
For details on how to perform BYOK key lifecycle management in AWS KMS using Fortanix DSM, refer to the User's Guide: Fortanix DSM AWS KMS Bring Your Own Key.