Fortanix DSM - AWS Cloud Native Key Management

1.0 Introduction

Welcome to the Fortanix Data Security Manager (DSM) and Amazon Web Services (AWS) Cloud Native Key Management (CNKMS) User Guide. This article describes how to perform native key lifecycle management in AWS KMS using Fortanix DSM.

The Fortanix solution for AWS Key Management Service (KMS) offers Cloud Native Key Management (CNKMS), described in this guide, as well as Bring Your Own Key (BYOK) and Bring Your Own KMS (BYOKMS), each with full key lifecycle management that can be automated.

2.0 Getting Started with Fortanix Cloud Data Control

To understand which solution between CNKMS, BYOK, BYOKMS (AWS XKS), or Bring Your Own Encryption (BYOE) is right for you, please see Fortanix Data Security Manager Cloud Data Control Getting Started Guide.

3.0 Fortanix AWS CNKMS Workflows Overview

  • Generate key: Navigate to a CDC group, select "Generate in AWS", select a supported algorithm type and key size, and click Generate to generate the key in the AWS Key Management Service (KMS) key repository.
  • Rotate: Rotate a key that was originally generated in AWS KMS by navigating to it in the AWS CDC group. If the key's source is "Fortanix DSM" (a BYOK key), see the AWS KMS BYOK User Guide instead.
  • Disable/Enable: Navigate to the detailed view of the key in the AWS CDC group and disable or enable it from Fortanix DSM.
  • Schedule/Soft key deletion: AWS KMS does not allow a key to be deleted immediately; the key must be explicitly scheduled for deletion and the mandatory waiting period (7 to 30 days) must expire first. Navigate to the detailed view of the key in the AWS CDC group, and in the AWS KEY DETAILS tab, schedule the key for deletion.
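
The workflows above map onto a small set of AWS KMS API actions. The following IAM policy is an added example, not Fortanix's published connection policy and not code from this page: it grants the credentials used by an AWS CDC group only the actions needed for the lifecycle operations this guide describes (listing and describing keys, aliases, tags and key policies; creating and aliasing keys; tagging; enabling and disabling; scheduling and cancelling deletion; and importing or deleting key material for BYOK-backed keys, see Sections 4.9 and 5.2). kms:ReplicateKey is deliberately absent because replicas cannot be created from Fortanix DSM.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DsmCnkmsReadKeyMetadata",
      "Effect": "Allow",
      "Action": [
        "kms:ListKeys",
        "kms:DescribeKey",
        "kms:ListAliases",
        "kms:ListResourceTags",
        "kms:GetKeyPolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DsmCnkmsKeyLifecycle",
      "Effect": "Allow",
      "Action": [
        "kms:CreateKey",
        "kms:CreateAlias",
        "kms:UpdateAlias",
        "kms:TagResource",
        "kms:EnableKey",
        "kms:DisableKey",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion",
        "kms:GetParametersForImport",
        "kms:ImportKeyMaterial",
        "kms:DeleteImportedKeyMaterial"
      ],
      "Resource": "*"
    }
  ]
}
```

kms:CreateKey, kms:ListKeys and kms:ListAliases only work with Resource "*"; the key-level actions in the second statement can be narrowed to the ARNs of the keys Fortanix DSM is meant to manage once those are known. If a workflow in this guide fails with an AccessDenied error, the CloudTrail event for the AWS CDC group's credentials names the exact action to add.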

4.0  Fortanix Data Security Manager AWS KMS Security Objects

After the AWS CDC group connects to AWS KMS using the configured connection details, the keys in AWS KMS are represented as virtual keys in the Fortanix AWS CDC group. For steps to create an AWS CDC group, refer to the AWS CDC Group Setup Guide. A virtual key is a key whose key material is not present in the AWS CDC group; the key material remains securely stored in AWS KMS. The virtual key is only a pointer that holds the key information and key attributes, never the key material itself.

4.1  Create a Key in AWS CDC Group - Generate

You can generate a key in a configured AWS CDC group.

4.1.1  Generate a Key

This action will generate the configured key type in the configured AWS KMS regions directly, and it will be represented as a virtual key in the corresponding AWS CDC group. This means that the virtual key in the AWS CDC group will point to the actual key in AWS KMS that stores the key material of this new key. The virtual key only stores the key information and key attributes, but it does not have the key material.

In your Fortanix DSM console, follow the process below to create a new key:

  1. Click the Security Objects tab.
  2. Click the + icon to create a new Security Object.
  3. In the Add New Security Object form enter a name for the Security Object (Key).
  4. Select the This is an HSM/external KMS object check box. This will show the AWS KMS configured groups in the Select group list.
  5. In the AWS group list, select the AWS CDC group into which the keys will be generated. The keys will be generated into the region that was selected in the AWS CDC group. 
  6. Select GENERATE IN AWS to start the generate key in AWS workflow.
  7. Add an alias in the AWS Aliases tab. Use the ADD ALIAS button to add further aliases.
  8. Select the key type for the new AWS KMS key.
    NOTE
    Currently, the only key type allowed for an AWS key generated using the Generate Key button is AES 256. Support for generating RSA and EC keys is coming soon.
    The allowed key types can be further restricted by setting a crypto policy for the account or group. For more details about the crypto policy, please refer to the article: https://support.fortanix.com/hc/en-us/articles/360042064051-User-s-Guide-Crypto-Policy.
  9. Enter the Key size and select the permitted key operations under the Key operations permitted section.
  10. Add a tag in the AWS Tags Section. Use the ADD TAG button if you are adding more than one tag. For more details refer to Section 4.4.
  11. Enable the toggle for Multi-region primary key to create an AWS multi-region Primary Key. For more details, refer to Section 4.2.
  12. Click the GENERATE button to generate the key in AWS.
  13. The new AWS key is created and shown with a special icon to denote that it is of type AWS/KMS. In the detailed view of the AWS key you will notice the following:
    • The group and region to which it belongs (in the Group field). A special icon also indicates whether the group is mapped to an AWS account.
    • How the key was created (in the Created by field). For an AWS KMS key, this field shows the group that created the key, along with whether that group is currently "Connected" or "Not Connected".
  14. The new key will be added to the Security Objects table. 
    TIP
    • You can also access the new key from the Group detailed view from the SECURITY OBJECTS tab.
    • You can also add a new key from the Group detailed view: in the SECURITY OBJECTS tab, click the ADD SECURITY OBJECT button and follow steps 3 to 12 above.

4.2 Multi-Region Keys

Fortanix DSM supports marking an AWS virtual key as a multi-Region primary key in an AWS Region so that replicas of this key can be created in other AWS KMS Regions, making the primary key a multi-Region key.

NOTE

Replicas of a multi-Region key cannot be created from Fortanix DSM. Create them in AWS KMS itself; a subsequent SYNC KEYS (Section 4.3) identifies them and marks them as replica keys.

The multi-Region keys are AWS KMS keys in different AWS Regions that can be used interchangeably – as though you had the same key in multiple Regions. Each set of related multi-Region keys has the same key material and key ID in AWS KMS, so you can encrypt data in one AWS Region and decrypt it in a different AWS Region without re-encrypting or making a cross-Region call to AWS KMS. You can use multi-Region keys in all cryptographic operations that you can do with single-Region keys.

4.3  Sync Keys

In the AWS group detailed view, under the HSM/KMS tab where the AWS connection details are edited, click SYNC KEYS to import keys that exist in AWS KMS. On clicking SYNC KEYS, Fortanix DSM connects to AWS, retrieves all keys available in the configured region, and stores them as virtual keys.

NOTE

  • When keys are synced with AWS KMS, the metadata of the existing keys for the configured service account and region are downloaded and represented as virtual keys. The actual key material for those keys is always stored in AWS KMS.
  • Clicking SYNC KEYS only returns the keys from AWS that are not yet present in Fortanix DSM. That is, every click appends only new keys and leaves existing virtual keys as they are.
  • If some keys were marked as multi-Region primary keys or multi-Region replica keys in AWS KMS before the scan, then clicking SYNC KEYS will identify these keys and mark them as multi-Region primary keys or multi-Region replica keys respectively.
  • The time taken to sync keys from AWS KMS to Fortanix DSM is a function of the number of keys in the AWS KMS and the network latency between the AWS location and Fortanix DSM. It can take several minutes if there are hundreds of keys and significant network latency.
  • AWS CDC groups have a scan limitation: when the AWS KMS region has more than 100 keys, only 100 virtual keys are created during a group scan, so the remaining keys are not represented in Fortanix DSM by that scan.
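
To see how the rules in this NOTE combine, the following is an added example in Python; it is not Fortanix or AWS code and makes no network calls. It models SYNC KEYS as an append-only merge over key metadata records in the shape returned by `aws kms describe-key`: existing virtual keys are never overwritten, multi-Region primary and replica keys are recognised from MultiRegionConfiguration, and the 100-key limit is applied per scan (treating the limitation above as "at most 100 new virtual keys per scan", which is an interpretation). The sample records, account ID and key IDs are constructed for the example.

```python
"""Model of the SYNC KEYS merge: AWS KMS key metadata -> Fortanix DSM virtual keys.

Added illustrative example; not Fortanix or AWS code, and it makes no network calls.
Input records follow the KeyMetadata shape returned by `aws kms describe-key`,
which is what you would export to check the DSM view against AWS.
"""

from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Per-region limit stated in this guide. Treated here as "at most this many new
# virtual keys per scan"; the exact cut-off rule is an interpretation.
SCAN_LIMIT = 100


@dataclass(frozen=True)
class VirtualKey:
    key_id: str
    arn: str
    state: str                        # Enabled, Disabled, PendingDeletion, PendingImport, ...
    origin: str                       # "AWS_KMS" = native key, "EXTERNAL" = BYOK material from DSM
    multi_region_role: Optional[str]  # "PRIMARY", "REPLICA" or None for a single-Region key
    related_arns: tuple               # replica ARNs for a primary; the primary's ARN for a replica


def to_virtual_key(meta: dict) -> VirtualKey:
    """Build a virtual key (metadata only, never key material) from one KeyMetadata record."""
    role, related = None, ()
    if meta.get("MultiRegion"):
        cfg = meta["MultiRegionConfiguration"]
        role = cfg["MultiRegionKeyType"]
        if role == "PRIMARY":
            related = tuple(r["Arn"] for r in cfg.get("ReplicaKeys", []))
        else:
            related = (cfg["PrimaryKey"]["Arn"],)
    return VirtualKey(meta["KeyId"], meta["Arn"], meta["KeyState"], meta["Origin"], role, related)


def sync_keys(existing: dict, aws_keys: list) -> tuple:
    """Append-only merge keyed by key ARN.

    Virtual keys already present are left untouched; new ones are added up to
    SCAN_LIMIT. Returns (virtual_keys_by_arn, added_key_ids, not_synced_key_ids);
    the last list tells you which AWS keys will be missing from DSM after this scan.
    """
    merged = dict(existing)
    added, not_synced = [], []
    for meta in aws_keys:
        if meta["Arn"] in merged:
            continue                           # never overwrite an existing virtual key
        if len(added) >= SCAN_LIMIT:
            not_synced.append(meta["KeyId"])   # beyond the per-scan limit
            continue
        vk = to_virtual_key(meta)
        merged[vk.arn] = vk
        added.append(vk.key_id)
    return merged, added, not_synced


def sample_arn(region: str, key_id: str) -> str:
    """Constructed ARN for the sample data; the account ID is a placeholder."""
    return f"arn:aws:kms:{region}:111122223333:key/{key_id}"


# Constructed sample DescribeKey records, trimmed to the fields used above.
# Multi-Region keys share one "mrk-" key ID across Regions, so the replica ARN
# differs from the primary's only in the Region.
NATIVE_ID = "11111111-1111-1111-1111-111111111111"
PRIMARY_ID = "mrk-0123456789abcdef0123456789abcdef"
IMPORTED_ID = "22222222-2222-2222-2222-222222222222"
SAMPLE_KEYS = [
    {"KeyId": NATIVE_ID, "Arn": sample_arn("us-east-1", NATIVE_ID), "KeyState": "Enabled",
     "Origin": "AWS_KMS", "MultiRegion": False},
    {"KeyId": PRIMARY_ID, "Arn": sample_arn("us-east-1", PRIMARY_ID), "KeyState": "Enabled",
     "Origin": "AWS_KMS", "MultiRegion": True,
     "MultiRegionConfiguration": {
         "MultiRegionKeyType": "PRIMARY",
         "PrimaryKey": {"Arn": sample_arn("us-east-1", PRIMARY_ID), "Region": "us-east-1"},
         "ReplicaKeys": [{"Arn": sample_arn("eu-west-1", PRIMARY_ID), "Region": "eu-west-1"}]}},
    {"KeyId": IMPORTED_ID, "Arn": sample_arn("us-east-1", IMPORTED_ID), "KeyState": "PendingImport",
     "Origin": "EXTERNAL", "MultiRegion": False},
]


def demo() -> tuple:
    """Sync twice against the same AWS state: the second pass must add nothing."""
    view, added_first, _ = sync_keys({}, SAMPLE_KEYS)
    view, added_second, _ = sync_keys(view, SAMPLE_KEYS)
    return view, added_first, added_second


if __name__ == "__main__":
    view, first, second = demo()
    for vk in view.values():
        print(vk.key_id, vk.state, vk.origin, vk.multi_region_role, vk.related_arns)
    print(f"added on first sync: {len(first)}, on second sync: {len(second)}")
```

The not_synced list returned by sync_keys is the practical output: run it over a full describe-key export of a region with more than 100 keys and it names the keys that the scan would leave out of Fortanix DSM, so they can be checked by hand.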

4.4 Attributes/Tags Tab

This tab will have all the attributes and tags of the AWS key. A tag is an optional metadata label that you can assign to an AWS resource. You can add new tags using the NEW TAG button and add custom attributes by using the ADD CUSTOM ATTRIBUTE button. These are user-defined security object attributes that can be added to the security object’s metadata.

4.5  AWS Key Details

This tab displays the AWS key's aliases, its Key ID and Key ARN, and the AWS key policy.

If the AWS virtual key is a multi-region primary key, then the Key ARN section will also display the key ARNs of the replica keys.

If the AWS virtual key is a multi-Region replica key, then the Key ARN section will also display the key ARN of the primary key.

The AWS KEY DETAILS tab also contains SCHEDULE KEY DELETION and DELETE KEY MATERIAL options which are explained in Section 4.7 and Section 4.9, respectively.

4.6  Security Objects Table View

After you add new AWS keys, go to the Security Objects page to view all the security objects from all the groups (AWS and non-AWS).

In the security object table, you will notice that every key belongs to a group; the virtual keys added from AWS belong to a group marked with a special icon. The security objects table view continues to show all the keys whether or not they belong to an AWS group.

4.7  Schedule to Delete a Key in AWS KMS

When you schedule a key for deletion from Fortanix DSM, the actual key in the configured AWS KMS is scheduled for deletion, and the virtual key appears as disabled in the security objects table while the waiting period runs.

To schedule a key for deletion in AWS KMS:

  1. Go to the detailed view of an AWS virtual key and select the AWS KEY DETAILS tab.
  2. Click the link SCHEDULE KEY DELETION
  3. In the Schedule Key Deletion in the AWS KMS window, enter a waiting period in days (AWS KMS accepts 7 to 30 days) during which you can verify whether you still need the AWS key.
  4. Click SCHEDULE KEY DELETE button to mark the key for deletion. 
  5. You can cancel the key deletion any time before the waiting period ends using the CANCEL KEY DELETION IN AWS link on the top of the screen in the detailed view of the virtual key.

NOTE

Data encrypted with the key can no longer be decrypted once the key is deleted.

After the key is permanently deleted from AWS KMS, the Delete Key button is enabled in the detailed view of the virtual key in Fortanix DSM.

4.8  Delete a Key in AWS Group

NOTE

The DELETE KEY option is enabled only when the key is permanently deleted from AWS KMS.

When you delete a key from an AWS CDC group, the action will only delete the virtual key in Fortanix DSM and will not delete the actual key in the configured AWS.

To delete a virtual key:

  1. Select the AWS key to delete.
  2. In the security object detailed view, scroll down and click the DELETE KEY button.

4.9  Delete Key Material in AWS KMS

When an AES 256 key is copied into AWS KMS from Fortanix DSM, the key material is stored in two places, the source key in the regular Fortanix DSM group and in the configured AWS KMS for a specific account and region. This key is represented as a virtual key in the AWS CDC group.

A virtual key is only a virtual representation of the actual AWS KMS key that contains the key information and key attributes; however, this virtual key does not contain the key material. Users may want to delete the key material from the configured AWS KMS to maintain a single copy of key material stored securely in the source key in the regular Fortanix DSM group.

NOTE

  • The Delete Key material feature is enabled only for keys of type AES 256 that have been externally imported into AWS KMS.
  • The Delete key material feature is visible only for BYOK keys, that is, for keys that were copied from Fortanix DSM.

To delete the key material:

  1. Go to the detailed view of a virtual key in the AWS CDC group and select the AWS KEY DETAILS tab.
  2. Click the DELETE KEY MATERIAL link to delete the key material in AWS KMS. 
  3. In the Delete Key Material in AWS KMS window, click the DELETE KEY MATERIAL button. 
    The status of the key in the AWS KMS changes to “Pending import”.
  4. After the key material is deleted from AWS KMS, it can be reimported back into AWS KMS to reverse the key material deletion. To reimport the key material:
    1. Go to the detailed view of the virtual key and click the REIMPORT KEY MATERIAL link on top of the screen. 
    2. The key material is reimported successfully.

5.0  Rotate Key in AWS CDC Group

The following section explains key rotation in an AWS CDC group. A key is rotated when you want to retire an encryption key and replace it with a newly generated cryptographic key.

5.1  Rotating AWS Native Key* with Another Native Key

*Native key is one where the key material was generated by AWS KMS.

When you rotate a virtual key in an AWS CDC group, Fortanix DSM generates a new key in the configured AWS KMS and moves the key alias from the old key to the new key. The old key remains in AWS KMS: AWS KMS ciphertexts are bound to the key ID rather than the alias, so the old key must stay enabled until data encrypted under it has been re-encrypted or is no longer needed.

To rotate a key in AWS:

  1. Select the AWS virtual key to rotate.
  2. In the detailed view of the AWS virtual key, click the ROTATE KEY button. 
  3. In the Key Rotation window, click the ROTATE KEY button to rotate the virtual key. 

    A new rotated key is now generated.

5.2  Rotate AWS Native Key to Fortanix Data Security Manager Owned Key

When an AWS virtual key whose key material is owned by AWS KMS is rotated, the user is given the option to rotate the virtual key with a Fortanix DSM-backed key. When the user selects this option and performs the rotation, a new virtual key is created, with the corresponding key in AWS KMS, which has the key material of the Fortanix DSM-backed key. As a result, the AWS virtual key is backed by a Fortanix DSM source key.

To rotate a virtual key with Fortanix DSM-backed key:

  1. Click ROTATE KEY in the detailed view of an AWS virtual key.
  2. In the Key Rotation window, select the Rotate to S-D KMS key check box.
  3. Select the Fortanix DSM group that contains the source key.
  4. Select the source key and click the ROTATE KEY button. 

The Virtual key is successfully rotated and backed by the source key. To confirm, go to the detailed view of the newly rotated AWS virtual key and click the AWS KEY DETAILS tab. The SOURCE field now points to “FortanixHSM” instead of “External”.

For details on how to set up an AWS-backed group in Fortanix DSM, refer to the User's Guide: Fortanix DSM AWS External KMS Setup.

For details on how to perform BYOK key lifecycle management in AWS KMS using Fortanix DSM, refer to the User's Guide: Fortanix DSM AWS KMS Bring Your Own Key.
