Fortanix DSM - AWS KMS BYOK (Bring Your Own Key)

1.0 Introduction

Welcome to the Fortanix Data Security Manager (DSM) and Amazon Web Services (AWS) Bring Your Own Key (BYOK) User Guide. This article describes how to perform BYOK lifecycle management in AWS KMS using Fortanix DSM.

The Fortanix solution for AWS Key Management Service (KMS) offers complete Bring Your Own Key (BYOK), as explained in this guide, as well as Cloud Native Key Management (CNKMS) and Bring your own KMS (BYOKMS), with complete lifecycle management for automation.

2.0 Getting Started with Fortanix Cloud Data Control

To understand which solution between CNKMS, BYOK, Bring Your Own KMS (AWS XKS), or Bring Your Own Encryption (BYOK) is right for you, please see Fortanix Data Security Manager Cloud Data Control Getting Started Guide.

3.0 Fortanix AWS BYOK Workflows Overview

• Generate key: Navigate to a source key in Fortanix DSM and copy the key into an AWS CDC group to create a linked key and a BYOK key in AWS KMS.
• Rotate source key: Rotate the source key that was originally generated in "Fortanix DSM” and click “rotate linked/copied keys”.
• Disable/Enable: Navigate to the detailed view of the key in the AWS CDC group and disable or enable it from Fortanix DSM.
• Schedule key deletion: AWS will not allow you to natively delete a key directly unless you explicitly schedule it for deletion and the mandatory waiting period expires (at least 7 days). Navigate to the detailed view of the key in the AWS CDC group, and in the AWS KEY DETAILS tab, schedule the key for deletion.
• Delete Key Material: This is only available for BYOK and allows you to ignore the mandatory wait time of Schedule key deletion but keeps the key ARN in place, so when you restore the Key Material, no updates need to be made to services.

4.0  Fortanix Data Security Manager AWS KMS Security Objects

After the AWS CDC group successfully connects to the AWS KMS successfully using the connection details, the keys from the AWS KMS are stored as virtual keys in the Fortanix AWS CDC group. For steps to create an AWS CDC group, refer to AWS CDC Group Setup Guide. A virtual key is a key whose key material is not present in the AWS CDC group. The key material is stored securely in the AWS KMS. The virtual key is just a pointer to the key information and key attributes, but it does not hold the key material itself.

4.1  Create a Key in AWS CDC Group

You can copy or import a key into a configured AWS CDC group.

4.1.1  Bring Your Own Key - Copy Key to AWS to Create a Linked Key

Use this option when you want to generate a key in Fortanix DSM and then import the key into the configured AWS KMS. The copy key to the AWS feature will copy a security object from one regular Fortanix DSM group to another regular/AWS CDC group. This feature has the following advantages:

• Maintains a single source of key material while copying/importing that key into various Fortanix DSM groups where applications may need to use a single key to meet business objectives.
• Maintains a link of various copies of the same key material to the source key for audit and tracking purposes. Key Rotation at the Source key even handles updating the AWS Alias
• The Linked Keys approach tends to be a bit easier to manage than AWS native Multi-Region Keys and Multi-Account Keys by handling AWS Alias updates, and showing the keys in AWS KMS where Fortanix can still disable, enable and delete keys and key material
• In AWS, the BYOK keys also further improve your security posture by allowing you to remotely delete key material from a key instantly in AWS. AWS limits your ability to delete a key by creating a 7 day “Key Undo” wait time, this is because AWS wants to protect against accidental deletion. However, with BYOK keys, AWS knows you have another copy of the key and will let you delete key material instantaneously, a great additional security measure not available with native KMS.
• Zero Trust Quorum - Key functions like disabling keys or scheduling deletion of keys can be done from Fortanix and protected by Quorum. Most customers choose to limit their IAM to only allow Fortanix and perhaps 1 “Break Glass Account” to Create, Disable/Enable, Scheduled Delete, Delete key material.

The following actions will happen as part of the copy key operation:

• A new key will be created in the target group: The new key will have the same key material as the original.
• The source key links to the copied keys: There will be a link maintained from all copied keys to the source key.
• The source key will also have basic metadata-based information about the linked keys such as:
  • Copied by <user-name/app id>
  • Date of Copy <time stamp>
  • Target copy group name

To copy a key from a regular Fortanix DSM group to an AWS group:

1. Go to the detailed view of a key and click the NEW OBJECT icon on the far right of the screen. 
2. In the menu that appears, click the COPY KEY button. 
   NOTE

   • To copy a key from a regular Fortanix DSM group to an AWS CDC group, the key must be AES 256. AWS KMS only supports AES 256 keys during copy or import operations.
   • The AES 256 key to be copied must have the “Export” permission enabled or the copy key operation will fail.
   • The COPY KEY button will be disabled for all the AWS KMS virtual keys.
3. In the COPY KEY window, update the name of the key if required.
4. Click the Import key to HSM/External KMS check box to filter the groups to show only AWS CDC groups. Select the AWS group for the new key into which the copied key should be imported.
5. Add aliases in the AWS Aliases section.
6. Update KEY PERMISSIONS if you want to modify the permissions of the key. 
7. Click CREATE COPY to create a copy of the key.
8. The source key will now appear as a key link in the KEY LINKS tab in the detailed view of the copied key. 
   NOTE

   If a user wants to maintain a copy of the key material in Fortanix DSM, then the user can import a regular AES 256 key into Fortanix DSM using the “import key” workflow and then copy this key into AWS using the “copy key” workflow.

4.1.2 Bring Your Own Key - Import Key

This action will import the configured key type in one of the configured regions directly, and it will be represented as a virtual key in the corresponding AWS CDC group. This means that the virtual key in the Fortanix AWS CDC group will point to the actual key in AWS KMS that stores the key material of this new key. The virtual key only stores the key information and key attributes, but it does not have the key material. The import action will not store a copy of the key material in Fortanix DSM.

1. Click the Security Objects  tab.
2. Click to create a new Security Object. 
3. In the Add New Security Object form enter a name for the Security Object (Key).
4. Select the This is an HSM/external KMS object check box. This will show the AWS KMS configured groups in the Select group list.
5. In the AWS group list, select the AWS CDC group into which the keys will be generated. The keys will be generated into the region that was selected in the AWS CDC group. 
6. Select IMPORT to initiate the import key in the AWS workflow.
7. Add an alias in the AWS Aliases section. Use the ADD ALIAS button if you are adding more than two aliases. 
8. Select the key type for the new AWS KMS key.
   
   NOTE

   The allowed key type for an AWS key generated using the Import Key button is only AES 256 keys.
9. Sometimes keys of type AES that need to be imported from a file were previously wrapped (encrypted) by a key from Fortanix DSM. This is done so that the key should not go over the TLS in plain text format. In such scenarios select the check box The key has been encrypted.
10. Next enter or select a Key ID or SO name in the Select Key Encryption Key section which will be used to unwrap (decrypt) the encrypted key in the file which will later be stored securely in Fortanix DSM. This key should have already been created or imported into Fortanix DSM.
11. Click UPLOAD A FILE to upload the key file in Raw, Base64, or Hex format.
12. Select the permitted key operations under Key operations permitted section.
13. Add a tag in the AWS Tags Section. Use the ADD TAG button if you are adding more than one tag. For more details refer to Section 4.4.
14. Enable the toggle for Multi-region primary key to create an AWS multi-region Primary Key. For more details, refer to Section 4.2.
15. Click IMPORT to import the key.
16. The key is successfully imported.

4.2 Multi-Region Keys

Fortanix DSM supports marking an AWS virtual key as a multi-region primary key in an AWS region so that replicas of this key can be created in other regions of AWS KMS making the primary key a multi-Region key.

The multi-Region keys are AWS KMS keys in different AWS Regions that can be used interchangeably – as though you had the same key in multiple Regions. Each set of related multi-Region keys has the same key material and key ID in AWS KMS, so you can encrypt data in one AWS Region and decrypt it in a different AWS Region without re-encrypting or making a cross-Region call to AWS KMS. You can use multi-Region keys in all cryptographic operations that you can do with single-Region keys.

4.3 Sync Keys

When you edit the AWS connection details in the AWS group detailed view under HSM/KMS tab, click SYNC KEYS to import new keys. On clicking SYNC KEYS, Fortanix DSM connects to AWS and gets all the keys available. Fortanix DSM then stores them as virtual keys.

4.4 Attributes/Tags Tab

This tab will have all the attributes and tags of the AWS key. A tag is an optional metadata label that you can assign to an AWS resource. You can add new tags using the NEW TAG button and add custom attributes by using the ADD CUSTOM ATTRIBUTE button. These are user-defined security object attributes that can be added to the security object’s metadata.

4.5 AWS Key Details

This tab displays details of the AWS key aliases, Key ARN for Key ID, and the AWS key policy. 

If the AWS virtual key is a multi-region primary key, then the Key ARN section will also display the key ARNs of the replica keys.

If the AWS virtual key is a multi-Region replica key, then the Key ARN section will also display the key ARN of the primary key.

The AWS KEY DETAILS tab also contains SCHEDULE KEY DELETION and DELETE KEY MATERIAL options which are explained in Section 4.7 and Section 4.9, respectively.

4.6 Security Objects Table View

After you add new AWS keys, go to the Security Objects page to view all the security objects from all the groups (AWS and non-AWS).

In the security object table, you will notice that every key belongs to a group and some keys which are virtual keys added from an AWS, belongs to a group with a special symbol . The security objects table view will continue to show all the keys irrespective of if they belong to an AWS group or not.

4.7 Schedule to Delete a Key in AWS KMS

When you delete a key from an AWS KMS, the action will delete the actual key in the configured AWS and will appear as disabled in the security objects table.

To delete a key from an AWS KMS:

1. Go to the detailed view of an AWS virtual key and select the AWS KEY DETAILS tab.
2. Click the link SCHEDULE KEY DELETION. 
3. In the Schedule Key Deletion in the AWS KMS window, enter a waiting period (in days) to verify whether you still need the AWS key.
4. Click SCHEDULE KEY DELETE button to mark the key for deletion. 
5. You can cancel the key deletion any time before the waiting period ends using the CANCEL KEY DELETION IN AWS link on the top of the screen in the detailed view of the virtual key.

After the key is permanently deleted from AWS KMS, the Delete Key button is enabled in the detailed view of the virtual key in Fortanix DSM.

4.8  Delete a Key in AWS Group

When you delete a key from an AWS CDC group, the action will only delete the virtual key in Fortanix DSM and will not delete the actual key in the configured AWS.

To delete a virtual key:

1. Select the AWS key to delete.
2. In the security object detailed view, scroll down and click the DELETE KEY button.

4.9  Delete Key Material in AWS KMS

When an AES 256 key is copied into AWS KMS from Fortanix DSM, the key material is stored in two places, the source key in the regular Fortanix DSM group and in the configured AWS KMS for a specific account and region. This key is represented as a virtual key in the AWS CDC group.

A virtual key is only a virtual representation of the actual AWS KMS key that contains the key information and key attributes; however, this virtual key does not contain the key material. Users may want to delete the key material from the configured AWS KMS to maintain a single copy of key material stored securely in the source key in the regular Fortanix DSM group.

To delete the key material:

1. Go to the detailed view of a virtual key in the AWS CDC group and select the AWS KEY DETAILS tab.
2. Click the DELETE KEY MATERIAL link to delete the key material in AWS KMS. 
3. In the Delete Key Material in AWS KMS window, click the DELETE KEY MATERIAL button. 
   The status of the key in the AWS KMS changes to “Pending import”.
4. After the key material is deleted from AWS KMS, it can be reimported back into AWS KMS to reverse the key material deletion. To reimport the key material:
   1. Go to the detailed view of the virtual key and click the REIMPORT KEY MATERIAL link on top of the screen. 
   2. The key material is reimported successfully.

5.0  Rotate Key in AWS CDC Group

The following section explains the Key Rotation in AWS CDC group. A Key is rotated when you want to retire an encryption key and replace that old key by generating a new cryptographic key.

5.1  Rotating Keys in Fortanix Data Security Manager Source Group

When a key is rotated that belongs to a Fortanix DSM source group and has linked keys that are copies of the Fortanix DSM source key with the same key material as the source key, then the user is given the option to select the linked keys for key rotation. If these linked keys belong to an AWS group, then rotating the linked keys results in rotating the keys in AWS KMS as well by generating new keys within the configured AWS KMS and by moving the aliases from old to new keys.

1. Click ROTATE KEY in the detailed view of a Fortanix DSM Source Key.
2. In the KEY ROTATION window, select the Rotate linked keys check box.
3. Select the AWS Virtual Keys that need to be rotated along with the Fortanix DSM source key and click the ROTATE KEYS button.
   NOTE

   In the KEY ROTATION window, if the user edits the default Key Size of the Source key from AES 256 to a new value, then selecting the “Rotate linked key “ option disables the AWS virtual keys. AWS KMS only supports AES 256 keys. Linked keys that are not AWS KMS keys will still be available for rotation with the new key size value.
4. After the keys are rotated, click the OK button. 

You can also schedule a key rotation policy for the Fortanix DSM source key such that the linked AWS KMS keys that are copies of the source keys are also periodically rotated automatically.
To schedule a key rotation policy for the source key:

1. Go to the detailed view of the source key in the Fortanix DSM UI.
2. In the detailed view, click the KEY ROTATION tab and click the ADD POLICY
3. Enter the key rotation schedule by specifying the rotation frequency, start date, and time.
4. To deactivate the old key after key rotation, select the Deactivate original key after the rotation check box.
5. To rotate the linked copied keys, select the Rotate all copied keys check box.
6. Click SAVE POLICY to save the policy.

For more information on the key rotation policy, refer to theUser’s Guide: Key Lifecycle Management.

5.3  Rotate AWS Native Key to Fortanix Data Security Manager Owned Key

When an AWS virtual key whose key material is owned by AWS KMS is rotated, the user is given the option to rotate the virtual key with a Fortanix DSM-backed key. When the user selects this option and performs the rotation, a new virtual key is created, with the corresponding key in AWS KMS, which has the key material of the Fortanix DSM-backed key. As a result, the AWS virtual key is backed by a Fortanix DSM source key.

To rotate a virtual key with Fortanix DSM-backed key:

1. Click ROTATE KEY in the detailed view of an AWS virtual key.
2. In the Key Rotation window, select the Rotate to S-D KMS key check box.
3. Select the Fortanix DSM group that contains the source key.
4. Select the source key and click the ROTATE KEY button. 

The Virtual key is successfully rotated and backed by the source key. To confirm, go to the detailed view of the newly rotated AWS virtual key and click the AWS KEY DETAILS tab. The SOURCE field now points to “FortanixHSM” instead of “External”.

For details on how to set up an AWS-backed group in Fortanix DSM, refer to the User's Guide: Fortanix DSM AWS External KMS Setup.

For details on how to perform native key lifecycle management in AWS KMS using Fortanix DSM, refer to the User's Guide: Fortanix DSM AWS KMS Cloud Native Key Management.