This article describes the configuration steps required on Fortanix Data Security Manager (DSM) and Sixscape’s IDcentral Key Management platform to securely escrow S/MIME encryption key pairs using Sixscape Email Security Suite and IDcentral Identity Registration platform.
This integration requires the following:
- Fortanix PKCS#11 client. You can download the latest version from here.
- Fortanix app API Key to configure IDcentral Key Management Platform. Refer to Section 4.0: Configure Fortanix DSM for more details.
- IDcentral Identity Registration Platform (IRP) installed in the enterprise network and configured with the required issuing CA connection and certificate profile to generate the S/MIME certificates.
- IDcentral Key Management must be installed and configured with IDcentral IRP.
- End-user devices should be installed with Sixscape’s Email Security Suite Add-In.
The following image illustrates the workflow:
Figure 1: DSM with IDcentral workflow
4.0 Configure Fortanix DSM
Perform the following steps to configure the IDcentral Key Management Platform:
- Create an account in Fortanix DSM if you do not have one already.
- Create a new group in the account created in Step 1, for example “IDcentral Key Management”, for storing the Escrow Key Manager’s keys.
- Create an application (app) in Fortanix DSM in the group created in Step 2 and copy the API key of the app:
  - In your Fortanix DSM account, go to the Apps tab and create a new app in the group created in Step 2.
  - After the app is created, click COPY API KEY to copy the API key and save it in a notepad.
Refer to User's Guide: Getting Started with Fortanix Data Security Manager – UI for more details.
- Install the Fortanix PKCS#11 client on the Windows server where IDcentral Key Management is installed.
- Configure the Fortanix PKCS#11 client using the steps described in the Fortanix PKCS#11 documentation.
5.0 Configure IDcentral Key Management
The following sections describe the steps required to integrate IDcentral Key Management with Fortanix DSM.
5.1 Configure Crypto Token
Perform the following steps to add the Fortanix DSM as a PKCS#11 cryptographic token in IDcentral Key Management:
- Log in to the IDcentral Key Management Snap-In and navigate to Crypto Tokens to add a new token.
Figure 2: Add New Token
- On the Add Token Configuration page, select the key store type as HSM PKCS#11 Keystore and enter a name for the token configuration.
- Click the file upload icon to browse the Fortanix DSM PKCS#11 DLL file.
- After the correct DLL file is selected, the available token slots appear in the Token drop-down menu. Select the required token slot.
- Enter the Token PIN. This value is the Fortanix DSM API Key created in Section 4, Step 3.
- Click the Save button to save the configuration.
Figure 3: Token Configuration
5.2 Create Encryption Key Manager
This section describes the steps to create and activate an Encryption Key Manager (EKM) after the crypto token is added to IDcentral Key Management. This process involves the creation of an asymmetric key pair and a certificate for the key manager in the Fortanix DSM. The end-user’s S/MIME encryption keys are securely wrapped and escrowed using the Key Manager’s keypair, which is securely protected inside the Fortanix DSM.
Perform the following steps to add a new Key Manager:
- Log in to the IDcentral Key Management Snap-In and navigate to Key Managers > Add Key Manager.
- Enter a name for the key manager in the Manager Name field.
- Enter a subject distinguished name (DN) for the Key Manager in the General Information section.
- In the Private Key Specification section, select Encryption as the Intended Purpose of the Key Manager.
- From the Key Algorithm drop-down menu, select the appropriate key algorithm.
- From the Key store type drop-down menu, select HSM PKCS#11 Keystore, and select the newly added Fortanix DSM Keystore in the Keystore field.
- Click the Save button and provide the Keystore PIN, which is the Fortanix DSM PKCS#11 PIN (API Key), to create the Key Manager.
Figure 4: Add Key Manager
- After the Key Manager is added successfully, click the Download CSR button to export the PEM CSR file for the newly created encryption Key Manager.
Figure 5: Download CSR
You should also be able to view the newly generated security object in the Security Objects table in Fortanix DSM UI.
Figure 6: DSM Security Key Object
5.3 Activate Encryption Key Manager
This section describes the steps to activate the encryption key manager by requesting a digital certificate from a CA and importing it into Fortanix DSM. The issuance of the key manager certificate by the CA is out of the scope of this article. Refer to the respective CA documentation on how to request a digital certificate for a Key Escrow Manager from the CA.
- After the certificate has been generated, log in to the IDcentral Key Management, navigate to Key Managers, select the key manager, and then click the View button.
- Click the Upload Certificate button and select the certificate file to import the key manager certificate.
Figure 7: Import Key Manager Certificate
A prompt is displayed on the screen for the keystore PIN. Provide the Fortanix DSM PKCS#11 PIN (API Key) to authenticate and reassociate the certificate with the keypair of the key manager.
- After the successful import of the certificate, the new encryption key manager will be activated and is ready to receive secure key escrow and key recovery requests from clients.
Figure 8: Encryption Key Manager Activated
6.0 Certificate Enrolment using Email Security Suite
After the necessary backend configurations have been completed, end-user devices can be provisioned with Sixscape’s Email Security Suite (ESS). ESS is available for all major operating system platforms, enabling enterprise users to seamlessly request S/MIME certificates for secure, digitally signed, and encrypted email communication. ESS automates the complete lifecycle management of S/MIME digital certificates, including certificate requests, renewals, key storage, key escrow, and revocation.
This article focuses on ESS for Microsoft Outlook on the Windows platform. Note that the deployment of ESS to user’s devices is beyond the scope of this article. For technical assistance with deployment, contact your respective system administrator.
After the successful deployment of ESS to the user’s device, the ESS ribbon button is displayed in the Outlook Explorer ribbon, as shown in the following image:
Figure 9: ESS Ribbon
Perform the following steps:
- Compose a new email to any recipient and click the Send button.
- At this stage, the ESS Add-in checks whether you have a valid S/MIME certificate for digitally signing and encrypting the email and, if not, prompts you to request a new S/MIME certificate.
- Click the Request Certificate button.
Figure 10: Request Digital Certificate
- In the next screen, authenticate using your enterprise authentication credentials, such as your Active Directory credentials.
Figure 11: Authentication Details
- After the authentication is successful, ESS will automatically generate key pairs and a CSR as specified in the certificate profile, and the CSR will be submitted to IDcentral IRP to request the S/MIME certificate from the configured certifying authority.
- After the certificate is received, ESS will reassociate the certificate with the key pair, publish the public certificate to the Global Address Book, securely escrow the encryption key and certificate using the Encryption Key Manager protected by Fortanix DSM, and finally install the certificate in the user certificate store as non-exportable.
- After the entire certificate process is completed, click the Done button, and send the first signed email.
Figure 12: Certificate Installed
- The user’s escrowed encryption keys can be located under the Key Archives section of the IDcentral Key Management Service.
Figure 13: Encryption Keys
7.0 Manual Recovery by Administrator
According to organizational policies or the law, enterprises must keep the email communications of their former employees for a specific amount of time for legal and compliance purposes. This, in turn, means that any encrypted data, including encrypted email communications, must be recoverable while simultaneously being protected from unauthorized access. Furthermore, the loss of the private key could result in data loss; hence, a secure escrow mechanism should be set up to seamlessly and securely protect the email encryption keys and certificates. Security can be further enhanced by enabling hardware-based security, such as a hardware security module (HSM), to protect the encryption private keys.
Sixscape’s IDcentral Key Management, integrated with Fortanix DSM, provides a secure escrow mechanism that seamlessly protects users’ email encryption private keys. This is accomplished by wrapping them with an Escrow Key Manager key and certificate, both of which are kept inside the Fortanix DSM.
This section outlines the steps for manually recovering the full key history of an end-user if the employee has left the organization.
- Log in to IDcentral Key Management Administrator Snap-In and navigate to Key Archives.
- Type the relevant email address in the Search Bar to look for the user’s key archive.
- Select the user’s record to expand and view the key history.
Figure 14: Key History
- Click the Recover icon in the header row to export the complete key history to a single PKCS#12 file.
Figure 15: Export Key History
- Enter the Fortanix DSM Keystore PIN (API Key) and click the OK button.
Figure 16: Keystore PIN
- After the authentication is successful, the administrator will be prompted to set a passphrase for the exported PKCS#12.
Figure 17: Passphrase
The exported PKCS#12 will be successfully recovered and exported to the
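As an added illustration (not code from this article, Sixscape or Fortanix), the escrow scheme that Sections 5.2 and 7.0 describe, reduced to its cryptographic core: the user’s S/MIME encryption private key is wrapped to the Encryption Key Manager’s public key, only the EKM private key can unwrap it, and administrator recovery ends in a passphrase-protected PKCS#12. The page does not specify IDcentral’s actual wrapping format, so the hybrid RSA-OAEP/AES-GCM construction, the software-held EKM key pair and the passphrase are assumptions of this example (Python, `cryptography` library).

```python
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.serialization import pkcs12

# Assumption: the EKM key pair is a software key here; in the article it is
# generated inside Fortanix DSM through PKCS#11 and never leaves the HSM.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
AAD = b"smime-encryption-key"  # ties the wrapped blob to its purpose

def escrow_user_key(user_priv, ekm_pub):
    """Wrap a user's S/MIME encryption private key for the Escrow Key Manager:
    a fresh AES-256-GCM KEK protects the PKCS#8 key, and only the KEK is
    RSA-OAEP-encrypted to the EKM public key (taken from its certificate)."""
    pkcs8 = user_priv.private_bytes(serialization.Encoding.DER,
                                    serialization.PrivateFormat.PKCS8,
                                    serialization.NoEncryption())
    kek, nonce = AESGCM.generate_key(bit_length=256), os.urandom(12)
    return {"wrapped_kek": ekm_pub.encrypt(kek, OAEP), "nonce": nonce,
            "wrapped_key": AESGCM(kek).encrypt(nonce, pkcs8, AAD)}

def recover_user_key(record, ekm_priv):
    """Unwrap with the EKM private key (in the article, an RSA decrypt done
    inside DSM after the PKCS#11 PIN/API-key login); any other key fails."""
    kek = ekm_priv.decrypt(record["wrapped_kek"], OAEP)
    pkcs8 = AESGCM(kek).decrypt(record["nonce"], record["wrapped_key"], AAD)
    return serialization.load_der_private_key(pkcs8, password=None)

def export_pkcs12(user_priv, passphrase):
    """Administrator recovery: release the key only inside a passphrase-
    protected PKCS#12 (the user certificate is omitted in this model)."""
    return pkcs12.serialize_key_and_certificates(
        b"recovered-smime-key", user_priv, None, None,
        serialization.BestAvailableEncryption(passphrase))

def same_key(a, b):
    return a.public_key().public_numbers() == b.public_key().public_numbers()

def demo(passphrase=b"constructed-passphrase"):
    """Escrow, recover and export one constructed user key; True on success."""
    ekm = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    user = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    recovered = recover_user_key(escrow_user_key(user, ekm.public_key()), ekm)
    key, _, _ = pkcs12.load_key_and_certificates(
        export_pkcs12(recovered, passphrase), passphrase)
    return same_key(user, recovered) and same_key(user, key)
```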