Using Fortanix Data Security Manager with Venafi - HSM

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with Venafi. It covers adding Fortanix as an HSM connector within Venafi and then using that connector to protect the Venafi Trust Protection Platform (TPP) database with an AES256 key stored in the Fortanix HSM.

It also contains the information that a user requires to:

  • Create a group, an app, and a security object in Fortanix DSM.
  • Install Fortanix DSM Client on Venafi TPP.
  • Configure Venafi.

2.0 Using Fortanix DSM with Venafi TPP Database

In the Venafi TPP database, encryption starts with a software key called the Data Encryption Key (DEK). The Venafi node that performs the encryption saves this DEK in the Windows registry. The DEK is then itself encrypted with a Master Key, also known as the Key Encryption Key (KEK), which is generated and stored within the Fortanix HSM.

This two-layer scheme keeps the key that protects the DEK separate from the data and outside the TPP network. That separation strengthens the overall security posture and helps meet stringent security regulations and data protection standards.

2.1 Product Versions Tested

The following product versions were tested:

  • Fortanix DSM version 4.26
  • Venafi TPP version 23.2

3.0 Create an App

Perform the following steps to create an app in the Fortanix DSM:

  1. Log in to the Fortanix DSM UI.
  2. Click the Groups tab. On the Groups page, click the plus icon to create a new group.
    Figure 1: Create a Group in DSM
  3. Click the Apps tab. On the Apps page, click the "Create a new app" (plus) icon to create a new app.
    Enter the following information:
    • App name: The name that identifies the Venafi app.
    • Authentication method: This can be left at the default, API Key.
    • Group: The logical container for the keys created and owned by the Venafi cluster.
  4. Click Save to complete creating the application.
    Figure 2: Create New App
  5. Note down the application's API Key for later use: go to the detailed view of the app and click COPY API KEY, as shown below.
    Figure 3: Copy App API key

4.0 Install Fortanix DSM Client

Perform the following steps to install the Fortanix DSM client on the Venafi TPP:

NOTE
The following steps must be executed on every Venafi TPP node. Each node must communicate with Fortanix DSM and authenticate using the API key generated in the previous section.

  1. Log in to the Venafi TPP node using the service account assigned to Venafi.
  2. Install the Fortanix DSM Client software. For the steps to download and install the MSI, refer to the Microsoft CNG Provider Client Developers documentation.
    To configure the Fortanix DSM Client with the app (API key) authentication method, refer to the section "API Key-Based Authentication" in the Microsoft CNG Provider Client Developers guide.

4.1 Configure Venafi

Perform the following steps to configure Venafi:

  1. Open the Venafi Configuration Console.
    Figure 4: Venafi configuration console
  2. Click Connectors under the Venafi Configuration menu to create a connector.
    Figure 5: Create a connector
  3. Under Connectors, click Create HSM Connector.
    Figure 6: Create HSM connector
  4. Enter the following information:
    1. Name – user defined.
    2. Cryptoki Dll Path – enter the PKCS#11 module path.
       Default: C:\Program Files\Fortanix\KmsClient\FortanixKmsPkcs11.dll
    3. Click Load Slots to load the available slots.
    4. Select Slot 0 from the drop-down menu.
    5. Select User Type Crypto Officer (User) from the drop-down menu.
    6. In the Pin field, enter the Fortanix API Key for Venafi that you copied in Section 3.0: Create an App.
  5. Click Verify.
    Figure 7: Create new HSM connector

4.2 Create a New AES256 Key

Perform the following steps to create the key in Venafi:

  1. Click New Key to create a new key.
  2. In the Create New HSM Key window, enter a Name for the key and click Create.
    Figure 8: Create AES 256 key
  3. Click the Create button again to complete the key creation process.
    Figure 9: Key created
  4. Verify that the new HSM configuration is listed under Encryption Connectors.
    Figure 10: HSM configuration listed

4.3 Rotate Encryption Keys

Rotating encryption keys re-encrypts every object that was encrypted with the designated key, automatically and in one pass. This includes certificates, private keys, SSH keys, symmetric keys, and all credentials.

This option lets organizations that already have secrets encrypted with the software key migrate to an HSM-based key in a single action. It is also how organizations perform the periodic key rotation they are required to do.

NOTE
These steps can take a considerable amount of time, depending on the size of your database, because every object is decrypted and re-encrypted with the new key material.

Perform the following steps:

  1. On the Venafi Configuration Console, click Connectors, then Rotate TPP System Protection Key.
  2. Enter a New key name and, in the HSM Connector menu, select the connector where the new encryption key will be stored.
  3. In the Rotate Keys On drop-down menu, select one of the following:
    • Any available server: the first available TPP server in the cluster performs the rotation. This is the recommended selection.
    • A specific server: if one TPP server has notably lower latency to both the database and the HSM, select that server.
      In either case, a single server rotates the keys in the database, and all other servers are informed of the new key.
  4. If you are rotating from a software key to a hardware key, select the Disable software encryption option so that the software key is no longer used.
  5. Click the Rotate button.
    NOTE
    This process may take a while. You can close the Rotate System Protection Key window, and the rotation will continue to run in the background.
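To make the two-layer design concrete, here is an added Go model (not Venafi's or Fortanix's code) of the DEK/KEK hierarchy described in Section 2.0 and of the rotation in Section 4.3. It assumes an in-memory 32-byte key standing in for the KEK that the real deployment keeps inside the Fortanix HSM, and uses AES-GCM for both the object encryption and the DEK wrapping; the wrapping mode Venafi actually uses is not stated on this page.

```go
package main

import "crypto/aes"
import "crypto/cipher"
import "crypto/rand"

func gcm(key []byte) cipher.AEAD { // AES-GCM; a 32-byte key gives AES-256
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	return g
}
func seal(key, pt []byte) []byte { // a random 12-byte nonce is prepended
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return gcm(key).Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	return gcm(key).Open(nil, ct[:12], ct[12:], nil)
}
// Protect models section 2.0: a fresh software DEK seals every object; the only
// key material stored is the DEK wrapped under the HSM-held KEK. Constructed.
func Protect(kek []byte, plaintexts [][]byte) (wrappedDEK []byte, objects [][]byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	for _, p := range plaintexts {
		objects = append(objects, seal(dek, p))
	}
	return seal(kek, dek), objects
}
// Rotate models section 4.3: unwrap the DEK with the old KEK, decrypt every
// object and re-protect all of it under the new KEK; a wrong old KEK fails first.
func Rotate(oldKEK, newKEK, wrappedDEK []byte, objects [][]byte) ([]byte, [][]byte, error) {
	dek, err := open(oldKEK, wrappedDEK)
	if err != nil {
		return nil, nil, err
	}
	var plain [][]byte
	for _, obj := range objects {
		p, err := open(dek, obj)
		if err != nil {
			return nil, nil, err
		}
		plain = append(plain, p)
	}
	w, o := Protect(newKEK, plain)
	return w, o, nil
}
```

The wrapped DEK is the value that, in the real design, lives in the Windows registry and is useless without the HSM-held KEK; `open` relies on the 12-byte nonce prefix that `seal` writes, so production code should length-check its input before slicing.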
