1.0 Introduction
This article describes how to integrate Fortanix Data Security Manager (DSM) with Venafi. The integration covers the steps to add Fortanix as a Hardware Security Module (HSM) connector within Venafi and then use that connector to secure the Venafi Trust Protection Platform (TPP) database with an AES256 key stored within the Fortanix HSM.
It also contains the information that a user requires to:
Create a group, application, security object in Fortanix DSM.
Install Fortanix DSM Client on Venafi TPP.
Configure Venafi.
2.0 Using Fortanix DSM with Venafi TPP Database
In the Venafi TPP database, encryption begins with a software key referred to as the Data Encryption Key (DEK). The Venafi node that performs the encryption saves this DEK in the Windows registry. The DEK is then itself encrypted with a Master Key, also known as the Key Encryption Key (KEK), which is generated and securely stored within the Fortanix HSM.
This two-layer scheme raises the level of security and helps meet stringent security regulations and data protection standards, because the key that protects the data is stored separately from the data and outside the network.
3.0 Product Versions Tested
The following product versions were tested:
Fortanix DSM version 4.26
Venafi TPP version 23.2
4.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
4.1 Signing Up
To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
4.2 Creating an Account
Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

Figure 1: Logging In
4.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
Click the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to add a new group.
Figure 2: Add Groups
On the Adding new group page, enter the following details:
Title: Enter a title for your group.
Description (optional): Enter a short description for the group.
Click the SAVE button to create the new group.
The new group has been added to the Fortanix DSM successfully.
4.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
Click the Apps menu item in the DSM left navigation bar and click the + button on the Apps page to add a new app.
Figure 3: Add Application
On the Adding new app page, enter the following details:
App name: Enter the name of your application.
ADD DESCRIPTION (optional): Enter a short description for the application.
Authentication method: Select the default API Key as the method of authentication from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication documentation.
Assigning the new app to groups: Select the group created in Section 4.3: Creating a Group from the list.
Click the SAVE button to add the new application.
The new application has been added to the Fortanix DSM successfully.
4.5 Copying the API Key
Perform the following steps to copy the API key from the Fortanix DSM:
Click the Apps menu item in the DSM left navigation bar and click the app created in Section 4.4: Creating an Application to go to the detailed view of the app.
On the INFO tab, click the VIEW API KEY DETAILS button.
From the API Key Details dialog box, copy the API Key of the app to be used later.
5.0 Install Fortanix DSM Client
Perform the following steps to install the Fortanix DSM client on the Venafi TPP:
NOTE
The following steps must be executed on every Venafi TPP node. Each node should establish communication with Fortanix DSM and authenticate using the API key generated in the previous section.
Perform the following steps:
Log in to the Venafi TPP node using the service account assigned to Venafi.
Install the Fortanix DSM Client software.
To know the steps for downloading and installing the MSI from the URL, refer to the Microsoft CNG Provider Client Developers documentation.
To configure the Fortanix DSM Client using the app authentication method, refer to the section API Key-Based Authentication in the Microsoft CNG Provider Client Developers guide.
5.1 Configure Venafi
Perform the following steps to configure Venafi:
Open the Venafi Configuration Console.
Figure 4: Venafi configuration console
Click Connectors under the Venafi Configuration menu to create a Connector.
Figure 5: Create a connector
Under Connectors, click Create HSM Connector.
Figure 6: Create HSM connector
Enter the following information:
Name – (user defined)
Cryptoki Dll Path – Enter the PKCS#11 path
Default – C:\Program Files\Fortanix\KmsClient\FortanixKmsPkcs11.dll
Click Load Slots to load the available slots.
Select Slot 0 from the drop-down menu.
Select User Type Crypto Officer (User) from the drop-down menu.
In the Pin field, enter the Fortanix API Key for Venafi that you copied in Section 4.5: Copying the API Key.
Click Verify.
Figure 7: Create new HSM connector
5.2 Create a New AES256 Key
Perform the following steps to create the key in Venafi:
Click New Key to create a new key.
In the Create New HSM Key window, enter a Name for the key and click Create.
Figure 8: Create AES 256 key
Click the Create button again to complete the key creation process.
Figure 9: Key created
Now, verify that the new HSM configuration is listed under Encryption Connectors.
Figure 10: HSM configuration listed
5.3 Rotate Encryption Keys
Rotating encryption keys automatically re-encrypts all protected objects with the newly designated encryption key. This covers certificates, private keys, SSH keys, symmetric keys, and all credentials.
This option lets organizations that already have secrets encrypted with the software key migrate to an HSM-based key in a single action. Organizations must also rotate their encryption keys periodically.
NOTE
These steps may take a considerable amount of time depending on the size of your database, because every object is decrypted and re-encrypted with the new key material.
Perform the following steps:
On the Venafi Configuration Console, click Connectors → Rotate TPP System Protection Key.
Enter a New key name and in the HSM Connector menu, select the location where you want the new encryption key to be stored.
In the Rotate Keys On drop-down menu, select one of the following:
Any available server: the first available TPP server in the cluster performs the rotation. This is the recommended selection.
A specific server: if one TPP server has notably lower latency to the database and to the HSM, select that server.
The keys are rotated in the database by a single server, and all other servers are notified of the new key.
If you are rotating your key from software to hardware, select the Disable software encryption option to ensure that the software key is no longer used.
Click the Rotate button.
NOTE
This process may take a while. You can close the Rotate System Protection Key window, and the rotation will continue to run in the background.
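The following is an added example, not Fortanix or Venafi code, that models the DEK/KEK envelope scheme from Section 2.0 and the rotation from Section 5.3: a simulated HSM that never releases its KEK bytes, a wrapped DEK held in a registry-like dictionary, objects encrypted under the DEK, and a rotation that re-encrypts every object under a fresh DEK wrapped by a new KEK. The cipher is an HMAC-SHA256 encrypt-then-MAC stream construction standing in for the AES-256 used by the real products, chosen only so the script runs with the Python standard library; all key names and sample data are constructed.

```python
import hashlib, hmac, secrets

def _stream(key, nonce, n):                      # HMAC-SHA256 counter-mode keystream (AES stand-in)
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key, plaintext):                     # encrypt-then-MAC: 16-byte nonce || ct || 32-byte tag
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class SimulatedHsm:
    """Stand-in for Fortanix DSM: KEK bytes never leave this object, only wrap/unwrap are exposed."""
    def __init__(self):
        self._keks = {}
    def create_kek(self, name):
        self._keks[name] = secrets.token_bytes(32)          # AES-256-sized master key (KEK)
    def wrap(self, name, dek):
        return encrypt(self._keks[name], dek)
    def unwrap(self, name, wrapped):
        return decrypt(self._keks[name], wrapped)

class SecretStore:
    """TPP side: the wrapped DEK lives in the 'registry'; objects are encrypted under the DEK."""
    def __init__(self, hsm, kek_name):
        self.hsm, self.kek_name, self.objects = hsm, kek_name, {}
        self.registry = {"dek": hsm.wrap(kek_name, secrets.token_bytes(32))}
    def _dek(self):                                         # unwrapped on each use, never persisted in clear
        return self.hsm.unwrap(self.kek_name, self.registry["dek"])
    def put(self, obj_id, data):
        self.objects[obj_id] = encrypt(self._dek(), data)
    def get(self, obj_id):
        return decrypt(self._dek(), self.objects[obj_id])
    def rotate(self, new_kek_name):
        """Section 5.3 rotation: one node re-encrypts every object under a fresh DEK wrapped by the new KEK."""
        old_dek, new_dek = self._dek(), secrets.token_bytes(32)
        self.objects = {k: encrypt(new_dek, decrypt(old_dek, v)) for k, v in self.objects.items()}
        self.registry["dek"] = self.hsm.wrap(new_kek_name, new_dek)
        self.kek_name = new_kek_name
        return len(self.objects)                            # number of objects re-encrypted

def demo():                                                 # constructed walk-through: protect, rotate, read back
    hsm = SimulatedHsm()
    hsm.create_kek("venafi-kek-old")
    store = SecretStore(hsm, "venafi-kek-old")
    store.put("cert-1", b"-----BEGIN PRIVATE KEY----- constructed sample")
    hsm.create_kek("venafi-kek-new")
    return store.rotate("venafi-kek-new"), store.get("cert-1")
```

After rotation the old wrapped DEK in the registry is useless without the old KEK, which is why the rotation must finish on every object before the previous key is retired.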
6.0 Reference Documents
Creating a HSM (Cryptoki) connector (venafi.com)
Rotate Secret Store encryption keys (venafi.com)
Configuring the root encryption driver (venafi.com)
Rotate the System Protection Key (venafi.com)