Using Fortanix Data Security Manager with Pure Storage

1.0 Introduction

This document describes how to integrate Fortanix Data Security Manager (DSM) with Pure Storage FlashArray so that the array's Rapid Data Locking (RDL) feature uses an external key held in Fortanix DSM and retrieved over KMIP, with mutually authenticated TLS between the array and DSM.

2.0 Fortanix DSM with Pure Storage

Encryption of data at rest on Pure Storage FlashArray is handled by an internal mechanism that operates transparently and removes key-management responsibility from users: keys are rotated automatically, regenerated periodically, and held as unreadable partitioned keys distributed across the FlashArray flash modules. Reconstructing data from an array that has been stolen in its entirety would require physical access to most of the array's modules, recovery of all key shares partitioned across those modules, and a thorough understanding of the hidden logical structure of the internal databases.


To encrypt data, FlashArray employs three interconnected layers of internal keys, described in Section 2.1. The Array Key is generated from a random secret and split across multiple SSDs, so that recreating the current access keys requires at least half of the array's drives plus two more. SSD keys are never exposed on any array interface, and no single SSD holds a complete encryption key.

2.1 Key Details

  • Array Key
    • Created at array initialization.
    • Distributed across SSDs using a secret sharing algorithm.
    • Changed every 24 hours, as well as during configuration changes.
  • Solid State Device (SSD) Key
    • Generated at boot from a hash of the Array Key and the SSD's own key.
    • Unique per device (NVRAM and SSD).
    • Cannot be read back.
  • Data Encryption Key
    • Stored, partitioned, on the SSD itself, so the SSDs must be unlocked before it is available.
    • Wrapped (armored) by the Array Key using AES-256 key wrap.
    • Cannot be read back.
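The threshold property behind "at least half of the array drives plus two more" is worth seeing in code. The following stand-alone Python example is added here and is not Pure Storage's or Fortanix's implementation: it uses textbook Shamir secret sharing over a prime field to split a simulated 128-bit Array Key across n drive slots with threshold n//2 + 2, then shows that the threshold number of shares recovers the key while one fewer share yields nothing useful. Pure Storage does not publish which secret-sharing scheme Purity uses, so Shamir, the field size and the drive count are illustrative assumptions.

```python
import secrets

# 2^127 - 1 is prime; the field comfortably holds a 128-bit key share as one element.
PRIME = 2**127 - 1


def reconstruction_threshold(n_drives):
    """Shares needed to rebuild the key: 'at least half of the array drives plus two more'."""
    return n_drives // 2 + 2


def split_secret(secret, n_shares, threshold):
    """Shamir split: sample a random degree-(threshold-1) polynomial with f(0) = secret
    and hand out its value at x = 1..n_shares (x = 0 is never a share)."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if not 1 < threshold <= n_shares:
        raise ValueError("need 1 < threshold <= n_shares")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            acc = (acc * x + c) % PRIME
        return acc

    return [(x, f(x)) for x in range(1, n_shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0. Given at least `threshold` distinct shares this
    is the secret; given fewer, it is a uniformly random field element."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def simulate_array(n_drives=20, drives_lost=None):
    """Split a fresh random 128-bit array key across n_drives and report whether an
    attacker holding the first `drives_lost` drives (default: exactly the threshold)
    can rebuild it."""
    threshold = reconstruction_threshold(n_drives)
    array_key = secrets.randbits(128) % PRIME
    shares = split_secret(array_key, n_drives, threshold)
    held = threshold if drives_lost is None else drives_lost
    recovered = recover_secret(shares[:held]) == array_key
    return {"n_drives": n_drives, "threshold": threshold,
            "drives_held": held, "key_recovered": recovered}


if __name__ == "__main__":
    print(simulate_array(20))                  # 12 of 20 drives: key recovered
    print(simulate_array(20, drives_lost=11))  # 11 of 20 drives: nothing learned
```

Note that the scheme gives no partial information: an attacker with threshold - 1 drives is exactly as well off as one with none, which is why the page's threat model concentrates on physical access to "most of the array modules" rather than on any single SSD. Rotating the Array Key (the page says every 24 hours) simply re-runs the split with a new secret, invalidating every old share at once.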

3.0 Definitions

  • Rapid Data Locking (RDL): To protect the array even in the unlikely event of its total loss to a highly skilled intruder with in-depth product-specific knowledge, Pure Storage offers Rapid Data Locking, which makes unlocking the flash modules depend on an external key supplied through one of two optional key technologies.
  • USB-connected Spyrus Rosetta II smartcards (YubiKey): Removing the smartcard and then removing power from the array locks the FlashArray completely; the data cannot be recovered without the card.
  • Key Management Interoperability Protocol (KMIP) remote key server: RDL introduces a secondary key, controlled by the user and served by a KMIP server such as Fortanix DSM, that is required to unlock the array's flash modules. The array fetches this key from the KMIP server at power-on; locking the array down consists of revoking the remote key and powering the system off. Without access to the server (or to the key), the flash modules remain locked and cannot be unlocked when the array is powered on.

4.0 Prerequisites

Ensure the following:

5.0 Product Version Tested

  • Fortanix has tested this integration on Purity OS versions 6.3 and 6.5.
  • Fortanix has tested this integration on DSM version 4.26.2359.

6.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and its URL must be reachable from the FlashArray. To create the Fortanix DSM group and app used by this integration, refer to the following sections:

6.1 Creating Groups

Perform the following steps to add a group to the Fortanix DSM:

  1. Navigate to the Groups menu item. Click the + button to create a new group.
  2. On the Adding new group page, enter the following details:
    • Name: The title of the group (required).
    • Description (optional): A short description of the group.
  3. Click the SAVE button.

Figure 1: Adding new group

6.2 Creating Application (App)

Perform the following steps to add a Pure Storage app to the Fortanix DSM:

  1. Navigate to the Apps menu item. Click the + button to create a new app.
  2. On the Adding new app page, enter the following details:
    • Name: Name of the application (required).
    • Interface (optional): The interface the application will use to reach DSM. Pure Storage connects over KMIP, so select KMIP.
    • Description: A short description of the application.
    • Authentication method: Select API Key for now. It is changed to Certificate in Section 7.0, once the client certificate has been generated on the array.
    • OAuth: Enable this toggle button to authorize the users to perform actions on their behalf for this app.
    • Assigning the new app to groups: Select the Pure Storage group that you created in the previous section and assign it to this app.
  3. Click the SAVE button.
  
  Figure 2: Adding new app
  
  4. Copy the UUID of the app. It is needed in Section 7.0, where it becomes the Common Name of the client certificate that the array presents to DSM; DSM authenticates a certificate-based app by matching that Common Name to the app UUID.
  
  Figure 3: App UUID

7.0 Generate the Certificate

To generate the client certificate that the array will present to Fortanix DSM, SSH to the Pure Storage array and perform the following steps using the Pure Storage CLI:

  1. Run the following command to create a self-signed certificate. Replace the <App_UUID> parameter with the UUID of the app created in the previous section. Because DSM matches the certificate's Common Name against the app UUID, the --common-name value must be exactly that UUID.
    purecert create cert_2 --self-signed --common-name <App_UUID>
    Example output:
    pureuser@pod-43-vfa1 purecert create cert_4 --self-signed --common-name e003132d-6d58-4e7e-a781-03fc5d8c7c21
    Name    Status       Key Size  Issued To                             Issued By                             Valid From               Valid To                 Country  State/Province  Locality  Organization        Organizational Unit  Email  Common Name
    cert_4  self-signed  2048      e003132d-6d58-4e7e-a781-03fc5d8c7c21  e003132d-6d58-4e7e-a781-03fc5d8c7c21  2024-02-29 06:01:39 UTC  2034-02-26 06:01:39 UTC  -        -               -         Pure Storage, Inc.  Pure Storage, Inc.   -      e003132d-6d58-4e7e-a781-03fc5d8c7c21
    
  2. Run the following command to print the certificate in PEM form. (The purecert create command has already produced a self-signed certificate; nothing further needs to be signed.) This PEM text is what you upload to Fortanix DSM in Step 3:
    purecert list cert_2 --certificate
    
    This command generates the following output:
    -----BEGIN CERTIFICATE-----
    MIIEETCCAvmgAwIBAgIQdc+ZQexf9kNeiP6Wv2H+8zANBgkqhkiG9w0BAQsFADBp
    MS0wKwYDVQQDDCQxNzhiNDBlYy1jOGEwLTQ5M2ItOWMzNC01MmFlNjhhYWY5ZjIx
    GzAZBgNVBAsMElB1cmUgU3RvcmFnZSwgSW5jLjEbMBkGA1UECgwSUHVyZSBTdG9y
    YWdlLCBJbmMuMB4XDTI0MDIwNzE4NDcwNloXDTM0MDIwNDE4NDcwNlowaTEtMCsG
    A1UEAwwkMTc4YjQwZWMtYzhhMC00OTNiLTljMzQtNTJhZTY4YWFmOWYyMRswGQYD
    VQQLDBJQdXJlIFN0b3JhZ2UsIEluYy4xGzAZBgNVBAoMElB1cmUgU3RvcmFnZSwg
    SW5jLjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMNNWV7/1ZV45ZkK
    Kil9UCNbc7V6L2A93FXSXI+HLlJeNU3tEqDX415lsnvFzyLym9fWN+KhaVvaMyrR
    pwjTRT4Yc7eOJp4oCKnkx8UHFRCH3rXKTgMIvnGvO2RZ7h9/zSApUjYg/n0hW20p
    SkiN86AkavLme3YRo8wbJgdFlNWpFRZrP/mCzVN0tuKFrNrzk4CQZON8nLznjGM4
    jA7ARUYqp06mSgt5PgVTuwSkzRaK6AHndh6cB+prrubamQGKagg4bVtXGCXzUCBT
    mjx29mW2BezLaUy4FEa7wGKnB6eVBewRMizUSJ/jdRI5ZiXWSg+S+zuN8bbwZc6l
    durLEuUCAwEAAaOBtDCBsTAvBgNVHREEKDAmgiQxNzhiNDBlYy1jOGEwLTQ5M2It
    OWMzNC01MmFlNjhhYWY5ZjIwHwYDVR0jBBgwFoAUBr4thauvoLBSh/YDwuCbRuEC
    ULUwHQYDVR0OBBYEFAa+LYWrr6CwUof2A8Lgm0bhAlC1MAwGA1UdEwEB/wQCMAAw
    DgYDVR0PAQH/BAQDAgKkMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
    AjANBgkqhkiG9w0BAQsFAAOCAQEAYvxQsQkrNHsSkGrivI6uUme0qbGIEMhAmlAu
    r9kpF532FIGkbA2wwP6wF6whY2fdsJsDNy2jH4UqpfXKHwBBM1h1CnVp2313SPOh
    DZuH1Vt/QXUPhdiSsWVQiWVltbzulOR4tOTwe2EnZ6Qhun+T3jsndQYjwH4ICp3P
    0UCRPAe+Yq9yydUGf8nI13nP85Mz7bRDQbVjIplMRlyazyifJBKYVBCl7jswLpQ6
    iYsfpjeF7K6CYdp8rMkxJSaE3Ne9SrOid4YuTRrz5o1dQzjbm2WL4+xnuycUCAWM
    BjUja98j17eweqsYRdMdUZ1WhDDyS7vp/A3Em3t9oICRzO6x+A==
    -----END CERTIFICATE-----
    
  3. Next, change the authentication type of the Pure Storage app in DSM to Certificate:
    1. Navigate to the Apps menu item → Apps table. Click the Pure Storage app created in Section 6.2: Creating the Application.
    2. In the detailed view of the app, click the Change authentication method button and select the Certificate option from the drop down menu
    3. Click the SAVE button.
    4. In the Add certificate dialog box, perform the following:
      1. Click the UPLOAD CERTIFICATE option to upload the certificate file from your system, or paste the PEM text printed by purecert list in Step 2 into the provided space.
      2. Optionally, update the Expiration Setting for the previous authentication method.
      3. Read and select both the check boxes to confirm your understanding of changing the app authentication method.
      4. Click the UPDATE button to complete updating the app authentication method to the certificate.
  4. Run the following command to register Fortanix DSM as the array's KMIP server. Replace cert_3 with the name of the certificate created in Step 1 (cert_2 above). When prompted, paste the CA certificate, press Enter, then Ctrl-D:
    purekmip create kmip_srvr --uri amer.smartkey.io:5696 --certificate cert_3 --ca-certificate
    Where,
    • amer.smartkey.io:5696 is the Fortanix DSM KMIP endpoint (5696 is the standard KMIP port).
    • --certificate names the client certificate the array presents to DSM, whose Common Name is the app UUID.
    • --ca-certificate is the CA certificate that issued the TLS server certificate of amer.smartkey.io; it lets the array verify that it is talking to the genuine DSM endpoint. For this endpoint it is the USERTrust RSA Certification Authority root shown below.
    Please enter CA certificate followed by Enter and then Ctrl-D:
    -----BEGIN CERTIFICATE-----
    MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB
    iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
    cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
    BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAw
    MjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV
    BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU
    aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2Vy
    dGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
    AoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B
    3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkY
    tJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/
    Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2
    VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT
    79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6
    c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmT
    Yo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97l
    c6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4ee
    UB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeE
    Hg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd
    BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8G
    A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPF
    Up/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KO
    VWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3
    ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs
    8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcR
    iQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYze
    Sf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ
    XHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/
    qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB
    VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB
    L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG
    jjxDah2nGN59PRbxYvnKkKj9
    -----END CERTIFICATE-----
    
    The command confirms the new KMIP server entry:
    Name       URI                    Certificate  Ca Certificate Configured
    kmip_srvr  amer.smartkey.io:5696  cert_3       True
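Because DSM authenticates a certificate-based app by matching the certificate's Common Name to the app UUID, a wrong --common-name in Step 1 only surfaces later as a failed KMIP connection. The following stand-alone Python check is added here and is not part of the Fortanix or Pure Storage tooling: it decodes the PEM printed in Step 2 with a minimal DER walk (no third-party modules) and reports whether the CN equals the app UUID, whether the certificate is self-signed, and whether it is within its validity window, so the check can be run before the upload in Step 3. The PEM embedded below is the one shown on this page; run against it, the check reports CN 178b40ec-c8a0-493b-9c34-52ae68aaf9f2, which differs from the e003132d-... UUID in the Step 1 example output (the two example outputs were evidently captured from different certificates), which is exactly the kind of mismatch the check is meant to catch.

```python
import base64
import datetime as dt
import uuid

# Client certificate exactly as printed by `purecert list ... --certificate` on this page.
PAGE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIEETCCAvmgAwIBAgIQdc+ZQexf9kNeiP6Wv2H+8zANBgkqhkiG9w0BAQsFADBp
MS0wKwYDVQQDDCQxNzhiNDBlYy1jOGEwLTQ5M2ItOWMzNC01MmFlNjhhYWY5ZjIx
GzAZBgNVBAsMElB1cmUgU3RvcmFnZSwgSW5jLjEbMBkGA1UECgwSUHVyZSBTdG9y
YWdlLCBJbmMuMB4XDTI0MDIwNzE4NDcwNloXDTM0MDIwNDE4NDcwNlowaTEtMCsG
A1UEAwwkMTc4YjQwZWMtYzhhMC00OTNiLTljMzQtNTJhZTY4YWFmOWYyMRswGQYD
VQQLDBJQdXJlIFN0b3JhZ2UsIEluYy4xGzAZBgNVBAoMElB1cmUgU3RvcmFnZSwg
SW5jLjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMNNWV7/1ZV45ZkK
Kil9UCNbc7V6L2A93FXSXI+HLlJeNU3tEqDX415lsnvFzyLym9fWN+KhaVvaMyrR
pwjTRT4Yc7eOJp4oCKnkx8UHFRCH3rXKTgMIvnGvO2RZ7h9/zSApUjYg/n0hW20p
SkiN86AkavLme3YRo8wbJgdFlNWpFRZrP/mCzVN0tuKFrNrzk4CQZON8nLznjGM4
jA7ARUYqp06mSgt5PgVTuwSkzRaK6AHndh6cB+prrubamQGKagg4bVtXGCXzUCBT
mjx29mW2BezLaUy4FEa7wGKnB6eVBewRMizUSJ/jdRI5ZiXWSg+S+zuN8bbwZc6l
durLEuUCAwEAAaOBtDCBsTAvBgNVHREEKDAmgiQxNzhiNDBlYy1jOGEwLTQ5M2It
OWMzNC01MmFlNjhhYWY5ZjIwHwYDVR0jBBgwFoAUBr4thauvoLBSh/YDwuCbRuEC
ULUwHQYDVR0OBBYEFAa+LYWrr6CwUof2A8Lgm0bhAlC1MAwGA1UdEwEB/wQCMAAw
DgYDVR0PAQH/BAQDAgKkMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
AjANBgkqhkiG9w0BAQsFAAOCAQEAYvxQsQkrNHsSkGrivI6uUme0qbGIEMhAmlAu
r9kpF532FIGkbA2wwP6wF6whY2fdsJsDNy2jH4UqpfXKHwBBM1h1CnVp2313SPOh
DZuH1Vt/QXUPhdiSsWVQiWVltbzulOR4tOTwe2EnZ6Qhun+T3jsndQYjwH4ICp3P
0UCRPAe+Yq9yydUGf8nI13nP85Mz7bRDQbVjIplMRlyazyifJBKYVBCl7jswLpQ6
iYsfpjeF7K6CYdp8rMkxJSaE3Ne9SrOid4YuTRrz5o1dQzjbm2WL4+xnuycUCAWM
BjUja98j17eweqsYRdMdUZ1WhDDyS7vp/A3Em3t9oICRzO6x+A==
-----END CERTIFICATE-----"""

# DER-encoded X.500 attribute type OIDs we care about: commonName, organizationName, OU.
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}


def _tlv(buf, pos=0):
    """Read one DER tag-length-value; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed value (SEQUENCE/SET) into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _name(der):
    """X.501 Name -> {'CN': ..., 'O': ..., 'OU': ...} for the attribute types we know."""
    attrs = {}
    for _, rdn in _children(der):  # SEQUENCE OF RelativeDistinguishedName
        for _, atv in _children(rdn):  # SET OF AttributeTypeAndValue {type, value}
            (_, oid), (_, val) = _children(atv)
            if oid in OID_NAMES:
                attrs[OID_NAMES[oid]] = val.decode("utf-8")
    return attrs


def _time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return dt.datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)


def parse_certificate(pem):
    """Return issuer, subject and validity of an X.509 certificate given in PEM form."""
    b64 = "".join(line for line in pem.splitlines() if "-----" not in line)
    _, cert, _ = _tlv(base64.b64decode(b64))
    _, tbs, _ = _tlv(cert)  # tbsCertificate is the first element of Certificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:  # EXPLICIT [0] version is optional; skip it if present
        fields = fields[1:]
    _serial, _sig_alg, issuer, validity, subject = fields[:5]
    (nb_tag, nb), (na_tag, na) = _children(validity[1])
    return {"issuer": _name(issuer[1]), "subject": _name(subject[1]),
            "not_before": _time(nb_tag, nb), "not_after": _time(na_tag, na)}


def check_client_cert(pem, app_uuid, now=None):
    """The properties DSM certificate authentication depends on, as pass/fail flags."""
    info = parse_certificate(pem)
    now = now or dt.datetime.now(dt.timezone.utc)
    try:
        expected = str(uuid.UUID(app_uuid))  # canonical lower-case hyphenated form
    except ValueError:
        expected = None  # not a UUID at all: can never match an app
    cn = info["subject"].get("CN", "")
    return {"cn": cn,
            "cn_matches_app_uuid": expected is not None and cn.lower() == expected,
            "self_signed": info["issuer"] == info["subject"],
            "in_validity_period": info["not_before"] <= now <= info["not_after"],
            "not_after": info["not_after"].isoformat()}


if __name__ == "__main__":
    # UUID embedded in the page's PEM vs. the UUID shown in the Step 1 example output.
    for app in ("178b40ec-c8a0-493b-9c34-52ae68aaf9f2", "e003132d-6d58-4e7e-a781-03fc5d8c7c21"):
        print(app, check_client_cert(PAGE_CERT_PEM, app))
```

To use it on your own array, paste the output of purecert list <name> --certificate into PAGE_CERT_PEM (or read it from a file) and pass the UUID copied in Section 6.2. The parser only walks the outer structure of the certificate; it does not verify the signature, which is unnecessary here because the certificate is self-signed and DSM pins it by upload rather than by chain validation.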
    
    

8.0 Verification

Perform the following steps to verify that the integration succeeded.

  1. Run the following command to verify the KMIP server connection:
    purekmip test kmip_srvr
    
    Output:
    Name       URI                   Status  Details
    kmip_srvr  sit.smartkey.io:5696  OK
    
  2. Run the following command to enable the security token:
    purearray enable security-token --kmip kmip_srvr
    
    Output:
    Enabled  Type  Signature                                                         Server
    True     KMIP  fb2aade21650857a11bf77d64dc14135c28692d45cabaefb241e00a49c0b9a87  kmip_srvr
    
    Figure 4: Key generated
  3. Run the following command to list the security tokens:
    purearray list --security-token
    
    Output:
    Enabled  Status   Type  Signature                                                         Server
    True     enabled  KMIP  fb2aade21650857a11bf77d64dc14135c28692d45cabaefb241e00a49c0b9a87  kmip_srvr
    
  4. Run the following command to test the security token integration:
    purearray test security-token
    
    Output:
    Name  Uri                   Status  Type  Error Message  Signature
    CT0   sit.smartkey.io:5696  OK      KMIP                 77ce7612c04ba7593d24de780922f151b10bce066976ffa32bc7930e75420c55
    
    NOTE
    Allow up to 30 minutes for the purearray test security-token command to accurately reflect the new configuration.

8.1 Key Control

The following scenario shows how Fortanix DSM controls access to the Pure Storage array through the RDL feature: deactivating the key in DSM withholds the external key from the array.

  1. Deactivate the key in Fortanix DSM as shown in Figure 5.
  
  Figure 5: Key deactivation
  
  2. Go to the Pure Storage console and open the RDL section. Once the key is deactivated in Fortanix DSM, Pure Storage can no longer retrieve a matching key from the KMIP server and reports a key mismatch error (Figure 6), so no RDL-protected operation can be performed.
  
  Figure 6: Pure Storage Console
