Fortanix Self-Defending Key Management Service (KMS) is the world’s first cloud service secured with Intel® SGX. With Fortanix Self-Defending KMS, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix Self-Defending KMS using legacy cryptographic interfaces or using the native Fortanix Self-Defending KMS RESTful interface.
Fortanix Self-Defending KMS uses built-in cryptography in Intel® Xeon® CPUs to help protect the customer’s keys and data from all external agents, reducing the system complexity greatly by removing the reliance on characteristics of the physical boxes. Intel® SGX enclaves prevent access to customer’s keys or data by Fortanix or any other cloud service provider.
Unlike many hardware security technologies, Intel® SGX is architected to help protect arbitrary x86 program code. Fortanix Self-Defending KMS uses Intel® SGX not only to help protect the keys and data but also to all the application logic including role-based access control, account set up, password recovery, etc. The result is significantly improved security for a key management service that offers the elasticity of modern cloud software and the hardware-based security of an HSM appliance, all while drastically reducing initial and ongoing costs.
Fortanix Self-Defending KMS is designed to enable businesses to serve key management needs for all their applications, whether they are operating in a public, private, or hybrid cloud.
Cryptographic Operations and Key Management
Fortanix Self-Defending KMS enables you to manage the lifecycle of security objects (keys, certificates, etc.), and use them for performing cryptographic operations. The following operations are supported:
- Create symmetric and asymmetric keys
- Import your own keys
- Import/export key components
- Derive new keys from existing keys
- Key Tokenization
- Role-based access control to determine which users, groups, or apps have access to which keys, and what operations on those keys
- Statistics on the usage of keys
- Complete audit trail for use of keys
- Encryption and decryption using symmetric and asymmetric keys
- Sign and verify operations
- Create and update plugins
Figure 1: Relationship between Fortanix Self-Defending KMS Accounts, Groups, Apps, Keys, Users, and Plugins
A Fortanix Self-Defending Key Management Service (KMS) account is the top-level container for security objects managed by the Fortanix Self-Defending KMS. An account is generally associated with an organization, rather than an individual. Security objects, groups, and applications belong to exactly one account. Different accounts are fully isolated from each other.
When planning accounts, be aware that it is not possible to move security objects, groups, or applications between accounts. Therefore, create multiple accounts only when you are sure that there will not be a need to move objects between them.
Users are associated with email addresses. A user can be a member of one or more accounts. For example, an employee might belong to an account for the corporate production environment, an account for the corporate test environment, and an account used for personal testing and development purposes.
Depending on permissions, users can:
- perform management operations like adding or modifying users or groups
- create security objects
- change properties of security objects
- review logs of key management and cryptographic activity
Users are not able to perform cryptographic operations. Only applications can perform cryptographic operations.
A security object is any datum stored in Fortanix Self-Defending KMS (e.g. a key, a certificate, secret, etc.). For asymmetric key pairs, both the private and public keys are stored in a single security object. It is also possible for a security object to hold a public key without the associated private key.
Users and applications assigned to the group have permission to see the security object and to perform operations on it. Users and applications not assigned to a security object’s group cannot view or operate on that security object. See Authorization for more detail about the Fortanix Self-Defending KMS authorization model.
The copy key feature will copy a security object from a standard Fortanix Self-Defending KMS group to another standard group. This feature has the following advantages:
- Maintains a single source of key material while using/importing that key across various Fortanix Self-Defending KMS groups where applications in respective groups may need to use a single key to meet some business objectives.
- Maintains a link of various copies of the same key material to the source key for audit and tracking purposes.
See Copy Key for more details.
A group is a collection of related security objects. Access policies are set at the group level, so all security objects in a group share the same access policy. Any number of users and/or applications can be assigned to a group. Some examples of usage of groups are given in Authorization.
An application is a daemon, service, or other non-human clients that uses Fortanix Self-Defending KMS. Applications can authenticate to Fortanix Self-Defending KMS using an API key (a secret token) or a TLS client certificate.
Depending on permissions, applications can:
- create security objects
- change properties of security objects
- perform cryptographic operations using security objects
Applications cannot perform management operations like adding or modifying users and groups.
An application can be assigned to one or more groups. An application that is assigned to a group has permission to operate on all of the security objects in that group.
Plugins are a powerful system allowing users to securely run sensitive business logic inside the Fortanix Self-Defending Key Management Service (KMS).
For example, plugins may be used to
- impose custom, arbitrarily complex access control policies on keys in Fortanix Self-Defending KMS
- require approval from a quorum before a key in Fortanix Self-Defending KMS is used
- ensure that an RSA key in Fortanix Self-Defending KMS may only sign certificates with a particular attribute
- require that a key in Fortanix Self-Defending KMS may only be wrapped with a certificate signed by a particular CA
- implement a secure higher-level cryptographic operation, including custom audit logs, to expose to outside apps
Currently, Lua is the only language supported.
To know more about Plugins see Plugins - Getting Started.
Plugin Library (PL) is a feature of the Fortanix Self-Defending KMS that allows users to view a list of frequently used plugins from a commonplace. Fortanix Self-Defending KMS users can create local copies of the plugins in the library that they intend to use and then they can start invoking them.
The Fortanix Self-Defending KMS PL is backed by a Git repository that contains the plugin code. As this repository is updated by Fortanix with new plugins, Fortanix Self-Defending KMS users will be able to see the updated and new plugins available for use. To know more about Plugin Library see User's Guide: Plugin Library
Fortanix Self-Defending KMS automatically maintains an internal audit log of system operations. You can configure Fortanix Self-Defending KMS to send these audit log entries to an external logging system such as Splunk, Google Stackdriver, and Syslog Server.
A typical enterprise might have a requirement to collect and maintain a log of all the systems including Fortanix Self-Defending KMS in a single place. These enterprises can write rules using external logging systems such as Splunk, Google Stackdriver, and Syslog to generate actions like alerts, emails, and so on when a log or event occurs. Fortanix Self-Defending KMS supports the mechanism to push all its logs/system events to these third-party servers to enable external logging of events. To know more about Audit Logs, see User's Guide: Logging.
Enabling quorum approval policy for a group in Fortanix Self-Defending Key Management Service (KMS) prevents a single user (or administrator) to be able to access or use a highly sensitive key. A group administrator may enable a quorum approval policy on a group, which mandates that all security-sensitive operations in that group would require a quorum approval. Such operations include using a key for cryptographic operations or deleting or updating a group. To know more about Quorum Policy see User's Guide: Quorum Policy.
Fortanix Self-Defending KMS accounts can be integrated with third-party Single Sign-On (SSO) providers. When an account is configured for SSO, users in that account will be able to login with their SSO credentials. Currently, the following SSO mechanisms are available: SAML and OpenID Connect / OAuth. To know more about Single Sign-On see User's Guide: Single Sign-On.
All clients connecting to Fortanix Self-Defending Key Management Service (KMS) must be authenticated. Clients are classified as either users or applications. A user authenticates to Fortanix Self-Defending KMS using a password. An application authenticates to Fortanix Self-Defending KMS using either an API key or a TLS client certificate. To know more about authorization see User's Guide: Authentication.
Once a user or an app is authenticated, it still needs the authorization to perform an operation on Fortanix Self-Defending Key Management Service (KMS). Fortanix Self-Defending KMS provides fine-grained authorization controls that can broadly be categorized into “time-based authorization”, “role-based access control (RBAC)”, “quorum-based authorization”, “key-based authorization”, “LDAP authorization” and “authorization for plugins”. To know more about authorization see User's Guide: Authorization.