Download
The Microsoft CNG Key Storage Provider (KSP) for Windows 64-bit can be downloaded here.
Installation
FortanixKmsClient.msi
installs the Fortanix CNG Provider, as well as an EKM provider and PKCS#11 library.
The Fortanix KMS CNG Provider is installed at C:\Windows\System32\FortanixKmsCngProvider.dll
and is registered with Windows during installation.
The certutil
command on Windows can be used to verify that the CNG Provider is registered. To display all registered cryptographic service providers on the system, run
certutil -csplist
You should be able to locate Fortanix KMS CNG Provider
in this list.
For information on Cyberark, SQL server, and MS PKI, refer to Using Fortanix Self-Defending KMS with Microsoft PKI Using Fortanix Self-Defending KMS with Microsoft SQL Server TDE Using Fortanix Self-Defending KMS with CyberArk Enterprise Password Vault.
Uninstallation
Uninstall FortanixKmsClient.msi
(click Uninstall from the context menu or uninstall using Windows’s Programs and Features manager).
Configuration
The Fortanix Key Management Service (KMS) Server URL and proxy information are configured in the Windows registry for the local machine or current user with:
C:\Program Files\Fortanix\KmsClient\FortanixKmsClientConfig.exe
The machine key store uses the local machine configuration, and the user key store uses the current user configuration.
For example, to configure the Fortanix KMS Server URL for the local machine, run:
FortanixKmsClientConfig.exe machine --api-endpoint https://sdkms.fortanix.com
To configure the Fortanix KMS Server URL for the current user, run:
FortanixKmsClientConfig.exe user --api-endpoint https://sdkms.fortanix.com
To configure proxy information, add --proxy http://proxy.com
or --proxy none
to unconfigure proxy.
The CNG does not provide an API for logging in with a credential, so the API Key for the Fortanix KMS CNG Provider is stored in the Windows registry, encrypted using the Windows Data Protection API.
The API key needs to be generated ahead of time by adding an application to Fortanix Self-Defending KMS. Then, it may be configured for the machine key store:
FortanixKmsClientConfig.exe machine --api-key <key>
or the user key store:
FortanixKmsClientConfig.exe user --api-key <key>
certutil
may be used to verify that the Fortanix KMS CNG Provider is configured correctly. To list the keys in the machine key store, run:
certutil -csp "Fortanix KMS CNG Provider" -key
To list the keys in the user key store for the current user, run:
certutil -csp "Fortanix KMS CNG Provider" -key -user
Troubleshooting
Logging
In case of any issues or failures during the above operations, the Fortanix CNG provider writes error logs to a file that can be located in the Windows folder:
C:\Windows\System32\config\systemprofile\AppData\Roaming\Fortanix
or
C:\Users\Administrator\AppData\Roaming\Fortanix