Using Fortanix Data Security Manager with Google Cloud EKM Interface

New call-to-action

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with Google Cloud Platform (GCP) services. It also contains the information that a user needs to:

  • Enable the Cloud Key Management Service (KMS) API in your GCP project
  • Obtain GCP service account email address
  • Import the Google Advanced Encryption Standard (AES) Key in Fortanix DSM
  • Complete the GCP setup

Fortanix DSM supports the following customer-managed encryption keys (CMEK) integration services on the Google cloud:

Refer to the Cloud EKM documentation for the complete list.

1.1 Why Use Fortanix Data Security Manager With Google Cloud EKM

Google Cloud’s External Key Manager allows services running in the Google Cloud Platform (GCP), namely Big Query and Google Compute Engine (GCE) to use an encryption key managed in an external key management service and controlled entirely by the customer.

To read more about the announcement of Google Cloud External Key Manager (EKM) and the Fortanix DSM integration, read the Google and Fortanix announcement blogs.

Fortanix DSM protects all your data on-premises as well as in the cloud. It provides end-to-end security for keys and data (at-rest, in-transit, and in-use) protected with layers of defense including Fortanix Runtime Encryption®, Intel® SGX and FIPS-validated hardware; Only authorized users can access keys.

2.0 Terminology References

Fortanix Data Security Manager (DSM)

Fortanix DSM is the cloud solution secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as secrets, such as passwords, API keys, tokens, or any blob of data.

GCP - Google Cloud Platform

Google Cloud Platform is a suite of public cloud computing services offered by Google. The platform includes a range of hosted services for compute, storage, and application development that run on Google hardware. Google Cloud Platform services can be accessed by software developers, cloud administrators, and other enterprises IT professionals over the public internet or through a dedicated network connection.

Google KMS - Google Key Management Service

Google Cloud Key Management Service (KMS) is a cloud service for managing encryption keys for other Google cloud services that enterprises can use to implement cryptographic functions. For more information, see Google Cloud Key Management Service.

AES - Advanced Encryption Standard

Google uses the Advanced Encryption Standard (AES) algorithm to encrypt data at rest. AES is widely used because:

  1. Both AES256 and AES128 are recommended by the National Institute of Standards and Technology (NIST) for long-term storage use (as of November 2015).
  2. AES is often included as part of customer compliance requirements. For more information please see Advanced Encryption Standard.

SGX - Software Guard Extensions

Intel’s Software Guard Extensions (SGX) is a set of extensions to the Intel architecture that aims to provide integrity and confidentiality guarantees to security-sensitive computation performed on a computer where all the privileged software (kernel, hypervisor, and so on) is potentially malicious.

FIPS - Federal Information Processing Standards

FIPS is a set of standards that describe document processing, encryption algorithms, and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies.

3.0 Prerequisites

  • Fortanix Data Security Manager
  • GCP Services
  • Google Cloud Project
  • AES key
  • The GCP Project Owner must enable the Cloud Key Management Service (KMS) API in your GCP Project. Refer to the Google documentation for steps to enable the Cloud KMS API in your GCP project.
  • The user trying to add the EKM Key in the GCP keyring must have a Cloud KMS Admin role.
  • The GCP Project Owner must enable BigQuery API access in your GCP Project.
  • The user using BigQuery must have permission to use BigQuery and permission to access the EKM key that Fortanix creates.
NOTE
The AES key can either be imported or created in Fortanix DSM.

4.0 Using Fortanix Data Security Manager with GCP Service

4.1 Overview

With Google Cloud Platform (GCP) External Key Manager, administrators use Fortanix DSM to store cryptographic keys for the purpose of encrypting/decrypting GCP workloads including BigQuery and Google Compute Engine (GCE).

While the sdkms.fortanix.com free trial deployment supports us-west2 region, production deployments of Fortanix DSM support any GCP regions. 

NOTE
Please keep in mind that sdkms.fortanix.com is a test instance and not supported for production use. Supported use for production workloads requires engaging Fortanix and Google Cloud. Please email info@fortanix.com for more information.

4.2 Enable KMS API in Your GCP project

See Google documentation for steps on how to enable Google External Key Manager API in your GCP project.

4.3 Obtain Your Google Service Account Email Address

Fortanix DSM requires the identity of the GCP service account in your Google cloud project. This service account is automatically created by GCP once the KMS API is enabled. This service account exists by default and has the appropriate permissions, which cannot be modified. This service account will also not be viewable from your IAM; it is a backend service account controlled by GCP. This is in the format of the following email address, using your own project-number, where specified:

service-[PROJECT-NUMBER]@gcp-sa-ekms.iam.gserviceaccount.com

In the example above, PROJECT-NUMBER is the project number of your Google Cloud Platform project.

You can look up your project number using the following instructions:

Creating and managing projects  |  Resource Manager Documentation  |  Google Cloud

4.4 Obtaining Access in Fortanix Data Security Manager

Create an account in Fortanix DSM if you do not have one already. See the Fortanix DSM Getting Started.

4.5 Create/Import an AES Key

In your Fortanix DSM console, follow the process below to create/import an AES encryption key:

  1. Click the Security Objects SecurityObjects.png tab (Figure 1).
  2. Click NewSecurity.png to create a new Security Object. CreateNewSO.pngFigure 1: Security Objects tab in Fortanix DSM

In the Add New Security Object form, you can create or import an AES key. See the example below to import an AES key:

  1. Type a name for the Security Object (Key).
  2. Assign a Group for the key.
  3. Click Import to set the option to import an AES key.
  4. Click AES for the type of key to import. Picture2.png Figure 2: Import AES Key
  5. Enter Key Check Value (KCV).
  6. Select an option for the key-value format.
  7. Click UPLOAD A FILE to upload your AES key. Picture3.png Figure 3: Upload AES Key
NOTE
Make sure the new key has “encrypt” and “decrypt” key operations allowed.

To generate a new AES key, follow the instruction below:

  1. Type a name for the Security Object (Key).
  2. Assign a Group for the key.
  3. Click Generate to set the option to generate an AES key.
  4. Click AES for the type of key to import.
  5. Type a value for the key size, in the Key size field.
    Picture4.png Figure 4: Generate New AES Key
  6. Select the permitted key operations for this key. Picture5.png Figure 5: Select Permitted Key Operations
  7. Optional: Add Custom Attributes and edit Activation and Deactivation dates.
  8. Select Audit log to enable audit logging. This will inform you about all the audit logging for this security object. it is an optional field.
  9. Click Generate to generate the AES key.
    Picture6.png Figure 6: Generate AES Key
NOTE
Make sure the new key has “encrypt” and “decrypt” key operations allowed.

4.6 Create an App in Fortanix Data Security Manager

To create an application in Fortanix DSM, specify the Google service account email as the application name and the Google Service Account as the authentication method.

  1. In the Fortanix DSM account, click the Apps AppTab.png tab.
  2. Create a new Fortanix DSM app using the button NewSecurity.png. Picture7.png Figure 7: Create New Application
  3. In the Adding new app form, do the following:
    1. In the App name field, type the name of the service account email you acquired before. 
      NOTE
      The app name must match the email address of an existing Google Service Account. 
    2. In the Authentication method, select Google Service Account
      NOTE
      Ensure that the new application has access to the AES key. This can be done by assigning the app and the key to the same Fortanix DSM group. 
    3. Select the access justification reason for wrapping or unwrapping the key. Picture8.png Figure 8: Application Name and Access Justification (Default Settings) Access_Justification_Reason1.pngFigure 9: Access Justification (Select Reason) The user can allow access to wrap/unwarp keys for the following types of access justifications options:
      NOTE
      Selecting the allowed key justification reasons below defines an access policy for the app. 
      • Accept All: Select Accept All to allow access for all the justification reasons provided below. You can also customize your selection and select specific justification criteria for access.
        • Customer-initiated support – Support initiated from the customer, for example, Case Number: ####.
        • Customer-initiated access – Customer or a third-party authorized by customer's IAM policy perform any access to the customer's data.
        • Google-initiated service – Google-initiated access, for example, to perform system management and troubleshooting which includes:
          • Backup and recovery from outages and system failures
          • Investigation to confirm that the customer is not affected by suspected service issues
          • Remediation of technical issues, such as storage failure or data corruption
        • Google-initiated review – Google-initiated access for security, fraud, abuse, or compliance purposes including:
          • Ensuring the safety and security of customer accounts and content
          • Confirming whether the content is affected by an event that may impact account security (for example, malware infections)
          • Confirming whether the customer is using Google services in compliance with Google Terms of Service
          • Investigating complaints by other users and customers, or other signals of abusive activity
          • Checking that Google services are being used consistently with relevant compliance regimes (for example, anti-money laundering regulations)
        • Google-initiated system operation – Google-initiated access for security, fraud, abuse, or compliance purposes.
        • Third-party data request – Customer-initiated access by Google to respond to a legal request or legal process, including when responding to legal process from the customer that requires Google to access the customer's own content. Note that Access Transparency logs, in this case, may not be available if Google cannot legally inform the customer of such a request or process.
        • Unspecified reason – Indicates the actor accessing the data provided no access reason for the request. This may have been due to a transient error, a bug, or some other unexpected circumstance.
        • No justification reason expected – Indicates no reason is expected for this key request as the service in question has never integrated with Key Access Justification or is still in the pre-GA state and therefore may still have residual methods that call the External Key Manager but does not provide a justification.
        • Modified customer-initiated access – A customer uses their account to perform any access which is authorized by their own IAM policy; however, a Google administrator has reset the superuser account associated with the user’s organization within the last 7 days.
        • Modified Google-initiated system operation – Google initiated access of customer data to perform indexing, structuring, precomputation, hashing, sharding and caching to optimize the structure and quality of data for future uses by the customer.
        • Google responses to production alert – indicates Google-initiated access to main system reliability.
      • Allow missing justification: Select this option to allow access even if a justification reason is not provided.
    4.  Assign the new application to a group or create a new group if there are no existing groups already
    5. Click Save to create the new application.
      Picture10.png

      Figure 10: Assign to Group and Save

4.7 Add Authentication Method for an Existing App

You can also change the authentication method for an existing app to Google Service Account from the detailed view of an app.

  1. In the detailed view of an app, click the INFO tab and in the API Key section click the Change authentication method drop-down menu.
    Picture11.png

    Figure 11: Change Authentication Method

  2. Select Google Service Account and click SAVE to save the setting.
    Picture12.png

    Figure 12: Select Authentication Method

  3. In the Configure authentication method window, select the key justification reasons, and click UPDATE. Refer to Section 4.6 to learn about the justification policies.
    NOTE
    The app name must match the email address of an existing Google Service Account.
    Picture13.png

    Figure 13: Select Key Justification Reason

    The application is updated with the new authentication method.
    Picture14.png

    Figure 14: Authentication Method Updated

4.8 Edit Key Access Justification Reason for an Existing App

You also have an option to edit the key justification reason for an existing app.

  1. In the detailed view of an app, click the INFO tab and in the Google Service Account section, click the SHOW INSTRUCTIONS button.
    Picture15.png

    Figure 15: Edit Existing Key Justification Reason

  2. In the Google Service Account window, click the EDIT button.
    Picture16.png

    Figure 16: Edit Key Justification Reason

  3. Edit the allowed justification reason and click SAVE AND CLOSE to save the new updates.

4.9 Add Key Access Justification Policy for an Existing Key (Optional) 

You can also change the authentication method for an existing key from the Security Objects page. 

NOTE
  1. Fortanix DSM first checks the provided access reason against the app level policy.  
  2. If the provided access reason passes at app level, then Fortanix DSM checks it against the key level policy.  
  3. If the provided access reason passes at both app level and key level, Fortanix DSM executes the operation. 
  4. If the provided access reason passes at the app level but fails at the key level, Fortanix DSM throws an error: “Request violates security object's access reason policy.” 
  1. On the Security Objects page, select the key for which you want to change the key justification policy.
    Picture18.png

    Figure 18: Select the Key

  2. In the detailed view of the key, click the KEY ACCESS JUSTIFICATION tab, and then click ADD POLICY to add a new key access justification policy.  
    Picture19.png

    Figure 19: Change Key Authentication Method

  3. By default, the Accept All option is selected. Click Save to apply all the defined access justification policies to the key. 
    Picture20.png

    Figure 20: Change Key Authentication Method (Default Settings)

  4. To change the applicable policies, clear the Accept All option, select the access justification policies that you want to apply to the key, and then click Save. Refer to Section 4.6 to learn about the justification policies.
    Picture21.png

    Figure 21: Update Key Policies

    The key is updated with the new justification policy. 

4.10 Edit Key Level Justification Policy for an Existing Key

You can also edit and change the authentication method for an existing key from the detailed view of a security object. Once you have applied the to a key, you will see the EDIT POLICY button.

  1. On the Security Objects page, select the key for which you want to edit the key access justification reason. In the detailed view of the key, the KEY ACCESS JUSTIFICATION tab, and then click EDIT POLICY.
    EditGCPPolicyKeyLevel.png

    Figure 22: Edit Key Authentication Method

  2. Clear the default policies you want to remove, select the policies you want to add, and then click SAVE.
    EditGCPPolicyKeyLevel1.png

    Figure 23: Update Key Policies

         The key is updated with the new access justification policy.

4.11 Enable GCP Service to Access AES Key in Fortanix Data Security Manager

GCP services would need to know a URL that allows the service to access a key stored in Fortanix DSM. This is known as the external_key_uri .

  1. Replace key_id> in the below URL with the UUID of the AES key to obtain the external_key_uri.
    https://sdkms.fortanix.com/v0/gcp/key/key_id
  2. To obtain the UUID of the AES key, click the Security Objects tab, and then click the new AES key which you created/imported.
    Picture24.png

    Figure 24: Security Objects Page

  3. In the AES key detailed view, copy the UUID of the AES Key by clicking COPY UUID from the COPY ID drop-down menu.
    Picture25.png

    Figure 25: Copy AES Key UUID

  4. Replace the Key_id with the UUID in the below URL, for example: https://sdkms.fortanix.com/v0/gcp/key/b5105b49-0fde-4522-8e0d-6064fde6688e
  5. You can also get the Google EKMS URL by clicking COPY GOOGLE EKMS URL in the COPY ID drop-down menu.
    Picture26.png

    Figure 26: Get the Google EKMS URL

  6. Use the resource URL above to complete the GCP setup.

5.0 References

1. Google Cloud Key Management Service

https://cloud.google.com/kms/ekm/docs/

2. GCP Key Manager Service API

https://cloud.google.com/kms/docs/reference/rest/

3. Fortanix DSM Getting started

https://support.fortanix.com/hc/en-us/articles/360015809372-Getting-Started-with-Fortanix-Data-Security-Manager 

4. Advanced Encryption Standard

https://www.researchgate.net/publication/317615794_Advanced_Encryption_Standard_AES_Algorithm_to_Encrypt_and_Decrypt_Data

5. Enable Billing in GCP

https://cloud.google.com/billing/docs/how-to/modify-project

New call-to-action

Comments

Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful