See more

Using SDKMS with Google Cloud EKM Interface

  • Last updated:
  • access_time Reading time:

1.0  Introduction

This article describes how to integrate Fortanix Self-Defending Key Management Service (SDKMS) with Google Cloud Platform (GCP) services. It also contains the information that a User needs to:

  • Enable the Cloud Key Management Service (KMS) API in your GCP project
  • Obtain GCP service account email address
  • Import the Google Advanced Encryption Standard (AES) Key in SDKMS
  • Complete the GCP setup

Why Use Fortanix SDKMS With Google Cloud EKM

Google Cloud’s External Key Manager allows services running in the Google Cloud Platform (GCP), namely Big Query and Google Compute Engine (GCE) to use an encryption key managed in an external key management service and controlled entirely by the customer.

To read more about the announcement of Google Cloud External Key Manager (EKM) and the Fortanix SDKMS integration, read the Google and Fortanix announcement blogs.

SDKMS protects all your data on-premises as well as in the cloud. It provides end-to-end security for keys and data (at-rest, in-transit, and in-use) protected with layers of defense including Fortanix Runtime Encryption®, Intel® SGX and FIPS-validated hardware; Only authorized users can access keys.

2.0  Terminology References

SDKMS - Self-Defending Key Management Service

Self-Defending Key Management Service (SDKMS) is the cloud solution secured with Intel® SGX. With SDKMS, you can securely generate, store, and use cryptographic keys and certificates, as well as secrets, such as passwords, API keys, tokens, or any blob of data.

GCP - Google Cloud Platform

Google Cloud Platform is a suite of public cloud computing services offered by Google. The platform includes a range of hosted services for compute, storage and application development that run on Google hardware. Google Cloud Platform services can be accessed by software developers, cloud administrators and other enterprise IT professionals over the public internet or through a dedicated network connection.

Google KMS - Google Key Management Service

Google Cloud Key Management Service (KMS) is a cloud service for managing encryption keys for other Google cloud services that enterprises can use to implement cryptographic functions. For more information, see Google Cloud Key Management Service.

AES - Advanced Encryption Standard

Google uses the Advanced Encryption Standard (AES) algorithm to encrypt data at rest. AES is AES is widely used because:

  1. Both AES256 and AES128 are recommended by the National Institute of Standards and Technology (NIST) for long-term storage use (as of November 2015).
  2. AES is often included as part of customer compliance requirements. For more information please see Advanced Encryption Standard.

SGX - Software Guard Extensions

Intel’s Software Guard Extensions (SGX) is a set of extensions to the Intel architecture that aims to provide integrity and confidentiality guarantees to security-sensitive computation performed on a computer where all the privileged software (kernel, hypervisor, and so on) is potentially malicious.

FIPS - Federal Information Processing Standards

FIPS are a set of standards that describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies.

3.0  Prerequisites

  • Fortanix SDKMS
  • GCP Services
  • Google Cloud Project
  • AES key

Note.png NOTE: The AES key can either be imported or created in SDKMS.

4.0  Using SDKMS with GCP Service

Overview

With Google Cloud Platform (GCP) External Key Manager, administrators use Fortanix SDKMS to store cryptographic keys for the purpose of encrypting/decrypting GCP workloads including BigQuery and Google Compute Engine (GCE).

While the sdkms.fortanix.com free trial deployment supports us-west2 region, production deployments of Fortanix SDKMS supports any GCP regions. 

Note.png NOTE: Please keep in mind that sdkms.fortanix.com is a test instance and not supported for production use. Supported use for production workloads requires engaging Fortanix and Google Cloud. Please email info@fortanix.com for more information.

Enable KMS API in Your GCP project

See Google documentation for steps on how to enable Google External Key Manager API in your GCP project.

Obtain Your Google Service Account Email Address

Fortanix SDKMS requires the identity of the GCP service account in your Google cloud project. This is usually an email address of the form:

service-[PROJECT-NUMBER]@gcp-sa-ekms.iam.gserviceaccount.com

In the example above, PROJECT-NUMBER is the project number of your Google Cloud Platform project.

You can look up the Service Account email address from the GCP Service Account page.

Obtaining Access in SDKMS

Create an account in Fortanix SDKMS if you do not have one already. See the Fortanix SDKMS  Getting Started guide for more information.

Create/Import an AES Key

In your Fortanix SDKMS console, follow the process below to create/import an AES encryption key:

  1. Click the Security Objects SecurityObjects.png tab (Figure 1).
  2. Click NewSecurity.png to create a new Security Object.

SecurityObjectTab.png

Figure 1: Security Objects tab in SDKMS

In the Add New Security Object form, you can create or import an AES key. See the example below to import an AES key (Figure 2):

ImportAES.png

Figure 2: Create/Import AES key

  1. Type a name for the Security Object (Key).
  2. Click Import to set the option to import an AES key.
  3. Click AES for the type of key to import.
  4. Select an option for the key value format.
  5. Click UPLOAD A FILE to upload your AES key.

Note.png NOTE: Make sure the new key has “encrypt” and “decrypt” key operations allowed.

   To generate a new AES key, follow the instruction below (Figure 3):

GenerateAES.PNG

Figure 3: Generate a New AES key

  1. Type a name for the Security Object (Key).
  2. Click Generate to set the option to generate an AES key.
  3. Click AES for the type of key to import.
  4. Type a value for the key size, in the Key size
  5. Select the permitted key operations for this key.
  6. Assign a group for the key.
  7. Select Audit log to enable audit logging. This will inform you about all the audit logging for this security object. it is an optional field.
  8. Click Generate to generate the AES key.

Note.png NOTE: Make sure the new key has “encrypt” and “decrypt” key operations allowed.

Create an App in SDKMS

To create an application in Fortanix SDKMS, specify the Google service account email as the application name and the Google Service Account as the authentication method.

Note.png NOTE: The Google EKM feature is a beta offering for beta users. 

  1. In the SDKMS account, click the Applications AppTab.png tab (Figure 4).
  2. Create a new SDKMS app using the button NewSecurity.png(Figure 4).

    CreateNewApp.png

                         Figure 4: Create New Application

  3. In the Adding new app form (Figure 5 and Figure 6), do the following:
    1. In the App name field, type the name of the service account email you acquired before.

       Note.png NOTE:  The app name must match the email address of an existing Google Service Account.1.png

                                                              Figure 5: Name of the Application
    2. In the Authentication method, click Google Service Account (alpha).
    3. Assign the new application to a group or create a new group if there are no existing groups already.

      Note.png NOTE:  Ensure that the new application has access to the AES key.

      2.png                                             Figure 6: Add new Application
    4. Click Save to create the new application.

Enable GCP Service to Access AES Key in SDKMS

GCP services would need to know a URL that allows the service to access a key stored in SDKMS. This is known as the external_key_uri .

1.  Replace <key_id > in the below URL with the UUID of the AES key to obtain the external_key_uri:

https://sdkms.fortanix.com/v0/gcp/key/<key_id >

2.  To obtain the UUID of the AES key, click the Security Objects SecurityObjects.png  tab, and then click the new AES key which you created/imported.

ApplicatioPage.png

Figure 7: Security Objects page

3. In the AES key detailed view, copy the UUID of the AES Key using the Copy Copy.png icon.

AESKeyUUID.png

Figure 8: AES Key UUID

4. Replace the <Key_id > with the UUID in the below URL, for example:

https://sdkms.fortanix.com/v0/gcp/key/b5105b49-0fde-4522-8e0d-6064fde6688e

5. Use the resource URL above to complete the GCP setup.

5.0  References

1. Google Cloud Key Management Service

https://cloud.google.com/kms/ekm/docs/

2. GCP Key Manager Service API

https://cloud.google.com/kms/docs/reference/rest/

3. SDKMS Getting started

https://support.fortanix.com/hc/en-us/articles/360015809372-Getting-Started-with-SDKMS

4. Advanced Encryption Standard

https://www.researchgate.net/publication/317615794_Advanced_Encryption_Standard_AES_Algorithm_to_Encrypt_and_Decrypt_Data

5. Enable Billing in GCP

https://cloud.google.com/billing/docs/how-to/modify-project