Exporting Fortanix Data Security Manager keys to Cloud Providers for BYOK - AWS

Overview

There are several ways to export Fortanix Data Security Manager (DSM) keys to major cloud providers that support BYOK for server-side encryption. 

Prerequisite

Download the Fortanix DSM CLI (sdkms-cli) from here.

AWS

AWS KMS provides a public wrapping key and an import token for importing customer key material. The steps are very similar to the Google Cloud GCE setup:

  1. Log in to AWS Console.
  2. Search for Key Management Service (KMS).
  3. Create a Customer Master Key (CMK), which is a 256-bit AES symmetric key that has no key material associated.
     Figure 1: Configure the Symmetric key
     Figure 2: Add labels
     Figure 3: Define key administrative parameters
     Figure 4: Review and edit the key policy

  4. Download the import wrapping key and import token from AWS KMS.
     Figure 5: Download the wrapping key and Import token
     
  5. Import the AWS wrapping key provided by KMS into Fortanix DSM.
     Figure 6: Import AWS Wrapping key in Fortanix DSM
     
  6. Create an AES 256-bit symmetric key in Fortanix DSM.
     Figure 7: Create AES Symmetric key in Fortanix DSM
     
  7. Wrap the Fortanix DSM AES 256-bit symmetric key (the CMK key material) with the imported AWS wrapping key:
     export FORTANIX_API_ENDPOINT=https://<fortanix_dsm_url>
     export FORTANIX_API_KEY=<MzI...c3R>
     sdkms-cli app-login
     sdkms-cli wrap-key --kid c66a0486-bf71-43d4-9960-7ca8e1f242fd --alg RSA --mode OAEP_MGF1_SHA256 --wrapping-kid 40e1ae80-2848-4eec-9ac6-26bc5b5334dc --out ~/blob_file.bin
     where:
     • --kid is the UUID of the AES key in Fortanix DSM.
     • --wrapping-kid is the UUID of the RSA wrapping key that you downloaded from AWS and imported into Fortanix DSM.
       
  8. Import this wrapped symmetric key together with the import token from Step 4 into AWS KMS to complete the import.
     Figure 8: Upload wrapped key and token in AWS
     
  9. Use this imported key for server-side encryption in AWS services.
     Figure 9: Final Key
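The following script is an added example, not Fortanix or AWS code, that reproduces the Step 7 wrap with openssl so you can see what --alg RSA --mode OAEP_MGF1_SHA256 produces and sanity-check a blob before uploading it in Step 8. It assumes openssl is installed; the RSA-2048 key pair it generates is a constructed stand-in for the AWS KMS wrapping key, which lets it also perform the AWS-side unwrap for comparison.

```shell
#!/bin/sh
# Added example (not Fortanix code): reproduce the Step 7 wrap with openssl.
# The RSA key pair below is a CONSTRUCTED stand-in for the AWS KMS wrapping
# key; in the real flow AWS keeps the private half and you only download the
# public half (DER) together with the import token.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_fake_wrapping_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/wrap_priv.pem" 2>/dev/null
    # AWS delivers the wrapping key as a DER-encoded public key
    openssl pkey -in "$WORK/wrap_priv.pem" -pubout -outform DER \
        -out "$WORK/WrappingKey.bin"
}

# Stand-in for the AES 256-bit key created in Fortanix DSM in Step 6
make_aes_key() { openssl rand -out "$WORK/aes256.bin" 32; }

# Equivalent of --alg RSA --mode OAEP_MGF1_SHA256: RSA-OAEP with SHA-256
# and MGF1-SHA256, which AWS calls the RSAES_OAEP_SHA_256 wrapping algorithm
wrap_key() {
    openssl pkeyutl -encrypt -pubin -keyform DER -inkey "$WORK/WrappingKey.bin" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -pkeyopt rsa_mgf1_md:sha256 \
        -in "$WORK/aes256.bin" -out "$WORK/blob_file.bin"
}

# Pre-upload checks: key material must be exactly 32 bytes and the wrapped
# blob exactly the RSA modulus size (256 bytes for the 2048-bit key used here)
key_size()  { wc -c < "$WORK/aes256.bin"    | tr -d ' '; }
blob_size() { wc -c < "$WORK/blob_file.bin" | tr -d ' '; }

# What KMS does on import: unwrap with the private half. Here we confirm
# the unwrapped bytes equal the original key material.
unwrap_matches() {
    openssl pkeyutl -decrypt -inkey "$WORK/wrap_priv.pem" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -pkeyopt rsa_mgf1_md:sha256 \
        -in "$WORK/blob_file.bin" -out "$WORK/unwrapped.bin"
    [ "$(openssl dgst -sha256 < "$WORK/aes256.bin")" = \
      "$(openssl dgst -sha256 < "$WORK/unwrapped.bin")" ]
}

make_fake_wrapping_key
make_aes_key
wrap_key
```

With the real AWS wrapping key you only have the public half, so the unwrap check is not possible outside KMS; the size checks still apply, with the blob length matching whichever RSA size you selected when downloading the wrapping key.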
