Exporting Fortanix Data Security Manager keys to Cloud Providers for BYOK - AWS

Overview

There are several ways to export Fortanix Data Security Manager (DSM) keys to major cloud providers that support BYOK for server-side encryption. 

Prerequisite

Download Fortanix DSM CLI from here.

AWS

AWS KMS provides a wrapping key and a token in order to import customer keys. The steps are very similar to Google Cloud GCE setup:

1. Log in to AWS Console.
2. Search for Key Management Service (KMS).
3. Create a Customer Master Key (CMK) which is a 256-bit AES Symmetric Key that has no key material associated.      Figure 1: Configure the Symmetric key        Figure 2: Add labels
   
         Figure 3: Define key administrative parameters        Figure 4: Review and edit the key policy 
4. Download the import wrapping key and import token from the AWS KMS.       Figure 5: Download the wrapping key and Import token
    
5. Import the AWS Wrapping Key provided by KMS into Fortanix DSM. Figure 6: Import AWS Wrapping key in Fortanix DSM
    
6. Create an AES 256-bit Symmetric Key in Fortanix DSM. Figure 7: Create AES Symmetric key in Fortanix DSM 
7. Wrap the Fortanix DSM AES 256-bit Symmetric CMK with the imported AWS wrapping key.

   export FORTANIX_API_ENDPOINT=<https://<fortanix_dsm_url>>
   export FORTANIX_API_KEY=<MzI...c3R>
   sdkms-cli app-login
   sdkms-cli wrap-key --kid c66a0486-bf71-43d4-9960-7ca8e1f242fd --alg RSA --mode OAEP_MGF1_SHA256 --wrapping-kid 40e1ae80-2848-4eec-9ac6-26bc5b5334dc --out ~/blob_file.bin

   Where,
   
   • --kid is the Fortanix DSM key identifier UUID of AES key.
   • --wrapping-kid is the UUID of the RSA key that you downloaded from AWS and imported in Fortanix DSM.
      
8. Import this Wrapped Symmetric key and import token from Step 4 in AWS KMS to complete the import. Figure 8: Upload wrapped key and token in AWS 
9. Use this imported key for server-side encryption in AWS Services.  Figure 9: Final Key