There are several ways to export Fortanix Data Security Manager (DSM) keys to major cloud providers that support BYOK for server-side encryption.
Download Fortanix DSM CLI from here.
AWS KMS provides a wrapping key and a token in order to import customer keys. The steps are very similar to Google Cloud GCE setup:
- Log in to AWS Console.
- Search for Key Management Service (KMS).
- Create a Customer Master Key (CMK) which is a 256-bit AES Symmetric Key that has no key material associated.
Figure 1: Configure the Symmetric key Figure 2: Add labels Figure 3: Define key administrative parameters Figure 4: Review and edit the key policy
- Download the import wrapping key and import token from the AWS KMS.
Figure 5: Download the wrapping key and Import token
- Import the AWS Wrapping Key provided by KMS into Fortanix DSM.
Figure 6: Import AWS Wrapping key in Fortanix DSM
- Create an AES 256-bit Symmetric Key in Fortanix DSM.
Figure 7: Create AES Symmetric key in Fortanix DSM
- Wrap the Fortanix DSM AES 256-bit Symmetric CMK with the imported AWS wrapping key.
sdkms-cli wrap-key --kid c66a0486-bf71-43d4-9960-7ca8e1f242fd --alg RSA --mode OAEP_MGF1_SHA256 --wrapping-kid 40e1ae80-2848-4eec-9ac6-26bc5b5334dc --out ~/blob_file.bin
- --kid is the Fortanix DSM key identifier UUID of AES key.
- --wrapping-kid is the UUID of the RSA key that you downloaded from AWS and imported in Fortanix DSM.
- Import this Wrapped Symmetric key and import token from Step 4 in AWS KMS to complete the import.
Figure 8: Upload wrapped key and token in AWS
- Use this imported key for server-side encryption in AWS Services.
Figure 9: Final Key