Exporting Fortanix Data Security Manager keys to Cloud Providers for BYOK - AWS Automated


There are several ways to export Fortanix Data Security Manager (DSM) keys to major cloud providers that support BYOK for server-side encryption. 


Download Fortanix DSM CLI from here.

AWS - Method #1: Script to automate BYOK in AWS

Use the following script:

#!/usr/bin/env bash
# Install the AWS CLI and sdkms-cli before running this script.
set -euo pipefail

# Set the Fortanix DSM endpoint and create temporary files for the key material
# that moves between AWS KMS and Fortanix DSM.
export FORTANIX_API_ENDPOINT=https://sdkms.fortanix.com
workdir=$(mktemp -d)
wrappingkey_file=$workdir/wrapping-key.der
import_token_file=$workdir/import-token.bin
wrapped_blob=$workdir/wrapped-key.bin
# Run aws configure and enter your access key, secret key, region, and default output format.
aws configure

# Create a KMS key with no key material yet (origin EXTERNAL). --query/--output pick the
# key ID out of the response instead of relying on a column position in text output.
aws_kid=$(aws kms create-key --origin EXTERNAL --query KeyMetadata.KeyId --output text)
# Get description of key (KeyState is PendingImport at this point)
aws kms describe-key --key-id "$aws_kid"
# Get the import parameters for the external key: a one-time import token and the
# RSA-2048 wrapping public key (DER), returned together as one tab-separated line.
# The token is bound to that public key, so both must come from the same call. The
# wrapping algorithm requested here must match the wrap-key mode used in Fortanix DSM below.
params=$(aws kms get-parameters-for-import --key-id "$aws_kid" \
  --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048 \
  --query '[ImportToken,PublicKey]' --output text)
# --decode works with both GNU base64 (-d) and macOS base64 (-D).
printf '%s\n' "$params" | cut -f1 | base64 --decode > "$import_token_file"
printf '%s\n' "$params" | cut -f2 | base64 --decode > "$wrappingkey_file"

# Log in to Fortanix DSM
sdkms-cli app-login
# Generate an exportable AES-256 key in Fortanix DSM
key_name="AWS Key"$RANDOM
kid=$(sdkms-cli create-key --name "$key_name" --obj-type AES --key-size 256 --exportable -f)

# Import the AWS wrapping public key into Fortanix DSM
wrapping_key_name="AWS wrapping key"$RANDOM
wrapping_kid=$(sdkms-cli import-key --in "$wrappingkey_file" --der --name "$wrapping_key_name" --obj-type RSA)

# Wrap the Fortanix DSM key with the AWS wrapping key imported above. The wrap runs inside
# DSM, so the plaintext AES key never leaves it. OAEP_MGF1_SHA256 is the DSM mode that
# corresponds to the RSAES_OAEP_SHA_256 wrapping algorithm requested from KMS.
sdkms-cli wrap-key --wrapping-kid "$wrapping_kid" --kid "$kid" --alg RSA --mode OAEP_MGF1_SHA256 --out "$wrapped_blob"
# Log out from Fortanix DSM
sdkms-cli app-logout
# Import the wrapped key material into the KMS key. The import token expires 24 hours
# after it was issued, so run this step promptly after get-parameters-for-import.
aws kms import-key-material --key-id "$aws_kid" --encrypted-key-material "fileb://$wrapped_blob" \
  --import-token "fileb://$import_token_file" --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE

# Get description of key; KeyState should now be Enabled
aws kms describe-key --key-id "$aws_kid"
# Remove the import token, wrapping key and wrapped blob from local disk
rm -rf "$workdir"
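The wrap step is the one place where a padding or hash mismatch silently produces a blob that KMS rejects only at import-key-material time. The following is an added example, not part of the Fortanix article and not sdkms-cli code: it reproduces the same RSA-OAEP operation with OpenSSL and uses a locally generated RSA-2048 key pair as a stand-in for the KMS wrapping key (an assumption; the real private half never leaves KMS), so the blob format, its 256-byte size and a full round trip can be checked before a real import. The helper names and file names are mine. Because the plaintext key passes through the operator's machine here, use it only to validate tooling with a throwaway key; in production the wrap stays inside DSM as in the script above.

```shell
#!/usr/bin/env bash
# Added example: check the RSA-OAEP(SHA-256, MGF1-SHA-256) wrapping that
# KMS expects for RSAES_OAEP_SHA_256, using OpenSSL and a throwaway key pair.
set -eu

# wrap_key_material <wrapping-public-key.der> <raw-aes-key.bin> <out-blob.bin>
# Encrypts the raw key with RSA-OAEP using SHA-256 for both the OAEP hash and
# the MGF1 hash, then prints the blob size so the caller can sanity-check it.
wrap_key_material() {
  local pubkey_der="$1" raw_key="$2" out_blob="$3"
  # A 256-bit AES key is exactly 32 bytes; refuse anything else before wrapping.
  local size
  size=$(wc -c < "$raw_key" | tr -d ' ')
  if [ "$size" -ne 32 ]; then
    echo "expected 32 bytes of key material, got $size" >&2
    return 1
  fi
  openssl pkeyutl -encrypt -pubin -keyform DER -inkey "$pubkey_der" \
    -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt rsa_oaep_md:sha256 \
    -pkeyopt rsa_mgf1_md:sha256 \
    -in "$raw_key" -out "$out_blob"
  # RSA-2048 OAEP output is always 256 bytes, whatever the plaintext length.
  wc -c < "$out_blob" | tr -d ' '
}

# unwrap_key_material <wrapping-private-key.pem> <blob.bin> <out-raw.bin>
# Only possible with the private half, which KMS never releases; used here with
# a locally generated pair to prove the blob is well-formed for this scheme.
unwrap_key_material() {
  local privkey_pem="$1" blob="$2" out_raw="$3"
  openssl pkeyutl -decrypt -keyform PEM -inkey "$privkey_pem" \
    -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt rsa_oaep_md:sha256 \
    -pkeyopt rsa_mgf1_md:sha256 \
    -in "$blob" -out "$out_raw"
}

# self_test: constructed stand-in for the KMS wrapping key (RSA-2048 exported as
# DER SubjectPublicKeyInfo, the same shape as the PublicKey field returned by
# get-parameters-for-import) plus a random AES-256 key. Returns 0 when the
# wrap/unwrap round trip recovers the key and the blob is 256 bytes.
self_test() {
  local dir
  dir=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/wrap-priv.pem" 2>/dev/null
  openssl pkey -in "$dir/wrap-priv.pem" -pubout -outform DER \
    -out "$dir/wrap-pub.der"
  head -c 32 /dev/urandom > "$dir/aes.bin"
  local blob_size
  blob_size=$(wrap_key_material "$dir/wrap-pub.der" "$dir/aes.bin" "$dir/blob.bin")
  unwrap_key_material "$dir/wrap-priv.pem" "$dir/blob.bin" "$dir/aes.out"
  local rc=1
  if cmp -s "$dir/aes.bin" "$dir/aes.out" && [ "$blob_size" -eq 256 ]; then
    rc=0
  fi
  rm -rf "$dir"
  return $rc
}

# Run the round-trip check when invoked as: ./byok-wrap-check.sh --self-test
if [ "${1:-}" = "--self-test" ]; then
  self_test && echo "wrap/unwrap round trip OK"
fi
```

To validate a blob produced by DSM instead, run only the size check: a 256-byte blob that KMS still rejects almost always means the wrapping public key was not the one paired with the import token, or the token has expired.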

AWS - Method #2


Prerequisite:
  • Python 3.x


  1. Click the link Fortanix Data Security Manager AWS BYOK to download the automation tool.
  2. Run the following commands:
    • Help:
      python sdkms-aws.py -h
    • Import-key:
      python sdkms-aws.py import-key --name <key-name> --key-size 256 --group-id <sdkms-group-id>
    • Rotate key:
      python sdkms-aws.py rotate-key --name <key-name>

AWS BYOK Automation Using Plugin

  1. Go to the Fortanix DSM home page and click the Plugins icon.
    Figure 1: Plugins
  2. In the Plugins page, click the PLUGIN LIBRARY tab and then click the AWS BYOK tile to load the associated plugin page with detailed information about the plugin, common use cases, setup, and the format of the plugin inputs and outputs.
    Figure 2: Plugin Library
  3. In the AWS BYOK plugin page, click the GET PLUGIN button to go to the plugin creation page.
    Figure 3: Get Plugin
  4. Review the plugin name, assign the plugin to a group, and then click Save.
    Figure 4: Review plugin details
  5. Go to the detailed view of the plugin. Here you can test the plugin's request and response: paste a sample request from the plugin code into the Test Plugin text box and see the response in the Test output section. To configure and run the plugin, click the INVOKE PLUGIN button.
    Figure 5: Invoke Plugin
      For more request and response operations, go to the Fortanix DSM Plugin Library -> <plugin-name> -> OVERVIEW page as shown in Figure 3.

For more details on how to use the Plugin Library, see the article https://support.fortanix.com/hc/en-us/articles/360041950371-User-s-Guide-Plugin-Library 
