Overview
There are several ways to export Fortanix Self-Defending KMS keys to major cloud providers that support BYOK for server-side encryption.
Prerequisite
Download Fortanix Self-Defending KMS CLI from here.
AWS - Method #1
Use the following script to automate BYOK in AWS:
#!/bin/bash
# Install aws cli and sdkms-cli before running this script

# Set up environment variable and temporary files for storing key material
export FORTANIX_API_ENDPOINT=https://sdkms.fortanix.com
wrappingkey_file=$(mktemp)
import_token_file=$(mktemp)
wrapped_blob=$(mktemp)

# Run aws configure and enter your access key, secret key, region, and default output format (text)
aws configure

# Create external key in AWS (--query extracts the key ID directly, so the result does not
# depend on the column order of the text output, which has changed across AWS CLI versions)
aws_kid=$(aws kms create-key --origin EXTERNAL --query KeyMetadata.KeyId --output text)

# Get description of key
aws kms describe-key --key-id "$aws_kid"

# Get import parameters for external key created in AWS. In text output the scalar fields are
# printed in alphabetical order: ImportToken, KeyId, ParametersValidTo, PublicKey.
# The public key and import token are bound to each other, so both must come from the same call.
params=$(aws kms get-parameters-for-import --key-id "$aws_kid" --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048 --output text)
echo "$params" | awk '{print $4}' | base64 --decode > "$wrappingkey_file"
echo "$params" | awk '{print $1}' | base64 --decode > "$import_token_file"

# Log in to Fortanix Self-Defending KMS
sdkms-cli app-login

# Generate key in Fortanix Self-Defending KMS
key_name="AWS Key"$RANDOM
kid=$(sdkms-cli create-key --name "$key_name" --obj-type AES --key-size 256 --exportable -f)

# Import the AWS public wrapping key (DER) into Fortanix Self-Defending KMS
wrapping_key_name="AWS wrapping key"$RANDOM
wrapping_kid=$(sdkms-cli import-key --in "$wrappingkey_file" --der --name "$wrapping_key_name" --obj-type RSA)

# Wrap the Fortanix Self-Defending KMS key with the AWS wrapping key (RSA-OAEP with SHA-256/MGF1-SHA-256)
sdkms-cli wrap-key --wrapping-kid "$wrapping_kid" --kid "$kid" --alg RSA --mode OAEP_MGF1_SHA256 --out "$wrapped_blob"

# Log out from Fortanix Self-Defending KMS
sdkms-cli app-logout

# Import key material into AWS
aws kms import-key-material --key-id "$aws_kid" --encrypted-key-material "fileb://$wrapped_blob" --import-token "fileb://$import_token_file" --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE

# Get description of key (KeyState should now be Enabled and Origin EXTERNAL)
aws kms describe-key --key-id "$aws_kid"

# Cleanup
rm "$wrappingkey_file" "$import_token_file" "$wrapped_blob"
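The wrap-key step above is the point where the exportable AES key leaves the Fortanix HSM, protected only by the RSA-2048 public key that AWS returned. The following added example (not Fortanix's or AWS's code) reproduces that wrapping locally with openssl so that the blob format can be checked before a real import: it generates a throwaway RSA-2048 pair standing in for AWS's wrapping key and a random 256-bit key standing in for the Fortanix key, wraps with RSAES_OAEP_SHA_256 (OAEP with SHA-256 and MGF1-SHA-256, the same mode as `--mode OAEP_MGF1_SHA256`), checks the blob size, and unwraps to confirm the round trip. It assumes `openssl` is installed; the function names are hypothetical.

```shell
#!/bin/bash
# Added example: local model of the BYOK wrapping step. All key material is generated
# on the fly; nothing here talks to AWS or to Fortanix Self-Defending KMS.
set -euo pipefail

# Wrap a raw symmetric key file with an RSA public key in DER (SubjectPublicKeyInfo), the
# format AWS returns from get-parameters-for-import, using RSAES_OAEP_SHA_256.
wrap_key_oaep_sha256() {
  local pub_der=$1 key_file=$2 out_file=$3
  openssl pkeyutl -encrypt -pubin -keyform DER -inkey "$pub_der" \
    -in "$key_file" -out "$out_file" \
    -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt rsa_oaep_md:sha256 \
    -pkeyopt rsa_mgf1_md:sha256
}

# Unwrap with the matching private key. In the real flow only AWS KMS holds this key, so this
# step is possible here only because the example owns both halves of the throwaway pair.
unwrap_key_oaep_sha256() {
  local priv_pem=$1 blob=$2 out_file=$3
  openssl pkeyutl -decrypt -inkey "$priv_pem" -in "$blob" -out "$out_file" \
    -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt rsa_oaep_md:sha256 \
    -pkeyopt rsa_mgf1_md:sha256
}

# Full round trip. Prints the wrapped blob size in bytes and returns 0 on success,
# non-zero if the blob has the wrong size or the unwrapped key does not match.
byok_wrap_roundtrip() {
  local work
  work=$(mktemp -d)
  # Throwaway RSA-2048 pair in place of the AWS wrapping key (RSA_2048 key spec)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/priv.pem" 2>/dev/null
  openssl pkey -in "$work/priv.pem" -pubout -outform DER -out "$work/pub.der"
  # 32 random bytes in place of the exportable AES-256 key from Fortanix Self-Defending KMS
  openssl rand -out "$work/aes.key" 32

  wrap_key_oaep_sha256 "$work/pub.der" "$work/aes.key" "$work/wrapped.bin"

  # An RSA-2048 OAEP ciphertext is exactly 256 bytes; any other size means the wrong
  # key spec or padding mode was used and AWS would reject the import.
  local size
  size=$(wc -c < "$work/wrapped.bin" | tr -d ' ')
  if [ "$size" -ne 256 ]; then
    echo "unexpected wrapped blob size: $size" >&2
    rm -rf "$work"
    return 1
  fi

  unwrap_key_oaep_sha256 "$work/priv.pem" "$work/wrapped.bin" "$work/unwrapped.key"
  if ! cmp -s "$work/aes.key" "$work/unwrapped.key"; then
    echo "unwrapped key does not match original" >&2
    rm -rf "$work"
    return 1
  fi

  rm -rf "$work"
  echo "$size"
}

byok_wrap_roundtrip
```

Running the script prints `256` when the wrap and unwrap agree. In a real import the same size check can be applied to the file written by `sdkms-cli wrap-key --out` before calling `aws kms import-key-material`, which catches a wrong `--alg`/`--mode` combination without spending an import token.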
AWS - Method #2
Prerequisites
- Python 3.x
- SDKMS-CLI
- AWS-CLI
Automation
- Click the link Fortanix Self-Defending KMS AWS BYOK to download the automation tool.
- Run the following commands:
  - Help:
    python sdkms-aws.py -h
  - Import key:
    python sdkms-aws.py import-key --name <key-name> --key-size 256 --group-id <sdkms-group-id>
  - Rotate key:
    python sdkms-aws.py rotate-key --name <key-name>
AWS BYOK Automation Using Plugin
- Go to the Fortanix Self-Defending KMS home page and click the Plugins icon.
  Figure 1: Plugins
- In the Plugins page, click the PLUGIN LIBRARY tab and then click the AWS BYOK tile to load the plugin page, which gives detailed information about the plugin, its common use cases, setup, and the format of the plugin inputs and outputs.
  Figure 2: Plugin Library
- In the AWS BYOK plugin page, click the GET PLUGIN button to go to the plugin creation page.
  Figure 3: Get Plugin
- Review the plugin name, assign it to a group, and then click Save.
  Figure 4: Review plugin details
- Go to the detailed view of the plugin. There you can test the plugin's request and response using the Test Plugin text box: paste a sample request from the plugin code and see the response in the Test output section. To configure and run the plugin, click the INVOKE PLUGIN button.
  Figure 5: Invoke Plugin
For more request and response operations, go to the Fortanix Self-Defending KMS Plugin Library -> <plugin-name> -> OVERVIEW page, as shown in Figure 3.
For more details on how to use the Plugin Library, see the article https://support.fortanix.com/hc/en-us/articles/360041950371-User-s-Guide-Plugin-Library