See more

Exporting Fortanix Self-Defending KMS keys to Cloud Providers for BYOK - AWS Automated

  • Last updated:
  • access_time Reading time:

Overview

There are several ways to export Fortanix Self-Defending KMS keys to major cloud providers that support BYOK for server-side encryption. 

Prerequisite

Download Fortanix Self-Defending KMS CLI from here.

AWS

Use the following script to automate BYOK in AWS

#!/bin/bash

# Install aws cli, sdkms-cli before running this script

# Setup environment variable and temporary files for storing key material
export FORTANIX_API_ENDPOINT=https://sdkms.fortanix.com
wrappingkey_file=$(mktemp)
import_token_file=$(mktemp)
wrapped_blob=$(mktemp)

# run aws configure and enter your access key, secret key, region, and default output format (text) 
aws configure

# Create external key in AWS 
aws_kid=$(aws kms create-key --origin EXTERNAL | awk '{print $6}') 

# Get description of key
aws kms describe-key --key-id $aws_kid

# Get import parameters for external key created in AWS
params=$(aws kms get-parameters-for-import --key-id $aws_kid --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048)
echo $params | awk '{print $4}' | base64 -D > $wrappingkey_file
echo $params | awk '{print $1}' | base64 -D > $import_token_file 

# Log in to Fortanix Self-Defending KMS 
sdkms-cli app-login
 
# Generate Key in Fortanix Self-Defending KMS 
key_name="AWS Key"$RANDOM
kid=$(sdkms-cli create-key --name "$key_name" --obj-type AES --key-size 256 --exportable -f)
 
# Import public key to Fortanix Self-Defending KMS 
wrapping_key_name="AWS wrapping key"$RANDOM
wrapping_kid=$(sdkms-cli import-key --in $wrappingkey_file --der --name "$wrapping_key_name" --obj-type RSA)
 
# Wrap Fortanix Self-Defending KMS key with wrapping key obtained from Fortanix Self-Defending KMS 
blobfile=$(mktemp)
sdkms-cli wrap-key --wrapping-kid $wrapping_kid --kid $kid --alg RSA --mode OAEP_MGF1_SHA256 --out $wrapped_blob
 
# Log out from Fortanix Self-Defending KMS 
sdkms-cli app-logout

# Import key to AWS 
aws kms import-key-material --key-id $aws_kid --encrypted-key-material fileb://$wrapped_blob --import-token fileb://$import_token_file --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE

# Get description of key 
aws kms describe-key --key-id $aws_kid

# Cleanup 
rm $wrappingkey_file $import_token_file $wrapped_blob