Exporting Fortanix Data Security Manager keys to Cloud Providers for BYOK - Azure Key Vault


There are several ways to export Fortanix Data Security Manager (DSM) keys to major cloud providers that support BYOK for server-side encryption. 


Download Fortanix DSM CLI from here.


Azure App Configuration

You will need to provide the tool your Azure credentials, which will be used to authenticate to Azure and perform interactions with Azure Key Vault. You can do the following to get these credentials:

  1. Log in to https://portal.azure.com/.
  2. Register an application. azure_byok1.png
    Figure 1: Initiate app registration
    Figure 2: Register an App
    Figure 3: App registered
  3. Create a client secret for the above application. azure_byok7.png
    Figure 4: Client secret for the app
  4. Give the App permission to access the Azure Key Vault. azure_byok4.1.png
    Figure 5: Key Vault permission to access app
  5. Create an Azure Key Vault. azure_byok5.1.png
    Figure 6: Create Azure Key Vault

    Figure 7: Create Azure Key Vault
  6. Add the application in the Access Policy of the Key Vault. azure_byok8.png
    Figure 8: Add access policy
    Figure 9: Access policy added

Fortanix Data Security Manager Configuration

  1. Log in to Fortanix DSM ( https://sdkms.fortanix.com/ ).
  2. Create an account in Fortanix DSM.
  3. Create a group in Fortanix DSM account.
  4. Create an app in Fortanix DSM.

 Refer to the Fortanix Getting Started Guide for instructions on how to do the Steps 1-4 above.

Make sure that the app you are going to use, has access to the group where the DSM key exists that you want to use for this BYOK operation.

Fortanix Data Security Manager with Azure Key Vault - Manual Integration

Azure Key Vault supports the direct import of key material. Generate an exportable RSA key in Fortanix DSM and export its value to upload the key to Azure.

  1. Perform Steps 1-6 in the section Azure App Configuration.
  2. Perform Steps 1-4 in the section Fortanix Data Security Manager Configuration.
  3. Log in to Fortanix DSM CLI.
    sdkms-cli app-login
  4. Create an RSA Key in Fortanix DSM with the --exportable option enabled.
    sdkms-cli create-key --name sdkms-azure-byok --key-size 2048 --obj-type RSA --exportable
  5. Export the RSA key created in the previous step. 
    sdkms-cli export-object --kid 57477f7c-f954-42e2-a4e3-db42b66ace4f >> sdkms_byok.pem
  6. Import the RSA key in Azure that you have exported from Fortanix DSM. azure_byok10.png
    Figure 10: Import RSA key 

    Figure 11: Import RSA key 
    Figure 12: RSA key imported
  7. RSA Key is imported successfully.

Fortanix Data Security Manager with Azure Key Vault - Automatic Integration


In order to run the Fortanix DSM Azure BYOK tool, you need the following:


  1. Click the link Fortanix Data Security Manager Azure Key Vault BYOK  to download the automation tool. You can run this tool from any machine that can reach your DSM cluster over the network.
  2. Perform Steps 1-6 in the section Azure App Configuration.
  3. Perform Steps 1-4 in the section Fortanix Data Security Manager Configuration.
  4. Export the environment variable using the following commands:
    export FORTANIX_API_ENDPOINT=<sdkms-api-endpoint>
    export FORTANIX_API_KEY=<sdkms-api-key>
    export AZURE_CLIENT_ID=<azure-client-id>
    export AZURE_CLIENT_SECRET=<azure-client-secret>
    export AZURE_TENANT_ID=<azure-tenant-id>
  5. Run the following commands:
    • Help:
      python sdkms-aws.py -h
    • Import Private Key:
      python sdkms-azure.py import-private-key --name <key-name> --key-size <key-size> --vault-name <key-vault-name> --group-id <group-id> --key-type RSA
      python sdkms-azure.py import-private-key --name <key-name> --curve-type <curve-type> --vault-name <key-vault-name> --group-id <group-id> --key-type EC
    • Import AES key:
      python sdkms-azure.py import-secret --name <key-name> --key-size <key-size> --vault-name <vault-name> --group-id <group-id>
    • Rotate RSA and EC key:
      python sdkms-azure.py rotate-private-key --name <key-name> --vault-name <key-vault-name>
    • Rotate AES key:
      python sdkms-azure.py rotate-secret --name <key-name> --vault-name <key-vault-name>

Fortanix Data Security Manager with Azure Key Vault - Using Azure Key Vault Plugin

  1. Go to the Fortanix DSM home page and click the Plugins icon. sdkms_aws_byok10.png
    Figure 13: Plugins
  2. In the Plugins page, click the PLUGIN LIBRARY tab and then click the Self-Defending KMS-Azure Bring Your Own Key (BYOK) tile to load the associated plugin page with detailed information about the plugin, common use cases, setup, and format of the plugin inputs and outputs. azure_byok13.png
    Figure 14: Plugin Library
  3. In the "Self-Defending KMS-Azure Bring Your Own Key (BYOK) plugin" page, to install a plugin the user needs to click the GET PLUGIN button to go to the plugin creation page. azure_byok14.png
    Figure 15: Get Plugin
  4. Review the plugin name and assign it to a group, and then click Save. azure_byok15.png
    Figure 16: Review plugin details
  5. Now go to the detailed view of the plugin, where you can also test the plugin's request and response using the Test Plugin text box where you can paste a sample request from the plugin code and see the response in the Test output section. To configure and run the plugin click the INVOKE PLUGIN button. sdkms_aws_byok14.png
    Figure 17: Invoke Plugin
      For more request and response operations go to Fortanix DSM Plugin Library -> <plugin-name> -> OVERVIEW page as shown in Figure 15.

For more details on how to use the Plugin Library, see the article https://support.fortanix.com/hc/en-us/articles/360041950371-User-s-Guide-Plugin-Library 

Was this article helpful?
0 out of 0 found this helpful