Exporting Fortanix Self-Defending KMS keys to Cloud Providers for BYOK - Azure Key Vault

Overview

There are several ways to export Fortanix Self-Defending KMS keys to major cloud providers that support BYOK for server-side encryption. 

Prerequisite

Download Fortanix Self-Defending KMS CLI from here.

Configuration

Azure App Configuration

You will need to provide the tool your Azure credentials, which will be used to authenticate to Azure and perform interactions with Azure Key Vault. You can do the following to get these credentials:

1. Log in to https://portal.azure.com/.
2. Register an application. Figure 1: Initiate app registration  Figure 2: Register an App  Figure 3: App registered 
3. Create a client secret for the above application. Figure 4: Client secret for the app 
4. Give the App permission to access the Azure Key Vault. Figure 5: Key Vault permission to access app
5. Create an Azure Key Vault. Figure 6: Create Azure Key Vault
   Figure 7: Create Azure Key Vault 
6. Add the application in the Access Policy of the Key Vault. Figure 8: Add access policy      Figure 9: Access policy added   

Fortanix Self-Defending KMS Configuration

1. Log in to Fortanix Self-Defending KMS ( https://sdkms.fortanix.com/ ).
2. Create an account in Fortanix Self-Defending KMS.
3. Create a group in Fortanix Self-Defending KMS account.
4. Create an app in Fortanix Self-Defending KMS.

 Refer to the Fortanix Getting Started Guide for instructions on how to do the Steps 1-4 above.

Make sure that the app you are going to use, has access to the group where the Self-Defending KMS key exists that you want to use for this BYOK operation.

Fortanix Self-Defending KMS with Azure Key Vault - Manual Integration

Azure Key Vault supports the direct import of key material. Generate an exportable RSA key in Fortanix Self-Defending KMS and export its value to upload the key to Azure.

1. Perform Steps 1-6 in the section Azure App Configuration.
2. Perform Steps 1-4 in the section Fortanix Self-Defending KMS Configuration.
3. Log in to Fortanix Self-Defending KMS CLI.

   sdkms-cli app-login

4. Create an RSA Key in Fortanix Self-Defending KMS with the --exportable option enabled.

   sdkms-cli create-key --name sdkms-azure-byok --key-size 2048 --obj-type RSA --exportable

5. Export the RSA key created in the previous step. 

   sdkms-cli export-object --kid 57477f7c-f954-42e2-a4e3-db42b66ace4f >> sdkms_byok.pem

6. Import the RSA key in Azure that you have exported from Fortanix Self-Defending KMS.
   Figure 10: Import RSA key 
    
   Figure 11: Import RSA key  
   Figure 12: RSA key imported 
7. RSA Key is imported successfully.

Fortanix Self-Defending KMS with Azure Key Vault - Automatic Integration

Prerequisites

In order to run the Fortanix Self-Defending KMS Azure BYOK tool, you need the following:

• Python 3.x
• sdkms-cli
• Azure-CLI

Automation

1. Click the link Fortanix Self-Defending KMS Azure Key Vault BYOK  to download the automation tool. You can run this tool from any machine that can reach your Self-Defending KMS cluster over the network.
2. Perform Steps 1-6 in the section Azure App Configuration.
3. Perform Steps 1-4 in the section Fortanix Self-Defending KMS Configuration.
4. Export the environment variable using the following commands:

   export FORTANIX_API_ENDPOINT=<sdkms-api-endpoint>
   export FORTANIX_API_KEY=<sdkms-api-key>
   export AZURE_CLIENT_ID=<azure-client-id>
   export AZURE_CLIENT_SECRET=<azure-client-secret>
   export AZURE_TENANT_ID=<azure-tenant-id>
   

5. Run the following commands:
   
   • Help:

     python sdkms-aws.py -h

   • Import Private Key:

     python sdkms-azure.py import-private-key --name <key-name> --key-size <key-size> --vault-name <key-vault-name> --group-id <group-id> --key-type RSA
     python sdkms-azure.py import-private-key --name <key-name> --curve-type <curve-type> --vault-name <key-vault-name> --group-id <group-id> --key-type EC

   • Import AES key:

     python sdkms-azure.py import-secret --name <key-name> --key-size <key-size> --vault-name <vault-name> --group-id <group-id>

   • Rotate RSA and EC key:

     python sdkms-azure.py rotate-private-key --name <key-name> --vault-name <key-vault-name>

   • Rotate AES key:

     python sdkms-azure.py rotate-secret --name <key-name> --vault-name <key-vault-name>

Fortanix Self-Defending KMS with Azure Key Vault - Using Azure Key Vault Plugin

1. Go to the Fortanix Self-Defending KMS home page and click the Plugins icon. Figure 13: Plugins 
2. In the Plugins page, click the PLUGIN LIBRARY tab and then click the Self-Defending KMS-Azure Bring Your Own Key (BYOK) tile to load the associated plugin page with detailed information about the plugin, common use cases, setup, and format of the plugin inputs and outputs. Figure 14: Plugin Library 
3. In the "Self-Defending KMS-Azure Bring Your Own Key (BYOK) plugin" page, to install a plugin the user needs to click the GET PLUGIN button to go to the plugin creation page. Figure 15: Get Plugin 
4. Review the plugin name and assign it to a group, and then click Save. Figure 16: Review plugin details
5. Now go to the detailed view of the plugin, where you can also test the plugin's request and response using the Test Plugin text box where you can paste a sample request from the plugin code and see the response in the Test output section. To configure and run the plugin click the INVOKE PLUGIN button. Figure 17: Invoke Plugin  For more request and response operations go to Fortanix Self-Defending KMS Plugin Library -> <plugin-name> -> OVERVIEW page as shown in Figure 15.

For more details on how to use the Plugin Library, see the article https://support.fortanix.com/hc/en-us/articles/360041950371-User-s-Guide-Plugin-Library