Overview
There are several ways to export DSM keys to major cloud providers that support BYOK for server-side encryption.
Prerequisite
Download DSM CLI from here.
Alibaba
- Create an external key in Alibaba.
- Create a new key by selecting key material source as “External”.
- Newly created key should show up with status as “Pending Import” and key material source as "External".
- Create a new key by selecting key material source as “External”.
- Download key encryption material.
Download the key encryption material, you will need it for key wrapping in DSM and key importing into Alibaba.- Public key
- Import Token
- Import Alibaba public key into DSM.
Import the public key from previous step into DSM as RSA key. - Create Customer Master Key in DSM.
Create a new AES key and make sure to select the “exportable” option.
- Wrap customer master key with Alibaba public key.
- Use DSM-Cli to wrap the newly created AES key (customer master key) with imported Alibaba public key.
$ sdkms-cli wrap-key --kid <customer master key> --alg RSA --mode OAEP_MGF1_SHA1 --wrapping-kid <Alibaba public key> --out alibabawrap.key - Apply base64 encoding on wrap key.
$ openssl enc -e -base64 -A -in alibabawrap.key -out alibabawrapbase64.key
- Use DSM-Cli to wrap the newly created AES key (customer master key) with imported Alibaba public key.
- Upload key into Alibaba KMS.
Import the encoded wrap key into Alibaba. You will also need the import token which we downloaded from Alibaba in Step 2.
- Alibaba KMS should have external key enabled now.
With successful import your external key should be "Enabled" now.
Comments
Please sign in to leave a comment.