Exporting SDKMS keys to Cloud Providers for BYOK - Alibaba

Overview

There are several ways to export SDKMS keys to the major cloud providers that support BYOK (Bring Your Own Key) for server-side encryption. This article walks through the procedure for Alibaba Cloud KMS.

Prerequisite

Download the SDKMS CLI (sdkms-cli) from here.

Alibaba

  1. Create an external key in Alibaba.
    1. Create a new key, selecting "External" as the key material source.
      Alibaba-1a.png
    2. The newly created key should show up with the status "Pending Import" and the key material source "External".
      Alibaba-1b.png
  2. Download the key encryption material.
    Download the key encryption material; you will need it for wrapping the key in SDKMS and for importing the key into Alibaba:
    • Public key
    • Import Token
    Alibaba-2.png
  3. Import the Alibaba public key into SDKMS.
    Import the public key from the previous step into SDKMS as an RSA key.
    Alibaba-3.png
  4. Create the Customer Master Key in SDKMS.
    Create a new AES key and make sure the "exportable" option is selected.
    Alibaba-4.png
  5. Wrap the customer master key with the Alibaba public key.
    1. Use sdkms-cli to wrap the newly created AES key (the customer master key) with the imported Alibaba public key.
      $ sdkms-cli wrap-key --kid <customer master key> --alg RSA --mode OAEP_MGF1_SHA1 --wrapping-kid <Alibaba public key> --out alibabawrap.key
    2. Apply base64 encoding to the wrapped key.
      $ openssl enc -e -base64 -A -in alibabawrap.key -out alibabawrapbase64.key
  6. Upload the key into Alibaba KMS.
    Import the base64-encoded wrapped key into Alibaba. You will also need the import token downloaded from Alibaba in Step 2.
    Alibaba-6.png
  7. Alibaba KMS should now have the external key enabled.
    With a successful import, your external key should now show the status "Enabled".
    Alibaba-7.png
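Steps 5.1 and 5.2 reproduced offline with openssl alone, as an added example that is not part of the original article and does not call sdkms-cli: a locally generated RSA-2048 key pair stands in for the Alibaba wrapping key, and a random 32-byte value stands in for the exportable AES customer master key. The wrap uses RSA-OAEP with MGF1/SHA-1 to match the --mode OAEP_MGF1_SHA1 setting, and the base64 step is the article's own; because the private half exists locally here, the script can also unwrap and verify the round trip, which is what Alibaba KMS does with its private key on import.

```shell
#!/bin/sh
# Offline stand-in for steps 5.1 and 5.2. All key material is generated locally
# (constructed for this demo); sdkms-cli is not invoked.
set -eu

WORK=$(mktemp -d)

# Throwaway RSA-2048 key pair standing in for the Alibaba wrapping key.
make_wrapping_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/alibaba.key" 2>/dev/null
  openssl pkey -in "$WORK/alibaba.key" -pubout -out "$WORK/alibaba.pub"
}

# 32 random bytes playing the role of the exportable AES-256 customer master key.
make_cmk() {
  openssl rand -out "$WORK/cmk.bin" 32
}

# Wrap the CMK with RSA-OAEP using SHA-1 and MGF1/SHA-1, i.e. the article's
# --mode OAEP_MGF1_SHA1, then base64-encode it on one line (article step 5.2).
wrap_cmk() {
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/alibaba.pub" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1 \
    -pkeyopt rsa_mgf1_md:sha1 \
    -in "$WORK/cmk.bin" -out "$WORK/alibabawrap.key"
  openssl enc -e -base64 -A -in "$WORK/alibabawrap.key" \
    -out "$WORK/alibabawrapbase64.key"
}

# Size of the wrapped blob in bytes; equals the RSA modulus size (256 for 2048-bit).
wrapped_size() {
  wc -c < "$WORK/alibabawrap.key" | tr -d ' '
}

# What the KMS does on import: decode, unwrap with the private half, and compare
# with the original CMK. Exit status 0 means the round trip succeeded.
verify_roundtrip() {
  openssl enc -d -base64 -A -in "$WORK/alibabawrapbase64.key" \
    -out "$WORK/wrapped.bin"
  openssl pkeyutl -decrypt -inkey "$WORK/alibaba.key" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1 \
    -pkeyopt rsa_mgf1_md:sha1 \
    -in "$WORK/wrapped.bin" -out "$WORK/cmk.unwrapped"
  cmp -s "$WORK/cmk.bin" "$WORK/cmk.unwrapped"
}

make_wrapping_key && make_cmk && wrap_cmk
```

The files written to $WORK mirror the article's alibabawrap.key and alibabawrapbase64.key; only the base64 file would be uploaded in step 6.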