User's Guide: Cryptographic Policy

Introduction

The Fortanix Data Security Manager (DSM)supports cryptographic policies that can be set on accounts or groups to restrict what kind of keys can be created and the permitted operations. Policies are specified at the Account or Group level.

Fortanix Data Security Manager Cryptographic Policy Structure

Allowed Keys

By default, all types of keys are selected for the policy: AES, DES, DES3, DSA, RSA, EC, HMAC, SECRET, CERTIFICATE, and OPAQUE.

Key Sizes

The key sizes allowed for any given key are:

  • AES: 128, 192, or 256 bits
  • DES3: 168 bits or 112 bits (for 2-key triple DES)
  • DES: 56 bits only
  • DSA: 2048 bits (subgroup size: 224, 256 bits) or 3072 bits (subgroup size: 256 bits)
  • RSA: minimum 1024 to 8192 bits
  • HMAC: minimum 112 to 8192
  • EC: Choose any of the following curves: SecP192K1, SecP224K1, SecP256K1, NistP192, NistP224,NistP256, NistP384, NistP521, Gost256A, X25519, Ed25519

Key Operations

The default key operations allowed for any given key are:

  • AES/DES3: ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, MACGENERATE, MACVERIFY, APPMANAGEABLE
  • DSA: SIGN, VERIFY, APPMANAGEABLE, EXPORT
  • RSA: SIGN, VERIFY, ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, APPMANAGEABLE
  • EC: SIGN, VERIFY, APPMANAGEABLE, AGREEKEY
  • DES: ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, APPMANAGEABLE
  • HMAC: DERIVEKEY, MACGENERATE, MACVERIFY, APPMANAGEABLE

When setting a Cryptographic Policy, a user can restrict which of the above key operations are allowed in an account or group. By default, all operations are allowed.

Create / Edit a Cryptographic Policy

Create Account Level Cryptographic Policy

A Fortanix DSM Account Administrator can restrict which types of keys, key sizes (or elliptic curves), padding policies, and key permissions are allowed for each key that is generated or imported into an account. Perform the following steps to create an account level cryptographic policy:

  1. Click the Settings tab in the Fortanix DSM UI. SDKMS_Settings.png
    Figure 1: Fortanix DSM Settings Tab
  2. In the Account Settings page, click the CRYPTOGRAPHIC POLICY tab, and click ADD CRYPTOGRAPHIC POLICY to add a new policy. Crypto11.png
    Figure 2: Add New Cryptographic policy
  3. Select the key types that you want to allow for this account.
  4. Add the allowed key size (s) for the keys.
  5. To handle existing non-compliant keys, refer to Section: Policy Enforcement.
  6. Select the permitted key operations that will be allowed for the keys.
  7. To store detailed audit logs for all the groups in the account, enable the toggle for Keep detailed log for all the groups in this account.
  8. Click SAVE POLICY to save the policy settings. Crypto1.png Crypto2.png
    Figure 3: Account cryptographic policy
  9. Now, create a new group and add a security object. Refer to the Fortanix Data Security Manager Getting Started guide for instructions. Create_new_security_object2.png
    Figure 4: Create New Security Object
  10. You can see the key types and key operations are restricted by the cryptographic policy settings at the account level. Account-level restricted values are greyed out.

    Create_so_with_new_policy1.png
    Figure 5: Create Security Object with new Cryptographic Policy
    If an account already contains keys that are not compliant with the policy being added, there will be an indication next to the key name in the security object table view.
    Error2.png Figure 6: Error Message for Non-Compliance An error message is also displayed in the detailed view of the key which shows the non-compliance setting selected at the account-level Cryptographic policy as seen below.
    Error3.pngFigure 7: Error Message for Non-Compliance

Edit/Delete an Account Level Cryptographic Policy

A user may edit an account level policy when there is a need to add/remove key types, key operations, or modify the allowed key size. A user can also delete a cryptographic policy using the edit account policy option. To edit/delete an account level cryptographic policy:

  1. Click the EDIT POLICY button on the "Cryptographic policy for security objects" settings page. Crypto10.png
    Figure 8: Edit Account Cryptographic Policy
  2. Make some changes to the allowed key operations. For example, disable adding a “DES” key type, disable the “MacVerify” key operation, and then Save the policy. Crypto3.pngCrypto4.png
    Figure 9: Edit Cryptographic Policy This will disable the “DES” key type and the “MacVerify” key operation when a user creates a new security object. Create_new_SO_Object_3.png
    Figure 10: Create New Security Object
  3. To delete an account-level cryptographic policy, click EDIT POLICY on the CRYPTOGRAPHIC POLICY page and click DELETE POLICY at the bottom of the page. Crypto5.png
    Figure 11: Delete account cryptographic policy
    WARNING
    Deleting an account-level cryptographic policy will remove all the key restriction rules for the groups that were set at the account level.

Create a Group Level Cryptographic Policy

A group-level cryptographic policy restricts what types of security objects can be added to the group and defines restrictions for other key parameters – size, curve, padding, and key permissions.

The groups that have a cryptographic policy set will be marked with an icon in the group’s table view.

Group_having_crypto.png
Figure 12: Group Having a Cryptographic Policy

To add a cryptographic policy at the group level:

  1. Create a new group or open an existing group. Create_Open_Existing_group.png
    Figure 13: Create New / Open Existing Group
  2. In the INFO tab in the group detailed view, click ADD POLICY in the cryptographic policy section. Add_Crypto_for_Group.png
    Figure 14: Add Cryptographic Policy for Group
  3. Select the key types that you want to allow for this group. CryptoGroup_keyTypes.png
    Figure 15: Select Allowed Key Types
  4. Select the allowed key size (s) for the keys. CryptoGroup_keysizes.png
    Figure 16: Select Allowed Key Size
  5. To handle existing non-compliant keys, refer to the section Policy Enforcement.
  6. Select the permitted key operations that will be allowed for the keys.
  7. To enable audit logs for the object in the group, enable the toggle for Keep detailed log for the object. The initial state of the toggle is based on the parent crypto policy if any. Crypto6.png
    Figure 17: Key operations and audit log
  8. Click SAVE POLICY.
NOTE
  1. If a cryptographic policy was set at the account level before the group level, then the account level cryptographic policy takes precedence over a group level cryptographic policy.
  2. A cryptographic policy set at the account level can be narrowed for each group in the account to further restrict Security Object parameters. Crypto7.pngFigure 18: Account policy pre-applied

In this example, some of the key types and key operations are unavailable when creating a cryptographic policy at the group level. This is because an account-level cryptographic policy was applied before the group-level policy.

If a group already contains keys that are not compliant with the Cryptographic policy being added, an error message is displayed in the policy section as seen below.
Error1.png
Figure 19: Error Message for Non-Compliance

There is also an indication next to the group name in the table view of the Groups page as seen below.
Error4.png
Figure 20: Error Message for Non-Compliance

Delete a Group Level Cryptographic Policy

To edit or delete a group level cryptographic policy:

  1. Go to the detailed view of a group.
  2. In the INFO tab, under the Cryptographic policy section, click the EDIT POLICY button. Crypto1.png
    Figure 21: Edit group cryptographic policy
  3. Click the DELETE POLICY button, to delete the cryptographic policy. Crypto8.png
    Figure 22: Delete group cryptographic policy
    NOTE

    If an account-level cryptographic policy was set, then the account cryptographic policy rules will still be applicable for the group, even after deleting the group cryptographic policy.

Policy Enforcement

  • All new keys will be allowed/denied based on the cryptographic policy rules.

  • Any existing keys that are not compliant with the policy will still exist in the group. However, these keys will be marked separately as policy-violating keys. For these keys the following conditions are applicable:
    • Cryptographic Operations that are classified as “protect operations” will not be allowed: For example: Sign, Encrypt, Wrapkey, Derivekey, MacGenerate, AgreeKey.
    • Cryptographic Operations which are classified as “process operations” will still be allowed: For example: Verify, Decrypt, UnwrapKey, MacVerify.

If a group contains keys that are not compliant with the policy being added, an error message is displayed where the key can either be grandfathered, forbidden, or partially grandfathered. When a cryptographic policy is created at an account or group level, there are 3 options provided to handle non-compliant keys. These options are detailed in the section Handling existing non-compliant keys:

Crypto9.png
Figure 23: Handling Non-Compliant Keys

  1. Forbid to use: Forbid any use of non-compliant objects. If this option is selected, you are forbidden from using the non-compliant keys for any operation.
  2. Accept: Accept non-compliant objects even though they violate the current policy. If this option is selected, you may continue to use existing non-compliant keys, but you may not generate or import new non-compliant objects.
  3. Limit usage: Restrict non-compliant objects so that they may only be used for “process operations” such as Decrypt, Unwrap, Verify, and MacVerify operations. The “protect operations” such as Encrypt, Wrap, Sign, and Mac are forbidden.
NOTE
If the non-compliance setting for account-level Cryptographic policy is different from the group-level Cryptographic policy, then the setting which is more restrictive is applied for the existing keys.

Comments

Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful