Introduction
The Fortanix Data Security Manager (DSM) supports cryptographic policies, specified at the Account or Group level, that restrict which kinds of keys can be created or imported and which operations those keys are permitted to perform.
Fortanix Data Security Manager Cryptographic Policy Structure
Allowed Keys
By default, all types of keys are selected for the policy: AES, DES, DES3, DSA, RSA, EC, HMAC, SECRET, CERTIFICATE, and OPAQUE.
Key Sizes
The key sizes that can be allowed for each key type are:
- AES: 128, 192, or 256 bits
- DES3: 168 bits, or 112 bits (for 2-key Triple DES)
- DES: 56 bits only
- DSA: 2048 bits (subgroup size: 224 or 256 bits) or 3072 bits (subgroup size: 256 bits)
- RSA: 1024 to 8192 bits
- HMAC: 112 to 8192 bits
- EC: any of the following curves: SecP192K1, SecP224K1, SecP256K1, NistP192, NistP224, NistP256, NistP384, NistP521, Gost256A, X25519, Ed25519
The weakest options on this list (DES, 2-key Triple DES, RSA below 2048 bits, and the 192-bit curves) are legacy choices that current guidance no longer recommends for new keys; a cryptographic policy that omits them is the mechanism for preventing such keys from being generated or imported in the first place.
Key Operations
The default key operations allowed for any given key are:
- AES/DES3: ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, MACGENERATE, MACVERIFY, APPMANAGEABLE
- DSA: SIGN, VERIFY, APPMANAGEABLE, EXPORT
- RSA: SIGN, VERIFY, ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, APPMANAGEABLE
- EC: SIGN, VERIFY, APPMANAGEABLE, AGREEKEY
- DES: ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, APPMANAGEABLE
- HMAC: DERIVEKEY, MACGENERATE, MACVERIFY, APPMANAGEABLE
When setting a Cryptographic Policy, a user can restrict which of the above key operations are allowed in an account or group. By default, all operations are allowed.
Create / Edit a Cryptographic Policy
Create Account Level Cryptographic Policy
A Fortanix DSM Account Administrator can restrict which types of keys, key sizes (or elliptic curves), padding policies, and key permissions are allowed for each key that is generated or imported into an account. Perform the following steps to create an account level cryptographic policy:
- Click the Settings tab in the Fortanix DSM UI.
Figure 1: Fortanix DSM Settings Tab
- In the Account Settings page, click the CRYPTOGRAPHIC POLICY tab, then click ADD CRYPTOGRAPHIC POLICY to add a new policy.
Figure 2: Add New Cryptographic Policy
- Select the key types that you want to allow for this account.
- Add the allowed key size(s) for the keys.
- To handle existing non-compliant keys, refer to the section Policy Enforcement.
- Select the permitted key operations that will be allowed for the keys.
- To store detailed audit logs for all the groups in the account, enable the toggle Keep detailed log for all the groups in this account.
- Click SAVE POLICY to save the policy settings.
Figure 3: Account Cryptographic Policy
- Now create a new group and add a security object. Refer to the Fortanix Data Security Manager Getting Started guide for instructions.
Figure 4: Create New Security Object
The key types and key operations offered when creating the security object are restricted by the account-level cryptographic policy; values restricted at the account level are greyed out.
Figure 5: Create Security Object with New Cryptographic Policy
If the account already contains keys that are not compliant with the policy being added, an indication appears next to the key name in the security object table view.
Figure 6: Error Message for Non-Compliance
An error message is also displayed in the detailed view of the key, showing which setting of the account-level cryptographic policy the key violates.
Figure 7: Error Message for Non-Compliance
Edit/Delete an Account Level Cryptographic Policy
A user may edit an account-level policy to add or remove key types or key operations, or to modify the allowed key sizes. The same edit page is also where an account-level policy is deleted. To edit or delete an account-level cryptographic policy:
- Click the EDIT POLICY button on the "Cryptographic policy for security objects" settings page.
Figure 8: Edit Account Cryptographic Policy
- Make the required changes to the allowed key types and key operations. For example, deselect the "DES" key type, deselect the "MacVerify" key operation, and then save the policy.
Figure 9: Edit Cryptographic Policy
The "DES" key type and the "MacVerify" key operation are now unavailable when a user creates a new security object.
Figure 10: Create New Security Object
- To delete an account-level cryptographic policy, click EDIT POLICY on the CRYPTOGRAPHIC POLICY page and then click DELETE POLICY at the bottom of the page.
Figure 11: Delete Account Cryptographic Policy
Create a Group Level Cryptographic Policy
A group-level cryptographic policy restricts what types of security objects can be added to the group and defines restrictions for other key parameters – size, curve, padding, and key permissions.
The groups that have a cryptographic policy set will be marked with an icon in the group’s table view.
Figure 12: Group Having a Cryptographic Policy
To add a cryptographic policy at the group level:
- Create a new group or open an existing group.
Figure 13: Create New / Open Existing Group
- In the INFO tab of the group detailed view, click ADD POLICY in the cryptographic policy section.
Figure 14: Add Cryptographic Policy for Group
- Select the key types that you want to allow for this group.
Figure 15: Select Allowed Key Types
- Select the allowed key size(s) for the keys.
Figure 16: Select Allowed Key Size
- To handle existing non-compliant keys, refer to the section Policy Enforcement.
- Select the permitted key operations that will be allowed for the keys.
- To enable audit logs for the objects in the group, enable the toggle Keep detailed log for the object. The initial state of the toggle is inherited from the account-level (parent) cryptographic policy, if one exists.
Figure 17: Key Operations and Audit Log
- Click SAVE POLICY.
In this example, some key types and key operations cannot be selected in the group-level policy because an account-level cryptographic policy was already in place: a group policy can only further restrict what the account policy allows, never widen it.
If a group already contains keys that are not compliant with the Cryptographic policy being added, an error message is displayed in the policy section as seen below.
Figure 19: Error Message for Non-Compliance
There is also an indication next to the group name in the table view of the Groups page as seen below.
Figure 20: Error Message for Non-Compliance
Edit/Delete a Group Level Cryptographic Policy
To edit or delete a group-level cryptographic policy:
- Go to the detailed view of the group.
- In the INFO tab, under the Cryptographic policy section, click the EDIT POLICY button.
Figure 21: Edit Group Cryptographic Policy
- Make the required changes and save the policy, or click the DELETE POLICY button to delete the cryptographic policy.
Figure 22: Delete Group Cryptographic Policy
Policy Enforcement
- All new keys are allowed or denied according to the cryptographic policy rules.
- Existing keys that are not compliant with the policy remain in the group but are marked separately as policy-violating keys. For these keys:
  - Cryptographic operations classified as "protect operations" are not allowed, for example Sign, Encrypt, WrapKey, DeriveKey, MacGenerate, and AgreeKey.
  - Cryptographic operations classified as "process operations" are still allowed, for example Verify, Decrypt, UnwrapKey, and MacVerify.
If an account or group already contains keys that are not compliant with the policy being added, an error message is displayed and you must choose how those keys are treated: forbidden, grandfathered (accepted), or partially grandfathered (limited to process operations). When a cryptographic policy is created at the account or group level, the following three options are offered for handling non-compliant keys:
Figure 23: Handling Non-Compliant Keys
- Forbid to use: Forbid any use of non-compliant objects. Non-compliant keys cannot be used for any operation.
- Accept: Accept non-compliant objects even though they violate the current policy. Existing non-compliant keys can continue to be used, but new non-compliant objects cannot be generated or imported.
- Limit usage: Restrict non-compliant objects so that they may only be used for "process operations" (Decrypt, Unwrap, Verify, and MacVerify). The "protect operations" (Encrypt, Wrap, Sign, and Mac) are forbidden.
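The following is an added editorial example, not Fortanix code and not the DSM API, that models the two rules this page describes: a group-level policy can only narrow the account-level policy (the greyed-out values in the group policy editor), and existing keys that violate the effective policy are handled by one of the three choices above. The Policy class, the key dictionaries and the sample keys are a hypothetical schema constructed for the example; which legacy-key choice applies when account and group policies differ is not stated on the page, so the model takes the group's choice as an assumption.

```python
# Added editorial example (not Fortanix code): a model of how cryptographic
# policies narrow from account to group and gate operations on existing keys.
# The Policy class and key dicts are a hypothetical schema for this example,
# not the DSM API; the sample keys below are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# The page's split of key operations: "process" operations consume protected
# data; everything else (Sign, Encrypt, WrapKey, ...) is a "protect" operation.
PROCESS_OPS = frozenset({"VERIFY", "DECRYPT", "UNWRAPKEY", "MACVERIFY"})

# The three choices the UI offers for existing non-compliant keys.
FORBID, ACCEPT, LIMIT = "forbid", "accept", "limit"

@dataclass(frozen=True)
class Policy:
    key_types: FrozenSet[str]
    key_sizes: Dict[str, frozenset]  # key type -> allowed bit sizes (EC: curve names)
    key_ops: FrozenSet[str]
    legacy: str                      # FORBID, ACCEPT or LIMIT

def effective_policy(account: Optional[Policy], group: Policy) -> Policy:
    """Group narrows account, never widens it; legacy choice is the group's (assumption)."""
    if account is None:
        return group
    key_types = group.key_types & account.key_types
    key_sizes = {t: group.key_sizes.get(t, frozenset()) & account.key_sizes.get(t, frozenset())
                 for t in key_types}
    return Policy(key_types, key_sizes, group.key_ops & account.key_ops, group.legacy)

def violations(policy: Policy, key: dict) -> List[str]:
    """Every way `key` fails `policy`; an empty list means the key is compliant."""
    problems = []
    ktype = key["type"]
    if ktype not in policy.key_types:
        problems.append(f"key type {ktype} not allowed")
    else:
        size = key["curve"] if ktype == "EC" else key["size"]
        if size not in policy.key_sizes.get(ktype, frozenset()):
            problems.append(f"{ktype} size/curve {size} not allowed")
    extra = frozenset(key["key_ops"]) - policy.key_ops
    if extra:
        problems.append("operations not permitted: " + ", ".join(sorted(extra)))
    return problems

def allowed_ops(policy: Policy, key: dict) -> FrozenSet[str]:
    """Operations a caller may still invoke on an existing key under `policy`.
    A new key is only admitted when violations() is empty; this function covers
    keys that already existed when the policy was applied."""
    ops = frozenset(key["key_ops"])
    if not violations(policy, key):
        return ops
    if policy.legacy == FORBID:  # "Forbid to use"
        return frozenset()
    if policy.legacy == ACCEPT:  # "Accept": key is grandfathered
        return ops
    if policy.legacy == LIMIT:   # "Limit usage": process operations only
        return ops & PROCESS_OPS
    raise ValueError(f"unknown legacy-key setting {policy.legacy!r}")

ALL_OPS = frozenset({"SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY",
                     "DERIVEKEY", "MACGENERATE", "MACVERIFY", "AGREEKEY", "APPMANAGEABLE"})

ACCOUNT_POLICY = Policy(
    key_types=frozenset({"AES", "RSA", "EC", "HMAC"}),
    key_sizes={"AES": frozenset({128, 256}), "RSA": frozenset({2048, 3072, 4096}),
               "EC": frozenset({"NistP256", "NistP384"}), "HMAC": frozenset({256, 512})},
    key_ops=ALL_OPS, legacy=ACCEPT)  # note: EXPORT is not granted account-wide

# Group policy that also asks for DES keys and the EXPORT operation: both fall
# away in the effective policy because the account policy does not grant them.
GROUP_POLICY = Policy(
    key_types=frozenset({"AES", "RSA", "EC", "DES"}),
    key_sizes={"AES": frozenset({256}), "RSA": frozenset({2048, 4096}),
               "EC": frozenset({"NistP256"}), "DES": frozenset({56})},
    key_ops=ALL_OPS | {"EXPORT"}, legacy=LIMIT)

# Constructed sample of security objects already present in the group.
SAMPLE_KEYS = [
    {"name": "aes-prod", "type": "AES", "size": 256,
     "key_ops": ["ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "APPMANAGEABLE"]},
    {"name": "aes-old-128", "type": "AES", "size": 128, "key_ops": ["ENCRYPT", "DECRYPT"]},
    {"name": "rsa-1024", "type": "RSA", "size": 1024,
     "key_ops": ["SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY"]},
    {"name": "ec-p521", "type": "EC", "curve": "NistP521", "key_ops": ["SIGN", "VERIFY", "AGREEKEY"]},
    {"name": "rsa-export", "type": "RSA", "size": 2048, "key_ops": ["SIGN", "VERIFY", "EXPORT"]},
]

def report(policy: Policy, keys: List[dict]) -> Dict[str, dict]:
    """Per-key compliance report, like the indication the UI shows next to each object."""
    return {k["name"]: {"violations": violations(policy, k),
                        "allowed_ops": sorted(allowed_ops(policy, k))} for k in keys}

if __name__ == "__main__":
    for name, entry in report(effective_policy(ACCOUNT_POLICY, GROUP_POLICY), SAMPLE_KEYS).items():
        print(f"{name}: {entry}")
```

Run as a script, the report shows "aes-prod" fully usable, "rsa-1024" and "ec-p521" reduced to Verify/Decrypt/UnwrapKey under Limit usage, and "rsa-export" flagged because EXPORT was never granted at the account level even though the group policy asked for it. Swapping the group's legacy setting to FORBID empties the allowed operations of every non-compliant key, which is the behaviour to expect in production before choosing that option on a group that still holds legacy keys.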