User's Guide: Account Cryptographic Policy

Introduction

The Fortanix Data Security Manager (DSM) supports cryptographic policies that can be set on accounts or groups to restrict which kinds of keys can be created and which operations those keys may perform. Policies are specified at the Account or Group level.

Fortanix Data Security Manager Cryptographic Policy Structure

Allowed Keys

By default, all types of keys are selected for the policy: AES, DES, DES3, DSA, RSA, EC, HMAC, SECRET, CERTIFICATE, and OPAQUE.

Key Sizes

The key sizes allowed for each key type are:

  • AES: 128, 192, or 256 bits
  • DES3: 168 bits, or 112 bits (for 2-key triple DES)
  • DES: 56 bits only
  • DSA: 2048 bits (subgroup size: 224 or 256 bits) or 3072 bits (subgroup size: 256 bits)
  • RSA: 1024 to 8192 bits
  • HMAC: 112 to 8192 bits
  • EC: choose any of the following curves: SecP192K1, SecP224K1, SecP256K1, NistP192, NistP224, NistP256, NistP384, NistP521, Gost256A, X25519, Ed25519

Key Operations

The default key operations allowed for any given key are:

  • AES/DES3: ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, MACGENERATE, MACVERIFY, APPMANAGEABLE
  • DSA: SIGN, VERIFY, APPMANAGEABLE, EXPORT
  • RSA: SIGN, VERIFY, ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, APPMANAGEABLE
  • EC: SIGN, VERIFY, APPMANAGEABLE, AGREEKEY
  • DES: ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, APPMANAGEABLE
  • HMAC: DERIVEKEY, MACGENERATE, MACVERIFY, APPMANAGEABLE

When setting a Cryptographic Policy, a user can restrict which of the above key operations are allowed in an account or group. By default, all operations are allowed; a key cannot be created with an operation the policy does not permit.

Create / Edit a Cryptographic Policy

Create Account Level Cryptographic Policy

A Fortanix DSM Account Administrator can restrict which types of keys, key sizes (or elliptic curves), padding policies, and key permissions are allowed for each key that is generated or imported into an account. Perform the following steps to create an account level cryptographic policy:

  1. Click the Settings tab in the Fortanix DSM UI.
    Figure 1: Fortanix DSM Settings Tab
  2. In the Account Settings page, click the CRYPTOGRAPHIC POLICY tab, and click ADD CRYPTOGRAPHIC POLICY to add a new policy.
    Figure 2: Add New Cryptographic Policy
  3. Select the key types that you want to allow for this account.
  4. Add the allowed key size(s) for each key type.
  5. Choose how existing non-compliant keys are to be handled. Refer to Section: Policy Enforcement.
  6. Select the key operations that will be permitted for the keys.
  7. To store detailed audit logs for all the groups in the account, enable the toggle Keep detailed log for all the groups in this account.
  8. Click SAVE POLICY to save the policy settings.
    Figure 3: Account cryptographic policy
  9. Now, create a new group and add a security object. Refer to the Fortanix Data Security Manager Getting Started guide for instructions.
    Figure 4: Create New Security Object
  10. The key types and key operations offered when creating the security object are now restricted by the account-level cryptographic policy. Values the account-level policy disallows are greyed out.
    Figure 5: Create Security Object with new Cryptographic Policy
    If the account already contains keys that are not compliant with the policy being added, an indicator is shown next to the key name in the security object table view.
    Figure 6: Error Message for Non-Compliance
    An error message is also displayed in the detailed view of the key, showing which setting of the account-level Cryptographic policy the key violates.
    Figure 7: Error Message for Non-Compliance

Edit/Delete an Account Level Cryptographic Policy

A user may edit an account-level policy when there is a need to add or remove key types or key operations, or to modify the allowed key sizes. A user can also delete a cryptographic policy from the edit policy page. To edit or delete an account-level cryptographic policy:

  1. Click the EDIT POLICY button on the "Cryptographic policy for security objects" settings page.
    Figure 8: Edit Account Cryptographic Policy
  2. Change the allowed key types or key operations. For example, disable the "DES" key type, disable the "MacVerify" key operation, and then save the policy.
    Figure 9: Edit Cryptographic Policy
    The "DES" key type and the "MacVerify" key operation are now unavailable when a user creates a new security object.
    Figure 10: Create New Security Object
  3. To delete an account-level cryptographic policy, click EDIT POLICY on the CRYPTOGRAPHIC POLICY page and click DELETE POLICY at the bottom of the page.
    Figure 11: Delete account cryptographic policy
    WARNING
    Deleting an account-level cryptographic policy removes all key restriction rules that were set at the account level for the account's groups. Group-level policies, if any, remain in force.

Policy Enforcement

  • All new keys (generated or imported) are allowed or denied based on the cryptographic policy rules.

  • Any existing keys that are not compliant with the policy will still exist in the group. However, these keys will be marked separately as policy-violating keys. For these keys the following conditions are applicable:
    • Cryptographic Operations that are classified as “protect operations” will not be allowed: For example: Sign, Encrypt, Wrapkey, Derivekey, MacGenerate, AgreeKey.
    • Cryptographic Operations which are classified as “process operations” will still be allowed: For example: Verify, Decrypt, UnwrapKey, MacVerify.

If a group contains keys that are not compliant with the policy being added, an error message is displayed, and each such key can be forbidden, grandfathered, or partially grandfathered. When a cryptographic policy is created at the account or group level, the following three options are provided for handling existing non-compliant keys:

Figure 23: Handling Non-Compliant Keys

  1. Forbid to use: Forbid any use of non-compliant objects. If this option is selected, you are forbidden from using the non-compliant keys for any operation.
  2. Accept: Accept non-compliant objects even though they violate the current policy. If this option is selected, you may continue to use existing non-compliant keys, but you may not generate or import new non-compliant objects.
  3. Limit usage: Restrict non-compliant objects so that they may only be used for “process operations” such as Decrypt, Unwrap, Verify, and MacVerify operations. The “protect operations” such as Encrypt, Wrap, Sign, and Mac are forbidden.
NOTE
If the non-compliance setting for account-level Cryptographic policy is different from the group-level Cryptographic policy, then the more restrictive setting is applied for the existing keys.
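The following is an added example that models the rules described in the Cryptographic Policy Structure and Policy Enforcement sections above: compliance of a key against allowed types, sizes/curves and operations; the protect/process split for non-compliant keys; the three handling modes; and the "more restrictive setting wins" rule from the NOTE. It is not Fortanix DSM code and does not call the DSM API; the class names, field layout, the assumption that a key type with no size entry accepts any size, and the sample policies and keys are all constructed here for illustration.

```python
# Added example: a simplified model of the policy rules described on this page.
# It is not Fortanix DSM code; names and the data layout are assumptions made here.
from dataclasses import dataclass

# Operation classes from "Policy Enforcement": protect operations are blocked for
# limited keys, process operations stay available.
PROTECT_OPS = {"SIGN", "ENCRYPT", "WRAPKEY", "DERIVEKEY", "MACGENERATE", "AGREEKEY"}
PROCESS_OPS = {"VERIFY", "DECRYPT", "UNWRAPKEY", "MACVERIFY"}

# The three ways of handling existing non-compliant keys, ranked by strictness.
ACCEPT, LIMIT_USAGE, FORBID = "accept", "limit_usage", "forbid"
STRICTNESS = {ACCEPT: 0, LIMIT_USAGE: 1, FORBID: 2}


@dataclass
class Policy:
    key_types: set        # allowed key types, e.g. {"AES", "RSA", "EC"}
    key_sizes: dict       # key type -> allowed sizes in bits, or curve names for EC
    key_ops: set          # allowed key operations
    legacy: str = ACCEPT  # handling of existing non-compliant keys


@dataclass
class Key:
    name: str
    kind: str
    size: object          # bits, or a curve name for EC keys
    ops: set              # operations the key was created with


def violations(key, policy):
    """Reasons `key` breaks `policy`; an empty list means the key is compliant."""
    reasons = []
    if key.kind not in policy.key_types:
        reasons.append(f"type {key.kind} is not allowed")
    # A type with no size entry accepts any size (assumption of this model).
    allowed = policy.key_sizes.get(key.kind)
    if allowed is not None and key.size not in allowed:
        reasons.append(f"{key.kind} size/curve {key.size} is not allowed")
    extra = key.ops - policy.key_ops
    if extra:
        reasons.append("operations not allowed: " + ", ".join(sorted(extra)))
    return reasons


def effective_legacy(policies):
    """Per the NOTE above: with differing account/group settings, the stricter one wins."""
    return max((p.legacy for p in policies), key=STRICTNESS.__getitem__)


def may_create(key, policies):
    """New keys are decided purely on compliance with every applicable policy."""
    return not any(violations(key, p) for p in policies)


def is_operation_allowed(key, op, policies):
    """Decide whether `op` may run on an existing key under account and group policies."""
    if op not in key.ops:
        return False                 # the key never had this permission
    if all(not violations(key, p) for p in policies):
        return True                  # compliant key: normal rules apply
    mode = effective_legacy(policies)
    if mode == FORBID:
        return False                 # "Forbid to use"
    if mode == LIMIT_USAGE:
        return op in PROCESS_OPS     # "Limit usage": process operations only
    return True                      # "Accept": key is grandfathered


def compliance_report(keys, policies):
    """Mirror the table-view indicator: key name -> list of violations."""
    return {k.name: [r for p in policies for r in violations(k, p)] for k in keys}


# Constructed sample data (not taken from any real deployment).
ACCOUNT = Policy(
    key_types={"AES", "RSA", "EC"},
    key_sizes={"AES": {256}, "RSA": {2048, 3072, 4096}, "EC": {"NistP256", "NistP384"}},
    key_ops={"ENCRYPT", "DECRYPT", "SIGN", "VERIFY", "WRAPKEY", "UNWRAPKEY", "APPMANAGEABLE"},
    legacy=LIMIT_USAGE,
)
GROUP = Policy(key_types={"AES", "RSA", "EC"}, key_sizes={},
               key_ops=set(ACCOUNT.key_ops), legacy=ACCEPT)

LEGACY_AES = Key("legacy-aes", "AES", 128, {"ENCRYPT", "DECRYPT"})   # wrong size
OLD_DES = Key("old-des", "DES", 56, {"ENCRYPT", "DECRYPT"})         # forbidden type
SIGNING_RSA = Key("api-signing", "RSA", 2048, {"SIGN", "VERIFY"})    # compliant

if __name__ == "__main__":
    both = [ACCOUNT, GROUP]
    for name, reasons in compliance_report([LEGACY_AES, OLD_DES, SIGNING_RSA], both).items():
        print(name, "->", reasons or "compliant")
    print("legacy-aes DECRYPT:", is_operation_allowed(LEGACY_AES, "DECRYPT", both))
    print("legacy-aes ENCRYPT:", is_operation_allowed(LEGACY_AES, "ENCRYPT", both))
```

With the sample data, the group policy alone would accept the 128-bit AES key, but the account policy limits usage, so the stricter mode applies: DECRYPT (a process operation) still works while ENCRYPT (a protect operation) is refused, and no new 128-bit AES key can be created at all.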
