User's Guide: Export Key


This article describes the Fortanix Data Security Manager (DSM) Export Key feature. It covers:

  • Export Key as Encrypted Key Material
  • Export Key as Components

Export Key

Encrypt Key Before Export

This section describes the “Export Key as Encrypted Key Material” feature of Fortanix DSM. The example assumes that:

  • A key with “Export” key permissions exists in the group.
  • The group has the following quorum policy: the members Approver1 and Approver2 form a quorum group, and the approval of 1 of the 2 members is required to approve an operation in the group.

In this example:

  • A group administrator User1 creates an “Export Key as Encrypted Key Material” request.
  • The goal is to export the AES key named “Key 1” so that User1 can download the key.
  1. First, the group administrator User1 creates an “Export Key as Encrypted Key Material” request by navigating to the detailed view of the key “Key 1” to be exported and clicking EXPORT KEY. The following figure shows the detailed view of the security object (SO) "Key 1".
    The EXPORT KEY button is disabled:
    • If the key type is not AES, DES, SECRET, HMAC, RSA, or DES3.
    • If the key does not have the “Export” permission selected.
    • If no quorum policy is set in the group, for keys of type AES, DES, HMAC, or DES3. For SECRET and RSA keys, the button is enabled even without a quorum policy.
    • If the wrapping key does not have the “WRAP” permission.
    Figure 1: Export Key Disabled
    If the key type is ‘Secret’ or ‘RSA’, clicking EXPORT KEY does not open the EXPORT KEY window; Fortanix DSM generates the export request directly, because neither of these formats supports component export or wrapped-key export. If a quorum policy is set for the group, an approval request is sent for exporting the key. Once the request is approved, you can download the key from the Tasks tab or from the dashboard.
  2. In the “EXPORT KEY” window, the administrator (User1) selects the AS ENCRYPTED KEY MATERIAL radio button and provides the following details:
    • Select Wrapping Key: Select a key with the “WRAP” permission from the list; it wraps the key “Key 1” before the key is exported.
    • Cipher Mode: Select the cipher mode of encryption to apply to the key material. There are three cipher modes to choose from:
      • ECB: The plaintext is divided into blocks of 64 bits each, and each block is encrypted independently of the other blocks with the same key.
      • KW: This mode uses symmetric encryption (key wrap) to encapsulate the key material.
      • KWP: In this mode, additional padding bits or bytes are appended to the key material before it is encapsulated.
        Figure 2: Export Key
        A cipher mode of operation may not be available for selection based on the source and selected wrapping key combination.
  3. Click SUBMIT EXPORT REQUEST to submit the export request.
    Figure 3: Submit Export Request
  4. Once the “Export as Encrypted Key Material” request is created, a quorum approval request is sent to the quorum members that form the group quorum policy. In this example, Approver1 and Approver2 receive a notification (Figure 4) that the requester User1 has created an “Export by Encrypted Key Material” request for the key “Key 1”.
  5. The following figure shows Approver1’s account page, where the “Export Key by Components” request is shown. At this point, Approver1 can approve or decline the request.
    Figure 4: Export Request to Approve
    The approvers can also review the export key request from the TASKS tab -> PENDING tab -> Approval tab in the Fortanix DSM UI.

    Figure 5: Review Export Key Task

  6. Approver1 can approve the export request by clicking the APPROVE button. This step must also be performed by Approver2 so that quorum is achieved. Once the quorum approves the “Key Export” request, the exported key is available for User1 to download under the TASKS tab -> PENDING tab -> Import/Export tab in the Fortanix DSM UI, or in the Dashboard view.

    Figure 6: Download the Key

  7. Any approver can cancel the export operation by clicking the DECLINE button. At this point, the “Export by Encrypted Key Material” request is declined, and the users will not receive the key components. This state is final: once a request is declined by a quorum member, it cannot be approved, even if other quorum members have already approved it.
  8. By clicking the DOWNLOAD THE KEY link, the user is shown the export key details: the wrapped key, the key KCV, and the format in which to download the key. Click DOWNLOAD THE KEY to download the key.
    Figure 7: Review and Download the Key - Key 1 Wrapped with Key 2
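What the recipient does with a downloaded blob, as an added example that is not part of the Fortanix article or the DSM code: unwrap the key material in KW mode (AES Key Wrap, RFC 3394), let the built-in integrity check reject a tampered blob or a wrong wrapping key, and compute a KCV to compare against the "Key KCV" shown on the download page. It assumes the blob is raw RFC 3394 output (the page does not specify DSM's exact download format) and the common AES KCV convention of the first 3 bytes of an encrypted zero block.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
)

// Default initial value (integrity check block) from RFC 3394, section 2.2.3.1.
var rfc3394IV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// UnwrapKey reverses AES Key Wrap (the page's "KW" mode) under the wrapping key
// kek and fails closed when the integrity block does not match the expected IV.
func UnwrapKey(kek, wrapped []byte) ([]byte, error) {
	block, err := aes.NewCipher(kek)
	if err != nil || len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("KW: bad wrapping key or wrapped blob length")
	}
	n := len(wrapped)/8 - 1                 // number of 64-bit key blocks
	a := append([]byte(nil), wrapped[:8]...) // A register, starts as C[0]
	r := append([]byte(nil), wrapped[8:]...) // R[1..n], stored back to back
	buf := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			binary.BigEndian.PutUint64(buf[:8], binary.BigEndian.Uint64(a)^uint64(n*j+i))
			copy(buf[8:], r[(i-1)*8:i*8])
			block.Decrypt(buf, buf) // B = AES^-1(K, (A ^ t) | R[i])
			copy(a, buf[:8])
			copy(r[(i-1)*8:i*8], buf[8:])
		}
	}
	if !bytes.Equal(a, rfc3394IV) {
		return nil, errors.New("KW: integrity check failed, do not use the output")
	}
	return r, nil
}

// KeyCheckValue returns the assumed AES KCV convention: the first 3 bytes of the
// key's ECB encryption of an all-zero block, hex-encoded.
func KeyCheckValue(key []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	out := make([]byte, 16)
	block.Encrypt(out, make([]byte, 16))
	return hex.EncodeToString(out[:3]), nil
}
```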

Encrypt Key as Components

The Export Key as Components feature allows a user to export a key as components to other users, such that each user holds one component of the key. To export a key as components:

  • A Key Custodian policy must be set at the group level.
  • A quorum policy must exist for the group.
  • If either policy is missing, the EXPORT KEY button is disabled.

For the complete end-to-end workflow of the “Export key by component” feature, refer to the article

