[3.23] Patch - Jan 17, 2021

This release is superseded by the Feb 5, 2021 release.

1. New Functionality/Feature(s)

1.1 Group based on external AWS KMS and Bring Your Own Key (BYOK) for AWS.

With the 3.23 release, AWS Key Management Service is added to the list of supported Key Management Systems in HSM/external KMS groups. Fortanix Self-Defending KMS can now manage keys in AWS and lets you:

  • Configure the AWS KMS group in Fortanix Self-Defending KMS.
  • Import and copy key (Bring Your Own Key - BYOK) into AWS KMS.
  • Rotate Keys in AWS group. This allows users to rotate keys natively in AWS KMS in a specific AWS account and region.
  • Schedule key deletion and delete the key material in AWS.
  • Enable/Disable keys in AWS KMS directly.
  • Edit AWS Customer Master Key attributes such as tag and alias for keys.

To learn more about AWS KMS groups refer to https://support.fortanix.com/hc/en-us/articles/360055605471-User-s-Guide-AWS-External-KMS

1.2 IP Policy Restriction (Network-based access controls)

The 3.23 release provides IP Policy for network-based access control to users by controlling:

  • Principal types
  • API classes

An account administrator in Fortanix Self-Defending KMS can restrict which functionality is available to requests originating from the IP addresses allowed by the IP policies configured in the account.

To learn more about IP Policy restrictions refer to https://support.fortanix.com/hc/en-us/articles/360055606411-Fortanix-Self-Defending-KMS-Sysadmin-Settings-IP-Policy

1.3 Added new security object state - “Destroyed”

The 3.23 release introduces a new DESTROY KEY button for a security object. When a key is destroyed its key material is deleted but the key metadata is still retained. To delete even the key metadata a user can use the DELETE KEY button which deletes a key completely.

For more details refer to https://support.fortanix.com/hc/en-us/articles/360038354592-User-s-Guide-Fortanix-Self-Defending-KMS-Key-Lifecycle-Management#ImportSecurityObjects

1.4 Support for DSA Security Objects

The 3.23 release allows generating and importing security objects of type “DSA”.

The key sizes supported for key generation are:

  • 2048 bits – subgroup size: 224, 256 bits
  • 3072 bits – subgroup size: 256 bits

 Allowed operations: Sign, Verify, App Manageable, and Export.

For more details on DSA keys, refer to the Import and Generate sections in https://support.fortanix.com/hc/en-us/articles/360038354592#SecurityObjectTypes

2. Enhancements to Existing Features

2.1 Support import/export of additional formats for a key of type SECRET.

The 3.23 release allows defining the type of “SECRET” in the import key workflow. The "Secret" object can be used to store and export keys of any format. For easy identification, you can optionally set any string in the Attribute field while importing. This field is stored as the x-format custom attribute on the secret object and is shown in the Info field when viewing the secret.

These values can also be added from the detailed view of a key in the ATTRIBUTES/TAGS tab.

For more details refer to https://support.fortanix.com/hc/en-us/articles/360038354592-User-s-Guide-Fortanix-Self-Defending-KMS-Key-Lifecycle-Management#ImportSecurityObjects

This release also supports key export operations for “SECRET” type keys.

For more details refer to https://support.fortanix.com/hc/en-us/articles/360049737471-User-s-Guide-Export-Key#EncryptKeyBeforeExport

2.2 Support for LDAP Roles for auditors, administrators, regular apps, and admin apps

This release adds support for LDAP roles for auditors, administrators, regular apps, and administrative apps, in addition to the existing account member role. These roles are also optional; if specified, the value is the distinguished name of an LDAP role.

If an account member/auditor/administrator does not have the corresponding LDAP role, they will not be able to manage the account.

To learn more about LDAP authorization, refer to https://support.fortanix.com/hc/en-us/articles/360033005052-User-s-Guide-Authorization

2.3 Added support for RSA key export:

The 3.23 release allows an RSA key to be exported.

 

To learn more about Fortanix Self-Defending KMS Security Objects export operations, refer to https://support.fortanix.com/hc/en-us/articles/360049737471-User-s-Guide-Export-Key#EncryptKeyBeforeExport

2.4 Added verification step for key component and KCV

The 3.23 release allows verifying the KCV and key component combination before importing it.

To learn more about Fortanix Self-Defending KMS key components, refer to https://support.fortanix.com/hc/en-us/articles/360043559332-User-s-Guide-Key-Components

2.5 Search keys based on Custom Attributes

The 3.23 release allows searching for security objects based on custom attributes using the Search bar in the Security Object table view.

To learn more about custom attributes, refer to https://support.fortanix.com/hc/en-us/articles/360038354592-User-s-Guide-Fortanix-Self-Defending-KMS-Key-Lifecycle-Management

2.6 Enforce HSM Ordering

When multiple HSM connections are configured, users can reorder the HSM connections to set the priority of the HA instances.

For more details refer to the HSM gateway documentation: https://support.fortanix.com/hc/en-us/articles/360042056431#FortanixSelf-DefendingKMSHSMGatewayWorkflow

2.7 The 3.23 release adds support for hash algorithm SHA-224. 

2.8 Support for Certificate download

The 3.23 release allows downloading a certificate for a key of type “Certificate”.

3. Client Improvements and Bug Fixes

3.1 CLI

  • Fix TypeError on AES export

4. Quality Enhancements / Updates

  • Password confirmation when creating a cluster
  • Removed unattended upgrade package for Azure/AWS
  • Upgraded Cassandra DB to 3.11.9
  • Included script to run on-demand backup
  • Enhancements in cleanup script
  • The 3.23 release now supports using Cassandra as storage for audit logs to further improve the security of audit log backups. This enhancement enables all new audit logs to be encrypted at rest by default and makes the backup-restore operation of audit logs easily manageable. This feature requires an opt-in and will have an impact on sustained high-throughput crypto operations that have audit logging enabled. To enable this new feature, please contact Fortanix Support.

5. Security Fixes

  • Disable JMX host port on Cassandra
  • Updated Lodash JavaScript library

6. Known Issue(s)

  • When using IP policy to restrict the health API to certain IP addresses, the Web UI will encounter errors. The health API should be allowed on IP addresses where Web UI access is required.
  • HSM configuration may not get saved correctly when switching between configurations that require mutual TLS and the ones not using mutual TLS. As a workaround, when switching between configurations one can delete and reconfigure the HSM entry instead of editing the current entry.
  • Sustained throughput might be degraded if the Cassandra audit-log feature is enabled. As a workaround, one can disable audit logging on security objects with heavy usage or opt-out of using the Cassandra audit logging feature.
  • After restoring the cluster from backup, if a delete operation is performed on restored data it may not get deleted completely.
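
The first known issue above can be checked before an IP policy is applied. The following is an added example, not Fortanix code: the policy is modelled as a constructed dict of API class name to allowed CIDR list (an assumption, not the product's policy format), and the function names are hypothetical. It reports any Web UI source range that the health API allow-list does not cover.

```python
import ipaddress

def _nets(cidrs, version):
    """Parse CIDR strings (host bits tolerated) and keep one IP version."""
    nets = (ipaddress.ip_network(c, strict=False) for c in cidrs)
    return [n for n in nets if n.version == version]

def uncovered(required, allowed):
    """Return the parts of `required` that no entry in `allowed` covers."""
    gaps = []
    for version in (4, 6):
        # Merge adjacent/overlapping allow entries so two /24s count as a /23.
        allow = list(ipaddress.collapse_addresses(_nets(allowed, version)))
        for need in _nets(required, version):
            remaining = [need]
            for a in allow:
                nxt = []
                for r in remaining:
                    if r.subnet_of(a):
                        continue                          # fully covered
                    if a.subnet_of(r):
                        nxt.extend(r.address_exclude(a))  # keep the uncovered rest
                    else:
                        nxt.append(r)                     # disjoint, still uncovered
                remaining = nxt
            gaps.extend(ipaddress.collapse_addresses(remaining))
    return [str(g) for g in gaps]

def health_gaps(policy, ui_sources):
    """Web UI source ranges that would be blocked from the health API."""
    return uncovered(ui_sources, policy.get("health", []))

# Constructed sample data (hypothetical layout, documentation address ranges).
SAMPLE_POLICY = {
    "health": ["10.20.0.0/24", "10.20.1.0/24"],
    "crypto": ["10.20.0.0/16"],
}
UI_SOURCES = ["10.20.0.0/23", "192.0.2.10", "2001:db8::/32"]

if __name__ == "__main__":
    for gap in health_gaps(SAMPLE_POLICY, UI_SOURCES):
        print(f"Web UI clients in {gap} would lose access to the health API")
```

An empty result means every Web UI source range is also allowed to reach the health API.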

7. Fortanix Self-Defending KMS Performance Numbers

7.1 Series 1

| Key Types and Operations | Throughput (Operations/second per 3-node cluster) |
|---|---|
| AES 128: CBC Encryption/Decryption | 4078/4040 |
| AES 128 Key Generation | 1191 |
| AES 128: Format Preserving Encryption | 2150 |
| AES 256: CBC Encryption/Decryption | 4054/3993 |
| AES 256: GCM Encryption/Decryption | 4024/3984 |
| RSA 2048 Encryption/Decryption | 1462/573 |
| RSA 2048 Key Generation | 28 |
| RSA 2048 Sign/Verify | 584/1506 |
| EC NISTP256 Sign/Verify | 691/373 |
| Self-Defending KMS Plugin (Hello world plugin) | 2119 (invocations/second) |

7.2 Series 2

| Key Types and Operations | Throughput (Operations/second per 3-node cluster) |
|---|---|
| AES 128: CBC Encryption/Decryption | 5469/5220 |
| AES 128 Key Generation | 1501 |
| AES 128: Format Preserving Encryption | 2449 |
| AES 256: CBC Encryption/Decryption | 5410/5409 |
| AES 256: GCM Encryption/Decryption | 5125/5430 |
| RSA 2048 Encryption/Decryption | 1870/885 |
| RSA 2048 Key Generation | 49 |
| RSA 2048 Sign/Verify | 890/2024 |
| EC NISTP256 Sign/Verify | 615/773 |
| Self-Defending KMS Plugin (Hello world plugin) | 2813 (invocations/second) |

 

8. Installation

To download the DSM SGX (on-prem/Azure) and Software (AWS/Azure/VMWare) packages, click here.

 
