Introduction
This article describes how to use Fortanix Self-Defending Key Management Service (KMS) to manage Cohesity Encryption Keys.
KMIP and Certificate Requirements
The Key Management Interoperability Protocol (KMIP) is used for communication between the Cohesity cluster and Fortanix Self-Defending KMS. KMIP runs over Transport Layer Security (TLS) to secure the connection, and Fortanix Self-Defending KMS also uses the TLS client certificate to authenticate the KMIP client before it can create, retrieve, and use the keys stored inside Fortanix Self-Defending KMS.
X.509 certificates are used to facilitate the communication and authentication for both Fortanix Self-Defending KMS and the Cohesity Cluster. Fortanix Self-Defending KMS is deployed with a server certificate that is signed by the internal Certificate Authority (CA). You will need to create a client certificate for the Cohesity cluster using tools such as OpenSSL. The certificate may be signed externally or can be self-signed.
Prerequisites
- Cohesity DataPlatform version 6.5.1a or later is installed and operational, and the cluster is configured to use encryption. You can only enable encryption at the cluster level when you create the Cohesity cluster.
- Fortanix Self-Defending KMS version 3.21 or later.
- Fortanix Self-Defending KMS is installed and operational, and is reachable from the Cohesity cluster on the default KMIP port 5696 or on your custom KMIP port.
- You have access to OpenSSL or some other tool for generating a client certificate and private key in the Privacy Enhanced Mail (PEM) format.
Considerations
The following are some key points to understand about the Fortanix Self-Defending KMS and Cohesity DataPlatform integration:
- Once encryption is enabled at the cluster level in Cohesity DataPlatform, it cannot be disabled in the future.
- Once you configure a Cohesity cluster to use an external Key Management System (KMS), it cannot be returned to using the internal KMS.
- The Cohesity cluster supports only one (1) external KMS, and the IP address of the KMS cannot be altered once configured.
- Once it establishes a TLS connection with Fortanix Self-Defending KMS, a Cohesity cluster never tears down that connection unless services are restarted or stopped. This results in a persistent TLS connection.
Setting up Fortanix Self-Defending KMS
Fortanix Self-Defending KMS allows KMIP clients to authenticate with a certificate through an App. For the Cohesity cluster to authenticate successfully, you must also extract the Fortanix Self-Defending KMS internal CA certificate so the cluster can trust the KMS server certificate.
Configure App in Fortanix Self-Defending KMS
- Log in to the Fortanix Self-Defending KMS UI.
- Click the Application icon, and then click to create a new application.
- Enter the following details:
- App name: This is the name to identify your Cohesity cluster (customizable)
- Interface: KMIP
- Authentication method: Leave the default (API Key) at this stage; you will change it to Certificate once the client certificate has been created.
- Assigning the new app to groups: Keys created by the Cohesity cluster will be owned by this group.
Figure 1: Create an app
Figure 2: App created
- Once the App has been created, note the App UUID as it will be used as the Common Name (CN) when generating the client certificate:
Figure 3: App UUID
Extract Fortanix Self-Defending KMS Internal CA Certificate
- Log in to a system with OpenSSL installed.
- Enter the following OpenSSL command to display the certificates of Fortanix Self-Defending KMS. The first certificate is the server certificate and the second is the root certificate:
- An example would look like:
Figure 4: Server and root certificate
- Copy the second certificate from the command output and save it to a file on the system from which you will access the Cohesity UI or CLI.
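The extraction step above, as an added example that is not part of Fortanix's or Cohesity's own tooling: it pulls the chain presented on the KMIP port with openssl s_client, keeps only the second certificate (the internal root CA), and sanity-checks that it is self-signed. KMS_HOST and the output filename are assumed placeholders.

```shell
#!/bin/sh
# Added example: fetch the TLS chain presented by the Fortanix Self-Defending KMS
# KMIP endpoint and keep only the second certificate, which the guide identifies
# as the internal root CA. KMS_HOST is a placeholder; adjust to your deployment.
KMS_HOST="${KMS_HOST:-sdkms.example.internal}"
KMS_PORT="${KMS_PORT:-5696}"

# Print the certificate chain the server presents during the TLS handshake.
# </dev/null closes stdin so s_client exits right after the handshake.
fetch_chain() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null
}

# Read PEM data on stdin and emit only the N-th certificate block (1-based).
nth_cert() {
    awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    '
}

# Sanity check: a root CA is self-signed, so subject and issuer must match.
is_root_ca() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer=//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

main() {
    fetch_chain "$KMS_HOST" "$KMS_PORT" | nth_cert 2 > fortanix-root-ca.pem
    if is_root_ca fortanix-root-ca.pem; then
        echo "saved fortanix-root-ca.pem (self-signed root CA)"
    else
        echo "warning: second certificate is not a self-signed root; inspect the chain" >&2
        exit 1
    fi
}

# Run only when invoked as: sh extract_ca.sh run
case "${1:-}" in run) main ;; esac
```

The resulting fortanix-root-ca.pem is the file you select as the CA Certificate in the Cohesity Key Management System form.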
Create Client Certificate and Private Key
There are two different types of client certificates:
- Self-Signed Certificates: If your security policy allows it, you may generate and sign your client certificate yourself.
- Externally-Signed Certificates: Generate a Certificate Signing Request and sign using a Certificate Authority (CA).
Generate a Self-Signed Certificate and Private Key
To generate a self-signed certificate and private key for the Cohesity cluster:
- Log in to a system with OpenSSL installed.
- Use the genrsa command to generate the private key, specifying the output key filename and the key length.
- Enter the following OpenSSL command to create the self-signed certificate per your security policy.
- Enter the following details:
- Country Name: Your two-letter country code
- State or Province Name: Your full state name
- City: Your full city name
- Organisation: Your full organisation name
- Organisational Unit: Your full department name
- Common Name: The App UUID you noted down when creating an App in Fortanix Self-Defending KMS
- Others: Optional
- Ensure both the client certificate and private key file are stored securely on your system.
Generate an Externally Signed Certificate and Private Key
To have a certificate signed by a trusted CA, you must first create a private key along with a certificate signing request (CSR).
- Log in to a system with OpenSSL installed.
- Use the genrsa command to generate the private key, specifying the output key filename and the key length.
- Enter the following OpenSSL command to generate a CSR file as per your security policy.
- Enter the following details:
- Country Name: Your two-letter country code
- State or Province Name: Your full state name
- City: Your full city name
- Organisation: Your full organisation name
- Organisational Unit: Your full department name
- Common Name: The App UUID you noted down when creating an App in Fortanix Self-Defending KMS
- Others: Optional
- Ensure both the client certificate and private key file are stored securely on your system.
- Have a trusted CA sign the CSR file and store the signed certificate securely.
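Both procedures above (the self-signed certificate and the CSR for an external CA), as one added example that is not Fortanix's or Cohesity's own tooling: it generates the key, builds the subject with the App UUID as CN, produces either output, and reads the CN back to confirm it matches. The APP_UUID, subject fields and filenames are constructed placeholders.

```shell
#!/bin/sh
# Added example: create the Cohesity client key and either a self-signed
# certificate or a CSR, with the Fortanix App UUID as the Common Name.
# APP_UUID below is a constructed placeholder; use the UUID shown in the SDKMS UI.
APP_UUID="${APP_UUID:-12345678-1234-1234-1234-123456789abc}"

# The CN must be a well-formed UUID or it can never match the App in SDKMS.
looks_like_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Build the -subj string for openssl req. Args: country state city org unit uuid
build_subject() {
    looks_like_uuid "$6" || return 1
    printf '/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Private key (2048-bit RSA), created with owner-only permissions.
make_key() {
    (umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null)
}

# Self-signed variant: certificate issued directly from the key, valid 365 days.
make_self_signed() {   # args: key cert subject
    openssl req -new -x509 -key "$1" -out "$2" -days 365 -subj "$3" 2>/dev/null
}

# Externally signed variant: a CSR to hand to your trusted CA.
make_csr() {           # args: key csr subject
    openssl req -new -key "$1" -out "$2" -subj "$3" 2>/dev/null
}

# Read the CN back from a certificate so it can be compared with the App UUID.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

main() {
    subj=$(build_subject US California "San Jose" "Example Corp" Storage "$APP_UUID") ||
        { echo "APP_UUID is not a valid UUID" >&2; exit 1; }
    make_key cohesity.key
    make_self_signed cohesity.key cohesity.crt "$subj"
    make_csr cohesity.key cohesity.csr "$subj"
    [ "$(cert_cn cohesity.crt)" = "$APP_UUID" ] && echo "certificate CN matches App UUID"
}

# Run only when invoked as: sh make_client_cert.sh run
case "${1:-}" in run) main ;; esac
```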
Update Fortanix Self-Defending KMS App
To ensure the client certificate is used to authenticate with Fortanix Self-Defending KMS, the client certificate needs to be uploaded to the App settings.
- Log in to the Fortanix Self-Defending KMS UI.
- Click the Application icon, and select the application that you want to update from the Apps table.
- In the App detailed view, click the Change authentication method drop-down and select the Certificate option.
Figure 5: Change authentication method
- Copy or upload the client certificate.
Figure 6: Upload client certificate
- Click Update. The App is now configured to accept connections from a Cohesity cluster that authenticates with this client certificate and its private key.
Configure Cohesity Key Management Settings
You may configure Fortanix Self-Defending KMS as an external KMS using the Cohesity DataPlatform UI or from the Cohesity DataPlatform CLI.
Configure Fortanix Self-Defending KMS Using Cohesity DataPlatform UI
- Log in to Cohesity DataPlatform UI.
- Navigate to Settings -> Cluster -> Summary.
Figure 7: Summary in Cohesity Data Platform
- Navigate to Key Management System.
Figure 8: Cohesity key management system
- In the Key Management System form, enter the following details:
- Server Type: Select KMIP Compliant for Fortanix Self-Defending KMS
- Server Name: This is the name to identify your Fortanix Self-Defending KMS (customizable).
- Protocol Version: Currently Fortanix Self-Defending KMS supports KMIP2_0 with Cohesity DataPlatform.
- Server IP: Fortanix Self-Defending KMS IP address. (KMS IP cannot be modified once configured).
- Port: Default port for KMIP is 5696.
- Client Certificate: Select the client certificate file which you created above.
- Client Key: Select the private key file which you created above.
- CA Certificate: Select the root CA certificate file of the Fortanix Self-Defending KMS extracted above.
Figure 9: Key management system details
- Click Save.
- The Cohesity cluster immediately attempts to establish a TLS session with Fortanix Self-Defending KMS and initiate the KMIP communication.
Configure Fortanix Self-Defending KMS Using Cohesity DataPlatform CLI
You may also configure Fortanix Self-Defending KMS using the Cohesity DataPlatform CLI.
- SSH to the cluster using the following command:
- Enter the Cohesity DataPlatform CLI.
- In the CLI, use the kms create command:
Figure 10: KMS create command
- Once the KMS has been created successfully, the kms list command shows the current settings and the status:
Figure 11: KMS list command
Modifying Cohesity Data Platform KMS Settings
If you update the Key Management settings after the initial configuration, the keychain service must be restarted for the new settings to take effect. Restart it from the CLI using the following steps.
- Enter the Cohesity DataPlatform CLI.
- Issue the following command to restart the service.
Figure 12: Restart the service
Verification on Fortanix Self-Defending KMS
Once the external KMS has been created successfully on the Cohesity cluster, whether from the DataPlatform UI or the DataPlatform CLI, the Fortanix Self-Defending KMS logs show the connection from the cluster and the key it created.
Enable Cohesity DataPlatform Storage Domain Encryption
A Cohesity cluster also supports enabling encryption per Storage Domain.
- Log in to Cohesity DataPlatform UI.
- Navigate to Settings -> Cluster -> Summary.
- Navigate to Storage Domains.
Figure 14: Storage domains
- Click Add Storage Domain.
- Ensure Encryption is enabled when creating the new Storage Domain.
Figure 15: Enable Encryption
- Verify that Encryption is enabled for the new Storage Domain.
Figure 16: Encryption enabled