This article describes how to integrate Fortanix Data Security Manager (DSM) with MinIO’s Key Encryption Service (KES) server that uses Fortanix DSM as a persistent and secure key store. KES server runs inside Kubernetes and distributes cryptographic keys to Fortanix DSM applications. This article also contains the information that a user needs to:
- Configure Fortanix DSM
- Set up KES server
Figure 1: KES with DSM architecture
KES Server acts as a bridge between a Fortanix DSM and cloud-native applications. Here Fortanix DSM is the central KMS that protects the master keys and acts as the root of trust in your infrastructure. Instead of deploying and managing one KMS per set of applications, when an application wants to encrypt data, it can request a new DEK from a KES server or ask the KES server to decrypt an encrypted DEK. This way the load on the central KMS (Fortanix DSM) does not increase much because KES can serve the vast majority of application requests without talking to Fortanix DSM.
For more details refer to https://blog.min.io/introducing-kes/.
Fortanix Data Security Manager Configuration
First, register a new application that can authenticate and communicate to the Fortanix DSM instance. To do that,
- Go to the Apps page in the Fortanix DSM UI and create a new App. Figure 2: Create new app
- Enter a descriptive name for the app. For example,
- Select REST as the Interface and select API Key as the Authentication method. Figure 3: Create app
Assign App to Group
- Next, assign the application to a group. This group will be the default group of the application. The newly created keys will belong to this group unless an explicit group ID is specified in the KES configuration file. Figure 4: Assign app to group
- Click SAVE to complete creating the application.
- Click COPY API KEY to copy the application’s API key. This key is the access credential to talk to Fortanix DSM as the application. Figure 5: Copy API key
KES Server Setup
First, you need to generate a TLS private key and certificate for the KES server. A KES server can only be run with TLS - since secure-by-default. Here we use self-signed certificates for simplicity. For a production setup, we highly recommend using a certificate signed by CA (for example, your internal CA or a public CA like Let's Encrypt).
Generate a TLS Private Key and Certificate for the KES Server
The following command will generate a new TLS private key
server.key and a
X.509 certificate server.cert that is self-signed and issued for the IP
127.0.0.1 and DNS name
localhost (as SAN). You may want to customize the command to match your setup.
kes tool identity new --server --key server.key --cert server.cert --ip "127.0.0.1" --dns localhost
Any other tooling for X.509 certificate generation works as well. For example, you could use
$ openssl ecparam -genkey -name prime256v1 | openssl ec -out server.key
$ openssl req -new -x509 -days 30 -key server.key -out server.cert \
-subj "/C=/ST=/L=/O=/CN=localhost" -addext "subjectAltName = IP:127.0.0.1"
Create Private Key and Certificate for your Application
kes tool identity new --key=app.key --cert=app.cert app
You can compute the app identity using:
kes tool identity of app.cert
Create Configuration File
Now, you have defined all entities in your demo setup. Wire everything together by creating the config file
root: disabled # We disable the root identity since we don't need it in this guide
key : server.key
endpoint: "<your-fortanix-sdkms-endpoint>" # Use your Fortanix instance endpoint.
key: "<your-api-key>" # Insert the application's API key
Start the KES Server
Finally, start the KES Server in a new window/tab.
export APP_IDENTITY=$(kes tool identity of app.cert)
kes server --config=server-config.yml --auth=off
--auth=off is required since your
app.cert certificates are self-signed.
Connect to the Server
In the previous window/tab, you can now connect to the server using the following commands:
kes key create -k my-app-key
-k is required because your are using self-signed certificates.
Decrypt Data Encryption Keys
Finally, you can derive and decrypt the data keys from the previously created my-app-key.
kes key derive -k my-app-key
plaintext : ...
kes key decrypt -k my-app-key <base64-ciphertext>