Introduction
This article describes how to integrate Fortanix Data Security Manager (DSM) with MinIO’s Key Encryption Service (KES) server that uses Fortanix DSM as a persistent and secure key store. KES server runs inside Kubernetes and distributes cryptographic keys to Fortanix DSM applications. This article also contains the information that a user needs to:
- Configure Fortanix DSM
- Set up KES server
Architecture
Figure 1: KES with DSM architecture
KES Server acts as a bridge between a Fortanix DSM and cloud-native applications. Here Fortanix DSM is the central KMS that protects the master keys and acts as the root of trust in your infrastructure. Instead of deploying and managing one KMS per set of applications, when an application wants to encrypt data, it can request a new DEK from a KES server or ask the KES server to decrypt an encrypted DEK. This way the load on the central KMS (Fortanix DSM) does not increase much because KES can serve the vast majority of application requests without talking to Fortanix DSM.
For more details refer to https://blog.min.io/introducing-kes/.
Fortanix Data Security Manager Configuration
Create Application
First, register a new application that can authenticate and communicate to the Fortanix DSM instance. To do that,
- Go to the Apps page in the Fortanix DSM UI and create a new App.
Figure 2: Create new app
- Enter a descriptive name for the app. For example,
KES
. - Select REST as the Interface and select API Key as the Authentication method.
Figure 3: Create app
Assign App to Group
- Next, assign the application to a group. This group will be the default group of the application. The newly created keys will belong to this group unless an explicit group ID is specified in the KES configuration file.
Figure 4: Assign app to group
- Click SAVE to complete creating the application.
- Click COPY API KEY to copy the application’s API key. This key is the access credential to talk to Fortanix DSM as the application.
Figure 5: Copy API key
KES Server Setup
First, you need to generate a TLS private key and certificate for the KES server. A KES server can only be run with TLS - since secure-by-default. Here we use self-signed certificates for simplicity. For a production setup, we highly recommend using a certificate signed by CA (for example, your internal CA or a public CA like Let's Encrypt).
Generate a TLS Private Key and Certificate for the KES Server
The following command will generate a new TLS private key server.key
and a X.509
certificate server.cert that is self-signed and issued for the IP 127.0.0.1
and DNS name localhost
(as SAN). You may want to customize the command to match your setup.
kes tool identity new --server --key server.key --cert server.cert --ip "127.0.0.1" --dns localhost
Any other tooling for X.509 certificate generation works as well. For example, you could use openssl
:
$ openssl ecparam -genkey -name prime256v1 | openssl ec -out server.key
$ openssl req -new -x509 -days 30 -key server.key -out server.cert \
-subj "/C=/ST=/L=/O=/CN=localhost" -addext "subjectAltName = IP:127.0.0.1"
Create Private Key and Certificate for your Application
kes tool identity new --key=app.key --cert=app.cert app
You can compute the app identity using:
kes tool identity of app.cert
Create Configuration File
Now, you have defined all entities in your demo setup. Wire everything together by creating the config file server-config.yml
:
address: 0.0.0.0:7373
root: disabled # We disable the root identity since we don't need it in this guide
tls:
key : server.key
cert: server.cert
policy:
my-app:
allow:
- /v1/key/create/my-app*
- /v1/key/generate/my-app*
- /v1/key/decrypt/my-app*
identities:
- ${APP_IDENTITY}
keystore:
fortanix:
sdkms:
endpoint: "<your-fortanix-sdkms-endpoint>" # Use your Fortanix instance endpoint.
credentials:
key: "<your-api-key>" # Insert the application's API key
Start the KES Server
Finally, start the KES Server in a new window/tab.
export APP_IDENTITY=$(kes tool identity of app.cert)
kes server --config=server-config.yml --auth=off
Where, --auth=off
is required since your root.cert
and app.cert
certificates are self-signed.
Connect to the Server
In the previous window/tab, you can now connect to the server using the following commands:
export KES_CLIENT_CERT=app.cert
export KES_CLIENT_KEY=app.key
kes key create -k my-app-key
Where, -k
is required because your are using self-signed certificates.
Decrypt Data Encryption Keys
Finally, you can derive and decrypt the data keys from the previously created my-app-key.
kes key derive -k my-app-key
{
plaintext : ...
ciphertext: ...
}
kes key decrypt -k my-app-key <base64-ciphertext>
Comments
Please sign in to leave a comment.