1.0 Introduction
This article describes how to integrate Fortanix Data Security Manager (DSM) on-premises with the Amazon Web Services (AWS) External Key Store (XKS) over an Amazon Virtual Private Cloud (VPC) network, so that data in AWS is protected with keys that are stored in Fortanix DSM and that users can use to perform cryptographic operations.
It also describes how to:
Create and configure the AWS Network Load Balancer and Target Groups
Create the VPC Endpoint Service
Create Fortanix DSM objects
Create the External Key Store in AWS
When using Fortanix DSM as an external key store, AWS allows two ways of communication:
Public Endpoint Connectivity - AWS KMS connects to the external key store proxy (XKS proxy) over the internet using a public endpoint. This procedure is not covered in this article. For the Public Endpoint Connectivity method, refer to the Fortanix DSM with AWS XKS Concepts Guide and the Fortanix DSM with AWS External Key Store (XKS) Integration Guide.
Using Amazon VPC endpoint service - AWS KMS connects to the external key store proxy (XKS proxy) by creating an interface endpoint to an Amazon VPC endpoint service. This method uses AWS Direct Connect/VPN, which enables AWS KMS to privately connect to your Amazon VPC and your external key store proxy without using the public internet. This procedure is covered in this article.
2.0 Architecture Workflow
The diagram below depicts the connectivity flow between Fortanix DSM and AWS KMS:

Figure 1: AWS Accessing Fortanix External Key Store using AWS VPC
The components of the above diagram include:
Amazon VPC connected to AWS XKS - needs to be created, or you can choose to use an existing VPC. It is important to note that the VPC must have at least two private subnets in two different Availability Zones.
Amazon VPC endpoint service powered by AWS PrivateLink with a network load balancer and target group.
An external proxy configured within the on-premises environment that intercepts AWS KMS traffic and relays it to the Fortanix DSM service.
Private DNS assigned to an external proxy.
Fortanix DSM installed in an on-premises environment.
The following steps explain the workflow:
An AWS Service or custom application sends a request for a key to AWS KMS.
AWS KMS finds the double-enveloped key in its database and sends it to the URL of the XKS service (as implemented by Fortanix DSM) to decrypt.
A network load balancer relays the request from AWS KMS to the Fortanix DSM cluster located in the on-premises environment using the VPC endpoint service.
Fortanix DSM decrypts the outer envelope and sends the inner envelope back to AWS KMS.
AWS KMS decrypts the inner envelope and sends the plaintext DEK to the calling service or application.
An external proxy created in the on-premises environment forwards the traffic to Fortanix DSM, which runs with a public CA-signed certificate. The Fortanix DSM service certificate must contain the proxy endpoint as a SAN (Subject Alternative Name).
3.0 Prerequisites
NOTE
Creation and configuration of the VPC and establishment of connectivity between the VPC and the on-premises environment are out of the scope of this guide.
AWS resources:
Network Load Balancer (NLB)
Reference: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-network-load-balancer.html#configure-load-balancer
VPC (with private subnet)
VPC Endpoint Service (ensure that the TXT record is added as per the documentation; the Domain verification status should be "Verified")
Reference: https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html#xks-nlb
KMS
The connection between AWS Cloud and Fortanix DSM on-premises (VPN/Direct Connect)
On-premises resources:
Fortanix DSM on-premises version 4.9 and above.
High Availability Proxy: A minimum of two nodes is recommended to achieve high availability.
NOTE
Fortanix used the HAProxy proxy service for testing.
4.0 Fortanix DSM with AWS XKS Using VPC
With AWS XKS, administrators use Fortanix DSM to store the cryptographic keys that encrypt and decrypt the Data Encryption Keys in AWS KMS. With this method, the cryptographic operations are performed inside Fortanix DSM. This differs from the import-key functionality (known as Bring Your Own Key, or BYOK), where the key material of a key in Fortanix DSM (the external HSM) is imported into AWS KMS with an optional expiration period and the cryptographic operations happen inside an AWS data center.
5.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
5.1 Signing Up
To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
5.2 Creating an Account
Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM. For example, AWSXKS_TEST.

Figure 2: Logging In
5.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
Click the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to add a new group.
Figure 3: Add Groups
On the Adding new group page, enter the following details:
Title: Enter a title for your group. For example, AWS_XKS_GROUP.
Description (optional): Enter a short description for the group.
Click the SAVE button to create the new group.
The new group has been added to the Fortanix DSM successfully.
5.4 Create/Import an AES Key and Copy the Key UUID
Perform the following steps to generate an AES key in the Fortanix DSM:
Click the Security Objects menu item in the DSM left navigation bar and click the + button on the Security Objects page to add a security object.
Figure 5: Add Security Object
On the Add New Security Object page, enter the following details:
Security Object name: Enter the name of your security object. For example, XKS_TEST_KEY.
Group: Select the group as created in Section 5.3: Creating a Group, which is AWS_XKS_GROUP.
Select the GENERATE radio button.
Choose a type: Select the AES key type.
Key Size: Indicates the size of the key in bits. Keep it as 256 bits.
Key operations permitted: Select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying.
NOTE
Ensure that the Encrypt and Decrypt key operations are allowed for the new key.
Click the GENERATE button to create the new security object.
You can also import an AES encryption key. Refer to the User's Guide: Fortanix Data Security Manager Key Lifecycle Management guide for instructions to import a key.

Figure 5: AES Key
The new security object is added to the Fortanix DSM successfully.
The UUID of this AES key is required in Section 6.3: Create External Key Store in AWS KMS to create the key in AWS XKS. To copy the UUID of the key, XKS_TEST_KEY:
Click the drop-down for COPY ID and click COPY UUID in the list to copy the key UUID to the system clipboard. You may choose to paste this UUID into Notepad or an equivalent program for later use.
5.5 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
Click the Apps menu item in the DSM left navigation bar and click the + button on the Apps page to add a new app.
Figure 6: Add Application
On the Adding new app page, enter the following details:
App name: Enter the name of your application. For example, DSM_XKS_APP.
ADD DESCRIPTION (optional): Enter a short description for the application.
Authentication method: Select the default AWS XKS as the method of authentication from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication documentation.
Assigning the new app to groups: Assign the app to the same group, that is, AWS_XKS_GROUP that contains the AES 256 key created in Section 5.4: Create/Import an AES Key and Copy the Key UUID.
Figure 3: Create a DSM App
Click the SAVE button to add the new application.
In the detailed view of an app, click the INFO tab and in the AWS XKS section, click the SHOW INSTRUCTIONS button.
In the AWS XKS modal window, copy the URI and the configuration info individually and make a note of it or click COPY CONFIG FILE to copy all the configuration details at once to the clipboard in JSON format. The following are the configuration values:
Path prefix: A fixed path containing the Fortanix DSM App UUID.
Access key ID and Secret access key: The access key and secret access key are used by AWS to access Fortanix DSM.
Figure 4: Copy the AWS XKS App Configurations
The new application has been added to the Fortanix DSM successfully.
6.0 Configure HAProxy Service in Fortanix DSM On-Premises
It is highly recommended to configure at least two HAProxy servers in HA to receive KMS traffic using AWS VPC. It must be configured with SSL pass-through to forward the incoming traffic to the backend service URL. Following is an example of installing HAProxy on Ubuntu and configuring the proxy service.
NOTE
You must follow the operating system-specific HAProxy installation instructions. You can use other proxy services as per your choice. Here we used HAProxy for this testing.
apt-get install haproxy
Edit the configuration file /etc/haproxy/haproxy.cfg. Following is an example of the HAProxy configuration.
global
    log /dev/log local0 info
    # Admin stats socket on loopback TCP (ipv4@127.0.0.1 is HAProxy's documented example address)
    stats socket ipv4@127.0.0.1:9999 level admin
    # mode 666 makes the admin socket writable by every local user; use 660 with a dedicated
    # group on anything other than a test system
    stats socket /var/run/haproxy.sock mode 666 level admin
    stats timeout 2m

defaults
    log global
    option tcplog
    timeout client 10s   # Applies to all frontends
    timeout connect 10s  # Applies to all backends
    timeout server 10s   # Applies to all backends

frontend stats
    # Stats page listens on every interface without authentication; bind it to
    # 127.0.0.1 or add "stats auth" outside of testing
    bind *:1936
    mode http
    stats uri /
    stats show-legends
    stats refresh 5s
    no log

frontend https
    bind *:443
    mode tcp             # TLS pass-through: the proxy does not terminate TLS
    default_backend bk_app

backend bk_app
    mode tcp
    # Fortanix DSM node; because TLS is passed through, KMS sees DSM's own certificate,
    # which must list the proxy DNS name as a SAN (see Section 2.0)
    server testdsm 10.197.192.40:443 check
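Because HAProxy runs in mode tcp and does not terminate TLS, the certificate that KMS sees through the proxy is Fortanix DSM's own, and Section 2.0 requires it to list the proxy DNS name as a SAN. The following script is an added example, not part of the Fortanix guide, for checking that certificate from a host that can reach the proxy; the proxy name is an argument you supply, and wildcard SAN entries are not matched.

```shell
#!/bin/sh
# Added example (not from the Fortanix guide): check the certificate that KMS will see
# through the HAProxy TCP pass-through. Because HAProxy does not terminate TLS, this is
# Fortanix DSM's own public-CA certificate, and it must list the proxy DNS name as a SAN.
set -eu

# Print the DNS entries of a PEM certificate's subjectAltName, one per line.
san_dns_names() {  # san_dns_names <cert.pem>
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed -n 's/^[ \t]*DNS:\([^ \t]*\).*/\1/p'
}

# Succeed only if <host> appears literally among the DNS SANs (wildcards are not matched).
san_contains_host() {  # san_contains_host <cert.pem> <host>
  san_dns_names "$1" | grep -qx -- "$2"
}

# Connect through the proxy the way KMS does (TLS to <proxy-dns>:443 with SNI set to the
# same name), then verify the chain against the local CA store and the SAN list.
check_proxy_cert() {  # check_proxy_cert <proxy-dns> [port]
  pem=$(mktemp); status=0
  out=$(openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null || true)
  printf '%s\n' "$out" | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$pem"
  if ! printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
    echo "FAIL: handshake or chain verification through $1 failed (is DSM's certificate public-CA signed?)" >&2
    status=1
  elif san_contains_host "$pem" "$1"; then
    echo "OK: $1 is a SAN of the certificate presented via the proxy"
  else
    echo "FAIL: $1 is not a SAN of the presented certificate; KMS will reject the handshake" >&2
    echo "      SANs present: $(san_dns_names "$pem" | tr '\n' ' ')" >&2
    status=1
  fi
  rm -f "$pem"; return "$status"
}
```

Run check_proxy_cert with the Private DNS name you will enter in Section 6.2; a FAIL on the SAN check means the DSM certificate must be reissued with that name before the key store can connect.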
6.1 Create and Configure AWS Network Load Balancer and Target Groups
NOTE
Before you start this section, it is assumed that you have the following configuration already in place:
AWS VPC configured
Communication between DSM on-premises to AWS VPC is established. (Direct Connect/VPN)
HAProxy is configured
Perform the following steps to create the target groups:
Go to the Amazon EC2 console at the URL below:
https://console.aws.amazon.com/ec2/
In the navigation pane, select Target Groups, and then click Create.
In the Basic configuration section, do the following:
Select the target type as IP addresses.
Enter a logical Target group name.
Select Protocol as TCP and Port as 443.
Select the IP address type as IPv4.
Select the VPC that you have created for the integration and click Next.
Figure 7: Create Target Group
Perform the following steps to register the targets in the Target Group.
Go to Target groups in the EC2 console, and then select Register targets.
Add the IP addresses of the HAProxy servers located in the on-premises environment. Enter 443 as the port for routing to the target.
Figure 8: Register Targets in the Target Group
Perform the following steps to create the load balancer:
Search “load balancer” in the Search Box of AWS Console and select the Load Balancer EC2 feature.
Select Create Load Balancer, select Network Load Balancer, and then click Create.
Enter a logical name in the Load balancer name field.
Select the Scheme as Internal.
Select the IP address type as IPv4.
In the Network mapping section, select the VPC created for the integration, and then under Mappings select both zones.
In the Listeners and routing section, select Protocol as TCP and Port as 443. Select the target group created above for the Default action field. Click Add listener.
Verify and then click Create load balancer.
6.2 Create VPC Endpoint Service
Perform the following steps to create the VPC endpoint service:
Go to VPC in the AWS Console and click Endpoint services. Select Create.
In the Create endpoint service form, do the following:
Enter a logical name for the VPC endpoint service.
Select Load balancer type as Network.
Then select the load balancer created above under Available load balancers.
Figure 9: Create endpoint service
In the Additional settings section, do the following:
Clear the Acceptance required option.
Select the Associate a private DNS name with the service option.
Enter the Proxy DNS for the Private DNS name field.
Select IPv4 under Supported IP address types.
Click Create.
Figure 10: Create Endpoint Services
After the VPC endpoint is created, it will generate the domain verification name and value. The Domain verification status shows “pendingVerification”. You must copy the Domain verification name and Domain verification value and create a TXT record on Route 53 under your domain. After the successful verification, the Domain verification status shows “Verified”.
Reference: https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html
Figure 11: Domain Verification Name and Value
You must add "Allow Principals" to use the VPC endpoint service as below. This is required to allow KMS to communicate through the VPC endpoint service you created.
In the navigation pane, choose Endpoint services.
Select the endpoint service and select the Allow principals tab.
To add permissions, click Allow principals.
In the Principals to add section, enter the ARN of the principal.
Figure 12: Allow Principal
6.3 Create External Keystore in AWS KMS
Perform the following steps to create an external keystore in AWS KMS:
Go to Key Management Service in the AWS console and select External key stores.
Click the Create option to create the external key store.
Enter a logical name for the Key store name field.
Select the VPC endpoint service in the Proxy connectivity section.
Select the VPC endpoint service created in the previous section.
In the Proxy URI endpoint field, enter the proxy DNS name.
Upload the configuration file from Fortanix DSM that you copied to the clipboard in Section 5.5: Creating an Application. This populates the fields in the Proxy Configuration section.
Click Create external key store.
Figure 13: Create External Keystore
After the external key store is created, click the keystore and check the Connection State.
It should show as Connected. This might take a while. If it shows a status other than Connected, troubleshoot the connectivity.
Figure 14: XKS Connection State
Now, the KMS key can be created in this key store.
Click Create a KMS key in this keystore.
In the Key configuration form, enter the key UUID copied in Section 5.4: Create/Import an AES Key and Copy the Key UUID in the External key ID field.
Confirm the use of an external key store and click Next.
Figure 15: KMS Key Configuration
Enter the key Alias and click Next.
Figure 16: Add Labels
Select the Key administrators from the list, click on the check box for the Key deletion based on your requirements, and click Next.
Figure 17: Key Administrators Permission
Figure 18: Key Usage Permission
Key Administrative permissions: AWS IAM users or roles who can manage the AWS external keystore key from the console.
Key Usage Permissions: AWS IAM users or roles who can use the key for cryptographic operations.
Finally, review the Key configuration and click Finish.
Figure 19: Review Key Configuration
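The console steps in this section can also be scripted with the AWS CLI. The following is an added example, not from the Fortanix guide: the VPC endpoint service name, proxy DNS name, path prefix and key UUID are placeholders to replace with your values from Sections 5.4, 5.5 and 6.2, and the DSM app's access key ID and secret are read from the environment variables XKS_ACCESS_KEY_ID and XKS_SECRET_ACCESS_KEY (names chosen for this example). Unlike the console, the CLI expects the full proxy path, that is, the DSM path prefix followed by the fixed /kms/xks/v1 suffix.

```shell
#!/bin/sh
# Added example (not from the Fortanix guide): the Section 6.3 console steps via the AWS CLI.
# Placeholders; replace with the values from Sections 5.4, 5.5 and 6.2:
PROXY_DNS="xks-proxy.example.internal"                          # private DNS name of the endpoint service
VPCE_SERVICE="com.amazonaws.vpce.REGION.vpce-svc-PLACEHOLDER"  # VPC endpoint service name
XKS_PATH_PREFIX="/PATH_PREFIX_FROM_DSM_APP"                      # "Path prefix" from the DSM app INFO tab
DSM_KEY_UUID="00000000-0000-0000-0000-000000000000"              # UUID of XKS_TEST_KEY (Section 5.4)
set -eu

# Print the first string value of JSON field <name> read from stdin; handles both
# pretty-printed and single-line CLI output, prints nothing if the field is absent.
json_field() {  # json_field <name>
  awk -v f="\"$1\"" '
    match($0, f "[ \t]*:[ \t]*\"[^\"]*\"") {
      split(substr($0, RSTART, RLENGTH), a, "\""); print a[4]; exit }'
}

# Create the external key store over the VPC endpoint service; prints its ID. The CLI
# wants the full path, i.e. the DSM path prefix plus the fixed /kms/xks/v1 suffix.
create_xks_store() {
  aws kms create-custom-key-store --custom-key-store-name fortanix-dsm-xks \
    --custom-key-store-type EXTERNAL_KEY_STORE --xks-proxy-connectivity VPC_ENDPOINT_SERVICE \
    --xks-proxy-vpc-endpoint-service-name "$VPCE_SERVICE" \
    --xks-proxy-uri-endpoint "https://$PROXY_DNS" --xks-proxy-uri-path "$XKS_PATH_PREFIX/kms/xks/v1" \
    --xks-proxy-authentication-credential \
      "AccessKeyId=${XKS_ACCESS_KEY_ID:?DSM app access key},RawSecretAccessKey=${XKS_SECRET_ACCESS_KEY:?DSM app secret}" \
    --query CustomKeyStoreId --output text
}

# Connect the store and poll until KMS reports CONNECTED; on FAILED print the error code.
wait_for_connected() {  # wait_for_connected <CustomKeyStoreId>
  aws kms connect-custom-key-store --custom-key-store-id "$1" >/dev/null
  while :; do
    out=$(aws kms describe-custom-key-stores --custom-key-store-id "$1" --output json)
    state=$(printf '%s\n' "$out" | json_field ConnectionState)
    case "$state" in
      CONNECTED) echo "$1: CONNECTED"; return 0 ;;
      FAILED) echo "$1: FAILED, $(printf '%s\n' "$out" | json_field ConnectionErrorCode)" >&2; return 1 ;;
      *) echo "$1: $state, waiting..."; sleep 15 ;;
    esac
  done
}

# Create the KMS key backed by the DSM AES-256 key; prints the KMS key ID.
create_xks_key() {  # create_xks_key <CustomKeyStoreId>
  aws kms create-key --origin EXTERNAL_KEY_STORE --custom-key-store-id "$1" --xks-key-id "$DSM_KEY_UUID" \
    --key-spec SYMMETRIC_DEFAULT --key-usage ENCRYPT_DECRYPT --query KeyMetadata.KeyId --output text
}

if [ "${1:-}" = run ]; then store=$(create_xks_store); wait_for_connected "$store"; create_xks_key "$store"; fi
```

Invoke the script with the argument run to execute all three steps; the FAILED branch prints the ConnectionErrorCode, which is the value the AWS XKS troubleshooting guide in Section 8.0 is indexed by.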
7.0 Using the XKS Key to Encrypt S3 Bucket
7.1 Create an S3 Bucket
This section describes how to use a Fortanix DSM key as an AWS customer-managed key to encrypt an S3 bucket.
Create an S3 bucket: Amazon S3 → Buckets → Create bucket.
Figure 20: Create an S3 Bucket
Upload a file to S3 and check the Fortanix key access logs.
Figure 21: Upload File to S3
Figure 22: Upload Successful
Figure 23: Fortanix Key Access Logs
8.0 References
AWS XKS troubleshooting guide: https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html
Supported key types with AWS external key store: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keys.html
Controlling access to your external key store: https://docs.aws.amazon.com/kms/latest/developerguide/authorize-xks-key-store.html