Fortanix Data Security Manager with Google Control Plane Using Virtual Private Cloud

1.0 Introduction

This article describes integrating Fortanix-Data-Security-Manager (DSM) with Google External Key Manager Control Plane using a Virtual Private Cloud (VPC) network.

It also contains the information that a user needs to:

• Enable the Cloud Key Management Service (KMS) API in your GCP project

• Obtain the GCP service account email address

• Configure a GCP External Key Manager (EKM) connection

• Create a key ring in Google Cloud KMS

• Create an external key in GCP EKM

• Complete the GCP key setup

Fortanix DSM supports the following customer-managed encryption keys (CMEK) integration services on the Google Cloud:

• Artifact Registry

• BigQuery

• Compute Engine

• Cloud Logging: Log Router

• Cloud Spanner

• Cloud SQL

• Cloud Storage

• Dataflow Appliance and Dataflow shuffle

• Dataproc

• Google Kubernetes Engine: Data on VM disks or Application-layer Secrets

• Pub/Sub

• Secret Manager

For the complete list, refer to the Cloud EKM documentation.

2.0 Why Use Fortanix DSM With Google Cloud EKM Control Plane Using VPC?

Google Cloud’s External Key Manager allows services running on the Google Cloud Platform (GCP), namely BigQuery and Google Compute Engine (GCE), to use encryption keys managed by an external key management service and controlled entirely by the customer. A Cloud Deployment Architect for GCP can access an EKM through a Virtual Private Cloud (VPC) network to meet data sovereignty requirements. Fortanix DSM implements the Cloud EKM control plane, enabling customers to perform key management operations such as creating, rotating, or destroying keys from Cloud Key Management Service (KMS), without having to access the Fortanix DSM user interface or APIs directly. This eliminates the need for customers to manually coordinate key maintenance between Cloud KMS and their EKM.

Fortanix DSM protects all your data on-premises as well as in the cloud. It provides end-to-end security for keys and data (at-rest, in-transit, and in-use) protected with layers of defense, including Fortanix Runtime Encryption®, Intel® SGX and FIPS-validated hardware. Only authorized users can access keys.

3.0 Terminology References

• Fortanix Data Security Manager (DSM)

  Fortanix DSM is the cloud solution secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as secrets, such as passwords, API keys, tokens, or any blob of data.

• GCP - Google Cloud Platform

  Google Cloud Platform is a suite of public cloud computing services offered by Google. The platform includes a range of hosted services for compute, storage, and application development that run on Google hardware. Google Cloud Platform services can be accessed by software developers, cloud administrators, and other enterprise IT professionals over the public internet or through a dedicated network connection.

• Google KMS - Google Key Management Service

  Google Cloud Key Management Service (KMS) is a cloud service for managing encryption keys for other Google Cloud services that enterprises can use to implement cryptographic functions. For more information, refer to the Google Cloud Key Management Service.

• VPC – Virtual Private Cloud

  A Virtual Private Cloud (VPC) network is a virtual version of a physical network that is implemented inside of Google's production network. For more information on what a VPC network does, refer to the Google documentation.

• Crypto space

  A crypto space is a logical workspace that contains keys and in which new keys can be created. Crypto space is a combination of:

  • Fortanix DSM group

  • Fortanix DSM app with the same name as the Google service account:

• SGX - Software Guard Extensions

  Intel’s Software Guard Extensions (SGX) is a set of extensions to the Intel architecture that aims to provide integrity and confidentiality guarantees to security-sensitive computation performed on a computer where all the privileged software (kernel, hypervisor, and so on) is potentially malicious.

• FIPS - Federal Information Processing Standards

  FIPS is a set of standards that describe document processing, encryption algorithms, and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies.

4.0 Prerequisites

Ensure the following:

• Fortanix DSM

• GCP Services

• Google Cloud Project

• The GCP Project Owner must enable the Cloud Key Management Service (KMS) API in your GCP Project. For more information on how to enable Google EKM API in your GCP project, refer to the Google documentation.

• The user trying to create the GCP key ring must have a Cloud KMS Admin role.

• The GCP Project Owner must enable BigQuery API access in your GCP Project.

• The user using BigQuery must have permission to use BigQuery and permission to access the EKM key that Fortanix creates.

5.0 Fortanix DSM with GCP Service Using VPC

With Google Cloud Platform (GCP) External Key Manager Control Plane, users perform key lifecycle management operations such as creation, rotation, and destruction for keys stored in an EKM, directly from Cloud KMS to encrypt or decrypt GCP workloads, including BigQuery and Google Compute Engine (GCE). A GCP administrator can deploy a VPC network to reverse proxy EKM requests and access the EKM through this network to meet data sovereignty requirements.

5.1 Enable KMS API in Your GCP Project

For more information on how to enable Google EKM API in your GCP project, refer to the Google documentation.

5.2 Obtain Your Google Service Account Email Address

Fortanix DSM requires the identity of the GCP service account in your Google Cloud project. This service account is automatically created by GCP once the KMS API is enabled. It exists by default, has the necessary permissions (which cannot be modified), and is not visible in your IAM console, as it is a backend service account managed by GCP. The service account follows the email address format shown below, where you should substitute your own project number:

service-[PROJECT-NUMBER]@gcp-sa-ekms.iam.gserviceaccount.com

In the example above, PROJECT-NUMBER is the project number of your Google Cloud Platform project. For more information on your project number, refer to the Creating and managing projects  |  Resource Manager Documentation  |  Google Cloud.

5.3 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

5.3.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

5.3.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

5.3.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

   

2. On the Adding new group page, do the following:

   1. Title: Enter a name for your group.

   2. Description (optional): Enter a short description of the group.

3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

5.3.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

   

2. On the Adding new app page, do the following:

   1. App name: Enter the name for your application.

      NOTE

      The app name must match the email address of an existing Google Service Account.

   2. ADD DESCRIPTION (optional): Enter a short description of the application.

   3. Authentication method: Select Google Service Account as the authentication method from the drop down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

   4. In the Allow access to wrap/unwrap keys for the following types of access justifications section, select the key access justification reason for wrapping or unwrapping the key.

      NOTE

      Selecting the allowed key justification reasons defines an access policy for the app.

      The user can allow access to wrap or unwrap keys for the following types of key access justification options:

      • Accept All: Select Accept All to allow access for all the justification reasons provided below. You can also customize your selection and select specific justification criteria for access.

        • Customer-initiated support – Support initiated by the customer, for example, Case Number: ####.

        • Customer-initiated access – Customer or a third-party authorized by the customer's IAM policy performs any access to the customer's data.

        • Google-initiated service – Google-initiated access, for example, to perform system management and troubleshooting, which includes:

          • Backup and recovery from outages and system failures.

          • An investigation will be conducted to confirm that the customer is not affected by suspected service issues.

          • Remediation of technical issues, such as storage failure or data corruption.

        • Google-initiated review – Google-initiated access for security, fraud, abuse, or compliance purposes, including:

          • Ensuring the safety and security of customer accounts and content.

          • Confirming if an event, such as malware infections, has affected the content and may impact account security.

          • Confirming whether the customer is using Google services in compliance with the Google Terms of Service.

          • Investigating complaints by other users and customers, or other signals of abusive activity.

          • Ensuring consistent use of Google services under relevant compliance regimes, such as anti-money laundering regulations.

        • Google-initiated system operation – Google-initiated access for security, fraud, abuse, or compliance purposes.

        • Third-party data request – Customer-initiated access by Google to respond to a legal request or legal process, including when responding to a legal process from the customer that requires Google to access the customer's own content. Note that Access Transparency logs, in this case, may not be available if Google cannot legally inform the customer of such a request or process.

        • No justification reason provided – Indicates the actor accessing the data provided no access reason for the request. This may have been due to a transient error, a bug, or some other unexpected circumstance.

        • No justification reason expected – Indicates no reason is expected for this key request, as the service in question has never integrated with Key Access Justification or is still in the pre-GA state and therefore may still have residual methods that call the External Key Manager but do not provide a justification.

        • Modified customer-initiated access – A customer uses their account to perform any access, which is authorized by their own IAM policy; however, a Google administrator has reset the superuser account associated with the user’s organization within the last 7 days.

        • Modified Google-initiated system operation – Google initiated access to customer data to perform indexing, structuring, pre-computation, hashing, sharding, and caching to optimize the structure and quality of data for future uses by the customer.

        • Google responses to production alert – Google-initiated access to the main system reliability.

      • Allow missing justification: Select this option to allow access even if a justification reason is not provided.

      • For the Google Cloud EKM Control Plane implementation, the following permissions must be selected for the GCP app for objects in the group. These permissions map to the corresponding GCP crypto space permissions.

        • Manage → Create – Create a security object

        • Manage → Destroy – Destroy the security object

        • Encrypt

        • Decrypt

        • Get Public Key

        • Get Info

        In the DSM 4.23 version, the Get Public Key and Get Info permissions are not visible in the create GCP EKM application workflow. To edit or update these permissions, you must first create the application, and then from the detailed view of the application, you can access the Get Public Key and Get Info permissions by clicking the Edit Permissions icon.

   5. Assigning the new app to groups: Select the group created in Section 5.3.3: Creating a Group from the list.

3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

5.3.5 Creating a Security Object

Perform the following steps to generate or import an AES key in the Fortanix DSM:

Generating the Security Object

Perform the following steps to generate an AES key in the Fortanix DSM:

1. In the DSM left navigation panel, click the Security Objects menu item, and then click the + button to create a new security object.

   

2. On the Add new Security Object page, do the following:

   1. Security Object name: Enter the name for your security object.

   2. Group: Select the group as created in Section 5.3.3: Creating a Group.

   3. Select GENERATE.

   4. In the Choose a type section, select the AES key type.

   5. In the Key Size section, select the size of the key in bits.

   6. In the Key operations permitted section, select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying.

   NOTE

   Ensure that the Encrypt and Decrypt permissions are selected.

3. Click GENERATE to create the new security object.

   

Importing the Security Object

Perform the following steps to import an AES key in the Fortanix DSM:

1. In the DSM left navigation panel, click the Security Objects menu item, and then click the + button to create a new security object.

   

2. On the Add new Security Object page, do the following:

   1. Security Object name: Enter the name for your security object.

   2. Group: Select the group as created in Section 5.3.3: Creating a Group.

   3. Select IMPORT.

   4. In the Choose a type section, select the AES key type.

   5. In the Place value here or import from file section, select the value format type as Hex, Base64, or Raw, and click UPLOAD A FILE to upload the key file.

   6. In the Key operations permitted section, select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying.

   NOTE

   Ensure that the Encrypt and Decrypt permissions are selected.

3. Click IMPORT to create the new security object.

   

5.4 Configure GCP External Key Manager Connection

Set up Cloud External Key Manager (Cloud EKM) to connect to your external key management (EKM) provider over a Virtual Private Cloud (VPC) network. For more information on how to create an EKM connection, refer to the Google documentation.

5.5 Create a GCP Key Ring

A key ring is the root resource for Cloud KMS keys and key versions. To create a key ring in Cloud KMS, refer to Google’s Documentation – Create a Key Ring. 

5.6 Create an External Key with EKM Connection Type as VPC

To create a Cloud EKM key on a key ring in Cloud KMS, refer to Google’s Documentation: Create a Coordinated External Key.

After the required configuration is done to create an external key, the Cloud EKM sends a request to Fortanix DSM to create a new key. The key shows as Pending generation until the key path is returned by Fortanix DSM and the Cloud EKM key is available.

6.0 References

1. Google Cloud Key Management Service: https://cloud.google.com/kms/ekm/docs/

2. GCP Key Manager Service API: https://cloud.google.com/kms/docs/reference/rest/

3. Fortanix DSM Getting started: users-guide-getting-started-with-fortanix-data-security-manager-ui 

4. Advanced Encryption Standard: https://www.researchgate.net/publication/317615794_Advanced_Encryption_Standard_AES_Algorithm_to_Encrypt_and_Decrypt_Data

5. Enable Billing in GCP: https://cloud.google.com/billing/docs/how-to/modify-project