User's Guide: Account Cryptographic Policy

1.0 Introduction

Welcome to the Fortanix-Data-Security-Manager (DSM) Cryptographic Policy User Guide. This article describes the cryptographic policies of the Fortanix DSM.

It also contains the information related to Fortanix DSM account-level cryptographic policies.

1.1 Fortanix DSM Cryptographic Policy Definition

The Fortanix DSM supports cryptographic policies that can be set on accounts or groups to restrict what kind of keys can be created and the permitted operations. The policies are specified at the account or group level.

2.0 Fortanix DSM Cryptographic Policy Structure

The Fortanix DSM Cryptographic Policy defines how cryptographic keys are managed. It allows administrators to control key types, sizes, and operations to maintain security.

2.1 Allowed Keys

By default, all types of keys are selected in the policy, including AES, DES, DES3, RSA, EC, HMAC, SECRET, CERTIFICATE, OPAQUE, LMS, ML-KEM, Tokenization, ML-DSA, XMSS, BIP32, EC-KCDSA, KCDSA, SEED, ARIA, and BLS.

2.2 Key Sizes

The following key sizes are allowed for each key type:

• AES: 128, 192, or 256 bits

• DES3: 168 bits or 112 bits (for 2-key triple DES)

• DES: 56 bits only

• DSA: 2048 bits (subgroup size: 224, 256 bits) or 3072 bits (subgroup size: 256 bits)

• RSA: minimum 1024 to 8192 bits

• HMAC: minimum 112 to 8192

• EC: Supported curves include SecP192K1, SecP224K1, SecP256K1, NistP192, NistP224, NistP256, NistP384, NistP521, Gost256A, X25519, Ed25519, and X448.

• Tokenization: 128, 192, or 256 bits.

• ML-KEM: 512, 768, or 1024 bits.

• ML-DSA: 44, 65, or 87 bits.

• EC-KCDSA: Supported curve include SecP192K1, SecP224K1, SecP256K1, NistP192, NistP224, NistP256, NistP384, or NistP521 and hashing algorithm include SHA1, SHA224, SHA256, SHA384, or SHA512.

• KCDSA: Key size: 2048 bits and Subgroup size: 224 or 256 bits.

• SEED: 128 bits.

• ARIA: 128, 192, or 256 bits.

2.3 Key Operations

The following default key operations are allowed for each key type:

• AES/DES3: ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, MACGENERATE, MACVERIFY, APPMANAGEABLE

• DSA: SIGN, VERIFY, APPMANAGEABLE, EXPORT

• RSA: SIGN, VERIFY, ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, APPMANAGEABLE

• EC: SIGN, VERIFY, APPMANAGEABLE, AGREEKEY

• DES: ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, APPMANAGEABLE

• HMAC: DERIVEKEY, MACGENERATE, MACVERIFY, APPMANAGEABLE

• ML-KEM: ENCAPSULATE, DECAPSULATE, EXPORT, APPMANAGEABLE

• ML-DSA: SIGN, VERIFY, APPMANAGEABLE, EXPORT

• EC-KCDSA: SIGN, VERIFY, APPMANAGEABLE, EXPORT

• KCDSA: SIGN, VERIFY, APPMANAGEABLE, EXPORT

• SEED: ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, EXPORT

• ARIA: ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, MACGENERATE, MACVERIFY, APPMANAGEABLE, EXPORT  

• BLS: SIGN, VERIFY, APPMANAGEABLE, EXPORT

• Tokenization: TOKENIZE, DETOKENIZE, APPMANAGEABLE

• LMS: SIGN, VERIFY, APPMANAGEABLE

• XMSS: SIGN, VERIFY, APPMANAGEABLE

When setting a Cryptographic Policy, users can restrict the key operations allowed for an account. By default, all operations are permitted.

3.0 Managing a Cryptographic Policy

You can manage cryptographic policies by creating, editing, or deleting them to control key types, sizes, and operations across the account.

3.1 At the Account Level

You can create, edit, and delete the Cryptographic policies at the account level to apply security settings across the entire account.

3.1.1 Creating the Policy

The Fortanix DSM account administrator controls the types of keys, key sizes (or elliptic curves), padding policies, and key permissions that allow keys to be created or imported into an account.

Perform the following steps to create an account level cryptographic policy:

1. Navigate to the Settings menu item in the DSM left navigation bar.

   

2. On the Account settings page, click the CRYPTOGRAPHIC POLICY tab, and click the ADD CRYPTOGRAPHIC POLICY button to add a new policy.

   

3. In the Allowed object types for the account section, select the key types that you want to allow for this account. By default, all the key types are selected.

4. In the Allowed key sizes section, add the required allowed key size(s) for the keys.

5. In the Handling existing non-compliant keys section, select the required radio button to handle the existing non-compliant keys. By default, the radio button for Accept option is selected. For more information, refer to Section 4.0: Policy Enforcement.

6. Click the RESTRICT KEY OPERATIONS button to select the permitted key operations that will be allowed for the keys. By default, all the key operations are selected.

7. In the Audit Log section, enable the toggle button to store the detailed audit logs for all the groups in the account.

   

8. Click the SAVE POLICY button to save the policy settings.

After the policy is saved, you need to create a new group and add a security object. For detailed information, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

You will notice that key types and operations are restricted based on the cryptographic policy settings at the account level. The restricted values are greyed out.

If there are existing keys in the account that do not comply with the newly added policy, a warning will appear next to the non-compliant keys in the security object table view.

Additionally, an error message will be displayed in the detailed view of the key, highlighting the non-compliance based on the account-level cryptographic policy settings.

3.1.2 Editing or Deleting a Policy

A user can edit an account-level policy to add or remove key types, change key operations, or modify key sizes.

Perform the following steps to edit an account level cryptographic policy:

1. Navigate to Settings → CRYPTOGRAPHIC POLICY → Cryptographic policy for security objects page and click the EDIT POLICY button.

   

2. Modify the allowed key operations as required. For example, disable adding a “DES3” key type, disable the “MacVerify” key operation.

   

3. Click the SAVE POLICY button.

   This action will restrict the users from selecting the “DES3” key type and the “MacVerify”, “Sign”, “Verify”, “AgreeKey”, and “Transform” key operation when creating a new security object.

   

4. Click the DELETE POLICY button at the bottom of the page to delete the cryptographic policy.

   

WARNING

Deleting an account-level cryptographic policy will remove all the key restriction for the groups that were set at the account-level.

4.0 Policy Enforcement

• All new keys will be allowed/denied based on the cryptographic policy rules.

• Any existing keys that are not compliant with the policy will still exist in the group. However, these keys will be marked separately as policy-violating keys. For these keys the following conditions are applicable:

  • Cryptographic Operations that are classified as “protect operations” will not be allowed: For example: Sign, Encrypt, Wrapkey, Derivekey, MacGenerate, AgreeKey.

  • Cryptographic Operations which are classified as “process operations” will still be allowed: For example: Verify, Decrypt, UnwrapKey, MacVerify.

If a group contains keys that are not compliant with the policy being added, an error message is displayed where the key can either be grandfathered, forbidden, or partially grandfathered. When a cryptographic policy is created at an account or group level, there are three options provided to handle non-compliant keys. These options are detailed in the section Handling existing non-compliant keys:

1. Forbid to use: Forbid any use of non-compliant objects. If this option is selected, you are forbidden from using the non-compliant keys for any operation.

2. Accept: Accept non-compliant objects even though they violate the current policy. If this option is selected, you may continue to use existing non-compliant keys, but you may not generate or import new non-compliant objects.

3. Limit usage: Restrict non-compliant objects so that they may only be used for “process operations” such as Decrypt, Unwrap, Verify, and MacVerify operations. The “protect operations” such as Encrypt, Wrap, Sign, and Mac are forbidden.