1.0 Introduction
This article describes the Fortanix Data Security Manager (DSM) copy key operation that can be performed on a security object.
2.0 Copy Key
The Copy Key feature of Fortanix DSM allows users to copy a security object from a standard Fortanix DSM group to another standard group.
This feature has the following advantages:
It maintains a single source of key material: the same key is used by, or imported into, other Fortanix DSM groups, so the applications in those groups can use one key to meet a business objective.
It maintains a link to copies of the original key material for audit and tracking purposes.
The following actions will happen as part of the copy key operation:
A new key will be created in the target group: The new key will have the same key material as the original key.
The Source key links to the copied keys: A link will be maintained between all copied keys and the source key.
The Source key will also have basic metadata-based information about the linked keys, such as:
Copied by <user-name/app id>
Date of Copy <time stamp>
Target copy group name
NOTE
The name of the copied key is suggested automatically to the user as
[original key name]_[copy1,2,...],
but can be replaced with an alternative unique name.
Perform the following steps to copy a key:
Go to the detailed view of a security object and click COPY KEY on the right of the screen.
NOTE
Fortanix DSM does not allow copying LMS and XMSS keys.
Figure 1: Copy key button
In the COPY KEY window, you may update the name of the key by clicking the pencil icon. Copy the new key to one or more groups from the Group section. To list only HSM/External KMS groups, select the Import key to HSM/External KMS option.
Figure 2: Edit key name and edit group details
Click EDIT PERMISSIONS if you want to modify the permissions of the key.
Figure 3: Set deactivation date
The Deactivation date of the security object can be set to 'Never' or to a specified time in the future. To specify the deactivation date, click EDIT.
Click CREATE COPY to create a copy of the key.
NOTE
If a Quorum approval policy is configured in the source group that contains the original key, a quorum approval request is created. Only after the request is approved will the copy key operation succeed.
The source key will now appear as a key link in the KEY LINKS tab in the detailed view of the copied key.
Figure 4: Key link created
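The link and metadata described above (a copy that points back to its source, and a source that records who copied it, when, and into which group) are what make copied keys auditable. The following script is an added example, not Fortanix code or output: it walks a DSM-style JSON export of security objects and checks that every copy has a live two-way link to its source, matches the source's key type and size (a copy carries the same key material), and is recorded in the source's copy metadata. The export layout, the field names (`links`, `copied_from`, `copied_to`, `copy_history`) and the sample objects are all constructed assumptions; map them onto the real export format before use.

```python
"""Audit copy-key links in a DSM-style security-object export.

Added example, not Fortanix code. The export format and all field names
below are assumptions: each object is expected to carry a "links" object
(the source lists its copies under "copied_to", a copy names its source
under "copied_from") and the source keeps the copy metadata the article
lists (copied by, date of copy, target group) under "copy_history".
"""
import json

# Constructed sample export (not real DSM output). One source key with two
# copies, one of which has a mismatched key size, plus an orphaned copy
# whose source no longer exists.
SAMPLE_EXPORT = json.dumps([
    {"kid": "k-src", "name": "payments-aes", "group_id": "g-std-1",
     "obj_type": "AES", "key_size": 256,
     "links": {"copied_to": ["k-copy1", "k-copy2"]},
     "copy_history": [
         {"kid": "k-copy1", "copied_by": "app:billing-svc",
          "copied_at": "2024-03-01T10:15:00Z", "target_group": "g-std-2"},
         {"kid": "k-copy2", "copied_by": "user:alice",
          "copied_at": "2024-03-02T09:00:00Z", "target_group": "g-hsm-1"},
     ]},
    {"kid": "k-copy1", "name": "payments-aes_copy1", "group_id": "g-std-2",
     "obj_type": "AES", "key_size": 256, "links": {"copied_from": "k-src"}},
    {"kid": "k-copy2", "name": "payments-aes_copy2", "group_id": "g-hsm-1",
     "obj_type": "AES", "key_size": 128, "links": {"copied_from": "k-src"}},
    {"kid": "k-orphan", "name": "payments-aes_copy3", "group_id": "g-std-3",
     "obj_type": "AES", "key_size": 256, "links": {"copied_from": "k-gone"}},
])


def load_objects(export_text):
    """Index the exported security objects by their kid."""
    return {obj["kid"]: obj for obj in json.loads(export_text)}


def audit_copies(objects):
    """Check every copied key against its source.

    Returns a dict with:
      "copies":   source kid -> list of copy records (kid, group, who, when)
      "findings": list of (kid, description) for links that do not hold up
    """
    copies = {}
    findings = []
    for obj in objects.values():
        src_kid = obj.get("links", {}).get("copied_from")
        if src_kid is None:
            continue  # not a copy, nothing to check
        src = objects.get(src_kid)
        if src is None:
            findings.append((obj["kid"], f"source {src_kid} not found"))
            continue
        # The link must be two-way: the source has to list the copy as well.
        if obj["kid"] not in src.get("links", {}).get("copied_to", []):
            findings.append((obj["kid"], f"source {src_kid} has no link back"))
        # A copy shares the source's key material, so type and size must match.
        if (obj["obj_type"], obj["key_size"]) != (src["obj_type"], src["key_size"]):
            findings.append((obj["kid"],
                             f"{obj['obj_type']}-{obj['key_size']} differs from "
                             f"source {src['obj_type']}-{src['key_size']}"))
        # The source should record who copied it, when, and into which group.
        history = {h["kid"]: h for h in src.get("copy_history", [])}
        entry = history.get(obj["kid"])
        record = {"kid": obj["kid"], "group": obj["group_id"],
                  "copied_by": None, "copied_at": None}
        if entry is None:
            findings.append((obj["kid"], "no copy metadata on source"))
        else:
            if entry["target_group"] != obj["group_id"]:
                findings.append((obj["kid"],
                                 f"recorded target group {entry['target_group']} "
                                 f"differs from actual group {obj['group_id']}"))
            record["copied_by"] = entry["copied_by"]
            record["copied_at"] = entry["copied_at"]
        copies.setdefault(src_kid, []).append(record)
    return {"copies": copies, "findings": findings}


if __name__ == "__main__":
    report = audit_copies(load_objects(SAMPLE_EXPORT))
    for src_kid, records in report["copies"].items():
        print(f"{src_kid}:")
        for rec in records:
            print(f"  {rec['kid']} in {rec['group']} "
                  f"copied by {rec['copied_by']} at {rec['copied_at']}")
    for kid, problem in report["findings"]:
        print(f"FINDING {kid}: {problem}")
```

On the constructed sample this reports two copies of `k-src`, flags `k-copy2` because its key size does not match the source, and flags `k-orphan` because its source cannot be found; `k-copy1` passes every check.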
3.0 Create New AES Key
Perform the following steps to create a new AES key with the same settings as an existing key:
Go to the detailed view of the AES key and click CREATE NEW AES KEY on the right of the screen.
Figure 5: Create new RSA key button
On the Add New Security Object window, enter the name of the security object in the Security Object name field.
You can update the existing values in the sections as required.
After you have updated the values, click GENERATE at the bottom of the screen.
The new AES key is generated in Fortanix DSM.
Similarly, except for LMS and XMSS, you can copy other key types and create a new key of that type from the key's detailed view.
4.0 Key Attestation
Fortanix DSM allows you to generate and download, from the DSM UI, an attestation certificate for an asymmetric key managed in DSM.
The following can be derived from a Fortanix DSM key attestation statement and certificate:
The security attributes of the Fortanix DSM cluster that houses the key, such as whether it operates on hardware with physical safeguards.
The permissible uses of the key.
Confirmation of whether the key was created within the DSM framework.
Determination of whether the key has ever been made accessible externally.