User's Guide: Key Components

  • Updated on May 28, 2025
  • Published on Jun 6, 2024
  • 13 minute(s) read
Prev Next

1.0 Introduction

This article describes the key import and export functionality using the Fortanix Data Security Manager (DSM) Key Components feature.

It also contains the information related to:

  • Set up Key Custodian policy

  • Import key by Clear Components

  • Import encrypted key by Components

  • Export key Clear Components

  • Export encrypted key Components

2.0 Key Custodian Policy

A Key custodian is a role assigned to Account Members or Account Administrators in Fortanix DSM who can only perform the following activities:

  • Provision clear (unencrypted) components for an import component operation or receive clear components from an export component operation.

  • Provision encrypted components for an import component operation or receive encrypted components from an export component operation.

A Key custodian must have the following restrictions:

  • Exist on a group level in the Fortanix DSM.

  • Only be assigned to handle activities related to import or export key of clear components in a particular group.

  • Only be an Account Member or Account Administrator.

2.1 Setup Key Custodian Policy

A Key custodian policy allows Account Members or Account Administrators to participate as key custodians for a group. You must configure this policy with a minimum of 2 custodians (default is 2, but you can configure up to 3). Key custodians are required to approve any key import or export component operation initiated from the group.

NOTE

A Quorum approval policy must be set up for the Key custodian policy to function. Before configuring a Key custodian policy, create a Quorum approval policy first.

Perform the following steps to configure the Key custodian policy:

  1. In the Fortanix DSM user interface (UI), go to the detailed view of a group, and in the INFO tab click ADD POLICY for the Key custodian policy section.

    Figure 1: Add custodian policy

  2. In the Key custodian policy form, add the users who will participate as Key custodians for key import or export component operations.

    You can select Members, Administrators, or All (a combination of both roles) from the menu:

    1. If you select Administrators, the list displays users assigned the Account Administrator role.

    2. If you select Members, the list displays users assigned the Account Member role.

    3. If you select All, the list displays users with either the Account Member or Account Administrator role.

  3. Select the required users to serve as Key custodians, then click SAVE POLICY to apply the configuration.

    NOTE

    Since the group has a Quorum approval policy enabled, Fortanix DSM generates a quorum approval request when you click SAVE POLICY.

Figure 2: Select object custodians

2.2 Edit Key Custodian Policy

Perform the following steps to edit a Key custodian policy:

  1. Go to the detailed view of the group and then in the INFO tab, under the Key custodian policy section, click EDIT POLICY.

    Figure 3: Edit custodian policy

  2. In the Key custodian policy form, updated the configuration as required.

  3. Click SAVE POLICY to apply the changes.

2.3 Delete Key Custodian Policy

Perform the following steps to delete a Key custodian policy:

  1. Go to the detailed view of the Key custodian policy, scroll to the bottom of the screen and click DELETE POLICY.

    Figure 4: Delete custodian policy

  2. In the Delete Key custodian Policy confirmation dialog box, click DELETE to confirm the action.

3.0 Key Import

3.1 Import Key by Clear Components User Flow

This section describes the procedure for Import Key by Clear Components feature.

Assumptions:

  • A group named Import Key Component Test Group exists and has User 1, and User 2 as group administrators.

  • User 3 and User 4 are key custodians who are also group administrators.

In this example:

  • User 1 creates an Import Key by Clear Components request.

  • User 3 and User 4 are the key custodians of a symmetric key and possess clear components.

  • The goal is to import the symmetric by clear components in Fortanix DSM.

The User 1 must perform the following steps to create a request for importing the key by clear components:

  1. In the Fortanix DSM UI, go to the detailed view of the Import Key Component Test Group group, and in the SECURITY OBJECTS tab, click ADD SECURITY OBJECT.

    Figure 5: Add security object

  2. In the Add New Security Objects form, do the details:

    1. Security Object name: Enter a name for the security object. For example, Key 1.

    2. Select IMPORT to initiate the key import workflow.

    3. Select the Import Key from Components check box to start the process for importing key by components.

      NOTE

      The Import Key from Components check box will be disabled if the Key custodian policy is not set at the group level.

    4. In the Select at least 2 key custodians to provide key component section, select the users (for example, User 3 and User 4) who will upload their components to Fortanix DSM. The minimum number of participating Key Custodians is configured in the group's Key custodian policy. For example, if the policy requires a minimum of two custodians, you must select two users from the list of eligible users defined in the Key custodian policy to proceed with the component upload operation.

    5. In the Choose a type section, select the key type for the new key. For example, AES.

      NOTE

      The allowed key types for importing keys by components are AES, DES3, DES, or HMAC.

    6. In the Key size section, select the size of the key in bits.

      1. For AES, the key size can be 128, 192, or 256 bits.

      2. For DES3, the key size can be 112 or 168 bits.

      3. For DES, the key size can be 56 bits.

      4. For HMAC, choose key size from 112 to 8192 bits.

    7. In the Key Check Value (KCV) section, enter the KCV of the imported key, which can optionally be added by the administrator while creating the import request.

    8. In the Key operations permitted section, select the permitted key operations. For example, Encrypt, Decrypt, and Export.

  3. Click SUBMIT REQUEST FOR COMPONENTS. This action will notify User 3 and User 4 that the request has been created, and that they can now submit their key components.

    Figure 6: Create an import request

    Once the User 1 has submitted the import request to the key custodians (for example, User 3 and User 4) then User 3 and User 4 will be notified to submit their key components. The users can either submit or cancel the component import.

  4. When User 3 logs in to Fortanix DSM, the Home page will display the import component request under the Pending Approval Requests section. The Tasks table will display the approval request created by User 1 to import a key with the name Key 1.

    Figure 7: View pending requests Home page

    The user can also navigate to Tasks → PENDING → Import/Export tab.

    Figure 8: View pending requests

  5. The User 3 clicks ADD COMPONENT to submit the key component or CANCEL IMPORT to decline the import request.

  6. When User 3 clicks ADD COMPONENT, the Add a key component dialog box with the following information appears on the screen:

    1. The name of the user who has created the Import Key by Clear Components request. For example, User 1.

    2. The name (for example, Key 1), type, size, and KCV value of the imported key.

      The User 3 must provide the following details in the dialog box:

    3. In the Component section, enter the key clear component value.

    4. In the Component Key Check Value section, enter the component KCV value.

    5. Click Verify KCV link to verify if the component value and component KCV match. If they do not match, an error message will be displayed indicating the mismatch. At this point, the key custodian must re-type the key clear component and KCV and verify them again.

    Figure 9: Add component values

  7. Click ADD COMPONENT. This action will send the component value to TLS and stored securely by Fortanix DSM.

    NOTE

    If a user cancels the import request using CANCEL IMPORT, the following will occur:

    • Other custodians will no longer be able to submit their key components.

    • The key will not be imported.

    • Fortanix DSM will destroy all previously imported components.

    • To proceed with key import again, the group administrator must create a new Import Key by Clear Components request as described in Section 3.1: Import Key by Clear Components User Flow.

  8. After User 3 and User 4 complete Steps 1 to 4 to add their key components, the Import Key by Clear Components request moves to the Tasks → Pending → Import/Export tab in the Fortanix DSM UI.

    Figure 10: Import component added by User 3

  9. After all designated key custodians complete Steps 1 to 4 and submit their key components, Fortanix DSM automatically recombines the clear components to generate the key using the parameters specified in Step 2. Fortanix DSM retains each key component only until successful key creation, and then permanently destroys all components.

    Figure 11: Import component completed by all custodians

  10. Navigate to the Security Objects menu item to view the newly imported key. The imported key (for example, Key 1) appears in the list of security objects.

    Figure 12: Key created successfully

3.2 Key KCV Match

If the account administrator who created the import request optionally included a Key Check Value (KCV), Fortanix DSM verifies the recombined key’s KCV against the KCV provided in Step 2 of Section 3.1: Import Key by Clear Components User Flow. If the values do not match, Fortanix DSM aborts the key import and destroys all submitted components. The key import request will display an error message. To proceed, the group administrator must create a new Import Key by Clear Components request as described in Section 3.1: Import Key by Clear Components User Flow.

3.3 Import Encrypted Key by Components User Flow

This section describes the procedure for Import Encrypted Key by Components feature.

Fortanix DSM allows you to specify a Key Encryption Key (KEK) that will be used to unwrap (decrypt) the recombined key components during the import process.

The workflow for this process is as follows:

  1. Fortanix DSM waits until quorum approval is completed to import and unwrap the encrypted key material with the wrapping key.

  2. Once quorum is reached, Fortanix DSM allows the key to be unwrapped using the KEK specified during the Export Key as Components operation.

  3. Fortanix DSM waits until all the key custodians have submitted their components.

  4. Once all components have been provided, Fortanix DSM.

  5. Fortanix DSM uses the specified KEK to unwrap (decrypt) the recombined key material from Step 4.

  6. The resulting material from Step 5 is the final security objects that is imported.

NOTE

Recombining Components:

  • If the key is not wrapped with a KEK, recombining the components results in the original key.

  • If the key is wrapped with a KEK, an additional step is involved: unwrapping the recombined components to restore the original key.

The user flow for importing an encrypted key by components follows a process similar to the one outlined in the Section 3.1: Import Key by Clear Components User Flow, with two key differences:

  • In Step 2, the administrator selects the Unwrap this key before import check box and specifies the KEK (unwrapping key).

  • The KEK must already exist in Fortanix DSM at the time of creating the Import Encrypted Key by Components request and must have the UnwrapKey permission.

Figure 13: Encrypted import flow

3.4 Error Scenarios

If a request fails (such as an import request failure or if the wrapping key lacks the UnwrapKey permission) during the import or export operation, Fortanix DSM captures these failure scenarios in the FAILED tab on the Tasks page. The user will receive a notification about the failed task through the alert icon at the top of the page.

Figure 14: Import task failed

4.0 Key Export

4.1 Export Key Clear Components User Flow

This section describes the procedure for Export Key by Components feature.

Assumptions:

  • A group named Export Key Component Test Group exists and has an AES key named Key 1 with Export permissions.

  • Approver 1, Approver 2, and Approver 3 are the quorum approvers who were added in group’s Quorum approval policy. For an operation to be approved in the group, approval from at least 2 out of the 3 approvers is required.

In this example:

  • The group administrator User 1 creates an Export Key by Components request.

  • The group administrators User 3 and User 4 are the key custodians of a symmetric key.

  • The goal is to export the symmetric key (Key 1) by components so that both, User 3 and User 4, can each have a component of the key in Fortanix DSM.

The User 1 perform the following steps to create a request for exporting the key by components:

  1. In the Fortanix DSM UI, go to the detailed view of the Key 1, scroll to the bottom of the screen and click EXPORT KEY.

    NOTE

    The EXPORT KEY check box will be disabled if the Key custodian policy is not set at the group level.

    Figure 15: Export key button

  2. In the EXPORT KEY form, do the following:

    1. Select AS COMPONENT.

    2. In the Select at least 2 key custodians that will receive the key components section, select the users who are members of the group’s Key custodian policy. The administrator creating the request may assign themselves as one of the key custodians. The minimum number of participating key custodians is defined in the group's Key custodian policy. For example, if the policy requires at least 2 custodians, you must select two users from the list of eligible users defined in the group policy to receive the key components.

    3. Select Wrap key before export check box if you want to wrap the key before exporting it as component. For more information, refer to the Section 4.1: Export Encrypted Key Component User Flow.

  3. Click SUBMIT EXPORT REQUEST to submit the export request. This action will notify Approver 1, Approver 2, and Approver 3 to export Key 1 by components has been created.

    NOTE

    The members of the Quorum approval policy may or may not overlap with the users that have been selected as key custodians.

    Figure 16: Submit export request

    Once the User 1 has submitted the export request to the quorum approvers custodians (for example, Approver 1, Approver 2, and Approver 3 ), then then at least 2 approvers must review and act on the request to approve or decline it.

  4. When Approver 1 logs in to Fortanix DSM UI, the Home page will the approval request under the Pending Approval Requests section. The Tasks table will display the approval request created by User 1 to export a Key 1 as components.

    Figure 17: Key 1 export request to approve Home page

    The user can also navigate to Tasks → PENDING → Import/Export tab.

    Figure 18: Key 1 export request to approve

  5. Click APPROVE to approve the key export or DECLINE to reject it.

    NOTE

    If the user cancels the export request using DECLINE, the following will occur:

    • Other approvers will no longer be able to approve the export request.

    • The key custodians will no longer be able to receive the key component

    • The key will not be exported.

    • To proceed with key export, the group administrator must create a new Export Key by Components request as described in Section 4.1: Export Key by Components User Flow.

  6. Similarly, Approver 2 and Approver 3 must perform Steps 1 to 5 to approve the export component request.

  7. After all designated quorum approvers complete Steps 1 to 5 and accepts the approval request, Fortanix DSM notifies the designated key custodians that a key component has been granted to them. The Exported component will now be available for User 3 and User 4 under the TASKS → PENDING → Import/Export tab in the Fortanix DSM UI.

    Figure 19: View component under tasks tab

  8. Click VIEW COMPONENT to view the export request details and the key component data they own.

    Figure 20: View component

    NOTE

    The key component value is displayed only once during the key export as a component. It is strongly recommended that the user securely record the component value by writing it down or printing it at the time of display.

    Figure 21: Warning

4.2 Export Encrypted Key Component User Flow

This section describes the procedure for Export Encrypted Key by Components feature.

Fortanix DSM allows you to specify a Key Encryption Key (KEK) that will be used to wrap the exported key with a Key Encryption Key (KEK) and then splits the key into components parts.

The workflow for this process is as follows:

  1. Fortanix DSM waits until quorum approval is achieved for the export operation.

  2. Once quorum is reached, Fortanix DSM wraps the key to be exported with the KEK specified during the Export Key as Components operation.

  3. Fortanix DSM splits the wrapped key material from Step b into components.

  4. The generated components from Step 3 are made available to the designated custodians.

The Exporting Encrypted Key in Components user flow is similar to the to the one described in Section 4.1: Export Key Clear Components User Flow, with two key differences:

  • In Step 2, the administrator (User 1) must select the Wrap key before export check box and select the KEK.

  • The KEK must already exist in Fortanix DSM when the Export Key by Components request is created. It must belong to the same group as the key to be exported and have WrapKey permission.

Figure 22: Wrap key before export

Related articles