1.0 Introduction
This article describes how to use Fortanix Data Security Manager (DSM) as the external key manager for the Cohesity Data Protection platform. Cohesity's file system protects data at rest with Federal Information Processing Standards (FIPS) approved AES-256 encryption.
The platform utilizes a two-tier key hierarchy:
Data Encryption Keys (DEKs) for encrypting and decrypting the data.
Key Encryption Keys (KEKs) for securing the DEKs.
The KEKs are securely stored in Fortanix DSM's FIPS 140-2 Level 3 certified Hardware Security Module (HSM). Cohesity implements support for the Key Management Interoperability Protocol (KMIP) in its secondary storage solution, allowing customers to leverage Fortanix's KMIP-compliant DSM for effective management and protection of the Key Encryption Keys.
2.0 Prerequisites
Ensure the following:
Cohesity DataPlatform version 6.5.1a or later is installed and operational, and the cluster is configured to use encryption. You can only enable encryption at the cluster level when you create the Cohesity cluster.
Fortanix DSM version 3.21 or later.
Fortanix DSM is installed and operational, and the Cohesity cluster can connect to it on port 5696 or a custom KMIP port.
You have access to OpenSSL or some other tool for generating a client certificate and private key in the Privacy Enhanced Mail (PEM) format.
3.0 Architecture Workflow
The Key Management Interoperability Protocol (KMIP) is used to facilitate communication between the Cohesity cluster and Fortanix DSM. KMIP uses Transport Layer Security (TLS) to provide a secure connection. Fortanix DSM also uses TLS to authenticate a KMIP client so that it can create, retrieve, and use keys stored in Fortanix DSM.
Both Fortanix DSM and the Cohesity cluster use X.509 certificates to authenticate each other and to secure their communication. Fortanix DSM is deployed with a server certificate that is signed by its internal Certificate Authority (CA). You will need a tool such as OpenSSL to create a client certificate for the Cohesity cluster; the certificate may be signed externally or self-signed.

Figure 1: Architecture Diagram
The following are some key points to understand how the Fortanix DSM and Cohesity DataPlatform work together:
After encryption is enabled at the cluster level in the Cohesity DataPlatform, it cannot be disabled in the future.
After you configure a Cohesity cluster to use an external Key Management System (KMS), you cannot change it back to using the internal KMS. However, you have the option to create a new Storage Domain that will utilize the internal Key Management system.
The Cohesity cluster supports only one (1) external KMS, and the IP address of the KMS cannot be altered once configured.
After it establishes a TLS connection with Fortanix DSM, a Cohesity cluster never tears down that connection unless services are restarted or stopped. This results in a persistent TLS connection.
4.0 Configuring Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
4.1 Signing Up
To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
4.2 Creating an Account
Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

Figure 2: Logging In
4.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
Click the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to add a new group.
Figure 3: Add Groups
On the Adding new group page, enter the following details:
Title: Enter a title for your group.
Description (optional): Enter a short description for the group.
Click the SAVE button to create the new group.
The new group has been added to the Fortanix DSM successfully.
4.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
Click the Apps menu item in the DSM left navigation bar and click the + button on the Apps page to add a new app.
Figure 4: Add Application
On the Adding new app page, enter the following details:
App name: Enter the name of your application.
Interface (optional): Select the KMIP option as the interface type from the drop-down menu.
ADD DESCRIPTION (optional): Enter a short description for the application.
Authentication method: Select the default API Key as the method of authentication from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication documentation.
Assigning the new app to groups: Select the group created in Section 4.3: Creating a Group from the list.
Click the SAVE button to add the new application.
The new application has been added to the Fortanix DSM successfully.
4.5 Copying the App UUID
Perform the following steps to copy the app UUID from the Fortanix DSM:
Click the Apps menu item in the DSM left navigation bar and click the app created in the Section 4.4: Creating an Application to go to the detailed view of the app.
From the top of the app’s page, copy the app UUID to be used in Section 4.6: Generating the Client Certificate and Private Key as the value of Common Name (CN) to generate a self-signed certificate and a private key.
4.6 Generating the Client Certificate and Private Key
There are two different types of client certificates:
Self-Signed Certificates: If your security policy allows it, you may generate and sign your client certificate yourself.
Externally Signed Certificates: Generate a Certificate Signing Request (CSR) and sign using a Certificate Authority (CA).
Perform the following steps to create a private key and a client certificate. The command below produces a self-signed certificate; if your security policy requires an externally signed certificate, generate a Certificate Signing Request (CSR) instead and have a trusted CA sign it:
Log in to a system with OpenSSL installed.
Run the following openssl command to generate the private key and certificate:
openssl req -newkey rsa:2048 -nodes -keyout cohesity.key -x509 -days 365 -out cohesity.crt
Enter the following details:
Country Name: Enter the two-letter code representing your country.
State or Province Name: Enter the full name of your state or province.
City: Enter the complete name of your city.
Organization: Enter the full name of your organization.
Organizational Unit: Enter the complete name of your department within the organization.
Common Name: Use the app UUID noted during the creation of an app in Fortanix DSM.
Others: Additional details, if required, can be provided here, but they are optional.
Ensure both the client certificate and private key file are stored securely on your system.
Figure 5: Certificates
If you generated a CSR, have a trusted Certificate Authority (CA) sign it and store the resulting signed certificate securely.
4.7 Extracting Fortanix DSM Internal CA Certificate
Perform the following steps to extract the Fortanix DSM internal CA certificate:
Log in to a system with OpenSSL installed.
Run the following OpenSSL command to display the certificates of Fortanix DSM. The first certificate is the server certificate and the second is the root certificate:
$ openssl s_client -connect <Fortanix_DSM_Address>:5696 -showcerts
For example,
Figure 6: Server and root certificate
Copy the second certificate in the output and save this into a file on the system you will be accessing the Cohesity user interface (UI) or CLI.
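The following script is added here as an example and is not part of the Fortanix or Cohesity documentation. It automates Sections 4.6 and 4.7: it generates the key and self-signed certificate with the app UUID as the Common Name, checks the CN, picks the second certificate out of the openssl s_client output instead of copying it by hand, and verifies the three resulting files with a mutual-TLS handshake before they are handed to Cohesity. The subject fields other than CN, the file names and the placeholder UUID are assumptions.

```shell
#!/bin/sh
# Added example, not from the Fortanix or Cohesity documentation. It assumes OpenSSL
# is installed and that the app UUID from Section 4.5 is passed in as the first argument.

# Section 4.6: create the private key and a self-signed client certificate whose
# Common Name is the DSM app UUID. -subj answers the prompts non-interactively;
# the other subject fields here are placeholders.
gen_client_cert() {
  app_uuid="$1"; key="$2"; crt="$3"
  openssl req -newkey rsa:2048 -nodes -keyout "$key" -x509 -days 365 \
    -subj "/C=US/ST=California/L=Mountain View/O=Example Org/OU=Backup/CN=$app_uuid" \
    -out "$crt" 2>/dev/null || return 1
  chmod 600 "$key"   # the private key will be uploaded to Cohesity; keep it owner-readable only
}

# Print the CN of a PEM certificate so it can be compared with the app UUID
# before the certificate is uploaded to DSM in Section 4.8.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Section 4.7: select the N-th PEM certificate from `openssl s_client -showcerts`
# output read on stdin. DSM sends its server certificate first and the internal
# CA certificate second, so N=2 yields the CA file that Cohesity needs.
nth_cert() {
  awk -v want="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == want { print }
    /-----END CERTIFICATE-----/ && n == want { exit }
  '
}

# Pre-flight check of the three files Cohesity will be given: a mutual-TLS
# handshake to the KMIP port, verified against the extracted CA certificate.
# Worth running before Section 5, because the KMS address cannot be changed later.
kmip_tls_check() {
  host="$1"; crt="$2"; key="$3"; ca="$4"
  openssl s_client -connect "$host:5696" -cert "$crt" -key "$key" -CAfile "$ca" \
    </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Demo with a constructed placeholder UUID in a temporary directory (no network).
if command -v openssl >/dev/null 2>&1; then
  tmp=$(mktemp -d); uuid="00000000-0000-4000-8000-000000000000"
  gen_client_cert "$uuid" "$tmp/cohesity.key" "$tmp/cohesity.crt" &&
    echo "certificate CN: $(cert_cn "$tmp/cohesity.crt")"
  rm -rf "$tmp"
fi
```

To extract the CA file from a live DSM, pipe `openssl s_client -connect <Fortanix_DSM_Address>:5696 -showcerts </dev/null` into `nth_cert 2 > dsm-ca.pem`, then run `kmip_tls_check <Fortanix_DSM_Address> cohesity.crt cohesity.key dsm-ca.pem` with the generated files.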
4.8 Updating the Authentication Method
Perform the following steps to change the authentication method:
Go to the detailed view of the app created in Section 4.4: Creating an Application, click the Change authentication method button, and select the Certificate option to change the authentication method to Certificate.
Click the SAVE button.
On the Add certificate dialog box, click the UPLOAD NEW CERTIFICATE button to upload the certificate file, or paste the content of the client certificate generated in Section 4.6: Generating the Client Certificate and Private Key.
Select both check boxes to confirm that you understand the action.
Click the UPDATE button to save the changes.
5.0 Configure Cohesity Key Management Settings
You may configure Fortanix DSM as an external KMS using either of the following options:
Cohesity DataPlatform UI
Cohesity DataPlatform CLI
5.1 Using Cohesity DataPlatform UI
Perform the following steps:
Log in to Cohesity DataPlatform UI.
Navigate to Settings → Cluster → Summary.
Figure 7: Summary in Cohesity DataPlatform
Navigate to the Key Management System tab.
Figure 8: Cohesity Key Management System
On the Key Management System page, enter the following details:
Key Name: A name of your choice that identifies this Fortanix DSM connection.
Key Type: Select KMIP Compliant for Fortanix DSM.
Protocol Version: Currently, Fortanix DSM supports KMIP1_4 when integrated with Cohesity DataPlatform.
NOTE
By default, Fortanix DSM supports KMIP version 1.4.
Server Address: Enter the IP address of your Fortanix DSM.
NOTE
The KMS IP cannot be altered once configured.
Port: The default port for KMIP communication is 5696.
Client Certificate: Upload the client certificate file generated earlier.
Client Key: Upload the private key file generated earlier.
CA Certificate: Upload the root CA certificate file extracted from Fortanix DSM as detailed in Section 4.7: Extracting Fortanix DSM Internal CA Certificate.
Figure 9: Key Management System Details
Click the Save button.
The Cohesity cluster immediately initiates a TLS session with Fortanix DSM and begins KMIP communication.
Figure 10: TLS Certificates
5.2 Using Cohesity DataPlatform CLI
Perform the following steps:
Run the following SSH command to access the cluster:
$ ssh <user_account>@<ip_address_cohesity_node>
Run the following command to access the Cohesity DataPlatform CLI:
cohesity_shell# iris_cli
Run the following command to create a new KMS in the CLI:
kms create
Figure 11: KMS Create command
Where ca-certificate is the root CA certificate file of Fortanix DSM extracted in Section 4.7: Extracting Fortanix DSM Internal CA Certificate.
Run the following command to view the current settings and status:
kms list
Figure 12: KMS List Command
5.3 Modifying Cohesity DataPlatform KMS Settings
When modifying the Key Management settings after the initial configuration, it is necessary to restart the keychain service to apply the new settings.
NOTE
For detailed steps on accessing and general use of the Cohesity CLI, refer to the Cohesity CLI section of the Cohesity Virtual Edition Setup Guide.
Perform the following steps to restart the keychain service using CLI:
Run the following command to enter the Cohesity DataPlatform CLI:
cohesity_shell# iris_cli
Run the following command to restart the service:
cluster restart service-names="keychain"
Figure 13: Restart the service
Run the following command to check the status of the service:
cluster status
Figure 14: Service Status
5.4 Verification on Fortanix DSM
After the successful creation of the external KMS on the Cohesity cluster through DataPlatform UI or DataPlatform CLI, Fortanix DSM will display logs indicating the connection and created keys.

Figure 15: Key Generation and Connection Logs
5.5 Enabling Cohesity DataPlatform Storage Domain Encryption
Perform the following steps to enable the encryption for each Cohesity DataPlatform Storage Domain:
Log in to Cohesity DataPlatform UI.
Navigate to Settings → Cluster → Summary.
Navigate to the Storage Domains tab.
Figure 16: Storage Domains
Click the Add Storage Domain button.
In the Add Storage Domain page, ensure that Encryption is enabled when creating the new Storage Domain.
Figure 17: Enable Encryption
Click the Create Storage Domain button.
Verify that Encryption is enabled for the new Storage Domain.
Figure 18: Encryption Enabled
NOTE
The encryption keys will be generated only when data is written to the disk.
6.0 Key Rotation
When utilizing an external Key Management System (KMS) for encryption, Cohesity keeps both the Data Encryption Key (DEK) and the Key Encryption Key (KEK) locally, while the KMS manages the KEK. Whenever a component within the Cohesity system requires access to encrypted data, it sends a request to the KMS referencing the KEK ID. Upon receiving the KEK from the KMS, Cohesity uses it to decrypt the DEK, which is then used to encrypt or decrypt the data.
Cohesity employs key caching mechanisms to optimize system performance and alleviate the load on the external KMS. This involves temporarily storing the DEK in the system's memory, minimizing the need for frequent requests to the KMS. In the event of unavailability or failure of the external KMS to provide the KEK, data stored within the Storage Domains remains securely encrypted and inaccessible.
By default, Cohesity initiates key rotation every 90 days to ensure robust security measures, although this interval can be customized according to specific requirements.
6.1 Configuring Key Rotation
To configure key rotation, initiate the Cohesity CLI either remotely or locally. Specify the static IPv4 or IPv6 address of one of the Cohesity nodes.
For instance, if the CLI is downloaded to a Linux system, run the following command, and provide the Cohesity cluster username and password:
./iris_cli -server 172.16.3.101 -username=admin
Modify the key rotation period by specifying the time in seconds.
For instance, to adjust the key rotation period to 30 days, run the following CLI command:
admin>cluster edit enc-key-rotation-period-secs=2592000