Using Fortanix Data Security Manager For VMware Encryption on GCP

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with VMware encryption on GCP. It also contains the information a user needs to:

  • Deploy Fortanix DSM on Google Cloud Platform

  • Perform Virtual Private Cloud (VPC) Peering with GCVE-VPC

  • Configure GCVE-VPC vCenter

1.1 Before you Begin

Refer to the Google Cloud documentation for account creation and the other preparatory steps.

2.0 Prerequisites

Ensure the following:

  • Fortanix DSM installation package for GCP

  • VM Type: "n1-standard-4" or higher

  • VM Count: 3 or higher

3.0 Deploying Fortanix Data Security Manager on GCP

3.1 Creating a VPC Network

For security purposes, create a new network. You can control who has access by adding firewall rules or by using another access control method.

If your project has a default VPC network, do not use it. Instead, create your own VPC network so that the only firewall rules in effect are those that you create explicitly.

Create a new VPC with a subnet IP range that does not overlap the ranges used by GCVE-VPC.

Figure 1: Create New VPC

3.2 Create an Instance Template

  1. On the Create an instance page, select New VM instance from template in the left panel, then in the Machine type field select n1-standard-4 (4 vCPU, 15 GB memory) or higher.

    Figure 2: Select Machine Type

  2. In the Boot disk field, select Ubuntu 16.04 LTS with a 200 GB SSD persistent disk.

  3. Click Create to create the instance template.

    Figure 3: Add boot disk details

3.3 Create an Instance Group

Create an instance group from the instance template created in the previous step.

Figure 4: Disable autoscaling and set the number of DSM cluster nodes

  1. On the Create an instance group page, select New managed instance group in the left panel.

  2. Disable autoscaling. The group size must stay fixed; a node that is added or removed automatically would not be part of the DSM cluster.

  3. In the Number of instances field, enter the number of Fortanix DSM cluster nodes (3 or more, per Section 2.0).

  4. Click Create. The VMs are created after this step.

3.4 Create a Health Check

  1. On the Create a health check page, configure a TCP health check on port 443.

  2. Click Create to create the health check.

    Figure 5: Check for Port

3.5 Create an Internal TCP Load Balancer

  1. On the Create a load balancer page, under Internet facing or internal only, select Only between my VMs.

    Figure 6: Internal Load Balancer Configuration

  2. Click Continue to create a new internal load balancer.

  3. Select Backend configuration in the left panel:

    1. Select the “VPC” created in Section 3.1: Creating a VPC Network.

    2. Select the Instance group created in Section 3.3: Create an Instance Group.

    Figure 7: Backend Configuration

  4. Select Frontend configuration in the left panel:

    1. Select the “VPC” created in Section 3.1: Creating a VPC Network.

    2. In the Internal IP field, reserve a static internal IP address.

    3. In the Port number field, enter 443, 4445, and 5696 so that the load balancer exposes all three ports.

    Figure 8: Frontend Configuration

3.6 Create an External Load Balancer

  1. On the Create a load balancer page, under Internet facing or internal only, select From internet to my VMs.

  2. Click Continue.

    Figure 9: External Load Balancer Configuration

  3. Select Backend configuration in the left panel:

    1. Select the Region.

    2. Select the Instance group created in Section 3.3: Create an Instance Group.

    3. Select the health check created in Section 3.4.

    Figure 10: Backend Configuration

  4. Select Frontend configuration in the left panel:

    1. Select the “VPC” created in Section 3.1: Creating a VPC Network.

    2. In the IP field, reserve a static public IP address.

    3. Expose ports 443, 4445, and 5696 on this load balancer.

    Figure 11: Frontend Configuration

3.7 Add a Firewall Rule

By default, an implied firewall rule blocks incoming connections from outside your VPC network. To allow incoming connections, set up a firewall rule for your VMs. Once a connection to a VM is established, return traffic is permitted over that connection.

You can create a firewall rule to allow external access to specified ports, or to restrict access between VMs on the same network.

  1. In the Cloud Console, go to the Firewall rules page.

  2. Add a firewall rule that allows TCP ports 443, 4445, and 5696.

  3. Select the VPC created in Section 3.1.

  4. Restrict the source IP ranges to what actually needs access: the peered GCVE ranges for the KMIP endpoint and your administrators' addresses for the UI. Do not leave the source as 0.0.0.0/0.

       Figure 12: Add firewall rule
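The console steps in Sections 3.1 through 3.7 can also be scripted. The script below is an added example, not Fortanix's or Google's code: it uses gcloud to build the same topology (custom VPC and subnet, instance template and managed instance group, TCP health check on 443, internal and external TCP load balancers on ports 443, 4445 and 5696, and firewall rules). Every project, region, name and address range in it is an assumption chosen for illustration; the GCVE ranges are the ones reserved in Section 4, and 35.191.0.0/16 and 130.211.0.0/22 are Google's published health-check probe ranges. By default it only prints the commands (DRY_RUN=1); set DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Added example (not Fortanix's or Google's code): gcloud equivalents of the
# console steps in Sections 3.1-3.7. Names, region and ranges are assumptions.
# DRY_RUN=1 (the default) prints each command instead of running it.
set -eu

PROJECT="${PROJECT:-fortanix}"
REGION="${REGION:-us-central1}"
NETWORK="${NETWORK:-dsm-vpc}"
SUBNET="${SUBNET:-dsm-subnet}"
SUBNET_RANGE="${SUBNET_RANGE:-10.10.0.0/24}"  # must not overlap the GCVE ranges below
NODE_COUNT="${NODE_COUNT:-3}"                 # DSM cluster size (3 or more)
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"    # who may reach the external UI (placeholder range)
GCVE_CIDRS="192.168.0.0/24,192.168.1.0/28"    # peered GCVE ranges that need the KMIP endpoint
HC_CIDRS="35.191.0.0/16,130.211.0.0/22"       # Google Cloud health-check probe ranges
DSM_PORTS="443,4445,5696"                     # the three ports the page exposes
TAG="dsm-node"

run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# "443,4445,5696" -> "tcp:443,tcp:4445,tcp:5696" (firewall-rule syntax)
tcp_rules() {
  printf '%s\n' "$1" | awk -F, '{ for (i = 1; i <= NF; i++) printf "%stcp:%s", (i > 1 ? "," : ""), $i }'
}

create_network() {                                                   # Section 3.1
  run gcloud compute networks create "$NETWORK" --project="$PROJECT" --subnet-mode=custom
  run gcloud compute networks subnets create "$SUBNET" --project="$PROJECT" \
      --network="$NETWORK" --region="$REGION" --range="$SUBNET_RANGE"
}

create_instances() {                                                 # Sections 3.2 and 3.3
  # ubuntu-1604-lts matches the page's boot disk choice; substitute a supported family.
  run gcloud compute instance-templates create dsm-template --project="$PROJECT" \
      --machine-type=n1-standard-4 --image-family=ubuntu-1604-lts --image-project=ubuntu-os-cloud \
      --boot-disk-size=200GB --boot-disk-type=pd-ssd \
      --network="$NETWORK" --subnet="$SUBNET" --region="$REGION" --tags="$TAG"
  # No autoscaler is attached, so the group size stays fixed at NODE_COUNT.
  run gcloud compute instance-groups managed create dsm-nodes --project="$PROJECT" \
      --region="$REGION" --template=dsm-template --size="$NODE_COUNT"
}

create_health_check() {                                              # Section 3.4
  run gcloud compute health-checks create tcp dsm-hc --project="$PROJECT" --region="$REGION" --port=443
}

create_internal_lb() {                                               # Section 3.5
  run gcloud compute backend-services create dsm-internal-bs --project="$PROJECT" \
      --load-balancing-scheme=INTERNAL --protocol=TCP --region="$REGION" \
      --health-checks=dsm-hc --health-checks-region="$REGION"
  run gcloud compute backend-services add-backend dsm-internal-bs --project="$PROJECT" \
      --region="$REGION" --instance-group=dsm-nodes --instance-group-region="$REGION"
  run gcloud compute addresses create dsm-internal-ip --project="$PROJECT" --region="$REGION" --subnet="$SUBNET"
  run gcloud compute forwarding-rules create dsm-internal-fr --project="$PROJECT" \
      --load-balancing-scheme=INTERNAL --network="$NETWORK" --subnet="$SUBNET" --region="$REGION" \
      --address=dsm-internal-ip --ports="$DSM_PORTS" --backend-service=dsm-internal-bs
}

create_external_lb() {                                               # Section 3.6
  run gcloud compute backend-services create dsm-external-bs --project="$PROJECT" \
      --load-balancing-scheme=EXTERNAL --protocol=TCP --region="$REGION" \
      --health-checks=dsm-hc --health-checks-region="$REGION"
  run gcloud compute backend-services add-backend dsm-external-bs --project="$PROJECT" \
      --region="$REGION" --instance-group=dsm-nodes --instance-group-region="$REGION"
  run gcloud compute addresses create dsm-external-ip --project="$PROJECT" --region="$REGION"
  run gcloud compute forwarding-rules create dsm-external-fr --project="$PROJECT" \
      --load-balancing-scheme=EXTERNAL --region="$REGION" --address=dsm-external-ip \
      --ports="$DSM_PORTS" --backend-service=dsm-external-bs
}

create_firewall_rules() {                                            # Section 3.7
  rules="$(tcp_rules "$DSM_PORTS")"
  # Internal endpoint: only the peered GCVE ranges and the health checkers.
  run gcloud compute firewall-rules create "${NETWORK}-allow-dsm-internal" --project="$PROJECT" \
      --network="$NETWORK" --direction=INGRESS --action=ALLOW --rules="$rules" \
      --source-ranges="${GCVE_CIDRS},${HC_CIDRS}" --target-tags="$TAG"
  # External endpoint: only the administrator range, never 0.0.0.0/0.
  run gcloud compute firewall-rules create "${NETWORK}-allow-dsm-admin" --project="$PROJECT" \
      --network="$NETWORK" --direction=INGRESS --action=ALLOW --rules="$rules" \
      --source-ranges="$ADMIN_CIDR" --target-tags="$TAG"
  # Node-to-node traffic so the cluster can form. The page does not list the
  # intra-cluster ports, so this is an assumption; tighten it per the installation guide.
  run gcloud compute firewall-rules create "${NETWORK}-allow-dsm-cluster" --project="$PROJECT" \
      --network="$NETWORK" --direction=INGRESS --action=ALLOW --rules=tcp,udp \
      --source-tags="$TAG" --target-tags="$TAG"
}

deploy_all() {
  create_network; create_instances; create_health_check
  create_internal_lb; create_external_lb; create_firewall_rules
}

deploy_all
```

Running the script as-is prints the plan; review it, in particular the three firewall rules, before running it again with DRY_RUN=0. The rules are the security-relevant part: the instance template tags every node with dsm-node, so the rules only ever open the three DSM ports to the peered GCVE ranges, the health checkers and the administrator range.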

3.8 Create DNS Records

Create DNS records for the internal and external load balancer addresses.

  • These can be created in Cloud DNS or in an external DNS service.

  • In this example, sdkms.vpc.gcloud is the VPC-reachable endpoint of Fortanix DSM (the internal load balancer address).

  • sdkms.external.gcloud is the internet-reachable endpoint (the external load balancer address).

3.9 Download and Install Fortanix Data Security Manager

The package must be installed on every server in the cluster. To install the Fortanix DSM package:

  1. The latest installation file is available at https://support.fortanix.com/hc/en-us/sections/360001900792-SDKMS-Releases. Access requires a partner account, which Fortanix provides to the relevant contact person.

  2. Download the Fortanix DSM installation file sdkms_<version>_install.sh and copy it to each server.

  3. Install the package by running the following commands, replacing the package name with the filename of the package in your Fortanix DSM distribution:

    sudo chmod +x sdkms_2.3.688-124_install.sh
    sudo ./sdkms_2.3.688-124_install.sh 

    Reboot the system if a new kernel version was installed:

    sudo reboot

    NOTE

    Swap must be disabled again after the node boots up.

  4. Perform a reset on all servers by running the following command:

    sudo sdkms-cluster reset --delete-data

Install the Fortanix DSM software on each VM. Refer to the Fortanix Data Security Manager Installation Guide - On-Prem for the step-by-step installation instructions.

For the GCP compatible installation package, contact Fortanix Support.
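The note in step 3 says swap must be disabled again after each node reboots. The helper below is an added example, not Fortanix's code: it turns swap off and comments out the swap entries in /etc/fstab so the setting survives the next reboot, then verifies against /proc/swaps. The fstab-processing functions take a file path so they can be exercised on a copy before touching a node; the function names and the backup file naming are assumptions.

```shell
#!/bin/sh
# Added example (not Fortanix's code): make the "swap must be disabled again
# after the node boots up" note from Section 3.9 persistent across reboots.
set -eu

# Comment out every active swap entry in an fstab-format file. Field 3 is the
# filesystem type; lines that are already comments are left alone. Prints the result.
comment_swap_entries() {
  awk '!/^[[:space:]]*#/ && $3 == "swap" { print "#" $0; next } { print }' "$1"
}

# Count the swap devices listed in a /proc/swaps-format file (first line is a header).
active_swap_count() {
  awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }' "$1"
}

# Apply on a node (needs root): swap off now, fstab rewritten so it stays off,
# and a non-zero exit if anything is still active afterwards.
disable_swap_persistently() {
  fstab="${1:-/etc/fstab}"
  swapoff -a
  comment_swap_entries "$fstab" > "${fstab}.new"
  cp "$fstab" "${fstab}.bak"      # keep the original before replacing it
  mv "${fstab}.new" "$fstab"
  [ "$(active_swap_count /proc/swaps)" -eq 0 ]
}

# Uncomment to run on a DSM node after the reboot in step 3:
# disable_swap_persistently /etc/fstab
```

Run it once per node after the reboot, before the cluster reset in step 4. If a node uses a swap file rather than a partition, the fstab entry has the form "/swapfile none swap sw 0 0", which the filter handles the same way.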

3.10 UI / KMIP Access

  • The UI can be accessed using sdkms.external.gcloud.

  • The KMIP for VMware can be accessed using sdkms.vpc.gcloud.

4.0 VPC Peering with GCVE-VPC

The following instructions establish VPC peering between the VPC (Project ID = fortanix, VPC name = gcve-vpc) and the VMware SDDC (Software-Defined Data Center).

4.1 Enable Service Networking APIs

To enable Service Networking APIs, use the following command:

gcloud services enable servicenetworking.googleapis.com --project=fortanix

4.2 Enable the Service Consumer Management API

To enable the Service Consumer Management API, use the following command:

gcloud services enable serviceconsumermanagement.googleapis.com --project=fortanix

Figure 13: Enable Service Networking and Management APIs

4.3 Reserve an IP Block for VPN Gateway Address Space

Next, reserve an IP block for the VPN gateway address space (the prefix length must be 28). This range is already assigned to your environment (192.168.1.0/28).

gcloud beta compute addresses create gcvs-rsvd-vpngw --project=fortanix --addresses=192.168.1.0 --prefix-length=28 --description="IP range for VMware Private Cloud VPN gateway" --purpose=VPC_PEERING --network=gcve-vpc --global

4.4 Reserve an IP Block for Management Address Space

Next, reserve an IP block for the management address space of your VMware Private Cloud. This range is already assigned to your environment (192.168.0.0/24).

gcloud beta compute addresses create gcvs-rsvd-mgmt --project=fortanix --addresses=192.168.0.0 --prefix-length=24 --description="IP range for VMware Private Cloud Network" --purpose=VPC_PEERING --network=gcve-vpc --global

Figure 14: Reserve IP block for networking and management address space

4.5 Create a VPC Peering

Create a VPC peering using the following command:

gcloud beta services vpc-peerings connect --project=fortanix --service=vpc-peering.gcloud.gcve-vpc.com --network=gcve-vpc --ranges=gcvs-rsvd-vpngw,gcvs-rsvd-mgmt

4.6 Accept the VPC Peering Request

After creating the VPC peering connection, wait for the GCVE side to accept the peering request before configuring vCenter; until it does, sdkms.vpc.gcloud is not reachable from the SDDC.

5.0 Configuring GCVE-VPC vCenter

To configure GCVE-VPC vCenter, follow the steps described below:

  1. Create a new account, group, and app in Fortanix DSM.

  2. Add the internal endpoint sdkms.vpc.gcloud as a Key Management Server in vCenter.

    1. On the Applications page, click VIEW CREDENTIALS for the app you just created. Then click the Username/Password tab and note the username and password; vCenter uses them to authenticate to the KMS.

    2. Establish trust with Fortanix DSM: make vCenter trust the KMS.

    Figure 15: Make vCenter trust KMS

    Figure 16: Trust Established

    Make the KMS trust vCenter:

    Figure 17: Make KMS trust vCenter

    Choose a Certificate:

    Figure 18: Choose a certificate

    Download vCenter Certificate:

    Figure 19: Download vCenter certificate

    Figure 20: Certificate configured

    For more information, refer to the article Using Fortanix Data Security Manager as a KMS to Secure VMware Virtual Environments.

  3. Enable vSAN encryption.

    1. In the VMware vSphere Client, go to Cluster → vSAN → Services.

      Figure 21: Enable vSAN Encryption

    2. Enable vSAN Encryption.

      Figure 22: Enable vSAN Encryption

    Fortanix DSM is now ready for use with vSAN encryption and vCenter VM encryption. A tamper-proof audit log records every cryptographic operation performed by the application.

    Figure 23: Fortanix DSM successfully configured


    For vSAN encryption, new keys are created in Fortanix DSM through the KMIP protocol.

    Figure 24: Configuration successful