Using Fortanix Data Security Manager with BeyondTrust Password Safe


1.0 Introduction

This article describes the steps to integrate Fortanix Data Security Manager (DSM) with BeyondTrust Password Safe. The integration is based on PKCS#11: Password Safe loads the Fortanix PKCS#11 library and sends its encryption and decryption requests through it to Fortanix DSM, so the key material itself never leaves DSM.

Password Safe allows users and applications to check out passwords or sessions using passwords. It is also responsible for rotating the passwords for the privileged accounts it manages. For check-out operations, the passwords stored in Password Safe must be decrypted. When rotating or changing a password, the new value must be encrypted. While Password Safe can use self-generated keys to encrypt and decrypt passwords, there are benefits associated with externalizing all encryption and decryption operations to Fortanix DSM.

Customers benefit from enhanced visibility into key usage and the ability to invalidate a key, even if they cannot get access to Password Safe. Externalizing Password Safe keys to Fortanix DSM provides greater security controls and flexibility, enabling use cases such as BYOK (Bring Your Own Key) and HOYK (Hold Your Own Key).

This quick, step-by-step guide will show you how to set up a simple integration that enables Password Safe to send encryption and decryption requests to Fortanix DSM externally. More advanced configuration options, including the configuration of the HSM Gateway to support third-party on-premise or cloud-based HSM solutions, can be found here.

2.0 Product Tested Version

The following product versions were tested:

  • Fortanix DSM 4.14 and higher.

  • Password Safe (BeyondInsight) 21.3 and higher.

3.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

3.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>, for example https://amer.smartkey.io. On-premises customers use the URL of their own DSM (KMS) deployment; SaaS customers use the URL listed here for the region in which the application is deployed. The same URL is the endpoint the PKCS#11 client on the BeyondInsight server will connect to, so it must be reachable from that server.

For more information on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS.

3.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

Figure 1: Logging in

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

3.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

    Figure 2: Add groups

  2. On the Adding new group page, do the following:

    1. Title: Enter a name for your group.

    2. Description (optional): Enter a short description of the group.

  3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

3.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

    Figure 3: Add application

  2. On the Adding new app page, do the following:

    1. App name: Enter the name for your application.

    2. ADD DESCRIPTION (optional): Enter a short description of the application.

    3. Authentication method: Select the default API Key as the authentication method from the drop down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

    4. Assigning the new app to groups: Select the group created in Section 3.3: Creating a Group from the list.

  3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

3.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 3.4: Creating an Application to go to the detailed view of the app.

  2. On the INFO tab, click VIEW API KEY DETAILS.

  3. From the API Key Details dialog box, copy the API Key and Password of the app to use later.

4.0 Configure PKCS#11

Perform the following steps:

  1. Download the latest Fortanix PKCS#11 Windows 64-bit client onto your BeyondInsight server or appliance. For more information, refer to Fortanix PKCS#11.

  2. After installing the MSI package on your BeyondInsight server or appliance, you should be able to find the PKCS#11 driver (DLL) and a README.txt file in the client folder. The README describes the client's configuration, including the Fortanix DSM endpoint the library connects to, which must be the <Your_DSM_Service_URL> from Section 3.1.


    Figure 4: KMS client folder

  3. Configure the HSM credentials using the BeyondInsight Configuration tool, pointing it at the Fortanix PKCS#11 library installed in Step 2 and entering the name Password Safe should give its encryption key. The PIN is the API key of the Fortanix DSM app as copied in Section 3.5: Copying the API Key. Treat this API key with the same care as the PIN of a hardware HSM: anyone who holds it and can reach the DSM URL can request decryption with the Password Safe key, so keep the app assigned only to the group created in Section 3.3 and protect the BeyondInsight server accordingly.


    Figure 5: Configure HSM credentials

  4. In Password Safe, test and then change the password for a Managed Account using the Change Password option. You should see a success message at the bottom of the page for each test and password change action. The test exercises a decryption in Fortanix DSM and the change exercises an encryption, so together they confirm both directions of the integration.


    Figure 6: Change password for managed account

  5. In Fortanix DSM, you should be able to find the new key created by Password Safe, with the key name entered in Step 3 above. It is listed as a security object in the group the app was assigned to.

    Figure 7: Key created

    NOTE

    • Managed Account passwords are encrypted by Fortanix DSM using the above encryption key, and when passwords are checked out, requests for decryption are submitted to Fortanix DSM.

    • When Managed Account passwords are rotated, requests for encryption of the password values stored in Password Safe are submitted to Fortanix DSM after the target apps and systems are updated.

  6. The activity logs for the security object in Fortanix DSM should confirm that the Decryption (Test Password) and Encryption (Change Password) operations were performed by the Password Safe app. If the log shows no activity, Password Safe is still using its own local key and the HSM configuration in Step 3 should be rechecked.

    Figure 8: Activity logs
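The two checks a practitioner typically wants before and after the procedure above are (a) that the API key copied in Section 3.5 is accepted by the DSM URL from Section 3.1, and (b) that the key Password Safe created in Step 5 exists, is enabled, can encrypt and decrypt, and is not exportable (an exportable key would undermine the point of externalizing it). The script below is an added example, not code from the Fortanix or BeyondTrust documentation. It uses only the Python standard library and the DSM REST API paths (/sys/v1/session/auth, /crypto/v1/keys) as documented at the time of writing; the DSM_URL and DSM_API_KEY environment variables, the key name argument and the SAMPLE_KEYS data are assumptions constructed for the example.

```python
"""Smoke test for the Fortanix DSM side of the Password Safe integration.

Added example. Assumes DSM_URL (e.g. https://amer.smartkey.io) and DSM_API_KEY
(the app's API key from Section 3.5) are set in the environment. REST paths
follow the DSM REST API documentation; verify them against your DSM version.
"""
import json
import os
import ssl
import sys
import urllib.error
import urllib.request

# Constructed sample of what GET /crypto/v1/keys returns; field names follow
# the DSM REST API. Used only for offline checks of the helper functions.
SAMPLE_KEYS = [
    {"kid": "11111111-2222-3333-4444-555555555555", "name": "PasswordSafe-Key",
     "obj_type": "AES", "key_size": 256, "enabled": True,
     "key_ops": ["ENCRYPT", "DECRYPT", "APPMANAGEABLE"],
     "created_at": "20240101T120000Z"},
    {"kid": "66666666-7777-8888-9999-000000000000", "name": "legacy-key",
     "obj_type": "AES", "key_size": 128, "enabled": True,
     "key_ops": ["ENCRYPT", "DECRYPT", "EXPORT"],
     "created_at": "20230101T120000Z"},
]


def basic_auth_header(api_key: str) -> str:
    """A DSM API key is already base64('<app_id>:<secret>'), so it is sent as-is."""
    return "Basic " + api_key.strip()


def _request(url: str, method: str, headers: dict) -> dict:
    """Single HTTPS call with certificate verification left on (do not disable it)."""
    req = urllib.request.Request(url, method=method, headers=headers)
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        payload = resp.read()
    return json.loads(payload) if payload else {}


def get_session_token(dsm_url: str, api_key: str) -> str:
    """Exchange the API key for a short-lived bearer token; 401 means a bad key."""
    data = _request(dsm_url.rstrip("/") + "/sys/v1/session/auth", "POST",
                    {"Authorization": basic_auth_header(api_key)})
    return data["access_token"]


def list_keys(dsm_url: str, token: str) -> list:
    """Security objects visible to the app (i.e. in the groups it belongs to)."""
    return _request(dsm_url.rstrip("/") + "/crypto/v1/keys", "GET",
                    {"Authorization": "Bearer " + token})


def find_key(keys: list, name: str):
    """Return the security object with the given name, or None."""
    return next((k for k in keys if k.get("name") == name), None)


def assess_key(key: dict) -> list:
    """Findings that would make this key unsuitable as the Password Safe master key."""
    findings = []
    ops = key.get("key_ops", [])
    if not key.get("enabled", True):
        findings.append("key is disabled; Password Safe cannot encrypt or decrypt with it")
    for op in ("ENCRYPT", "DECRYPT"):
        if op not in ops:
            findings.append("key lacks the %s operation" % op)
    if "EXPORT" in ops:
        findings.append("key is exportable; raw key material could leave DSM")
    return findings


if __name__ == "__main__":
    # Usage: python dsm_check.py <key name from Step 3>
    dsm_url, api_key = os.environ["DSM_URL"], os.environ["DSM_API_KEY"]
    key_name = sys.argv[1] if len(sys.argv) > 1 else "PasswordSafe-Key"
    try:
        token = get_session_token(dsm_url, api_key)
    except urllib.error.HTTPError as e:
        sys.exit("DSM rejected the API key (HTTP %d); recheck Section 3.5" % e.code)
    key = find_key(list_keys(dsm_url, token), key_name)
    if key is None:
        sys.exit("no key named %r; Password Safe has not created it yet" % key_name)
    print("%s %s-%s created %s" % (key["kid"], key["obj_type"],
                                    key.get("key_size"), key.get("created_at")))
    for f in assess_key(key):
        print("FINDING:", f)
```

Run it once after Section 3.5 (it should fail at the key lookup but not at authentication) and again after Step 5, when the key should be found with no findings. A finding of "exportable" is worth fixing in DSM before rotating any production passwords.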

5.0 Frequently Asked Questions (FAQs)

  1. How often does the BeyondTrust Password Safe server communicate with Fortanix DSM?

    Password Safe does not retrieve the encryption key; it sends each encryption or decryption request to Fortanix DSM, which performs the operation with the key. This happens in the following scenarios:

    • Every time Password Safe generates a new secret (password, SSH key, etc.). Fortanix DSM returns the encrypted value, which Password Safe stores in its database.

    • Every time Password Safe needs the decrypted value of a secret, for example, to support a credential check-out or a session check-out that uses the credential.

    • Every time Password Safe validates a credential against a Managed System to check whether the value in its database matches the Managed Account's current value. This is an option for Managed Accounts.

  2. Is the encryption key cached at the BeyondTrust Password Safe server?

    No, the encryption key is not cached at the BeyondTrust Password Safe server and never leaves Fortanix DSM. Whenever the key is needed to encrypt or decrypt a secret, Password Safe must communicate with Fortanix DSM, which performs the operation with the key either within Fortanix DSM itself or in an HSM managed through the Fortanix HSM Gateway. This is also why Password Safe cannot decrypt existing secrets if connectivity to Fortanix DSM is lost.

  3. Is each secret in BeyondTrust Password Safe encrypted with a unique key in Fortanix DSM?

    No, BeyondTrust Password Safe uses the same key from Fortanix DSM to encrypt every secret. Disabling or deactivating that one key in Fortanix DSM therefore renders all secrets undecryptable at once, which is the basis of the "invalidate a key" control described in Section 1.0.

  4. Does Fortanix DSM store a master encryption key that encrypts the data and passwords?

    Yes, the key shown in Figure 7 is the master key used for encryption and decryption of the secrets stored in Password Safe.

  5. What happens when you perform a reverse migration, that is, when the integration between Password Safe and Fortanix DSM is disabled?

    If the integration is disabled:

    • Password Safe will be unable to decrypt the passwords encrypted by Fortanix DSM, so checking them out or comparing them with current values on the target systems is not possible.

    • Password Safe can still trigger the rotation of password values (both within Password Safe and on the target systems and apps) to new values, which it encrypts with its own key. After rotation, Password Safe can decrypt the new values and normal operation resumes. Plan the reverse migration so that every Managed Account is rotated while the target systems are reachable; an account that cannot be rotated keeps a value that only Fortanix DSM can decrypt.