1.0 Introduction
This article describes how to integrate Fortanix Data Security Manager (DSM) with Dell PowerFlex using CloudLink through Key Management Interoperability Protocol (KMIP) server configuration.
Dell PowerFlex, combined with CloudLink, offers a comprehensive data security solution by integrating data encryption and centralized key management into a high-performance, software-defined storage platform. PowerFlex ensures outstanding scalability, flexibility, and performance to meet the demands of modern workloads. CloudLink enhances data security by encrypting data at rest and providing key management capabilities such as key generation, rotation, and revocation.
This integration ensures compliance with industry regulations, simplifies key management, and protects critical data both at rest and in motion, without compromising the agility and performance of the PowerFlex platform in modern data centers.
2.0 Prerequisites
To successfully integrate Fortanix DSM with PowerFlex using CloudLink, ensure you have the following:
Dell CloudLink and PowerFlex are set up and running, with root, administrator, and security administrator access.
Secure connectivity must be established between Fortanix DSM, Dell PowerFlex, and CloudLink.
Administrator access to the Fortanix DSM. For more information, refer to Section 5.1: Signing Up and Section 5.2: Creating an Account.
3.0 Product Tested Version
This integration has been tested on the following versions:
Fortanix DSM versions 4.27, 4.31, and 4.34
PowerFlex version 4.5.1.0
CloudLink version 8.0.2. For the compatible PowerFlex versions, refer to the Dell CloudLink Support Matrix table.
4.0 Architecture Diagram

Figure 1: Architecture Diagram
This architecture diagram illustrates the workflow between Dell PowerFlex, Dell CloudLink, and Fortanix DSM to secure data.
Dell PowerFlex is a software-defined storage infrastructure that contains important information and connects to different storage devices, such as USB drives and servers. To protect this data, Dell CloudLink acts as a security tool that encrypts it so that only authorized users can access the information. Fortanix DSM generates and securely stores the encryption keys.
When data is stored in PowerFlex, CloudLink encrypts it using a key provided by DSM. If access is required, CloudLink requests the appropriate key from DSM, allowing authorized systems or users to retrieve it.
This integration keeps the data protected. Even if an unauthorized user tries to access or steal the stored information, they cannot decrypt it without the proper encryption key from DSM. This setup strengthens data security and prevents unauthorized access.
5.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
5.1 Signing Up
To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
5.2 Creating an Account
Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

Figure 2: Logging In
5.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
Click the Groups menu item in the DSM left navigation panel and click the + button on the Groups page to add a new group.
Figure 3: Add Groups
On the Adding new group page, enter the following details:
Title: Enter a title for your group. For example, Dell-Powerflex-Group.
Description (optional): Enter a short description for the group.
Click the SAVE button to create the new group.
The new group has been added to the Fortanix DSM successfully.
5.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
Click the Apps menu item in the DSM left navigation panel and click the + button on the Apps page to add a new app.
Figure 4: Add Application
On the Adding new app page, enter the following details:
App name: Enter the name of your application. For example, Dell-Powerflex-App.
ADD DESCRIPTION (optional): Enter a short description for the application.
Authentication method: Select the default API Key as the method of authentication from the drop down menu. For more information on these authentication methods, refer to User's Guide: Authentication documentation.
By default, apps are created with the API Key authentication method. However, you can change it to the Certificate authentication method depending on the option that you will choose in the Credential Type field when configuring the keystore in CloudLink. For more details, refer to Section 6.2: Creating a Local Keystore and Section 6.3: Creating an External Keystore. For steps to update the authentication method, refer to Section 5.7: Updating the Authentication Method.
Assigning the new app to groups: Select the group created in Section 5.3: Creating a Group from the list.
Click the SAVE button to add the new application.
The new application has been added to the Fortanix DSM successfully.
5.5 Copying the App UUID
Perform the following steps to copy the app UUID from the Fortanix DSM:
Click the Apps menu item in the DSM left navigation panel and click the app created in Section 5.4: Creating an Application to go to the detailed view of the app.
On the INFO tab, click the VIEW API KEY DETAILS button.
Click the USERNAME/PASSWORD tab.
From the Credentials Details dialog box, copy the Username (app UUID) and Password. The Username (app UUID) is used as the value of Common Name (CN) in Section 5.6: Generating the Client Certificate and Private Key.
5.6 Generating the Client Certificate and Private Key
There are two types of client certificates that can be used based on your security policy:
Self-Signed Certificates: These certificates are generated and signed by the user. They are suitable if your security policy permits self-signing.
Externally Signed Certificates: These certificates are generated using a Certificate Signing Request (CSR) and signed by a trusted Certificate Authority (CA).
Perform the following steps to generate a private key and a client certificate. Because the command includes the -x509 option, OpenSSL writes a self-signed certificate directly rather than a CSR:
Log in to a system with OpenSSL installed.
Run the following OpenSSL command to generate the private key and client certificate:
openssl req -newkey rsa:2048 -nodes -keyout <privatekey>.key -x509 -days 365 -out <clientcertificate>.crt
For example:
openssl req -newkey rsa:2048 -nodes -keyout test.key -x509 -days 365 -out test.crt
When prompted, enter the following details:
Country Name: Enter the two-letter code representing your country.
State or Province Name: Enter the full name of your state or province.
Locality Name: Enter the full name of your city.
Organization Name: Enter the full name of your organization.
Organizational Unit Name: Enter the full name of your department within the organization.
Common Name: Use the app UUID as noted in Section 5.5: Copying the App UUID.
Email Address: Enter the email ID of the user.
This command will generate a client certificate and a private key. Ensure that both files are securely stored on your system.
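The following is an added example, not part of the original guide: a non-interactive form of the command above that sets the app UUID as the CN, followed by checks that the CN is what DSM expects and that the key and certificate belong together. The function names are hypothetical, setting only the CN through -subj is an assumption, and so is the canonical UUID format check.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# make_client_cert <app-uuid> <prefix>: writes <prefix>.key and <prefix>.crt
make_client_cert() {
    uuid=$1
    prefix=$2
    # Refuse anything that is not a canonical UUID, so a pasted password or a
    # truncated value never ends up as the certificate's Common Name.
    if ! printf '%s\n' "$uuid" | grep -Eq \
        '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'; then
        echo "not an app UUID: $uuid" >&2
        return 1
    fi
    # umask 077 keeps the unencrypted (-nodes) key readable by its owner only.
    (
        umask 077
        openssl req -newkey rsa:2048 -nodes -keyout "$prefix.key" \
            -x509 -days 365 -subj "/CN=$uuid" -out "$prefix.crt" 2>/dev/null
    )
}

# cert_cn <crt>: print the Common Name stored in the certificate subject
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= //p'
}

# key_matches_cert <key> <crt>: succeed only if both hold the same public key
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage (the UUID is the Username copied in Section 5.5):
#   make_client_cert <app-uuid> test
#   cert_cn test.crt                      # must print the app UUID
#   key_matches_cert test.key test.crt    # must succeed before uploading
```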
5.7 Updating the Authentication Method
NOTE
Based on the selected authentication method, the Credentials Type required for creating a keystore in CloudLink will vary.
Username and Password-based authentication: The DSM app Username and Password are required.
Certificate-based authentication: The DSM app Username and Password are not required in this case.
Perform the following steps to change the authentication method:
Go to the detailed view of the app created in Section 5.4: Creating an Application, and click the Change authentication method button and select the Certificate option to change the authentication method to Certificate.
Click the SAVE button.
On the Add certificate dialog box, click the UPLOAD NEW CERTIFICATE button to upload the certificate file or paste the content of the client certificate generated in Section 5.6: Generating the Client Certificate and Private Key.
Select both the check boxes to confirm your understanding about the action.
Click the UPDATE button to save the changes.
5.8 Extracting Fortanix DSM Internal CA Certificate
Perform the following steps to extract the Fortanix DSM internal CA certificate:
Log in to a system with OpenSSL installed.
Run the following OpenSSL command to display the certificates of Fortanix DSM. The first certificate is the server certificate and the second is the root certificate:
openssl s_client -connect <Your_DSM_Service_URL>:5696 -showcerts
Figure 5: View Certificates
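The following is an added example, not part of the original guide: it turns saved -showcerts output into a PEM file suitable for the Trusted Certificate field, and refuses to write it if a certificate block is cut off or if fewer than the two certificates described above are present. The function names are hypothetical, and the embedded sample output is constructed, with placeholder bodies instead of real certificates.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# extract_chain: read s_client -showcerts output on stdin and print only the
# PEM certificate blocks, in the order the server sent them. Exits 2 when a
# block is unterminated or nested (for example, the connection was cut).
extract_chain() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { if (inblk) bad = 1; inblk = 1 }
        inblk                         { print }
        /-----END CERTIFICATE-----/   { inblk = 0 }
        END                           { if (inblk || bad) exit 2 }
    '
}

# count_certs: number of PEM certificate blocks on stdin
count_certs() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }'
}

# save_chain <showcerts-output> <out.pem>: write the chain file only if it
# holds at least the server certificate and the root certificate.
save_chain() {
    in=$1
    out=$2
    tmp=$(mktemp) || return 1
    if ! extract_chain < "$in" > "$tmp"; then
        echo "truncated or malformed certificate block in $in" >&2
        rm -f "$tmp"
        return 1
    fi
    n=$(count_certs < "$tmp")
    if [ "$n" -lt 2 ]; then
        echo "found $n certificate(s); expected server and root" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$out"
}

# Constructed sample of -showcerts output; the bodies are placeholders.
sample_showcerts() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = dsm.example.test
   i:CN = Example Test Root CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
 1 s:CN = Example Test Root CA
   i:CN = Example Test Root CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUk9PVC1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
---
Server certificate
subject=CN = dsm.example.test
EOF
}

# Usage against a live DSM endpoint:
#   openssl s_client -connect <Your_DSM_Service_URL>:5696 -showcerts \
#       < /dev/null > showcerts.txt
#   save_chain showcerts.txt dsm-chain.pem
```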
6.0 Configure CloudLink
This section describes the steps for configuring a keystore in CloudLink to integrate with Fortanix DSM, adding a machine group, and ensuring proper communication between CloudLink and DSM.
CloudLink supports both local database keystore and external KMIP server keystore, offering flexibility for users. They can choose between faster access with the local database, protected by an external keystore, or enhanced security and compliance with the external KMIP server.
Local Database keystore: It stores the encryption keys securely within the local database of the CloudLink appliance, protected by an external KMIP server, offering minimal latency and simplified management.
External KMIP Server keystore: It integrates with KMIP-compliant external key management servers, such as Fortanix DSM, to enable centralized key storage and lifecycle management across applications.
6.1 Verifying the Connectivity
Perform the following steps to verify connectivity between Fortanix DSM and CloudLink:
Log in to the CloudLink application using valid credentials.
Click the SERVER → DNS menu item in the left navigation panel.
On the DNS Configuration page, click the Ping tab to verify connectivity between Fortanix DSM and CloudLink.
NOTE
This step verifies basic connectivity. It is critical to ensure that CloudLink establishes a connection to Fortanix DSM on Transmission Control Protocol (TCP) port 5696.
Enter the required load balancer IP address or Fortanix DSM URL in the provided field.
Figure 6: Ping Page
Click Ping and check the response displayed on the screen to confirm successful connectivity. A positive response indicates that Fortanix DSM and CloudLink are connected successfully.
6.2 Creating a Local Keystore
Perform the following steps to configure the local keystore with external KMIP protector in CloudLink and integrate it with Fortanix DSM:
Click the SYSTEM → Keystores menu item in the left navigation panel.
Figure 7: Keystore Page
On the Keystores page, click the Add button to create a new keystore.
Figure 8: Add Keystore
In the ADD NEW KEYSTORE dialog box, enter the following details:
Enter a Name and Description for the keystore. Click Next.
Figure 9: Name and Description
Select the Local Database option from the drop down menu for Key Location Type field to store encrypted keys locally within CloudLink. Click Next.
Figure 10: Key Location Type Field
Select the KMIP option from the drop down menu for Protector Type and enter the following required details:
Figure 11: Protector Type
KMIP Server Address: Enter the Fortanix DSM Load Balancer IP (Internet Protocol) or Fully Qualified Domain Name (FQDN).
Port: 5696. This is the default KMIP port.
Credential Type: Based on the selected DSM app authentication method in Section 5.4: Creating an Application, select the required option from the drop down menu.
If the app uses API Key as the authentication method, select Username and Password option as the keystore credential type and enter the following details:
Username/Serial Number: Enter the Username (app UUID) as copied in Section 5.5: Copying the App UUID.
Password: Enter the Password as copied in Section 5.5: Copying the App UUID.
If the app uses Certificate as the authentication method, select the No Credentials option.
Key: Browse and upload the private key generated in Section 5.6: Generating the Client Certificate and Private Key.
Certificate: Browse and upload the certificate generated in Section 5.6: Generating the Client Certificate and Private Key.
Trusted Certificate: Browse the full chain of Fortanix DSM certificates in Base64-encoded ASCII format as a certificate chain. Ensure the Trusted Certificate includes the entire chain.
Click Test to verify connectivity between CloudLink and Fortanix DSM.
Figure 12: KMIP Keystore
After the connectivity test is successful, click Add to add the local keystore to complete the setup.
Review and verify the keystore details to ensure proper configuration.
Figure 13: Review and Verify
After the keystore is successfully configured in CloudLink, it generates a security object (AES 256-bit key) in Fortanix DSM for the local keystore. The security object contains information about the key, its intended use (for example: encryption, decryption, signing, and so on), its lifecycle management (for example: creation, modification, or deletion), and how it is linked to the CloudLink keystore.
Figure 14: View Security Object
Validate the activity logs in the detailed view of the security object in Fortanix DSM to ensure that the application details are correctly logged and verified.
Figure 15: Logs of Security Object
Figure 16: Attributes and Tags of the Key
Run the following command to verify the encryption status from the Storage Data Server (SDS) host:
svm status
Figure 17: SDS Status
6.3 Creating an External Keystore
Perform the following steps to configure the external keystore in CloudLink and integrate it with Fortanix DSM:
Click the SYSTEM → Keystores menu item in the left navigation panel.
Figure 18: Keystore Page
On the Keystores page, click the Add option to create a new keystore.
Figure 19: Add Keystore
In the ADD NEW KEYSTORE dialog box, enter the following details:
Enter a Name and Description for the keystore. Click Next.
Figure 20: Name and Description
Select the External KMIP Server option from the drop down menu for Key Location Type field to store encrypted keys externally on KMIP server. Click Next.
Figure 21: Key Location Type Field
Select the KMIP Proxy option from the drop down menu for Protector Type and enter the following required details:
Figure 22: KMIP Proxy
KMIP Server Address: Enter the Fortanix DSM Load Balancer IP (Internet Protocol) or Fully Qualified Domain Name (FQDN).
Port: 5696. This is the default KMIP port.
Credential Type: Based on the selected DSM app authentication method in Section 5.4: Creating an Application, select the required option from the drop down menu.
If the app uses API Key as the authentication method, select Username and Password option as the keystore credential type and enter the following details:
Username/Serial Number: Enter the Username (app UUID) as copied in Section 5.5: Copying the App UUID.
Password: Enter the Password as copied in Section 5.5: Copying the App UUID.
If the app uses Certificate as the authentication method, select No Credentials option.
Key: Browse and upload the private key generated in Section 5.6: Generating the Client Certificate and Private Key.
Certificate: Browse and upload the certificate generated in Section 5.6: Generating the Client Certificate and Private Key.
Trusted Certificate: Browse the full chain of the Fortanix DSM certificates.
Click Test to verify connectivity between CloudLink and Fortanix DSM.
Figure 23: KMIP Proxy Keystore
After the connectivity test is successful, click Add to add the external keystore to complete the setup.
Review and verify the keystore details to ensure proper configuration.
Figure 24: Review and Verify
6.4 Adding Approved Network
Perform the following steps to add approved networks in the CloudLink application:
Click the SYSTEM → Approved Networks menu item in the left navigation panel.
On the Approved Networks page, click the Add button to create a new approved network.
In the ADD APPROVED NETWORK dialog box, enter the following details:
Network Name: Enter a descriptive name for the network.
Network IP Address Range: Specify the IP address range of the network you want to approve. For example, 192.168.1.0/24.
Description (Optional): Enter a description for the network to help identify it later.
Click Save to add the approved network to the list.
Figure 25: Approved Network Added
The newly added network will appear in the Approved Networks list. Verify that the IP range and description are correct.
6.5 Creating Machine Group
Perform the following steps to create a machine group in the CloudLink application:
Click the AGENTS → Machine Groups menu item in the left navigation panel.
On the Machine Groups page, click the Add button to create a new machine group.
In the ADD NEW GROUP dialog box, enter the following details:
Enter a Name and Description for the machine group.
Encryption Policy: Select the required option from the drop down menu. Selecting the All Data option will display a new field named Managed SED Drives.
Select Enabled option from the drop down menu for Managed SED Drives field.
Keystore: Select the required keystore from the drop down menu.
Managed By: Select the appropriate management option from the drop down menu.
Approved Networks: Select the network from the approved list using the IP addresses as created in Section 6.4: Adding Approved Network.
Key Lifetime: Select the key lifetime from the drop down menu.
Machine Agent Upgrade: Select the upgrade as Manual or Auto as required from the drop down menu.
Figure 26: Adding Machine Group
Click Add to add the machine group and complete the setup.
Figure 27: Add Machine Group
6.5 Downloading the Agent
Perform the following steps to download the agent from the CloudLink application:
Navigate to the AGENTS → Agent Download menu item in the left navigation panel.
On the Agent Download page, select the required agent from the list and click the Download Selected button. Refer to the Dell CloudLink Deployment guide for the latest CloudLink version.
Figure 28: List of Agents
Select the appropriate agent version based on your operating system or environment from the drop down menu.
Click Download to start the download process.
6.6 Installing and Configuring CloudLink Agent
Perform the following steps to install and configure the CloudLink agent on your system:
Run the following command to create the CloudLink directory and navigate to it:
mkdir -p /root/CL
cd /root/CL
Run the following command to download the CloudLink agent installation script:
wget --no-check-certificate https://<server-ip>/cloudlink/agent -O clagent.sh
Where,
<server-ip> refers to the IP address of the CloudLink server.
Run the following command to retrieve the certificate from the CloudLink server and save it as cloudlink-<hostname>.pem:
openssl s_client -servername <server-ip> -connect <server-ip>:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cloudlink-<hostname>.pem
Where,
<server-ip> refers to the IP address of the CloudLink server.
<hostname> refers to the name of the host. For example, pfmpcl-sds1.
Run the following commands to copy the certificate to the required directories:
cp cloudlink-<hostname>.pem /usr/share/pki/ca-trust-source/anchors/
cp cloudlink-<hostname>.pem /etc/pki/ca-trust/source/anchors/
Run the following command to start the CloudLink agent on the PowerFlex storage device server CLI:
./clagent.sh -S <server-ip> -G <group-id> &
Where,
<server-ip> refers to the IP address of the PowerFlex SDS server.
<group-id> refers to the specific group identifier for the CloudLink agent.
Figure 29: Commands
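The following is an added example, not part of the original guide: the s_client retrieval above accepts whatever certificate the server presents, so this sketch compares the saved file's SHA-256 fingerprint with one obtained out of band (for example, from the CloudLink administrator) before copying it into the trust anchor directories. The function names are hypothetical, and having an out-of-band fingerprint is an assumption.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# normalize_fp <fingerprint>: drop colons and spaces, lowercase the hex
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# cert_sha256 <pem>: SHA-256 fingerprint of the certificate as 64 hex digits.
# Prints nothing if the file is empty or is not a certificate, which is what
# the retrieval pipeline leaves behind when the connection fails.
cert_sha256() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256 \
        2>/dev/null | sed 's/^.*=//')"
}

# install_pinned_anchor <pem> <expected-fp> <dir>...: copy the certificate
# into each directory only when its fingerprint equals the expected one.
install_pinned_anchor() {
    pem=$1
    want=$(normalize_fp "$2")
    shift 2
    got=$(cert_sha256 "$pem")
    if [ -z "$got" ]; then
        echo "no certificate found in $pem" >&2
        return 1
    fi
    if [ "${#want}" -ne 64 ] || [ "$got" != "$want" ]; then
        echo "fingerprint mismatch for $pem: got $got" >&2
        return 1
    fi
    for dir in "$@"; do
        cp "$pem" "$dir"/ || return 1
    done
}

# Usage with the directories from the step above:
#   install_pinned_anchor cloudlink-<hostname>.pem <expected-sha256> \
#       /usr/share/pki/ca-trust-source/anchors /etc/pki/ca-trust/source/anchors
```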
6.7 Encrypting SDS
Perform the following steps to encrypt the SDS from PowerFlex and CloudLink:
Navigate to the AGENTS → Machines menu item in the left navigation panel.
Click the Actions drop down menu and select Encrypt after verifying the RAW status.
Figure 30: Detailed View of Machine
Figure 31: Actions Menu
7.0 Configure PowerFlex Manager
This section outlines the steps to encrypt PowerFlex Manager using CloudLink and then re-integrate it back into PowerFlex SDS.
7.1 Removing the Storage Device
Perform the following steps to remove the storage device from the SDS host:
Log in to the PowerFlex Manager application using valid credentials.
Click the Block menu from the ribbon navigation bar and select the SDSs option.
Figure 32: Block Menu
From the displayed list, select the specific SDS.
Figure 33: List of SDSs
Identify and select the storage devices (for example, hard drives, SSDs) associated with or hosted by the selected SDS.
Figure 34: Topology Section
Clicking the Devices box will display the following screen:
Figure 35: List of Attached Devices
Click More Actions and select the Remove option from the drop down menu to remove the device from the host.
Figure 36: More Actions Menu
Refresh the PowerFlex SDS page to confirm that the device has been successfully removed.
Figure 37: List of Final Devices
7.2 Encrypting a Storage Device Using CloudLink
Perform the following steps to encrypt a storage device using CloudLink:
After removing the device from the PowerFlex SDS host, go to CloudLink application and click the Machines menu in the left navigation panel.
Figure 38: Detailed View of Machine
Verify the status and type of the device to confirm that it is listed as RAW before proceeding with encryption.
Figure 39: Check Status
After the device is ready for encryption, select the Encrypt option from the Actions drop down menu.
Figure 40: Actions Menu
From the list of available devices, select the one that needs to be encrypted from the drop down menu.
Figure 41: Devices Field
The device status will update once the encryption process begins.
Figure 42: Status
Monitor the encryption progress in the user Actions page.
Figure 43: Summary View
After encryption is complete, check the device status. It must now be listed as Encrypted and RAW.
Figure 44: Status Check
Navigate to the Audit Log page in Fortanix DSM to confirm that the encryption process was successfully completed.
Figure 45: Audit Log
7.3 Adding Device Back to SDS
Perform the following steps to re-integrate a removed storage device into PowerFlex SDS:
In the PowerFlex Manager application, click the Block menu from the ribbon navigation bar and select the SDSs option.
From the list, select the SDS for which the device was removed earlier. Then, click Add Device drop down menu and select the Storage Device option.
Figure 46: Add Device Menu
Enter the required details for the storage device in the prompted fields, then click Add Devices to finalize the addition.
Figure 47: Add a Device Form
The following dialog box will be displayed to confirm that the device is added successfully.
Figure 48: Success Notification
Refresh the Storage Devices list to reflect the added device in the list.
Figure 49: List of SDSs
Verify the encryption status of the device in the Machines tab.
Figure 50: Status of Machine
7.4 Encrypting Devices Using External Keystore
Perform the following steps to encrypt devices using an external keystore:
Navigate to the Machine Group menu item and select the appropriate external keystore from the list.
Figure 51: Detailed View of Machine
Perform the steps to remove the storage device from the SDS in the PowerFlex Manager application, as outlined in Section 7.1: Removing the Storage Device, before encryption.
Figure 52: Encrypting the Machine Status
Perform the encryption steps in CloudLink as outlined in Section 7.2: Encrypting a Storage Device Using CloudLink.
After the storage device is encrypted using the external keystore, a new security object will be created for each device.
Verify the newly created security object.
Figure 53: Review the Security Object
Review the logs in Fortanix DSM to ensure the encryption was completed successfully.
Figure 54: Audit Logs
8.0 Backup and Restore
CloudLink keystore can be backed up and restored within CloudLink for both local and external keystores. For more information, refer to the Dell CloudLink Deployment official guide.
9.0 Key Rotation
CloudLink supports key rotation, allowing the key to be rotated internally. For more information, refer to the Dell CloudLink Deployment official guide. Additionally, external keys can also be rotated using the Fortanix DSM user interface (UI).
10.0 Rollback/Reverse Migration
A restore can only be performed if a keystore backup exists prior to encryption. You can move the keys for this operation. For more information, refer to the Dell CloudLink Deployment official guide.