Using Fortanix DSM with AWS External Key Store (XKS)

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with AWS External Key Store (XKS) so that data in AWS is protected with keys that are stored in Fortanix DSM and used there for cryptographic operations.

When using Fortanix DSM as an External Key Store for AWS Key Management Service, AWS allows two ways of communication:

  • Public Endpoint Connectivity - AWS KMS connects to the external key store proxy (XKS proxy) over the internet using a public endpoint.

  • Using Amazon VPC endpoint service - AWS KMS connects to the external key store proxy (XKS proxy) by creating an interface endpoint to an Amazon VPC endpoint service. This method uses AWS PrivateLink, which enables AWS KMS to privately connect to your Amazon VPC and your external key store proxy without using the public internet.

This article describes how to integrate Fortanix DSM as an external key store for Amazon KMS using the public endpoint connectivity method. For the Amazon VPC endpoint service method, refer to the documentation – Fortanix DSM with AWS External Key Store (XKS) - Concepts and the Data Security Manager with Amazon XKS Using Virtual Private Cloud using Amazon VPC Integration Guide.

2.0 Prerequisites

  • Fortanix DSM version 4.9 and above: Fortanix introduced XKS support in DSM version 4.9, but the feature had to be enabled through Fortanix Support until it became enabled by default in DSM version 4.16.

  • AWS Console

  • AES 256 key – For the initial implementation, only AES 256 keys are supported.

    NOTE

    The AES key can either be imported or created in Fortanix DSM.

3.0 Using Fortanix DSM with AWS XKS

With AWS XKS, administrators use Fortanix DSM to store cryptographic keys for the purpose of encrypting/decrypting the customer’s data in AWS. In this method, cryptographic operations are performed inside Fortanix DSM. This is different from the import-key (that is, Bring Your Own Key) functionality where the key material for a key in Fortanix DSM (External HSM) is imported into AWS KMS with an optional expiration period and cryptographic operations happen inside an AWS data center.

4.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

4.1 Signing Up

To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

4.2 Creating an Account

Access the <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to the Fortanix DSM.

Figure 1: Logging In

4.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. Click the Groups menu item in the DSM left navigation bar and click the button on the Groups page to add a new group.

    Figure 2: Add Groups

  2. On the Adding new group page, enter the following details:

    • Title: Enter a title for your group.

    • Description (optional): Enter a short description for the group.

  3. Click the SAVE button to create the new group.

The new group has been added to the Fortanix DSM successfully.

4.4 Create/Import an AES Key

Perform the following steps to generate an AES key in the Fortanix DSM:

  1. Click the Security Objects menu item in the DSM left navigation bar and click the button on the Security Objects page to add a security object.

    Figure 3: Add Security Object

  2. On the Add new Security Object page, enter the following details:

    • Security Object Name: Enter the name of your security object. 

    • Group: Select the group as created in Section 4.3: Creating a Group.

    • Select the GENERATE radio button.

    • Choose a type: Select the AES key type to generate.

    • Key Size: Indicates the size of the key in bits. Keep it as 256.

    • Key operations permitted: Select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying.

      NOTE

      Ensure that the new key has Encrypt and Decrypt key operations allowed.

  3. Click the GENERATE button to create the new security object.

You can also import an AES encryption key. Refer to the Key Lifecycle Management guide for instructions to import a key.

The new security object is added to the Fortanix DSM successfully.

4.5 Copy the UUID of the AES Key

The UUID of the AES key is required in Section 4.9: Create Keys in the External Key Store to create the key in AWS XKS.

Perform the following steps to copy the UUID of the key:

  1. Go to the detailed view of the key, click the COPY ID drop-down, and select COPY UUID from the list to copy the key UUID. Make a note of it.

    Figure 4: Copy key UUID

4.6 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation bar and click the + button on the Apps page to add a new app.

    Figure 5: Add Application

  2. On the Adding new app page, enter the following details:

    • App name: Enter the name of your application. For example: XKS app 3.

    • ADD DESCRIPTION (optional): Enter a short description for the application.

    • Authentication method: Select the default AWS XKS as the method of authentication from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication documentation.

      NOTE

      Ensure that the new application has access to the AES 256 key. This can be done by creating the app in the same group as the key created in the previous section.

    • Assigning the new app to groups: Select the group created in Section 4.3: Creating a Group from the list.

    Figure 6: Name of the application

  3. Click the SAVE button to add the new application.

The new application has been added to the Fortanix DSM successfully.

4.7 Updating the Authentication Method

You can also change the authentication method for an existing app to AWS XKS from the detailed view of an app.

WARNING

Updating an authentication method causes the services relying on the app to stop working.

Perform the following steps to change the authentication method:

  1. Go to the detailed view of the app created in Section 4.6: Creating an Application, click the Change authentication method button, and select the AWS XKS option to change the authentication method to AWS XKS.

  2. Click the SAVE button.

4.8 Configure DSM as an XKS with AWS

You can register Fortanix DSM as an XKS with AWS using the following steps:

  1. In the detailed view of an app, click the INFO tab and in the AWS XKS section, click the SHOW INSTRUCTIONS button.  

    Figure 7: Show instructions

  2. In the AWS XKS modal window, copy the URI and each configuration value individually and make a note of them, or click COPY CONFIG FILE to copy all the configuration details to the clipboard at once in JSON format.

    1. Path prefix: A fixed path containing the Fortanix DSM App UUID.

    2. Access key ID and Secret access key: The credentials that AWS KMS uses to authenticate to Fortanix DSM.

    Figure 8: Copy config values

    NOTE

    "amer.smartkey.io" opens DSM SaaS for the AMER region. DSM SaaS supports multiple regions, as listed here.

  3. Go to the AWS Console.

  4. Click Services → Key Management Service.  

    Figure 9: Select AWS KMS

  5. From the left menu select Custom key stores → External key stores.

  6. On the External key stores page, click Create external key store.  

    Figure 10: Create external key store

  7. In the Create external key store form, fill in the following details:

    1. Key store name: Enter a name for your key store. For example: XKS Test.  

      Figure 11: Create XKS

    2. In the Proxy Connectivity section:

      1. Select Public endpoint to communicate with the Fortanix DSM proxy.

      2. In the Proxy URI endpoint field, enter the URI that you copied in Step 2. For example: https://amer.smartkey.io, which opens DSM SaaS for the AMER region. DSM SaaS supports multiple regions, as listed here.

        Figure 12: Create XKS

    3. In the Proxy configuration section, you can enter the configuration details in the following ways:

      1. Paste the individual configuration values that you copied in Step 2 into the Proxy URI path prefix, Access key ID, and Secret access key fields, respectively, or

      2. Click Upload configuration file and paste the JSON configuration details that you copied in Step 2.  

        Figure 13: Upload configuration file

    4. If you selected option 2 above, paste the JSON configuration in the text box and click Use this proxy configuration to save the configuration.

      Figure 14: Proxy configuration

    5. Click Create external key store to complete the XKS creation process.  

      Figure 15: Create XKS

    6. Click Connect key store to connect the XKS with Fortanix DSM so that you can start creating the keys in this key store.  

      Figure 16: Connect keystore
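To check the configuration values from step 2 before they are pasted into the AWS console, and to see the AWS CLI equivalent of steps 5 to 7, here is an added example in Python; it is not code from Fortanix or AWS. It assumes the JSON layout that AWS documents for the proxy configuration file (XksProxyUriPath and XksProxyAuthenticationCredential); the sample endpoint, path, access key ID and secret are constructed placeholders, and the length and character limits are my understanding of what the KMS API enforces, to be verified against the current API reference.

```python
import json
import re
import shlex

# Added example, not Fortanix or AWS code. It checks an XKS proxy configuration
# before it is pasted into the AWS console (Section 4.8, step 7.3) and builds the
# equivalent `aws kms create-custom-key-store` invocation. The JSON layout is the
# one AWS documents for the "Upload configuration file" option; the length and
# character limits below are assumptions about the KMS API's limits.

SAMPLE_ENDPOINT = "https://amer.smartkey.io"   # proxy URI endpoint from Section 4.8, step 2

# Constructed sample configuration file: every value is a placeholder.
SAMPLE_CONFIG = """
{
  "XksProxyUriPath": "/example/00000000-0000-4000-8000-000000000000/kms/xks/v1",
  "XksProxyAuthenticationCredential": {
    "AccessKeyId": "AKIAEXAMPLEACCESSKEY",
    "RawSecretAccessKey": "ExampleSecretAccessKey0123456789abcdefghijklmnop"
  }
}
"""

ENDPOINT_RE = re.compile(r"^https://[a-zA-Z0-9.-]+$")   # https, host only, no path
URI_PATH_RE = re.compile(r"^(/[a-zA-Z0-9/_-]+/kms/xks/v\d{1,2})$|^(/kms/xks/v\d{1,2})$")
ACCESS_KEY_RE = re.compile(r"^[a-zA-Z0-9]+$")
SECRET_RE = re.compile(r"^[a-zA-Z0-9/+-]+$")


def _check(problems, label, value, regex, lo, hi):
    """Append a problem description if value is missing, mis-sized or malformed."""
    if not isinstance(value, str):
        problems.append(f"{label}: missing or not a string")
    elif not lo <= len(value) <= hi:
        problems.append(f"{label}: length {len(value)} not in {lo}..{hi}")
    elif not regex.match(value):
        problems.append(f"{label}: does not match the required format")


def validate_proxy_config(endpoint, config_json):
    """Return a list of problems; an empty list means the config is acceptable."""
    problems = []
    _check(problems, "XksProxyUriEndpoint", endpoint, ENDPOINT_RE, 10, 128)
    try:
        cfg = json.loads(config_json)
    except json.JSONDecodeError as exc:
        return problems + [f"config file is not valid JSON: {exc}"]
    cred = cfg.get("XksProxyAuthenticationCredential") or {}
    _check(problems, "XksProxyUriPath", cfg.get("XksProxyUriPath"), URI_PATH_RE, 10, 128)
    _check(problems, "AccessKeyId", cred.get("AccessKeyId"), ACCESS_KEY_RE, 20, 30)
    _check(problems, "RawSecretAccessKey", cred.get("RawSecretAccessKey"), SECRET_RE, 43, 64)
    return problems


def build_create_command(store_name, endpoint, config_json, include_secret=False):
    """argv for the CLI equivalent of Section 4.8 steps 5-7 (public endpoint).

    The secret is replaced by a placeholder unless include_secret=True, so the
    command can be logged or reviewed without exposing the credential.
    """
    problems = validate_proxy_config(endpoint, config_json)
    if problems:
        raise ValueError("; ".join(problems))
    cfg = json.loads(config_json)
    cred = cfg["XksProxyAuthenticationCredential"]
    secret = cred["RawSecretAccessKey"] if include_secret else "<REDACTED>"
    return [
        "aws", "kms", "create-custom-key-store",
        "--custom-key-store-name", store_name,
        "--custom-key-store-type", "EXTERNAL_KEY_STORE",
        "--xks-proxy-connectivity", "PUBLIC_ENDPOINT",
        "--xks-proxy-uri-endpoint", endpoint,
        "--xks-proxy-uri-path", cfg["XksProxyUriPath"],
        "--xks-proxy-authentication-credential",
        f"AccessKeyId={cred['AccessKeyId']},RawSecretAccessKey={secret}",
    ]


if __name__ == "__main__":
    print("problems:", validate_proxy_config(SAMPLE_ENDPOINT, SAMPLE_CONFIG) or "none")
    print(shlex.join(build_create_command("XKS Test", SAMPLE_ENDPOINT, SAMPLE_CONFIG)))
```

The validator rejects the two mistakes that most often surface later as a failed connection: an endpoint that is not plain `https://host` (a path or trailing slash belongs in the path prefix, not the endpoint) and a path prefix that does not end in `/kms/xks/v<n>`. The redacted command is what you would paste into a change ticket; pass `include_secret=True` only for the actual invocation.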

4.9 Create Keys in the External Key Store

After the connection between AWS XKS and Fortanix DSM is successful, you can start creating keys in this key store using the following steps:

  1. Click Create a KMS key in this key store to create a key.  

    Figure 17: Create a key

  2. In the External key section, enter the UUID of the AES 256 key that you copied in Section 4.5: Copy the UUID of the AES Key in the External key ID field.

  3. Select the check box for Confirm the use of external key store.

  4. Click Next.  

    Figure 18: External key ID

  5. On the Add labels page, enter the key alias.

  6. Click Next.  

    Figure 19: Add alias

  7. Next, select the key administrators who can administer this key using the KMS API and click Next.  

    Figure 20: Key administrators

  8. Select the users who will use the key for cryptographic operations and click Next.  

    Figure 21: Key usage permissions

  9. Review the updates and click Finish.

  10. The AWS KMS key is now successfully created in the XKS.  

    Figure 22: Key created in XKS
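The console steps in Section 4.8 (step 7.6, connecting the key store) and Section 4.9 (creating a KMS key backed by the DSM key) map onto a short sequence of KMS API calls. The following added example, in Python and not code from Fortanix or AWS, shows that sequence with the boto3 KMS method names and parameters, including polling the connection state and checking that the created key is bound to the expected DSM key UUID. The `kms` argument is any object exposing those methods (a real caller passes `boto3.client("kms")`); `FakeKms` is a constructed stand-in so the example runs offline, and the store id, key id, alias and UUID are placeholders.

```python
import time

# Added example, not Fortanix or AWS code. `kms` is any object exposing the
# boto3 KMS client methods used below; FakeKms is a constructed stand-in so the
# example runs offline. Store ids, key ids and the UUID are placeholders.


class XksConnectionError(RuntimeError):
    """Raised when the external key store does not reach CONNECTED."""


def wait_until_connected(kms, store_id, attempts=24, delay=5.0):
    """Poll DescribeCustomKeyStores until the store is CONNECTED or FAILED."""
    for _ in range(attempts):
        store = kms.describe_custom_key_stores(CustomKeyStoreId=store_id)["CustomKeyStores"][0]
        state = store["ConnectionState"]
        if state == "CONNECTED":
            return state
        if state == "FAILED":
            # ConnectionErrorCode says why, e.g. XKS_PROXY_ACCESS_DENIED when the
            # access key pair given to KMS does not match the DSM app's credentials.
            raise XksConnectionError(store.get("ConnectionErrorCode", "UNKNOWN"))
        time.sleep(delay)
    raise XksConnectionError("TIMEOUT")


def connect_store(kms, store_id, delay=5.0):
    """Section 4.8 step 7.6: ask KMS to connect, then wait for the outcome."""
    kms.connect_custom_key_store(CustomKeyStoreId=store_id)
    return wait_until_connected(kms, store_id, delay=delay)


def create_xks_key(kms, store_id, dsm_key_uuid, alias):
    """Section 4.9: create a KMS key whose material is the AES-256 key in DSM."""
    meta = kms.create_key(
        Origin="EXTERNAL_KEY_STORE",
        CustomKeyStoreId=store_id,
        XksKeyId=dsm_key_uuid,            # the UUID copied in Section 4.5
        KeySpec="SYMMETRIC_DEFAULT",
        KeyUsage="ENCRYPT_DECRYPT",       # matches the Encrypt/Decrypt permissions on the DSM key
    )["KeyMetadata"]
    # Confirm KMS bound the key to the external key we asked for before aliasing it.
    if meta.get("XksKeyConfiguration", {}).get("Id") != dsm_key_uuid:
        raise RuntimeError("KMS key is not bound to the expected DSM key UUID")
    kms.create_alias(AliasName=f"alias/{alias}", TargetKeyId=meta["KeyId"])
    return meta["KeyId"]


class FakeKms:
    """Constructed stand-in for the boto3 KMS client: records calls and returns
    responses shaped like the real ones. `states` are the ConnectionState values
    reported on successive describe calls (the last one repeats)."""

    def __init__(self, states):
        self.states = list(states)
        self.calls = []

    def connect_custom_key_store(self, **kw):
        self.calls.append(("connect_custom_key_store", kw))
        return {}

    def describe_custom_key_stores(self, **kw):
        self.calls.append(("describe_custom_key_stores", kw))
        state = self.states.pop(0) if len(self.states) > 1 else self.states[0]
        store = {"CustomKeyStoreId": kw["CustomKeyStoreId"], "ConnectionState": state}
        if state == "FAILED":
            store["ConnectionErrorCode"] = "XKS_PROXY_ACCESS_DENIED"
        return {"CustomKeyStores": [store]}

    def create_key(self, **kw):
        self.calls.append(("create_key", kw))
        return {"KeyMetadata": {"KeyId": "key-0001", "Origin": kw["Origin"],
                                "CustomKeyStoreId": kw["CustomKeyStoreId"],
                                "XksKeyConfiguration": {"Id": kw["XksKeyId"]}}}

    def create_alias(self, **kw):
        self.calls.append(("create_alias", kw))
        return {}


if __name__ == "__main__":
    kms = FakeKms(["CONNECTING", "CONNECTED"])
    print("store:", connect_store(kms, "cks-example", delay=0))
    print("key:", create_xks_key(kms, "cks-example",
                                 "00000000-0000-4000-8000-000000000000", "xks-test"))
```

Two details matter operationally: ConnectCustomKeyStore returns before the connection is established, so a script must poll DescribeCustomKeyStores and treat FAILED (with its ConnectionErrorCode) differently from a store that is still CONNECTING; and CreateKey with Origin EXTERNAL_KEY_STORE only succeeds once the store is CONNECTED, which is why the console only offers "Create a KMS key in this key store" after the connect step.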