Using Fortanix DSM with AWS External Key Store (XKS)

1.0 Introduction

This article describes how to integrate Fortanix-Data-Security-Manager (DSM) with AWS External Key Store (XKS) to protect the data in AWS using keys stored in Fortanix DSM that users can use to perform cryptographic operations.

When using Fortanix DSM as an external key store for AWS Key Management Service, AWS allows two ways of communication:

• Public Endpoint Connectivity - AWS KMS connects to the external key store proxy (XKS proxy) over the internet using a public endpoint.

• Using Amazon VPC endpoint service - AWS KMS connects to the XKS proxy by creating an interface endpoint to an Amazon VPC endpoint service. This method uses AWS PrivateLink, which enables AWS KMS to privately connect to your Amazon VPC and your XKS proxy without using the public internet.

This article describes how to successfully integrate Fortanix DSM as an external keystore for AWS KMS using the public endpoint connectivity method. You can follow the documentation – Fortanix DSM with AWS External Key Store (XKS) - Concepts and Data Security Manager with Amazon XKS Using Virtual Private Cloud using Amazon VPS Integration Guide for the Amazon VPC endpoint service method.

2.0 Prerequisites

• Fortanix DSM version 4.9 and above: Fortanix introduced XKS support in DSM version 4.9 but requires the feature to be enabled through Fortanix Support. This feature became available by default starting with DSM version 4.16.

• AWS Console

• AES 256 key – For the initial implementation, only AES 256 keys are supported. This key is created in Fortanix DSM.

  NOTE

  The AES key can either be imported or created in Fortanix DSM.

3.0 Using Fortanix DSM with AWS XKS

With AWS XKS, administrators use Fortanix DSM to store cryptographic keys for encrypting and decrypting data in AWS. In this method, cryptographic operations are performed inside Fortanix DSM. This differs from the import-key (known as Bring Your Own Key, or BYOK) functionality, where the key material for a key in Fortanix DSM (external HSM) is imported into AWS KMS, optionally with an expiration period, and cryptographic operations occur within an AWS data center.

4.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

4.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

4.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

4.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

   

2. On the Adding new group page, do the following:

   1. Title: Enter a name for your group.

   2. Description (optional): Enter a short description of the group.

3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

4.4 Creating or Importing an AES Key

Perform the following steps to generate an AES key in the Fortanix DSM:

1. In the DSM left navigation panel, click the Security Objects menu item, and then click the + button to create a new security object.

   

2. On the Add new Security Object page, do the following:

   1. Security Object name: Enter the name of your security object.

   2. Group: Select the group as created in Section 4.3: Creating a Group.

   3. Select the GENERATE radio button.

   4. In the Choose a type section, select the AES key type.

   5. In the Key Size section, select the size of the key in bits.

   6. In the Key operations permitted section, select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying.

      NOTE

      Ensure that the new key has Encrypt and Decrypt key operations allowed.

3. Click GENERATE to create the new security object.

The new security object is added to the Fortanix DSM successfully.

4.5 Copying the UUID of the AES Key

Perform the following steps to copy the security object UUID from the Fortanix DSM:

1. In the DSM left navigation panel, click the Security Objects menu item, and then click the security object created in Section 4.4: Creating a Security Object to go to the detailed view of the security object.

2. From the top of the security object’s page, click the COPY ID drop down menu and then select COPY UUID to copy it to use later.

4.6 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

   

2. On the Adding new app page, do the following:

   1. App name: Enter the name for your application.

   2. ADD DESCRIPTION (optional): Enter a short description of the application.

   3. Authentication method: Select AWS XKS as the authentication method from the drop down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

   4. Assigning the new app to groups: Select the group created in Section 4.3: Creating a Group from the list.

3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

4.7 Updating the Authentication Method

You can also change the authentication method for an existing app to AWS XKS from the detailed view of an app.

Perform the following steps to change the authentication method:

1. Go to the detailed view of the app created in Section 4.6: Creating an Application and click Change authentication method and select the AWS XKS option to change the authentication method to AWS XKS.

2. Click SAVE.

4.8 Copying the App Configuration File

Perform the following steps to copy the app configuration file from the Fortanix DSM to configure DSM as an XKS in AWS:

1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 4.6: Creating an Application to go to the detailed view of the app.

2. In the INFO tab and the AWS XKS section, click VIEW INSTRUCTIONS.

3. In the AWS XKS modal window, click COPY CONFIG FILE to copy all the configuration details at once to the clipboard in JSON format or copy the URI and the configuration info individually and make a note of it.

   The following are the configuration values:

   • Path prefix: A fixed path containing the Fortanix DSM app UUID.

   • Access key ID and Secret access key: The access key and secret access key are used by AWS to access Fortanix DSM.

NOTE

"amer.smartkey.io" opens DSM SaaS for the AMER region. DSM SaaS supports multiple regions, as listed here.

5.0 Configure DSM as an XKS with AWS

1. Go to the AWS Console.

2. Click Services → Key Management Service.

   

3. From the left menu, select Custom key stores → External key stores.

4. On the External key stores page, click Create external key store.

   

5. In the Create external key store form, fill in the following details:

   1. Key store name: Enter a name for your key store. For example: XKS Test.

      

   2. In the Proxy Connectivity section:

      1. Select the Public endpoint to communicate with the Fortanix DSM proxy.

      2. In the Proxy URI endpoint field, enter the URI that you copied in Step 2. For example: https://<fortanix_dsm_url>.

         

   3. In the Proxy configuration section, you can enter the configuration details in the following ways:

      1. Paste the individual configuration values that you copied in Step 2 in the Proxy URI path prefix, Access key ID, and Secret access key fields, respectively OR

      2. Click Upload configuration file and paste the JSON configuration details that you copied in Step 2.

         

   4. If you selected option (ii) above, then paste the JSON Configuration in the text box and click Use this proxy configuration to save the configuration.

      

   5. Click Create external key store to complete the XKS creation process.

      

   6. Click the Connect key store to connect the XKS with Fortanix DSM so that you can start creating the keys in this key store.

      

6.0 Create Keys in the External Key Store

After the connection between AWS XKS and Fortanix DSM is successful, you can start creating keys in this key store using the following steps:

1. Click Create a KMS key in this key store to create a key.

   

2. In the External key ID section, enter the UUID of the AES 256 key as copied in Section 4.5: Copying the Security Object UUID.

3. Select the check box to Confirm use of external key store.

4. Click Next.

   

5. In the Add labels page, Enter the key Alias.

6. Click Next.

   

7. Next, select the key administrators who can administer this key using the KMS API and click Next.

   

8. Select the users who will use the key for cryptographic operations and click Next.

   

9. Review the updates and click Finish.

10. The AWS KMS key is now successfully created in the XKS.