On November 20th, Fortanix announced the integration of Fortanix Self-Defending KMS with the Google Cloud External Key Manager (Cloud EKM) service in the session Bringing You More Control: New Services for Data Security and Transparency, featuring a demonstration by joint customer PayPal. On the same day, I published Part 1 of this blog with an overview of the joint solution, which enables enterprises using Google Cloud Platform (GCP) services, including BigQuery and Google Compute Engine (GCE), to maintain control of the master keys used to encrypt their data. In this Part 2, I’ll dive deeper into the technical details of how to set up and configure Cloud EKM with Fortanix.
Before we get into the technical details of the solution, the video below can provide you with a quick overview of the Cloud EKM service, the value to customers and how Fortanix integrates with GCP to manage master keys.
Cloud EKM has defined a set of REST APIs that an external key management system can implement. The APIs define the format for identifying the key held in the external KMS, and the operations that can be performed on the key. Fortanix Self-Defending KMS implements the Cloud EKM APIs, and supports the following configuration:
AES 256-bit keys stored in Fortanix Self-Defending KMS are identified by Cloud EKM using a URI formatted as https://sdkms.fortanix.com/v0/gcp/key/<id>. The host portion of the URI depends on the domain of the specific Fortanix Self-Defending KMS deployment.
Fortanix Self-Defending KMS performs encryption and decryption with these keys when Cloud EKM makes POST calls to operation URIs derived from the key URI, for example https://sdkms.fortanix.com/v0/gcp/key/<id>:unwrap for decryption (the Cloud EKM API defines a :wrap operation for encryption and a :unwrap operation for decryption). The request and response bodies of these REST calls are JSON.
These API calls can only be made with the right authorization. Authorization is established by authenticating to Fortanix Self-Defending KMS with a JSON Web Token (JWT) signed by Google Cloud, which identifies the Google service account the request originates from. Fortanix Self-Defending KMS verifies the JWT using Google Cloud’s public key and then uses the service account name to determine which keys the request may access. This access control requires a Fortanix Self-Defending KMS “application” (see https://support.fortanix.com/hc/en-us/articles/360015809372-Getting-Started-with-SDKMS) with the same name as the Google service account, added to a Fortanix Self-Defending KMS group that contains the key being requested. A request whose token does not verify, or whose service account has no application in a group holding the key, is rejected.
The corresponding configuration in Cloud KMS to access an externally managed key consists of the following:
A Google service account is created in GCP. The email address of this service account identifies the caller in requests from Cloud EKM, and a corresponding application is created in Fortanix Self-Defending KMS with this email address as its name.
Once the application and key exist in Fortanix Self-Defending KMS and the key URI is available, an externally managed key is created in Cloud KMS with that URI, configured according to the specification above. This key gets a resource ID in GCP, which other GCP services can use as if it were any other key stored in Cloud KMS. When a call is made to use the externally managed key in Google Cloud, Cloud EKM calls Fortanix Self-Defending KMS, authenticates itself with the signed JWT, and performs the requested wrap or unwrap operation.
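To make the exchange above concrete, here is an added example of the external-KMS side of a Cloud EKM call, written for this post; it is not Fortanix or Google code and does not use either product's real API. It simulates one wrap and one unwrap request arriving at the `/v0/gcp/key/<id>:wrap` and `:unwrap` URIs, verifies the bearer JWT, maps the verified service-account email to a KMS "application", checks that the application shares a group with the requested key, and only then touches key material. Everything not on the page is an assumption and is marked as such in the code: the host name, key id and service-account email are constructed; the JWT is HS256 with a shared secret so the block runs offline, where Google actually signs with RSA and the KMS verifies against Google's public key; the claim names (`email`, `aud`, `exp`) and body field names (`plaintext`, `wrapped_blob`) are assumed; and the cipher is an encrypt-then-MAC construction built from HMAC-SHA256 standing in for the AES-256 authenticated encryption a real KMS would use.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed fixtures (assumptions): deployment host, key id, service-account email.
KMS_HOST = "https://sdkms.example.com"
KEY_ID = "9f1c6b2e-demo-key"
SERVICE_ACCOUNT = "ekm-caller@demo-project.iam.gserviceaccount.com"
# Google signs the real JWT with RSA and the KMS verifies it with Google's public
# key; to run offline this demo uses HS256 with a shared secret instead.
GOOGLE_SIGNING_SECRET = b"constructed-demo-signing-secret"
# Key store: key id -> 256-bit key material plus the KMS group that holds the key.
KEYS = {KEY_ID: {"material": hashlib.sha256(b"constructed-key-seed").digest(),
                 "group": "gcp-bigquery"}}
# Applications are named after the service-account email and belong to groups.
APPLICATIONS = {SERVICE_ACCOUNT: {"groups": {"gcp-bigquery"}}}

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims: dict, secret: bytes = GOOGLE_SIGNING_SECRET) -> str:
    """Mint the token the Google side would present (claim names are assumptions)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_jwt(token: str, audience: str, now: float) -> dict:
    """Pin the algorithm, check the signature, then the audience and expiry."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(GOOGLE_SIGNING_SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != audience or float(claims.get("exp", 0)) <= now:
        raise PermissionError("wrong audience or expired")
    return claims

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _subkeys(master: bytes) -> tuple:
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())

def wrap(master: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC (HMAC-SHA256 in counter mode) standing in for AES-256 AEAD (assumption)."""
    enc_key, mac_key = _subkeys(master)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unwrap(master: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(master)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(
            tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrapped blob failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def handle_request(url: str, bearer_jwt: str, body: dict, now: float) -> tuple:
    """POST <KMS_HOST>/v0/gcp/key/<id>:wrap or :unwrap -> (HTTP status, JSON body).
    Body field names (plaintext / wrapped_blob) are assumptions for the demo."""
    prefix = f"{KMS_HOST}/v0/gcp/key/"
    if not url.startswith(prefix) or ":" not in url[len(prefix):]:
        return 404, {"error": "unknown resource"}
    key_id, op = url[len(prefix):].split(":", 1)
    try:  # audience pinned to the key URI: a token minted for one key cannot reach another
        claims = verify_jwt(bearer_jwt, audience=prefix + key_id, now=now)
    except (PermissionError, ValueError):
        return 401, {"error": "invalid token"}
    # The verified email claim names the KMS application, which must share a group with the key.
    key, app = KEYS.get(key_id), APPLICATIONS.get(claims.get("email"))
    if key is None or app is None or key["group"] not in app["groups"]:
        return 403, {"error": "service account not authorized for this key"}
    if op == "wrap":
        return 200, {"wrapped_blob": b64(wrap(key["material"], base64.b64decode(body["plaintext"])))}
    if op == "unwrap":
        try:
            return 200, {"plaintext": b64(unwrap(key["material"], base64.b64decode(body["wrapped_blob"])))}
        except ValueError:
            return 400, {"error": "integrity check failed"}
    return 404, {"error": "unknown operation"}
```

Two design choices matter more than the toy cipher. First, the verifier pins the signature algorithm and the audience server-side rather than honoring whatever the token declares, so a token minted for one key URI cannot be replayed against another key, and an expired or forged token never reaches the key lookup. Second, authorization is evaluated only after the signature has been verified, using the email claim from the verified token, which is exactly the "application named after the service account, placed in the key's group" model the post describes; a caller with a valid token but no matching application in the right group gets a 403 and no key material is used. The `now` parameter is passed in explicitly so the expiry check can be exercised deterministically.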
Cloud EKM is available today in beta on GCP. The Fortanix Self-Defending KMS integration is available immediately as an on-premises solution with the FIPS 140-2 Level 3 validated™ Fortanix Runtime Encryption Appliance, as software that can be deployed on-premises, and as a SaaS offering through Equinix SmartKey, powered by Fortanix. TM: A Certification Mark of NIST, which does not imply product endorsement by NIST, the U.S. or Canadian Governments.