Cloud-Scale HSM and Key Management for BIG-IP and NGINX TLS

The TLS Encryption Challenge

Nearly 90% of all internet traffic is encrypted with TLS. F5 solutions including BIG-IP and NGINX provide SSL orchestration using TLS encryption, which requires a hardware security module (HSM) and a key management system (KMS) to perform the cryptographic operations and protect the keys. The security of the network traffic passing through the F5 systems is only as strong as the system protecting and managing the encryption keys.

Decrypting and re-encrypting traffic is computationally intensive and requires a scalable, high-performance encryption solution. Any delay in processing cryptographic operations slows down the network traffic passing through the F5 systems.

At the same time, more and more customers want to migrate from on-premises systems to F5 cloud software such as BIG-IP Cloud Edition and NGINX Plus in public cloud environments. When migrating to public cloud or operating in hybrid environments, the HSM and key management must either support both environments or be replaced by new encryption systems. Maintaining multiple HSM and key management systems is costly and complex, and it increases the risk of security incidents.

Having an HSM and KMS that scale to meet the performance challenges, provide military-grade protection, and support a variety of on-premises and cloud environments is essential to the successful operation of F5 SSL/TLS services.

The Fortanix Solution

To address the above requirements, I turned to one of F5’s partners and deployed the Fortanix Self-Defending Key Management Service (SDKMS). The Fortanix SDKMS system checks all the boxes…
— Gregory Coward
Solutions Architect – Public Cloud, F5
How I Did It – “Integrating Fortanix SDKMS with BIG-IP”

The Fortanix solution delivers a cloud-scale data security platform that provides cryptographic services, shared secrets, and tokenization across cloud and on-premises environments from a single centralized point of management, control, and audit. With this platform, F5 customers can deploy a single integrated HSM and key management solution across all BIG-IP and NGINX deployment architectures, ensuring that cryptographic operations are secure, perform optimally, and scale across on-premises, hybrid cloud, and public cloud deployments.

Fortanix For BIG-IP and NGINX On-Premises

[Diagram: F5-Fortanix]

The Fortanix Self-Defending Key Management Service (KMS) provides both a key management and an HSM solution, available as a FIPS 140-2 Level 3 appliance that integrates with on-premises BIG-IP and cloud-based NGINX deployments. The Fortanix appliance stores and manages all the SSL keys and performs crypto operations when called by the F5 platforms.

Fortanix Key Management and HSM for Multi-Cloud Environments

[Diagram: F5-Fortanix]

The Fortanix Self-Defending Key Management Service (KMS) provides both a key management and an HSM solution, available as a FIPS 140-2 Level 3 appliance or as a virtual appliance that can run in private, hybrid, or public cloud environments. In either case, Fortanix Self-Defending KMS integrates with BIG-IP and NGINX deployments across multiple cloud environments to store and manage all the SSL keys and perform crypto operations when called by the F5 platform. Customers can also leverage the Fortanix HSM GW functionality to easily migrate their keys from legacy HSMs to Self-Defending KMS as they migrate their solution to the cloud.

Fortanix for BIG-IP Cloud and NGINX Plus on Microsoft Azure

[Diagram: F5-Fortanix]

The Fortanix Self-Defending Key Management Service (KMS) provides both a key management and an HSM solution, available as a FIPS 140-2 Level 3 appliance or as a virtual appliance that can run in public cloud environments such as Microsoft Azure. In either case, Fortanix Self-Defending KMS integrates with BIG-IP and NGINX deployments across multiple cloud environments to store and manage all the SSL keys and perform crypto operations when called by the F5 platform.
