Integration of GCP with Fortanix (a supported EKM partner)
I started looking into EKM a while back because of its rising popularity, especially in regulated industries like banking. To understand the nuances of the KMS offering in GCP I dug into the documentation, and soon realised that reading alone wasn't enough; I needed hands-on experience to really understand the process. In this article I'll explain how I understand key management in GCP in general and walk through integrating GCP with Fortanix to encrypt data in Cloud Storage.
Alright, let's start by answering the most obvious(🤥) question of all time: "What in the world is KMS? 💥". I'll use some cheating skills and just copy-paste the official definition from the GCP documentation! But hey, who needs originality when we've got the holy words of Google, right?
“Cloud Key Management Service (Cloud KMS) lets you create and manage encryption keys for use in compatible Google Cloud services and in your own applications”
So far, so good, but what if I don’t trust the Google Cloud Platform and want to manage my own keys? What if I don’t want to retain my keys in the Google Cloud but still encrypt my data in the Cloud?
I went through the KMS documentation looking for exactly such options and came up with the following decision tree. My main interest was EKM (External Key Management), but I also included some non-EKM choices.
I understand that some of you may feel the decision tree doesn't cover every branch and consideration, such as which GCP services support which key management method, cost, CSEK, client-side encryption or the supported key types. Those concerns are valid, and there is more to explore, but modelling every input would be very hard, so treat the diagram above as the main decision tree with some minor(?) branches and inputs left out.
Enough with the excuses! Let's dig deeper into EKM. As the diagram shows, we've chosen Fortanix as the EKM partner for the case where you don't want your keys held inside Google Cloud at all. Fortanix offers a range of products and services, including secure enclaves, hardware security modules (HSMs) and other cryptographic tooling for protecting data and applications.
However, Fortanix isn't the only EKM partner supported by GCP. At the time of writing, these are the supported partners:
- Fortanix
- Futurex
- Thales
- Virtru
In this article we'll use Fortanix to build a use-case scenario. As you may have noticed, to use Fortanix you need to create an account and sign in. Note that they currently require a company email address and don't accept sign-ups from personal email providers like Gmail or Yahoo. This could be a hurdle for those facing unemployment, considering the current high unemployment rates 😔. Nevertheless, I hope you find a way to create a Fortanix account and benefit from their services despite this limitation.
1. We start our journey by creating a group in Fortanix, as shown in the picture below. The group holds everything related to the keys: the security objects themselves, app permissions, the justification for key usage and so on.
2. Next, add a so-called "Security Object", which for our purposes simply means a key. Here we define the key type (AES; Google's external symmetric encryption expects a 256-bit AES key) and the permitted key operations (encrypt and decrypt at minimum), then click Generate.
3. Once the key exists, don't forget to copy its Google EKMS URI; you'll need to paste this URI into the Google console when adding the key.
4. Now go back to the Google console and create a regional key ring (in a location where Cloud EKM is supported).
5. While creating the key, choose External as the protection level, tell Google that you'll be connecting to the EKM via the internet, and paste the URI you copied in step 3 into the "Key URI" field:
6. And then boom 💣💣💣. You’ve got an error:
What might have gone wrong? Yes, you guessed it: you forgot to give the Google service account permission to talk to Fortanix. Cloud EKM calls the external key manager using a Google-managed identity of the form service-PROJECT_NUMBER@gcp-sa-ekms.iam.gserviceaccount.com, and Fortanix rejects any identity it doesn't know. So let's fix that!
7. Sign into Fortanix and add a new app, specifying that Google service account as its identity, and assign the app to the group created in step 1.
8. Now go back to the GCP console and finalise key creation. Well done!!! You are using external key management now.
9. With the connection established we can start encrypting and decrypting data with the Fortanix-held key. Create a Cloud Storage bucket with this key as its default encryption key, and grant the Cloud Storage service agent (service-PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com, not your own user account) the role cloudkms.cryptoKeyEncrypterDecrypter on the key; that is the identity Cloud Storage uses when it calls KMS on your behalf.
10. Now that the bucket exists and you've added some files to it, try viewing the content. As expected, you should be able to see the files. In addition, the corresponding key access requests coming from GCP show up in the Fortanix audit logs.
11. What if you use the Disable button in Fortanix to disable the key and then go back to the bucket to view the content again? Then you'll see an error like this: "The Cloud Storage service agent does not have permission to access the KMS key in Cloud EKM. Grant the appropriate permissions in your external key manager." Note that the key version in Cloud KMS still shows as enabled; the refusal comes from Fortanix, which is precisely the control you gain by keeping the key outside Google Cloud.
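To check that steps 4 to 9 ended up in the right state without clicking through the console, here is a small offline checker I've added for this article (it is not code from Fortanix or Google). It takes the JSON printed by `gcloud kms keys describe ... --format=json`, `gcloud kms keys get-iam-policy ... --format=json` and `gcloud storage buckets describe gs://BUCKET --format=json`, verifies that the key is an external symmetric key with an enabled version carrying an https EKM URI, that the Cloud Storage service agent (and nobody overly broad) holds Encrypter/Decrypter on it, and that the bucket really defaults to that key. It also derives the `gcp-sa-ekms` identity you register as an app in Fortanix in step 7. The project number, key name, bucket name and EKM URI in the samples are constructed placeholders, not values from a real project.

```python
"""Offline sanity check of an EKM-backed bucket, built from the JSON that
these gcloud commands print (the samples below are constructed, not captured):

  gcloud kms keys describe KEY --keyring RING --location LOC --format=json
  gcloud kms keys get-iam-policy KEY --keyring RING --location LOC --format=json
  gcloud storage buckets describe gs://BUCKET --format=json
"""
from urllib.parse import urlparse

ENCRYPTER_DECRYPTER = "roles/cloudkms.cryptoKeyEncrypterDecrypter"


def service_agents(project_number: str) -> dict:
    """Google-managed identities that take part in an EKM-backed bucket.

    'ekm' is the Cloud KMS identity that talks to the external key manager;
    it is the account to register as an app in Fortanix.  'storage' is the
    Cloud Storage service agent that must hold Encrypter/Decrypter on the key.
    """
    return {
        "ekm": f"service-{project_number}@gcp-sa-ekms.iam.gserviceaccount.com",
        "storage": f"service-{project_number}@gs-project-accounts.iam.gserviceaccount.com",
    }


def check_ekm_setup(key: dict, policy: dict, bucket: dict, project_number: str) -> list:
    """Return a list of findings; an empty list means the GCP side looks right."""
    findings = []

    # 1. The CryptoKey: external symmetric key with a usable primary version.
    if key.get("purpose") != "ENCRYPT_DECRYPT":
        findings.append(f"KEY: purpose is {key.get('purpose')}, expected ENCRYPT_DECRYPT")
    template = key.get("versionTemplate", {})
    if template.get("protectionLevel") != "EXTERNAL":
        findings.append(f"KEY: protection level is {template.get('protectionLevel')}, expected EXTERNAL")
    if template.get("algorithm") != "EXTERNAL_SYMMETRIC_ENCRYPTION":
        findings.append(f"KEY: algorithm is {template.get('algorithm')}, expected EXTERNAL_SYMMETRIC_ENCRYPTION")
    primary = key.get("primary")
    if not primary:
        findings.append("KEY: no primary version (an external key needs a version carrying the EKM URI)")
    else:
        if primary.get("state") != "ENABLED":
            findings.append(f"KEY: primary version state is {primary.get('state')}, expected ENABLED")
        uri = primary.get("externalProtectionLevelOptions", {}).get("externalKeyUri", "")
        parsed = urlparse(uri)
        if parsed.scheme != "https" or not parsed.netloc:
            findings.append(f"KEY: external key URI {uri!r} is not an https URL")

    # 2. IAM on the key: the Storage service agent (not a user) needs the role,
    #    and the role must not be handed to everyone.
    storage_member = "serviceAccount:" + service_agents(project_number)["storage"]
    members = {
        m
        for binding in policy.get("bindings", [])
        if binding.get("role") == ENCRYPTER_DECRYPTER
        for m in binding.get("members", [])
    }
    if storage_member not in members:
        findings.append(f"IAM: {storage_member} lacks {ENCRYPTER_DECRYPTER} on the key")
    for member in sorted(members & {"allUsers", "allAuthenticatedUsers"}):
        findings.append(f"IAM: {member} holds {ENCRYPTER_DECRYPTER} on the key")

    # 3. The bucket actually defaults to this key.
    default_key = bucket.get("encryption", {}).get("defaultKmsKeyName")
    if default_key != key.get("name"):
        findings.append(f"BUCKET: default KMS key is {default_key!r}, expected {key.get('name')!r}")
    return findings


# Constructed samples standing in for the gcloud JSON. Project number, key name,
# bucket name and EKM URI are placeholders, not values from a real project.
PROJECT_NUMBER = "123456789012"
KEY_NAME = "projects/demo-proj/locations/europe-west3/keyRings/ekm-ring/cryptoKeys/fortanix-aes"
SAMPLE_KEY = {
    "name": KEY_NAME,
    "purpose": "ENCRYPT_DECRYPT",
    "versionTemplate": {"algorithm": "EXTERNAL_SYMMETRIC_ENCRYPTION", "protectionLevel": "EXTERNAL"},
    "primary": {
        "name": KEY_NAME + "/cryptoKeyVersions/1",
        "state": "ENABLED",
        "protectionLevel": "EXTERNAL",
        "externalProtectionLevelOptions": {"externalKeyUri": "https://ekm.example.com/keys/placeholder-key-id"},
    },
}
SAMPLE_POLICY = {
    "bindings": [
        {"role": ENCRYPTER_DECRYPTER, "members": ["serviceAccount:" + service_agents(PROJECT_NUMBER)["storage"]]}
    ]
}
SAMPLE_BUCKET = {"name": "demo-ekm-bucket", "encryption": {"defaultKmsKeyName": KEY_NAME}}

if __name__ == "__main__":
    print("Register this identity as the app in Fortanix:", service_agents(PROJECT_NUMBER)["ekm"])
    for line in check_ekm_setup(SAMPLE_KEY, SAMPLE_POLICY, SAMPLE_BUCKET, PROJECT_NUMBER) or ["OK"]:
        print(line)
```

One caveat: this only inspects the GCP side. Disabling the key in Fortanix, as in step 11, leaves the Cloud KMS version state at ENABLED, so the checker will still report OK; that failure mode is visible only in the bucket access error and in the Fortanix audit log, which is the whole point of holding the key outside Google Cloud.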
Now, here comes the very main question 🎉: why did I use that ugly red colour to obfuscate the irrelevant numbers? I really don't know, maybe just to be on the safe side, or old habit 🤷‍♂️
One minor note: we should be using more meaningful justifications when requesting the key, as the HSM/GCP requirement calls for (this is the Key Access Justifications feature), but I guess this isn't enabled by default for users like me. It is enabled only for Assured Workloads customers, which I am certainly not.
Short story long 😀 That's the process of creating and managing EKM with a supported partner. I hope you found it enjoyable and useful. If you did, feel free to subscribe and hit that clap button! (It felt almost like a YouTube video, right? 😄)