Encrypting files using IBM Cloud Key Protect

bhaktadn
6 min read · Apr 11, 2022


Why a Key Management System for the cloud?

In the cloud, sensitive data should not be stored in unencrypted form. Cloud providers usually provide the ability to encrypt data, using either provider-managed or customer-managed encryption keys. Today, encrypting the data is not enough: it is critical to protect the keys used to encrypt it (the data encryption keys), because whoever has the keys has the data. It also means that if you lose the keys, you lose the data. That is why an external key management system is important. In on-premises environments, HSMs manage the keys, but HSMs are expensive and hard to maintain.

IBM Key Protect for IBM Cloud is a cloud-based security service that provides life cycle management for encryption keys. You can use such keys with many IBM Cloud services or with your own applications. Key Protect supports envelope encryption: the data encryption keys (DEKs) are encrypted (wrapped) using root keys, and the provisioning of the root keys and the wrapping happen inside FIPS 140-2 Level 3 certified HSMs.

Now let's take a look at how to encrypt files, or any other kind of data, using keys managed by IBM Cloud Key Protect.

The IBM Cloud CLI and OpenSSL are the tools we will use to encrypt and decrypt files.

IBM Cloud CLI: provides a unified way to interact with IBM Cloud services, including infrastructure, containers and applications, as well as commands for managing resources in IBM Cloud. You can find the instructions to install the CLI here.

OpenSSL: a cryptographic toolkit that implements network protocols such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS), together with the related cryptography standards they require.

The openssl program is a command line tool for using the various cryptography functions of OpenSSL's crypto library from the shell of an operating system. Along with many other cryptographic features, it provides encryption and decryption with symmetric ciphers.

Most modern operating systems come with the openssl toolkit pre-installed. If it is not installed, your operating system's package manager can install it.

High level steps

  1. Create a Root Key in Key Protect Instance
  2. Get Data Encryption Key from Key Protect using the wrap operation
  3. Encrypt the data with Data Encryption Key
  4. Decrypt the data with Data Encryption Key

Encrypting data using Data encryption key from IBM Key Protect

Create a Root Key in Key Protect Instance

Log into IBM Cloud using the installed CLI.

foo@bar:~$ ibmcloud login --sso

If Key Protect instance does not exist, create one.

foo@bar:~$ ibmcloud resource service-instance-create demo-keyprotect-instance kms eedd3585-90c6-4c8f-be3d-062069e99fc3 us-south
Creating service instance my-demo-kp in resource group Default of account IBM as bhakta@....
OK
Service instance my-demo-kp was created.

Name: demo-keyprotect-instance
ID: crn:v1:bluemix:public:kms:us-south:a/11ae7cf626494c8397c8ce6105d6c47f:94e067bd-78e6-48ad-ab69-6dacdbcfcb67::
GUID: 94e067bd-78e6-48ad-ab69-6dacdbcfcb67
Location: us-south
State: active
Type: service_instance
Sub Type: kms
Allow Cleanup: false
Locked: false
Created at: 2022-03-09T05:42:36Z
Updated at: 2022-03-09T05:42:37Z
Last Operation:
Status: create succeeded
Message: Completed create instance operation

  • demo-keyprotect-instance is the name of the instance you are creating.
  • kms is the service name of Key Protect in the IBM Cloud catalog.
  • eedd3585-90c6-4c8f-be3d-062069e99fc3 is the plan id for the service. There is only one plan at the moment.
  • us-south is the region where the instance will be created. There are other regions available globally.

Let's create a root key that will be used to encrypt (wrap) our data encryption key (DEK). This assumes you have installed the Key Protect CLI plugin; if you have not, check the IBM Cloud CLI plugin installation guide.

foo@bar:~$ ibmcloud kp -i 6b9908b3-cff4-4389-ac9b-dad438968122 key create "myencryption-root-key" -a "myencrypt-root-key"
Creating key: 'myencryption-root-key', in instance: '6b9908b3-cff4-4389-ac9b-dad438968122'...
OK
Key ID Key Name
a03f9037-a57a-45f6-bd69-447a885954e1 myencryption-root-key
foo@bar:~$ ibmcloud kp -i 6b9908b3-cff4-4389-ac9b-dad438968122 keys
Retrieving keys...
OK
Key ID Key Name
a03f9037-a57a-45f6-bd69-447a885954e1 myencryption-root-key
e3d599f2-972c-47f8-ad14-88058831a5cf my-encryption-root-key

Get Data Encryption Key from Key Protect using the wrap operation

Let's create a Data Encryption Key using the wrap feature of Key Protect. This feature allows you to pass in your own DEK, or you can request that one be generated for you. Since Key Protect uses HSMs to generate all its keys, we will let Key Protect create the DEK and send it back to us in wrapped form.

foo@bar:~$ ibmcloud kp -i 6b9908b3-cff4-4389-ac9b-dad438968122 key wrap a03f9037-a57a-45f6-bd69-447a885954e1 -o json
{
"ciphertext": "eyJjaXBoZXJ0ZXh0IjoiTHB0VzFwNmhXalJvK3lHTUtwdlBLSHF5cXo4NEtqUEJzc0ZTZlJ6RnBpK3VSb2lpbVBuZm5HME9pVnM9IiwiaXYiOiJSQXlFVXI4aUp2YnllNzVrIiwidmVyc2lvbiI6IjQuMC4wIiwiaGFuZGxlIjoiYTAzZjkwMzctYTU3YS00NWY2LWJkNjktNDQ3YTg4NTk1NGUxIn0="
}
foo@bar:~$ echo "eyJjaXBoZXJ0ZXh0IjoiTHB0VzFwNmhXalJvK3lHTUtwdlBLSHF5cXo4NEtqUEJzc0ZTZlJ6RnBpK3VSb2lpbVBuZm5HME9pVnM9IiwiaXYiOiJSQXlFVXI4aUp2YnllNzVrIiwidmVyc2lvbiI6IjQuMC4wIiwiaGFuZGxlIjoiYTAzZjkwMzctYTU3YS00NWY2LWJkNjktNDQ3YTg4NTk1NGUxIn0=" > wraped-dek-with-my-encryption-root-key.wrapped

The wrapped form is the encrypted version of the DEK: Key Protect used the root key generated in the previous step (myencryption-root-key) to wrap (encrypt) it. In order to encrypt a local file with the DEK, we first need to get the DEK back in plaintext form.

Note: We need to make sure we store this wrapped key (the wrapped DEK) securely. This is the key we will use to encrypt our files; once a file is encrypted with it, you will not be able to decrypt that file later if you misplace or lose the wrapped key. One strategy is to store wrapped DEKs as "Standard Keys" in Key Protect itself, so that you can retrieve them later when you need them to decrypt your files.
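A check worth building into any script that handles wrapped DEKs: the base64 value returned by the wrap command is a small JSON envelope, and its "handle" field is the ID of the root key it was wrapped under. The following is an added example (not code from the original post or from IBM) that decodes the two wrapped values shown on this page and compares the handle with the root key ID a script is about to pass to `key unwrap`. The two envelopes on this page carry different handles: the one printed by the wrap command names a03f9037-a57a-45f6-bd69-447a885954e1, while the one read back from the .wrapped file in the decrypt section names e3d599f2-972c-47f8-ad14-88058831a5cf, the second root key listed in the instance. Catching such a mismatch before calling the service is cheaper than debugging a failed unwrap later.

```shell
# Added example, not from the original post. The two values below are the
# wrapped DEKs shown on this page: base64 of a JSON envelope whose "handle"
# field is the ID of the root key the DEK was wrapped under.
WRAPPED_DEK_1='eyJjaXBoZXJ0ZXh0IjoiTHB0VzFwNmhXalJvK3lHTUtwdlBLSHF5cXo4NEtqUEJzc0ZTZlJ6RnBpK3VSb2lpbVBuZm5HME9pVnM9IiwiaXYiOiJSQXlFVXI4aUp2YnllNzVrIiwidmVyc2lvbiI6IjQuMC4wIiwiaGFuZGxlIjoiYTAzZjkwMzctYTU3YS00NWY2LWJkNjktNDQ3YTg4NTk1NGUxIn0='   # output of `key wrap` above
WRAPPED_DEK_2='eyJjaXBoZXJ0ZXh0IjoiaFRTSUtOM3djVzN0cXI4SUFvY01SUmYwMFFWVzAydllEMGd6bWVkaFdqdTFYdldNMzIzMWthUmc2dWs9IiwiaXYiOiI3dlNVSy9BU3NMV2R5cXBmIiwidmVyc2lvbiI6IjQuMC4wIiwiaGFuZGxlIjoiZTNkNTk5ZjItOTcyYy00N2Y4LWFkMTQtODgwNTg4MzFhNWNmIn0='   # value read back from the .wrapped file later on this page

# Decode the envelope and print the root key handle it was wrapped under.
# The ciphertext and iv fields stay opaque; only the handle is extracted.
wrapped_dek_handle() {
  printf '%s' "$1" | base64 --decode | sed -n 's/.*"handle":"\([^"]*\)".*/\1/p'
}

# Guard for a script that is about to run `ibmcloud kp key unwrap ROOT_KEY_ID`:
# returns 0 only if the envelope really belongs to that root key.
check_wrapped_dek() {
  _expected="$1"
  _actual=$(wrapped_dek_handle "$2")
  if [ "$_actual" = "$_expected" ]; then
    return 0
  fi
  echo "wrapped DEK was produced by root key $_actual, not $_expected" >&2
  return 1
}

ROOT_KEY_ID='a03f9037-a57a-45f6-bd69-447a885954e1'
check_wrapped_dek "$ROOT_KEY_ID" "$WRAPPED_DEK_1" && echo "envelope 1 matches $ROOT_KEY_ID"
check_wrapped_dek "$ROOT_KEY_ID" "$WRAPPED_DEK_2" || echo "envelope 2 would be sent to the wrong root key"
```

The sed expression relies on the envelope being single-line JSON, which is how Key Protect returns it; if you have jq available, `jq -r .handle` does the same job more robustly.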

Encrypt the data with Data Encryption Key

Assuming we stored the wrapped key securely, we will now use it to get the plaintext form of the DEK, which in turn will be used to encrypt our local files.

foo@bar:~$ ibmcloud kp -i 6b9908b3-cff4-4389-ac9b-dad438968122 key unwrap a03f9037-a57a-45f6-bd69-447a885954e1 "eyJjaXBoZXJ0ZXh0IjoiTHB0VzFwNmhXalJvK3lHTUtwdlBLSHF5cXo4NEtqUEJzc0ZTZlJ6RnBpK3VSb2lpbVBuZm5HME9pVnM9IiwiaXYiOiJSQXlFVXI4aUp2YnllNzVrIiwidmVyc2lvbiI6IjQuMC4wIiwiaGFuZGxlIjoiYTAzZjkwMzctYTU3YS00NWY2LWJkNjktNDQ3YTg4NTk1NGUxIn0=" -o json
{
"plaintext": "K+Q8ABhXCF6W+FBoA1DEtPAwX6tA80kBCaWP3jIJl3E=",
"rewrappedPlaintext": ""
}

In the output above, plaintext is the base64-encoded data encryption key. Make sure not to keep the plaintext version of the key stored locally.

Now let's encrypt a local file using the key above. Write the base64-decoded key bytes to a file. Once you are done using the key, delete that file from the local file system. Any time you need the key again in the future, use the unwrap operation above to retrieve the clear text key again.

foo@bar:~$ echo "K+Q8ABhXCF6W+FBoA1DEtPAwX6tA80kBCaWP3jIJl3E=" | base64 --decode > enc-data-key

Now you are ready to encrypt any file on your local file system. Let's say you have a password for your database and want to store it locally, but not in clear text. We will write it to a file and then encrypt that file using the DEK above.

foo@bar:~$ echo "My database password" > password.txt
foo@bar:~$ openssl rand -hex 16 > passwords-encrypted.iv
foo@bar:~$ openssl enc -aes-256-cbc -e -in ./password.txt -out ./passwords-encrypted.enc -K "$(xxd -p -c 32 ./enc-data-key)" -iv "$(cat ./passwords-encrypted.iv)"

You just encrypted the password.txt file using the key in ./enc-data-key (our DEK). The -K option takes the raw key bytes as a hex string (xxd converts the 32-byte key file), and -iv supplies a fresh random IV that we keep next to the ciphertext; the IV is not secret, but it is needed to decrypt. Note that the lowercase -k option would not read the file at all: it treats its argument as a passphrase string, so -k ./enc-data-key would encrypt with the literal text "./enc-data-key" rather than with the DEK. If you try to display the encrypted content, you will not see it in clear text.

foo@bar:~$ cat passwords-encrypted.enc
=�Zr�S����~%

Let's clean up the clear text key, and the clear text password, so that no one can read them from disk.

foo@bar:~$ rm enc-data-key
foo@bar:~$ rm password.txt

Decrypt the data with Data Encryption Key

Now, any time you need to decrypt the passwords-encrypted.enc file, you would first get the clear text version of the DEK using the steps described above. Let's walk through the steps again and recreate ./enc-data-key so we can use it to decrypt the file.

foo@bar:~$ cat wraped-dek-with-my-encryption-root-key.wrapped
eyJjaXBoZXJ0ZXh0IjoiaFRTSUtOM3djVzN0cXI4SUFvY01SUmYwMFFWVzAydllEMGd6bWVkaFdqdTFYdldNMzIzMWthUmc2dWs9IiwiaXYiOiI3dlNVSy9BU3NMV2R5cXBmIiwidmVyc2lvbiI6IjQuMC4wIiwiaGFuZGxlIjoiZTNkNTk5ZjItOTcyYy00N2Y4LWFkMTQtODgwNTg4MzFhNWNmIn0=
foo@bar:~$ ibmcloud kp -i 6b9908b3-cff4-4389-ac9b-dad438968122 key unwrap a03f9037-a57a-45f6-bd69-447a885954e1 "eyJjaXBoZXJ0ZXh0IjoiaFRTSUtOM3djVzN0cXI4SUFvY01SUmYwMFFWVzAydllEMGd6bWVkaFdqdTFYdldNMzIzMWthUmc2dWs9IiwiaXYiOiI3dlNVSy9BU3NMV2R5cXBmIiwidmVyc2lvbiI6IjQuMC4wIiwiaGFuZGxlIjoiZTNkNTk5ZjItOTcyYy00N2Y4LWFkMTQtODgwNTg4MzFhNWNmIn0=" -o json
{
"plaintext": "K+Q8ABhXCF6W+FBoA1DEtPAwX6tA80kBCaWP3jIJl3E=",
"rewrappedPlaintext": ""
}
foo@bar:~$ echo "K+Q8ABhXCF6W+FBoA1DEtPAwX6tA80kBCaWP3jIJl3E=" | base64 --decode > enc-data-key
foo@bar:~$ openssl enc -aes-256-cbc -d -in ./passwords-encrypted.enc -out ./passwords-decrypted.txt -K "$(xxd -p -c 32 ./enc-data-key)" -iv "$(cat ./passwords-encrypted.iv)"
foo@bar:~$ cat passwords-decrypted.txt
My database password

Once the file is decrypted, remove enc-data-key again, as described above.
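The encrypt and decrypt steps above, put together as one script. This is an added example, not code from the original post or from IBM: Key Protect is not called, and the DEK is generated locally with `openssl rand` as a constructed stand-in for the "plaintext" value that `ibmcloud kp key unwrap` returns. It shows the raw-key form of `openssl enc` (-K with a per-file random IV), keeps the plaintext key in a temporary directory that is removed on exit, and includes a small function that reproduces the -k pitfall so you can see for yourself that -k never reads the key file.

```shell
# Added example (not from the original post): envelope encryption of a local
# file with a raw 256-bit DEK, which is what the article intends. Key Protect
# is not called; DEK_B64 is a constructed stand-in for the "plaintext" field
# returned by `ibmcloud kp key unwrap`.
set -u
umask 077                      # DEK, IV and ciphertext files are owner-only
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT     # plaintext key material never outlives the run
DEK_B64=$(openssl rand -base64 32)

# Convert the base64 DEK into the hex string that `openssl enc -K` expects.
# od is used instead of xxd so that only POSIX tools are needed.
dek_hex() {
  printf '%s' "$1" | base64 --decode | od -An -v -tx1 | tr -d ' \n'
}

# Encrypt $1 into $2 with AES-256-CBC under the raw DEK. A fresh random IV is
# generated per file and stored beside the ciphertext as $2.iv; -K/-iv bypass
# openssl's password-based key derivation entirely.
encrypt_file() {
  _iv=$(openssl rand -hex 16)
  printf '%s' "$_iv" > "$2.iv"
  openssl enc -aes-256-cbc -e -in "$1" -out "$2" -K "$(dek_hex "$DEK_B64")" -iv "$_iv"
}

# Decrypt $1 into $2 using the IV stored next to the ciphertext.
decrypt_file() {
  openssl enc -aes-256-cbc -d -in "$1" -out "$2" -K "$(dek_hex "$DEK_B64")" -iv "$(cat "$1.iv")"
}

# Full round trip: encrypt, remove the clear text, decrypt, print the result.
roundtrip() {
  printf 'My database password\n' > "$WORK/password.txt"
  encrypt_file "$WORK/password.txt" "$WORK/passwords-encrypted.enc"
  rm "$WORK/password.txt"
  decrypt_file "$WORK/passwords-encrypted.enc" "$WORK/passwords-decrypted.txt"
  cat "$WORK/passwords-decrypted.txt"
}

# Reproduces the pitfall of `-k ./enc-data-key`: -k takes its argument as the
# passphrase string, so the key file is never read. Decryption still succeeds
# after the file's contents are replaced, proving the DEK played no part.
# Returns 0 when the pitfall is reproduced.
k_flag_ignores_key_file() {
  printf 'first key bytes' > "$WORK/enc-data-key"
  printf 'secret\n' > "$WORK/p.txt"
  ( cd "$WORK" && openssl enc -aes256 -e -in p.txt -out p.enc -k ./enc-data-key 2>/dev/null )
  printf 'completely different bytes' > "$WORK/enc-data-key"
  ( cd "$WORK" && openssl enc -aes256 -d -in p.enc -out p.dec -k ./enc-data-key 2>/dev/null )
  cmp -s "$WORK/p.txt" "$WORK/p.dec"
}

roundtrip
```

The design choice to note is that the IV is stored in the clear next to the ciphertext: with -K there is no salt header, so a unique IV per file is what keeps two encryptions of the same plaintext from producing the same output, and losing the IV file makes the ciphertext unrecoverable just as losing the wrapped DEK does.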

Conclusion

I hope this showed how you can securely keep your data encryption key in IBM Key Protect and use it to encrypt and decrypt your local files.
