Exporting SmartKey keys to Cloud Providers for BYOK

Updated: February 8th, 2018

Overview

Here we go over several ways to export SmartKey keys to the major cloud providers that support BYOK (bring your own key) for server-side encryption.

Prerequisite: download the SmartKey CLI from here.

Google Cloud

1. Create a 256-bit AES key and import it into SmartKey as a SECRET object with the EXPORT key operation enabled.

# 32 raw random bytes; do not pass them through tr or other text tools, which would rewrite bytes and bias the key
$ head -c 32 /dev/urandom > mykey.txt
$ python smartkey-client.py import-key --in mykey.txt --obj-type SECRET --name Google-Cloud-Secret-Key -exportable

2. Download this key to your application environment.

$ python smartkey-client.py export-object --name Google-Cloud-Secret-Key > smartkey_exported_key

GCS (Cloud Storage)

1. Add the following options to the GSUtil section of the gsutil boto configuration file:

encryption_key = [YOUR_ENCRYPTION_KEY]
decryption_key1 = [YOUR_ENCRYPTION_KEY]

2. You can now upload and download objects in GCS encrypted with your own key.

$ gsutil cp [LOCAL_OBJECT_LOCATION] gs://[DESTINATION_BUCKET_NAME]/
$ gsutil cp gs://[BUCKET_NAME]/[OBJECT_NAME] [OBJECT_DESTINATION]

3. The GCS browser shows the object as customer-encrypted.
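The following script is an added example, not part of the original page or of the SmartKey CLI: it generates the 256-bit key used in the steps above, refuses keys that are not exactly 32 bytes, and writes the base64 form that gsutil expects for encryption_key and decryption_key1 into the GSUtil section of a boto configuration file, then reads it back and checks that it decodes to 32 bytes. The SmartKey import/export commands are left out so the script runs offline; all file names are assumptions.

```shell
#!/bin/sh
# Added example: generate a 256-bit customer-supplied key, sanity-check it,
# and install it (base64-encoded, as gsutil expects) into a boto config file.
# Not part of the original page or the SmartKey CLI; file names are assumptions.
set -eu

# Write 32 uniformly random bytes to $1. No text tool (tr, echo, sed) touches
# the bytes: they would strip or rewrite some values and bias the key.
generate_aes256_key() {
    head -c 32 /dev/urandom > "$1"
}

# Return 0 only if $1 is exactly 32 bytes. A truncated or text-mangled key is
# either rejected by the provider or, worse, accepted as a weaker key.
check_key_length() {
    [ "$(( $(wc -c < "$1") ))" -eq 32 ]
}

# gsutil's encryption_key / decryption_keyN values are single-line base64.
key_to_base64() {
    base64 < "$1" | tr -d '\n'
}

# Append a GSUtil section carrying encryption_key and decryption_key1 to the
# boto config in $1, using the raw key file in $2.
write_boto_csek() {
    cfg=$1
    keyfile=$2
    check_key_length "$keyfile" || return 1
    b64=$(key_to_base64 "$keyfile")
    printf '[GSUtil]\nencryption_key = %s\ndecryption_key1 = %s\n' "$b64" "$b64" >> "$cfg"
}

# Read encryption_key back from the config in $1 and verify that it decodes
# to exactly 32 bytes, i.e. that what gsutil will use is a 256-bit key.
verify_boto_csek() {
    b64=$(sed -n 's/^encryption_key *= *//p' "$1" | head -n 1)
    [ -n "$b64" ] || return 1
    [ "$(( $(printf '%s' "$b64" | base64 -d | wc -c) ))" -eq 32 ]
}

# Stand-alone usage: sh thisscript.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    generate_aes256_key "$tmp/mykey.txt"
    write_boto_csek "$tmp/boto" "$tmp/mykey.txt"
    verify_boto_csek "$tmp/boto" && echo "boto config OK: $tmp/boto"
fi
```

Keep the raw key file (mykey.txt) for the SmartKey import step; only the boto configuration needs the base64 form.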

GCE (Compute Engine)

1. Add the key in GCE and launch the instance.

2. The disk shows as encrypted with a customer-supplied key.

Wrapped Key export

GCE also supports importing a customer key wrapped with a Google public key. In this case, export the key as a secret as described above and wrap it with openssl.

1. Fetch the Google public key.

$ curl "https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem" -o google-cloud-csek-ingress.pem
$ openssl x509 -pubkey -noout -in google-cloud-csek-ingress.pem > google-cloud-csek-public.pem

2. Wrap the exported SmartKey key with the Google public key.

$ openssl rsautl -oaep -encrypt -pubin -inkey google-cloud-csek-public.pem -in smartkey_exported_key -out rsawrappedkey.txt

3. Set the key data in GCE as a wrapped key.

Note: SmartKey will soon support OAEP-padded key wrapping. With that support you can perform the wrapping inside SmartKey itself, without exporting the actual key.

AWS

AWS KMS provides a wrapping key and an import token for importing customer key material. The steps are very similar to the Google Cloud wrapped key export:

1. Create a 256-bit AES key and import it into SmartKey as a SECRET object with EXPORT enabled.

# 32 raw random bytes; do not pass them through tr or other text tools, which would rewrite bytes and bias the key
$ head -c 32 /dev/urandom > mykey.txt
$ python smartkey-client.py import-key --in mykey.txt --obj-type SECRET --name AWS-Cloud-Secret-Key -exportable

2. Download this key to your application environment.

$ python smartkey-client.py export-object --name AWS-Cloud-Secret-Key > my_secret.key

3. Initiate creation of a key with external origin in KMS.

4. Download the zip file containing the wrapping key and import token.

5. Wrap the exported secret key with the AWS wrapping key.

$ openssl rsautl -encrypt -oaep -pubin -keyform DER \
    -inkey wrappingKey_fcb572d3-6680-449c-91ab-ac3a5c07dc09_080410435 \
    -in my_secret.key -out aws-wrapped.key

6. Upload the wrapped key and the downloaded import token to complete the import.

7. Use the imported key for server-side encryption in AWS services. In S3, for example, this can be enabled during bucket creation.
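Both wrapping steps above (GCE wrapped key export and AWS KMS step 5) are the same operation: RSA-OAEP encryption of the 32-byte exported secret under the provider's public key. The script below is an added example, not part of the original page or of either provider's tooling. It performs that wrapping with openssl pkeyutl (equivalent to the page's rsautl -oaep, OAEP with SHA-1 by default), refuses anything that is not a 32-byte key, and, because a provider gives out only the public half, generates a constructed stand-in RSA key pair so the round trip can be verified locally before anything is uploaded. It also emits the single-line base64 of the wrapped blob, which is the form GCE takes for rsaEncryptedKey. File names are assumptions.

```shell
#!/bin/sh
# Added example: wrap an exported 32-byte secret with a provider's RSA public key
# (RSA-OAEP, as in the rsautl -oaep steps for GCE and AWS KMS) and verify the
# result locally before uploading. Not part of the original page. The RSA key pair
# generated here is a constructed stand-in for the provider's wrapping key; in
# practice wrap with google-cloud-csek-public.pem or the KMS wrappingKey_* file.
set -eu

# Constructed stand-in for the provider's wrapping key: a 2048-bit RSA pair in
# $1/wrap-priv.pem and $1/wrap-pub.pem. Providers hand out only the public half;
# the private half exists here solely to check the round trip.
make_stand_in_wrapping_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/wrap-priv.pem" 2>/dev/null
    openssl pkey -in "$1/wrap-priv.pem" -pubout -out "$1/wrap-pub.pem"
}

# Refuse to wrap anything but a 32-byte key: both providers expect exactly
# 256 bits of AES key material inside the envelope.
check_plaintext_key() {
    [ "$(( $(wc -c < "$1") ))" -eq 32 ]
}

# Wrap the key in $2 with the PEM public key $1 into $3. rsa_padding_mode:oaep
# is the same operation as the page's "rsautl -oaep" (OAEP, SHA-1 by default).
# For the AWS wrapping key, which is DER-encoded, add -keyform DER.
wrap_key() {
    check_plaintext_key "$2" || return 1
    openssl pkeyutl -encrypt -pubin -inkey "$1" -pkeyopt rsa_padding_mode:oaep -in "$2" -out "$3"
}

# Local verification only: decrypt $2 with the stand-in private key $1 into $3.
# A real provider performs this step on its side after the upload.
unwrap_key() {
    openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep -in "$2" -out "$3"
}

# Single-line base64 of the wrapped blob, the form GCE takes for rsaEncryptedKey.
wrapped_key_b64() {
    openssl base64 -A -in "$1"
}

# Stand-alone usage: sh thisscript.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    head -c 32 /dev/urandom > "$tmp/smartkey_exported_key"   # constructed stand-in for the exported secret
    make_stand_in_wrapping_key "$tmp"
    wrap_key "$tmp/wrap-pub.pem" "$tmp/smartkey_exported_key" "$tmp/rsawrappedkey.bin"
    unwrap_key "$tmp/wrap-priv.pem" "$tmp/rsawrappedkey.bin" "$tmp/roundtrip.bin"
    cmp -s "$tmp/smartkey_exported_key" "$tmp/roundtrip.bin" && echo "round trip OK"
    echo "rsaEncryptedKey: $(wrapped_key_b64 "$tmp/rsawrappedkey.bin")"
fi
```

With a real provider key only wrap_key and wrapped_key_b64 apply; the unwrap step cannot be run because you never hold the provider's private key, which is exactly why checking the plaintext length before wrapping matters: a mis-sized or text-mangled key is otherwise discovered only when the provider rejects the import.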

Azure

Azure Key Vault only supports direct import of keys without wrapping, so only SECRET objects are supported for BYOK. See the Google Cloud section for generating and exporting SECRET keys.

You have to choose whether to upload your key as a software key or a hardware key, depending on your requirement.