2 posts tagged with "Crypto Operations"

Your Data, Your Keys, Your Control: Bring your own keys to AWS CloudHSM - Part 2

When managing sensitive data in the cloud, organizations increasingly want control over their encryption keys. Amazon Web Services (AWS) supports this with the Bring Your Own Key (BYOK) feature of AWS Key Management Service (KMS): you create a KMS key with no key material, generate the key material yourself (here, inside AWS CloudHSM), and import it into KMS. This guide provides a step-by-step approach to setting up BYOK in AWS, so that you keep control of the key material while using AWS's managed infrastructure.

Preliminary Steps: Environment Setup

1. Prepare Your EC2 Instance

First, create a working directory on your EC2 instance for the files this process produces:

mkdir /opt/vb-hsm/hsm-10
cd /opt/vb-hsm/hsm-10

2. Create the AWS KMS Key

Create a KMS key with origin EXTERNAL, which has no key material until you import some:

aws kms create-key --origin EXTERNAL --region us-east-1

Record the KeyId shown in the output; it is the YOUR_KEY_ID used in all subsequent steps.

Configuring the Key Alias

Create a user-friendly alias for your new KMS key to simplify management:

aws kms create-alias --alias-name alias/byok-mrk --target-key-id YOUR_KEY_ID

Preparing for Key Import

3. Retrieve Import Parameters

Generate and save the wrapping public key and import token for the key. Note that KMS issues these as a matched pair and they expire 24 hours after being issued, so the wrap and import below must be completed within that window:

aws kms get-parameters-for-import --key-id YOUR_KEY_ID --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048 --region us-east-1 > ./WrappingParameters.json

4. Extract and Prepare the Import Token

Extract the import token and the wrapping public key from the saved JSON. The public key is base64-encoded DER, so it is wrapped in PEM armor for CloudHSM; the import token is decoded to the raw binary form that import-key-material expects:

jq -r '.ImportToken' ./WrappingParameters.json > ./ImportToken.b64
echo -e "-----BEGIN PUBLIC KEY-----\n$(jq -r '.PublicKey' ./WrappingParameters.json)\n-----END PUBLIC KEY-----" > ./PublicKey.pem
openssl enc -d -base64 -A -in ./ImportToken.b64 -out ./ImportToken.bin

Importing the Public Key to CloudHSM

5. Initialize Crypto User Environment

Set the environment variables the CloudHSM CLI uses to log in as a crypto user (the user name and password shown are placeholders for your own crypto user's credentials):

export CLOUDHSM_ROLE=crypto-user
export CLOUDHSM_PIN=cu_user1:password123

6. Import the Public Key

Import the KMS wrapping public key into your HSM as an RSA public key that is permitted to wrap other keys:

/opt/cloudhsm/bin/cloudhsm-cli key import pem --path ./PublicKey.pem --label wrapping-key-example-11 --key-type-class rsa-public --attributes wrap=true

Key Wrapping and Import

7. Generate or Import Your Symmetric Key

If you do not already have a symmetric AES key in the HSM, generate a 32-byte (256-bit) one:

/opt/cloudhsm/bin/cloudhsm-cli key generate-symmetric aes --key-length-bytes 32 --label byok-kms-13

8. Wrap the Symmetric Key

Use the imported public key to wrap your symmetric key. The OAEP parameters must match the wrapping algorithm requested in step 3: RSAES_OAEP_SHA_256 means SHA-256 as the OAEP hash and MGF1 with SHA-256 as the mask generation function, and KMS will reject key material wrapped with any other combination:

/opt/cloudhsm/bin/cloudhsm-cli key wrap rsa-oaep --payload-filter attr.label=byok-kms-13 --wrapping-filter attr.label=wrapping-key-example-11 --hash-function sha256 --mgf mgf1-sha256 --path ./KMS-BYOK-May2024-11-wrapped.bin

9. Import the Key Material to KMS

Finally, import the wrapped key material into AWS KMS together with the import token from step 4. The --valid-to date below is an example value; choose an expiration that matches your key rotation policy:

aws kms import-key-material --key-id YOUR_KEY_ID --encrypted-key-material fileb://KMS-BYOK-May2024-11-wrapped.bin --import-token fileb://ImportToken.bin --expiration-model KEY_MATERIAL_EXPIRES --valid-to 2024-09-01T12:00:00-08:00 --region us-east-1
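
The wrap in step 8 can be rehearsed locally with openssl before anything is sent to KMS. The script below is an added example and not code from the original post: a locally generated RSA-2048 key pair stands in for the KMS wrapping key from step 3, a freshly generated 32-byte key stands in for the HSM key, and the OAEP parameters are the ones the post uses (RSAES_OAEP_SHA_256, i.e. SHA-256 with MGF1-SHA256). It checks the blob size that a correct RSA_2048 wrap must produce; the unwrap at the end is possible only because the stand-in private key is local, whereas in the real flow only KMS holds it.

```shell
#!/bin/sh
# Added example (not from the original post): rehearse the RSA-OAEP wrap step
# locally with openssl so the wrapped blob can be sanity-checked before
# `aws kms import-key-material`. The RSA key generated here is a stand-in for
# the KMS wrapping key; in the real flow only KMS has the private half.
set -eu
WORK="${TMPDIR:-/tmp}/byok-rehearsal"
mkdir -p "$WORK"

# Stand-in for WrappingParameters.json / PublicKey.pem (constructed, not from KMS).
make_standin_wrapping_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/kms-standin.key" 2>/dev/null
  openssl pkey -in "$WORK/kms-standin.key" -pubout -out "$WORK/PublicKey.pem"
}

# Step 6 check: the wrapping key must be RSA_2048, the spec requested in step 3.
check_wrapping_key_spec() {
  openssl pkey -pubin -in "$WORK/PublicKey.pem" -text -noout | grep -q '(2048 bit)'
}

# Steps 7 and 8 equivalent: a 32-byte AES key wrapped with RSAES_OAEP_SHA_256
# (OAEP padding, SHA-256 hash, MGF1 with SHA-256).
wrap_symmetric_key() {
  openssl rand -out "$WORK/aes.key" 32
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/PublicKey.pem" \
    -in "$WORK/aes.key" -out "$WORK/wrapped.bin" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
    -pkeyopt rsa_mgf1_md:sha256
}

# Pre-import check: RSA-2048 OAEP output is exactly 256 raw bytes. Any other
# size (e.g. 344) usually means the blob was base64-encoded or the wrong key
# spec was used, and KMS would reject it.
check_wrapped_blob() {
  [ "$(wc -c < "$WORK/wrapped.bin" | tr -d ' ')" -eq 256 ]
}

# Verification only: KMS performs this unwrap with its private key; here the
# stand-in private key does, and the result is compared with the original key.
unwrap_matches_original() {
  openssl pkeyutl -decrypt -inkey "$WORK/kms-standin.key" \
    -in "$WORK/wrapped.bin" -out "$WORK/unwrapped.key" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
    -pkeyopt rsa_mgf1_md:sha256
  [ "$(openssl dgst -sha256 < "$WORK/aes.key")" = \
    "$(openssl dgst -sha256 < "$WORK/unwrapped.key")" ]
}

rehearse_byok_wrap() {
  make_standin_wrapping_key && check_wrapping_key_spec && wrap_symmetric_key \
    && check_wrapped_blob && unwrap_matches_original
}
```

Running `rehearse_byok_wrap` succeeds only if every check passes; the same `check_wrapped_blob` size test can be pointed at the real KMS-BYOK-May2024-11-wrapped.bin before step 9.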

Conclusion

By following these steps, you have integrated BYOK with AWS KMS using CloudHSM, so that the key material in KMS originated in and is controlled by your HSM. This supports compliance with regulatory standards that require customer-controlled key material and strengthens the security posture of your cloud deployments. Managing your keys securely still requires careful planning, in particular around key material expiration and re-import, to protect your data effectively.

Your Data, Your Keys, Your Control: Bring your own keys to AWS CloudHSM - Part 1

Amazon Web Services (AWS) CloudHSM offers a robust solution for securing cryptographic keys and operations within the cloud, leveraging hardware security modules (HSMs) to enhance security. This guide walks through the process of setting up an AWS CloudHSM environment, from configuring EC2 instances to initializing and managing the HSM cluster.

Initial Setup: EC2 and CloudHSM Cluster

EC2 Configuration

  • Instance Selection: Start by provisioning an Amazon EC2 instance, choosing either a t2.micro or t2.small with Amazon Linux 2.
  • VPC Configuration: Ensure that the EC2 instance is set up within the same Virtual Private Cloud (VPC) as the intended CloudHSM cluster to facilitate seamless connectivity.

CloudHSM Cluster Creation

  • Access AWS Console: Navigate to the CloudHSM section within the AWS Console and start the process by selecting "Create Cluster".
  • VPC and AZ Selection: Choose the appropriate VPC. For simplicity, this setup uses a single Availability Zone (AZ), though two AZs are recommended for resilience.
  • Cluster Configuration: After providing necessary configurations like backups and tags, create the cluster. Once created, the cluster status will initially show as Uninitialized.

Initializing the CloudHSM Cluster

Key Management

  • Generate Key Pair: Before initializing, generate a new RSA key pair referred to as the customer key pair. This involves creating a private key and a corresponding self-signed certificate using OpenSSL commands.

Cluster Initialization

  • CSR Process: Navigate to the 'Initialize' action in the CloudHSM console and create an HSM instance in your cluster. You will need to download a Certificate Signing Request (CSR).
  • Sign CSR: Use the previously generated private key and self-signed certificate (customerCA.key and customerCA.crt) to sign the CSR. This proves your ownership of the HSM cluster.
openssl x509 -req -days 3652 -in <Cluster_ID>_ClusterCsr.csr \
-CA customerCA.crt -CAkey customerCA.key -CAcreateserial \
-out <Cluster_ID>_CustomerHsmCertificate.crt

Upload Certificates

  • Finalizing Initialization: Back in the AWS CloudHSM console, upload the signed cluster certificate and your issuing certificate. After uploading, finalize the initialization.

Activating the Cluster

Once the cluster is initialized, place the issuing certificate (customerCA.crt) on each EC2 instance that will connect to the cluster, then activate the cluster from the CloudHSM CLI:

/opt/cloudhsm/bin/cloudhsm-cli interactive
cluster activate

Configuring HSM CLI and User Management

HSM CLI Setup

  • Install CLI: Download and install the CloudHSM CLI tools on your EC2 instance.
wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/EL7/cloudhsm-cli-latest.el7.x86_64.rpm
sudo yum install ./cloudhsm-cli-latest.el7.x86_64.rpm

User Setup

  • Create Admin User: Use the HSM CLI (in interactive mode) to create an admin user. Once the admin user is set up, log in as that user and start managing the HSM cluster.
user create --username admin --role admin
login --username admin --role admin

Crypto User Creation

  • Manage Keys and Crypto Operations: Create crypto users (CUs), the accounts that own and use cryptographic keys. A CU can create, delete, share, import, and export keys, and perform cryptographic operations such as encryption and decryption; the admin user manages users but cannot use keys.

Conclusion

AWS CloudHSM provides a secure platform for cryptographic operations in the cloud. By following these detailed steps, you can set up your CloudHSM cluster, manage keys and users, and ensure high security and compliance with organizational standards. This setup not only enhances security but also provides a scalable solution for managing cryptographic keys and operations efficiently.