AWS External Key Store Resources
External Key Store (XKS) resources for integration with Amazon Web Services Key Management Service (AWS KMS) allow you to manage keys held in Luna Network HSMs (Hardware Security Modules) or a CipherTrust Manager, and allow AWS KMS to use those keys for cryptographic operations on demand.
The external custom key store entity on CipherTrust Cloud Key Manager (CCKM) provides access to AWS KMS to use source key material stored in HSM partitions or a CipherTrust Manager, while preserving end user control to manage those source keys outside of AWS KMS.
The external custom key store contains Hold Your Own Key (HYOK) keys, which act as intermediaries to the source key material stored in Luna HSM or CipherTrust Manager. Luna or CipherTrust Manager (depending on which key source you are using) executes the cryptographic operations.
External custom key stores and HYOK keys on CCKM can be created as linked or unlinked to an external key store in AWS KMS. Linked key stores and keys automatically synchronize with objects in AWS KMS, and unlinked key stores do not. Unlinked key stores and HYOK keys require you to either link those objects, which automatically creates corresponding external key stores and KMS keys on AWS KMS, or to manually create corresponding objects in AWS KMS.
Required Resources
If using a Luna HSM as a key source, ensure that you have at least one Thales Luna Network HSM (v7.4 or higher) with at least one initialized network trust link (NTLS) or Secure Trusted Channel (STC) partition. Preferably, you should have two HSMs for redundancy. When you connect multiple Luna Network HSM partitions to CipherTrust Manager, the partitions automatically become HA (High Availability) enabled and replicate keys to each other.
Warning
HSMs configured for Functionality Modules (FMs) are not compatible with this integration.
An AWS Account.
Suggested Deployment Architectures
We recommend deploying at least two CipherTrust Managers in cluster to provide proper redundancy and availability to AWS KMS. All XKS resources and configurations are replicated across all nodes. If using Luna HSM as a key source, then we recommend connecting two or more Luna Network HSM partitions for redundancy. When you connect multiple partitions, they automatically become HA enabled and replicate keys to each other.
If using Luna HSM as a key source, you must establish connections with the CipherTrust Manager instances and the AWS account that manages corresponding KMS keys and external key stores, as described in Managing External Key Store Resources.
If using CipherTrust Manager as a key source, you must establish connections between the CipherTrust Manager instances and the AWS account.
Deployment topologies vary based on usage of AWS Virtual Private Cloud (VPC). The following are the supported deployment topologies:
Host the CipherTrust Manager instances on a VPC
Host the CipherTrust Manager instances on premises with a VPC connection
Host the CipherTrust Manager instances on premises and make them publicly routable and available over the Internet
In these topologies, the key source is either Luna HSM or CipherTrust Manager. When using Luna HSMs, these are deployed on premises.
Deployment Prerequisites
The CipherTrust Manager must be reachable through a Fully Qualified Domain Name (FQDN).
In VPC deployments, you provide this value to set the Private DNS Name in the VPC endpoint service. If you are operating an unlinked key store and manually creating an external key store on AWS KMS, you also provide this value as the Proxy URI endpoint. For publicly routable deployments without a load balancer, you provide this value as the Proxy URI endpoint.
You can change the default port (443) of the CipherTrust Manager web interface, but you must do so BEFORE configuring the given cloud service on CCKM. However, in the case of AWS XKS, AWS KMS only accepts and sends requests on the default port 443. If you want the web interface to use a port other than the default, add a network component, such as a load balancer or a firewall, in front of CipherTrust Manager, and configure port mapping on that component from port 443 to the non-default port on the CipherTrust Manager you plan to use. For more information, refer to Support for Changing the Default Port of Web Interface Setting.
The web interface must have a TLS certificate signed by an external Certificate Authority (CA) trusted by AWS. AWS trusts certificates issued by well-known public CAs such as Verisign.
The Common Name (CN) in the web interface certificate must be set to a specific value. A good default value for the CN is the CipherTrust Manager FQDN. For VPC deployments with more than one AWS KMS external key store, the CN should include the wildcard asterisk character (*). If you are using a load balancer with a publicly routable deployment, and the load balancer is set to do SSL passthrough, include the wildcard asterisk character (*) in the CN.
We recommend setting up all networking elements before creating the external custom key store on CCKM. This is especially important when you create an external custom key store in the linked state, because the connection between AWS KMS and the new external custom key store must be validated successfully before a linked key store can be created. For example, for CipherTrust Manager hosted on premises with a VPC connection, configure VPC endpoints as described in the AWS documentation before creating the external custom key store on CCKM.
The Health Check Key must be created before you create a key store. The health check is initiated on whichever key source holds the key store, so the attributes the key needs depend on its location.
If the key store is on Luna HSM, the Health Check Key must have the following attributes:
CKA_EXTRACTABLE = FALSE
CKA_SENSITIVE = TRUE
CKA_ENCRYPT = TRUE
CKA_DECRYPT = TRUE
CKA_WRAP = TRUE
CKA_UNWRAP = TRUE
If the key store is on CipherTrust Manager, the Health Check Key must have the following attributes:
Key Not Exportable
Key Not Deletable
Usage Masks: Encrypt, Decrypt, Wrap, Unwrap
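As an added example (not Thales or AWS code), the following builds a PKCS#11 key-generation template for a Luna-hosted Health Check Key with the attribute values listed above, and checks that a given template carries all six; the 256-bit AES key length is an assumption, and the standard CKA_* constant values are inlined only so the file compiles without the vendor's cryptoki.h.

```c
/* Inlined standard PKCS#11 constants so this compiles without cryptoki.h;
 * real code includes the vendor header instead. */
#include <stddef.h>
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CK_TRUE  1
#define CK_FALSE 0
#define CKA_TOKEN       0x001UL
#define CKA_SENSITIVE   0x103UL
#define CKA_ENCRYPT     0x104UL
#define CKA_DECRYPT     0x105UL
#define CKA_WRAP        0x106UL
#define CKA_UNWRAP      0x107UL
#define CKA_VALUE_LEN   0x161UL
#define CKA_EXTRACTABLE 0x162UL

/* The six attribute values the page requires for a Luna-hosted Health Check Key. */
static const struct { CK_ULONG type; CK_BBOOL want; } required[] = {
    { CKA_EXTRACTABLE, CK_FALSE }, { CKA_SENSITIVE, CK_TRUE }, { CKA_ENCRYPT, CK_TRUE },
    { CKA_DECRYPT, CK_TRUE },      { CKA_WRAP, CK_TRUE },      { CKA_UNWRAP, CK_TRUE },
};

/* Returns 1 only if every required attribute is present with the required value;
 * a missing attribute fails rather than trusting the token's default for it. */
int template_meets_xks_health_check(const CK_ATTRIBUTE *tmpl, CK_ULONG count)
{
    for (size_t i = 0; i < sizeof required / sizeof required[0]; i++) {
        int found = 0;
        for (CK_ULONG j = 0; j < count; j++) {
            if (tmpl[j].type != required[i].type) continue;
            if (tmpl[j].ulValueLen != sizeof(CK_BBOOL) ||
                *(const CK_BBOOL *)tmpl[j].pValue != required[i].want) return 0;
            found = 1;
        }
        if (!found) return 0;
    }
    return 1;
}

/* CKM_AES_KEY_GEN template for the key: a 256-bit token key (the key type and
 * length are an assumption; the page lists only the boolean attributes). */
static CK_ULONG aes256_len = 32;
static CK_BBOOL yes = CK_TRUE, no = CK_FALSE;
CK_ATTRIBUTE health_check_template[] = {
    { CKA_TOKEN, &yes, sizeof yes },     { CKA_VALUE_LEN, &aes256_len, sizeof aes256_len },
    { CKA_EXTRACTABLE, &no, sizeof no }, { CKA_SENSITIVE, &yes, sizeof yes },
    { CKA_ENCRYPT, &yes, sizeof yes },   { CKA_DECRYPT, &yes, sizeof yes },
    { CKA_WRAP, &yes, sizeof yes },      { CKA_UNWRAP, &yes, sizeof yes },
};
const CK_ULONG health_check_template_len = 8;
```

Pass `health_check_template` to `C_GenerateKey` with `CKM_AES_KEY_GEN` on the Luna partition; running the check first catches a template that would leave the key extractable or unable to wrap.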
CipherTrust Manager Hosted on VPC
CipherTrust Manager deployment inside a VPC is described in the Amazon Web Services deployment page. Detailed VPC configuration, such as availability zones, is described in AWS Key Management Service Deployment Guide.
CipherTrust Manager Hosted on VPC Using Luna HSM as a Key Source
CipherTrust Manager Hosted on VPC Using CipherTrust Manager as a Key Source
CipherTrust Manager Hosted on Premise with VPC Connection
Configuration of VPC endpoints is described in AWS Key Management Service Deployment Guide.
CipherTrust Manager Hosted on Premise Using Luna HSM as a Key Source
CipherTrust Manager Hosted on Premise Using CipherTrust Manager as a Key Source
CipherTrust Manager on Premise with Public Routable Connection
CipherTrust Manager on Premise with Public Routable Connection Using Luna HSM as a Key Source
CipherTrust Manager on Premise with Public Routable Connection Using CipherTrust Manager as a Key Source
Network Considerations for Optimal Stability and Performance
There are some important network considerations for deployments of an external key store.
AWS KMS, Luna HSM appliances (if using Luna HSMs as a key source), and CipherTrust Manager instances should all be as geographically close together as possible. The supported AWS regions are described in AWS Key Management Service Deployment Guide.
When Luna HSM is the key source, we recommend a round-trip network latency of 25 ms or less between CipherTrust Manager and the HSM.
When CipherTrust Manager is the key source, we recommend a round-trip network latency of 35 ms or less between AWS KMS and the CipherTrust Manager.
We recommend preparing only one or two external key stores per deployment.
For a summary of AWS XKS performance, refer to AWS XKS Performance Summary.
High Level Integration Process Using Luna HSM as a Key Source
These are the high-level steps to allow AWS KMS to begin making cryptographic requests to source keys through external custom key stores within CCKM. Unlinked external custom key stores and HYOK keys require additional steps.
Deploy two CipherTrust Manager instances in keeping with the deployment prerequisites. Cluster the instances together.
Deploy one or more Luna Network HSM partitions with initialized NTLS or STC partitions, as described in Luna Network HSM documentation. Preferably, you would have two HSM servers with at least one partition each.
If needed for a VPC connection, configure VPC endpoints as described in the AWS Key Management Service Developer Guide.
Prepare an External Custom Key Store.
As part of this process, you establish CipherTrust Manager connections to Luna HSM partitions and to the AWS account, and create an external custom key store on CCKM.
If you created an unlinked key store on CCKM, you must either link the key store or create a corresponding external key store on AWS KMS as described in AWS Key Management Service Deployment Guide.
In the CipherTrust Manager web console for AWS keys, you create a Hold Your Own Key (HYOK) key. An associated backing Luna HSM source key is implicitly created.
In the CipherTrust Manager REST API, you create a Luna HSM source key, provide its value to create a virtual key, and then create an HYOK key associated with the virtual key.
If you have created an unlinked HYOK key on CCKM, either link the key or create a KMS key in the AWS external key store associated with the HYOK key on CCKM.
High Level Integration Process Using CipherTrust Manager as a Key Source
These are the high-level steps to allow AWS KMS to begin making cryptographic requests to CipherTrust Manager source keys through external custom key stores within CCKM. Unlinked external custom key stores and HYOK keys require additional steps.
Deploy two CipherTrust Manager instances in keeping with the deployment prerequisites. Cluster the instances together.
If needed for a VPC connection, configure VPC endpoints as described in the AWS Key Management Service Developer Guide.
Prepare an External Custom Key Store.
As part of this process, you establish a CipherTrust Manager connection to the AWS account and create an external custom key store on CCKM.
If you created an unlinked key store on CCKM, you must either link the key store or create a corresponding external key store on AWS KMS, as described in AWS Key Management Service Deployment Guide.
If you have created an unlinked HYOK key on CCKM, either link the key or create a KMS key in the AWS external key store associated with the HYOK key on CCKM.
AWS and CCKM Terminology
Terms used in AWS documentation, API, or AWS Console can differ from terms used in CCKM documentation, CipherTrust Manager REST API, and CipherTrust Manager web console for the same concepts. The following table provides equivalencies.
AWS term(s) | CCKM term(s) | Notes |
---|---|---|
External key | Luna HSM source key or CipherTrust Manager source key | Generally refers to the key material which performs cryptographic operations. |
External Key ID, XksKeyId | XKS ID, XksKeyConfiguration:Id, HYOK ID | This is the key identifier which AWS KMS specifies in cryptographic requests. Important Note: This XKS ID is associated with the HYOK key. It is not the ID of the source CipherTrust Manager or Luna HSM key. |
External Key Store | External Custom Key Store, Custom Key Store | CCKM documentation refers to the CCKM object as external custom key store and the AWS object as external key store. Product interfaces may use these terms interchangeably. |
Proxy URI endpoint | XKS Proxy URI Endpoint | This value is the hostname of the server entity which AWS KMS first connects to for cryptographic requests. In VPC deployments, this is the Private DNS Name set for the VPC endpoint service. In non-VPC deployments, this is usually a load balancer. |
Proxy URI Path | XKS Proxy URI Path | This is the path associated with an external custom key store in CCKM. |
XKS proxy configuration file | Credentials file | The downloadable file available in CCKM when you create a new external custom key store or rotate the credentials for an external custom key store. This file contains the external custom key store's Proxy URI path prefix, Access key ID, and Secret access key values. |