Google Cloud Platform Customer Supplied Encryption Key
This guide shows you how to use a Luna HSM to manage your own encryption keys for Google Cloud Storage. Normally, Google uses its own keys to protect your data at rest. If you need extra security or have specific compliance needs, you can create your own AES-256 encryption key, base64-encode it, and use it as your Customer Supplied Encryption Key (CSEK). Here's how it works: when you provide your key, Google uses it to wrap its own encryption keys, so that only someone holding your key can unwrap them and read the data. Google does not keep your key on its servers; it keeps only a cryptographic hash of the key for validation. You must provide the key whenever you add or access data, but not when you are only listing what is stored or deleting items. Remember that you are in charge of your key: if you lose it, neither Google nor anyone else can recover your data.
This integration strengthens security, helps meet strict compliance requirements, and gives you greater control over data protection. Key benefits include:
- Secure generation, storage, and protection of the identity signing private keys using either FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.
- Full life cycle management of the keys to ensure their integrity and reliability throughout their usage.
- Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations.
- Significant performance enhancements by offloading cryptographic operations from application servers.
Supported Platforms
This integration is tested/verified on the following operating systems:
HSM Type | Supported Platform
---|---
Luna HSM | Windows Server 2016
Luna Cloud HSM | Windows Server 2012 R2
Prerequisites
Before proceeding with the integration, ensure the following tasks are completed:
Configure Luna HSM
As the first step to accomplish this integration, you need to set up either On-Premise Luna HSM or Luna Cloud HSM.
Set up On-Premise Luna HSM
Follow these steps to set up your on-premise Luna HSM:
1. Ensure that the HSM is set up, initialized, provisioned, and ready for deployment. For more information, refer to the Luna HSM documentation.
2. Create a partition that will later be used by HAProxy.
3. Create and exchange certificates between the Luna Network HSM and the client system. Register the client and assign the partition to create an NTLS connection.
4. Initialize the Crypto Officer and Crypto User roles for the registered partition.
5. Run the following command to verify that the partition has been successfully registered and configured:
C:\Program Files\SafeNet\LunaClient>lunacm.exe
Upon successful execution, you should observe output similar to the example below:
lunacm.exe (64-bit) v10.4.0-417. Copyright (c) 2021 SafeNet. All rights reserved.

Available HSMs:

Slot Id ->              0
Label ->                TPA01
Serial Number ->        1312109862201
Model ->                LunaSA 7.7.1
Firmware Version ->     7.7.1
Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description ->     Net Token Slot
FM HW Status ->         Non-FM

Current Slot Id ->      0
Note
Refer to Luna HSM documentation for detailed steps on creating NTLS connection, initializing the partitions, and assigning various user roles.
Note
For proper configuration of a PED-based Luna HSM, it is recommended to activate partition policies 22 and 23, allowing for both activation and auto-activation.
Note
This integration is fully tested with both HA and FIPS modes.
Set up Luna HSM HA group
Refer to the Luna HSM documentation for HA steps and details on configuring and setting up two or more HSM boxes on host systems. You must enable the HAOnly setting in HA for failover to work, so that if the primary goes down for any reason, all calls are automatically routed to the secondary until the primary recovers and starts up.
Set up Luna Cloud HSM
Follow these steps to set up your Luna Cloud HSM:
1. Transfer the downloaded .zip file to your client workstation using pscp, scp, or other secure means.
Note
This integration has been certified on the RHEL platform.
2. Extract the .zip file into a directory on your client workstation.
3. Extract or untar the appropriate client package for your operating system. Do not extract to a new subdirectory; place the files in the client install directory.
tar -xvf cvclient-min.tar
4. Run the setenv script to create a new configuration file containing the information required by the Luna Cloud HSM service.
source ./setenv
Note
To add the configuration to an already installed UC client, use the -addcloudhsm option when running the setenv script.
5. Run the LunaCM utility and verify that the Cloud HSM service is listed.
Note
If your organization requires non-FIPS algorithms for your operations, ensure that the Allow non-FIPS approved algorithms check box is checked. For more information, refer to Supported Mechanisms.
Set up Google Cloud Platform
Here's the step-by-step process to set up Google Cloud Platform:
1. Ensure you have a Google account, or create one if you don't.
2. Navigate to the Google Cloud Console at https://console.cloud.google.com and log in with your Google account.
3. Download the Google Cloud SDK from https://cloud.google.com/sdk/.
4. Install the Google Cloud SDK on your system following the instructions provided on the download page.
5. Use the SDK's tools (gcloud, gsutil, and bq) either interactively or in scripts to manage Compute Engine, Cloud Storage, BigQuery, and so on.
Note
Before proceeding, check if your country supports Customer-Supplied Encryption Keys (CSEK) as there might be restrictions. Look up the list of unsupported countries in Google Cloud's documentation.
Note
Familiarize yourself with concepts like disks, images, snapshots, and VM instances by reading Google Cloud Platform's documentation.
Note
To use command-line examples, ensure the Luna HSM partition is accessible, install OpenSSL and add it to your PATH environment variables, and initialize the Google Cloud SDK with your default region and zone using the installation and initialization guide at https://cloud.google.com/sdk/docs/install-sdk.
Note
For further guidance, refer to the Google Cloud SDK documentation at https://cloud.google.com/sdk/docs/install-sdk.
Integrate Luna HSM with Google Cloud Platform CSEK
The integration involves the following steps:
Generate the Customer Supplied Encryption Key for Google Cloud
To generate a Customer-Supplied Encryption Key (CSEK) for Google Cloud using Luna HSM, follow these steps:
1. Download the Google Compute Engine public certificate from https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem. Save the file in the Luna Client installation directory to simplify execution of subsequent commands.
2. Open a command prompt and navigate to the Luna Client installation directory:
cd "C:\Program Files\SafeNet\LunaClient"
3. Extract the public key from the certificate using OpenSSL:
openssl x509 -pubkey -noout -in google-cloud-csek-ingress.pem > pubkey.pem
4. Import the extracted public key into the HSM partition using the cmu utility:
cmu import -pubkey RSA -inputFile pubkey.pem -label "google public key"
When prompted, enter the HSM partition password.
5. Verify that the key has been imported successfully by running:
cmu list
Enter the HSM partition password when prompted.
6. Ensure that the public key attributes (Encrypt, Verify, Wrap) are set to true using the following command:
C:\Program Files\SafeNet\LunaClient>cmu getAttribute -handle=62
Note
Replace 62 with the key handle of the imported public key and enter the HSM partition password when prompted. If the attributes are not set to true, update them using the command cmu setAttribute -handle=62 -encrypt=true -wrap=true. Again, replace 62 with the public key handle and provide the HSM partition password when prompted.
7. Create an AES-256 key on the Luna HSM partition for encrypting data on Google Cloud. Use the ckdemo utility:
C:\Program Files\SafeNet\LunaClient>ckdemo
When prompted, follow these options to generate the AES-256 key:
(1) Open Session
Enter your choice: 1
(3) Login
Enter your choice: 3
Select the Crypto Officer role:
Partition SO [0] Crypto Officer [1] Crypto User [2]: 1
Enter PIN : ********
(45) Simple Generate Key
Enter your choice: 45
Choose the AES key type:
> 16
Provide the key attributes:
Enter Key Length in bytes (16, 24, 32): 32
Enter Is Token Attribute [0-1]: 1
Enter Is Sensitive Attribute [0-1]: 1
Enter Is Private Attribute [0-1]: 1
Enter Encrypt Attribute [0-1]: 1
Enter Decrypt Attribute [0-1]: 1
Enter Sign Attribute [0-1]: 1
Enter Verify Attribute [0-1]: 1
Enter Wrap Attribute [0-1]: 1
Enter Unwrap Attribute [0-1]: 1
Enter Derive Attribute [0-1]: 1
Enter Extractable Attribute [0-1]: 1
Once complete, the system outputs the generated AES key handle:
Generated AES Key: 139 (0x0000008b)
Here, 139 is the key handle of the generated AES-256 key. Keep this handle for later use.
8. Wrap the AES-256 key using the public key extracted from the Compute Engine certificate. Use OAEP padding for wrapping. In the same ckdemo session, follow these steps:
(60) Wrap Key
Enter your choice: 60
Select the wrapping mechanism from the available options:
[1]DES-ECB  [2]DES-CBC  [3]DES3-ECB  [4]DES3-CBC
[7]CAST3-ECB  [8]CAST3-CBC  [9]RSA  [10]TRANSLA
[11]DES3-CBC-PAD  [12]DES3-CBC-PAD-IPSEC  [13]SEED-ECB  [14]SEED-CBC
[15]SEED-CBC-PAD  [16]DES-CBC-PAD  [17]CAST3-CBC-PAD  [18]CAST5-CBC-PAD
[19]AES-ECB  [20]AES-CBC  [21]AES-CBC-PAD  [22]AES-CBC-PAD-IPSEC
[23]ARIA-ECB  [24]ARIA-CBC  [25]ARIA-CBC-PAD  [26]RSA_OAEP
[27]SET_OAEP  [28]AES-CTR  [29]DES3-CTR  [30]AES-KW
[31]AES-KWP  [34]AES-KEY-WRAP  [35]AES-GCM
Choose RSA_OAEP as the wrapping mechanism:
Select mechanism for wrapping: 26
Specify the OAEP source data file:
Enter filename of OAEP Source Data [0 for none]: 0
Enter the handle of the wrapping key (the Google public key):
Enter handle of wrapping key (0 to list available objects) : 62
Enter the handle of the AES key to be wrapped:
Enter handle of key to wrap (0 to list available objects) : 139
Once complete, the wrapped key is saved in the file wrapped.key. Here, 62 and 139 refer to the handles of the Google public key and the AES-256 key, respectively.
Note
wrapped.key is the output file containing the RSA-wrapped AES key.
9. Exit the ckdemo session:
Enter your choice: 0
Exiting GESC SIMULATION LAB
10. Encode the RSA-wrapped key in base64 format using the following OpenSSL command:
C:\Program Files\SafeNet\LunaClient>openssl enc -base64 -in wrapped.key > rsawrapencodedkey.txt
11. Open rsawrapencodedkey.txt in any text editor. Ensure the entire key appears on a single line, and remove any line breaks or carriage returns (openssl wraps base64 output at 64 characters by default).
Encrypt the data using the generated CSEK
To create an encrypted disk using a Customer-Supplied Encryption Key (CSEK) in Google Cloud, follow these steps:
1. Open a web browser, go to the Google Cloud Console, and sign in with your Google Cloud account.
2. Navigate to Compute Engine > Disks, then click Create Disk.
3. Enter a Name and an optional Description, select a Zone, and set the Disk Type to Standard Persistent Disk. Choose a Source Type, then select the required Source Image (operating system) and specify the Size (GB).
4. Under Encryption, select Customer-Supplied Encryption Key. In the text box provided, enter or paste the key from the rsawrapencodedkey.txt file. Confirm all details and click Create. The disk is now created and encrypted with the supplied key, and can be used to create a virtual machine (VM).
5. Go to Compute Engine > VM Instances, then click Create Instance to set up a VM using the encrypted disk.
6. Enter a Name, select a Zone, and configure the Machine settings. In the Boot disk section, click Change, then select Existing disk. The encrypted disk created in the previous steps is listed. When prompted, enter the same encryption key used earlier, select the Wrapped key checkbox, and click Select.
7. In the Firewall section, select Allow HTTP traffic and Allow HTTPS traffic, then click Create.
After a few seconds, the instance will be ready to connect via SSH using the external IP assigned by the cloud network.
Note
Refer to the Google Cloud documentation or the Appendix for steps to connect to the VM through SSH.
Note
A VM encrypted with CSEK cannot be started from the Cloud Console. Use the gcloud compute utility as described in this Integration Guide, or open Cloud Shell, to start the VM. When doing so, provide the csek-key-file, which contains the encrypted resource and the wrapped encryption key.
Using Google Cloud Command-Line Tool
To create and manage encrypted disks and VM instances using Customer-Supplied Encryption Keys (CSEK) with the Google Cloud Command-Line Tool (gcloud compute), follow these steps:
1. Create a key file in JSON format that contains the encrypted resource details. This file stores the fully qualified URI of the resource, the encryption key, and the key type. Save the following content as example-file.json, replacing YOUR_PROJECT_ID and YOUR_ZONE with the appropriate values:
[
  {
    "uri": "https://www.googleapis.com/compute/v1/projects/YOUR_PROJECT_ID/zones/YOUR_ZONE/disks/disk-1",
    "key": "BASE64_ENCODED_RSA_WRAPPED_KEY",
    "key-type": "rsa-encrypted"
  }
]
2. Create an encrypted disk using the key file by running the following command:
gcloud compute disks create disk-1 --size=30GB --image-family centos-7 --image-project centos-cloud --csek-key-file example-file.json
3. Create a VM instance using the encrypted disk with the following command:
gcloud beta compute instances create instance-1 --disk name=disk-1,boot=yes --csek-key-file example-file.json
4. Once the VM instance is created, connect to it via SSH. Refer to the Appendix for steps on connecting to the VM through SSH.
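The two manual steps that most often go wrong in this procedure are the base64 encoding of wrapped.key (steps 10 and 11 of the key-generation procedure, where stray line breaks from OpenSSL's 64-character wrapping end up in the pasted key) and hand-editing the example-file.json above. The following Python script is an added example, not code from this guide, from Thales, or from Google: it encodes the wrapped blob on one line, strips and validates an already-encoded key file, and writes the JSON entry that gcloud compute reads. It assumes the Compute Engine ingress certificate carries a 2048-bit RSA key, so that an RSA-OAEP-wrapped AES-256 key is exactly 256 bytes; the sample blob is constructed test data, not a real wrapped key, and the "raw" key type is Google's documented alternative for an unwrapped 32-byte key, which this guide does not use.

```python
"""Turn an RSA-wrapped CSEK blob into a gcloud --csek-key-file entry.

Added example; not code from the Thales guide or from Google.
Assumption: the wrapping key is RSA-2048, so the OAEP-wrapped AES-256 key
written by ckdemo (wrapped.key) is exactly 256 bytes.
"""
import base64
import json
import re

WRAPPED_KEY_BYTES = 256   # assumption: 2048-bit RSA wrapping key
RAW_KEY_BYTES = 32        # an unwrapped AES-256 key, for key-type "raw"

# Constructed stand-in for the wrapped.key file produced by ckdemo.
SAMPLE_WRAPPED_KEY = bytes(range(256))


def encode_wrapped_key(blob: bytes) -> str:
    """Base64-encode the wrapped key on a single line, with no CR/LF."""
    if len(blob) != WRAPPED_KEY_BYTES:
        raise ValueError(f"wrapped key is {len(blob)} bytes, expected {WRAPPED_KEY_BYTES}")
    return base64.b64encode(blob).decode("ascii")


def normalize_encoded_key(text: str, expected_len: int = WRAPPED_KEY_BYTES) -> str:
    """Remove the line breaks that 'openssl enc -base64' inserts every 64
    characters and check that what remains decodes to a key of the expected size."""
    key = re.sub(r"\s+", "", text)
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", key):
        raise ValueError("encoded key contains characters outside the base64 alphabet")
    decoded = base64.b64decode(key, validate=True)
    if len(decoded) != expected_len:
        raise ValueError(f"key decodes to {len(decoded)} bytes, expected {expected_len}")
    return key


def disk_uri(project: str, zone: str, disk: str) -> str:
    """Fully qualified Compute Engine disk URI, as used in the key file."""
    return (f"https://www.googleapis.com/compute/v1/projects/{project}"
            f"/zones/{zone}/disks/{disk}")


def build_csek_key_file(project, zone, disk, encoded_key, key_type="rsa-encrypted"):
    """Return the list that gcloud expects in --csek-key-file.

    "rsa-encrypted" is the wrapped form this guide produces; "raw" is the
    plain base64 AES-256 key that Google also accepts."""
    if key_type == "rsa-encrypted":
        key = normalize_encoded_key(encoded_key, WRAPPED_KEY_BYTES)
    elif key_type == "raw":
        key = normalize_encoded_key(encoded_key, RAW_KEY_BYTES)
    else:
        raise ValueError(f"unknown key-type {key_type!r}")
    return [{"uri": disk_uri(project, zone, disk), "key": key, "key-type": key_type}]


def write_csek_key_file(path: str, entries: list) -> None:
    """Write the entries as the JSON document gcloud reads."""
    with open(path, "w", encoding="ascii") as fh:
        json.dump(entries, fh, indent=2)


if __name__ == "__main__":
    # Replace SAMPLE_WRAPPED_KEY with open("wrapped.key", "rb").read() in practice.
    one_line = encode_wrapped_key(SAMPLE_WRAPPED_KEY)
    entries = build_csek_key_file("YOUR_PROJECT_ID", "YOUR_ZONE", "disk-1", one_line)
    write_csek_key_file("example-file.json", entries)
    print(json.dumps(entries, indent=2))
```

Run it in the Luna Client directory after step 9 to replace steps 10, 11 and the hand-written JSON with one checked step; if the pasted key was truncated or contains a stray character, the script refuses to write the file instead of letting gcloud fail later with a less specific error.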
Stop and start the VM encrypted by CSEK
To stop and start a VM instance encrypted with a Customer-Supplied Encryption Key (CSEK), follow these steps:
1. Stop the VM instance by running the following command:
gcloud compute instances stop instance-1
2. Start the VM instance and provide the encryption key file using the following command:
gcloud beta compute instances start instance-1 --csek-key-file example-file.json
Note
Each time a read or write operation is performed on the encrypted disk, the base64-encoded wrapped key must be provided. Google Cloud retains the CSEK only for the duration of the operation, and the encryption key remains secured in the Hardware Security Module (HSM). For additional operations with encrypted disks, refer to the Google Cloud documentation.
Note
Stopping or deleting a VM instance does not require the encryption key, but starting an encrypted VM or creating a snapshot of an encrypted disk does.
Note
The wrapped key can be deleted from the local system if no longer needed, but keeping it is safe as it can only be unwrapped using Google’s private key.
Appendix: Connecting to a VM using SSH
To connect to a VM instance via SSH using the Google Cloud SDK, follow these steps:
1. Open the Google Cloud SDK Shell and run the following command:
gcloud compute --project "zinc-window-164420" ssh --zone "us-central1-b" "instance-1"
This command establishes an SSH connection to the specified VM instance.
Note
The gcloud tool automatically generates SSH keys when connecting to an instance and applies them to the project. The public key is stored at C:\Users\[USER_NAME]\.ssh\google_compute_engine.pub, and the private key is stored at C:\Users\[USER_NAME]\.ssh\google_compute_engine.
2. Download PuTTY and PuTTYgen.exe from the following URL: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html.
Note
Download the 64-bit Windows Installer.
3. Run PuTTYgen by opening the downloaded puttygen.exe file. A window appears where you can configure the key generation settings.
4. Keep the default parameters selected and click Generate to create a new key pair. Once key generation is complete, the public key value is displayed.
5. Enter your Google username in the Key comment section. The key follows this format:
ssh-rsa [KEY_VALUE] [USERNAME]
Note
[KEY_VALUE] is the key generated by PuTTYgen and [USERNAME] is your Google username.
6. (Optional) Enter a Key passphrase to add an extra layer of security.
7. Click Save private key and save the file. For this example, name it my-ssh-key.ppk.
8. Click Save public key to store your public key in a file for later use. Keep the PuTTYgen window open.
9. In the Google Cloud Console, go to Metadata → SSH Keys → Edit.
10. Copy the entire public key value from PuTTYgen and paste it as a new entry in the SSH Keys list on the Metadata page. The public key value is displayed at the top of the PuTTYgen window.
11. Scroll to the bottom of the SSH Keys page and click Save to apply the new project-wide SSH key.
12. Run putty.exe. In PuTTY, enter your Google username and the external IP address of the instance you want to connect to in the Host Name field. The username is the same as the one used to access your Google Cloud project.
13. On the left side of the PuTTY window, navigate to Connection → SSH → Auth.
14. Specify the path to your private key file in the Private key file for authentication field. For this example, use the path to the my-ssh-key.ppk file.
15. Click Open to establish a connection to the instance. If the connection is successful, a terminal window opens, allowing you to run commands on your instance.