Exporting keys from SmartKey to Cloud Providers for BYOK - AWS Automated


This topic describes how to export keys from SmartKey into AWS.


SmartKey Setup

You will need to have an account in SmartKey, where you should create a group and add an App in the group. Note the API key of this app as that will be needed to authenticate to SmartKey and perform various operations.


Programmatic procedure described in this document involves use of following tools for interacting with AWS and SmartKey.

  • SmartKey CLI
    • This is a python tool which provides a command line interface to work with SmartKey.
    • It can be downloaded from here under the CLI section.
    • This is an AWS tool to manage and work with AWS services.
    • For details and installation instructions please look at this link.


Use the following script to automate BYOK in AWS:


# Install aws cli, smartkey-cli before running this script

# Setup environment variable and temporary files for storing key material
export FORTANIX_API_ENDPOINT=https://amer.smartkey.io

# run aws configure and enter your access key, secret key, region, and default output format (text) 
aws configure

# Create external key in AWS 
aws_kid=$(aws kms create-key --origin EXTERNAL | awk '{print $6}') 

# Get description of key
aws kms describe-key --key-id $aws_kid

# Get import parameters for external key created in AWS
params=$(aws kms get-parameters-for-import --key-id $aws_kid --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048)
echo $params | awk '{print $4}' | base64 -D > $wrappingkey_file
echo $params | awk '{print $1}' | base64 -D > $import_token_file 

# Log in to SmartKey
smartkey-cli app-login
# Generate Key in SmartKey
key_name="AWS Key"$RANDOM
kid=$(sdkms-cli create-key --name "$key_name" --obj-type AES --key-size 256 --exportable -f)
# Import public key to SmartKey
wrapping_key_name="AWS wrapping key"$RANDOM
wrapping_kid=$(sdkms-cli import-key --in $wrappingkey_file --der --name "$wrapping_key_name" --obj-type RSA)
# Wrap SmartKey key with wrapping key obtained from SmartKey 
smartkey-cli wrap-key --wrapping-kid $wrapping_kid --kid $kid --alg RSA --mode OAEP_MGF1_SHA256 --out $wrapped_blob
# Log out from SmartKey
smartkey-cli app-logout

# Import key to AWS 
aws kms import-key-material --key-id $aws_kid --encrypted-key-material fileb://$wrapped_blob --import-token fileb://$import_token_file --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE

# Get description of key 
aws kms describe-key --key-id $aws_kid

# Cleanup 
rm $wrappingkey_file $import_token_file $wrapped_blob

AWS BYOK Automation Using Plugin

  1. Go to the SmartKey home page and click the Plugins tab.

  2. In the Plugins page, click the PLUGIN LIBRARY tab. Then, select AWS BYOK from the list of available plugins.

  3. Click GET PLUGIN to install the plugin.

  4. Review the plugin name and assign it to a group, and then click Save.

  5. To test the plugin, go to Plugins > Library Plugins > select the plugin. In the Code tab, you can view/edit the plugin, add test inputs and run tests on the plugin.

    For more details on the plugin, you can refer to the plugin library for latest updates.