Using SmartKey with Google Cloud EKM

Overview

SmartKey provides secure key management and crypto as a service, simplifying provisioning and control of encryption keys. With Google Cloud services such as BigQuery or Compute Engine, SmartKey can act as an External Key Manager (EKM) to secure your data on the Google Cloud Platform. This gives you the benefit of centralized key management with complete control over the location, distribution and access of your keys while you process and store your data in the cloud.

In this document, we lay out the steps required to set up SmartKey as an External Key Manager with Google Cloud Platform, namely:

  1. Enabling the Cloud Key Management Service (KMS) API in the Google Cloud project
  2. Obtaining Google Cloud Service Account email address
  3. Generating or Importing an Advanced Encryption Standard (AES) Key in SmartKey
  4. Completing the Google Cloud setup to use SmartKey as an external HSM

Terminology

SmartKey: Key Management and Crypto-as-a-Service

SmartKey is a Key management and Crypto-as-a-service for data on-premises as well as in the cloud. It provides a unified HSM/KMS, where data and keys are kept separate to eliminate the risk of key compromise. It offers flexible deployment and scalable design for fast, easy integrations. With SmartKey, you can securely generate, store, and use cryptographic keys and certificates, as well as secrets, such as passwords, API keys, tokens, or any blob of data.

GCP: Google Cloud Platform

Google Cloud Platform is a suite of public cloud computing services offered by Google. The platform includes a range of hosted services for compute, storage and application development that run on Google hardware. Google Cloud Platform services can be accessed by software developers, cloud administrators and other enterprise IT professionals over the public internet or through a dedicated network connection.

Google KMS: Google Key Management Service

Google Cloud Key Management Service (KMS) is a cloud service for managing encryption keys for other Google Cloud services that enterprises can use to implement cryptographic functions. For more information, see Google Cloud Key Management Service.

Cloud EKM: Cloud External Key Manager

Cloud EKM lets you protect data at rest in BigQuery and Compute Engine using encryption keys that are stored and managed in a third-party key management system that is deployed outside Google’s infrastructure. See https://cloud.google.com/kms/docs/ekm

AES: Advanced Encryption Standard

Google uses the Advanced Encryption Standard (AES) algorithm to encrypt data at rest. AES is widely used because:

  • Both AES256 and AES128 are recommended by the National Institute of Standards and Technology (NIST) for long-term storage use (as of November 2015).
  • AES is often included as part of customer compliance requirements.

For more information, please see Advanced Encryption Standard.

SGX: Software Guard Extensions

Intel’s Software Guard Extensions (SGX) is a set of extensions to the Intel architecture that aims to provide integrity and confidentiality guarantees to security-sensitive computation performed on a computer where all the privileged software (kernel, hypervisor, and so on) is susceptible to attacks. This is done by partitioning your applications into enclaves where critical aspects of the application functionality have more security protection in memory. This helps keep the selected code and data more confidential and less accessible from unauthorized access or use. For more information, please see Intel Software Guard Extensions.

FIPS: Federal Information Processing Standards

FIPS are a set of standards that describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies. For more information, please see Current FIPS.

SmartKey Georedundancy

SmartKey service (https://www.smartkey.io/) is available globally in multiple regions: United States (AMER), United Kingdom (UK), European Union (EU), Asia Pacific (APAC) and Australia (AU).

Geographic Load Balancing

SmartKey portal users can go to www.smartkey.io and will be re-directed to the appropriate regional endpoint. For apps, they should use the closest regional endpoint.

As part of service reliability, within each geographic region, SmartKey is deployed across multiple cities with automatic key replication across metros within the region for redundancy and high availability. To use SmartKey, customers simply need to point their applications to the closest SmartKey region and SmartKey services the requests from the closest city automatically.

Each site is geographically located in a different metro, and at each site the service has redundant hardware at every level for high availability and resiliency. If a metro suffers an outage, SmartKey is still able to redirect requests to the other metros: requests are automatically redirected to the next closest metro service endpoint.

Disaster Recovery

Security keys are replicated automatically across all metros. This automatic key replication is also used in the event of disaster recovery. Since all other metro servers within a region have a copy of the same security keys, a server or metro outage does not affect your keys or operations. If your business requires you to keep a copy of the keys outside SmartKey, you can achieve this by exporting a wrapped version of those keys.

Steps to use SmartKey with Google Cloud Platform Service

Overview

With Google Cloud Platform (GCP) External Key Manager, administrators use SmartKey to store cryptographic keys for the purpose of encrypting/decrypting GCP workloads including BigQuery and Google Compute Engine (GCE).

Prerequisites

  • SmartKey
  • Google Cloud Platform Services
  • Google Cloud Project
  • AES Key

NOTE: The AES key can either be imported or created in SmartKey.

Access your GCP Project

  1. If you do not have a GCP account, you can sign up for a free trial at https://cloud.google.com/ (this will require you to provide credit card information).
  2. Ensure you have access to the GCP Project where you are processing your business data. If you are not the Project Admin, contact your Project Admin to provide you access to the Project.

Activate Service Account

Refer to https://cloud.google.com/kms/docs/reference/libraries#setting_up_authentication.

A JSON file that contains your key will be created. Download it onto your computer. This JSON file will act as your credentials.

Step 1: Enable KMS API in your Google Cloud project

In your Google Cloud project, search for “KMS API” in the search box. The following screen will be displayed. Click on the Enable button to enable Google’s Cloud Key Management Service (KMS) API.

The following is the confirmation page when the KMS API is enabled.

You can also refer to Google documentation.

Step 2: Obtain your Google Service Account Email Address

SmartKey needs to know the identity of the Google Cloud Service Account in your Google Cloud project. This is usually an email address of the form:

SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com

You can get your Service Account email address from the Google Cloud Service Account page. In the following example, we use smartkey-equinix@bustling-theme-267901.iam.gserviceaccount.com.

For more information, please see Google Service Accounts.

Step 3: Set Up SmartKey

If you are an existing SmartKey user, you can log in at www.smartkey.io.

If you are new to SmartKey, you will need to create a new account. See Getting Started for more information.

Step 4: Create or Import an AES Key in SmartKey

In your SmartKey account:

  1. Click the Security Objects tab.
  2. Click to create a new Security Object.

    In the Add New Security Object form, you can create or import your own AES key.

To import your AES key

  1. Type a name for the Security Object (Key).
  2. Click Import to set the option to import an AES key.
  3. Click AES for the type of key to import.
  4. Select an option for the key value format.
  5. Click UPLOAD A FILE to upload your AES key.

To generate a new AES key

  1. Type a name for the Security Object (Key).
  2. Click Generate to set the option to generate an AES key.
  3. Click AES for the type of key to generate.
  4. Type a value for the key size, in the Key size field.
  5. Select the permitted key operations for this key.
  6. Assign a group for the key.
  7. Select Audit log to enable audit logging. This will inform you about all audit events for this security object. It is an optional field.
  8. Click Generate to generate the AES key.

Note:

  • Make sure the new key has “encrypt” and “decrypt” key operations allowed.
  • When using the SmartKey CLI to upload the key material, you will need to convert your key to hex format. For example,

    xxd -plain mykey.txt > mykey.hex

    smartkey-cli import-key --in mykey.hex --obj-type SECRET --name Imported-Secret-Key --exportable 9381234a-bc31-1234-1febf9c8652a

    Result:

Note the UUID

Take note of the UUID of the AES key. This will be used to enable Google Cloud Service to access SmartKey as an external key manager.
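The note above converts the key file to hex with xxd before uploading it with the SmartKey CLI. The following is an added example (not SmartKey's own code; the helper names and the sample key are constructed for this page) that reproduces what `xxd -plain` produces, including the line wrapping xxd inserts at 30 bytes per line, and checks that the material is a valid AES key length before it is imported:

```python
"""Prepare AES key material for import into SmartKey (added example).

Reproduces the output of `xxd -plain mykey.txt > mykey.hex` and checks the
material before it is handed to the SmartKey CLI. The helper names and the
sample key are constructed for this example; they are not part of SmartKey.
"""
import binascii
import secrets

# Valid AES key lengths in bytes: 128, 192 and 256 bits.
AES_KEY_SIZES = (16, 24, 32)

# xxd -plain wraps its output at 30 bytes (60 hex characters) per line,
# so a 256-bit key spans two lines in mykey.hex.
XXD_PLAIN_BYTES_PER_LINE = 30


def check_key_size(raw_key: bytes) -> int:
    """Return the key size in bits, or raise if it is not a valid AES size."""
    if len(raw_key) not in AES_KEY_SIZES:
        raise ValueError(
            f"{len(raw_key)} bytes is not a valid AES key length; "
            f"expected one of {AES_KEY_SIZES}")
    return len(raw_key) * 8


def key_to_hex(raw_key: bytes) -> str:
    """Hex-encode raw key bytes the way `xxd -plain` does (wrapped lines)."""
    check_key_size(raw_key)
    hex_text = raw_key.hex()
    step = XXD_PLAIN_BYTES_PER_LINE * 2  # two hex digits per byte
    lines = [hex_text[i:i + step] for i in range(0, len(hex_text), step)]
    return "\n".join(lines) + "\n"


def hex_to_key(hex_text: str) -> bytes:
    """Parse hex key material, tolerating the line wrapping xxd inserts."""
    compact = "".join(hex_text.split())  # drop newlines and spaces
    if len(compact) % 2 != 0:
        raise ValueError("hex key material has an odd number of digits")
    try:
        raw_key = binascii.unhexlify(compact)
    except binascii.Error as exc:
        raise ValueError(f"key material is not valid hex: {exc}") from exc
    check_key_size(raw_key)
    return raw_key


if __name__ == "__main__":
    # Constructed 256-bit key for demonstration only.
    key = secrets.token_bytes(32)
    hex_file = key_to_hex(key)
    print(hex_file, end="")  # two lines, exactly like xxd -plain output
    assert hex_to_key(hex_file) == key
```

Because xxd wraps a 32-byte key onto two lines, any tooling that reads the hex file must join the lines before decoding; `hex_to_key` does that, and it rejects material that is not 128, 192 or 256 bits before anything reaches the key manager.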

Step 5: Create an Application in SmartKey

  1. In the SmartKey account, click the Apps tab.
  2. Create a new SmartKey app using the button.

  3. In the Adding new app form:

    a. In the App name field, type the name of the Service Account email you acquired before.

    b. In the Authentication method, click Google Service Account.

    NOTE: Ensure that the new application has access to the AES key.

    c. Select the access justification reason for wrapping or unwrapping the key.

    The user can allow access to wrap/unwrap keys for the following types of access justification options:

    NOTE: Selecting the allowed key justification reasons below defines an access policy for the app.

    • Accept All: Select Accept All to allow access for all the justification reasons provided below. You can also customize your selection and select specific justification criteria for access.
      • Customer-initiated support – Support initiated from customer, for example, Case Number: ####.
      • Customer-initiated access – Customer or a third party authorized by the customer's IAM policy performs any access to the customer's data.
      • Google-initiated service – Google-initiated access, for example, to perform system management and troubleshooting which includes:
        • Backup and recovery from outages and system failures
        • Investigation to confirm that the customer is not affected by suspected service issues
        • Remediation of technical issues, such as storage failure or data corruption
      • Google-initiated review – Google-initiated access for security, fraud, abuse, or compliance purposes including:
        • Ensuring the safety and security of customer accounts and content
        • Confirming whether content is affected by an event that may impact account security (for example, malware infections)
        • Confirming whether customer is using Google services in compliance with Google Terms of Service
        • Investigating complaints by other users and customers, or other signals of abusive activity
        • Checking that Google services are being used consistently with relevant compliance regimes (for example, anti-money laundering regulations)
      • Google-initiated system operation – Google-initiated access for security, fraud, abuse, or compliance purposes.
      • Third-party data request – Customer-initiated access by Google to respond to a legal request or legal process, including when responding to legal process from the customer that requires Google to access the customer's own content. Note that Access Transparency logs in this case may not be available if Google cannot legally inform the customer of such a request or process.
      • Unspecified reason – Indicates the actor accessing the data provided no access reason for the request. This may have been due to a transient error, a bug, or some other unexpected circumstance.
    • Allow missing justification: Select this option to allow access even if a justification reason is not provided.

    d. Assign the new application to a group or create a new group if there are no existing groups already.

    e. Click Save to create the new application.

Step 6: Enable the Google Cloud Service to access the AES Key in SmartKey

Google Cloud services need to know a URL that allows the service to access a key stored in SmartKey. This is known as the external_key_uri.

  1. Select the Security Objects tab in SmartKey, and then click the AES key which you created/imported.
  2. In the AES key detailed view, copy the URI of the AES Key using the Copy icon.

  3. The URI is used as external_key_uri. The UUID is the unique identifier for the security object.

    • The format of the URI is https://<region>.smartkey.io/v0/gcp/key/<Key_id>
    • UUID will be inserted into <Key_id> to form the URI.

    For example:

    UUID is 10da6733-2452-442d-b245-809f25a339f7

    URI is https://www.sit.smartkey.io/v0/gcp/key/10da6733-2452-442d-b245-809f25a339f7

  4. In Google Cloud Services, create a Key Ring. Take note that the Key Ring should be created with specific region instead of global. (global does not support external KMS.)

  5. Use the external_key_uri obtained above to complete the steps in GCP.
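The external_key_uri format above, the key UUID and the two service-account address forms shown in this guide (the project's own SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com and the Cloud EKM service agent service-[PROJECT-NUMBER]@gcp-sa-ekms.iam.gserviceaccount.com) are easy to get subtly wrong, which shows up later as the 403 and 404 responses in the error table. The following added example (not SmartKey or Google code; the function names, regular expressions and sample values are constructed for this page) builds the URI from its parts, parses one back, and classifies a service-account address before it is typed into the SmartKey app name:

```python
"""Build and validate a SmartKey external_key_uri for Cloud EKM (added example).

The URI layout https://<region>.smartkey.io/v0/gcp/key/<Key_id> and the
service-account address forms are the ones shown in the guide; the function
names and length limits below are this example's own assumptions.
"""
import re
from typing import Tuple
from urllib.parse import urlsplit

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
# Project service account: NAME@PROJECT_ID.iam.gserviceaccount.com, using
# GCP's documented 6-30 character limits for both identifiers.
SERVICE_ACCOUNT_RE = re.compile(
    r"^[a-z][a-z0-9-]{5,29}@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$")
# Cloud EKM service agent: service-<PROJECT-NUMBER>@gcp-sa-ekms.iam.gserviceaccount.com
EKM_SERVICE_AGENT_RE = re.compile(
    r"^service-\d+@gcp-sa-ekms\.iam\.gserviceaccount\.com$")
# Any SmartKey regional endpoint, e.g. www.sit.smartkey.io as in the guide.
SMARTKEY_HOST_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*\.smartkey\.io$")
URI_PATH_PREFIX = "/v0/gcp/key/"


def external_key_uri(region_host: str, key_uuid: str) -> str:
    """Form https://<region>.smartkey.io/v0/gcp/key/<Key_id> from its parts."""
    host = region_host.lower()
    if not SMARTKEY_HOST_RE.match(host):
        raise ValueError(f"{region_host!r} is not a SmartKey endpoint host")
    if not UUID_RE.match(key_uuid):
        raise ValueError(f"{key_uuid!r} is not a security object UUID")
    return f"https://{host}{URI_PATH_PREFIX}{key_uuid.lower()}"


def parse_external_key_uri(uri: str) -> Tuple[str, str]:
    """Return (region_host, key_id) from a URI, rejecting malformed ones."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        raise ValueError("external_key_uri must use https")
    host = parts.netloc.lower()
    if not SMARTKEY_HOST_RE.match(host):
        raise ValueError(f"{parts.netloc!r} is not a SmartKey endpoint host")
    if not parts.path.startswith(URI_PATH_PREFIX):
        raise ValueError(f"path must start with {URI_PATH_PREFIX}")
    key_id = parts.path[len(URI_PATH_PREFIX):]
    if not UUID_RE.match(key_id):
        raise ValueError(f"{key_id!r} is not a security object UUID")
    return host, key_id.lower()


def service_account_kind(email: str) -> str:
    """Classify the identity that will become the SmartKey app name."""
    address = email.strip().lower()
    if EKM_SERVICE_AGENT_RE.match(address):
        return "ekm-service-agent"
    if SERVICE_ACCOUNT_RE.match(address):
        return "project-service-account"
    raise ValueError(f"{email!r} is not a Google service account address")


if __name__ == "__main__":
    # Sample values taken from the guide's own examples.
    uri = external_key_uri("www.sit.smartkey.io",
                           "10da6733-2452-442d-b245-809f25a339f7")
    print(uri)
    print(parse_external_key_uri(uri))
    print(service_account_kind(
        "smartkey-equinix@bustling-theme-267901.iam.gserviceaccount.com"))
```

Run the parser over the external_key_uri you paste into the Cloud KMS console before creating the key: a plain-http scheme, a stray character in the UUID, or a host outside smartkey.io is caught here rather than surfacing as a 404 from the key manager.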

Support

If you have issues with signing up for SmartKey, please email smartkey@equinix.com.

For SmartKey documentation including API reference, refer to https://support.smartkey.io/.

For SmartKey support, contact Equinix at support@equinix.com.

The following table lists error responses that you might see due to problems from your inputs, Google Cloud EKM, SmartKey, communications between them, or other factors. Depending on the error, you may need to contact Google or Equinix support.

Error scenario, HTTP status, and how to resolve the issue:

  • Service account credential verification fails (HTTP 401): contact Google support.
  • Service account credential is valid but the service account identity is not authorized in SmartKey (HTTP 403): make sure you have created an app with Google Service Account credentials whose name matches the Google Service Account of your Google Cloud project, in the format service-[PROJECT-NUMBER]@gcp-sa-ekms.iam.gserviceaccount.com. Also make sure the app has access to the key (i.e. the app shares a group with the security object and has sufficient permissions).
  • The requested resource does not exist (HTTP 404): make sure the key_id specified in external_key_uri (https://<region>.smartkey.io/v0/gcp/key/<Key_id>) exists and is enabled in SmartKey.
  • Request is invalid due to decryption failures (invalid ciphertext, invalid AAD) (HTTP 400): contact Google support.
  • Request is invalid for any other reason (HTTP 400): contact Google support.
  • Request cannot be served due to rate throttling (HTTP 429): contact Equinix support.
  • SmartKey service is currently unavailable due to a transient condition and the client should retry (HTTP 503): contact Equinix support.
  • SmartKey internal error (HTTP 500): contact Equinix support.