How to migrate asymmetric keys from CloudHSM to AWS KMS

[ad_1]

In June 2023, Amazon Net Companies (AWS) launched a brand new functionality to AWS Key Administration Service (AWS KMS): now you can import uneven key supplies resembling RSA or elliptic-curve cryptography (ECC) personal keys on your signing workflow into AWS KMS. This implies that you may transfer your uneven keys which are managed outdoors of AWS KMS—resembling a hybrid (on-premises) surroundings, multi-cloud surroundings, and even AWS CloudHSM—and make them out there by means of AWS KMS. Mixed with the announcement on AWS KMS HSMs reaching FIPS 140-2 Safety Stage 3, you’ll be able to make it possible for your keys are secured and utilized in a way that aligns to the cryptographic requirements laid out by the U.S. Nationwide Institute of Requirements and Know-how (NIST).

On this put up, we are going to present you the way to migrate your uneven keys from CloudHSM to AWS KMS. This can assist you simplify your key administration technique and reap the benefits of the strong authorization management of AWS KMS key insurance policies.

Advantages of importing key supplies into AWS KMS

Basically, we suggest that you just use a local KMS key as a result of it supplies the perfect safety, sturdiness, and availability in comparison with different key retailer choices. AWS KMS FIPS-validated {hardware} safety modules (HSMs) generate the important thing supplies for KMS keys, and these key supplies by no means depart the HSMs unencrypted. Operations that require use of your KMS key (for instance, decryption of a knowledge key or digital signature signing) should happen throughout the HSM.

Nevertheless, relying in your group’s necessities, you may have to carry your individual key (BYOK) from outdoors. Importing your individual key offers you direct management over the era, lifecycle administration, and sturdiness of your keys. As well as, you will have full management over the supply of your imported keys as a result of you’ll be able to set an expiration interval or delete and reimport the keys at any time. You’ve got larger management over the sturdiness of your imported keys as a result of you’ll be able to keep the unique model of the keys elsewhere. If you must generate and retailer copies of keys outdoors of AWS, these further controls can assist you meet your compliance necessities.

Answer overview

At a excessive stage, our answer entails downloading the wrapping key from AWS KMS, utilizing the CloudHSM Command Line Interface (CLI) to import a wrapping key to CloudHSM, wrapping the personal key through the use of the wrapping key in CloudHSM, and importing the wrapped personal key to AWS KMS through the use of an import token. You’ll be able to carry out the identical procedures through the use of different supported libraries, such because the PKCS #11 library or a JCE supplier.

Figure 1: Overall architecture of the solution

Determine 1: General structure of the answer

As proven in Determine 1, the answer entails the next steps:

Create a KMS key with out key materials in AWS KMS
Obtain the wrapping public key and import token from AWS KMS
Import the wrapping key supplied by AWS KMS into CloudHSM
Wrap the personal key inside CloudHSM with the imported wrapping public key from AWS KMS
Import the wrapped personal key to AWS KMS

For the walkthrough on this put up, you’ll import into AWS KMS an ECC 256-bit personal key (NIST P-256) that’s used for signing goal from a CloudHSM cluster. If you import an uneven key into AWS KMS, you solely have to import a personal key. You don’t have to import a public key as a result of AWS KMS can generate and retrieve a public key from the personal key after the personal secret’s imported.

Conditions

To comply with together with this walkthrough, just be sure you have the next conditions in place:

An energetic CloudHSM cluster with not less than one energetic HSM and a legitimate crypto person credential.
An Amazon Elastic Compute Cloud (Amazon EC2) occasion with the CloudHSM Shopper SDK 5 put in and configured to connect with the CloudHSM cluster. For directions on the way to configure and join the consumer occasion, see Getting began with AWS CloudHSM.
OpenSSL put in in your EC2 occasion (we suggest model 3.0.0 or newer).

Step 1: Create a KMS key with out key materials in AWS KMS

Step one is to create a brand new KMS key. You are able to do this by means of the AWS KMS console or the AWS CLI, or by operating the CreateKey API operation.

If you create your key, hold the next steerage in thoughts:

Set the important thing materials origin to Exterior in order that no key materials is created for this new key.
In line with NIST SP 800-57 steerage and cryptography finest observe, typically, you must use a single key for just one goal (for instance, in the event you use an RSA key for encryption, you shouldn’t additionally use that key for signing). Choose the important thing utilization that most accurately fits your use case.
Be sure that the important thing spec match the algorithm specification of the important thing that you’re attempting to import from CloudHSM.
If you wish to use the important thing in a number of AWS Areas (for instance, to keep away from the necessity for a cross-Area name to entry the important thing), think about using a multi-Area key.

To create a KMS key utilizing the AWS CLI

Run the next command:

aws kms create-key –origin EXTERNAL –key-spec ECC_NIST_P256 –key-usage SIGN_VERIFY

Step 2: Obtain the wrapping public key and import token from AWS KMS

After you create the important thing, obtain the wrapping key and import token.

The wrapping key spec and the wrapping algorithm that you choose rely on the important thing that you just’re attempting to import. AWS KMS helps a number of customary RSA wrapping algorithms and a two-step hybrid wrapping algorithm. CloudHSM helps each wrapping algorithms as properly.

Basically, an RSA wrapping algorithm (RSAES_OAEP_SHA_*) with a key spec of RSA_4096 ought to be ample for wrapping ECC personal keys as a result of it could actually wrap the important thing materials utterly. Nevertheless, when importing RSA personal keys, you have to to make use of the two-step hybrid wrapping algorithm (RSA_AES_KEY_WRAP_SHA_*) attributable to their giant key dimension. The general course of is similar as what’s proven right here, however the two-step hybrid wrapping algorithm requires that you just encrypt your key materials with an Superior Encryption Normal (AES) symmetric key that you just generate, after which encrypt the AES symmetric key with the RSA public wrapping key. Moreover, when you choose the wrapping algorithm, you even have a selection between the SHA-1 or SHA-256 hashing algorithm. We suggest that you just use the SHA-256 hashing algorithm at any time when doable.

Notice that every wrapping public key and import token set is legitimate for twenty-four hours. If you happen to don’t use the set to import key materials inside 24 hours of downloading it, it’s essential to obtain a brand new set.

To obtain the wrapping public key and import token from AWS KMS

Run the next command. Ensure to interchange <KMS KeyID> with the important thing ID of the KMS key that you just created within the earlier step. The important thing ID is the final a part of the important thing ARN after :key/ (for instance, arn:aws:kms:us-east-1:<AWS Account ID>:key/<Key ID>). “ImportToken.b64” represents the wrapping token, and “WrappingPublicKey.b64” represents the import token.

aws kms get-parameters-for-import
–key-id <KMS KeyID>
–wrapping-algorithm RSAES_OAEP_SHA_256
–wrapping-key-spec RSA_4096
–query “[ImportToken, PublicKey]”
–output textual content
| awk ‘{print $1 > “ImportToken.b64”; print $2 > “WrappingPublicKey.b64”}’

Decode the base64 encoding.

openssl enc -d -base64 -A -in WrappingPublicKey.b64 -out WrappingPublicKey.bin

To transform the wrapping public key from DER to PEM format

The important thing import pem command in CloudHSM CLI requires that the general public secret’s in PEM format. AWS KMS outputs public keys within the DER format, so it’s essential to convert the wrapping public key to PEM format. To transform the general public key to PEM format, run the next command:

openssl rsa -pubin -in WrappingPublicKey.bin -inform DER -outform PEM -out WrappingPublicKey.pem

Step 3: Import the wrapping key supplied by AWS KMS into CloudHSM

Now that you’ve got created the KMS key and made the mandatory preparations to import it, change to CloudHSM to import the important thing.

To import the wrapping key

Log in to your EC2 occasion that has the CloudHSM CLI put in and run the next command to make use of it in an interactive mode:

/decide/cloudhsm/bin/cloudhsm-cli interactive

Log in along with your crypto person credential. Ensure to interchange <YourUserName> with your individual info and provide your password when prompted.

Import the wrapping key and set the attribute permitting this key for use for wrapping different keys.

key import pem –path ./WrappingPublicKey.pem –label <kms-wrapping-key> –key-type-class rsa-public –attributes wrap=true

It’s best to see an output just like the next:

{
“error_code”: 0,
“knowledge”: {
“key”: {
“key-reference”: “0x00000000002800c2”,
“key-info”: {
“key-owners”: [
{
“username”: “<YourUserName>“,
“key-coverage”: “full”
}
],
“shared-users”: [],
“cluster-coverage”: “full”
},
“attributes”: {
“key-type”: “rsa”,
“label”: “<kms-wrapping-key>“,
“id”: “0x”,
“check-value”: “0x5efd07”,
“class”: “public-key”,
“encrypt”: false,
“decrypt”: false,
“token”: true,
“always-sensitive”: false,
“derive”: false,
“destroyable”: true,
“extractable”: true,
“native”: false,
“modifiable”: true,
“never-extractable”: false,
“personal”: true,
“delicate”: false,
“signal”: false,
“trusted”: false,
“unwrap”: false,
“confirm”: false,
“wrap”: true,
“wrap-with-trusted”: false,
“key-length-bytes”: 1024,
“public-exponent”: “0x010001”,
“modulus”: “0xd7683010 … b6fc9df07”,
“modulus-size-bits”: 4096
}
},
“message”: “Efficiently imported key”
}
}

From the output, observe the worth for the important thing label (<kms-wrapping-key> on this instance) as a result of you have to it for the following step.

Step 4: Wrap the personal key inside CloudHSM with the imported wrapping public key from AWS KMS

Now that you’ve got imported the wrapping key into CloudHSM, you’ll be able to wrap the personal key that you just need to import to AWS KMS through the use of the wrapping key.

Vital: Solely the proprietor of a key—the crypto person who created the important thing—can wrap the important thing. As well as, the important thing that you just need to wrap should have the extractable attribute set to true.

To wrap the personal key

Use the important thing wrap command within the CloudHSM CLI to wrap the personal key that’s saved in CloudHSM. Ensure to interchange the next placeholder values with your individual info:

rsa-oaep specifies the wrapping algorithm.
–payload-filter is used to outline the important thing that you just need to wrap out of the HSM. You should utilize the important thing reference (for instance, key-reference=0x00000000002800c2) or reference key attributes, resembling the important thing label. In our instance, we used the important thing label ec-priv-import-to-kms.
–wrapping-filter is used to outline the important thing that you’ll use to wrap out the payload key. This ought to be the wrapping key that you just imported beforehand from AWS KMS, which was labeled kms-wrapping-key in Step 3.3.
–hash-function defines the hash operate used as a part of the OAEP encryption. This could match the wrapping algorithm that you just specified while you received the import parameters from AWS KMS. In our instance, it ought to be SHA-256 as a result of we chosen RSAES_OAEP_SHA_256 because the wrapping algorithm beforehand.
–mgf defines the masks era operate used as a part of the OAEP encryption. The masks hash operate should match the signing mechanism hash operate, which is SHA-256 on this instance.
–path defines the trail to the binary file the place the wrapped key knowledge shall be saved. On this instance, we title the file EncryptedECC_P256KeyMaterial.bin however you’ll be able to specify a distinct title.

key wrap rsa-oaep –payload-filter attr.label=ec-priv-import-to-kms –wrapping-filter attr.label=kms-wrapping-key –hash-function sha256 –mgf mgf1-sha256 –path EncryptedECC_P256KeyMaterial.bin

(Non-obligatory) To export the general public key

It’s also possible to use the CloudHSM CLI to export the general public key of your personal key. You’ll use this key for testing later. Ensure to interchange the placeholder values <ec-priv-import-to-kms> and <KeyName.pem> with your individual info.

key generate-file –encoding pem –path <KeyName.pem> –filter attr.label=<ec-priv-import-to-kms>

Step 5: Import the wrapped personal key to AWS KMS

Now that you just’ve wrapped the personal key from CloudHSM, you’ll be able to import it into AWS KMS.

Notice that you’ve got the choice to set an expiration time on your imported key. After the expiration time passes, AWS KMS deletes your imported key routinely.

To import the wrapped personal key to AWS KMS

When you have been utilizing the CLI or API, the import token is base64 encoded. It’s essential to decode the token from base64 to binary format earlier than it may be used. You should utilize OpenSSL to do that.

openssl enc -d -base64 -A -in ImportToken.b64 -out ImportToken.bin

Run the next command to import the wrapped personal key. Ensure to interchange <KMS KeyID> with the important thing ID of the KMS key that you just created in Step 1.

aws kms import-key-material –key-id <KMS KeyID>
–encrypted-key-material fileb://EncryptedECC_P256KeyMaterial.bin
–import-token fileb://ImportToken.bin
–expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE

Take a look at whether or not your personal key was imported efficiently

The character of uneven cryptography signifies that a digital signature produced by your personal key ought to produce the identical signature on the identical message, whatever the instrument that you just used to carry out the signing operation. To confirm that your imported personal key capabilities the identical in each CloudHSM and AWS KMS, you’ll be able to carry out a signing operation and examine the signature on CloudHSM and AWS KMS to make it possible for they’re the identical.

One other approach to verify that your imported personal key capabilities are the identical in AWS KMS is to carry out a signing operation after which confirm the signature through the use of the corresponding public key that you just exported from CloudHSM in Step 4. We’ll present you the way to use this technique to verify that your personal key was imported efficiently.

To check that your personal key was imported

Create a easy message in a textual content file and encode it in base64.

echo -n ‘Testing My Imported Key!’ | openssl base64 -out msg_base64.txt

Carry out the signing operation through the use of AWS KMS. Ensure to interchange <YourImported KMS KeyID> with your individual info.

aws kms signal –key-id <YourImported KMS KeyID> –message fileb://msg_base64.txt –message-type RAW –signing-algorithm ECDSA_SHA_256

The next exhibits the output of the signing operation.

{
“KeyId”: “arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab”,
“Signature”: “EXAMPLEXsP11QVTkrSsab2CygcgtodDbSpd+j558B4qINpKIxwIhAMkKwd65mA3roo76ItuHiRsbwO9F0XMyuyKCKEXAMPLE”,
“SigningAlgorithm”: “ECDSA_SHA_256”
}

Save the signature in a separate file referred to as signature.sig and decode it from base64 to binary.

openssl enc -d -base64 -in signature.sig -out signature.bin

Confirm the signature through the use of the general public key that you just exported from CloudHSM in Step 4.

openssl dgst -sha256 -verify <KeyName.pem> -signature signature.bin msg_base64.txt

If profitable, you must see a message that claims Verified OK.

Conclusion

On this put up, you discovered the way to import an uneven key into AWS KMS from CloudHSM through the use of the CloudHSM CLI.

Though this put up centered on migrating keys from CloudHSM, you can too comply with the overall instructions to import your uneven key from elsewhere. If you import a personal key, make it possible for the imported key matches the important thing spec and the wrapping algorithm that you just select in AWS KMS.

When you have suggestions about this put up, submit feedback within the Feedback part beneath. When you have questions on this put up, contact AWS Help.

Mani Manasa Mylavarapu

Manasa is a Software program Growth Supervisor at AWS KMS. Manasa leads the event of customized key retailer options for each the CloudHSM Key Retailer and Exterior Key Retailer. Past her skilled function, Manasa enjoys enjoying board video games and exploring the scenic hikes of Seattle.

Kevin Lee

Kevin is a Senior Product Supervisor at AWS KMS. Kevin’s work pursuits embrace client-side encryption and key administration technique inside a multi-tenant surroundings. Outdoors of labor, Kevin enjoys occasional tenting and snowboarding within the Pacific Northwest and enjoying video video games.

Patrick Palmer

Patrick is a Principal Safety Specialist Options Architect. He helps clients world wide use AWS providers in a safe method, and makes a speciality of cryptography. When not working, he enjoys spending time together with his rising household and enjoying video video games.

[ad_2]

Source link