An Introduction to BYOK and the Futurex KMES Series 3 HSM
— Riley Dickens, consultant, Encryption Consulting
More and more organizations are moving their cyber operations onto the cloud every day due to the flexibility, scalability, and cheaper cost provided by Cloud Service Providers (CSPs). Due to this migration to the cloud, cybersecurity is an even larger component of any organization’s infrastructure. This increase in cybersecurity necessitates the creation of new methods of managing security components, such as the use of Bring Your Own Key (BYOK) solutions or Hardware Security Modules (HSMs), such as Futurex’s KMES Series 3 HSM.
Bring Your Own Key
The term BYOK refers to user-generated keys utilized in the encryption of data on the cloud. Normally, a user would allow the CSP to generate and manage keys used for encryption on the cloud, but more organizations are using a BYOK solution to ensure their data is protected with the most secure keys possible. The use of BYOK also allows users to monitor their keys and rotate them as often as desired, thus providing granular control over the keys and key material. Most organizations that use a BYOK method of security use HSMs to create keys and key material.
HSMs provide a sufficient amount of entropy when creating keys to ensure that any keys created are FIPS 140-2 Level 3 compliant. To carry out Bring Your Own Key solutions, the HSM being used connects to the CSP via APIs, which allows the HSM to securely create and send the keys to Key Management Services (KMS). The HSM first generates an empty key object and requests an import key from the KMS. Working keys are then generated — which can be asymmetric or symmetric depending on what type the CSP requires — and are wrapped by the import key. Wrapping a key involves encrypting the working key with the import key provided by the KMS and sending that key to be unwrapped by the KMS, thus securely transporting the key to the Cloud for BYOK use.
This process gives the CSP a copy of the HSM generated key, but there is an option to use a form of BYOK without giving the CSP a copy of the user-generated key. To do this, Bring Your Own Encryption (BYOE) must be implemented. BYOE involves the HSM acting as a proxy between the user and the CSP, allowing the HSM to control all cryptographic operations applied to data. The use of HSMs to create keys and do cryptographic operations provides many benefits. The ability to export user-generated keys provides strong cryptographic key portability, allows for very fine-grained key lifecycle management, and allows for in-depth reporting. HSMs also provide a powerful disaster recovery method in case of disaster or emergency. The next section details how a specific HSM, the KMES Series 3 by Futurex, operates, and protects data. The Series 3 defines automated key rotation policies to assist with the changing out of keys on the cloud. These automated key rotation policies provide strong cryptographic agility for anyone using the KMES Series 3. Cryptographic agility is the ability to switch between cryptographic algorithms without rewriting applications or deploying new hardware.
Futurex’s KMES Series 3 HSM
Futurex’s KMES Series 3 is FIPS 140-2 Level 3 compliant and imports keys to the cloud using methods and techniques unique to the Series 3. The Series 3 keeps an inventory of all the cryptographic keys it has created, whether they are on the cloud or on-premises. The cloud-hosted keys’ health and validity are also monitored by the KMES Series 3. If a key becomes invalid or expires, an alert is set well in advance to replace the key.
The KMES Series 3 has a strict role-based system to ensure users can only access the data they are authorized to within the HSM. This flexibility allows the organization to create the keys to isolate their keys based on the user, so the compromise of one key does not lead to compromising all keys. In terms of deployment of keys across an organization, all Futurex’s KMES Series 3 HSMs use an algorithm called Masterless Peering. All Series 3s in an organization are connected in a cluster to utilize Masterless Peering. When a new key is added to an HSM, the configuration of that HSM is copied in every other HSM through Futurex’s Guardian Series 3. Each HSM in the cluster now gains a copy of the newly created key, as long as the device is online and part of the cluster. The keys in the configuration are all double encrypted with a master key and sent along a secure TLS channel to ensure the security of the keys as they are transmitted to the other HSMs in the cluster.
Fear of vendor lock-in concerning CSPs is common, but luckily the most common CSPs all provide key management services. While most CSPs allow the generation of keys, exporting the keys to another cloud platform is impossible, which is where BYOK comes in. With BYOK, the client controls its keys, allowing these keys to be exported to any CSP of the organization’s choosing. The three most common CSPs, Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure, all have different offerings in terms of their services.
Cloud Service Provider Offerings
All three cloud services offer 2048, 3072, and 4096-bit RSA asymmetric master keys. AWS and GCP offer 256-bit symmetric master keys, while Microsoft Azure does not support any symmetric master keys. Google Cloud Platform and Amazon Web Services offer symmetric AES GCM and asymmetric RSA OAEP encryption methods. On the other hand, Microsoft Azure does not offer symmetric encryption methods but does offer two asymmetric encryption methods: RSA OAEP and RSA PKCS#1v1.5. Azure offers a plaintext size limit of 0.25KB, Amazon Web Services offers a limit of 4KB, and Google Cloud Platform offers a limit of 64KB. Each service also handles BYOK wrapping differently. Amazon Web Services takes an AES 256 key that is wrapped by RSA 2048, GCP takes an AES 256 key that is wrapped by RSA 3072, and Azure takes an RSA key that is wrapped by AES and RSA-OAEP.
Bring Your Own Key is an extremely strong cryptographic solution when used in a cross-platform environment of KMS and HSM. With the need for strong cryptographic keys, HSMs such as the Futurex KMES Series 3 are needed more often than not. The Series 3’s use of Masterless Peering, key lifecycle management, and disaster recovery all provide a secure solution to any key management issues. The three biggest CSPs, AWS, GCP, and Azure, all work well with the KMES Series 3, and each CSP has its own solution to BYOK. While all three CSPs are different, each can be utilized to ensure secure data privacy infrastructure, as long as a strong HSM is utilized with BYOK or BYOE.
To learn more, register for our webinar, What You Need to Know About Multi-Cloud Key Management, with Encryption Consulting and Futurex on Wednesday, October 28 at 11:00 a.m. CT.