Encrypting Your Data Using AWS KMS Custom Key Store with CloudHSM

Click on the custom key store, rubrik_cloudout_keystore, we just created and click on the Connect custom key store option under the Key store actions menu. Under the hood, AWS KMS connects to our CloudHSM cluster, logs in as the kmsuser, and rotates the kmsuser password. After a few minutes, the console will report the key store as CONNECTED.

Creating a Customer Master Key Using a Custom Key Store

Now we are ready to create a new Customer Master Key (CMK). Navigate to the Customer managed keys page in the KMS console and click on the Create key button. In the Add alias and description dialog box, we provide an alias and a description. Expand the Advanced options section, select Custom key store (CloudHSM), and click on Next. Select the custom key store, rubrik_cloudout_keystore, we created and connected to earlier and click on Next. Click on Next again to skip creating Tags.

Now we need to grant an IAM user administrative permission to the CMK we are creating, then click on Next. We select the IAM user and/or role that will be using this CMK to encrypt data keys and click on Next. For this post, we will be assigning the CMK to a user named rubrik-cloudout that will be uploading files to an S3 bucket as part of the Rubrik CloudOut solution. Review and edit the key policy that will be granted to our IAM users. We will leave the policy as is and click on Finish.

After the CMK is created, we will see that a Key ID has been assigned to the new key. We can drill down into our new CMK to get more details. Our new CMK is used and managed the same way as any other CMK. Under the covers, however, the key material is not generated and stored in KMS, which is a multi-tenant service. Instead, all key material for the custom key store-backed CMK is stored in CloudHSM.

Configuring Rubrik CloudOut to Use KMS

To show an example of how the integration works with an application, we will quickly walk through configuring Rubrik to use our new custom key store-backed CMK for client-side encryption of data. We log into a Rubrik cluster and navigate to the Archival Locations page. We then create a new Rubrik Archival Location using Amazon S3. The bucket, relevant bucket policy, and IAM user have been previously created and configured. For Encryption Type, we choose KMS Master Key ID. We then copy and paste in the key ID for the custom key store-backed CMK we created earlier and click on Add. The KMS Master Key ID is a representation of the underlying CMK and allows us to rotate the CMK without having to edit the Master Key ID each time. Rubrik will confirm access to the S3 bucket and the correct permissions to the CMK prior to creating the new Archival Location.

From this point, all data designated for our rubrik-tme-or bucket will be encrypted client-side by Rubrik, using our newly created CMK to encrypt the data keys. Behind the scenes, KMS will leverage CloudHSM via our custom key store connection.

Hopefully this blog post will help you get started with using custom key stores to integrate AWS KMS with CloudHSM.
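As an added pre-flight check that is not part of the original post: before pasting the key ID into Rubrik (or any application), confirm the CMK is Enabled, has its key material in CloudHSM, and sits in a custom key store that is currently CONNECTED, since a disconnected key store makes every encrypt and decrypt call against that key fail. The sample responses below are constructed, and the boto3 calls in the comments are assumptions about how you would fetch the real ones.

```python
"""Pre-flight check: confirm a KMS key really lives in a CONNECTED CloudHSM-backed
custom key store before handing its key ID to an application for envelope encryption.
"""

def check_custom_key_store_key(key_metadata, key_stores):
    """Return a list of problems (an empty list means the key is safe to hand out).

    key_metadata: the KeyMetadata dict from kms.describe_key(KeyId=...)
    key_stores:   the CustomKeyStores list from kms.describe_custom_key_stores()
    """
    problems = []
    if key_metadata.get("KeyState") != "Enabled":
        problems.append(f"key state is {key_metadata.get('KeyState')}, not Enabled")
    if key_metadata.get("Origin") != "AWS_CLOUDHSM":
        problems.append(f"origin is {key_metadata.get('Origin')}; key material is not in CloudHSM")
    if key_metadata.get("KeyUsage") != "ENCRYPT_DECRYPT":
        problems.append("key usage is not ENCRYPT_DECRYPT; cannot wrap data keys")
    store_id = key_metadata.get("CustomKeyStoreId")
    if not store_id:
        problems.append("no CustomKeyStoreId; this is a standard KMS-backed key")
        return problems
    store = next((s for s in key_stores if s.get("CustomKeyStoreId") == store_id), None)
    if store is None:
        problems.append(f"custom key store {store_id} not found in this account/region")
        return problems
    if store.get("ConnectionState") != "CONNECTED":
        problems.append(f"custom key store {store.get('CustomKeyStoreName')} is {store.get('ConnectionState')}")
    if store.get("CloudHsmClusterId") != key_metadata.get("CloudHsmClusterId"):
        problems.append("key's CloudHsmClusterId does not match the key store's cluster")
    return problems

# Constructed sample responses (shapes follow the KMS DescribeKey /
# DescribeCustomKeyStores APIs; the IDs are placeholders, not real resources).
SAMPLE_KEY = {
    "KeyId": "EXAMPLE-KEY-ID", "KeyState": "Enabled", "KeyUsage": "ENCRYPT_DECRYPT",
    "Origin": "AWS_CLOUDHSM", "KeyManager": "CUSTOMER",
    "CustomKeyStoreId": "cks-EXAMPLE", "CloudHsmClusterId": "cluster-EXAMPLE",
}
SAMPLE_STORES = [{
    "CustomKeyStoreId": "cks-EXAMPLE", "CustomKeyStoreName": "rubrik_cloudout_keystore",
    "CloudHsmClusterId": "cluster-EXAMPLE", "ConnectionState": "CONNECTED",
}]

if __name__ == "__main__":
    # Live use (assumption: boto3 installed and AWS credentials configured):
    # kms = boto3.client("kms")
    # meta = kms.describe_key(KeyId=alias_or_id)["KeyMetadata"]
    # stores = kms.describe_custom_key_stores()["CustomKeyStores"]
    print(check_custom_key_store_key(SAMPLE_KEY, SAMPLE_STORES) or "OK")
```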
