Introduction
phoenixNAP’s Encryption Management Platform (EMP) is a centralized system that provides data security across multiple cloud providers and multi-cloud infrastructures. With integrated security for all data protection needs, it safeguards encryption keys, secrets, and tokens.
In this article, you will learn how to provision security objects and secure all your secrets.
Note: Follow the link to learn how to encrypt a Bare Metal Cloud drive with EMP.
Getting Started With Security Objects
To start working with security objects, log in to the phoenixNAP Encryption Management Platform and navigate to the Security Objects section from the sidebar on the left.
You can create/import a new security object (A) or manage existing ones (B).
Add a New Security Object
To add a new security object, click on the plus sign and type in the following information:
- A name for the security object.
- A short description.
- Assign it to an existing group or create a new group to which the object will belong.
- Choose whether you want to import or generate a security object.
Option 1: Import Security Objects
To import an existing security object, follow the steps outlined below.
- Select IMPORT when adding a new SO.
Note: phoenixNAP EMP allows you to import a security object from Components. To do so, you must set a Key Custodian Group Policy to enable importing keys from Components. This feature applies to key types AES, DES, and DES3.
2. Specify the type of key you want to import.
3. If you are importing an AES, DES, DES3, DSA, or HMAC key type from a file, it is likely the key is already encrypted. If so, check the box: The key has been encrypted. Then, select the key encryption key used for that specific instance.
- Choose the format of the file (Raw, Base64, or Hex) you want to import.
- Upload file to EMP.
- Select the key operations you want to permit. Due to cryptographic policy, some operations will be disabled based on the key type specified in step 2.
- By default, EMP enables audit logging to keep a complete audit log for this object. If you want to increase performance, uncheck the box to disable logging.
- Finally, click IMPORT to import the new security key.
Option 2: Generate Security Objects
To generate a SO using phoenixNAP EMP:
- Select GENERATE when adding a new security object.
- Choose the type of key you want to generate.
Note: If you opt for Tokenization, jump to the steps for setting up a security object token.
3. Next, define the key size. The permitted values depend on the key type.
- Choose which key operations you want to permit. Some of the operations will be disabled based on the key type specified in step 2.
- By default, EMP enables audit logging to keep a full audit log for this object. To increase performance, uncheck the box to disable logging.
- Finally, click GENERATE to import the new security key.
Tokenization
Generate a key using the EMP tokenization feature for credit card information, ID numbers, and other sensitive information. Tokens replace classified data with randomly generated alphanumeric IDs. By doing so, they eliminate any connection with the owner of the information.
- To create a token, start by selecting Tokenization when choosing the key type you want to generate.
- Select one of the four categories the security object token belongs to:
- General
- Identification numbers (USA)
- Military Service Numbers (USA)
- Custom
Note: Learn more about different types of tokens in the Types of Security Object Tokens section.
- The next step is to choose permitted key operations. By default, tokenization, detokenization, and app management are enabled, while other operations are disabled due to cryptographic policy.
- EMP enables audit logging by default to keep a full audit log for this object. If you prefer not to do so, uncheck the box to disable logging.
- Lastly, click GENERATE to create a new security object token with the specified configuration.
Types of Security Object Tokens
The type of tokens you can generate include:
- General
- Credit card
- IMSI
- IMEI
- IP Address (v4)
- Phone number (USA)
- Fax Number (USA)
- Email Address
- Identification numbers (USA)
- SSN
- Passport Number (USA)
- Driver’s license
- Individual Taxpayer Identification Number (USA)
- Military Service Numbers (USA)
- Army and Air Force Service Number (USA)
- Navy Service Number (USA)
- Coast Guard Service Number (USA)
- Marine Corps Service Number (USA)
- Military Office Service Number (USA)
- Custom
- Numbers only
- Hexadecimals
- Alphanumeric
Once you select the token, you need to specify what kind of tokenization you want it to have. There are four main tokenization types:
- Full token – masking the entire token.
- Token + last 4 digits – masking the entire token except the last four digits.
- First 6 digits + token – masking the entire token except the first six digits.
- First 6 digits + token + last four digits – masking the entire token except the first six digits and the last four digits.
For additional security, you can enable the Add masking pattern option to replaces the selected digits of the token with asterisks (*).
Working with Security Objects
New secrets and keys appear on the list on the main page, as in the image below.
The list shows:
- The name of the security object
- Its KCV
- The enabled key operations
- The group to which it belongs to
- The user who created the group
- How long ago it was created
- The type of SO
- The size of the SO
- When the SO expires
Click on the row to see more details about each object from the list. Doing so takes you to a new page with a detailed description of the SO configuration.
Security Object Attributes/Tags
Each SO has attributes/tags, which you can see by switching to the ATTRIBUTES/TAGS tab located next to INFO. They include:
PKCS #11 and CNG – standard attributes assigned based on the SO specifications.
Custom attributes – attributes that the user can define and add to the SO’s metadata. You can easily add custom attributes when needed by clicking the blue button.
Key Rotation
phoenixNAP EMP includes the Key Rotation feature for security objects which allows you to replace an old encryption key with a new cryptographic key.
You will find the key rotation option in the detailed view of the security object.
Once you click ROTATE KEY, a new window opens. If you want to deactivate the original key after the rotation, check the box before confirming with the ROTATE KEY button.
Note: For more information on the Key Rotation feature, refer to the official Fortanix User’s Guide.
Security Object Status
The SO status shows whether users can utilize the SO for cryptographic operations. A security object can be:
- pre-active (has an activation date in the future and is not operational before the specified date)
- active (can be used for cryptographic operations)
- deactivated/disabled (cannot be used for cryptographic operations)
- destroyed (the key is deactivated, the key material is lost, and it can no longer be used)
The current status is indicated with a green underline.
A key becomes deactivated if it is manually disabled by a user or it reaches its expiration date. When creating a new security object, the default configuration is never to expire.
You can edit this setting in the detailed SO view and add a date when you want the key to transition to deactivated state.
Note: By default, new security objects are created in the activated state. If you want to create one in the pre-activated state, use the Fortanix REST API.
Enable/Disable Security Objects
You can easily enable or disable security objects by activating or deactivating the Enabled field in the key detailed view. When a SO is disabled, it cannot perform any cryptographic operations. However, the key material and data are saved and can be easily activated at any time.
How to Delete/Destroy Security Objects
There are two ways to remove a key in EMP:
- Delete. To delete a SO means to remove the key material and its metadata permanently. The action cannot be undone, and the object cannot be restored once deleted.
- Destroy. To destroy a key means to put it in an irreversible disabled state and delete the key material. While the SO can no longer be used, its metadata is preserved.
Conclusion
After reading this article, you should know how to import and generate security objects on your EMP account. To learn more about working in EMP, refer to phoenixNAP EMP Account Provisioning and Overview.
原创文章,作者:506227337,如若转载,请注明出处:https://blog.ytso.com/225904.html