Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks.
Contents (excerpt)
2 Integrating Google Cloud Platform with SafeNet Luna HSM (page 10)
Setting up SafeNet Luna HSM with Google Cloud (page 10)
Before You Begin (page 10)
Generating the CSEK for Google Cloud (page 10)
Creating the Encrypted VM using CSEK (page 14)
3 Appendix (page 21)
...
This guide provides instructions for setting up a small test lab with Google Cloud Platform running with SafeNet Luna HSM for securing the CSEK keys. It provides information on how to install and configure software that is required for setting up Google Cloud Platform while storing CSEK keys on SafeNet Luna HSM.
Preface
WARNING: Be extremely careful and obey all safety and security measures. In this situation you might do something that could result in catastrophic data loss or personal injury.
Command Syntax and Typeface Conventions
Convention / Description
bold: The bold attribute is used to indicate the following: ...
Phone: 1-800-545-6608
International: 1-410-931-7520
Technical Support: https://supportportal.gemalto.com
Customer Portal: Existing customers with a Technical Support Customer Portal account can log in to manage incidents, get the latest software upgrades, and access the Gemalto Knowledge Base.
Google Cloud Platform Integration Guide...
As an alternative to a Google-managed server-side encryption key, you can choose to provide your own AES-256 key, encoded in standard Base64. This key is known as a customer-supplied encryption key (CSEK). If you provide a CSEK, Cloud Storage does not permanently store your key on Google's servers or otherwise manage your key.
For more detailed information, refer to the Google Cloud online documentation at https://cloud.google.com/docs/.
NOTE: Before proceeding, ensure that the CSEK feature is supported in your country; if your country is not supported, this feature will not work. The list of countries supported for CSEK is available in the Google Cloud online documentation.
1 – Introduction
Prerequisites
SafeNet Luna Network HSM Setup
Refer to the SafeNet Luna Network HSM documentation for installation steps and details regarding configuration and setup of the SafeNet Luna Network HSM on Windows/Unix systems. Before you get started, ensure that you have performed the following tasks to prepare the SafeNet Luna Network HSM for use with Google Cloud: ...
After creating the NTLS connection to the HSM partition, download and import the Google public key onto the HSM partition; it will be used to wrap the generated AES-256 key. To use a CSEK for Google Cloud with SafeNet Luna HSM, follow the steps below.
1. Download the public certificate maintained by Google Compute Engine from: https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem...
2 – Integrating Google Cloud Platform with SafeNet Luna HSM
Please enter password for token in slot 0: ********
Provide the partition password when prompted.
5. Run the cmu list command to ensure the key is imported successfully.
# cmu list
Please enter password for token in slot 0: ********
handle=718 label=google public key...
8. Now create an AES-256 key on the HSM partition; it will be used to encrypt the disk contents in the cloud. To generate the key, run the ckdemo utility provided with the Luna Client.
# ckdemo
It shows the available options and prompts for your choice. The choices (numeric values) used to generate an AES-256 key are listed below...
Generated AES Key: 715 (0x000002cb)
Here 715 is the handle of the generated AES key.
9. Wrap your key using the public key from the certificate that Compute Engine manages. Make sure you wrap the key using OAEP padding.
Creating the Encrypted VM using CSEK
Creating an encrypted disk or VM is straightforward. This guide demonstrates creating an encrypted VM using both the console and the gcloud tool provided by Google.
3. Enter the Name and Description, select the Zone, and set Disk Type to Standard persistent disk. Select the Source type, Source Image (the OS that needs to be installed) and Size (GB). Set Encryption to Customer Supplied and enter the key in the text box provided.
5. Enter the Name and select the Zone and Machine type. In the Boot disk section, click Change and then click Existing disk. The disk created in the previous steps using CSEK encryption is displayed. When the disk is selected, you are prompted to enter the key. Provide the same key you used to encrypt the disk and select the Wrapped key checkbox.
gcloud is part of the Google Cloud SDK and provides commands for performing operations on Google Cloud. You can use this tool to create an encrypted disk or VM using a CSEK, to start and stop the VM when needed, and for other operations such as creating snapshots of the encrypted disk.
Here example-disk is the name of the disk to be created. Replace "zinc-window-164420" and "us-central1-c" with your project and zone respectively.
2. Create an encrypted disk using the CSEK supplied in a JSON file.
# gcloud beta compute disks create example-disk --size=30GB --image-family centos-6 --image-project centos-cloud --csek-key-file example-file.json...
3. Create a VM instance using the encrypted disk.
# gcloud beta compute instances create example-instance --disk name=example-disk,boot=yes --csek-key-file example-file.json
The VM instance is now created on the encrypted disk; you can connect to it over SSH using the methods provided in the Appendix.
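The steps above pass the CSEK to gcloud through a JSON key file rather than on the command line. The following added example (not part of the Gemalto guide) builds and validates such a file: it assumes the key file format is a list of entries with "uri", "key" and "key-type" fields, that the decoded key is 32 bytes when raw, and 256 bytes when wrapped with RSA-OAEP under Google's 2048-bit CSEK ingress certificate (the wrapping itself is done on the HSM, as in step 9). The sample key bytes are constructed.

```python
import base64
import json

RAW_KEY_LEN = 32       # AES-256 CSEK, decoded
WRAPPED_KEY_LEN = 256  # assumed: RSA-2048 OAEP wrapping of the CSEK

def encode_key(blob):
    """Standard (padded) base64 as required for CSEK material."""
    return base64.b64encode(blob).decode("ascii")

def disk_uri(project, zone, disk):
    """Full Compute Engine resource URI the key-file entry must name."""
    return ("https://www.googleapis.com/compute/v1/projects/"
            f"{project}/zones/{zone}/disks/{disk}")

def csek_entry(project, zone, disk, key_b64, wrapped):
    """Validate a base64 CSEK (raw or HSM-wrapped) and build one key-file entry."""
    try:
        blob = base64.b64decode(key_b64, validate=True)
    except (ValueError, TypeError) as exc:
        raise ValueError("key is not valid standard base64") from exc
    expected = WRAPPED_KEY_LEN if wrapped else RAW_KEY_LEN
    if len(blob) != expected:
        raise ValueError(f"decoded key is {len(blob)} bytes, expected {expected}")
    # Reject non-canonical encodings (missing padding, stray whitespace) early,
    # before gcloud fails against the API with a less helpful message.
    if encode_key(blob) != key_b64:
        raise ValueError("key must be canonical standard base64 with padding")
    return {
        "uri": disk_uri(project, zone, disk),
        "key": key_b64,
        "key-type": "rsa-encrypted" if wrapped else "raw",
    }

def write_key_file(path, entries):
    """Write the entry list as the JSON document gcloud --csek-key-file reads."""
    with open(path, "w", encoding="ascii") as fh:
        json.dump(entries, fh, indent=2)

if __name__ == "__main__":
    # Constructed stand-in for the OAEP-wrapped blob exported from the Luna partition.
    wrapped = encode_key(b"\x42" * WRAPPED_KEY_LEN)
    entry = csek_entry("zinc-window-164420", "us-central1-c", "example-disk", wrapped, True)
    write_key_file("example-file.json", [entry])
    print(json.dumps([entry], indent=2))
```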
Stopping or deleting the VM does not require the CSEK, but other operations that read or write the disk, such as starting the encrypted VM or taking a snapshot of the encrypted disk, require the CSEK that was used to encrypt it. For details on other operations on encrypted disks, refer to the Google Cloud documentation.
3 – Appendix
Appendix
To connect to the VM instances created on Google Cloud, refer to the Google Cloud documentation; the method for connecting to a Linux instance using SSH is provided below for your reference.
1. To connect to the instance using gcloud, open the Google Cloud SDK Shell and run the gcloud compute command as follows:
# gcloud compute --project "zinc-window-164420"...
When you connect to an instance through the gcloud tool, your keys are generated, applied to your project and made available at the following locations:
Public key: C:\Users\[USER_NAME]\.ssh\google_compute_engine.pub
Private key: C:\Users\[USER_NAME]\.ssh\google_compute_engine
2. To generate a new SSH key pair on Windows workstations, download putty and puttygen.exe from the following URL: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html (download the 64-bit Windows Installer).
10. Copy the entire public key value from the PuTTYgen tool and paste it as a new item in the list of SSH keys on the Metadata page. The public key value is available at the top of the PuTTYgen screen:
11.
12. Run putty.exe. In the PuTTY tool, enter your Google username and the external IP address of the instance you want to connect to in the Host Name field. Your username is the Google username that you use to access your project.
15. Click Open to connect to your instance. If the connection is successful, you can use the terminal to run commands on your instance.