AWS Key Management in Verify Privilege Vault Cloud

Managing your own encryption key or using a third-party provider, such as AWS KMS, has very serious ramifications if not carefully handled—you can lose access to your Verify Privilege Vault data. When using AWS KMS, Verify Privilege Vault requires access to the AWS KMS key for the website to be accessible and secrets to be available. If the AWS KMS key is deleted, Verify Privilege Vault becomes permanently unable to decrypt any data—all access to secrets is lost. If the credentials that Verify Privilege Vault uses to access the AWS KMS key are blocked or disabled, the Verify Privilege Vault website becomes inaccessible until the prior credentials are restored by the customer.

Introduction

Overview

Verify Privilege Vault protects your secrets using a master encryption key, as well as an additional intermediate encryption key that is unique for each secret. These effectively act as internal passwords that Verify Privilege Vault itself needs to unlock your data, for example any time you view or update a secret.

Key Management in Verify Privilege Vault Cloud (SSC) allows you to add an additional layer of encryption using a third-party provider to protect these encryption keys for added protection and control. To do this, you must first set up your own encryption key with a third party that you fully control, and then provide Verify Privilege Vault limited access to it. This external encryption key is used to protect the Verify Privilege Vault encryption keys. You can revoke Verify Privilege Vault's access at any time if the need arises, rendering Secrets unusable.

Once enabled, be aware that if you delete your external third-party encryption key, or the credentials you gave Verify Privilege Vault no longer work, you will not be able to access your existing Secrets, and even IBM Security will not be able to help!

You can change your key management configuration through Verify Privilege Vault's Web interface or by using the REST API. If key management has already been enabled, you can switch to a new configuration or disable key management completely. To make any change, your existing key management configuration must still be valid, so your secrets and the master encryption keys can be converted to the new configuration. Your new settings are validated before they can be saved.

Verify Privilege Vault Cloud currently supports Amazon's Key Management Service.

Amazon Key Management Service

Key Management Service (KMS) is a managed service provided by AWS that allows you to create, manage and use encryption keys for your applications and services. With KMS, you can create symmetric keys or asymmetric keys to encrypt and decrypt data. These keys can be used to protect sensitive data such as passwords, credit card numbers, or personally identifiable information (PII).

A KMS (Key Management Service) key is a cryptographic key used to encrypt and decrypt data stored in AWS (Amazon Web Services) services such as S3, EBS, or RDS. KMS keys are stored securely in the AWS Cloud, and you can control access to them by using IAM (Identity and Access Management) policies. You can also use KMS to audit key usage and generate key usage reports.

Configuring Key Management

Overview

To enable key management, you first create an encryption key with your third-party provider, then an API account that Verify Privilege Vault will use to access the key. After the external encryption key is set up, you update Verify Privilege Vault with the details.

Changing your key management settings will trigger "maintenance mode" and a secret key rotation that will re-encrypt all your secret keys. No one will be able to access secrets until the rotation finishes, and it must finish successfully before further key management changes can be made.

Navigate to Verify Privilege Vault's key management page by clicking Admin > All > Key Management.

Here you can change your key management settings, as well as view the audit history showing all key management updates.

Key Management Providers

SSC currently supports one provider, AWS Key Management Service. More providers may be added over time. Azure's KeyVault service is not a viable provider at this time because its rate limits make it too slow when using strong encryption keys (such as 4096-bit RSA with HSM).

AWS Key Management Services Pricing

Please see AWS Key Management Service Pricing.

SSC requires one AWS Key ("CMK"), and the number of requests per month will vary depending on how often secrets are accessed.

Procedure

Changing your key management settings triggers SSC maintenance mode and a secret key rotation that re-encrypts (or decrypts) all your secret keys! No one can access secrets until the rotation finishes, and it must finish successfully before further key management changes can be made.

Task 1: Setting up the Encryption Key and IAM User in AWS

  1. Log into the AWS Console website at https://console.aws.amazon.com/.

  2. Under Services, search for IAM (Identity and Access Management). This is where you will configure both your encryption key and an IAM user for Verify Privilege Vault to use to access the encryption key.

  3. Click the Users button on the left menu.

  4. Click Add User button.

  5. Type a name (such as SecretServerCloud) in the User Name text box.

  6. Click to select the Programmatic Access check box in the Access Type section.

  7. Click the Next: Permissions button (on the Permissions page, no special permissions are needed). The Permissions page appears.

  8. Click the Next: Tags button. The Tags page appears.

  9. Click the Next: Review button. The Review page appears.

  10. Click the Create User button. A Success page appears confirming the user was created. Both the access key ID and the secret access key appear (click the Show link).

  11. Click the Download .csv button to save the credentials.

    Important: Be sure to save both the access key ID and the secret access key! If you lose them, you can never view the secret access key again. Even after you enter them in SSC, you cannot retrieve the secret access key.

  12. Once the download completes, click the Close button.

  13. Under Services, search for Key Management Service.

  14. Click the Customer managed keys link in the left menu.

  15. Click the Create Key button. The Configure Key page, the first page of the Create Key wizard, appears.

  16. Ensure the Key type selection button is set to Symmetric.

  17. Ensure the Key usage selection button is set to Encrypt and decrypt.

  18. Click the Next button. The Add Labels page appears.

  19. Type SecretServerCloud in the Alias text box.

  20. (Optional) Type a description in the Description text box.

  21. (Optional) Click the Add tab button to add KMS tags. Click the Learn More link for more about tags.

  22. Click the Next button. The Define Key Administrative Permissions page appears.

    Leave the page as is.

    Important: Do not give the user you created earlier for SSC administrative access to the key. It is unnecessary for Verify Privilege Vault to have administrative access to the key.

  23. Click the Next button. The Define Key Usage Permissions page appears.

  24. Click to select the check box next to the SecretServerCloud-Key name in the table to give that user access to the key.

  25. Click the Next button. The Review page appears.

  26. Ensure the settings are as desired.

  27. Click the Finish button. The new key appears in your Encryption Keys list.

  28. Click to select the new key in the list. The Summary section on the key's page appears.

  29. Copy and save the contents of the read-only ARN text box. You will need it later.
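The console steps above end with a key policy that grants the SSC user key usage and keeps administration elsewhere. The following Python is an added example, not Verify Privilege Vault's or AWS's own code: it builds the equivalent key policy document and audits it, so you can confirm before pasting the ARN into SSC that the vault's IAM user can encrypt and decrypt but holds none of the actions that could lock the vault out of its own data. The action lists are the ones the Create Key wizard grants to key administrators and key users; ACCOUNT_ID, KEY_ADMIN_ARN and the key id in the test are constructed placeholders.

```python
"""Added example, not Verify Privilege Vault's own code: build the AWS KMS key
policy that Task 1 configures through the console, and audit it so that the
vault's IAM user holds usage permissions only. The account id and principal
names below are constructed placeholders."""
import json
import re

ACCOUNT_ID = "111122223333"                                          # placeholder
SSC_USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/SecretServerCloud"   # user from steps 3-12
KEY_ADMIN_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/KmsKeyAdministrator"  # placeholder admin role

# "Key users" actions from the console wizard: enough to encrypt and decrypt.
USAGE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                 "kms:GenerateDataKey*", "kms:DescribeKey"]
# "Key administrators" actions from the console wizard: manage the key itself.
ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                 "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                 "kms:Get*", "kms:Delete*", "kms:TagResource",
                 "kms:UntagResource", "kms:ScheduleKeyDeletion",
                 "kms:CancelKeyDeletion"]
# Actions that, if the vault's user held them, could delete or disable the key
# or rewrite its policy: exactly the failure modes the page warns about.
LOCKOUT_ACTIONS = ["kms:ScheduleKeyDeletion", "kms:DisableKey",
                   "kms:PutKeyPolicy", "kms:DisableKeyRotation"]


def build_key_policy(account_id, admin_arn, user_arn):
    """Key policy with the same three statements the Create Key wizard
    produces: account root keeps IAM control, one principal administers the
    key, and the vault user only uses it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow administration of the key", "Effect": "Allow",
             "Principal": {"AWS": admin_arn},
             "Action": ADMIN_ACTIONS, "Resource": "*"},
            {"Sid": "Allow use of the key", "Effect": "Allow",
             "Principal": {"AWS": user_arn},
             "Action": USAGE_ACTIONS, "Resource": "*"},
        ],
    }


def _action_matches(pattern, action):
    """IAM-style wildcard match: 'kms:Disable*' covers 'kms:DisableKey'."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, action) is not None


def allowed_actions(policy, principal_arn):
    """Every Allow action pattern a principal is granted by the key policy."""
    patterns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        if principal_arn in principals:
            actions = stmt["Action"]
            patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def audit_vault_principal(policy, user_arn):
    """Return (ok, findings). ok is True only when the vault user can Encrypt
    and Decrypt and holds none of the lock-out actions."""
    patterns = allowed_actions(policy, user_arn)
    findings = []
    for needed in ("kms:Encrypt", "kms:Decrypt"):
        if not any(_action_matches(p, needed) for p in patterns):
            findings.append(f"missing {needed}")
    for risky in LOCKOUT_ACTIONS:
        hits = [p for p in patterns if _action_matches(p, risky)]
        if hits:
            findings.append(f"{risky} granted via {hits[0]}")
    return not findings, findings


KEY_ARN_RE = re.compile(
    r"arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/(?P<key_id>[0-9a-f-]+)")


def parse_key_arn(arn):
    """Split the ARN copied in step 29 into region, account and key id, or
    return None when it is not a KMS key ARN (an alias ARN, for instance)."""
    match = KEY_ARN_RE.fullmatch(arn.strip())
    return match.groupdict() if match else None


if __name__ == "__main__":
    policy = build_key_policy(ACCOUNT_ID, KEY_ADMIN_ARN, SSC_USER_ARN)
    print(json.dumps(policy, indent=2))
    print(audit_vault_principal(policy, SSC_USER_ARN))
```

The audit is deliberately stricter than "is the user listed": a wildcard such as kms:Disable* in an administrator statement also covers kms:DisableKey, so the check expands patterns the way IAM does rather than comparing strings. Running it against a policy where the SSC user was mistakenly ticked on the administrative permissions page reports each lock-out action and the pattern that grants it.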

AWS supports automatically rotating this key every year. You can change that setting on this page in the Key Rotation section (select the "Rotate this Key every year" check box). Once rotated, the key management settings in Verify Privilege Vault will not require further changes, and your existing secrets can still be accessed by the old encryption settings. However, only new secrets will be created under the new version of the encryption key, and you must perform a secret key rotation inside SSC if you want to update all secrets to use the new version of the AWS key.

As a security best practice, we recommend performing a secret key rotation inside of SSC on a regular basis to refresh the encryption keys on your Secrets. Go to Admin > Configuration > Security, and click Rotate Secret Keys.
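The overview above describes a hierarchy of keys (an external KMS key protecting the vault's own encryption keys, with an intermediate key per secret) and the paragraph before this one describes how AWS key rotation interacts with the Rotate Secret Keys operation. The following Python is an added example, not Verify Privilege Vault's code: a toy model that makes those behaviours observable offline. It stands in for AWS KMS with an in-process object and uses an HMAC-SHA256 keystream XOR as a placeholder cipher purely so the wrapping is visible; the vault's real internals, the single wrap layer, and the sample secret values are all assumptions or simplifications of this example.

```python
"""Added example, not Verify Privilege Vault's own code: a toy model of the
key hierarchy the page describes, with an in-process stand-in for AWS KMS so
it runs offline. The 'cipher' is an HMAC-SHA256 keystream XOR used only to
make the wrapping visible; it is not a real encryption scheme."""
import hashlib
import hmac
import os


def _keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def toy_encrypt(key, plaintext):
    nonce = os.urandom(16)
    return nonce + _keystream_xor(key, nonce, plaintext)


def toy_decrypt(key, blob):
    return _keystream_xor(key, blob[:16], blob[16:])


class ToyKms:
    """Stand-in for one AWS KMS key: versioned backing material, a flag for
    whether the vault's credentials still work, and a deleted flag."""

    def __init__(self):
        self.versions = [os.urandom(32)]
        self.access_allowed = True
        self.deleted = False

    def rotate(self):
        """Automatic KMS rotation: new material for new encryptions, old
        material retained so earlier ciphertexts still decrypt."""
        self.versions.append(os.urandom(32))

    def _check_access(self):
        if self.deleted:
            raise PermissionError("KMS key deleted: wrapped keys are unrecoverable")
        if not self.access_allowed:
            raise PermissionError("KMS access denied: vault credentials disabled")

    def encrypt(self, data):
        self._check_access()
        version = len(self.versions) - 1
        return bytes([version]) + toy_encrypt(self.versions[version], data)

    def decrypt(self, blob):
        self._check_access()
        return toy_decrypt(self.versions[blob[0]], blob[1:])


class ToyVault:
    """One intermediate key per secret, each wrapped by the external KMS key.
    Simplification: the page's master-key layer is folded into this one wrap."""

    def __init__(self, kms):
        self.kms = kms
        self.secrets = {}  # name -> (KMS-wrapped intermediate key, ciphertext)

    def store(self, name, value):
        intermediate = os.urandom(32)
        self.secrets[name] = (self.kms.encrypt(intermediate), toy_encrypt(intermediate, value))

    def read(self, name):
        wrapped, ciphertext = self.secrets[name]
        return toy_decrypt(self.kms.decrypt(wrapped), ciphertext)

    def key_versions(self):
        """Which KMS key version protects each secret (the leading version byte)."""
        return {name: wrapped[0] for name, (wrapped, _) in self.secrets.items()}

    def rotate_secret_keys(self):
        """Admin > Configuration > Security > Rotate Secret Keys: give every
        secret a fresh intermediate key wrapped under the current KMS version."""
        for name, (wrapped, ciphertext) in list(self.secrets.items()):
            value = toy_decrypt(self.kms.decrypt(wrapped), ciphertext)
            self.store(name, value)


def read_or_error(vault, name):
    """Return the secret, or the PermissionError text when KMS access is lost."""
    try:
        return vault.read(name)
    except PermissionError as exc:
        return str(exc)
```

Walking through it: after kms.rotate() an existing secret still reads because the old material is retained, a newly stored secret carries the new version byte, and only rotate_secret_keys() moves every secret to the current version. Flipping access_allowed off reproduces the "credentials blocked" outage, which is reversible; setting deleted reproduces key deletion, which is not.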

Task 2: Adding Encryption Key and User Details in Verify Privilege Vault

  1. In SSC, go to Administration > Key Management. The Key Management page appears.

  2. Click the Edit button. The page becomes editable.

  3. Click the Key Management Type dropdown list to select Amazon KMS.

  4. Type your AWS key details that you saved earlier in the remaining four text boxes.

  5. Click the Save button.

Task 3: Secret Key Rotation

  1. Once you save your changes, your new settings are validated and a secret key rotation is triggered.

  2. View the progress of the rotation:

    1. Go to Admin > Configuration.
    2. Click the Security tab.
    3. Go to the Key Rotation section.

  3. Later you can repeat the process to change the AWS encryption key, or you can select None for the Key Management Type to disable it completely.

Verify Privilege Vault Key Management via the REST API

SSC has a REST API for retrieving or updating your key management configuration. For details:

  1. Log on to your SSC instance.

  2. Click the question mark icon in the top right corner and select Verify Privilege Vault REST API Guide.

  3. Click the Documentation for REST API document link that matches your authentication style (normal tokens or Windows Integrated Authentication).

  4. Search for KeyManagement to view that section of our API.

Important: When changed via the API, maintenance mode and a secret key rotation still occur.