Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Secure Data with vSRX 3.0 Using GCP KMS (HSM)

This topic describes the integration of vSRX 3.0 with GCP (Google Cloud Platform) Key management Service (KMS) for securing confidential information such as private keys that must be stored within a FIPS boundary. GCP provides support for KMS that is used by applications such as vSRX 3.0 to safeguard and to manage cryptographic keys.

Overview

A wrapper library is available in Junos to enable VPN and other applications (such as mgd) to integrate and communicate with cloud-based KMS. This wrapper library provides interface to Key Management Service (KMS) using PKCS#11 APIs. Junos applications use this wrapper library with updated support for GCP to communicate with KMS. To support PKCS#11 APIs, GCP team provides Juniper a library which acts as an intermediary between Junos applications and Cloud KMS service. This library is added as part of vSRX 3.0 Junos package. There is no action needed from you to enable the libraries.

After enabling the KMS service, you need to specify the Master Encryption Key (MEK) using the request security hsm master-encryption-password set plain-text-password command. vSRX 3.0 then creates RSA 2048 key pair Master binding Key (MBK) in KMS and encrypts MEK using MBK in KMS. MEK is then used as a key for encrypting data at rest such as hash of configuration, private key pair files and master-password file.

vSRX with GCP KMS has the following limitations:

  • vSRX uses management interface to access KMS service. If management interface is not enabled or configured, KMS service cannot be used from vSRX.

  • SSL Proxy, Sky-ATP, IDP Signature download or any other module using certificate-based connections will not work when HSM is enabled.

  • RSA Key Pair with a Key ID can be generated only once. It cannot be used for another Key Pair to generate or create request, for a deleted Key ID, or for another new Key request.

Figure 1 illustrates the inventory of keys in vSRX 3.0.

Figure 1: Supply of Keys in vSRX 3.0 Supply of Keys in vSRX 3.0

Support for generating Public Key Infrastructure (PKI) key-pairs in GCP cloud KMS is enabled and any request such as RSA SIGN, which needs private key of the generated key-pair is be sent to GCP cloud KMS. Specifically, the following operations have been offloaded to the KMS:

  • Private key signing during Certificate Signing Request (CSR) creation in PKI Daemon (PKID) running on the device.

  • Private key signing during verification of the certificate received from the CA server in PKID.

  • Private key signing during IKE negotiations at Key Management Daemon (KMD) which is the IKE Daemon running on the device.

All the VPN applications (PKID and KMD) will use wrapper library to communicate with the KMS service to create, manage and execute crypto operations on the RSA keys.

Figure 2 illustrates how VPN applications accessing KMS service.

Figure 2: VPN Applications Accessing KMS Service VPN Applications Accessing KMS Service

You can secure data at rest and achieve configuration integrity with vSRX 3.0 using GCP KMS. Perform the steps given in this topic to setup GCP Cloud KMS service and Key Ring for vSRX 3.0.

Key Ring is a component in KMS service where keys created by Junos applications are going to reside. A key ring organizes keys in a specific Google Cloud location and allows you to manage access control on groups of keys. A key ring's name does not need to be unique across a Google Cloud project, but must be unique within a given location. After creation, a key ring cannot be deleted. Key rings do not incur storage costs.

Integrate GCP KMS with vSRX 3.0

To enable and setup vSRX 3.0 to access KMS on GCP.

  1. Launch vSRX 3.0 instance in GCP. See Deploying vSRX Virtual Firewalls on Google Cloud Platform and Deploy vSRX in Google Cloud Platform.

  2. Setup GCP KMS for vSRX 3.0.

    Before you can enable vSRX 3.0 to communicate with the KMS service, you need to ensure vSRX 3.0 instance is authenticated and authorized to access GCP Cloud KMS service. To setup GCP environment or account do the following:

    1. Create a service account.

      A service account is a special type of Google account intended to represent a non-human user such as virtual machines(VMs), that needs to authenticate and be authorized to access data in Google APIs.

      vSRX 3.0 uses the PKCS#11 library provided by GCP to access Cloud KMS service. The library uses service accounts to authenticate using service account credentials.

      1. To create a new service account to use with vSRX 3.0 to access Cloud KMS, see

        Getting Started with Authentication. If you already have a service account then, see Authenticating as a service account.

      2. Create IAM role for the service account to enable access for vSRX 3.0 instance.

        Once you have service account setup, grant the account a role or roles with the following IAM permissions:

        • cloudkms.cryptoKeys.list on all configured KeyRings.

        • cloudkms.cryptoKeyVersions.list on all CryptoKeys in each configured KeyRing.

        • cloudkms.cryptoKeyVersions.viewPublicKey for all asymmetric keys contained within all configured KeyRings.

        • cloudkms.cryptoKeyVersions.use to Decrypt or cloudkms.cryptoKeyVersions.use to sign for any keys to be used for decryption or signing.

        • cloudkms.cryptoKeys.create if you intend to create keys.

        • cloudkms.cryptoKeyVersions.destroy if you intend to destroy keys.

        You can also use pre-defined groups of IAM roles as listed below to grant service account the needed permissions. For more information about roles associated for each of the above groups, see Permissions and roles

      3. Attach IAM role to vSRX 3.0 instance either from GUI or using GCP CLI.

        After you have service account created and granted needed IAM roles as mentioned above, you can either create a new vSRX 3.0 instance using this service account or set an existing vSRX 3.0 instance to use the service account.

        For more information, see Creating and enabling service accounts for instances.

      4. Create Key Ring

        After granting required access for vSRX 3.0 instance to communicate with KMS, you need to create Key Ring, which is a component in KMS service where keys created by vSRX 3.0 will reside.

        Key Ring can be created using gcloud or from console. For more information, see Create a key ring

        .

        Additionally, GCP KMS does not allow creation of a key with an ID which was already used and created earlier. GCP KMS also does not allow deletion of existing key and creating another key with same name.

        Note:

        Key ring can be created in one specific region, dual-regional or multi-regional locations. Location refers to the datacenter in which your keys are going to be saved. If you use one specific region key is located in that location only. In case of dual regions, keys are replicated to other regions and same implies for multi-regional locations. For more information, see Cloud KMS locations.

        After you create Key Ring, please note down the resource ID for the key ring as it is needed for input into vSRX 3.0 using CLI. GCP PKCS#11 KMS library on vSRX 3.0 will use this resource ID to communicate with KMS. Name of Key created in Key ring can contain letters, numbers, underscores (_), and hyphens (-).

  3. Provide GCP Key Ring resource information using the request security hsm set gcp project <name_of_project> location <location_of_key_ring> key-ring <name_of_key_ring> command. For more information, see Getting a Cloud KMS resource ID

  4. After enabling the KMS service, you need to specify the Master Encryption Key (MEK) using the request security hsm master-encryption-password set plain-text-password command on vSRX 3.0.

    Once you specify the MEK, vSRX 3.0 creates the RSA 2048 key pair (MBK) in KMS and encrypts MEK using Master binding Key (MBK) in KMS. MEK is then used as a key for encrypting data at rest such as hash of configuration, private key pair files and master-password file.

  5. Change the Master Encryption Password.

    If you want to change the master encryption password then you can run the request security hsm master-encryption-password set plain-text-password command from operational mode:

    Note:

    It is recommended that no configuration changes are made while you are changing the master encryption password.

    The system checks if the master encryption password is already configured. If master encryption password is configured, then you are prompted to enter the current master encryption password.

    The entered master encryption password is validated against the current master encryption password to make sure these master encryption passwords match. If the validation succeeds, you will be prompted to enter the new master encryption password as plain text. You will be asked to enter the key twice to validate the password.

    The system then proceeds to re-encrypt the sensitive data with the new master encryption password. You must wait for this process of re-encryption to complete before attempting to change the master encryption password again.

    If the encrypted master encryption password file is lost or corrupted, the system will not be able to decrypt the sensitive data. The system can only be recovered by re-importing the sensitive data in clear text, and re-encrypting them.

  6. Check HSM status using the show security hsm status command to check if KMS is enabled and reachable, also displays the Resource ID of Key Ring being used, Master binding Key (MBK), and Master Encryption Key (MEK) status.

Verify the Status of the HSM

Purpose

To check connectivity with HSM.

Action

You can use the show security hsm status command to verify the status of the HSM. The following information is displayed:

  • If HSM is enabled and reachable or disabled

  • Is Master Binding Key (RSA Key pair) created in HSM

  • Is Master Encryption Key configured - master encryption password status (set or not set)

  • Cloud vendor Information

show security hsm status

Syntax

Release Information

Command introduced in Junos OS Release 19.4R1.

Description

Display the current status of the Hardware Security Module (HSM). You can use this show security hsm status command to check the status of HSM, master binding key, master encryption password, and cloud vendor details.

Options

This command has no options.

Required Privilege Level

security

Output Fields

Table 1 lists the output fields for the show security hsm status command.

Table 1: show security hsm status Output Fields

Field Name

Field Description

Enabled

Specifies whether HSM is enabled or disabled.

Master Binding Key

Displays the HSM’s Master Binding Key status whether it is created or not created in HSM. HSM generates cryptographic keys and encrypts them so that those can only be decrypted by the HSM. This process is know as binding. Each HSM has a master binding key, which is also know as storage root key.

Master Encryption Key

Displays Master Encryption configuration status whether it is set or not set. The encrypted data and the hash of the configuration is protected by vSRX using Microsoft Key Vault (HSM) service.

Cloud vendor Details

Displays the details specific to the cloud vendor.

Sample Output

show security hsm status (HSM status command output when vSRX initially boots up but GCP KMS feature is not enabled)

show security hsm status (HSM status command output after successful integration with GCP KMS)

request security hsm master-encryption-password

Syntax

Release Information

Command introduced in Junos OS Release 19.4R1.

Description

Use this command to set or replace the password (in plain text).

Options

plain-text-password

Set or replace the password (in plain text).

Required Privilege Level

maintenance

Output Fields

When you enter this command, you are provided feedback on the status of your request.

Sample Output

request security hsm master-encryption-password set plain-text-password