Secure Data with vSRX Virtual Firewall 3.0 Using GCP KMS (HSM)

A wrapper library is available in Junos to enable VPN and other applications (such as mgd) to integrate and communicate with cloud-based KMS. This wrapper library provides interface to Key Management Service (KMS) using PKCS#11 APIs. Junos applications use this wrapper library with updated support for GCP to communicate with KMS. To support PKCS#11 APIs, GCP team provides Juniper a library which acts as an intermediary between Junos applications and Cloud KMS service. This library is added as part of vSRX Virtual Firewall 3.0 Junos package. There is no action needed from you to enable the libraries.

After enabling the KMS service, you need to specify the Master Encryption Key (MEK) using the request security hsm master-encryption-password set plain-text-password command. vSRX Virtual Firewall 3.0 then creates RSA 2048 key pair Master binding Key (MBK) in KMS and encrypts MEK using MBK in KMS. MEK is then used as a key for encrypting data at rest such as hash of configuration, private key pair files and master-password file.

vSRX Virtual Firewall with GCP KMS has the following limitations:

• vSRX Virtual Firewall uses management interface to access KMS service. If management interface is not enabled or configured, KMS service cannot be used from vSRX Virtual Firewall.

• SSL Proxy, Sky-ATP, IDP Signature download or any other module using certificate-based connections will not work when HSM is enabled.

• RSA Key Pair with a Key ID can be generated only once. It cannot be used for another Key Pair to generate or create request, for a deleted Key ID, or for another new Key request.

Figure 1 illustrates the inventory of keys in vSRX Virtual Firewall 3.0.

Support for generating Public Key Infrastructure (PKI) key-pairs in GCP cloud KMS is enabled and any request such as RSA SIGN, which needs private key of the generated key-pair is be sent to GCP cloud KMS. Specifically, the following operations have been offloaded to the KMS:

• Private key signing during Certificate Signing Request (CSR) creation in PKI Daemon (PKID) running on the device.

• Private key signing during verification of the certificate received from the CA server in PKID.

• Private key signing during IKE negotiations at Key Management Daemon (KMD) which is the IKE Daemon running on the device.

All the VPN applications (PKID and KMD) will use wrapper library to communicate with the KMS service to create, manage and execute crypto operations on the RSA keys.

Figure 2 illustrates how VPN applications accessing KMS service.

You can secure data at rest and achieve configuration integrity with vSRX Virtual Firewall 3.0 using GCP KMS. Perform the steps given in this topic to setup GCP Cloud KMS service and Key Ring for vSRX Virtual Firewall 3.0.

Key Ring is a component in KMS service where keys created by Junos applications are going to reside. A key ring organizes keys in a specific Google Cloud location and allows you to manage access control on groups of keys. A key ring's name does not need to be unique across a Google Cloud project, but must be unique within a given location. After creation, a key ring cannot be deleted. Key rings do not incur storage costs.

To enable and setup vSRX Virtual Firewall 3.0 to access KMS on GCP.

1. Launch vSRX Virtual Firewall 3.0 instance in GCP. See Deploying vSRX Virtual Firewalls on Google Cloud Platform and Deploy vSRX in Google Cloud Platform.

2. Setup GCP KMS for vSRX Virtual Firewall 3.0.

   Before you can enable vSRX Virtual Firewall 3.0 to communicate with the KMS service, you need to ensure vSRX Virtual Firewall 3.0 instance is authenticated and authorized to access GCP Cloud KMS service. To setup GCP environment or account do the following:

   1. Create a service account.

      A service account is a special type of Google account intended to represent a non-human user such as virtual machines(VMs), that needs to authenticate and be authorized to access data in Google APIs.

      vSRX Virtual Firewall 3.0 uses the PKCS#11 library provided by GCP to access Cloud KMS service. The library uses service accounts to authenticate using service account credentials.

      1. To create a new service account to use with vSRX Virtual Firewall 3.0 to access Cloud KMS, see

         Getting Started with Authentication. If you already have a service account then, see Authenticating as a service account.

      2. Create IAM role for the service account to enable access for vSRX Virtual Firewall 3.0 instance.

         Once you have service account setup, grant the account a role or roles with the following IAM permissions:

         • cloudkms.cryptoKeys.list on all configured KeyRings.

         • cloudkms.cryptoKeyVersions.list on all CryptoKeys in each configured KeyRing.

         • cloudkms.cryptoKeyVersions.viewPublicKey for all asymmetric keys contained within all configured KeyRings.

         • cloudkms.cryptoKeyVersions.use to Decrypt or cloudkms.cryptoKeyVersions.use to sign for any keys to be used for decryption or signing.

         • cloudkms.cryptoKeys.create if you intend to create keys.

         • cloudkms.cryptoKeyVersions.destroy if you intend to destroy keys.

         You can also use pre-defined groups of IAM roles as listed below to grant service account the needed permissions. For more information about roles associated for each of the above groups, see Permissions and Roles.

      3. Attach IAM role to vSRX Virtual Firewall 3.0 instance either from GUI or using GCP CLI.

         After you have service account created and granted needed IAM roles as mentioned above, you can either create a new vSRX Virtual Firewall 3.0 instance using this service account or set an existing vSRX Virtual Firewall 3.0 instance to use the service account.

         For more information, see Creating and enabling service accounts for instances.

      4. Create Key Ring

         After granting required access for vSRX Virtual Firewall 3.0 instance to communicate with KMS, you need to create Key Ring, which is a component in KMS service where keys created by vSRX Virtual Firewall 3.0 will reside.

         Key Ring can be created using gcloud or from console. For more information, see Create a Key Ring

         .

         Additionally, GCP KMS does not allow creation of a key with an ID which was already used and created earlier. GCP KMS also does not allow deletion of existing key and creating another key with same name.

         Note:

         Key ring can be created in one specific region, dual-regional or multi-regional locations. Location refers to the datacenter in which your keys are going to be saved. If you use one specific region key is located in that location only. In case of dual regions, keys are replicated to other regions and same implies for multi-regional locations. For more information, see Cloud KMS locations.

         After you create Key Ring, please note down the resource ID for the key ring as it is needed for input into vSRX Virtual Firewall 3.0 using CLI. GCP PKCS#11 KMS library on vSRX Virtual Firewall 3.0 will use this resource ID to communicate with KMS. Name of Key created in Key ring can contain letters, numbers, underscores (_), and hyphens (-).

3. Provide GCP Key Ring resource information using the request security hsm set gcp project <name_of_project> location <location_of_key_ring> key-ring <name_of_key_ring> command. For more information, see Getting a Cloud KMS resource ID

4. After enabling the KMS service, you need to specify the Master Encryption Key (MEK) using the request security hsm master-encryption-password set plain-text-password command on vSRX Virtual Firewall 3.0.

   Once you specify the MEK, vSRX Virtual Firewall 3.0 creates the RSA 2048 key pair (MBK) in KMS and encrypts MEK using Master binding Key (MBK) in KMS. MEK is then used as a key for encrypting data at rest such as hash of configuration, private key pair files and master-password file.

5. Change the Master Encryption Password.

   If you want to change the master encryption password then you can run the request security hsm master-encryption-password set plain-text-password command from operational mode:

   Note:

   It is recommended that no configuration changes are made while you are changing the master encryption password.

   The system checks if the master encryption password is already configured. If master encryption password is configured, then you are prompted to enter the current master encryption password.

   The entered master encryption password is validated against the current master encryption password to make sure these master encryption passwords match. If the validation succeeds, you will be prompted to enter the new master encryption password as plain text. You will be asked to enter the key twice to validate the password.

   The system then proceeds to re-encrypt the sensitive data with the new master encryption password. You must wait for this process of re-encryption to complete before attempting to change the master encryption password again.

   If the encrypted master encryption password file is lost or corrupted, the system will not be able to decrypt the sensitive data. The system can only be recovered by re-importing the sensitive data in clear text, and re-encrypting them.

6. Check HSM status using the show security hsm status command to check if KMS is enabled and reachable, also displays the Resource ID of Key Ring being used, Master binding Key (MBK), and Master Encryption Key (MEK) status.

• Purpose
• Action