By Yanhui Zhao and Li Shen from Alibaba Cloud, and Anand Kashyap and Ambuj Kumar from Fortanix Inc.
Published in joint collaboration between Alibaba Cloud and Fortanix Inc.
Cryptographic keys are the most sensitive assets of an enterprise. As enterprises migrate their data and applications to the public cloud, they are increasingly concerned about securing their keys, even from the cloud service provider. Alibaba Cloud is excited to partner with Fortanix to announce the availability of Self-Defending Key Management Service™ (SDKMS) on Alibaba Cloud ECS Bare Metal instances with Intel® SGX to address this concern. With SDKMS, our customers can bring their most sensitive data to Alibaba Cloud knowing that their data is encrypted with keys that they manage themselves and that are not accessible to either Fortanix or Alibaba Cloud.
SDKMS gives customers all the benefits of a hardware security module with a click of a button on an Alibaba Cloud ECS Bare Metal instance with Intel® SGX. SDKMS offers encryption, key generation, tokenization, and KMIP, and supports most modern cryptography, including AES, RSA, ECC, and blockchain curves. Since the entire SDKMS application runs inside Intel® SGX, all customer keys and logs are inaccessible to Alibaba Cloud, system administrators, and Fortanix, and are protected from any rogue software.
Fortanix has built Runtime Encryption®, a new technology that uses Intel® SGX to secure the data an application is using. This technology keeps data encrypted while in use and relies on remote attestation to establish the integrity of the application. Runtime Encryption® allows Alibaba Cloud, one of the few public cloud service providers offering Intel® SGX-enabled ECS Bare Metal instances, to provide secure services in the cloud without being inside its customers' trust boundary. Customers can run any of their Linux applications securely using Runtime Encryption®.
SDKMS is a key management and encryption solution that provides hardware security module (HSM) grade security with software-like flexibility. SDKMS is designed to securely generate, store, and use cryptographic keys and certificates, as well as any generic secrets. Fortanix SDKMS has three key features: Secure, Simple, and Scalable, making it an essential member of the Alibaba Cloud ecosystem.
Installing SDKMS on Alibaba Cloud is an easy 3-step process as shown in the following video:
- Order ECS Bare Metal instances with Intel® SGX from Alibaba Cloud. Currently, these servers are available in several regions in China. When selecting the servers, look for Intel® Xeon E3-1240 v6 (Skylake) processors. Select Ubuntu 16.04 as the OS installed on these servers. Fortanix recommends a minimum of 3 nodes for an SDKMS cluster.
- Get the Fortanix SDKMS installer package from Fortanix and install it on all 3 servers. Run the “sdkms cluster create” command on one of the nodes to initialize the SDKMS cluster, and then run the “sdkms cluster join” command on the other nodes to join them to the cluster.
- Once the cluster setup is complete, the certificate signing requests for the service are generated; these need to be signed either by the customer’s own PKI or by a widely trusted CA. Once the certificate for the deployment is installed, SDKMS is ready to use.
Use Cases for SDKMS
Through encryption, customers can protect sensitive, personally identifiable data such as credit card information. In addition, SDKMS can protect certificate signing keys and encrypt databases, VMware vSAN, and data lakes.
Customers upload data assets to the cloud every day, and they rely on the cloud service provider to store, back up, and migrate that data at all times. Throughout this handling, the data must be encrypted with a secret key to prevent unauthorized access by the cloud service provider and other malicious actors. Encrypted data can then be stored safely in the cloud, with no one but the data owner holding the key to it. The encryption key is itself stored in the cloud inside SDKMS, protected by Intel® SGX, which grants access to the key only to applications designated and approved by the data owner.
Besides protecting data at rest, distributed SDKMS can also protect data in transit with low latency and high throughput. An SDKMS customer can add trusted applications to an SDKMS group. Approved web servers and other applications can then use SDKMS to generate the private keys and certificates needed to establish secure communication channels with other web servers and applications and exchange secrets. The generated keys and certificates are again protected inside SDKMS by Intel® SGX and are accessible only to authorized users.
In addition to the examples above, customers can find more use cases for running Fortanix KMS on Alibaba Cloud ECS Bare Metal instances with Intel® SGX, such as blockchain key management and virtualization protection.
With Fortanix providing the hardware-secured SDKMS service on Alibaba Cloud, Alibaba Cloud can better serve our customers with a more secure cloud community.
How to Learn More About SDKMS
You can learn about the technical details of SDKMS in the SDKMS whitepaper, and you can find more information on Intel® SGX here. Fortanix also has a full list of SDKMS APIs accessible here. You can join a public Slack forum or contact our support team should you have any more questions.
About Alibaba Cloud
Established in 2009, Alibaba Cloud (www.alibabacloud.com), the cloud computing arm of Alibaba Group, is among the world’s top three IaaS providers according to Gartner, and the largest provider of public cloud services in China according to IDC. Alibaba Cloud provides a comprehensive suite of cloud computing services to businesses worldwide, including merchants doing business on Alibaba Group marketplaces, start-ups, corporations and government organizations. Alibaba Cloud is the official Cloud Services Partner of the International Olympic Committee.
Fortanix is the world’s only company to provide security that cannot be compromised by hackers even when they have physical access and root credentials! This allows customers to operate the most sensitive applications without worrying about cloud compromise, blind government subpoenas, malware, and cross-VM attacks. Fortanix provides this deterministic security by encrypting application data everywhere — at rest, in motion, and in use — with Runtime Encryption® securely built upon Intel® SGX. Fortanix is a Gartner Cool Vendor and was also the runner-up in the RSA Innovation Sandbox 2018 among 500+ security companies, where judges called it the “holy grail of security”. Fortanix has more than ten patents pending for its innovations.