Configuring encryption KEKs in database mode
Requirements
To use the Stormshield KMaaS with KEKs stored in a database, you must meet the following requirements:
- A PostgreSQL database version 16.x must be available to the Stormshield KMaaS in your infrastructure, with the database schema described in appendix Creating the database schema.
- In the config.json file, the following parameters must be set:
  - The "persistence_type" parameter must be set to "database". For more information, refer to section Simple parameters.
  - The "database" parameters must be filled in according to your database configuration. Refer to section database parameter.
Generating KEKs and MKEKs
You can configure two kinds of keys in the Stormshield KMaaS:
- KEKs and Master encryption keys (i.e., MKEKs) for symmetric encryption use cases,
- KEKs for asymmetric encryption use cases with the Key Access Management.
The Stormshield KMaaS does not automatically generate keys, so you must create them beforehand. For more information on requirements and how to create keys, refer to:
Adding KEKs and MKEKs to a tenant in the database
The following procedure and SQL scripts describe how to add a key in a configuration with one tenant and only the KACLS module enabled. You must customize the procedure and scripts to match your configuration.
- Connect to the database dedicated to key storage, and run the following SQL scripts.
- Create the tenant:
  INSERT INTO tenant (tenant_id, display_name)
  VALUES ('<TENANT_ID>', '<OPTIONAL_TENANT_NAME>');
- Associate the module with the tenant. The module_id values are 1 for the KACLS, 2 for the KAS, and 3 for the Crypto API.
  INSERT INTO module (tenant_id, module_id)
  VALUES ('<TENANT_ID>', 1);
- Add an MKEK to the tenant. Replace <MKEK_BASE64_ENV_VARIABLE_NAME> with the base64-encoded MKEK value held in the environment variable of that name; DECODE(..., 'base64') stores the raw key bytes in key_value. For more information, refer to Generating KEKs.
  INSERT INTO mkek (mkek_id, tenant_id, key_algorithm_id, key_status_id, key_location_id, key_value, display_name)
  VALUES ('<MKEK_ID>', '<TENANT_ID>', 1, 2, 1, DECODE('<MKEK_BASE64_ENV_VARIABLE_NAME>', 'base64'), '<MKEK_NAME>');
- Add the KEK to the tenant. The key can also be created through the Admin module API (see Creating keys). The most recently created key becomes the active key for the corresponding tenant and module.
  INSERT INTO key (key_id, tenant_id, module_id, display_name, key_status_id, key_algorithm_id, key_usage)
  VALUES ('<KEY_ID>', '<TENANT_ID>', 1, '<KEK_NAME>', 2, 1, 1);
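The four steps above combined into one psql script, as an added example that is not part of the Stormshield documentation. It uses only the table and column names shown in the steps above and copies their id values (module_id 1 = KACLS; the key_algorithm_id, key_status_id, key_location_id and key_usage codes are taken from the steps as-is, their meaning being defined in the schema appendix, not on this page). Everything runs in a single transaction, so a failure in any step leaves no half-configured tenant. The MKEK is read from an environment variable named MKEK_B64 (an assumed name) through psql variable substitution, so the key material never has to be written into the script file; tenant_id, mkek_id and key_id are passed as psql variables on the command line.

```sql
-- Added example (not Stormshield's own script): provision one tenant with the
-- KACLS module, one MKEK and one KEK in a single transaction.
--
-- Usage (psql meta-commands below require psql, not a plain SQL client):
--   MKEK_B64="$(cat mkek.b64)" psql -d <database> \
--     -v tenant_id=acme -v mkek_id=acme-mkek-1 -v key_id=acme-kek-1 \
--     -f provision_tenant.sql
--
-- Assumed environment variable: MKEK_B64 holds the raw MKEK bytes in base64.

\set ON_ERROR_STOP on

-- Capture the environment variable into a psql variable; the key is never a
-- literal in this file, and :'mkek_b64' below expands to a quoted SQL string.
\set mkek_b64 `printenv MKEK_B64`

-- Refuse to continue if the variable is unset or empty: an empty DECODE()
-- result would otherwise be stored silently as a zero-length MKEK.
SELECT length(:'mkek_b64') = 0 AS mkek_missing \gset
\if :mkek_missing
  \echo 'MKEK_B64 is not set or empty; aborting.'
  DO $$ BEGIN RAISE EXCEPTION 'MKEK_B64 is not set or empty'; END $$;
\endif

BEGIN;

-- Step 1: the tenant.
INSERT INTO tenant (tenant_id, display_name)
VALUES (:'tenant_id', 'Example tenant');

-- Step 2: enable the KACLS module (1 = KACLS, 2 = KAS, 3 = Crypto API).
INSERT INTO module (tenant_id, module_id)
VALUES (:'tenant_id', 1);

-- Step 3: the MKEK. DECODE() fails the transaction if MKEK_B64 is not valid
-- base64, which is the behaviour we want rather than storing garbage.
INSERT INTO mkek (mkek_id, tenant_id, key_algorithm_id, key_status_id,
                  key_location_id, key_value, display_name)
VALUES (:'mkek_id', :'tenant_id', 1, 2, 1,
        DECODE(:'mkek_b64', 'base64'), 'Example MKEK');

-- Step 4: the KEK for the KACLS module. The most recently created key is the
-- active one for this tenant/module pair.
INSERT INTO key (key_id, tenant_id, module_id, display_name, key_status_id,
                 key_algorithm_id, key_usage)
VALUES (:'key_id', :'tenant_id', 1, 'Example KEK', 2, 1, 1);

-- Sanity check before committing: the stored MKEK length in bytes and the KEK
-- joined to its module row. A wrong mkek_bytes value (e.g. the base64 encoded a
-- hex string rather than raw bytes) is visible here, before anything is committed.
SELECT m.mkek_id,
       octet_length(m.key_value) AS mkek_bytes,
       k.key_id,
       k.module_id
FROM mkek m
JOIN key k USING (tenant_id)
JOIN module mo ON mo.tenant_id = k.tenant_id AND mo.module_id = k.module_id
WHERE m.tenant_id = :'tenant_id';

COMMIT;
```

psql performs the variable substitution client-side, so the server still receives the base64 MKEK as a string literal inside the INSERT. If the PostgreSQL instance has statement logging enabled (log_statement = 'all' or 'mod', or an auditing extension) the key value will be written to the server log; disable such logging for this session, or accept that the log must be protected like the key itself, before running the script.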