Migrating an external key service to another

If you have an external third-party key service (also known as a KACLS) and you want to replace it with the KACLS, follow the Google migration procedure. During this procedure, you will be able to retrieve all your old encrypted data and re-encrypt it to the KACLS.

Before launching the migration, you must choose a backup key service to which old data will also be encrypted. Google will launch two parallel migrations: encrypted data will be migrated to the KACLS and to the backup key service.

The KACLS must be configured before migration is enabled in the Google Admin interface.

  1. Generate a pair of RSA keys without password in PEM format with the tool of your choice. For example with OpenSSL and the following commands:

    openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:4096

    openssl rsa -pubout -in private_key.pem -out public_key.pem

  2. Encode the generated private key in base64 with the following command:
    openssl base64 -A -in private_key.pem -out private_key_base64.txt

  3. Fill in the "migration" section in the config.json file:

    • In the "format" field, specify the PEM key format,

    • In the "key" field, enter the private key generated in base64,

    • In the "kacls_urls" field, add all the key services with which the Stormshield KMaaS must communicate, including the backup key service.

      Copy 
      "migration": {
          "enabled": true,
          "kaclstokacls_token": {
              "kid": "key_identifier",
              "format": "pem",
              "key": "a_private_key",
              "duration": 3600
          },
          "acls": {
              "kacls_urls": ["https://kacls_1", "https://kacls_2"]
          }
         }

      For more information, refer to Configuring the KACLS, in particular the section on Migration.

  4. In the config.json file, fill in the authorization section with information on the migration, as shown in authorization parameters.

  1. In the Google Workspace administration console, add the KACLS as a new key service
  2. Select an operational backup key service as well, to which old data will also be encrypted. This backup key service can be the one that you wish to replace.

For more information, refer to the Google documentation.

  1. In the Google Workspace administration console, select the KACLS key service.

  2. Enable key service migration.
    Google will launch the migration. Refer to the corresponding logs in the KACLS. See sections rewrap action and privilegedunwrap action in the Log Guide.

For more information, refer to the Google documentation.

The diagram below shows the various stages of the migration to the KACLS and to the backup key service. In this diagram, the term 'KACLS' refers to a key service.

 

Key service migration diagram

NOTE
The tokens generated by the KACLS and provided to another KACLS in the Privileged Unwrap request are signed using the RS256 algorithm.

The backup key service guarantees access to content if an issue arises with the main key service. It is mandatory in a migration, but you can also use it to test a new key service, for example. In this case, encrypting data to the backup key service is still considered a migration, and you must configure the KACLS accordingly:

  • Fill in the "migration" section in the config.json file. In the "kacls_urls" field, add the backup key service.

Copy 

"migration": {
    "enabled": true,
    "kaclstokacls_token": {
        "kid": "key_identifier",
        "format": "pem",
        "key": "a_private_key",
        "duration": 3600
    },
    "acls": {
        "kacls_urls": ["https://backup_kacls"]
    }
   }