Gemalto CSEK Скачать руководство пользователя страница 7 | Manualshive

Страница: 7 / 25

background image

1

– Introduction

Google Cloud Platform Integration Guide

7

1

Introduction

Overview

This integration guide describes how to store the Customer Supplied Encryption Key (CSEK) on a SafeNet Luna
HSM partition. By default, Google Compute Engine uses encryption keys stored in the cloud to encrypt all data
at rest and manages this encryption for you without any additional actions on your part. Keeping the encryption
keys in the cloud, however, may not be in compliance with security standards. To avoid this issue, you can
control and manage this encryption yourself, by providing your own encryption keys.

If you provide your own encryption keys, Compute Engine uses your key to encrypt, and therefore protect the
Google-generated keys used to encrypt and decrypt your data. Only users who can provide the correct
encryption key can use resources protected by a customer-supplied encryption key.

Google does not store your encryption keys on their servers and cannot access your protected data unless you
provide the key. If you forget or lose your encryption key, there is no way for Google to recover the key or to
recover any data encrypted with the lost key. In this guide, we will cover the installation and configuration of
Google Cloud Platform on Windows Server 2012 R2 using SafeNet Luna HSM.

The benefits of using SafeNet Luna HSM with the Google Cloud Platform are:



Secure storage of the CSEK Keys



FIPS 140-2 level 3 validated hardware



Full life cycle management of the keys

Understanding the Customer Supplied Encryption Key

Server-side encryption refers to encryption that occurs after Cloud Storage receives your data, but before the
data is written to disk and stored.

As an alternative to a Google-managed server-side encryption key, you can choose to provide your own AES-
256 key, encoded in standard Base64. This key is known as a customer-supplied encryption key (CSEK). If you
provide a CSEK, Cloud Storage does not permanently store your key on Google's servers or otherwise manage
your key. Instead, you provide your key for each Cloud Storage operation, and your key is purged from Google's
servers after the operation is complete. Cloud Storage stores only a cryptographic hash of the key so that future
requests can be validated against the hash. Your key cannot be recovered from this hash, and the hash cannot
be used to decrypt your data.

Customer-supplied encryption keys can apply to operations on an object that read or write data. Operations
such as deleting or listing objects can be performed without providing the encryption key.

«
...
5
6
7
8
9
...
»

Содержание CSEK

Страница 1: ...Google Cloud Platform Customer Supplied Encryption Key CSEK Beta Integration Guide ...

Страница 2: ...l implied warranties of merchantability fitness for a particular purpose title and non infringement In no event shall Gemalto be liable whether in contract tort or otherwise for any indirect special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use data profits revenues or customers arising out of or in connection with the use or per...

Страница 3: ...mer Supplied Encryption Key 7 3rd Party Application Details 8 Supported Platforms 8 Library and Driver Support 8 Google Cloud Platform Setup 8 Prerequisites 9 SafeNet Luna Network HSM Setup 9 2 Integrating Google Cloud Platform with SafeNet Luna HSM 10 Setting up SafeNet Luna HSM with Google Cloud 10 Before You Begin 10 Generating the CSEK for Google Cloud 10 Creating the Encrypted VM using CSEK 1...

Страница 4: ...eNet Luna HSM NOTE CSEK feature provided by google cloud is in Beta and this feature is subject to change so customers should proceed with caution when implementing CSEK in production Document Conventions This section provides information on the conventions used in this template Notes Notes are used to alert you to important or helpful information These elements use the following format NOTE Take ...

Страница 5: ...following Command line commands and options Type dir p Button names Click Save As Check box and radio button names Select the Print Duplex check box Window titles On the Protect Document window click Yes Field names User Name Enter the name of the user Menu names On the File menu click Save Click Menu Go To Folders User input In the Date box type April 1 italic The italic attribute is used for emp...

Страница 6: ...ennium Drive Belcamp Maryland 21017 USA Phone US 1 800 545 6608 International 1 410 931 7520 Technical Support Customer Portal https supportportal gemalto com Existing customers with a Technical Support Customer Portal account can log in to manage incidents get the latest software upgrades and access the Gemalto Knowledge Base ...

Страница 7: ...ll cover the installation and configuration of Google Cloud Platform on Windows Server 2012 R2 using SafeNet Luna HSM The benefits of using SafeNet Luna HSM with the Google Cloud Platform are Secure storage of the CSEK Keys FIPS 140 2 level 3 validated hardware Full life cycle management of the keys Understanding the Customer Supplied Encryption Key Server side encryption refers to encryption that...

Страница 8: ...loud SDK on the system you are working on The Google Cloud SDK provides a set of tools for Cloud Platform It contains gcloud gsutil and bq which you can use to access Google Compute Engine Google Cloud Storage Google BigQuery and other products and services you can access from the command line You can run these tools interactively or in your automated scripts The URL for downloading and setting up...

Страница 9: ...password A hostname suitable for your network Network parameters set to work with your network Initialize the HSM on the SafeNet Luna Network HSM appliance to create an HSM SO cloning domain and label Create a partition on the HSM and remember the partition password as it will be used by Client to access the partition Use VTL to create exchange and register certificates between the SafeNet Luna Ne...

Страница 10: ...ing the CSEK for Google Cloud After creating the NTLS connection with HSM partition download and import the Google Public Key on the HSM partition which will be use to wrap the generated AES256 key To use the CSEK for Google Cloud with SafeNet Luna HSM follow the steps below 1 Download the public certificate maintained by Google Compute Engine from https cloud certs storage googleapis com google c...

Страница 11: ...a60e0ea3bca01019809738546459b6ef92bdf7d4ea363be08808bfa52cc0252e973b7b1adf8eb36588d9a63e 25e0e3f94f6c6598f5e817f8a06c23bd8c0796f98f0dd5567a2d1bcf43e9dd3f6d99c8bfe488915cd63515ac19bd22dcd319 23b8e19e00efbb8381ad5e01690883ff629a9fad634aa6966867447c28424643535734f122c0e29e8857736cb20c0a68df0a c0ce77283c70ea40e8d0835f4be62630d67ca0783c149e50dc4c51e787c3d7f5859e03927b1a7336d1af64631aa029c848cb a6128f27...

Страница 12: ...45 Select type of key to generate 1 DES 2 DES2 3 DES3 5 CAST3 6 Generic 7 RSA 8 DSA 9 DH 10 CAST5 11 RC2 12 RC4 13 RC5 14 SSL3 15 ECDSA 16 AES 17 SEED 18 KCDSA 1024 19 KCDSA 2048 20 DSA Domain Param 21 KCDSA Domain Param 22 RSA X9 31 23 DH X9 42 24 ARIA 25 DH PKCS Domain Param 26 RSA 186 3 Aux Primes 27 RSA 186 3 Primes 28 DH X9 42 Domain Param 29 ECDSA with Extra Bits 16 Enter Key Length in bytes...

Страница 13: ...ta 0 for none 0 Enter handle of wrapping key 0 to list available objects 718 Enter handle of key to wrap 0 to list available objects 715 Wrapped key was saved in file wrapped key Where 718 and 715 is the handle of Google Public Key and AES256 key respectively NOTE wrapped key is the output file that contains the wrapped AES key 10 Exit from ckdemo session now by providing the choice as 0 Enter you...

Страница 14: ...SEK Creating an encrypted disk or VM is pretty easy This guide demonstrated creation of encrypted VM using console and gcloud tool provided by google Using Google Console 1 Log on to the Google Cloud Console using the below URL by providing your Google credentials https console cloud google com 2 Click Compute Engine Disks Create disk ...

Страница 15: ...ype Source Image OS that need to be installed and Size GB Select Encryption as Customer Supplied and enter the key in text box provided Copy the contents of rsawrapencodedkey txt and paste it Select the Wrapped key and after providing all the details click Create It creates the disk encrypted by customer supplied key and it can be used to create the VM instance on cloud 4 Click VM Instances Create...

Страница 16: ...on click Change and then click Existing disk It displays the disk created in the previous steps using CSEK Encryption When disk is selected it prompts to enter the key Provide the same key which you have used to encrypt the disk and select the Wrapped key checkbox Click Select 6 Select Allow HTTP traffic and Allow HTTPS traffic in the Firewall section and click Create ...

Страница 17: ... Line Tool Gcloud is the part of google cloud SDK and it provides various commands to perform operations on google cloud You can use this tool to create encrypted disk or VM using CSEK and start stop the VM when needed as well as other operations like creating snapshots from encrypted disk 1 When you use the gcloud compute command line tool to set your keys you provide encoded keys using a key fil...

Страница 18: ...p0nOBdteJtTX7XzEI1OGv ORv4AGqxEPQGgRHqQB8J k1afmbGKpw8L1lel0YmkeX5cdjer 5qS2lXdTc0BjdkDF2UsLQYNJS2H3 lIv7 Uk5zH3waKd3YzuQhRt7hEwOM2QS9oE 8LiW1v0iaM8Yq2e XA8MivGNTdra ZA 29QIVUJ0WZXyNGK8YyxYV5oYNWR shVQ key type rsa encrypted Where example disk is the name of disk to be created Replace zinc window 164420 and us central1 c with your project and zone respectively 2 Create an encrypted disk using CSEK...

Страница 19: ...sk gcloud beta compute instances create example instance disk name example disk boot yes csek key file example file json VM instance is created using encrypted disk now you can connect your VM using SSH using the methods provided in Appendix 4 You can stop the VM instance using the command below gcloud beta compute instances stop example instance ...

Страница 20: ...loud documentation This completes the demonstration of generating the AES256 key on HSM and encrypting the disk using that key on Google Cloud Each time any read write operation is performed on encrypted disk it prompts for the encryption key and you need to provide the base64 encoded wrapped key Google keep the supplied CSEK till operation completed for example VM is restarted or snapshot of the ...

Страница 21: ...ocumentation however below is the method to connect Linux instance using SSH is provided for your reference 1 To connect the instances using the gcloud open the Google Cloud SDK Shell and run the gcloud compute command as follows gcloud compute project zinc window 164420 ssh zone us central1 b instance 1 It connects you to the instance using SSH ...

Страница 22: ...le that you downloaded A window opens where you can configure your key generation settings 4 Select the default parameters and click Generate to generate a new key pair When the key generation process is complete the tool displays your public key value 5 In the Key comment section enter your Google username The key should have the following structure ssh rsa KEY_VALUE USERNAME Where KEY_VALUE is t...

Страница 23: ...public key value from the PuTTYgen tool and paste that value as a new item in the list of SSH keys on the Metadata page The public key value is available at the top of the PuTTYgen screen 11 At the bottom of the SSH Keys page click Save to save your new project wide SSH key ...

Страница 24: ... instance that you want to connect in the Host Name field Your username is the Google username that you use to access your project 13 On the left side of the PuTTY window navigate to Connection SSH Auth 14 Set the Private key file for authentication field with the path to your private key file For this example specify the path to the my ssh key ppk file ...

Страница 25: ...3 Appendix Google Cloud Platform Integration Guide 25 15 Click Open to connect with your instance If the connection is successful you can use the terminal to run commands on your instance ...

Отзывы:

Нет отзывов

Похожие инструкции для CSEK

Freedom SW 2000

Бренд: Xantrex Страницы: 36

CrossPower C4L5200-ETH

Бренд: C4Line Страницы: 26

QuattroPlus 1400557

Бренд: Mobeli Страницы: 4

Бренд: NEC Страницы: 7

Бренд: Oakton Страницы: 9

Бренд: Renkforce Страницы: 7

Бренд: Edimax Страницы: 14

Бренд: CC&C Страницы: 30

Бренд: LSI Страницы: 46

Бренд: Ovislink Страницы: 13

Бренд: YOKOGAWA Страницы: 2

Dual Port 25 Gb

Бренд: Oracle Страницы: 88

Бренд: Digital Equipment Страницы: 74

Бренд: Goobay Страницы: 10

Бренд: NETGEAR Страницы: 2

Бренд: Hama Страницы: 7

PCIe to ExpressCard Adapter

Бренд: SIIG Страницы: 8

Бренд: Mitsubishi Electric Страницы: 3

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды