Apigee and Cloud KMS for FIPS 140-2 compliant cryptography

Apigee Edge has supported encrypted key value maps (KVMs) for a long time. As documented in the Apigee docs, values are encrypted using a symmetric AES-128 cipher key that is controlled by Apigee. Creating encrypted KVMs in Apigee is very simple and a proven solution in many production scenarios.

Some customers face additional requirements, which might include the need for one or more of the following:

  • FIPS 140-2 compliant cryptography standards (up to Level 3)
  • Centralized key management
  • Periodic key rotations
  • HSM backed key management
  • External key management using specialized infrastructure

Any of the points above can be addressed by adding Cloud KMS as an external key management solution. Cloud KMS is a Key Management Service in Google Cloud that allows customers to create, import, and manage cryptographic keys and provides SDKs for multiple programming languages and APIs to perform cryptographic operations. More information about Cloud KMS can be found in the official documentation.

Practical Example of Apigee with Cloud KMS

Cloud KMS can be leveraged from Apigee for multiple cryptographic operations. These include encrypting and decrypting values for transmission or storage, or handling encrypted or signed JWT tokens. For the purpose of this short demonstration we will focus on a use case where we have encrypted data in a KVM and want to govern the decryption using Cloud KMS. Following the envelope encryption pattern, the data is encrypted using a data encryption key (DEK) and stored together with the encrypted DEK in a standard Apigee KVM. The DEK itself is encrypted (wrapped) by a key held in Cloud KMS, so it must be decrypted by Cloud KMS before it can be used. In addition to the encrypted data, Apigee also holds a valid GCP service account key that authorizes it to perform the necessary cryptographic operations (decrypt) via the Cloud KMS API.

In the first step, Apigee fetches the encrypted data and the encrypted DEK from the Apigee KVM. Since the DEK is encrypted, the data cannot yet be read.

Apigee needs to use the Google authentication extension or call the respective GCP API to exchange the service account key for an access token.

Once the access token is available, a service callout can be used to call the Cloud KMS API to decrypt the encrypted DEK.

The last remaining step is to use the DEK to decrypt the encrypted data.

Summary

Using Cloud KMS to manage cryptography within Apigee provides the following key benefits:

  • FIPS 140-2 compliant (Depending on protection level: Level 1 for Software, Level 3 for HSM)
  • Centralized key management
  • Possibility to perform key rotations
  • Control over key ownership
Comments
dchiesa1
Staff

Whoo! Daniel, this is great stuff.

I've often used the Service Account credentials JSON to populate a request to get an access_token. That works great.

Delegating signatures and encryption to the KMS seems like it will be an attractive idea for some companies. The Service Account Key becomes the root of the trust, then.

Version history
Last update: 09-17-2020 08:28 AM