cloud_integration_tool

cloud_integration_tool creates a key in a Security World (or selects an existing one). The key is wrapped inside the Security World under the cloud service provider's RSA wrapping key, and only the wrapped form is exported for use outside the Security World; the plaintext key material never leaves the HSM.

Run cloud_integration_tool

To run cloud_integration_tool on Windows:

"%NFAST_HOME%\python3\python.exe" -m cloud_integration_tool

or directly from its script:

"%NFAST_HOME%\python3\Scripts\cloud_integration_tool.exe"

To run cloud_integration_tool on Linux:

/opt/nfast/python3/bin/python3 -m cloud_integration_tool

or directly from its script:

/opt/nfast/python3/bin/cloud_integration_tool

Usage and options

usage: cloud_integration_tool [-h] [--version] [-m MODULE] [-O CARDSET | -S SOFTCARD | -M] [-a AZUREKEK] [-k KEYTYPE] [-w WRAPALG] PROVIDER KEYNAME WRAPKEY

cloud_integration_tool requires at least three parameters to be specified:

PROVIDER

The name of the provider.

KEYNAME

The name of the Security World key.

An existing key can be specified. It must have appname simple and ident KEYNAME. If no key with that ident can be found, cloud_integration_tool creates one, using the protection method given by --module-protection, --softcard or --cardset.

WRAPKEY

The path to the cloud service provider’s wrapping key file.

The following optional arguments can also be specified:

--module NUM

Module number of the HSM that will perform the wrapping (default 1).

--module-protection

Use module protection when generating a new key (default).

--softcard NAME

Name of softcard to use when generating a new key.

--cardset NAME

Name of OCS to use when generating a new key.

--wrap-alg NAME

The wrapping algorithm to be used.

--key-type NAME

The target key type.

--azure-kek URL

The full URL key identifier of the Microsoft Key Exchange Key.

Wrapping algorithm

Each provider supports one or more wrapping algorithms. The supported values and defaults are listed in the table below. An error message will be printed if the algorithm is not supported by the specified provider or incompatible with the specified key type.

Provider name                  Supported wrapping algorithms
AWS                            RSA_AES_KEY_WRAP_SHA_256
                               RSA_AES_KEY_WRAP_SHA_1
                               RSAES_OAEP_SHA_256 (default)
                               RSAES_OAEP_SHA_1
Google Cloud Key Management    RSAES_OAEP_SHA_256 (default)
                               RSAES_OAEP_SHA_1
Google Compute Engine          RSAES_OAEP_SHA_256 (default)
                               RSAES_OAEP_SHA_1
Microsoft Azure                RSAES_OAEP_SHA_1 (default)
                               --wrap-alg must be omitted for this provider
Salesforce                     RSAES_OAEP_SHA_256 (default)
                               RSAES_OAEP_SHA_1
                               RSAES_PKCS1_V1_5

Key type

Each provider supports one or more key types. The supported values and defaults are listed in the table below. An error message will be printed if the type is not supported by the specified provider or incompatible with the specified wrapping algorithm.

Provider name                  Supported key types
AWS                            AES-256 (default)
                               RSA-2048
                               RSA-3072
                               RSA-4096
                               EC-NISTP256
                               EC-NISTP384
                               EC-NISTP521
                               EC-SECP256K1
Google Cloud Key Management    RSA-2048 (default)
                               RSA-3072
                               RSA-4096
                               EC-NISTP256
                               EC-NISTP384
                               AES-256
Google Compute Engine          AES-256 (default)
                               --key-type must be omitted for this provider
Microsoft Azure                RSA-2048 (default)
                               RSA-3072
                               RSA-4096
                               EC-NISTP256
                               EC-NISTP384
                               EC-NISTP521
                               EC-SECP256K1
Salesforce                     AES-256 (default)
                               --key-type must be omitted for this provider

Microsoft Key Exchange Key

For Microsoft Azure, the full URL key identifier of the Key Exchange Key (the wrapping key) must be specified with --azure-kek. The format is https://<container-name>.<container-type>.azure.net/keys/<key-name>/<key-version>, where <container-type> is either vault or managedhsm. For example, https://myvault.vault.azure.net/keys/my-key/version.
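As an added pre-flight check, not part of cloud_integration_tool or its documentation: the script below encodes the provider, wrapping-algorithm and key-type rules from the two tables above and the Azure KEK URL format, rejects combinations the tool would refuse (such as --wrap-alg for Microsoft Azure, --key-type for Salesforce, or two protection options at once), and assembles the argv to run. It assumes the Linux launcher path, that PROVIDER is spelled exactly as in the table headings (the tool's accepted spelling may differ), and that the name components of the Azure URL are alphanumeric with hyphens; run() needs an nShield installation with the Security World present.

```python
import re
import subprocess
from typing import List, Optional

# Linux launcher from the page; on Windows use "%NFAST_HOME%\python3\python.exe".
LAUNCHER = ["/opt/nfast/python3/bin/python3", "-m", "cloud_integration_tool"]

# provider -> (wrap algs, --wrap-alg allowed, key types, --key-type allowed),
# transcribed from the tables. Using the headings as the PROVIDER string is
# an assumption of this example.
PROVIDERS = {
    "AWS": (["RSA_AES_KEY_WRAP_SHA_256", "RSA_AES_KEY_WRAP_SHA_1",
             "RSAES_OAEP_SHA_256", "RSAES_OAEP_SHA_1"], True,
            ["AES-256", "RSA-2048", "RSA-3072", "RSA-4096",
             "EC-NISTP256", "EC-NISTP384", "EC-NISTP521", "EC-SECP256K1"], True),
    "Google Cloud Key Management": (["RSAES_OAEP_SHA_256", "RSAES_OAEP_SHA_1"], True,
            ["RSA-2048", "RSA-3072", "RSA-4096", "EC-NISTP256", "EC-NISTP384", "AES-256"], True),
    "Google Compute Engine": (["RSAES_OAEP_SHA_256", "RSAES_OAEP_SHA_1"], True,
            ["AES-256"], False),
    "Microsoft Azure": (["RSAES_OAEP_SHA_1"], False,
            ["RSA-2048", "RSA-3072", "RSA-4096", "EC-NISTP256",
             "EC-NISTP384", "EC-NISTP521", "EC-SECP256K1"], True),
    "Salesforce": (["RSAES_OAEP_SHA_256", "RSAES_OAEP_SHA_1", "RSAES_PKCS1_V1_5"], True,
            ["AES-256"], False),
}

# https://<container-name>.<container-type>.azure.net/keys/<key-name>/<key-version>
# The character classes for the name components are an assumption.
AZURE_KEK_RE = re.compile(
    r"^https://[A-Za-z0-9-]+\.(vault|managedhsm)\.azure\.net/keys/[A-Za-z0-9-]+/[A-Za-z0-9]+$"
)


def valid_azure_kek(url: str) -> bool:
    """True if url has the key identifier shape the page requires for --azure-kek."""
    return AZURE_KEK_RE.match(url) is not None


def check_invocation(provider: str, cardset: Optional[str] = None,
                     softcard: Optional[str] = None, module_protection: bool = False,
                     wrap_alg: Optional[str] = None, key_type: Optional[str] = None,
                     azure_kek: Optional[str] = None) -> Optional[str]:
    """Return an error message for a combination the page rules out, else None."""
    if provider not in PROVIDERS:
        return f"unknown provider {provider!r}"
    wrap_algs, wrap_alg_ok, key_types, key_type_ok = PROVIDERS[provider]
    # usage line: [-O CARDSET | -S SOFTCARD | -M] are mutually exclusive
    if (cardset is not None) + (softcard is not None) + module_protection > 1:
        return "--cardset, --softcard and --module-protection are mutually exclusive"
    if wrap_alg is not None:
        if not wrap_alg_ok:
            return f"--wrap-alg must be omitted for {provider}"
        if wrap_alg not in wrap_algs:
            return f"{wrap_alg} is not a supported wrapping algorithm for {provider}"
    if key_type is not None:
        if not key_type_ok:
            return f"--key-type must be omitted for {provider}"
        if key_type not in key_types:
            return f"{key_type} is not a supported key type for {provider}"
    if provider == "Microsoft Azure":
        if azure_kek is None:
            return "--azure-kek is required for Microsoft Azure"
        if not valid_azure_kek(azure_kek):
            return f"--azure-kek {azure_kek!r} does not match the required URL format"
    elif azure_kek is not None:
        # The page defines --azure-kek only for Azure; refusing it elsewhere is this example's choice.
        return f"--azure-kek is only meaningful for Microsoft Azure, not {provider}"
    return None


def build_argv(provider: str, keyname: str, wrapkey: str, module: int = 1,
               cardset: Optional[str] = None, softcard: Optional[str] = None,
               module_protection: bool = False, wrap_alg: Optional[str] = None,
               key_type: Optional[str] = None, azure_kek: Optional[str] = None) -> List[str]:
    """Validate the options and return the full command line (long option names)."""
    err = check_invocation(provider, cardset, softcard, module_protection,
                           wrap_alg, key_type, azure_kek)
    if err:
        raise ValueError(err)
    argv = LAUNCHER + ["--module", str(module)]
    if cardset is not None:
        argv += ["--cardset", cardset]
    if softcard is not None:
        argv += ["--softcard", softcard]
    if module_protection:
        argv.append("--module-protection")
    if wrap_alg is not None:
        argv += ["--wrap-alg", wrap_alg]
    if key_type is not None:
        argv += ["--key-type", key_type]
    if azure_kek is not None:
        argv += ["--azure-kek", azure_kek]
    return argv + [provider, keyname, wrapkey]


def run(argv: List[str]) -> int:
    """Execute the assembled command; requires an nShield install and a Security World."""
    return subprocess.run(argv, check=False).returncode
```

The check rejects the invocation before the HSM is touched, so a mis-typed algorithm or a missing Key Exchange Key URL is caught without creating a stray key in the Security World; note that the tool creates KEYNAME if it does not already exist, so a failed run after key generation leaves that key behind.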