cloud_integration_tool

cloud_integration_tool creates a key in a Security World. This key is first wrapped by a wrapping key and only then exported for use outside of the Security World.

cloud_integration_tool requires at least three parameters to be specified:

provider

The name of the provider.

keyName

The name of the Security World key. An existing key can be specified, provided it was originally created by cloud_integration_tool.

wrapKey

The name of the cloud service provider’s wrapping key.

For AWS, Google Cloud Key Management (Google KMS), Google Compute Engine and Salesforce, the following parameter must also be specified:

wrapAlg

The wrapping algorithm.

For Microsoft Azure, the following parameter must also be specified:

--azure-kek

The key identifier of the Microsoft Key Exchange Key.

If the Security World contains multiple HSMs, you can optionally specify which HSM to use.

For AWS, Google Compute Engine and Salesforce, the generated key is a 256-bit AES key. For Microsoft Azure and Google Cloud Key Management (Google KMS), you can choose from a list of available key types using a command line argument.

Run cloud_integration_tool

To run cloud_integration_tool on Windows:

"%NFAST_HOME%\python\python.exe" -m cloud_integration_tool

To run cloud_integration_tool on Linux:

/opt/nfast/python/bin/python -m cloud_integration_tool

Usage and options

usage: cloud_integration_tool.py [-h] [--version] [-m MODULE] [-O CARDSET | -S SOFTCARD | -M] [-a AZUREKEK] [-k KEYTYPE] provider keyName wrapKey [wrapAlg]

Help

Export a key from a Security World to be used outside, by a provider.

If the key does not exist, a new one is generated. By default, the key is module protected.

positional arguments:

provider    The provider for which to export the key.
            One of ['aws', 'google-compute-engine',
            'google-cloud-key-management', 'microsoft-azure', 'salesforce']
keyName     The name of the key to export/generate
wrapKey     The filename of the key to use for wrapping (DER encoded)
wrapAlg     The wrapping algorithm (required for aws, google-compute-engine,
            google-cloud-key-management or salesforce).
            For aws, google-compute-engine, or salesforce :
            One of ['RSAES_OAEP_SHA_256', 'RSAES_OAEP_SHA_1', 'RSAES_PKCS1_V1_5']
            For google-cloud-key-management :
            One of ['RSAES_OAEP_SHA_256', 'RSAES_OAEP_SHA_1']
optional arguments:

-h, --help                      show this help message and exit
--version                       show program's version number and exit
-m MODULE, --module MODULE      Specify a module to use
-O CARDSET, --ocs CARDSET       Select OCS protection
-S SOFTCARD, --softcard SOFTCARD
                                Select softcard protection
-M, --module-protection         Select module protection (default)
Microsoft Azure:

-a AZUREKEK, --azure-kek AZUREKEK   The full URL key identifier of the Microsoft Azure wrapping key.
                                    The format should be: https://<container-name>.<container-type>.azure.net/keys/<key-name>/<key-version> where <container-type> is either 'vault' or 'managedhsm'
                                    For example, https://myvault.vault.azure.net/keys/my-key/version
Microsoft Azure and Google KMS:

-k KEYTYPE, --key-type KEYTYPE      The type of the target key.
                                    One of ['AES-256', 'EC-NISTP256', 'EC-NISTP384', 'EC-NISTP521', 'EC-SECP256K1', 'RSA-2048', 'RSA-3072', 'RSA-4096']. Will default to RSA-2048 if not supplied.

The key type option lists the key types for both Microsoft Azure and Google KMS together, because the two providers share several types. An error message is printed if the requested type is not supported by the specified provider.

Microsoft Azure supports: 'RSA-2048', 'RSA-3072', 'RSA-4096', 'EC-NISTP256', 'EC-NISTP384', 'EC-NISTP521', 'EC-SECP256K1'

Google Cloud Key Management supports: 'RSA-2048', 'RSA-3072', 'RSA-4096', 'EC-NISTP256', 'EC-NISTP384', 'AES-256'

The wrapAlg argument lists the wrapping algorithms for AWS, Google Compute Engine, Salesforce, and Google KMS together, because these providers share several algorithms. An error message is printed if the requested algorithm is not supported by the specified provider.

AWS, Google Compute Engine, and Salesforce support: 'RSAES_OAEP_SHA_256', 'RSAES_OAEP_SHA_1', 'RSAES_PKCS1_V1_5'

Google Cloud Key Management supports: 'RSAES_OAEP_SHA_256', 'RSAES_OAEP_SHA_1'
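Before running the tool, it is worth checking that the file passed as wrapKey really is a DER-encoded RSA public key (a PEM file will not do) and that the chosen wrapAlg can carry a 256-bit AES key under that modulus. The following pre-flight check is an added example, not part of cloud_integration_tool or any provider SDK; it assumes the wrapping key is an RSA SubjectPublicKeyInfo and builds a constructed dummy modulus as its sample input.

```python
# Added pre-flight check, not part of cloud_integration_tool; RSA-OAEP/PKCS#1 limits per RFC 8017.
RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption
HASH_LEN = {"RSAES_OAEP_SHA_256": 32, "RSAES_OAEP_SHA_1": 20, "RSAES_PKCS1_V1_5": None}

def der_tlv(data, pos=0):  # -> (tag, value, next_pos) for the DER element at pos
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:                                # long form: low bits count the length bytes
        ln, pos = int.from_bytes(data[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, data[pos:pos + ln], pos + ln

def rsa_modulus_bits(spki):
    """Parse a DER SubjectPublicKeyInfo and return the RSA modulus size in bits."""
    if spki[:1] != b"\x30":                     # PEM starts with '-----BEGIN', not SEQUENCE
        raise ValueError("not DER: expected a SEQUENCE tag (is the file PEM encoded?)")
    _, body, end = der_tlv(spki)
    if end != len(spki):
        raise ValueError("trailing bytes after SubjectPublicKeyInfo")
    _, alg, pos = der_tlv(body)                 # AlgorithmIdentifier
    _, oid, _ = der_tlv(alg)                    # its OBJECT IDENTIFIER
    if oid != RSA_OID:
        raise ValueError("wrapping key is not an RSA key")
    _, bitstr, _ = der_tlv(body, pos)           # BIT STRING; byte 0 is the unused-bit count
    _, rsakey, _ = der_tlv(bitstr[1:])          # RSAPublicKey ::= SEQUENCE { n, e }
    _, n, _ = der_tlv(rsakey)                   # modulus INTEGER (may carry a leading 0x00)
    return int.from_bytes(n, "big").bit_length()

def max_wrappable_bytes(modulus_bits, wrap_alg):
    """Largest plaintext wrapAlg can encrypt under an RSA key of this size (RFC 8017)."""
    k, h = (modulus_bits + 7) // 8, HASH_LEN[wrap_alg]
    return k - 11 if h is None else k - 2 * h - 2   # PKCS#1 v1.5 vs OAEP overhead

def check_wrap_key(spki, wrap_alg, key_bytes=32):
    """Return (modulus_bits, ok): ok is True when a key_bytes-long key fits in one wrap."""
    bits = rsa_modulus_bits(spki)
    return bits, max_wrappable_bytes(bits, wrap_alg) >= key_bytes

def der(tag, value):  # minimal DER TLV encoder, used only to build the constructed sample
    ln = len(value)
    if ln < 0x80:
        return bytes([tag, ln]) + value
    lb = ln.to_bytes((ln.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def sample_spki(modulus_bits=2048):
    """Constructed sample SPKI with a dummy modulus; NOT a real provider wrapping key."""
    n = (1 << (modulus_bits - 1)) | 1             # high bit set, so prefix 0x00 in the INTEGER
    n_der = der(0x02, b"\x00" + n.to_bytes(modulus_bits // 8, "big"))
    rsakey = der(0x30, n_der + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + rsakey))
```

Run `check_wrap_key(open("wrapkey.der", "rb").read(), "RSAES_OAEP_SHA_256")` against the real wrapping key file before invoking the tool; a ValueError points at a PEM or non-RSA file.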