Release date: 6 May 2020
Import/Export of security objects by Components
SmartKey has added the ability to split a security object into separate components. This allows multiple different users to act as key custodians. No single user holds the full security object; all key custodians must combine their separate components to access it.
- Only AES, DES and DES3 security object types can be exported via components.
- To export a security object by components, the security object must belong to a group with a quorum policy.
- Permissions for exporting the security object must be enabled.
Exporting a security object into components
This operation will functionally split a security object into two or more components. The components can be held by different key custodians and recombined in order to use the security object. To export the security object, go to the security object and click on “Export Key Components”. This button can be found at the bottom of the security object details page.
Select the users that will receive the components. These users must be part of the quorum approval policy. Click on “Submit Export Request”.
Importing a security object from components
To combine the components into a usable security object, you will need to import the security object.
- Click on Add New Security Object, provide a name and group and then select the Import option.
- Tick “Import Key from Component”.
- You will need to list the key custodians. They will be contacted to provide the components of the security object.
- Fill in details of the security object (type, size, KCV, permitted operations, audit log).
- Key custodians will receive a notification to submit their key components.
- Once the correct components and KCVs are entered by the key custodians, the resulting security object will be created in SmartKey.
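The export and import steps above can be pictured with the following added example, which is not SmartKey code. It assumes XOR-based components and a KCV taken as the first 3 bytes of an all-zero block encrypted under AES-128; the release notes do not state which scheme SmartKey uses, and all function names and custodian names are hypothetical.

```python
import secrets
from functools import reduce

def gmul(a, b):  # multiply in GF(2^8) modulo the AES polynomial 0x11B
    r = 0
    for _ in range(8):
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def _sbox(x):  # AES S-box entry: field inverse (x^254), then the affine map
    inv = reduce(lambda acc, _: gmul(acc, x), range(254), 1)
    return reduce(lambda p, s: p ^ (((inv << s) | (inv >> (8 - s))) & 0xFF), range(5), 0x63)
SBOX = [_sbox(x) for x in range(256)]

def aes128_encrypt_block(key, block):
    w, rcon = list(key), 1
    for i in range(16, 176, 4):  # key schedule, one 4-byte word per step
        t = w[i - 4:i]
        if i % 16 == 0:
            t = [SBOX[b] ^ r for b, r in zip(t[1:] + t[:1], (rcon, 0, 0, 0))]
            rcon = gmul(rcon, 2)
        w += [a ^ b for a, b in zip(w[i - 16:i - 12], t)]
    s = [b ^ k for b, k in zip(block, w)]
    for rnd in range(1, 11):
        s = [SBOX[s[(i + 4 * (i % 4)) % 16]] for i in range(16)]  # SubBytes + ShiftRows
        if rnd < 10:  # MixColumns, skipped in the final round
            s = [gmul(s[c + r], 2) ^ gmul(s[c + (r + 1) % 4], 3) ^ s[c + (r + 2) % 4]
                 ^ s[c + (r + 3) % 4] for c in (0, 4, 8, 12) for r in range(4)]
        s = [b ^ k for b, k in zip(s, w[16 * rnd:])]
    return bytes(s)

def kcv(key):  # assumed convention: first 3 bytes of AES-128(key, zero block)
    return aes128_encrypt_block(key, bytes(16))[:3].hex().upper()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def export_components(key, custodians):  # one XOR share + its KCV per custodian
    parts = [secrets.token_bytes(len(key)) for _ in custodians[1:]]
    parts.append(reduce(xor, parts, key))
    return {c: (p, kcv(p)) for c, p in zip(custodians, parts)}

def import_components(submitted, expected_kcv):
    bad = [n for n, (p, c) in submitted.items() if kcv(p) != c]
    key = reduce(xor, (p for p, _ in submitted.values()))
    if bad or kcv(key) != expected_kcv:
        raise ValueError(f"KCV mismatch: {bad or 'combined key'}")
    return key
```

The per-component KCV catches a mistyped component at entry, while the KCV of the combined key confirms that every custodian contributed the right component.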
Enhancements to existing functions
Automatic Key Rotation Policy
SmartKey has added the ability to define an automatic key rotation policy for security objects. To set up the key rotation policy, go to the security object, select the Key Rotation tab, click Add Policy and enter the number of days between regular rotations of this key.
New Icons added for Groups
In the Groups listing page, you will see new icons to indicate whether a group is linked to an external HSM, whether it has Quorum Approval policies or Crypto policies enabled. You can mouse over the icons to find out what they mean.
Quality of Life improvements
- Added support for rotating virtual keys. Virtual Keys are security objects created by linking to external Hardware Security Modules (HSMs).
- HSTS (HTTP Strict-Transport-Security) policy has been added. HSTS lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP.
- Content Security Policy has been added. Content Security Policy is an added layer of security that helps to detect and mitigate certain types of attacks, like Cross Site Scripting and data injection attacks.
- SmartKey now supports opaque security object types in KMIP servers.
- Transient key operation counts are now logged in the Dashboard.
- Crypto policy related improvements and fixes:
  - If no security object types are selected, you will not be able to save the crypto policy.
  - Added option to select AES key size.
  - Account-level and group-level crypto policies will not conflict. Group-level crypto policies will take precedence over account-level.
  - Added a missing icon for certificate in Crypto Policy.