IRIS can use a KMS (Key Managment Service) as of release 2023.3. Intersystems documentation is a good resource on KMS implementation but does not go into details of the KMS set up on the system, nor provide an easily followable example of how one might set this up for basic testing.
The purpose of this article is to supplement the docs with a brief explanation of KMS, an example of its use in IRIS, and notes for setup of a testing system on AWS EC2 RedHat Linux system using the AWS KMS. It is assumed in this document that the reader/implementor already has access/knowledge to set up an AWS EC2 Linux system running IRIS (2023.3 or later), and that they have proper authority to access the AWS KMS and AWS IAM (for creating roles and polices), or that they will be able to get this access either on their own or via their organizations Security contact in charge of their AWS access.
What is KMS and what does it do for IRIS?:
KMS means Key Management Service. Briefly, it provides an external secure method of encrypting and decrypting IRIS encryption keys through a trusted service, the KMS.
In prior implementation, when using unattended startup, IRIS would never store unencrypted encryption keys; IRIS would encrypt a key with an encrypted copy of the key encryption key in that key itself. It would then store a user ID and password in IRIS to unencrypt the encrypted key encryption key. This leaves an unencrypted copy of the user ID and password stored in an IRIS database, which leaves extra burden on IRIS managers of securing that. The key encryption key is encrypted/decrypted by a symmetric key that is based on a key admin’s password using PBKDF2 (Password-Based Key Derivation Function 2). So the key that encrypts the key encryption key is never stored anywhere – it’s derived on the fly when a key admin supplies their password. Since there can be multiple admins for keys in a given key file we store in the key file one encrypted copy of the key encryption key (per admin) and then a single encrypted copy of each database/data element encryption key (encrypted with the key encryption key).
With KMS we do not store the id and password in IRIS. When we create the encryption key with KMS we get an encrypted encryption key, and the KMS keeps the key encryption key for us. We reach out to the kms server with the encrypted encryption key. the kms server decrypts the encryption key. The decrypted key is sent back to us and stored in memory. The communications are secured using TLS.
We don't ever have access to the raw key encryption key. We use it as a service via kms. The key encryption key stays on the kms server. This helps with key management and key security.
Current implementation (as of 1/22/2024) of KMS is Cloud Vendor Specific
In AWS you must specify creation of a symmetric key.
In Azure you must specify creation of an RSA key
Future implementation my include google KMS.
---
Example of workflow setting up new encryption key in IRIS using KMS:
The following assumes you have set up an IRIS system to access an AWS KMS server and your instance has been authorized to access the keys there and you have set up a key for use. (See Setup Notes following this example for an example of setting up KMS on AWS to connect with an AWS EC2 RedHat Linux instance.)
1.%SYS>D ^EncryptionKey
2.Create New Key
3.Name the key
4.Use KMS: yes
Here you specify properties of the key. Choose backup if you want a regular encryption key made to backup this KMS key. This is the only place you can do this. Treat this backup as you would a normal Encryption key.
5. Select AWS for the kms server
6. Get the key ID and the region from your AWS Key Managed Service console
7. Env Key ; you should not need to specify anything here if your system is set up correctly (per this article). See AWS docs for further details if necessary for your needs. Leave blank for the purpose of simplifying this for testing example.
8. You should receive a message like:
Encryption key file created: iriskmstest1
Encryption key created via KMS: 87A85627-9F8C-11EE-8839-0608ECAD1BAF
This key is NOT activated.
Key Activation and use are then usual encryption key setup steps.
If there are issues with the activation at startup it will error and go into interactive mode
For interactive startup if you pass in a kms key it will not prompt for username or password
If you put in the backup key (generated in step 14 above) then it will ask for the username and password you created at key creation time (just like normal key)
If there are issues you will see errors in your startup, or logged in messages.log if silent startup.
In general, your IRIS system does not need to be on AWS or other cloud system, it accesses the KMS for the key over TLS.
IRIS uses credentials of current user when accessing the KMS server, so you need to make sure that user has access to KMS
the AWS key policy defines who can use the key on AWS. See following setup notes for an example.
----
Setup Notes: Getting an AWS EC2 Linux system running IRIS to work with an AWS KMS:
(The following assumes you already have an AWS EC2 RedHat Linux system running an IRIS version that supports KMS)
To set up the AWS EC2 system to use the AWS KMS server:
Follow Setup instructions in following link to install the AWS CLI on your EC2 system: Install or update the latest version of the AWS CLI - AWS Command Line Interface (amazon.com)
There are instructions for different OS types. For the purpose of this instruction set I used an AWS RedHat Linux system. It was fairly strait forward to follow that doc to install the AWS CLI on the system.
I also had to use 'sudo yum install unzip' to install unzip on the system in order to follow the instructions which had me use unzip on the AWS client download zip file.
Here are the steps to create a key that could be used by an IRIS instance for encryption key encryption:
1. In AWS Mgmnt Console go to Key Management Service.
2. Click on Customer Managed Keys
3. Click on Create Key
5. Accept the Defaults
6. Enter an Alias; this is the name for the key
7.Key Admin Options: default policy
8. Click Finish
The IRIS instance will also need to be authorization to use the KMS key. This is done either by running the instance as a user who has authenticated to AWS and is authorized to use the key, specifying a credentials file with the AWS_SHARED_CREDENTIALS_FILE environment variable or by assigning to the EC2 itself an IAM role that either has a policy attached to it that allows key usage or that has an explicit allowance specified in the key policy itself.
For the purpose of this instruction set we are following the 3rd as ISC Development has suggested this would be the most commonly used by customers in AWS. In the following we will create an IAM role that can be assigned to the EC2 instance itself. The role can have a policy attached to it that gives it very targeted privileges to access a given key in the KMS (or even just allow specific operations with the key). We are only exploring the most simple process to give us something to use for testing...
Here are the steps for Authorizing an Instance of IRIS on an AWS EC2 system to use the key on the KMS server:
1.In AWS Managment Console go to Key Management Service
2. Under "Customer managed keys" click on the Key ID of the key you want to use.
3. In the "General configuration" section click the "Copy" icon next to the ARN to copy the ARN to the clipboard. Paste this value somewhere to use later in the policy configuration.
4. In AWS Mgmnt Console go to IAM.
5. Under "Access Management">"Policies" click "Create policy".
6. Under "Select a service" choose KMS from the drop-down list. Click "Next".
7. Under "Actions allowed" click on the "Write" access level expander. Check the "Decrypt" and "Encrypt" checkboxes.
8. Under "Resources" click on the "Add ARNs" link.
9. Paste the entire ARN from Step 3 above into the "Resource ARN" text field. Click "Add ARNs". Click "Next".
10. Under "Policy details" provide a policy name and, if desired, a policy description. Click "Create policy".
11. In IAM under "Access Management">"Roles" click "Create role".
12. Under "Trusted entity type" click "AWS service". Under "Use case" select EC2 from the drop-down list. Click "Next".
13. Under "Permissions policies" start typing the policy name from Step 10 until it appears in the list. Click the checkbox next to it. Click "Next".
14. Under "Role details" provide a role name. Click "Create role".
15. In AWS Mgmnt Console go to EC2. Navigate to "Instances">"Instances".
16. If EC2 instance already exists:
a. Click checkbox next to instance name.
b. Click "Actions">"Security">"Modify IAM role".
c. Choose the role from Step 15 from the drop-down list.
d. Click "Update IAM role".
16. If launching new EC2 instance:
a. Click "Launch instances".
b. Under "Advanced details" choose role from Step 15 in "IAM instance profile" drop-down list.
17.You can now use the kms key in ^EncryptionKey
Notes:
After creating policy/role you might need to refresh the Mgmt Console for these new resources to show up.
---
Supplemental:
Classes methods of interest:
%SYSTEM.Encryption.KMSCreatEncryptionKey()
%SYSTEM.Encryption.ActivateEncryptionKey() ;just supply the kms key, no need for username or password
do ReadFile^EncryptionKey(<key>,.data) zw data ;it will be obvious if the key is kms type from the data returned.
Doc link:
Key Management Tasks | InterSystems IRIS for Health 2023.3
.png)