eSEALS and key vaults
Securing eIDAS eSeal private keys for advanced eSeals with key vault solutions
In the iSHARE ecosystem, ensuring the authenticity and integrity of data exchange is paramount. A crucial component of this is the use of qualified or advanced electronic seals (eSeals) to sign JSON Web Tokens (JWTs). These eSeals rely on eIDAS-compliant certificates, and the secure management of their private keys is of utmost importance. This article explains how key vault solutions can be leveraged to create, store, and utilize these private keys effectively, enhancing security and enabling controlled access for IT providers.
The Importance of Secure Private Key Management for iSHARE eSeals
The private key associated with an eIDAS eSeal certificate is the cryptographic secret that allows an organization to create legally binding electronic seals. Compromising this key would undermine the trust and validity of all signed iSHARE JWTs. Therefore, robust security measures are essential to protect it throughout its lifecycle.
While advanced eSeals do not impose specific requirements on private key storage, qualified eSeals mandate that the key be held in a Qualified Signature/Seal Creation Device (QSCD), such as a USB token, a smartcard or a certified HSM. This article outlines how to raise the level of protection for private keys used with advanced eSeals.
Key Vaults: A Secure Haven for Private Keys
Key vault solutions are purpose-built services designed to securely store and manage cryptographic keys, secrets, and certificates. They provide a centralized and hardened platform with features like:
Hardware Security Modules (HSMs): Many key vaults offer the option to store private keys within tamper-proof HSMs, providing a high level of physical and logical security.
Access Control: Granular role-based access control (RBAC) allows organizations to define precisely who can access and perform operations on the stored keys and secrets.
Auditing and Logging: Comprehensive audit trails track all access attempts and operations performed within the key vault, providing transparency and accountability.
Lifecycle Management: Key vaults often offer features for managing the lifecycle of keys and certificates, including rotation, expiration, and renewal.
Integration with Services: They are designed to integrate seamlessly with various cloud services and applications, allowing for secure key usage without exposing the actual key material.
Popular Key Vault Solutions
Several well-established key vault solutions are available, catering to different infrastructure preferences:
HashiCorp Vault (open source): An open-source and multi-cloud secrets management tool that can be self-hosted or consumed as a managed service.
OVHcloud Key Vault (EU): OVHcloud's secure key management solution, providing HSM-backed key storage and management within their European cloud infrastructure.
Azure Key Vault (global): Microsoft's cloud-based key management service, offering secure storage for keys, secrets, and certificates with robust access control and integration with Azure services.
AWS Key Management Service (KMS) and AWS Secrets Manager (global): Amazon Web Services provides KMS for managing encryption keys and Secrets Manager for securely storing and retrieving secrets, including private keys.
Google Cloud Key Management Service (KMS) and Secret Manager (global): Google Cloud Platform offers KMS for cryptographic key management and Secret Manager for storing and managing sensitive data like private keys.
There are other solutions available.
Utilising Key Vaults for iSHARE eSeal Private Keys: A Step-by-Step Guide
Private Key Generation within the Key Vault: Instead of generating the private key locally, most key vault solutions offer the capability to generate the key pair directly within the secure environment of the vault. This ensures that the private key never leaves the protected boundary. You would typically initiate a key generation process specifying the desired key algorithm (RSA) and key size.
Certificate Signing Request (CSR) Generation: Once the key pair is generated, the key vault can often assist in creating a Certificate Signing Request (CSR). The CSR contains the public key and identifying information about the organization. This CSR is then securely transmitted to the chosen eIDAS-compliant Certificate Authority (CA).
Certificate Issuance and Storage: After verifying the organisation's identity, the CA will issue the eSeal certificate. This certificate, containing the organisation's public key and signed by the CA, can then be imported and associated with the corresponding private key within the key vault. Some key vaults allow direct import of the certificate, while others might require storing it as a separate secret and establishing the association through configuration.
Securely Signing iSHARE JWTs: The crucial aspect is that the private key should never be exported or shared directly from the key vault. Instead, applications and services that need to sign iSHARE JWTs should be configured to interact with the key vault's signing APIs. When a signing request is made, the application sends the data to be signed to the key vault. The key vault then performs the signing operation with the associated private key and returns the signature, so the application can assemble the signed JWT without the private key ever being revealed.
Enabling IT Providers with Controlled Access
This approach offers a significant advantage when working with external IT providers who need to sign iSHARE JWTs on behalf of an organization. Instead of granting the IT provider direct access to the sensitive private key, the organization can grant the provider's applications or services limited permissions within the key vault. These permissions would typically be restricted to performing signing operations using the specific private key associated with the eSeal certificate.
This ensures that the IT provider can fulfill their function without gaining full control over the organisation's private key, significantly reducing the risk of unauthorized access or misuse. The organisation retains full control over the key and can revoke access at any time.
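As an added illustration of the signing flow in the step-by-step guide and of the sign-only access granted to an IT provider (example code, not part of the iSHARE documentation or of any vendor's SDK), the Go program below uses a constructed in-process stand-in for a key vault; the principal name, the RSA key size and the sample claims are assumptions. Application code depends only on the Signer interface, sends a digest and receives a signature, while the access check and the private key stay inside the vault type.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// Signer is all the application depends on (digest in, signature out); an adapter over a real vault's sign API fits it.
type Signer interface {
	Sign(principal string, digest []byte) ([]byte, error)
}
// simVault is a constructed in-process stand-in for a key vault (example only); no method ever returns its key.
type simVault struct {
	key     *rsa.PrivateKey
	signers map[string]bool // principals granted sign-only access to the key
}
// NewSimVault generates the eSeal key inside the vault and grants one principal sign-only rights.
func NewSimVault(provider string) (*simVault, *rsa.PublicKey) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &simVault{k, map[string]bool{provider: true}}, &k.PublicKey // the public key is what goes into the CSR
}
// Sign is the access-control gate: the policy check runs inside the vault, next to the key.
func (v *simVault) Sign(principal string, digest []byte) ([]byte, error) {
	if !v.signers[principal] {
		return nil, errors.New("vault: " + principal + " may not sign with this key")
	}
	return rsa.SignPKCS1v15(rand.Reader, v.key, crypto.SHA256, digest)
}
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignJWT builds an RS256 compact JWS: only the SHA-256 digest of the signing input crosses into the vault, and only the signature comes back.
func SignJWT(s Signer, principal string, claims map[string]string) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	pl, _ := json.Marshal(claims) // a map of strings cannot fail to marshal
	input := b64(hdr) + "." + b64(pl)
	d := sha256.Sum256([]byte(input))
	sig, err := s.Sign(principal, d[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}
```

Swapping simVault for an adapter that calls the real vault's sign endpoint leaves SignJWT untouched, which is the integration point the guide describes.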
Benefits of Using Key Vaults for iSHARE eSeal Private Keys:
Enhanced Security: Private keys are protected within a hardened environment, often backed by HSMs.
Centralised Management: Provides a single point of control for managing eSeal keys and certificates.
Reduced Risk of Key Compromise: Prevents direct access to the private key, minimising the attack surface.
Granular Access Control: Allows precise control over who can perform specific operations.
Improved Auditability: Provides a clear record of all key access and usage.
Facilitates Secure Collaboration: Enables IT providers to perform signing operations without gaining full key access.
Compliance with Regulations: Helps organisations meet the stringent security requirements of eIDAS and iSHARE.
While key vaults offer significant security advantages, they also present certain challenges:
Expertise and Misconfigurations: Implementing and managing a key vault demands specific expertise, and misconfigurations can still lead to security vulnerabilities.
Single Point of Failure: Dependence on a key vault creates a single point of failure; if the vault becomes unavailable, services relying on it may be disrupted.
Cost: The cost of deploying and maintaining key vaults, especially those with HSMs, can be substantial.
Integration and Code Modifications: Integrating existing applications with key vaults often necessitates code modifications, which can be time-consuming.
Backup and Disaster Recovery: Organisations must ensure proper backup and disaster recovery strategies for their key vault data.
Conclusion
Leveraging key vault solutions is a best practice for securely managing the private keys of eIDAS eSeal certificates used for signing iSHARE JWTs. By generating and storing private keys within these secure environments and utilizing their signing capabilities, organizations can significantly enhance the security and integrity of their iSHARE transactions. Furthermore, this approach enables controlled access for IT providers, fostering collaboration while maintaining the crucial security of their private keys.