The phoenixNAP Encryption Management Platform simplifies encryption key management and ensures the highest level of data protection. Powered by Fortanix Self-Defending Key Management Service (SDKMS), it is a secure system for safeguarding encryption keys, secrets, and tokens.
Get acquainted with phoenixNAP’s EMP and learn how to create, manage, and maintain accounts and users.
phoenixNAP EMP Benefits
The main benefits of using the phoenixNAP Encryption Management Platform include:
- Centralized control in a single tool.
- Data security across multi-cloud infrastructures and multiple cloud providers.
- Full control over all keys.
- Easier app security implementation using RESTful APIs.
- Scaling dynamically and as needed.
- Lowering costs by using EMP on-demand.
- Integrated security for all data protection needs.
Account Provisioning and Overview
The platform has a centralized and intuitive web UI with role-based access control, single sign-on, and auditing integration with SIEM tools.
Create an Account
To create a new EMP account, fill out the phoenixNAP EMP Sign up form. The information provided creates the administrator user for the account.
- Provide an email address, first name, last name, and a strong password to protect the account.
- Click the SIGN UP button.
- A system administrator needs to approve the creation of a new account. Therefore, you need to submit an official request. Type in an account name and a reason for creating the account. Click SUBMIT REQUEST to complete.
Log in to Your Account
If you already have an existing phoenixNAP EMP account, navigate to the phoenixNAP EMP page.
- Type in your email address and click LOG IN.
- Provide the password for the given account and click LOG IN to move to the Fortanix dashboard.
Once you log in to your account, you will see the phoenixNAP EMP dashboard powered by Fortanix. It has an intuitive user interface that is easy to navigate.
The sidebar on the left lists all the features you can manage and configure.
A group is a collection of related security objects. Users and applications that are assigned to a specific group can create and access the security objects within it. This is managed by access policies set at the group level.
Groups can have an unlimited number of users and applications. Additionally, users and applications can belong to multiple groups. The user who created the group is assigned as the group administrator.
To create a new group:
- Navigate to the Groups menu option in the sidebar.
- If you don’t have any groups yet, click the CREATE NEW GROUP button. Alternatively, you can add a new group using the plus icon.
- Provide a title (which you can change later).
- Add a description for the group. This helps identify groups in your system.
- Add a LINK HSM/EXTERNAL KMS if needed and a quorum approval policy for additional security.
- SAVE to complete. The new group appears listed in the All Groups section.
To edit an existing group:
Hover over the name in the All Groups section. A light blue menu with five options appears on the right side of the row. It allows you to:
- Delete the group.
- Edit the group title.
- Add users to the group.
- Add applications to the group.
- Copy the UUID (Universally Unique Identifier).
Applications are services, daemons, and other non-human clients that use, generate, and store security objects. They interact with the EMP using REST APIs, PKCS#11, or CNG providers.
To add an application:
- Select Apps from the sidebar navigation.
- If you don’t have any apps yet, use the CREATE NEW APP button. Otherwise, click the plus sign to add a new app.
- Type in the app name and choose an interface (optional).
- You can also add a description and define the application type.
- Next, select the authentication method: API key, certificate, trusted CA, Google service account, JSON web token, or external directory.
- Decide whether you want to enable OAuth. By doing so, users can authorize the app to perform actions on their behalf.
- Finally, assign the app to a group and SAVE the configuration.
- Use the API key or certificate to authenticate the application.
Security objects are keys, certificates, secrets, and any other data stored on the EMP. Users have to be assigned to the appropriate group to have permission to see and use security objects.
To create a new security object:
- Navigate to the Security Objects (SO) section.
- Add a new SO by clicking the plus icon or on CREATE SECURITY OBJECT.
- Provide a security object name.
- Select the group it should belong to.
- Optionally, add a description for this instance.
- Then, choose whether you want to import or generate the security object.
- Configure the SO by defining the type, data type, key size, and other settings.
You should see the newly created security object on the main page of the section. Click on the object for more information or use the shortcut icons to:
- Copy the UUID.
- Edit state/Restrict permissions.
- Download logs.
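The application authentication and security-object steps above, as an added example that is not phoenixNAP's or Fortanix's code: a small Python client exchanges an application's API key for a short-lived session token and then creates an AES key in a group, keeping the API key off every data-plane request. The endpoint paths (/sys/v1/session/auth, /crypto/v1/keys) and field names are my reading of the Fortanix SDKMS REST API and are assumptions, and the server is replaced by a constructed fake so the block runs offline.

```python
from typing import Any, Callable, Dict, List

# Hypothetical transport: (method, url, headers, json_body) -> parsed JSON response.
Transport = Callable[[str, str, Dict[str, str], Dict[str, Any]], Dict[str, Any]]


class EmpAppClient:
    """Trade the app's API key for a session token, then create a key in a group.
    Endpoint paths and field names follow the Fortanix SDKMS REST API (assumed)."""
    def __init__(self, base_url: str, api_key: str, transport: Transport) -> None:
        self.base_url = base_url.rstrip("/")
        self._api_key = api_key   # long-lived app secret: sent once, to the session endpoint only
        self._transport = transport
        self._bearer = None
    def authenticate(self) -> str:
        # The API key is presented as an HTTP Basic credential and exchanged for a
        # short-lived bearer token; data-plane requests never carry the API key itself.
        hdrs = {"Authorization": "Basic " + self._api_key}
        resp = self._transport("POST", self.base_url + "/sys/v1/session/auth", hdrs, {})
        self._bearer = resp["access_token"]
        return self._bearer
    def create_aes_key(self, name: str, group_id: str, bits: int = 256) -> Dict[str, Any]:
        if self._bearer is None:
            raise RuntimeError("call authenticate() before using the API")
        # Least-privilege key_ops: EXPORT is omitted so key material stays inside the platform.
        body = {"name": name, "group_id": group_id, "obj_type": "AES",
                "key_size": bits, "key_ops": ["ENCRYPT", "DECRYPT"]}
        hdrs = {"Authorization": "Bearer " + self._bearer, "Content-Type": "application/json"}
        return self._transport("POST", self.base_url + "/crypto/v1/keys", hdrs, body)


def fake_emp_transport(calls: List[str]) -> Transport:
    """Constructed stand-in for the EMP server so the example runs offline: records the
    auth scheme of each request and rejects key creation without the token it issued."""
    token = "constructed-session-token"
    def transport(method: str, url: str, headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
        scheme, cred = headers["Authorization"].split(" ", 1)
        calls.append(scheme)
        if url.endswith("/sys/v1/session/auth") and scheme == "Basic":
            return {"access_token": token, "token_type": "Bearer", "expires_in": 600}
        if url.endswith("/crypto/v1/keys") and (scheme, cred) == ("Bearer", token):
            return dict(body, kid="00000000-0000-4000-8000-000000000000")  # placeholder kid
        raise PermissionError(f"{method} {url}: rejected {scheme} credential")
    return transport


def demo() -> Dict[str, Any]:
    calls: List[str] = []
    client = EmpAppClient("https://emp.example.invalid", "constructed-api-key", fake_emp_transport(calls))
    client.authenticate()
    key = client.create_aes_key("payments-db-dek", "group-id-placeholder")
    return {"key": key, "auth_schemes": calls}
```

Running demo() shows the credential sequence a real deployment's audit log should also reflect: one Basic authentication with the API key, then Bearer-token requests only.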
Note: Learn how to set up BMC drive encryption using EMP to protect sensitive information. Additionally, refer to our guide How to Provision and Secure Tokens and Secrets in EMP for more information on security objects.
Users can be members of one or more accounts and belong to one or more groups. Each user is associated with an email address.
Depending on their privileges, users can add or modify users and groups, create security objects and change their properties, and review cryptographic activity and key management logs.
To add a new user to an account:
- Open the Users section from the sidebar navigation.
- The account administrator will already be listed in the user list.
- Click the plus icon.
- Provide the email address of the new user you want to add. Alternatively, search the LDAP (Lightweight Directory Access Protocol) directory. This requires an LDAP integration to be configured.
- Choose the type of account the user will have – member, administrator, or auditor. Click Next to continue.
- Then, assign the new user to one or multiple groups.
- Finally, select whether the user will have an Auditor or Administrator role in the group. The administrator role gives full access to the group, while auditors have read-only access.
- The new user receives an email with an invitation to join the account on Fortanix Self-Defending KMS. To complete adding the user to an account, they need to accept the invitation.
A plugin allows users to run sensitive business logic securely. Plugins are powerful systems used for imposing access control policies on keys, managing which certificates can be signed, implementing cryptographic operations, and many other tasks.
To add a new plugin to an account:
- Navigate to the Plugins section.
- Click the NEW PLUGIN button.
- Create/import a new plugin by uploading a file with plugin code or typing the code inline. Alternatively, browse the plugin library to add a preloaded, tested, and rated plugin to the account.
The Plugin Library consists of the most frequently used plugins. The library is regularly updated with new plugins you can add to the account. If there is a group of plugins you intend to use, the platform allows you to create local copies in a separate library.
The Tasks section shows all the pending, completed, and failed tasks run on the account. It includes an Approval tab listing all tasks that need approval, and an Import/Export tab.
The encryption management platform keeps an internal audit log of all system operations performed on the account. EMP maintains logs automatically and can pass them on to other logging systems.
To learn more about Audit Logs, check out the Fortanix User's Guide: Logging.
In the image below, you see an example of an audit log.
Note: Your cluster needs to have Internet access to be able to access the Plugin Library.
After reading this article, you should know how phoenixNAP EMP account provisioning works and have a general sense of how the platform functions and which features it provides.
phoenixNAP EMP simplifies the management of all your HSM licenses, secrets, and tokens using a single interface. Start using EMP and provide the highest level of protection for your data.