The ability to digitally sign code, so that clients can check that the software they download is authentic and has not been tampered with, is essential for developers who want to establish trust in what they ship. For many companies the keys used to sign code are the crown jewels of their cryptography, and keeping them safe is crucial.
Google Cloud's Cloud Key Management Service (Cloud KMS) offers the features needed to create, manage, and limit access to cryptographic keys. Through the Cloud KMS interface you can create and store keys in tamper-resistant hardware security modules (Cloud HSM) and perform cryptographic operations such as code signing with them, without the key material ever leaving the HSM.
What is Cloud HSM?
Cloud HSM is a cloud-hosted Hardware Security Module (HSM) service that lets you host encryption keys and perform cryptographic operations in a cluster of FIPS 140-2 Level 3 certified HSMs. Google manages the HSM cluster, so clustering, scaling, and patching are not your concern. Because Cloud HSM uses Cloud KMS as its front end, every capability Cloud KMS offers (IAM-based access control, audit logging, rotation, the same API and CLI) is available for HSM-protected keys as well.
Create a key ring
A key belongs to a key ring, and a key ring belongs to a specific Google Cloud location. You can create a new key ring or reuse an existing one.
To create a key ring in a Google Cloud location that supports Cloud HSM:
- Navigate to the Key Management section of the Google Cloud console.
- Click Create key ring.
- Enter a name for the key ring in the "Key ring name" field.
- Choose a location that supports Cloud HSM, such as "us-east1", for the key ring location. Note that a key ring cannot be moved or deleted later.
- Click "Create."
Create a key
For the designated key ring and location, follow these steps to produce a Cloud HSM key.
- Navigate to the Key Management section of the Google Cloud console.
- Click the name of the key ring in which you want to create the key.
- Click Create key.
- Under "What kind of key do you want to create?", select Generated key.
- Enter a name for the key in the Key name field.
- In the Protection level dropdown, select HSM.
- Choose "Symmetric encrypt/decrypt" from the Purpose dropdown. (This matches the Cloud HSM quickstart; for the code-signing use case covered later in this article you need a key whose purpose is "Asymmetric sign" instead, since SignTool cannot sign with a symmetric key.)
- Accept the default Rotation period and Starting on values.
- Click "Create."
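The same provisioning done with the gcloud CLI, as an added example that is not part of the original article. It is run from PowerShell, since the rest of the workflow takes place on a Windows build machine. The project ID, key ring name, key names, and the build service account are placeholders (assumptions). Besides the symmetric key from the console steps, it creates the asymmetric HSM signing key that the CNG provider needs, checks that the key version really is HSM-backed, and grants the build identity only the signer role on that one key.

```powershell
# Added example (not from the original article): provision the key ring and keys
# from the console steps with the gcloud CLI. Project, key ring, key names and the
# signer principal below are placeholders (assumptions).
$ErrorActionPreference = "Stop"

$Project  = "my-project"          # assumed project ID
$Location = "us-east1"            # must be a location that supports Cloud HSM
$KeyRing  = "signing-ring"        # assumed key ring name
$SymKey   = "hsm-symmetric"       # mirrors the console's symmetric example
$SignKey  = "code-signing"        # asymmetric key used by the CNG provider later
$Signer   = "serviceAccount:build@my-project.iam.gserviceaccount.com"  # assumed

gcloud config set project $Project

# 1. Key ring: a location-scoped container. It cannot be deleted or moved later.
gcloud kms keyrings create $KeyRing --location $Location

# 2. Symmetric encrypt/decrypt key with HSM protection and a 90-day rotation
#    schedule (the console defaults). The first rotation time is computed rather
#    than hard-coded so the command does not go stale.
$NextRotation = (Get-Date).ToUniversalTime().AddDays(90).ToString("yyyy-MM-ddTHH:mm:ssZ")
gcloud kms keys create $SymKey `
  --keyring $KeyRing --location $Location `
  --purpose encryption `
  --protection-level hsm `
  --rotation-period 90d `
  --next-rotation-time $NextRotation

# 3. Asymmetric signing key for code signing. Asymmetric keys have no automatic
#    rotation; you create a new key version when you need one.
gcloud kms keys create $SignKey `
  --keyring $KeyRing --location $Location `
  --purpose asymmetric-signing `
  --default-algorithm rsa-sign-pkcs1-3072-sha256 `
  --protection-level hsm

# 4. Check: confirm the first version is HSM-backed before trusting it for signing.
$Protection = gcloud kms keys versions describe 1 `
  --key $SignKey --keyring $KeyRing --location $Location `
  --format "value(protectionLevel)"
if ($Protection -ne "HSM") { throw "Expected HSM protection level, got '$Protection'" }

# 5. Least privilege: the build identity only needs to sign and read the public
#    key. roles/cloudkms.signerVerifier grants exactly that, on this key only.
gcloud kms keys add-iam-policy-binding $SignKey `
  --keyring $KeyRing --location $Location `
  --member $Signer `
  --role roles/cloudkms.signerVerifier

# Export the public key for your CA or for offline verification; the private
# half never leaves the HSM.
gcloud kms keys versions get-public-key 1 `
  --key $SignKey --keyring $KeyRing --location $Location `
  --output-file "$SignKey-pub.pem"
```

Binding the IAM role on the individual key rather than on the project keeps a compromised build agent from signing with any other key in the organization, which is the property the article's later discussion of stolen signing keys is really about.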
Bare Metal Rack HSM
Google Cloud also offers additional HSM options such as single tenancy. With Bare Metal Rack HSM, customers can host their own HSMs in space provided by Google. Ask your account representative for details.
Provider for Microsoft Cryptography API: Next Generation (CNG)
Microsoft Cryptography API: Next Generation (CNG) is an application programming interface that lets developers add encryption, encoding, and authentication to Windows applications. Once a CNG provider is installed on a system, tools such as Windows SignTool can use it to perform cryptographic operations. So that existing applications built on the CNG API can use keys held in Cloud KMS, Google provides a CNG provider that implements this interface.
The provider is developed as an open source project on GitHub under the Apache 2.0 license. Release binaries downloaded from the GitHub releases page are covered by the Google Cloud Terms of Service and supported by Cloud Customer Care.
Google Cloud recently added Cloud KMS signing support to its Cryptography API: Next Generation (CNG) provider. With it, you can keep your signing keys in Cloud HSM and use SignTool to sign Windows artifacts.
According to the U.S. government's Cyber Safety Review Board, hardware security modules are regarded as a best practice for cloud security because they keep keys in isolated, segmented systems. Where HSMs and other recommended practices are not followed, threat actors have been observed stealing legitimate signing keys and using them to access data and systems within the key's domain.
In Cloud HSM, the servers housing the HSM hardware are shielded from unauthorized operations, signing keys are marked non-extractable, and the hardware is not directly connected to any network. These hardening measures make it much harder for a signing key to be accidentally exposed or stolen.
Previously, protecting the keys for your Windows artifacts meant hardware that was not hosted by Google Cloud. Cloud HSM protects your signing keys with FIPS 140-2 Level 3 assurances and can lower infrastructure and operating costs, because you pay only for the keys you use. Cloud HSM is available in many locations to suit your workload.
Using the Google Cloud KMS CNG provider streamlines the signing step, so you can deliver software to your customers faster.
Getting started with the Cloud KMS CNG provider
The Cloud KMS CNG provider serves four main purposes:
- Sign firmware and other artifacts with a private key protected by a FIPS 140-2 Level 3 HSM.
- Sign Microsoft Windows artifacts with the standard SignTool executable on Windows.
- Offload key management, including key creation, rotation, and access control, to Cloud KMS.
- Gain visibility and attribution through Cloud KMS logging and auditing.
These crucial results can be attained by following these steps:
- Install the CNG provider
- Create your signing key
- Get your certificate
- Sign your artifact
Install the CNG provider
Released binaries of the CNG provider are published on the Google Cloud GitHub repository's releases page. Install them on your Windows machine with the provided .msi installer, then configure the provider (credentials and project settings) according to the user manual.
Use Cloud HSM to generate your signing key
Once your key ring exists, create a signing key with the HSM protection level so that it is protected by Cloud HSM hardware. Choose the asymmetric signing algorithm (for example RSA-PKCS#1 or ECDSA with SHA-256) that matches your security requirements and what your certificate authority and SignTool support.
Get your signing certificate
The certificate binds your identity to the public half of the Cloud HSM key; the private half stays in the HSM and is never installed on the Windows machine.
If you do not already have a code-signing certificate for this key, generate a certificate signing request (CSR) for the Cloud HSM-protected signing key and submit the CSR to your certificate authority to obtain a new code-signing certificate.
Sign your artifacts
Once the CNG provider is installed, the key exists in Cloud HSM, and you have the certificate, you can sign your artifact with SignTool. Make sure you pass the right flags: the provider name "Google Cloud KMS Provider" as the CSP, and the Cloud KMS key version resource name from Cloud HSM as the key container.
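The certificate and signing steps above as one PowerShell script, added here as an example; it is not code from the original article or from the provider's repository. It assumes the CNG provider is already installed and configured on the build machine, that the signing key from the earlier steps exists, and that the key version resource name, certificate subject, artifact path, and timestamp server URL are placeholders you replace with your own. The certreq .inf layout for addressing an existing key through a named CNG provider follows Microsoft's certreq documentation; check it against the provider's user manual for your version.

```powershell
# Added example (not from the original article or the provider's repository):
# CSR generation, signing, and verification against a Cloud HSM key through the
# Cloud KMS CNG provider. Key version name, subject, artifact, certificate file
# and timestamp URL are assumptions.
$ErrorActionPreference = "Stop"

$Provider = "Google Cloud KMS Provider"
# The provider addresses a key by its full Cloud KMS key *version* resource name.
$KeyUri   = "projects/my-project/locations/us-east1/keyRings/signing-ring/cryptoKeys/code-signing/cryptoKeyVersions/1"
$CertFile = "code-signing.cer"            # certificate issued by your CA (public only)
$Artifact = "dist\app.exe"                # assumed artifact to sign
$TsaUrl   = "http://timestamp.example"    # assumed RFC 3161 timestamp server

# --- Step 1: CSR for the existing HSM key (skip if you already have a certificate).
# UseExistingKeySet tells certreq to use the key the provider already holds rather
# than generating a new software key, which would defeat the purpose.
@"
[NewRequest]
Subject = "CN=Example Corp Code Signing, O=Example Corp, C=US"
ProviderName = "$Provider"
KeyContainer = "$KeyUri"
UseExistingKeySet = TRUE
HashAlgorithm = sha256
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.3 ; Code Signing
"@ | Set-Content -Path request.inf -Encoding ASCII

certreq -new request.inf request.csr
if ($LASTEXITCODE -ne 0) { throw "certreq failed ($LASTEXITCODE)" }
# Submit request.csr to your CA and save the issued certificate as $CertFile.

# --- Step 2: Sign. /csp and /kc route the private-key operation to the provider
# (and thus to Cloud HSM); /f supplies the certificate; /fd is the file digest;
# /tr and /td add an RFC 3161 timestamp so the signature remains valid after the
# certificate expires.
signtool sign /v /fd sha256 `
  /csp $Provider /kc $KeyUri `
  /f $CertFile `
  /tr $TsaUrl /td sha256 `
  $Artifact
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed ($LASTEXITCODE)" }

# --- Step 3: Check the result the way a client machine will: default
# Authenticode policy, chain to a trusted root, timestamp present.
signtool verify /pa /v $Artifact
if ($LASTEXITCODE -ne 0) { throw "signature did not verify" }
```

Every signing call made this way shows up in Cloud KMS audit logs as a cryptoKeyVersions.asymmetricSign operation by the identity the provider was configured with, which is the attribution the "logging and auditing" bullet above refers to; checking those logs against your build pipeline's job history is a cheap way to spot signatures nobody asked for.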