How does AWS XKS with Fortanix DSM work?

As shown in the following diagram, XKS allows AWS KMS to use external, customer-managed Root Keys, which increases the customer’s control over their key management and data protection initiatives.

The customer’s Root Keys are generated, protected, and used wholly within Fortanix DSM. AWS KMS calls DSM to unwrap Data Encryption Keys (DEKs) for use by the AWS services it supports.

DSM enforces granular access control and key usage policies. DEKs protected by an XKS are doubly enveloped (encrypted): once by KMS, and once by DSM.

Every time a KMS client uses the key, KMS asks Fortanix DSM to open the outer (blue) envelope, and DSM sends the still-encrypted inner (gray) envelope back to KMS to decrypt. This way, Fortanix never sees the customer’s keys.
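A minimal model of that double envelope in Go, added here as an illustration and not code from Fortanix or AWS: the KMS-side key, the DSM root key, AES-GCM as the wrapping primitive and the function names are assumptions (the real XKS proxy API and DSM wrapping formats differ), but the split of duties is the one described above, with DSM only ever handling the outer layer.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcmFor returns an AES-GCM AEAD for a 16/24/32-byte key (panics otherwise).
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // only fails for non-128-bit block ciphers
	return gcm
}

// seal encrypts with AES-GCM and prepends the random 12-byte nonce.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error (Go 1.24+)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails on a wrong key or a tampered ciphertext.
func open(key, ct []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(ct) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// WrapDEK: KMS seals the DEK (inner envelope); the DSM root key seals that (outer).
func WrapDEK(kmsKey, rootKey, dek []byte) []byte { return seal(rootKey, seal(kmsKey, dek)) }

// DsmUnwrap opens only the outer envelope and returns the inner one, never the DEK.
func DsmUnwrap(rootKey, wrapped []byte) ([]byte, error) { return open(rootKey, wrapped) }

// KmsUnwrap is KMS's part: call DSM, then open the inner envelope locally.
func KmsUnwrap(kmsKey, rootKey, wrapped []byte) ([]byte, error) {
	inner, err := DsmUnwrap(rootKey, wrapped)
	if err != nil {
		return nil, err
	}
	return open(kmsKey, inner)
}
```

Because the outer layer is authenticated, revoking or changing the root key in DSM makes every ciphertext under it undecryptable, which is the control the customer gains.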

