Key Management System (PyKMIP)

Key Management System (PyKMIP)

Summary
Setting up a Key Management System on 2 Linux Ubuntu virtual machines using the open source PyKMIP Library to preform key creation, destruction, and data encrypting, and decrypting.
Tech
Encryption
PyKMIP
VM
Linux
Created
May 2, 2023 09:40 PM

Key Management System on Beagle Bone AI Using PyKMIP

Introduction

Our group project focused on a Key Management System (KMS) – a system built around the concept of managing cryptographic keys used to sign files for security purposes. For our project, we used an open source Python implementation called PyKMIP. We chose to work on this project as we wanted to apply and implement the material that was directly taught to us in the course while expanding our knowledge.
Our original intent was to set up the PyKMIP server on a BeagleBone AI board and set up a sensor to flush the keys in reaction to any movement/tampering, imitating real-world industrial examples of Key Management Systems. However, due to technical difficulties, this avenue could not be pursued further. Instead, we went through an alternative method of using Virtual Machines (VMs) as a proof of concept.
Though the process was not without its challenges, we learned a lot from this experience, including knowledge obtained from trial and error, research, and insight into the use of KMS and its applications in practical settings.
 

Demonstration:

Video preview

Discussion

We used the PyKMIP library by OpenKMIP, which provides a framework for setting up a KMS server and client. We applied this library to two VMs – one acting as a server and the other as a client. Both VMs were running Ubuntu and were set to share a network.
Here are the steps we took to set up the KMS server and client:

Setting up the KMS server on the server VM:

  1. Create necessary directories and change permissions appropriately
  1. Install SQLite library used by Pykmip to store keys and certificates.
  1. Install OpenSSL library to create self-signed certificates that will be used by the server to verify the client and vice versa.
  1. Clone the OpenKMIP/PyKMIP repo from GitHub
  1. Run the 'setup.py' file
  1. Set up the 'server.conf' file, which will provide the Pykmip server with the configuration to run
  1. Finally, run 'python3 /usr/local/PyKMIP/bin/run_server.py &' to start the server.

Setting up the KMS client on the client VM:

  1. Similarly to the server, install the PyKMIP library
  1. Install the dependencies and create necessary directories
  1. Create the OpenSSL self-signed certificate
  1. Create the client.conf file appropriately
  1. Ensure the server and client VM are running
  1. Use the client to perform KMS operations
Please refer to the tutorial file that lays out the exact commands and steps we took to make a KMS system using PyKMIP. You can also refer to the video file to see a demo of using the KMS from the client side to perform the following operations: create key, encrypt file, decrypt file.

Challenges

VM Challenges

Although the KMS server and client worked on the VM, we faced a few issues along the way:
  1. Self-signed certificate issue: We put the wrong common name when it's supposed to be the server or client VM's IP.
  1. When doing a self-signed certificate, the handshake fails if you don't add the certificates of the server to the client's trust store and vice versa.
  1. The connection got refused multiple times because of mismatching SSL versions, cipher suites, and protocols.
We resolved these Issues, and the KMS worked very well on the 2 Ubuntu VMs!
 

BEAGLEBONE CHALLENGES

When we set up a KMS server on the BeagleBone AI MCU using PyKMIP and KMIP, we encountered several challenges. Here are the challenges we faced:
  1. Ensuring access to the internet: We were unfamiliar with the BeagleBone AI board and struggled to supply internet to the board. We tried to install packages without the internet, but we ran into roadblocks.
  1. Dependency issues: We ran into dependency issues because the board was not updated and could not update without the internet.
  1. Long installation times: When we finally got the internet working, packages took hours to install.
  1. Missing Python dependencies: When the packages were installed, we still were missing Python dependencies.
To overcome these challenges, we needed to take the following steps: Ensuring access to the internet: We connected the BeagleBone AI MCU to the internet using a wired or wireless connection.
Dependency issues: We updated the BeagleBone AI MCU using the "sudo apt-get update" command in the terminal before attempting to install any software packages. Long installation times: We installed software packages in batches and waited for each batch to finish installing before installing the next one. Additionally, we ensured that we had a fast and stable internet connection to minimise installation times.
Missing Python dependencies: We installed the required Python dependencies before attempting to install PyKMIP or KMIP. However, this was a time-consuming process on the BeagleBone AI MCU. In some cases, the board took too long to install these dependencies, causing us to be unable to install the KMS server.

Conclusion

In conclusion, setting up a KMS server on the BeagleBone AI MCU using PyKMIP and KMIP presented several challenges, including difficulties in accessing the internet, dependency issues, long installation times, and missing Python dependencies. Despite our best efforts, we were unable to install the server on the BeagleBone AI MCU due to the time it took to install the necessary Python dependencies.
However, we were able to set up the server and client on virtual machines, which allowed us to test and verify the functionality of the KMS server. While the virtual machines provided a solution, we recognize that they are not a suitable long-term solution. Therefore, in the future, we will need to consider upgrading the BeagleBone AI MCU's hardware or using a different platform that can handle the required software packages more efficiently. Overall, the experience highlighted the importance of carefully selecting the appropriate hardware platform for specific use cases and being prepared to troubleshoot potential challenges that may arise. We learned valuable lessons from this experience, which will guide us in future endeavours to set up secure and reliable KMS servers