Creating Keys
This section describes the steps to create an encryption key for CTE using the CTE API.
Overview
Keys in a CTE policy must fulfill the following conditions. The keys should:
- Have the CTE Clients group permissions
- Be exportable
- Be versioned or non-versioned, as required by the policy type
- Be of the type "CBC_CS1"
- Have metadata with the following details:
  {
    "cte": {
      "is_used": <true/false>,
      "cte_versioned": <true/false>,
      "encryption_mode": <"CBC_CS1">,
      "persistent_on_client": <true/false>
    },
    "ownerId": "string",
    "permissions": {
      "ReadKey": [ "CTE Clients" ],
      "ExportKey": [ "CTE Clients" ]
    }
  }
CTE supports standard policies.
Keys for Standard Policies
- Standard policies support only non-versioned keys.
- The CTE Clients group should have the Read Key and Export Key permissions.
- Standard policies support "CBC_CS1" keys.
API
/v1/vault/keys2/ [POST]
Sample
{
  "name": "Standard_pol_key",
  "algorithm": "aes",
  "size": 256,
  "undeletable": true,
  "unexportable": false,
  "meta": {
    "ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
    "permissions": {
      "DecryptWithKey": [
        "CTE Clients"
      ],
      "EncryptWithKey": [
        "CTE Clients"
      ],
      "ExportKey": [
        "CTE Clients"
      ],
      "MACVerifyWithKey": [
        "CTE Clients"
      ],
      "MACWithKey": [
        "CTE Clients"
      ],
      "ReadKey": [
        "CTE Clients"
      ],
      "SignVerifyWithKey": [
        "CTE Clients"
      ],
      "SignWithKey": [
        "CTE Clients"
      ],
      "UseKey": [
        "CTE Clients"
      ]
    },
    "cte": {
      "persistent_on_client": true,
      "encryption_mode": "CBC_CS1",
      "cte_versioned": false
    }
  },
  "xts": false
}
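The following is an added example (not Thales code) that builds the request body for a standard-policy key and checks it against the conditions listed above before it is sent, so that a non-exportable, versioned or wrongly-permissioned key is caught client-side rather than when the policy fails. The owner id and CipherTrust Manager host are placeholders; the field names and the endpoint are the ones on this page.

```python
# Added example (not Thales code): build and pre-flight check a key body for POST /v1/vault/keys2/
import json

CTE_CLIENTS = "CTE Clients"
REQUIRED_PERMS = ("ReadKey", "ExportKey")  # page: standard policies need these


def build_standard_policy_key(name: str, owner_id: str) -> dict:
    """Request body meeting the page's conditions for a standard-policy key."""
    return {
        "name": name,
        "algorithm": "aes",
        "size": 256,
        "undeletable": True,
        "unexportable": False,  # key must be exportable
        "meta": {
            "ownerId": owner_id,
            "permissions": {p: [CTE_CLIENTS] for p in REQUIRED_PERMS},
            "cte": {
                "persistent_on_client": True,
                "encryption_mode": "CBC_CS1",  # only mode standard policies accept
                "cte_versioned": False,  # standard policies: non-versioned only
            },
        },
        "xts": False,
    }


def check_standard_policy_key(body: dict) -> list:
    """Return the conditions the body violates; an empty list means it is usable."""
    meta = body.get("meta", {})
    cte = meta.get("cte", {})
    perms = meta.get("permissions", {})
    problems = []
    if body.get("unexportable", False):
        problems.append("key is not exportable")
    if cte.get("encryption_mode") != "CBC_CS1":
        problems.append("encryption_mode is not CBC_CS1")
    if cte.get("cte_versioned", False):
        problems.append("standard policies require a non-versioned key")
    for perm in REQUIRED_PERMS:
        if CTE_CLIENTS not in perms.get(perm, []):
            problems.append(f"CTE Clients group lacks {perm}")
    return problems


if __name__ == "__main__":
    # ownerId is a placeholder; POST the printed JSON to /v1/vault/keys2/ on the CipherTrust Manager
    body = build_standard_policy_key("Standard_pol_key", "local|<OWNER-ID>")
    print(json.dumps(body, indent=2), check_standard_policy_key(body))
```

The sample above grants the CTE Clients group more permissions than the two this checker requires; the checker only verifies the minimum the page states a standard policy needs.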
Deleting CTE Keys
A CTE key cannot be deleted if it is being used in a policy.
The CTE Admins and Key Admins group permissions are required to delete a CTE key.
API
/v1/vault/keys2/{id} [DELETE]