Creating Keys
This section describes how to create an encryption key for use in a CTE policy using the CTE API (the /v1/vault/keys2/ endpoint).
Overview
Keys used in a CTE policy must meet the following conditions. The keys must:
Grant the required permissions to the CTE Clients group
Grant the required permissions to the Key Users group (for ESG GuardPoints only)
Be exportable ("unexportable": false)
Be versioned or non-versioned, as required by the policy type and by the policy field ("current_key" or "transformation_key") the key is used in; see the policy-specific requirements below
Use the "CBC", "CBC_CS1", or "XTS" encryption mode, as supported by the policy type
Note
XTS keys are required for creating ESG GuardPoints with Standard and In-place Data Transformation (IDT) policies.
Have metadata with the following details:
{
"cte": {
"is_used": <true/false>,
"cte_versioned": <true/false>,
"encryption_mode": <"CBC"/"CBC_CS1"/"XTS">,
"persistent_on_client": <true/false>
},
"ownerId": "string",
"permissions": {
"ReadKey": [ "CTE Clients" ],
"ExportKey": [ "CTE Clients" ]
}
}
CTE supports Standard, LDT, COS, and IDT policies. The policy-specific key requirements, with a sample request for each, follow.
Keys for Standard Policies
Standard policies support only non-versioned keys.
Keys must grant access to the CTE Clients group, and to the Key Users group for ESG GuardPoints.
The CTE Clients group must have the Read Key and Export Key permissions.
The Key Users group must have the Read Key and Export Key permissions (for ESG GuardPoints only).
Standard policies support "CBC", "CBC_CS1", and "XTS" keys. XTS keys are supported for ESG GuardPoints only.
API
/v1/vault/keys2/ [POST]
Sample
{
"name": "Standard_pol_key",
"algorithm": "aes",
"size": 256,
"undeletable": true,
"unexportable": false,
"meta": {
"ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
"permissions": {
"DecryptWithKey": [
"CTE Clients"
],
"EncryptWithKey": [
"CTE Clients"
],
"ExportKey": [
"CTE Clients"
],
"MACVerifyWithKey": [
"CTE Clients"
],
"MACWithKey": [
"CTE Clients"
],
"ReadKey": [
"CTE Clients"
],
"SignVerifyWithKey": [
"CTE Clients"
],
"SignWithKey": [
"CTE Clients"
],
"UseKey": [
"CTE Clients"
]
},
"cte": {
"persistent_on_client": true,
"encryption_mode": "CBC",
"cte_versioned": false
}
},
"xts": false
}
Keys for LDT Policies
LDT policies support only "CBC" and "CBC_CS1" keys.
Keys must grant access to the CTE Clients group.
The CTE Clients group must have the Read Key and Export Key permissions.
LDT policies support only non-versioned keys in the "current_key" field.
LDT policies support only versioned keys in the "transformation_key" field.
API
/v1/vault/keys2/ [POST]
Sample
Samples for the current key and the transformation key follow. The two bodies differ only in the name and in "cte_versioned", which must be false for the current key and true for the transformation key.
Sample for the Current Key
{
"name": "LDT_Current_Key",
"algorithm": "aes",
"size": 256,
"undeletable": true,
"unexportable": false,
"meta": {
"ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
"permissions": {
"DecryptWithKey": [
"CTE Clients"
],
"EncryptWithKey": [
"CTE Clients"
],
"ExportKey": [
"CTE Clients"
],
"MACVerifyWithKey": [
"CTE Clients"
],
"MACWithKey": [
"CTE Clients"
],
"ReadKey": [
"CTE Clients"
],
"SignVerifyWithKey": [
"CTE Clients"
],
"SignWithKey": [
"CTE Clients"
],
"UseKey": [
"CTE Clients"
]
},
"cte": {
"persistent_on_client": true,
"encryption_mode": "CBC",
"cte_versioned": false
}
},
"xts": false
}
Sample for the Transformation Key
{
"name": "LDT_transformation_key",
"algorithm": "aes",
"size": 256,
"undeletable": true,
"unexportable": false,
"meta": {
"ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
"permissions": {
"DecryptWithKey": [
"CTE Clients"
],
"EncryptWithKey": [
"CTE Clients"
],
"ExportKey": [
"CTE Clients"
],
"MACVerifyWithKey": [
"CTE Clients"
],
"MACWithKey": [
"CTE Clients"
],
"ReadKey": [
"CTE Clients"
],
"SignVerifyWithKey": [
"CTE Clients"
],
"SignWithKey": [
"CTE Clients"
],
"UseKey": [
"CTE Clients"
]
},
"cte": {
"persistent_on_client": true,
"encryption_mode": "CBC",
"cte_versioned": true
}
},
"xts": false
}
Keys for COS Policies
Keys must grant access to the CTE Clients group.
The CTE Clients group must have the Read Key and Export Key permissions.
COS policies support only non-versioned keys.
COS policies support only "CBC_CS1" keys.
API
/v1/vault/keys2/ [POST]
Sample
{
"name": "COS_Key",
"algorithm": "aes",
"size": 256,
"undeletable": true,
"unexportable": false,
"meta": {
"ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
"permissions": {
"DecryptWithKey": [
"CTE Clients"
],
"EncryptWithKey": [
"CTE Clients"
],
"ExportKey": [
"CTE Clients"
],
"MACVerifyWithKey": [
"CTE Clients"
],
"MACWithKey": [
"CTE Clients"
],
"ReadKey": [
"CTE Clients"
],
"SignVerifyWithKey": [
"CTE Clients"
],
"SignWithKey": [
"CTE Clients"
],
"UseKey": [
"CTE Clients"
]
},
"cte": {
"persistent_on_client": true,
"encryption_mode": "CBC_CS1",
"cte_versioned": false
}
},
"xts": true
}
Keys for IDT Policies
Keys must grant access to the CTE Clients group, and to the Key Users group for ESG GuardPoints.
The CTE Clients group must have the Read Key and Export Key permissions; the Key Users group must have the same permissions for ESG GuardPoints.
IDT policies support only the "XTS" encryption mode.
IDT policies support only non-versioned keys in both the "current_key" and "transformation_key" fields.
IDT policies are used for Efficient Storage array devices and IDT-capable devices.
ESG GuardPoints can be applied using IDT policies or Standard policies (the latter using KMIP keys).
API
/v1/vault/keys2/ [POST]
Sample
Samples for the current key and the transformation key follow. Both are non-versioned XTS keys; the samples also grant Read Key and Export Key to the Key Users group, as required for ESG GuardPoints.
Sample for the Current Key
{
"name": "IDT_Policy_Current_key",
"algorithm": "aes",
"size": 256,
"undeletable": true,
"unexportable": false,
"meta": {
"ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
"permissions": {
"DecryptWithKey": [
"CTE Clients"
],
"EncryptWithKey": [
"CTE Clients"
],
"ExportKey": [
"CTE Clients",
"Key Users"
],
"MACVerifyWithKey": [
"CTE Clients"
],
"MACWithKey": [
"CTE Clients"
],
"ReadKey": [
"CTE Clients",
"Key Users"
],
"SignVerifyWithKey": [
"CTE Clients"
],
"SignWithKey": [
"CTE Clients"
],
"UseKey": [
"CTE Clients"
]
},
"cte": {
"persistent_on_client": true,
"encryption_mode": "XTS",
"cte_versioned": false
}
},
"xts": true,
"id": "694bf52e-d0c2-4416-b615-feab9ce27940",
"uuid": "694bf52e-d0c2-4416-b615-feab9ce27940"
}
Sample for the Transformation Key
{
"name": "IDT_Policy_Transformation_Key",
"algorithm": "aes",
"size": 256,
"undeletable": true,
"unexportable": false,
"meta": {
"ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
"permissions": {
"DecryptWithKey": [
"CTE Clients"
],
"EncryptWithKey": [
"CTE Clients"
],
"ExportKey": [
"CTE Clients",
"Key Users"
],
"MACVerifyWithKey": [
"CTE Clients"
],
"MACWithKey": [
"CTE Clients"
],
"ReadKey": [
"CTE Clients",
"Key Users"
],
"SignVerifyWithKey": [
"CTE Clients"
],
"SignWithKey": [
"CTE Clients"
],
"UseKey": [
"CTE Clients"
]
},
"cte": {
"persistent_on_client": true,
"encryption_mode": "XTS",
"cte_versioned": false
}
},
"xts": true,
"id": "d32d1b65-5a09-403e-921d-8d1c8db39a75",
"uuid": "d32d1b65-5a09-403e-921d-8d1c8db39a75"
}
Deleting CTE Keys
A CTE key cannot be deleted while it is in use by a policy; remove it from every policy that references it first.
The CTE Admins and Key Admins group permissions are required to delete a CTE key.
API
/v1/vault/keys2/{id} [DELETE]
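The key rules in the Overview and the per-policy sections above, plus the delete call in this section, as one added example (not code from the original page or from Thales). It encodes the rules as a checkable function, builds request bodies in the shape of the page's samples, and wraps the POST and DELETE calls with the standard library. Assumed and hypothetical: the API root URL and bearer token are supplied by the caller, and the server-assigned key "id" is read from the create response.

```python
"""Build, validate, create and delete CTE keys through the keys2 API.

Added example, not code from the original page or from Thales. It turns the
per-policy key rules above into a checkable function, builds request bodies
shaped like the page's samples, and wraps the POST/DELETE calls. The API root
URL and bearer token passed to the HTTP helpers are assumed to come from elsewhere.
"""
import json
import urllib.error
import urllib.request

CTE_CLIENTS = "CTE Clients"
KEY_USERS = "Key Users"

# Encryption modes each policy type accepts (XTS under Standard: ESG only).
ALLOWED_MODES = {"standard": {"CBC", "CBC_CS1", "XTS"}, "ldt": {"CBC", "CBC_CS1"},
                 "cos": {"CBC_CS1"}, "idt": {"XTS"}}

# Required cte_versioned value per (policy, key field). Standard and COS
# policies use a single key, treated here as the "current" key.
VERSIONED = {("standard", "current"): False, ("ldt", "current"): False,
             ("ldt", "transformation"): True, ("cos", "current"): False,
             ("idt", "current"): False, ("idt", "transformation"): False}


def validate_cte_key(body, policy, role="current", esg=False):
    """Return the rule violations for a keys2 body; an empty list means it is acceptable."""
    problems = []
    meta = body.get("meta", {})
    perms, cte = meta.get("permissions", {}), meta.get("cte", {})
    mode = cte.get("encryption_mode")
    if body.get("unexportable", False):
        problems.append("key must be exportable (unexportable: false)")
    for perm in ("ReadKey", "ExportKey"):
        if CTE_CLIENTS not in perms.get(perm, []):
            problems.append(f"{CTE_CLIENTS} lacks {perm}")
        if esg and KEY_USERS not in perms.get(perm, []):
            problems.append(f"{KEY_USERS} lacks {perm} (required for ESG GuardPoints)")
    if mode not in ALLOWED_MODES.get(policy, set()):
        problems.append(f"{policy} policies do not support {mode!r} keys")
    elif policy == "standard" and mode == "XTS" and not esg:
        problems.append("XTS keys under Standard policies are for ESG GuardPoints only")
    want = VERSIONED.get((policy, role))
    if want is None:
        problems.append(f"{policy} policies have no {role!r} key")
    elif cte.get("cte_versioned") is not want:
        problems.append(f"{policy} {role} key must be {'versioned' if want else 'non-versioned'}")
    return problems


def build_cte_key(name, policy, mode, owner_id, role="current", esg=False):
    """Build a POST /v1/vault/keys2/ body in the shape of the samples above,
    or raise ValueError listing every rule it would break."""
    groups = [CTE_CLIENTS, KEY_USERS] if esg else [CTE_CLIENTS]
    body = {
        "name": name, "algorithm": "aes", "size": 256,
        "undeletable": True, "unexportable": False,
        "meta": {
            "ownerId": owner_id,
            "permissions": {"ReadKey": list(groups), "ExportKey": list(groups),
                            "UseKey": [CTE_CLIENTS]},
            "cte": {"persistent_on_client": True, "encryption_mode": mode,
                    "cte_versioned": VERSIONED.get((policy, role), False)},
        },
        # The page's samples set xts to true for CBC_CS1 and XTS keys only.
        "xts": mode in ("CBC_CS1", "XTS"),
    }
    problems = validate_cte_key(body, policy, role, esg)
    if problems:
        raise ValueError("; ".join(problems))
    return body


def _call(base_url, token, method, path, body=None):
    """Send one JSON request to the assumed API root and decode the reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def create_key(base_url, token, body):
    """POST the body and return the server-assigned key id from the response."""
    return _call(base_url, token, "POST", "/v1/vault/keys2/", body)["id"]


def delete_key(base_url, token, key_id):
    """DELETE the key. The server refuses while a policy still references the
    key, or when the caller lacks the CTE Admins / Key Admins permissions."""
    try:
        _call(base_url, token, "DELETE", f"/v1/vault/keys2/{key_id}")
        return True
    except urllib.error.HTTPError as err:
        print(f"delete of {key_id} refused: HTTP {err.code} {err.reason}")
        return False
```

Typical use is to build the pair an LDT policy needs, `build_cte_key("LDT_Current_Key", "ldt", "CBC", owner)` and `build_cte_key("LDT_transformation_key", "ldt", "CBC", owner, role="transformation")`, and pass each body to `create_key(root, token, body)`, where `root` and `token` are the caller's own values. Because `build_cte_key` runs the validator before returning, a COS key requested with "CBC", an XTS key under a Standard policy without `esg=True`, or a non-versioned LDT transformation key is rejected locally instead of producing a key the policy will not accept. `delete_key` reports the refusal rather than raising, so a script that retires keys can continue with the rest of its list.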