Creating Keys
This section describes how to create encryption keys for CTE policies through the API, and the requirements each policy type places on its keys.
Overview
Keys used in a CTE policy must meet the following conditions. The key must:
Grant the CTE Clients group access (at minimum the Read Key and Export Key permissions)
Be exportable ("unexportable": false)
Be versioned or non-versioned as the policy type requires (see the policy-specific requirements below)
Use the "CBC", "CBC_CS1" or "XTS" encryption mode
Note
XTS keys are required for creating GuardPoints with In-place Data Transformation (IDT) policies. In the samples below, "xts" is false for CBC keys and true for CBC_CS1 and XTS keys.
Have metadata with the following structure:
{
  "cte": {
    "is_used": <true/false>,
    "cte_versioned": <true/false>,
    "encryption_mode": <"CBC"/"CBC_CS1"/"XTS">,
    "persistent_on_client": <true/false>
  },
  "ownerId": "string",
  "permissions": {
    "ReadKey": [ "CTE Clients" ],
    "ExportKey": [ "CTE Clients" ]
  }
}
CTE supports standard, LDT, COS, and IDT policies. The policy-specific key requirements and sample requests follow.
Keys for Standard Policies
Standard policies support only non-versioned keys.
Keys should have the CTE Clients group access.
CTE Clients group should have the Read Key and Export Key permissions.
Standard policies support "CBC" / "CBC_CS1" keys.
API
/v1/vault/keys2/ [POST]
Sample
{
  "name": "Standard_pol_key",
  "algorithm": "aes",
  "size": 256,
  "undeletable": true,
  "unexportable": false,
  "meta": {
    "ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
    "permissions": {
      "DecryptWithKey": [ "CTE Clients" ],
      "EncryptWithKey": [ "CTE Clients" ],
      "ExportKey": [ "CTE Clients" ],
      "MACVerifyWithKey": [ "CTE Clients" ],
      "MACWithKey": [ "CTE Clients" ],
      "ReadKey": [ "CTE Clients" ],
      "SignVerifyWithKey": [ "CTE Clients" ],
      "SignWithKey": [ "CTE Clients" ],
      "UseKey": [ "CTE Clients" ]
    },
    "cte": {
      "persistent_on_client": true,
      "encryption_mode": "CBC",
      "cte_versioned": false
    }
  },
  "xts": false
}
Keys for LDT Policies
LDT policies support only "CBC" and "CBC_CS1" keys.
Keys should have the CTE Clients group access.
CTE Clients group should have the Read Key and Export Key permissions.
LDT policies support only non-versioned keys in the "current_key" field.
LDT policies support only versioned keys in the "transformation_key" field.
API
/v1/vault/keys2/ [POST]
Sample
Samples for the current key and the transformation key follow.
Sample for the Current Key
{
  "name": "LDT_Current_Key",
  "algorithm": "aes",
  "size": 256,
  "undeletable": true,
  "unexportable": false,
  "meta": {
    "ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
    "permissions": {
      "DecryptWithKey": [ "CTE Clients" ],
      "EncryptWithKey": [ "CTE Clients" ],
      "ExportKey": [ "CTE Clients" ],
      "MACVerifyWithKey": [ "CTE Clients" ],
      "MACWithKey": [ "CTE Clients" ],
      "ReadKey": [ "CTE Clients" ],
      "SignVerifyWithKey": [ "CTE Clients" ],
      "SignWithKey": [ "CTE Clients" ],
      "UseKey": [ "CTE Clients" ]
    },
    "cte": {
      "persistent_on_client": true,
      "encryption_mode": "CBC",
      "cte_versioned": false
    }
  },
  "xts": false
}
Sample for the Transformation Key
{
  "name": "LDT_transformation_key",
  "algorithm": "aes",
  "size": 256,
  "undeletable": true,
  "unexportable": false,
  "meta": {
    "ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
    "permissions": {
      "DecryptWithKey": [ "CTE Clients" ],
      "EncryptWithKey": [ "CTE Clients" ],
      "ExportKey": [ "CTE Clients" ],
      "MACVerifyWithKey": [ "CTE Clients" ],
      "MACWithKey": [ "CTE Clients" ],
      "ReadKey": [ "CTE Clients" ],
      "SignVerifyWithKey": [ "CTE Clients" ],
      "SignWithKey": [ "CTE Clients" ],
      "UseKey": [ "CTE Clients" ]
    },
    "cte": {
      "persistent_on_client": true,
      "encryption_mode": "CBC",
      "cte_versioned": true
    }
  },
  "xts": false
}
Keys for COS Policies
Keys should have the CTE Clients group access.
CTE Clients group should have the Read Key and Export Key permissions.
COS policies support only non-versioned keys.
COS policies support only "CBC_CS1" keys.
API
/v1/vault/keys2/ [POST]
Sample
{
  "name": "COS_Key",
  "algorithm": "aes",
  "size": 256,
  "undeletable": true,
  "unexportable": false,
  "meta": {
    "ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
    "permissions": {
      "DecryptWithKey": [ "CTE Clients" ],
      "EncryptWithKey": [ "CTE Clients" ],
      "ExportKey": [ "CTE Clients" ],
      "MACVerifyWithKey": [ "CTE Clients" ],
      "MACWithKey": [ "CTE Clients" ],
      "ReadKey": [ "CTE Clients" ],
      "SignVerifyWithKey": [ "CTE Clients" ],
      "SignWithKey": [ "CTE Clients" ],
      "UseKey": [ "CTE Clients" ]
    },
    "cte": {
      "persistent_on_client": true,
      "encryption_mode": "CBC_CS1",
      "cte_versioned": false
    }
  },
  "xts": true
}
Keys for IDT Policies
Keys should have the CTE Clients group access.
CTE Clients group should have the Read Key and Export Key permissions.
IDT policies support only the "XTS" encryption mode.
IDT policies support only non-versioned keys in the "current_key" and "transformation_key" fields.
IDT policies are used for IDT-capable devices.
API
/v1/vault/keys2/ [POST]
Sample
Samples for the current key and the transformation key follow.
Sample for the Current Key
{
  "name": "IDT_Policy_Current_key",
  "algorithm": "aes",
  "size": 256,
  "undeletable": true,
  "unexportable": false,
  "meta": {
    "ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
    "permissions": {
      "DecryptWithKey": [ "CTE Clients" ],
      "EncryptWithKey": [ "CTE Clients" ],
      "ExportKey": [ "CTE Clients" ],
      "MACVerifyWithKey": [ "CTE Clients" ],
      "MACWithKey": [ "CTE Clients" ],
      "ReadKey": [ "CTE Clients" ],
      "SignVerifyWithKey": [ "CTE Clients" ],
      "SignWithKey": [ "CTE Clients" ],
      "UseKey": [ "CTE Clients" ]
    },
    "cte": {
      "persistent_on_client": true,
      "encryption_mode": "XTS",
      "cte_versioned": false
    }
  },
  "xts": true,
  "id": "694bf52e-d0c2-4416-b615-feab9ce27940"
}
Sample for the Transformation Key
{
  "name": "IDT_Policy_Transformation_Key",
  "algorithm": "aes",
  "size": 256,
  "undeletable": true,
  "unexportable": false,
  "meta": {
    "ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
    "permissions": {
      "DecryptWithKey": [ "CTE Clients" ],
      "EncryptWithKey": [ "CTE Clients" ],
      "ExportKey": [ "CTE Clients" ],
      "MACVerifyWithKey": [ "CTE Clients" ],
      "MACWithKey": [ "CTE Clients" ],
      "ReadKey": [ "CTE Clients" ],
      "SignVerifyWithKey": [ "CTE Clients" ],
      "SignWithKey": [ "CTE Clients" ],
      "UseKey": [ "CTE Clients" ]
    },
    "cte": {
      "persistent_on_client": true,
      "encryption_mode": "XTS",
      "cte_versioned": false
    }
  },
  "xts": true,
  "id": "d32d1b65-5a09-403e-921d-8d1c8db39a75"
}
Deleting CTE Keys
A CTE key cannot be deleted while a policy still references it; remove the key from every policy first.
Membership in the CTE Admins and Key Admins groups is required to delete a CTE key. Note that the samples above create keys with "undeletable": true; such a key must be updated to clear that flag before it can be deleted.
API
/v1/vault/keys2/{id} [DELETE]
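The following is an added example, not code from the page or from the product: a small Python client that builds a keys2 request body for each policy type and key role listed above (standard, LDT current/transformation, COS, IDT current/transformation), checks a key object against those requirements before it is submitted or referenced by a policy, and wraps the POST and DELETE calls from this section. Everything beyond the page is an assumption: the server is reached over HTTPS with a bearer token, the POST reply is JSON carrying the new key's "id", standard and COS policies' single key is modelled under the role name "current_key", and the names POLICY_RULES, build_key_body, check_key_for_policy and CteKeyClient are this example's own.

```python
"""Build, validate, create and delete CTE keys through the keys2 API.
Added example, not the page's or the product's own code; HTTPS with a bearer
token and a JSON reply carrying the new key's "id" are assumptions."""
import json
import ssl
import urllib.error
import urllib.request

KEYS2 = "/v1/vault/keys2/"
CTE_GROUP = "CTE Clients"
REQUIRED_PERMS = ("ReadKey", "ExportKey")
ALL_PERMS = ("DecryptWithKey", "EncryptWithKey", "ExportKey", "MACVerifyWithKey",
             "MACWithKey", "ReadKey", "SignVerifyWithKey", "SignWithKey", "UseKey")
# (policy type, key role) -> (allowed encryption modes, required cte_versioned).
# Standard and COS policies carry one key, modelled here as "current_key".
POLICY_RULES = {
    ("standard", "current_key"):   ({"CBC", "CBC_CS1"}, False),
    ("ldt", "current_key"):        ({"CBC", "CBC_CS1"}, False),
    ("ldt", "transformation_key"): ({"CBC", "CBC_CS1"}, True),
    ("cos", "current_key"):        ({"CBC_CS1"}, False),
    ("idt", "current_key"):        ({"XTS"}, False),
    ("idt", "transformation_key"): ({"XTS"}, False),
}


def build_key_body(name, policy_type, role="current_key", encryption_mode=None,
                   owner_id=None, persistent_on_client=True):
    """Return a keys2 POST body shaped like the samples on this page."""
    try:
        modes, versioned = POLICY_RULES[(policy_type, role)]
    except KeyError:
        raise ValueError(f"{policy_type} policies have no {role}") from None
    mode = encryption_mode or min(modes)  # "CBC" before "CBC_CS1"; "XTS" alone
    if mode not in modes:
        raise ValueError(f"{policy_type}/{role} does not allow {mode}")
    meta = {"permissions": {p: [CTE_GROUP] for p in ALL_PERMS},
            "cte": {"persistent_on_client": persistent_on_client,
                    "encryption_mode": mode, "cte_versioned": versioned}}
    if owner_id:
        meta["ownerId"] = owner_id
    # "xts" is false for CBC and true for CBC_CS1/XTS keys, as in the samples.
    return {"name": name, "algorithm": "aes", "size": 256, "undeletable": True,
            "unexportable": False, "xts": mode != "CBC", "meta": meta}


def check_key_for_policy(key, policy_type, role="current_key"):
    """List requirement violations of a key object; empty means it fits."""
    modes, versioned = POLICY_RULES[(policy_type, role)]
    meta = key.get("meta") or {}
    cte, perms = meta.get("cte") or {}, meta.get("permissions") or {}
    problems = []
    if key.get("unexportable", False):
        problems.append("key is unexportable")
    for p in REQUIRED_PERMS:
        if CTE_GROUP not in perms.get(p, []):
            problems.append(f"{CTE_GROUP} lacks {p}")
    mode = cte.get("encryption_mode")
    if mode not in modes:
        problems.append(f"encryption_mode {mode!r} not in {sorted(modes)}")
    elif bool(key.get("xts")) != (mode != "CBC"):
        problems.append(f"xts must be {mode != 'CBC'} for {mode}")
    if cte.get("cte_versioned") != versioned:
        problems.append(f"cte_versioned must be {versioned}")
    return problems


class CteKeyClient:
    """Minimal keys2 client; bearer-token auth is this example's assumption."""

    def __init__(self, base_url, token, ca_file=None):
        self.base_url, self.token = base_url.rstrip("/"), token
        self.ctx = ssl.create_default_context(cafile=ca_file)  # verify the server

    def _request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            self.base_url + path, data=data, method=method,
            headers={"Authorization": "Bearer " + self.token, "Accept": "application/json",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def create_key(self, name, policy_type, role="current_key", **kwargs):
        body = build_key_body(name, policy_type, role, **kwargs)
        problems = check_key_for_policy(body, policy_type, role)
        if problems:  # never submit a key the target policy would reject
            raise ValueError("; ".join(problems))
        return self._request("POST", KEYS2, body)

    def delete_key(self, key_id):
        # Deletion is refused for a key a policy still references (and for one
        # still flagged undeletable); report the server's reason, not a bare 4xx.
        try:
            return self._request("DELETE", KEYS2 + key_id)
        except urllib.error.HTTPError as e:
            raise RuntimeError(f"delete {key_id}: HTTP {e.code} {e.read().decode(errors='replace')}") from e
```

Usage: `CteKeyClient("https://cm.example.internal", token).create_key("LDT_transformation_key", "ldt", "transformation_key", owner_id="local|...")` submits a body equivalent to the LDT transformation key sample above and returns the server's JSON. Run `check_key_for_policy` on a key object fetched from keys2 before placing it in a policy's current_key or transformation_key field; the returned list names exactly which requirement (exportability, CTE Clients permissions, encryption mode, versioning, or the xts flag) the key fails.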