Uploading Keys to Azure Key Vault
Use the post /v1/cckm/azure/upload-key API to upload a key created on CipherTrust Manager to the Azure key vault.
Syntax
curl -k '<IP>/api/v1/cckm/azure/upload-key' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "key_name": "<key_name>",\n "local_key_identifier": "<local_key_id>",\n "key_vault": "<key_vault>"\n}' --compressed
Request Parameters
| Parameter | Type | Description | 
|---|---|---|
| AUTHTOKEN | string | Authorization token. | 
| key_name | string | Name of the key on Azure. Key name can only contain alphanumeric characters and dashes. | 
| key_vault | string | Name or ID of the key vault where the key will be uploaded. | 
| azure_param | JSON | Azure key parameters. Refer to Azure Parameters below for details. | 
| local_key_identifier | string | Name or ID of the CipherTrust Manager key to upload. This parameter is mandatory if source_key_tier is local. | 
| luna_key_identifier | string | Name or ID of the HSM Luna key to upload. This parameter is mandatory if source_key_tier is hsm-luna. | 
| dsm_key_identifier | string | Name or ID of the DSM key to upload. This parameter is mandatory if source_key_tier is dsm. | 
| external_cm_key_identifier | string | Name or ID of the external CipherTrust Manager key to upload. This parameter is mandatory if source_key_tier is external-cm. | 
| password | string | PFX password. Specify only if the PFX certificate is provided. | 
| pfx | string | PFX key. Specify a Base64 encoded key. | 
| source_key_tier | string | Tier of the source. Possible options are: • local (default) • pfx • hsm-luna (FM-enabled Luna HSM is not supported as a key source) • dsm • external-cm | 
| dsm_key_identifier | string | ID of the DSM key. This parameter is mandatory if source_key_tier is dsm. | 
| kek_kid | string | ID of the Azure key encryption key. | 
| exportable | boolean | Whether the private key can be exported from Azure. Set to true to allow the key export. Also, specify release_policy. Currently, the exportable parameter is valid only when the Azure vault is a premium vault or a vault stored in an Azure Managed HSM pool. The exportable parameter cannot be modified after key creation. | 
| release_policy | JSON | Policy rules under which the key can be exported. release_policy is mandatory when exportable is set to true. | 
Azure Parameters
| Parameter | Type | Description | 
|---|---|---|
| attributes | JSON | Attributes for the key such as exp, enabled, and nbf. Possible options are: • nbf - Activation date for the key in Unix Epoch time format. • exp - Expiration date for the key in Unix Epoch time format. • enabled - Specify whether the key is enabled or disabled (true/false). | 
| hsm | boolean | Allow key creation in Azure HSM. Set to true to allow, false to deny. | 
| key_ops | array of strings | Cryptographic operations performed by the key. Possible options are: • encrypt • decrypt • sign • verify • wrapKey • unwrapKey | 
| tags | JSON | Optional parameter to add additional information to the key. The value must be specified as the key-value pair. Refer to the following rules on tag values. | 
- CCKM allows the following characters in tag values:
  - Alphanumeric characters
  - Special characters ** ! @ # $ ) ( { } > < ? + - / [ ] ^ & + = | ~ ` ; . ' _ **
- CCKM does not allow colon (:) and percent (%) special characters in tag values. 
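The parameter rules above can be checked on the client before a request is sent. The following is an added example, not part of the CipherTrust Manager documentation or product code; the function name, the sample bodies, and the treatment of key_name and key_vault as required are assumptions.

```python
import re

# Values taken from the parameter tables on this page.
TIER_REQUIRES = {
    "local": "local_key_identifier",
    "hsm-luna": "luna_key_identifier",
    "dsm": "dsm_key_identifier",
    "external-cm": "external_cm_key_identifier",
    "pfx": None,  # the page marks no identifier as mandatory for pfx
}
KEY_OPS = {"encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"}
KEY_NAME_RE = re.compile(r"[A-Za-z0-9-]+")  # assumption: ASCII alphanumerics

def validate_upload_request(body):
    """Return a list of rule violations; an empty list means the body passes."""
    problems = []
    name = body.get("key_name")
    # Assumption: key_name and key_vault are treated as required because the
    # Syntax line always sends them; the table does not say so explicitly.
    if not isinstance(name, str) or not KEY_NAME_RE.fullmatch(name):
        problems.append("key_name must contain only alphanumerics and dashes")
    if not body.get("key_vault"):
        problems.append("key_vault is missing")

    tier = body.get("source_key_tier", "local")  # local is the default
    if tier not in TIER_REQUIRES:
        problems.append(f"unknown source_key_tier: {tier}")
    elif TIER_REQUIRES[tier] and not body.get(TIER_REQUIRES[tier]):
        problems.append(f"{TIER_REQUIRES[tier]} is mandatory for tier {tier}")
    if body.get("password") and not body.get("pfx"):
        problems.append("password given without pfx")
    if body.get("exportable") is True and not body.get("release_policy"):
        problems.append("release_policy is mandatory when exportable is true")

    azure = body.get("azure_param") or {}
    bad_ops = set(azure.get("key_ops", [])) - KEY_OPS
    if bad_ops:
        problems.append(f"unsupported key_ops: {sorted(bad_ops)}")
    for tag, value in (azure.get("tags") or {}).items():
        if ":" in str(value) or "%" in str(value):
            problems.append(f"tag {tag} value contains ':' or '%'")
    return problems

# Constructed sample bodies for illustration.
GOOD = {"key_name": "Uploadtestkey", "key_vault": "example-vault",
        "local_key_identifier": "rsakey"}
BAD = {"key_name": "bad_name", "key_vault": "example-vault",
       "source_key_tier": "dsm", "exportable": True,
       "azure_param": {"key_ops": ["sign", "derive"], "tags": {"env": "a:b"}}}
```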
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/upload-key' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MDIzNTY1Yy0xOWI3LTQyY2UtODZmMi1jNWI3MTA1MTJhZjMiLCJzdWIiOiJsb2NhbHwwMWI4M2EwZS1mY2U1LTQ5MjgtODhiNi0zNTNkMmQ3ZTBiNDMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiZGJlNzU2MWYtZDVhOS00ZGEzLWJiZTEtNjlhMTg0Y2U3YzEzIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImI1ZTYwMjQ5LTI5MTgtNDVlNS04ZTM3LThlMWE3MGEwNjYyYSIsImlhdCI6MTYwMTQ2MTQxNiwiZXhwIjoxNjAxNDYxNzE2fQ.R_iu6Qrh_hwBPylzcqOYYfw37Rgt15JEUFQh149DO2o' -H 'Content-Type: application/json' --data-binary $'{\n "key_name": "Uploadtestkey",\n "local_key_identifier": "rsakey",\n "key_vault": "bedb82b9-582c-402d-9874-f3368722cf46"\n}' --compressed
Example Response
{
    "id": "b3779b0a-09ca-4b2d-b9e6-8947bb5d740f",
    "uri": "kylo:kylo:cckm:azure-key:b3779b0a-09ca-4b2d-b9e6-8947bb5d740f",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2020-09-30T10:24:41.448099979Z",
    "updatedAt": "2020-09-30T10:24:41.446020965Z",
    "key_vault": "keyvault-softkeys::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
    "key_vault_id": "bedb82b9-582c-402d-9874-f3368722cf46",
    "region": "northcentralus",
    "deleted": false,
    "backup_at": "2020-09-30T10:24:41.435775419Z",
    "soft_delete_enabled": true,
    "key_soft_deleted_in_azure": false,
    "status": "ACTIVE",
    "syncedAt": "2020-09-30T10:24:40Z",
    "created_by": "ef767cf9-61dd-4765-a4df-ebd65493c728",
    "modified_by": "ef767cf9-61dd-4765-a4df-ebd65493c728",
    "version": "628cd445146240c3bbd226e3d7ca5c62",
    "key_size": 2048,
    "backup": "c95104adb1684af69b86927cb993a03e905f0462e19d42c5be40778ac993ddc2",
    "key_name": "Uploadtestkey",
    "local_key_id": "c9a282fcae5046509212c0d711efc586d255e78316aa4771b5b126b24df9aae3",
    "local_key_name": "rsakey",
    "cloud_name": "AzureCloud",
    "azure_param": {
        "key": {
            "kid": "https://keyvaultsoftkeys.vault.azure.net/keys/Uploadtestkey/628cd445146240c3bbd226e3d7ca5c62",
            "kty": "RSA",
            "key_ops": [
                "encrypt",
                "decrypt",
                "sign",
                "verify",
                "wrapKey",
                "unwrapKey"
            ],
            "n": "nkxK6mYxOvM_ZQfc1AM2vPxslhg5WYGqaP3CtG9K4c6WEoVsPn_Iijc8bRdU02VjlAmIkRqHMms1_xxCSmy2ZMG91PQGwdrX-TeOa6kLv5b-RCsu_IP46SkDSGOgCpD0-DyfUXnPe3zgIfNOulAvFCy-rKbGmzrTuqCkEcznRHHOLiZRP1M4MF5cHBS33aqKaH5KfKndoF5Qk5PhHrqaxJ9SKBa5NL9ZZzm_DC1J4hnu2HcLVq-5cw1xL--uReyKAKsDjYZcxh6C6A9DuDe10qux1LieWJi7xzDJKbmBNWSTqle92kVOvOSy2jfxTdi721FTQucxs_Sh-lZ2eS4rQ",
            "e": "AAAAAAABAAE"
        },
        "attributes": {
            "recoveryLevel": "CustomizedRecoverable+Purgeable",
            "enabled": true,
            "created": 1601461480,
            "updated": 1601461480
        }
    },
    "azure_created_at": "2020-09-30T10:24:40Z",
    "azure_updated_at": "2020-09-30T10:24:40Z",
    "tenant": "d27d849e-e487-4b0e-a54c-a71e67687d10",
    "meta": {
        "source_key_id": "rsakey"
    },
    "key_material_origin": "cckm",
    "rotated_at": "2020-09-30T10:24:41.435777091Z",
    "gone": false
}
The sample output shows that a key (Uploadtestkey) is created on the Azure vault (bedb82b9-582c-402d-9874-f3368722cf46) and that it uses local key material (c9a282fcae5046509212c0d711efc586d255e78316aa4771b5b126b24df9aae3) created on the CipherTrust Manager. Because the key material is created on the Key Manager, the key material's origin is cckm.
For more information about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
| Response Code | Description | 
|---|---|
| 2xx | Success | 
| 4xx | Client errors | 
| 5xx | Server errors | 
Refer to HTTP status codes for details.