Uploading Keys to Azure Key Vault
Use the POST /v1/cckm/azure/upload-key
API to upload a key created on CipherTrust Manager to an Azure key vault.
Syntax
curl -k '<IP>/api/v1/cckm/azure/upload-key' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "key_name": "<key_name>",\n "local_key_identifier": "<local_key_id>",\n "key_vault": "<key_vault>"\n}' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
key_name | string | Name of the key on Azure. Key name can only contain alphanumeric characters and dashes. |
key_vault | string | Name or ID of the key vault where the key will be uploaded. |
azure_param | JSON | Azure key parameters. Refer to Azure Parameters below for details. |
local_key_identifier | string | Name or ID of the CipherTrust Manager key to upload. This parameter is mandatory if source_key_tier is local . |
luna_key_identifier | string | Name or ID of the HSM Luna key to upload. This parameter is mandatory if source_key_tier is hsm-luna . |
dsm_key_identifier | string | Name or ID of the DSM key to upload. This parameter is mandatory if source_key_tier is dsm . |
external_cm_key_identifier | string | Name or ID of the external CipherTrust Manager key to upload. This parameter is mandatory if source_key_tier is external-cm . |
password | string | PFX password. Specify only if the PFX certificate is provided. |
pfx | string | PFX key. Specify a Base64 encoded key. |
source_key_tier | string | Tier of the source. Possible options are: • local (default) • pfx • hsm-luna (FM-enabled Luna HSM is not supported as a key source) • dsm • external-cm |
kek_kid | string | ID of the Azure key encryption key. |
exportable | boolean | Whether the private key can be exported from Azure. Set to true to allow key export and also specify release_policy . Currently, the exportable parameter is valid only when the Azure vault is a premium vault or a vault stored in an Azure Managed HSM pool. The exportable parameter cannot be modified after key creation. |
release_policy | JSON | Policy rules under which the key can be exported. release_policy is mandatory when exportable is set to true . |
Azure Parameters
Parameter | Type | Description |
---|---|---|
attributes | JSON | Attributes for the key such as exp, enabled, and nbf. Possible options are: • nbf - Activation date for the key in Unix Epoch time format. • exp - Expiration date for the key in Unix Epoch time format. • enabled - Specify whether the key is enabled or disabled (true/false). |
hsm | boolean | Allow key creation in Azure HSM. Set to true to allow, false to deny. |
key_ops | array of strings | Cryptographic operations performed by the key. Possible options are: • encrypt • decrypt • sign • verify • wrapKey • unwrapKey |
tags | JSON | Optional parameter to add additional information to the key. The value must be specified as the key-value pair. Refer to the following rules on tag values. |
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters ** ! @ # $ ) ( { } > < ? + - / [ ] ^ & + = | ~ ` ; . ' _ **
CCKM does not allow colon (:) and percent (%) special characters in tag values.
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/upload-key' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MDIzNTY1Yy0xOWI3LTQyY2UtODZmMi1jNWI3MTA1MTJhZjMiLCJzdWIiOiJsb2NhbHwwMWI4M2EwZS1mY2U1LTQ5MjgtODhiNi0zNTNkMmQ3ZTBiNDMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiZGJlNzU2MWYtZDVhOS00ZGEzLWJiZTEtNjlhMTg0Y2U3YzEzIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImI1ZTYwMjQ5LTI5MTgtNDVlNS04ZTM3LThlMWE3MGEwNjYyYSIsImlhdCI6MTYwMTQ2MTQxNiwiZXhwIjoxNjAxNDYxNzE2fQ.R_iu6Qrh_hwBPylzcqOYYfw37Rgt15JEUFQh149DO2o' -H 'Content-Type: application/json' --data-binary $'{\n "key_name": "Uploadtestkey",\n "local_key_identifier": "rsakey",\n "key_vault": "bedb82b9-582c-402d-9874-f3368722cf46"\n}' --compressed
Example Response
{
"id": "b3779b0a-09ca-4b2d-b9e6-8947bb5d740f",
"uri": "kylo:kylo:cckm:azure-key:b3779b0a-09ca-4b2d-b9e6-8947bb5d740f",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-30T10:24:41.448099979Z",
"updatedAt": "2020-09-30T10:24:41.446020965Z",
"key_vault": "keyvault-softkeys::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"key_vault_id": "bedb82b9-582c-402d-9874-f3368722cf46",
"region": "northcentralus",
"deleted": false,
"backup_at": "2020-09-30T10:24:41.435775419Z",
"soft_delete_enabled": true,
"key_soft_deleted_in_azure": false,
"status": "ACTIVE",
"syncedAt": "2020-09-30T10:24:40Z",
"created_by": "ef767cf9-61dd-4765-a4df-ebd65493c728",
"modified_by": "ef767cf9-61dd-4765-a4df-ebd65493c728",
"version": "628cd445146240c3bbd226e3d7ca5c62",
"key_size": 2048,
"backup": "c95104adb1684af69b86927cb993a03e905f0462e19d42c5be40778ac993ddc2",
"key_name": "Uploadtestkey",
"local_key_id": "c9a282fcae5046509212c0d711efc586d255e78316aa4771b5b126b24df9aae3",
"local_key_name": "rsakey",
"cloud_name": "AzureCloud",
"azure_param": {
"key": {
"kid": "https://keyvaultsoftkeys.vault.azure.net/keys/Uploadtestkey/628cd445146240c3bbd226e3d7ca5c62",
"kty": "RSA",
"key_ops": [
"encrypt",
"decrypt",
"sign",
"verify",
"wrapKey",
"unwrapKey"
],
"n": "nkxK6mYxOvM_ZQfc1AM2vPxslhg5WYGqaP3CtG9K4c6WEoVsPn_Iijc8bRdU02VjlAmIkRqHMms1_xxCSmy2ZMG91PQGwdrX-TeOa6kLv5b-RCsu_IP46SkDSGOgCpD0-DyfUXnPe3zgIfNOulAvFCy-rKbGmzrTuqCkEcznRHHOLiZRP1M4MF5cHBS33aqKaH5KfKndoF5Qk5PhHrqaxJ9SKBa5NL9ZZzm_DC1J4hnu2HcLVq-5cw1xL--uReyKAKsDjYZcxh6C6A9DuDe10qux1LieWJi7xzDJKbmBNWSTqle92kVOvOSy2jfxTdi721FTQucxs_Sh-lZ2eS4rQ",
"e": "AAAAAAABAAE"
},
"attributes": {
"recoveryLevel": "CustomizedRecoverable+Purgeable",
"enabled": true,
"created": 1601461480,
"updated": 1601461480
}
},
"azure_created_at": "2020-09-30T10:24:40Z",
"azure_updated_at": "2020-09-30T10:24:40Z",
"tenant": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"meta": {
"source_key_id": "rsakey"
},
"key_material_origin": "cckm",
"rotated_at": "2020-09-30T10:24:41.435777091Z",
"gone": false
}
The sample output shows that a key (Uploadtestkey) is created in the Azure key vault (bedb82b9-582c-402d-9874-f3368722cf46) and that it uses local key material (c9a282fcae5046509212c0d711efc586d255e78316aa4771b5b126b24df9aae3) created on CipherTrust Manager. Because the key material was created on CipherTrust Manager, the key material's origin (key_material_origin) is cckm.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
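The request-parameter rules above (key name character set, the identifier field that each source_key_tier requires, release_policy being mandatory with exportable, the key_ops list, and the colon/percent restriction on tag values) and the response fields the explanation highlights are brought together in the following added example. It is not CipherTrust Manager's own client code; it assumes only the endpoint, parameter names and response fields documented on this page, and the embedded SAMPLE_RESPONSE is a trimmed copy of the page's example response. The verify_tls=False option mirrors curl -k for lab setups with self-signed certificates and is an assumption about how a caller would want to expose that choice.

```python
"""Build, validate and send a CCKM Azure upload-key request, then read the response."""
import json
import re
import ssl
import urllib.request

# Key names on Azure may contain only alphanumeric characters and dashes.
KEY_NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")
# Which identifier field is mandatory for each documented source_key_tier.
TIER_TO_FIELD = {
    "local": "local_key_identifier",
    "hsm-luna": "luna_key_identifier",
    "dsm": "dsm_key_identifier",
    "external-cm": "external_cm_key_identifier",
    "pfx": "pfx",  # Base64-encoded PFX key material
}
ALLOWED_KEY_OPS = {"encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"}


def validate_upload_body(body):
    """Return the documented rules that the request body violates (empty list means OK)."""
    errors = []
    if not KEY_NAME_RE.match(body.get("key_name", "")):
        errors.append("key_name may contain only alphanumeric characters and dashes")
    tier = body.get("source_key_tier", "local")
    field = TIER_TO_FIELD.get(tier)
    if field is None:
        errors.append(f"unknown source_key_tier {tier!r}")
    elif not body.get(field):
        errors.append(f"{field} is mandatory when source_key_tier is {tier}")
    if body.get("password") and tier != "pfx":
        errors.append("password applies only when a PFX certificate is provided")
    if body.get("exportable") and not body.get("release_policy"):
        errors.append("release_policy is mandatory when exportable is true")
    azure_param = body.get("azure_param", {})
    bad_ops = set(azure_param.get("key_ops", [])) - ALLOWED_KEY_OPS
    if bad_ops:
        errors.append(f"unsupported key_ops: {sorted(bad_ops)}")
    for tag, value in azure_param.get("tags", {}).items():
        if ":" in value or "%" in value:
            errors.append(f"tag {tag!r}: colon and percent are not allowed in tag values")
    return errors


def build_upload_request(key_name, key_vault, source_key, source_key_tier="local",
                         password=None, exportable=None, release_policy=None,
                         key_ops=None, tags=None):
    """Assemble the JSON body for POST /v1/cckm/azure/upload-key and reject rule violations.

    source_key is the CipherTrust Manager, Luna, DSM or external-CM key name or ID,
    or the Base64 PFX for the pfx tier.
    """
    body = {"key_name": key_name, "key_vault": key_vault, "source_key_tier": source_key_tier}
    field = TIER_TO_FIELD.get(source_key_tier)
    if field:
        body[field] = source_key
    if password is not None:
        body["password"] = password
    if exportable is not None:
        body["exportable"] = bool(exportable)
    if release_policy is not None:
        body["release_policy"] = release_policy
    azure_param = {}
    if key_ops is not None:
        azure_param["key_ops"] = list(key_ops)
    if tags is not None:
        azure_param["tags"] = dict(tags)
    if azure_param:
        body["azure_param"] = azure_param
    errors = validate_upload_body(body)
    if errors:
        raise ValueError("; ".join(errors))
    return body


def send_upload_request(host, auth_token, body, verify_tls=True):
    """POST the body to CCKM and return the decoded JSON response (network call)."""
    req = urllib.request.Request(
        f"https://{host}/api/v1/cckm/azure/upload-key",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {auth_token}", "Content-Type": "application/json"},
        method="POST")
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of curl -k; only for lab hosts with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def summarize_response(resp):
    """Pull the fields the page's explanation highlights out of an upload-key response."""
    key = resp["azure_param"]["key"]
    return {
        "key_name": resp["key_name"],
        "key_vault_id": resp["key_vault_id"],
        "local_key_id": resp["local_key_id"],
        "key_material_origin": resp["key_material_origin"],
        "kid": key["kid"],
        "key_ops": key["key_ops"],
        "enabled": resp["azure_param"]["attributes"]["enabled"],
    }


# Trimmed copy of the page's example response, embedded so the example runs offline.
SAMPLE_RESPONSE = {
    "id": "b3779b0a-09ca-4b2d-b9e6-8947bb5d740f",
    "key_vault_id": "bedb82b9-582c-402d-9874-f3368722cf46",
    "key_name": "Uploadtestkey",
    "local_key_id": "c9a282fcae5046509212c0d711efc586d255e78316aa4771b5b126b24df9aae3",
    "local_key_name": "rsakey",
    "azure_param": {
        "key": {
            "kid": "https://keyvaultsoftkeys.vault.azure.net/keys/Uploadtestkey/628cd445146240c3bbd226e3d7ca5c62",
            "kty": "RSA",
            "key_ops": ["encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"],
        },
        "attributes": {"enabled": True, "created": 1601461480, "updated": 1601461480},
    },
    "key_material_origin": "cckm",
}

if __name__ == "__main__":
    body = build_upload_request("Uploadtestkey", "bedb82b9-582c-402d-9874-f3368722cf46", "rsakey",
                                key_ops=["encrypt", "decrypt"], tags={"owner": "keyops-team"})
    print(json.dumps(body, indent=2))
    # send_upload_request("127.0.0.1", "<AUTHTOKEN>", body, verify_tls=False)  # lab call
    print(summarize_response(SAMPLE_RESPONSE))
```

validate_upload_body is kept separate from build_upload_request so that a body assembled elsewhere (for example from a CI pipeline's YAML) can be checked against the same rules before any token is spent on a request that CCKM would reject with a 4xx.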
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.