Google Cloud EKM UDE APIs
Caution
This feature is a technical preview for evaluation in non-production environments. A technical preview introduces new, incomplete functionality for customer feedback as we work on the feature. Details and functionality are subject to change. This includes API endpoints, UI elements, and CLI commands. We cannot guarantee that data created as part of a technical preview will be retained after the feature is finalized.
Create an EKM UDE Endpoint
Use POST for /v1/cckm/ekm-e2e/endpoints
to create a new EKM UDE endpoint. Specify a unique name for the EKM UDE Endpoint.
A Key Encryption Key (KEK) for wrap and unwrap operations is created together with the endpoint.
Syntax
curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/ekm-e2e/endpoints' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "name": "<endpoint_name>",\n "keyURIHostname": "<ciphertrust_fqdn>",\n "meta": {\n "<key>": "<value>"\n },\n "coCoRequiredForEncrypt": <boolean>,\n "coCoRequiredForDecrypt": <boolean>\n}' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
name | string | Unique name for EKM UDE Endpoint. |
keyURIHostname | string | Base URL hostname for the KeyURI. |
coCoRequiredForEncrypt | boolean | Whether a confidential VM (with valid attestation) is required for encryption. |
coCoRequiredForDecrypt | boolean | Whether a confidential VM (with valid attestation) is required for decryption. |
meta | JSON | Optional. Additional information associated with this Endpoint. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/ekm-e2e/endpoints' -H 'Authorization: Bearer <AUTHTOKEN>' -H 'Content-Type: application/json' --data-binary $'{\n "name": "ekmudeendpoint_1",\n "keyURIHostname": "ciphertrust.mycompany.com",\n "meta": {\n "color": "blue",\n "size": "big"\n },\n "coCoRequiredForEncrypt": true,\n "coCoRequiredForDecrypt": true\n}' --compressed
Example Response
{
"application/json": {
"id": "04f63144-940c-4c4f-8426-1917b54e0c33",
"uri": "kylo:kylo:cckm:kacls-ekm:ekmudeendpoint-1",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-02-10T00:19:40.321138Z",
"name": "ekmudeendpoint_1",
"updatedAt": "2021-02-10T00:20:25.036189Z",
"keyURIHostname": "ciphertrust.mycompany.com",
"keyURI": "https://ciphertrust.mycompany.com/api/v1/cckm/ekm-e2e/endpoints/626fdff442284cf1ad4b9030c21bfcddb2004e1cfd2b420da7c33d7f50e78c91",
"kekName": "ekmudeendpoint_1",
"kekID": "626fdff442284cf1ad4b9030c21bfcddb2004e1cfd2b420da7c33d7f50e78c91",
"meta": {
"size": "big",
"color": "blue"
},
"enabled": true,
"kekVersion": "0"
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
List All EKM UDE Endpoints
Use GET for /v1/cckm/ekm-e2e/endpoints
to return a list of EKM UDE Endpoints. The results can be filtered using the query parameters.
Syntax
curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/ekm-e2e/endpoints?<query_parameters>' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Query Parameters
Parameter | Type | Description |
---|---|---|
id | string | Filter the result based on EKM UDE endpoint ID. |
name | string | Filter the result based on EKM UDE Endpoint name. |
skip | integer | The index of the first resource to return. Equivalent to 'offset' in SQL. |
limit | integer | The max number of resources to return. Equivalent to 'limit' in SQL. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/ekm-e2e/endpoints?skip=0&limit=10' -H 'Authorization: Bearer <AUTHTOKEN>' --compressed
Example Response
{
"application/json": {
"skip": 0,
"limit": 10,
"total": 1,
"resources": [
{
"id": "04f63144-940c-4c4f-8426-1917b54e0c33",
"uri": "kylo:kylo:cckm:kacls-ekm:ekmudeendpoint-1",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-02-10T00:19:40.321138Z",
"name": "ekmudeendpoint_1",
"updatedAt": "2021-02-10T00:20:25.036189Z",
"keyURIHostname": "ciphertrust.mycompany.com",
"keyURI": "https://ciphertrust.mycompany.com/api/v1/cckm/ekm-e2e/endpoints/626fdff442284cf1ad4b9030c21bfcddb2004e1cfd2b420da7c33d7f50e78c91",
"kekName": "ekmudeendpoint_1",
"kekID": "626fdff442284cf1ad4b9030c21bfcddb2004e1cfd2b420da7c33d7f50e78c91",
"meta": {
"size": "big",
"color": "blue"
},
"enabled": true,
"kekVersion": "0"
}
]
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Viewing Details for an EKM UDE Endpoint
Use GET for /v1/cckm/ekm-e2e/endpoints/{id}
to return the details of the given EKM UDE endpoint.
Syntax
curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/ekm-e2e/endpoints/<ekm_ude_endpoint_id>' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the EKM UDE Endpoint |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/ekm-e2e/endpoints/ekm-test-ude' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MzU4Y2QyMi1lODE5LTRmYjUtODg1Ni02YTI5NTUyYTJhMGMiLCJzdWIiOiJsb2NhbHwwYmIyZWY0ZC1kMGViLTQzNDktOGNkYS1kNDZlZWIyN2Y3NWMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiYjQ5NDY5ZjgtMDJhNi00ZTgxLTliMDEtNGU1MTk2MjA0NzIwIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6Ijc2ZTc1N2JiLWJiYTgtNDJiNy04OTI1LWMwYWFmZTQ0NzNiMSIsImlhdCI6MTYyNjExODk4OCwiZXhwIjoxNjI2MTE5Mjg4fQ.gwvR6t2-E5DFLatL6CdGdJnphDlkHp1Rog9xUlz_DWs' --compressed
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Update An EKM UDE Endpoint
Use PATCH with /v1/cckm/ekm-e2e/endpoints/{id}
to update the endpoint's base hostname or metadata.
Syntax
curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/ekm-e2e/endpoints/<ekm_ude_endpoint_id>' -X PATCH -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "keyURIHostname": "<new_hostname>",\n "meta": {\n "<key>": "<value>"\n }\n}' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the EKM UDE Endpoint |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
keyURIHostname | string | Base URL hostname for the KeyURI. |
meta | JSON | Optional. Additional information associated with this endpoint. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/ekm-e2e/endpoints/ekm-test' -X PATCH -H 'Authorization: Bearer <AUTHTOKEN>' -H 'Content-Type: application/json' --data-binary $'{\n "keyURIHostname": "ciphertrust.newcompany.com"\n}' --compressed
Example Response
{
"application/json": {
"id": "04f63144-940c-4c4f-8426-1917b54e0c33",
"uri": "kylo:kylo:cckm:kacls-ekm:ekmudeendpoint-1",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-02-10T00:19:40.321138Z",
"name": "ekmudeendpoint_1",
"updatedAt": "2021-02-10T00:20:25.036189Z",
"keyURIHostname": "ciphertrust.newcompany.com",
"keyURI": "https://ciphertrust.newcompany.com/api/v1/cckm/ekm-e2e/endpoints/626fdff442284cf1ad4b9030c21bfcddb2004e1cfd2b420da7c33d7f50e78c91",
"kekName": "ekmudeendpoint_1",
"kekID": "626fdff442284cf1ad4b9030c21bfcddb2004e1cfd2b420da7c33d7f50e78c91",
"meta": {
"size": "big",
"color": "yellow"
},
"enabled": true,
"kekVersion": "0"
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Delete An EKM UDE Endpoint
To permanently delete an EKM UDE Endpoint, and therefore the Key Encryption Key (KEK) associated with it, send a DELETE request to /v1/cckm/ekm-e2e/endpoints/{id}
Syntax
curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/ekm-e2e/endpoints/<ekm_ude_endpoint_id>' -X DELETE -H 'Authorization: Bearer AUTHTOKEN' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the EKM UDE Endpoint |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/ekm-e2e/endpoints/ekm-test' -X DELETE -H 'Authorization: Bearer <AUTHTOKEN>' --compressed
Example Response
{
"status": 204
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
List EKM UDE Policies
Use GET with /v1/cckm/ekm-e2e/endpoints/{id}/policies
to list the active policies for an endpoint. The policy language and model are derived from the Open Policy Agent (OPA) policy engine.
Syntax
curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/ekm-e2e/endpoints/<ekm_ude_endpoint_id>/policies' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the EKM UDE Endpoint |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/ekm-e2e/endpoints/ekm-test/policies' -H 'Authorization: Bearer <AUTHTOKEN>' --compressed
Example Response
{
"text/plain": "package example default allow = false allow {\n input.clients == {\"abc@yahoo.com\", \"abc@google.com\", \"abc@msn.com\"}[_]\n input.justificationReason == {\"REASON_UNSPECIFIED\",\"CUSTOMER_INITIATED_SUPPORT\",\"GOOGLE_INITIATED_SERVICE\",\"THIRD_PARTY_DATA_REQUEST\",\n\"GOOGLE_INITIATED_REVIEW\",\"CUSTOMER_INITIATED_ACCESS\",\"GOOGLE_INITIATED_SYSTEM_OPERATION\",\"REASON_NOT_EXPECTED\",\"MODIFIED_CUSTOMER_INITIATED_ACCESS\"}[_] }\n"
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Update EKM UDE Policies
Use PATCH with /v1/cckm/ekm-e2e/endpoints/{id}/policies
to edit the active policies for an endpoint. The policy language and model are derived from the Open Policy Agent (OPA) policy engine.
Note
The API playground might show an error while entering EKM Policy, but a correct policy code works.
Syntax
curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/ekm-e2e/endpoints/<ekm_ude_endpoint_id>/policies' -X PATCH -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: text/plain' --data-binary '{ "clients" : "<allowed_clients>", "justificationReason" : "<allowed_justification_reasons>" }' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the EKM UDE Endpoint |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
clients | string | Clients permitted to access the endpoint. |
justificationReason | string | Justification reasons required in the request to wrap or unwrap with the endpoint. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/ekm-e2e/endpoints/ekm-test/policies' -X PATCH -H 'Authorization: Bearer <AUTHTOKEN>' -H 'Content-Type: text/plain' --data-binary '{ "clients" : "abc@yahoo.com", "justificationReason" : "REASON_UNSPECIFIED" }' --compressed
Example Response
{
"text/plain": "package example default allow = false allow {\n input.clients == {\"abc@yahoo.com\"}[_]\n input.justificationReason == {\"REASON_UNSPECIFIED\"}[_] }\n"
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
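The policy body returned by GET and PATCH on /policies is plain text in an OPA-derived syntax, and the PATCH body is a pair of strings. The following Python is an added example, not CipherTrust code and not from this page: it parses the two rules out of a returned policy body, evaluates a client/reason pair the way the Rego rule above does (default deny; allow only when both the client and the justification reason match), and validates a PATCH body before it is sent so that a misspelled reason is rejected locally instead of being written into a policy that never matches a real request. The sample policy text is a copy of the page's GET example response; the single-value PATCH body mirrors the page's PATCH example; the regex and the helper names are this example's own.

```python
import re

# Key Access Justification reasons, as enumerated in the policy text returned on this page.
KAJ_REASONS = frozenset({
    "REASON_UNSPECIFIED", "CUSTOMER_INITIATED_SUPPORT", "GOOGLE_INITIATED_SERVICE",
    "THIRD_PARTY_DATA_REQUEST", "GOOGLE_INITIATED_REVIEW", "CUSTOMER_INITIATED_ACCESS",
    "GOOGLE_INITIATED_SYSTEM_OPERATION", "REASON_NOT_EXPECTED",
    "MODIFIED_CUSTOMER_INITIATED_ACCESS",
})

# Copy of the text/plain body the page shows for GET .../policies (constructed sample).
SAMPLE_POLICY_TEXT = (
    'package example default allow = false allow {\n'
    ' input.clients == {"abc@yahoo.com", "abc@google.com", "abc@msn.com"}[_]\n'
    ' input.justificationReason == {"REASON_UNSPECIFIED","CUSTOMER_INITIATED_SUPPORT",'
    '"GOOGLE_INITIATED_SERVICE","THIRD_PARTY_DATA_REQUEST",\n"GOOGLE_INITIATED_REVIEW",'
    '"CUSTOMER_INITIATED_ACCESS","GOOGLE_INITIATED_SYSTEM_OPERATION","REASON_NOT_EXPECTED",'
    '"MODIFIED_CUSTOMER_INITIATED_ACCESS"}[_] }\n'
)

# One rule of the form:  input.<field> == {"a","b"}[_]   (set literal may span lines)
_RULE = re.compile(r'input\.(\w+)\s*==\s*\{([^}]*)\}\[_\]')


def parse_policy(text):
    """Extract the allowed-value sets from a returned policy body.

    Returns {"clients": set, "justificationReason": set}. A body without both
    rules raises, so a malformed policy is never silently read as allow-all
    or deny-all by the caller.
    """
    rules = {}
    for field, body in _RULE.findall(text):
        rules[field] = {v.strip().strip('"') for v in body.split(",") if v.strip()}
    for required in ("clients", "justificationReason"):
        if required not in rules:
            raise ValueError(f"policy has no rule for input.{required}")
    return rules


def evaluate(rules, client, reason):
    """Mirror the Rego semantics: default deny, allow only when both rules hold."""
    return client in rules["clients"] and reason in rules["justificationReason"]


def build_policy_update(client, reason):
    """Validate and build the PATCH body (single client, single reason, as on the page)."""
    if not client:
        raise ValueError("a client must be specified")
    if reason not in KAJ_REASONS:
        raise ValueError(f"unknown justification reason: {reason!r}")
    return {"clients": client, "justificationReason": reason}


if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY_TEXT)
    print(sorted(rules["clients"]))
    print(evaluate(rules, "abc@yahoo.com", "CUSTOMER_INITIATED_ACCESS"))
    print(build_policy_update("abc@yahoo.com", "REASON_UNSPECIFIED"))
```

Running the script prints the three allowed clients from the sample policy, `True` for an allowed client/reason pair, and the PATCH body for the page's example update.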
Rotate An EKM UDE Endpoint
Use POST with /v1/cckm/ekm-e2e/endpoints/{id}/rotate
to add a new key version with new key material to the endpoint's KEK. The Key URI remains the same.
Syntax
curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/ekm-e2e/endpoints/<ekm_ude_endpoint_id>/rotate' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the EKM UDE Endpoint |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/ekm-e2e/endpoints/ekm-test/rotate' -X POST -H 'Authorization: Bearer <AUTHTOKEN>' --compressed
Example Response
{
"application/json": {
"id": "04f63144-940c-4c4f-8426-1917b54e0c33",
"uri": "kylo:kylo:cckm:kacls-ekm:ekmudeendpoint-1",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-02-10T00:19:40.321138Z",
"name": "ekmudeendpoint_1",
"updatedAt": "2021-02-10T00:20:25.036189Z",
"keyURIHostname": "ciphertrust.mycompany.com",
"keyURI": "https://ciphertrust.mycompany.com/api/v1/cckm/ekm-e2e/endpoints/626fdff442284cf1ad4b9030c21bfcddb2004e1cfd2b420da7c33d7f50e78c91",
"kekName": "ekmudeendpoint_1",
"kekID": "626fdff442284cf1ad4b9030c21bfcddb2004e1cfd2b420da7c33d7f50e78c91",
"meta": {
"size": "big",
"color": "blue"
},
"enabled": true,
"kekVersion": "1"
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Enable an EKM UDE Endpoint
Use POST with /v1/cckm/ekm-e2e/endpoints/{id}/enable
to allow wrap and unwrap operations using the EKM UDE endpoint.
Syntax
curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/ekm-e2e/endpoints/<ekm_ude_endpoint_id>/enable' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the EKM UDE Endpoint |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/ekm-e2e/endpoints/ekm-test/enable' -X POST -H 'Authorization: Bearer <AUTHTOKEN>' --compressed
Example Response
{
"application/json": {
"id": "04f63144-940c-4c4f-8426-1917b54e0c33",
"uri": "kylo:kylo:cckm:kacls-ekm:ekmudeendpoint-1",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-02-10T00:19:40.321138Z",
"name": "ekmudeendpoint_1",
"updatedAt": "2021-02-10T00:20:25.036189Z",
"keyURIHostname": "ciphertrust.mycompany.com",
"keyURI": "https://ciphertrust.mycompany.com/api/v1/cckm/ekm-e2e/endpoints/626fdff442284cf1ad4b9030c21bfcddb2004e1cfd2b420da7c33d7f50e78c91",
"kekName": "ekmudeendpoint_1",
"kekID": "626fdff442284cf1ad4b9030c21bfcddb2004e1cfd2b420da7c33d7f50e78c91",
"meta": {
"size": "big",
"color": "blue"
},
"enabled": true,
"kekVersion": "0"
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Disable an EKM UDE Endpoint
Use POST with /v1/cckm/ekm-e2e/endpoints/{id}/disable
to disallow wrap and unwrap operations using the EKM UDE endpoint. This is a way to temporarily suspend client operations with an endpoint without deleting it and its associated KEK.
Syntax
curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/ekm-e2e/endpoints/<ekm_ude_endpoint_id>/disable' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the EKM UDE Endpoint |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/ekm-e2e/endpoints/ekm-test/disable' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MzU4Y2QyMi1lODE5LTRmYjUtODg1Ni02YTI5NTUyYTJhMGMiLCJzdWIiOiJsb2NhbHwwYmIyZWY0ZC1kMGViLTQzNDktOGNkYS1kNDZlZWIyN2Y3NWMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiODA1NzZkODgtMjFhNy00ZmY4LThmZWYtN2IyY2JlZWRkYjE4Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6Ijg0M2I0Njc0LWJlZWQtNDFjNS04YjgxLWUyNzBhYzI1ZTU3ZiIsImlhdCI6MTYyNjE4MTEwNywiZXhwIjoxNjI2MTgxNDA3fQ.3nG8PoPEWOagovTpM8LVk90BxU-jgiVqaqMo0d1OcXA' --compressed
Example Response
{
"application/json": {
"id": "04f63144-940c-4c4f-8426-1917b54e0c33",
"uri": "kylo:kylo:cckm:kacls-ekm:ekmudeendpoint-1",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-02-10T00:19:40.321138Z",
"name": "ekmudeendpoint_1",
"updatedAt": "2021-02-10T00:20:25.036189Z",
"keyURIHostname": "ciphertrust.mycompany.com",
"keyURI": "https://ciphertrust.mycompany.com/api/v1/cckm/ekm-e2e/endpoints/626fdff442284cf1ad4b9030c21bfcddb2004e1cfd2b420da7c33d7f50e78c91",
"kekName": "ekmudeendpoint_1",
"kekID": "626fdff442284cf1ad4b9030c21bfcddb2004e1cfd2b420da7c33d7f50e78c91",
"meta": {
"size": "big",
"color": "blue"
},
"enabled": false,
"kekVersion": "0"
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
EKM UDE Session
The EKM UDE API contains a set of Session
endpoints, which establish a secure TLS 1.3 session between the Google-provided integration component and CipherTrust Manager, with Google acting as the TLS client and CipherTrust Manager acting as the TLS server.
Note
As this sequence is a TLS exchange most appropriate for TLS clients, we do not provide curl example requests and responses.
The sequence for the session endpoints is: session/beginsession, session/handshake, session/negotiateattestation, session/finalize and session/endsession.
Begin an EKM UDE Session
Use POST with /v1/cckm/ekm-e2e/session/beginsession
to initiate an encapsulated TLS 1.3 session. A server session is created in CipherTrust Manager and the encapsulated first TLS message from the client is processed. A unique session ID is created and returned; it accompanies all further uses of this session.
Request Parameters
Parameter | Type | Description |
---|---|---|
tlsRecords | string | Serialized message to begin a TLS handshake. |
Response Elements
Element | Type | Description |
---|---|---|
sessionContext | string | Information associated with the session including session ID. |
tlsRecords | string | Serialized response. |
Complete the EKM UDE Session Handshake
Use POST with /v1/cckm/ekm-e2e/session/handshake
to complete the encapsulated TLS handshake. All subsequent messages using the established session are encrypted.
Request Parameters
Parameter | Type | Description |
---|---|---|
tlsRecords | string | Result from /v1/cckm/ekm-e2e/session/beginsession |
sessionContext | string | Result from /v1/cckm/ekm-e2e/session/beginsession |
Response Elements
Empty JSON object.
Negotiate Attestation for an EKM UDE Session
Use POST with /v1/cckm/ekm-e2e/session/negotiateattestation
to perform EKM UDE attestation negotiation. The client presents the set of attestation options it is willing or capable of providing (NONE, TPM, TCG_LOG) and the server determines acceptability. The server responds with the subset of attestation options which must be provided for this session, or an error if no acceptable combination is possible.
Request Parameters
Parameter | Type | Description |
---|---|---|
sessionContext | string | Result from /v1/cckm/ekm-e2e/session/beginsession |
offeredEvidenceTypeRecords | string | Set of attestation options the client can provide. |
Response Elements
Element | Type | Description |
---|---|---|
requiredEvidenceTypeRecords | string | Set of attestation options the server requires. |
Finalize an EKM UDE Session
Use POST with /v1/cckm/ekm-e2e/session/finalize
to finalize an EKM UDE session. Attestation evidence (if any) is presented for this session. This is evaluated and also compared with the attestation(s) required in /negotiateattestation. If acceptable, the session is associated with the attributes conveyed by these attestations.
Request Parameters
Parameter | Type | Description |
---|---|---|
sessionContext | string | Information associated with the session including session ID. |
attestationEvidenceRecords | string | Attestation evidence, if present. |
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
End an EKM UDE Session
Use POST with /v1/cckm/ekm-e2e/session/endsession
to destroy an EKM UDE session.
Request Parameters
Parameter | Type | Description |
---|---|---|
sessionContext | string | Information associated with the session including session ID. |
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
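The five session calls form an ordered sequence, and a confidential wrap or unwrap is only meaningful once /session/finalize has accepted the attestation evidence. The Python below is an added example, not code from CipherTrust or Google: it models the server side of that sequence, enforcing the call order, the negotiation rule stated above (the server answers with the subset of offered evidence types it requires, or an error when no acceptable combination exists) and the finalize check (the presented evidence must cover everything that was negotiated, and only then are the attested attributes bound to the session). The `required` set given to a session is an assumption of the example; the page does not say how an endpoint's coCoRequiredForEncrypt/Decrypt flags map to evidence types. The evidence dictionaries and attribute names are constructed for illustration.

```python
from enum import Enum

# Evidence types named on this page for /session/negotiateattestation.
EVIDENCE_TYPES = frozenset({"NONE", "TPM", "TCG_LOG"})


class SessionState(Enum):
    NEW = "new"
    BEGUN = "begun"            # after /session/beginsession
    HANDSHAKEN = "handshaken"  # after /session/handshake
    NEGOTIATED = "negotiated"  # after /session/negotiateattestation
    FINALIZED = "finalized"    # after /session/finalize; confidential ops allowed
    ENDED = "ended"            # after /session/endsession


class SessionError(Exception):
    """Raised for out-of-order calls and unsatisfiable attestation requirements."""


class UdeSession:
    """Server-side view of one EKM UDE session (illustrative model, not the product's code).

    `required` is the set of evidence types this endpoint demands. How that set is
    derived from the endpoint's coCoRequired* flags is not stated on the page, so
    it is simply a constructor argument here.
    """

    def __init__(self, session_id, required):
        unknown = set(required) - EVIDENCE_TYPES
        if unknown:
            raise ValueError(f"unknown evidence type(s): {sorted(unknown)}")
        self.session_id = session_id
        self.required = frozenset(required)
        self.state = SessionState.NEW
        self.attributes = {}

    def _expect(self, state, step):
        if self.state is not state:
            raise SessionError(f"{step} called in state {self.state.value}, "
                               f"expected {state.value}")

    def begin(self):
        self._expect(SessionState.NEW, "beginsession")
        self.state = SessionState.BEGUN
        return {"sessionContext": {"sessionId": self.session_id}}

    def handshake(self):
        self._expect(SessionState.BEGUN, "handshake")
        self.state = SessionState.HANDSHAKEN
        return {}  # the page documents an empty JSON object here

    def negotiate_attestation(self, offered):
        """Return the subset of the offered evidence types that must be provided."""
        self._expect(SessionState.HANDSHAKEN, "negotiateattestation")
        offered = frozenset(offered)
        if not offered <= EVIDENCE_TYPES:
            raise SessionError(f"unknown offered evidence: {sorted(offered - EVIDENCE_TYPES)}")
        if not self.required <= offered:
            raise SessionError(f"client cannot provide {sorted(self.required - offered)}")
        self.state = SessionState.NEGOTIATED
        return {"requiredEvidenceTypeRecords": sorted(self.required)}

    def finalize(self, evidence):
        """`evidence` maps evidence type -> verified attributes (constructed shape).

        Every negotiated type except NONE must be present; attributes from
        evidence that was not required are ignored rather than trusted.
        """
        self._expect(SessionState.NEGOTIATED, "finalize")
        missing = (self.required - {"NONE"}) - set(evidence)
        if missing:
            raise SessionError(f"missing evidence: {sorted(missing)}")
        for kind, attrs in evidence.items():
            if kind in self.required:
                self.attributes.update(attrs)
        self.state = SessionState.FINALIZED
        return dict(self.attributes)

    def confidential_operation_allowed(self):
        """Gate for :confidentialwrap / :confidentialunwrap on this session."""
        return self.state is SessionState.FINALIZED

    def end(self):
        self.state = SessionState.ENDED
        self.attributes.clear()
```

A session that skips a step, or a client that cannot offer what the endpoint requires, fails before any key material is touched; a policy check for a confidential operation would consult `confidential_operation_allowed()` and the bound `attributes`.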
Perform a Confidential Wrap
Use POST with /v1/cckm/ekm-e2e/endpoints/{id}:confidentialwrap
to perform a confidential wrap. A confidential wrap is an EKM wrap requiring the use of a secure session and involving a policy enforcement check against the requirements for the endpoint (i.e. the level of attestation required).
Syntax
curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/ekm-e2e/endpoints/<ekm_ude_endpoint_id>:confidentialwrap' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the EKM UDE Endpoint |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/ekm-e2e/endpoints/ekm-test:confidentialwrap' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MzU4Y2QyMi1lODE5LTRmYjUtODg1Ni02YTI5NTUyYTJhMGMiLCJzdWIiOiJsb2NhbHwwYmIyZWY0ZC1kMGViLTQzNDktOGNkYS1kNDZlZWIyN2Y3NWMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiODA1NzZkODgtMjFhNy00ZmY4LThmZWYtN2IyY2JlZWRkYjE4Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6Ijg0M2I0Njc0LWJlZWQtNDFjNS04YjgxLWUyNzBhYzI1ZTU3ZiIsImlhdCI6MTYyNjE4MTEwNywiZXhwIjoxNjI2MTgxNDA3fQ.3nG8PoPEWOagovTpM8LVk90BxU-jgiVqaqMo0d1OcXA' --compressed
Example Response
{
"status": 204
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Perform a Confidential Unwrap
Use POST with /v1/cckm/ekm-e2e/endpoints/{id}:confidentialunwrap
to perform a confidential unwrap. A confidential unwrap is an EKM unwrap requiring the use of a secure session and involving a policy enforcement check against the requirements for the endpoint (i.e. the level of attestation required).
Syntax
curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/ekm-e2e/endpoints/<ekm_ude_endpoint_id>:confidentialunwrap' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the EKM UDE Endpoint |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/ekm-e2e/endpoints/ekm-test:confidentialunwrap' -X POST -H 'Authorization: Bearer <AUTHTOKEN>' --compressed
Example Response
{
"status": 204
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Wrap with an EKM UDE Endpoint
Use POST with /v1/cckm/ekm-e2e/endpoints/{id}:wrap
to perform a wrap operation with the EKM UDE endpoint. This operation is used only for health checks.
Specify the following details:
A JWT asserting that the wrap operation is performed by a legitimate user.
The base64 blob that needs to be wrapped.
Additional context containing Key Access Justification details.
Syntax
curl --location --request POST 'https://<ciphertrust_fqdn>/api/v1/cckm/ekm-e2e/endpoints/<ekm_ude_endpoint_id>:wrap' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <GOOGLE_TOKEN>' \
--data-raw '{
"plaintext": "SGVsbG8gISBob3cgYXJlIHlvdSA/",
"additionalContext":
{
"accessReasonContext":
{
"reason": "CUSTOMER_INITIATED_ACCESS"
},
"relativeResourceName": "projects/demo-proj/locations/us/keyRings/demo-key-ring/cryptoKeys/demo-1/cryptoKeyVersions/16"
}
}'
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the EKM UDE Endpoint |
Request Parameters
Parameter | Type | Description |
---|---|---|
GOOGLE_TOKEN | string | Authorization Token |
plaintext | string | Required. The data to be wrapped (base64 encoded). Must be no larger than 64KiB. |
additionalAuthenticatedData | string | Optional data that, if specified, must also be provided during unwrap. The AAD must be no larger than 64KiB. |
additionalContext | JSON | More context provided during Wrap operation. Required if Key Access Justification is enabled for GCP project. See Wrap additionalContext Parameters for allowed values. |
Wrap additionalContext parameters
Parameter | Type | Description |
---|---|---|
accessReasonContext | JSON | Optional. A request with an empty accessReasonContext is a valid request. |
reason | string | Key Access Justification reason. Required if Key Access Justification is enabled for GCP project. |
fullResourceName | string | The full resource name for the GCP resource being directly wrapped by the KEK. This is also known as the Cloud KMS CryptoKey resource. See |
isKeyHealthCheck | boolean | Optional. Whether the request is a key health check that contains a canonical plaintext or its encryption instead of customer data. |
relativeResourceName | string | Optional. The relative resource name for the GCP resource being directly wrapped by the KEK. This is also known as the Cloud KMS CryptoKey resource. See |
Example Request
curl --location --request POST 'https://ciphertrust.mycompany.com/api/v1/cckm/ekm-e2e/endpoints/ekm-test:wrap' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <GOOGLE_TOKEN>' \
--data-raw '{
"plaintext": "SGVsbG8gISBob3cgYXJlIHlvdSA/",
"additionalContext":
{
"accessReasonContext":
{
"reason": "CUSTOMER_INITIATED_ACCESS"
},
"relativeResourceName": "projects/demo-proj/locations/us/keyRings/demo-key-ring/cryptoKeys/demo-1/cryptoKeyVersions/16"
}
}'
Example Response
{
"application/json": {
"wrappedBlob": "ZXlKM2NtRndjR1ZrWDJKc2IySWlPaUpCZW5Cc1RIQXlPRTh2WkdWd1QzZE1ZVk5zY1hwS1pWWlFTR3R4YVcxMlJXYzVTWFFyY0ZOTlMzWjROaUlzSW10bGExOXBaQ0k2SWpNNVkyWmhaR1EyTnpWa05EUmhPV1k0T0Raa09XSTBNalV3TjJSaU1UUXlZekZrWmpjeU5tTmhPR0ZrTkRGaVltSXhPRGs0T1RJek1UY3pNMlZsTmpnaWZRPT0="
}
}
Unwrap with an EKM UDE Endpoint
Use POST with /v1/cckm/ekm-e2e/endpoints/{id}:unwrap
to perform an unwrap operation with the EKM UDE endpoint. This operation is used only for health checks.
Specify the following details:
A JWT asserting that the unwrap operation is performed by a legitimate user.
The base64 blob that needs to be unwrapped.
Additional context containing Key Access Justification details.
Syntax
curl --location --request POST 'https://<ciphertrust_fqdn>/api/v1/cckm/ekm-e2e/endpoints/<ekm_ude_endpoint_id>:unwrap' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <GOOGLE_TOKEN>' \
--data-raw '{
"wrappedBlob":"ZXlKM2NtRndjR1ZrWDJKc2IySWlPaUpGZVdKVmFYRnZSbGxIV0RsSGIwRXJXRUpuY214alR6WlZkRlpOTkcxemIwY3JWRkp0UW5WcVpWQnJaeUlzSW10bGExOXBaQ0k2SWpBeU5HRTRZV1ppTldSa01qUTFaakU1TlRabU1UTTBNemcwTm1Wa05XSTVZakUwWW1Wak9UTTBabU0yTkdWaE9Ea3pPVE5pWkdJMll6aGxZek16T0RraUxDSnJaV3RmZG1WeWMybHZiaUk2SWpBaUxDSmhaR1JwZEdsdmJtRnNYMkYxZEdobGJuUnBZMkYwWldSZlpHRjBZU0k2Ym5Wc2JDd2lZV0ZrWDJWdVptOXlZMlZrSWpwMGNuVmxmUT09",
"additionalContext":
{
"accessReasonContext":
{
"reason": "CUSTOMER_INITIATED_ACCESS"
},
"relativeResourceName": "projects/demo-proj/locations/us/keyRings/demo-key-ring/cryptoKeys/demo-1/cryptoKeyVersions/16"
}
}'
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the EKM UDE Endpoint |
Request Parameters
Parameter | Type | Description |
---|---|---|
GOOGLE_TOKEN | string | Authorization Token |
additionalAuthenticatedData | string | Must match the data originally supplied in the wrap request. |
additionalContext | JSON | More context provided during the unwrap operation. Required if Key Access Justification is enabled for GCP project. See Unwrap additionalContext Parameters for allowed values. |
wrappedBlob | string | Required. The wrapped data to be unwrapped, originally returned in the wrap request. |
Unwrap additionalContext Parameters
Parameter | Type | Description |
---|---|---|
accessReasonContext | JSON | Optional. A request with an empty accessReasonContext is a valid request. |
reason | string | Key Access Justification reason. Required if Key Access Justification is enabled for GCP project. |
fullResourceName | string | Optional. The full resource name for the GCP resource being directly wrapped by the KEK. This is also known as the Cloud KMS CryptoKey resource. See |
isKeyHealthCheck | boolean | Optional. Whether the request is a key health check that contains a canonical plaintext or its encryption instead of customer data. |
relativeResourceName | string | Optional. The relative resource name for the GCP resource being directly wrapped by the KEK. This is also known as the Cloud KMS CryptoKey resource. See |
Example Request
curl --location --request POST 'https://ciphertrust.mycompany.com/api/v1/cckm/ekm-e2e/endpoints/ekm-test:unwrap' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <GOOGLE_TOKEN>' \
--data-raw '{
"wrappedBlob":"ZXlKM2NtRndjR1ZrWDJKc2IySWlPaUpGZVdKVmFYRnZSbGxIV0RsSGIwRXJXRUpuY214alR6WlZkRlpOTkcxemIwY3JWRkp0UW5WcVpWQnJaeUlzSW10bGExOXBaQ0k2SWpBeU5HRTRZV1ppTldSa01qUTFaakU1TlRabU1UTTBNemcwTm1Wa05XSTVZakUwWW1Wak9UTTBabU0yTkdWaE9Ea3pPVE5pWkdJMll6aGxZek16T0RraUxDSnJaV3RmZG1WeWMybHZiaUk2SWpBaUxDSmhaR1JwZEdsdmJtRnNYMkYxZEdobGJuUnBZMkYwWldSZlpHRjBZU0k2Ym5Wc2JDd2lZV0ZrWDJWdVptOXlZMlZrSWpwMGNuVmxmUT09",
"additionalContext":
{
"accessReasonContext":
{
"reason": "CUSTOMER_INITIATED_ACCESS"
},
"relativeResourceName": "projects/demo-proj/locations/us/keyRings/demo-key-ring/cryptoKeys/demo-1/cryptoKeyVersions/16"
}
}'
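The wrap and unwrap bodies above share the same client-side checks: plaintext and additionalAuthenticatedData are base64 and capped at 64 KiB, the justification reason must be one the policy language knows, AAD given at wrap must be given again at unwrap, and a wrappedBlob should only be handed to :unwrap on the endpoint whose KEK produced it. The Python below is an added example covering both calls; it is not CipherTrust's client code and not from this page. Decoding the wrappedBlob from the page's own wrap example response shows it is base64 of base64-encoded JSON carrying a `kek_id` next to the ciphertext; that layout is observed from the sample, not documented, so the helper uses it only for a consistency check before a request leaves the caller. The function names and the `expected_kek_id` parameter are this example's own; the sample plaintext, resource name and blob are copied from the page.

```python
import base64
import binascii
import json

MAX_PAYLOAD = 64 * 1024  # the page's 64 KiB limit for plaintext and AAD

# Key Access Justification reasons, as enumerated in this page's policy text.
KAJ_REASONS = frozenset({
    "REASON_UNSPECIFIED", "CUSTOMER_INITIATED_SUPPORT", "GOOGLE_INITIATED_SERVICE",
    "THIRD_PARTY_DATA_REQUEST", "GOOGLE_INITIATED_REVIEW", "CUSTOMER_INITIATED_ACCESS",
    "GOOGLE_INITIATED_SYSTEM_OPERATION", "REASON_NOT_EXPECTED",
    "MODIFIED_CUSTOMER_INITIATED_ACCESS",
})

# Values copied from this page's wrap example: the request plaintext, the
# resource name, and the wrappedBlob from the example response.
SAMPLE_PLAINTEXT_B64 = "SGVsbG8gISBob3cgYXJlIHlvdSA/"
SAMPLE_RESOURCE = ("projects/demo-proj/locations/us/keyRings/demo-key-ring/"
                   "cryptoKeys/demo-1/cryptoKeyVersions/16")
SAMPLE_WRAPPED_BLOB = (
    "ZXlKM2NtRndjR1ZrWDJKc2IySWlPaUpCZW5Cc1RIQXlPRTh2WkdWd1QzZE1ZVk5zY1hwS1pWWlFTR3R4"
    "YVcxMlJXYzVTWFFyY0ZOTlMzWjROaUlzSW10bGExOXBaQ0k2SWpNNVkyWmhaR1EyTnpWa05EUmhPV1k0"
    "T0Raa09XSTBNalV3TjJSaU1UUXlZekZrWmpjeU5tTmhPR0ZrTkRGaVltSXhPRGs0T1RJek1UY3pNMlZs"
    "TmpnaWZRPT0="
)


def _check_b64(value, what):
    """Reject non-base64 input and payloads over the documented 64 KiB limit."""
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"{what} is not valid base64: {exc}") from exc
    if len(raw) > MAX_PAYLOAD:
        raise ValueError(f"{what} is {len(raw)} bytes; limit is {MAX_PAYLOAD}")
    return raw


def additional_context(reason, relative_resource_name):
    """Build additionalContext with a validated Key Access Justification reason."""
    if reason not in KAJ_REASONS:
        raise ValueError(f"unknown Key Access Justification reason: {reason!r}")
    return {"accessReasonContext": {"reason": reason},
            "relativeResourceName": relative_resource_name}


def build_wrap_request(plaintext_b64, reason, relative_resource_name, aad_b64=None):
    """Body for POST .../endpoints/{id}:wrap."""
    _check_b64(plaintext_b64, "plaintext")
    body = {"plaintext": plaintext_b64,
            "additionalContext": additional_context(reason, relative_resource_name)}
    if aad_b64 is not None:
        _check_b64(aad_b64, "additionalAuthenticatedData")
        body["additionalAuthenticatedData"] = aad_b64  # must be repeated at unwrap
    return body


def decode_wrapped_blob(wrapped_blob):
    """Decode a wrappedBlob into the record it carries.

    The page's sample decodes as base64(base64(JSON)) with keys wrapped_blob and
    kek_id. That is an observation about the sample, not a documented contract,
    so callers should treat the blob as opaque apart from the kek_id check.
    """
    inner = base64.b64decode(wrapped_blob, validate=True)
    record = json.loads(base64.b64decode(inner, validate=True))
    if "kek_id" not in record:
        raise ValueError("wrappedBlob carries no kek_id")
    return record


def blob_bound_to_kek(wrapped_blob, expected_kek_id):
    """True if the blob names the KEK of the endpoint about to be called."""
    return decode_wrapped_blob(wrapped_blob)["kek_id"] == expected_kek_id


def build_unwrap_request(wrapped_blob, reason, relative_resource_name,
                         expected_kek_id=None, aad_b64=None):
    """Body for POST .../endpoints/{id}:unwrap.

    `expected_kek_id` (this example's addition) refuses a blob wrapped under a
    different endpoint's KEK before the request is sent.
    """
    if expected_kek_id is not None and not blob_bound_to_kek(wrapped_blob, expected_kek_id):
        raise ValueError("wrappedBlob was not produced by the expected KEK")
    body = {"wrappedBlob": wrapped_blob,
            "additionalContext": additional_context(reason, relative_resource_name)}
    if aad_b64 is not None:
        _check_b64(aad_b64, "additionalAuthenticatedData")
        body["additionalAuthenticatedData"] = aad_b64
    return body
```

Pass the endpoint's `kekID` from the create or list response as `expected_kek_id`; a blob returned by a different endpoint then fails locally instead of producing a server-side error after the request has already left the caller.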