Creating Keys

This section describes the steps to create an encryption key for use in a CTE policy through the CTE API.

Overview

Keys in a CTE policy must fulfill the following conditions. The keys should:

  • Have the CTE Clients group permissions

  • Have the Key Users group permissions (for ESG GuardPoints only)

  • Be exportable

  • Be versioned or non-versioned, depending on the policy type (see the policy-specific requirements below)

  • Use the "CBC", "CBC_CS1", or "XTS" encryption mode.

    The XTS keys are required for creating ESG GuardPoints with STANDARD and In-place Data Transformation (IDT) policies.

  • Have metadata with the following details:

    {
        "cte": {
            "is_used": <true/false>,
            "cte_versioned": <true/false>,
            "encryption_mode": <"CBC"/"CBC_CS1"/"XTS">,
            "persistent_on_client": <true/false>
        },
        "ownerId": "string",
        "permissions": {
            "ReadKey": [
                "CTE Clients"
            ],
            "ExportKey": [
                "CTE Clients"
            ]
        }
    }
    

CTE supports standard, LDT, COS, and IDT policies. The following subsections list the policy-specific key requirements.

Keys for Standard Policies

  • Standard policies support only non-versioned keys.

  • Keys should have the CTE Clients group access and Key Users group access (for ESG GuardPoints).

  • CTE Clients group should have the Read Key and Export Key permissions.

  • Key Users group should have the Read Key and Export Key permissions (for ESG GuardPoints only).

  • Standard policies support "CBC" / "CBC_CS1" and "XTS" keys. (XTS keys are supported for ESG GuardPoints only.)

API

/v1/vault/keys2/

Sample

{
  "name": "Standard_pol_key",
  "algorithm": "aes",
  "size": 256,
  "undeletable": true,
  "unexportable": false,
  "meta": {
    "ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
    "permissions": {
      "DecryptWithKey": [
        "CTE Clients"
      ],
      "EncryptWithKey": [
        "CTE Clients"
      ],
      "ExportKey": [
        "CTE Clients"
      ],
      "MACVerifyWithKey": [
        "CTE Clients"
      ],
      "MACWithKey": [
        "CTE Clients"
      ],
      "ReadKey": [
        "CTE Clients"
      ],
      "SignVerifyWithKey": [
        "CTE Clients"
      ],
      "SignWithKey": [
        "CTE Clients"
      ],
      "UseKey": [
        "CTE Clients"
      ]
    },
    "cte": {
      "persistent_on_client": true,
      "encryption_mode": "CBC",
      "cte_versioned": false
    }
  },
  "xts": false
}

Keys for LDT Policies

  • LDT policies support only "CBC" and "CBC_CS1" keys.

  • Keys should have the CTE Clients group access.

  • CTE Clients group should have the Read Key and Export Key permissions.

  • LDT policies support only non-versioned keys in the "current_key" field.

  • LDT policies support only versioned keys in the "transformation_key" field.

API

/v1/vault/keys2/

Sample

Samples for the current key and the transformation key follow.

Sample for the Current Key

{
  "name": "LDT_Current_Key",
  "algorithm": "aes",
  "size": 256,
  "undeletable": true,
  "unexportable": false,
  "meta": {
    "ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
    "permissions": {
      "DecryptWithKey": [
        "CTE Clients"
      ],
      "EncryptWithKey": [
        "CTE Clients"
      ],
      "ExportKey": [
        "CTE Clients"
      ],
      "MACVerifyWithKey": [
        "CTE Clients"
      ],
      "MACWithKey": [
        "CTE Clients"
      ],
      "ReadKey": [
        "CTE Clients"
      ],
      "SignVerifyWithKey": [
        "CTE Clients"
      ],
      "SignWithKey": [
        "CTE Clients"
      ],
      "UseKey": [
        "CTE Clients"
      ]
    },
    "cte": {
      "persistent_on_client": true,
      "encryption_mode": "CBC",
      "cte_versioned": false
    }
  },
  "xts": false
}

Sample for the Transformation Key

{
  "name": "LDT_transformation_key",
  "algorithm": "aes",
  "size": 256,
  "undeletable": true,
  "unexportable": false,
  "meta": {
    "ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
    "permissions": {
      "DecryptWithKey": [
        "CTE Clients"
      ],
      "EncryptWithKey": [
        "CTE Clients"
      ],
      "ExportKey": [
        "CTE Clients"
      ],
      "MACVerifyWithKey": [
        "CTE Clients"
      ],
      "MACWithKey": [
        "CTE Clients"
      ],
      "ReadKey": [
        "CTE Clients"
      ],
      "SignVerifyWithKey": [
        "CTE Clients"
      ],
      "SignWithKey": [
        "CTE Clients"
      ],
      "UseKey": [
        "CTE Clients"
      ]
    },
    "cte": {
      "persistent_on_client": true,
      "encryption_mode": "CBC",
      "cte_versioned": true
    }
  },
  "xts": false
}

Keys for COS Policies

  • Keys should have the CTE Clients group access.

  • CTE Clients group should have the Read Key and Export Key permissions.

  • COS policies support only non-versioned keys.

  • COS policies support only "CBC_CS1" keys.

API

/v1/vault/keys2/

Sample

{
  "name": "COS_Key",
  "algorithm": "aes",
  "size": 256,
  "undeletable": true,
  "unexportable": false,
  "meta": {
    "ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
    "permissions": {
      "DecryptWithKey": [
        "CTE Clients"
      ],
      "EncryptWithKey": [
        "CTE Clients"
      ],
      "ExportKey": [
        "CTE Clients"
      ],
      "MACVerifyWithKey": [
        "CTE Clients"
      ],
      "MACWithKey": [
        "CTE Clients"
      ],
      "ReadKey": [
        "CTE Clients"
      ],
      "SignVerifyWithKey": [
        "CTE Clients"
      ],
      "SignWithKey": [
        "CTE Clients"
      ],
      "UseKey": [
        "CTE Clients"
      ]
    },
    "cte": {
      "persistent_on_client": true,
      "encryption_mode": "CBC_CS1",
      "cte_versioned": false
    }
  },
  "xts": true
}

Keys for IDT Policies

  • Keys should have the CTE Clients group access and Key Users group access (for ESG GuardPoints).

  • CTE Clients group and Key Users group should have the Read Key and Export Key permissions.

  • IDT policies support only the "XTS" encryption mode.

  • IDT policies support only non-versioned keys in the "current_key" and "transformation_key" fields.

  • IDT policies are used for Efficient Storage array devices and IDT-capable devices.

  • ESG GuardPoints can be applied using IDT policies and Standard policies (using KMIP keys).

API

/v1/vault/keys2/

Sample

Samples for the current key and the transformation key follow.

Sample for the Current Key

{
  "name": "IDT_Policy_Current_key",
  "algorithm": "aes",
  "size": 256,
  "undeletable": true,
  "unexportable": false,
  "meta": {
    "ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
    "permissions": {
      "DecryptWithKey": [
        "CTE Clients"
      ],
      "EncryptWithKey": [
        "CTE Clients"
      ],
      "ExportKey": [
        "CTE Clients",
        "Key Users"
      ],
      "MACVerifyWithKey": [
        "CTE Clients"
      ],
      "MACWithKey": [
        "CTE Clients"
      ],
      "ReadKey": [
        "CTE Clients",
        "Key Users"
      ],
      "SignVerifyWithKey": [
        "CTE Clients"
      ],
      "SignWithKey": [
        "CTE Clients"
      ],
      "UseKey": [
        "CTE Clients"
      ]
    },
    "cte": {
      "persistent_on_client": true,
      "encryption_mode": "XTS",
      "cte_versioned": false
    }
  },
  "xts": true,
  "id": "694bf52e-d0c2-4416-b615-feab9ce27940",
  "uuid": "694bf52e-d0c2-4416-b615-feab9ce27940"
}

Sample for the Transformation Key

{
  "name": "IDT_Policy_Transformation_Key",
  "algorithm": "aes",
  "size": 256,
  "undeletable": true,
  "unexportable": false,
  "meta": {
    "ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
    "permissions": {
      "DecryptWithKey": [
        "CTE Clients"
      ],
      "EncryptWithKey": [
        "CTE Clients"
      ],
      "ExportKey": [
        "CTE Clients",
        "Key Users"
      ],
      "MACVerifyWithKey": [
        "CTE Clients"
      ],
      "MACWithKey": [
        "CTE Clients"
      ],
      "ReadKey": [
        "CTE Clients",
        "Key Users"
      ],
      "SignVerifyWithKey": [
        "CTE Clients"
      ],
      "SignWithKey": [
        "CTE Clients"
      ],
      "UseKey": [
        "CTE Clients"
      ]
    },
    "cte": {
      "persistent_on_client": true,
      "encryption_mode": "XTS",
      "cte_versioned": false
    }
  },
  "xts": true,
  "id": "d32d1b65-5a09-403e-921d-8d1c8db39a75",
  "uuid": "d32d1b65-5a09-403e-921d-8d1c8db39a75"
}
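The following Python script is an added example, not code from the Thales documentation or from the product. It builds a /v1/vault/keys2/ request body in the shape of the samples above for any of the four policy types and either key field, and checks the body against the requirements listed in this section before it is sent, so that a key that is marked unexportable, uses a mode the policy does not accept, is versioned for the wrong field, or lacks the Read Key and Export Key permissions for the CTE Clients (and, for ESG GuardPoints, Key Users) group is rejected locally instead of at policy creation time. It generalizes across all policy types rather than reproducing one sample. The owner id is a placeholder, and the rule that CBC_CS1 and XTS keys carry "xts": true is inferred from the COS and IDT samples rather than stated in the text.

```python
"""Build and pre-check CTE key-creation bodies for /v1/vault/keys2/.

Added example; the body shape follows the samples in this section.
"""
import json

CTE_CLIENTS = "CTE Clients"
KEY_USERS = "Key Users"
REQUIRED_PERMS = ("ReadKey", "ExportKey")

# Encryption modes each policy type accepts (from the requirement lists above).
ALLOWED_MODES = {
    "standard": {"CBC", "CBC_CS1", "XTS"},  # XTS only with ESG GuardPoints
    "ldt": {"CBC", "CBC_CS1"},
    "cos": {"CBC_CS1"},
    "idt": {"XTS"},
}

# Required cte_versioned value per (policy type, policy key field).
REQUIRED_VERSIONED = {
    ("standard", "current_key"): False,
    ("ldt", "current_key"): False,
    ("ldt", "transformation_key"): True,
    ("cos", "current_key"): False,
    ("idt", "current_key"): False,
    ("idt", "transformation_key"): False,
}

OTHER_PERMS = ("DecryptWithKey", "EncryptWithKey", "MACVerifyWithKey",
               "MACWithKey", "SignVerifyWithKey", "SignWithKey", "UseKey")


def build_key_body(name, policy_type, field="current_key", mode=None,
                   esg=False, owner_id="local|OWNER-ID-PLACEHOLDER"):
    """Return a key-creation body shaped like the page's samples.

    owner_id is a placeholder, not a real CipherTrust Manager user id.
    """
    policy_type = policy_type.lower()
    if mode is None:  # default to the mode the page's sample uses for that policy
        mode = {"cos": "CBC_CS1", "idt": "XTS"}.get(policy_type, "CBC")
    groups = [CTE_CLIENTS] + ([KEY_USERS] if esg else [])
    permissions = {p: [CTE_CLIENTS] for p in OTHER_PERMS}
    for p in REQUIRED_PERMS:  # Read Key and Export Key for every required group
        permissions[p] = list(groups)
    return {
        "name": name,
        "algorithm": "aes",
        "size": 256,
        "undeletable": True,
        "unexportable": False,  # CTE keys must be exportable
        "meta": {
            "ownerId": owner_id,
            "permissions": permissions,
            "cte": {
                "persistent_on_client": True,
                "encryption_mode": mode,
                "cte_versioned": REQUIRED_VERSIONED[(policy_type, field)],
            },
        },
        # Inferred from the COS and IDT samples: CBC_CS1 and XTS keys set xts true.
        "xts": mode in ("CBC_CS1", "XTS"),
    }


def validate_key_body(body, policy_type, field="current_key", esg=False):
    """Return the list of requirement violations for body (empty means OK)."""
    policy_type = policy_type.lower()
    meta = body.get("meta", {})
    cte = meta.get("cte", {})
    perms = meta.get("permissions", {})
    mode = cte.get("encryption_mode")
    problems = []

    if body.get("unexportable", False):
        problems.append("key must be exportable (unexportable must be false)")
    if mode not in ALLOWED_MODES[policy_type]:
        problems.append(f"encryption_mode {mode!r} is not allowed for {policy_type} policies")
    elif policy_type == "standard" and mode == "XTS" and not esg:
        problems.append("XTS keys in Standard policies are supported for ESG GuardPoints only")
    want = REQUIRED_VERSIONED.get((policy_type, field))
    if want is None:
        problems.append(f"{field!r} is not a key field of {policy_type} policies")
    elif cte.get("cte_versioned") != want:
        kind = "versioned" if want else "non-versioned"
        problems.append(f"{field} of {policy_type} policies must be {kind}")
    groups = [CTE_CLIENTS] + ([KEY_USERS] if esg else [])
    for group in groups:
        for perm in REQUIRED_PERMS:
            if group not in perms.get(perm, []):
                problems.append(f"{group} group lacks the {perm} permission")
    return problems


if __name__ == "__main__":
    body = build_key_body("LDT_transformation_key", "ldt", "transformation_key")
    print(json.dumps(body, indent=2))
    print("violations:", validate_key_body(body, "ldt", "transformation_key"))
```

Run the validator on a body before submitting it to /v1/vault/keys2/; the returned list is empty for the four sample shapes above and names each violated requirement otherwise, which is cheaper than discovering a missing Export Key permission when the GuardPoint fails to come up.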

Deleting CTE Keys

  • A CTE key cannot be deleted if it is being used in a policy.

  • The CTE Admins and Key Admins group permissions are required to delete a CTE key.

API

/v1/vault/keys2/{id} [DELETE]