Uploading Keys to AWS KMS
Use the POST /v1/cckm/aws/upload-key API to upload a key that exists on the CipherTrust Manager (or on a connected DSM, Luna HSM, or external CipherTrust Manager) to AWS KMS. The key material is imported into AWS, so the resulting KMS key has origin EXTERNAL.
Syntax

POST /v1/cckm/aws/upload-key
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
kms | string | Name or ID of the KMS where the key will be uploaded. |
region | string | Name of the region. |
source_key_tier | string | Tier of the source. Possible options are: • local for CipherTrust Manager (default) • dsm for Data Security Manager • hsm-luna for Luna HSM (FM-enabled Luna HSM is not supported as a key source) • external-cm for an external CipherTrust Manager |
source_key_identifier | string | Name or ID of the key to be uploaded. • If source_key_tier is local, this is the ID of the CipherTrust Manager key to be uploaded. • If source_key_tier is dsm, this is the ID of the DSM key to be uploaded (only AES keys are supported). • If source_key_tier is hsm-luna, this is the ID of the Luna HSM key to be uploaded. • If source_key_tier is external-cm, this is the ID of the external CipherTrust Manager key to be uploaded. |
aws_param | JSON | AWS key parameters such as alias, description, and usage. Refer to AWS Key Parameters for details. |
external_accounts | array of strings | AWS accounts that can use this key. |
key_admins | array of strings | IAM users who can administer this key using the KMS API. |
key_admins_roles | array of strings | IAM roles that can administer this key using the KMS API. |
key_users | array of strings | IAM users who can use this key in cryptographic operations. |
key_users_roles | array of strings | IAM roles that can use this key in cryptographic operations. |
policytemplate | string | ID of the policy template to apply. Note: When a policy template is applied to an AWS key, CCKM adds the template tag ( cckm_policy_template_id ) to the key. Do not modify or delete this tag on the AWS cloud. |
key_expiration (optional) | boolean | Whether to enable key expiration. |
Note
Specify Policy (inside aws_param), policytemplate, or any combination of key_admins, key_admins_roles, key_users, key_users_roles, and external_accounts. These three ways of setting the key policy are mutually exclusive. If none of them is specified, the default key policy is used.
AWS Key Parameters
Parameter | Type | Description |
---|---|---|
Alias | string | Alias of the key. |
BypassPolicyLockoutSafetyCheck | boolean | Flag to bypass the key policy lockout safety check. Leave this false unless you deliberately intend to attach a policy that denies the calling principal permission to change the key policy; bypassing the check can leave the key unmanageable. |
CustomerMasterKeySpec | string | Type of the key: whether the KMS key holds a symmetric key or an asymmetric key pair. Refer to Supported Key Types. Depending on the selected key type, you might also need to specify KeyUsage. |
KeyUsage | string | Intended use of the key, that is, the cryptographic operations the key may perform. Supported operations are: • ENCRYPT_DECRYPT • SIGN_VERIFY • GENERATE_VERIFY_MAC Refer to Key Usage for more information. |
Description | string | Description of the key. |
MultiRegion | boolean | Whether the key can be replicated in multiple AWS regions. The base key will be referred to as the multi-region primary key. Set to true to allow key replication in multiple regions. |
Policy | string | Key policy to attach to the CMK. |
Tags | array of JSONs | An optional parameter to add additional information to the key. Each tag must be specified as a key-value pair. CCKM allows the following characters in tag values: • Alphanumeric characters • Special characters _ . / = + - @ |
ValidTo | string | Key expiration time, must be formatted as per RFC3339. |
Supported Key Types
Note
CipherTrust Manager as a local or external key source supports AES (SYMMETRIC_DEFAULT), RSA, EC, and HMAC keys.
Luna HSM supports only AES, RSA, and EC keys.
DSM as a key source supports only AES keys.
CipherTrust Manager (Local or External)
SYMMETRIC_DEFAULT (Default)
RSA_2048 (Asymmetric)
RSA_3072 (Asymmetric)
RSA_4096 (Asymmetric)
ECC_NIST_P256 (secp256r1) (Asymmetric)
ECC_NIST_P384 (secp384r1) (Asymmetric)
ECC_NIST_P521 (secp521r1) (Asymmetric)
ECC_SECG_P256K1 (secp256k1) (Asymmetric)
HMAC_224
HMAC_256
HMAC_384
HMAC_512
Luna HSM
SYMMETRIC_DEFAULT (Default)
RSA_2048 (Asymmetric)
RSA_3072 (Asymmetric)
RSA_4096 (Asymmetric)
ECC_NIST_P256 (secp256r1) (Asymmetric)
ECC_NIST_P384 (secp384r1) (Asymmetric)
ECC_NIST_P521 (secp521r1) (Asymmetric)
ECC_SECG_P256K1 (secp256k1) (Asymmetric)
Data Security Manager (DSM)
SYMMETRIC_DEFAULT (Default)
Key Usage
For the SYMMETRIC_DEFAULT and HMAC key types, you do not need to specify the usage explicitly. The default usage for SYMMETRIC_DEFAULT is ENCRYPT_DECRYPT, and for HMAC key types it is GENERATE_VERIFY_MAC.
Asymmetric RSA keys support both SIGN_VERIFY and ENCRYPT_DECRYPT, so you must specify the usage explicitly; there is no default for RSA.
For asymmetric ECC keys, you do not need to specify the usage explicitly. The default (and only supported) key usage for ECC keys is SIGN_VERIFY.
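The following is an added Python example, not part of the CipherTrust documentation or product. It builds an upload-key request body from the parameters described above and rejects locally what the server would reject: a key type the chosen source tier cannot supply, a missing or invalid KeyUsage, tag values outside the allowed character set, a ValidTo that is not RFC 3339, and more than one of Policy, policytemplate and IAM principal lists. The base URL, the Bearer token header, the {"TagKey", "TagValue"} tag shape (taken from the AWS KMS API), the coupling of key_expiration to ValidTo, and every identifier in it are assumptions.

```python
"""Build and validate a request body for POST /v1/cckm/aws/upload-key.
Added example, not Thales' own code: it enforces this page's parameter rules
(key tiers, specs per tier, KeyUsage defaults, tag characters, policy exclusivity).
"""
import json
import re
import urllib.request
from datetime import datetime

# Key specs grouped by family, with the KeyUsage values AWS KMS accepts for each.
# A single usage doubles as the default CCKM applies when KeyUsage is omitted.
FAMILIES = {
    "SYMMETRIC": ({"SYMMETRIC_DEFAULT"}, ["ENCRYPT_DECRYPT"]),
    "RSA": ({"RSA_2048", "RSA_3072", "RSA_4096"}, ["SIGN_VERIFY", "ENCRYPT_DECRYPT"]),
    "ECC": ({"ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1"}, ["SIGN_VERIFY"]),
    "HMAC": ({"HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"}, ["GENERATE_VERIFY_MAC"]),
}
# Families each source tier can supply (from "Supported Key Types").
TIER_FAMILIES = {
    "local": {"SYMMETRIC", "RSA", "ECC", "HMAC"},
    "external-cm": {"SYMMETRIC", "RSA", "ECC", "HMAC"},
    "hsm-luna": {"SYMMETRIC", "RSA", "ECC"},
    "dsm": {"SYMMETRIC"},
}
# Characters CCKM allows in tag values: alphanumerics and _ . / = + - @
TAG_VALUE_RE = re.compile(r"^[A-Za-z0-9_./=+\-@]*$")


def spec_family(spec):
    for family, (specs, _) in FAMILIES.items():
        if spec in specs:
            return family
    raise ValueError(f"unknown CustomerMasterKeySpec {spec!r}")


def resolve_key_usage(spec, key_usage=None):
    """Key Usage rules: defaults for symmetric/HMAC/ECC, explicit choice required for RSA."""
    allowed = FAMILIES[spec_family(spec)][1]
    if key_usage is None and len(allowed) > 1:
        raise ValueError(f"{spec} needs an explicit KeyUsage: one of {allowed}")
    if key_usage is not None and key_usage not in allowed:
        raise ValueError(f"KeyUsage {key_usage} is not valid for {spec}; allowed: {allowed}")
    return key_usage or allowed[0]


def build_upload_key_request(kms, region, source_key_identifier, key_spec, source_key_tier="local",
                             key_usage=None, alias=None, policy=None, policytemplate=None,
                             key_admins=(), key_admins_roles=(), key_users=(), key_users_roles=(),
                             external_accounts=(), tags=(), valid_to=None, bypass_lockout_check=False):
    if source_key_tier not in TIER_FAMILIES:
        raise ValueError(f"unknown source_key_tier {source_key_tier!r}")
    if spec_family(key_spec) not in TIER_FAMILIES[source_key_tier]:
        raise ValueError(f"{key_spec} cannot be uploaded from the {source_key_tier} tier")
    for tag in tags:  # tag shape {"TagKey": ..., "TagValue": ...} is assumed from the AWS KMS API
        if not TAG_VALUE_RE.match(tag["TagValue"]):
            raise ValueError(f"tag value {tag['TagValue']!r} has characters CCKM rejects")
    if valid_to is not None and datetime.fromisoformat(valid_to.replace("Z", "+00:00")).tzinfo is None:
        raise ValueError("ValidTo must be an RFC 3339 timestamp with a UTC offset, e.g. 2030-12-31T23:59:59Z")

    # Exactly one policy mechanism: inline Policy, a CCKM policy template, or IAM principal lists.
    principals = {"key_admins": list(key_admins), "key_admins_roles": list(key_admins_roles),
                  "key_users": list(key_users), "key_users_roles": list(key_users_roles),
                  "external_accounts": list(external_accounts)}
    chosen = [n for n, used in (("Policy", policy is not None), ("policytemplate", bool(policytemplate)),
                                ("IAM principals", any(principals.values()))) if used]
    if len(chosen) > 1:
        raise ValueError("mutually exclusive policy inputs given together: " + ", ".join(chosen))

    aws_param = {"CustomerMasterKeySpec": key_spec, "KeyUsage": resolve_key_usage(key_spec, key_usage)}
    for name, value in (("Alias", alias), ("Policy", policy), ("ValidTo", valid_to)):
        if value is not None:
            aws_param[name] = value
    if tags:
        aws_param["Tags"] = list(tags)
    if bypass_lockout_check:  # AWS warns this can leave the key unmanageable; never default it on
        aws_param["BypassPolicyLockoutSafetyCheck"] = True

    body = {"kms": kms, "region": region, "source_key_tier": source_key_tier,
            "source_key_identifier": source_key_identifier, "aws_param": aws_param}
    body.update({k: v for k, v in principals.items() if v})
    if policytemplate:
        body["policytemplate"] = policytemplate
    if valid_to is not None:
        body["key_expiration"] = True  # assumption: expiry is enabled whenever ValidTo is supplied
    return body


def upload_key(base_url, auth_token, body, timeout=30):
    """POST the body to CipherTrust Manager; base_url is e.g. https://cm.example.com/api (placeholder)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/v1/cckm/aws/upload-key",
                                 data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {auth_token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)
```

A typical call is build_upload_key_request(kms="my-aws-kms", region="us-west-2", source_key_identifier="<CipherTrust key ID>", key_spec="SYMMETRIC_DEFAULT", alias="test-upload-key-1", key_users=["arn:aws:iam::111122223333:user/app-user"]), whose result is passed to upload_key together with the base URL and the AUTHTOKEN obtained from the authentication API. Because RSA has two valid usages, the builder refuses an RSA spec without key_usage rather than guessing, and because the three policy mechanisms are mutually exclusive it refuses a body that mixes them instead of letting the server pick one.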
Example Request
Example Response
The sample output shows that a key with alias test-upload-key-1 has been uploaded to AWS KMS. Because the key material was not generated by AWS KMS, the key's origin is EXTERNAL. The unique ID of the uploaded key (02c40491-f5bd-4204-93f3-5f9077740116) is returned and identifies the key in later CCKM calls.
For details on the response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.