Uploading Keys to Azure Key Vault
Use the POST /v1/cckm/azure/upload-key API to upload a key created on CipherTrust Manager to the Azure key vault.
Note
If the uploaded key has the same name as an existing key, a new version of the existing key is created.
Syntax
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
key_name | string | Name of the key on Azure. Key name can only contain alphanumeric characters and dashes. |
key_vault | string | Name or ID of the key vault where the key will be uploaded. |
azure_param | JSON | Azure key parameters. Refer to Azure Parameters below for details. |
local_key_identifier | string | Name or ID of the CipherTrust Manager key to upload. This parameter is mandatory if source_key_tier is local. |
luna_key_identifier | string | Name or ID of the Luna HSM key to upload. This parameter is mandatory if source_key_tier is hsm-luna. |
dsm_key_identifier | string | Name or ID of the DSM key to upload. This parameter is mandatory if source_key_tier is dsm. |
external_cm_key_identifier | string | Name or ID of the external CipherTrust Manager key to upload. This parameter is mandatory if source_key_tier is external-cm. |
password | string | PFX password. Specify only if a PFX certificate is provided. |
pfx | string | PFX key. Specify a Base64 encoded key. |
source_key_tier | string | Tier of the source key. Possible options are: • local (default) • pfx • hsm-luna (FM-enabled Luna HSM is not supported as a key source) • dsm • external-cm |
kek_kid | string | ID of the Azure key encryption key. |
exportable | boolean | Whether the private key can be exported from Azure. Set to true to allow key export, and also specify release_policy. Currently, the exportable parameter is valid only when the Azure vault is a premium vault or a vault stored in an Azure Managed HSM pool. The exportable parameter cannot be modified after key creation. |
release_policy | JSON | Policy rules under which the key can be exported. release_policy is mandatory when exportable is set to true. |
Azure Parameters
Parameter | Type | Description |
---|---|---|
attributes | JSON | Attributes for the key such as exp, enabled, and nbf. Possible options are: • nbf - Activation date for the key in Unix Epoch time format. • exp - Expiration date for the key in Unix Epoch time format. • enabled - Specify whether the key is enabled or disabled (true/false). |
hsm | boolean | Allow key creation in Azure HSM. Set to true to allow, false to deny. |
key_ops | array of strings | Cryptographic operations performed by the key. Possible options are: • encrypt • decrypt • sign • verify • wrapKey • unwrapKey |
tags | JSON | Optional parameter to add additional information to the key. The value must be specified as key-value pairs. Refer to the following rules on tag values. |
CCKM allows the following characters in tag values:
• Alphanumeric characters
• Special characters: ! @ # $ ) ( { } > < ? + - / [ ] ^ & + = | ~ ` ; . ' _
CCKM does not allow the colon (:) and percent (%) characters in tag values.
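As an added example that is not part of the original documentation, the following Python builds an upload-key request body offline and checks it against the rules in the tables above: the key_name character set, the identifier parameter that each source_key_tier makes mandatory, Base64 pfx material, exportable requiring release_policy, and the forbidden tag characters. The vault and key names are placeholders, the Bearer authorization header format is an assumption, and nothing is sent to the network.

```python
import base64
import json
import re

ENDPOINT = "/v1/cckm/azure/upload-key"
TIER_IDENTIFIER = {"local": "local_key_identifier", "hsm-luna": "luna_key_identifier",
                   "dsm": "dsm_key_identifier", "external-cm": "external_cm_key_identifier",
                   "pfx": "pfx"}  # identifier parameter mandatory for each source_key_tier
KEY_NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")  # key_name: alphanumeric characters and dashes
FORBIDDEN_TAG_CHARS = {":", "%"}              # the two characters CCKM rejects in tag values

def validation_errors(body):
    """Return the documented rules the body violates (an empty list means valid)."""
    errors = []
    if not KEY_NAME_RE.match(body.get("key_name", "")):
        errors.append("key_name may contain only alphanumeric characters and dashes")
    if not body.get("key_vault"):
        errors.append("key_vault (name or ID) is required")
    tier = body.get("source_key_tier", "local")
    needed = TIER_IDENTIFIER.get(tier)
    if needed is None:
        errors.append(f"unknown source_key_tier {tier!r}")
    elif not body.get(needed):
        errors.append(f"{needed} is mandatory when source_key_tier is {tier}")
    if tier == "pfx" and body.get("pfx"):
        try:
            base64.b64decode(body["pfx"], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            errors.append("pfx must be a Base64 encoded key")
    if body.get("exportable") and not body.get("release_policy"):
        errors.append("release_policy is mandatory when exportable is true")
    for name, value in body.get("azure_param", {}).get("tags", {}).items():
        if FORBIDDEN_TAG_CHARS & set(str(value)):
            errors.append(f"tag {name!r}: ':' and '%' are not allowed in tag values")
    return errors

def build_request(auth_token, body):
    """Return method, path, headers and JSON data for the POST; nothing is sent."""
    errors = validation_errors(body)
    if errors:
        raise ValueError("; ".join(errors))
    return {"method": "POST", "path": ENDPOINT,
            "headers": {"Authorization": f"Bearer {auth_token}",  # assumed header format
                        "Content-Type": "application/json"},
            "data": json.dumps(body)}

# Constructed sample body (placeholder names): a local CipherTrust Manager key for sign/verify.
SAMPLE_BODY = {"key_name": "upload-test-key", "key_vault": "example-vault",
               "source_key_tier": "local", "local_key_identifier": "cm-signing-key",
               "azure_param": {"key_ops": ["sign", "verify"], "tags": {"owner": "sec-team"}}}
```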
Example Request
Example Response
The sample output shows that a key (Uploadtestkey) is created on the Azure vault (bedb82b9-582c-402d-9874-f3368722cf46) and that it uses local key material (c9a282fcae5046509212c0d711efc586d255e78316aa4771b5b126b24df9aae3) created on the CipherTrust Manager. Because the key material is created on the Key Manager, the key material's origin is cckm.
For details of the response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.