BYOK for AWS
The following URL is used to create an AES-256 key on Key Manager and upload the wrapped key to AWS:
<http/https>://<host-name>:<Port>/sfbyok/aws/keys
For the first upload of a key, the POST method is used.
The following body parameters are passed for the request:
accessKey – (Mandatory) AWS Identity and Access Management (IAM) access Key ID used to access the Amazon services/resources.
secretKey – (Mandatory) AWS IAM secret access key used to access the Amazon services/resources. The access key ID and secret access key are created by the IAM root user to grant other users access to buckets. For more information on IAM access keys, refer to http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html.
cmkAlias – (Mandatory) Alias name to be created for the Customer Managed Key (CMK) on AWS.
wrappingAlgo – (Optional) Wrapping algorithm used to wrap the AES-256 key. SHA1, SHA256, or PKCS1.5 can be used. Default value is SHA256.
validity – (Optional) The time period in days for which the key is valid. The default value is 1.
Sample Request
{
    "accessKey": "xxxxxx",
    "secretKey": "kkkk",
    "cmkAlias": "test1641",
    "wrappingAlgo": "SHA1",
    "validity": 10
}
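The following is an added example and not code from Key Manager or its documentation. It builds and validates the request body described above (applying the documented defaults for wrappingAlgo and validity), assembles the URL, produces the HTTP Basic Authorization header for the Key Manager username and password, and redacts the IAM credentials before the body is logged. The host, port, user and credential values are constructed placeholders; nothing is sent over the network.

```python
import base64
import json

# Values the documentation allows for wrappingAlgo, with their documented defaults.
VALID_WRAPPING_ALGOS = ("SHA1", "SHA256", "PKCS1.5")
DEFAULT_WRAPPING_ALGO = "SHA256"
DEFAULT_VALIDITY_DAYS = 1

# Body fields that carry IAM credentials and must never reach a log file.
SENSITIVE_FIELDS = ("accessKey", "secretKey")


def byok_url(host, port, scheme="https"):
    """Build <scheme>://<host-name>:<Port>/sfbyok/aws/keys."""
    if scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    return f"{scheme}://{host}:{port}/sfbyok/aws/keys"


def build_byok_request(access_key, secret_key, cmk_alias,
                       wrapping_algo=None, validity=None):
    """Return the JSON body for the POST/PUT request, validated against the
    documented parameter rules (mandatory fields, allowed algorithms, defaults)."""
    if not access_key or not secret_key or not cmk_alias:
        raise ValueError("accessKey, secretKey and cmkAlias are mandatory")
    algo = wrapping_algo or DEFAULT_WRAPPING_ALGO
    if algo not in VALID_WRAPPING_ALGOS:
        raise ValueError(f"wrappingAlgo must be one of {VALID_WRAPPING_ALGOS}")
    days = DEFAULT_VALIDITY_DAYS if validity is None else validity
    if isinstance(days, bool) or not isinstance(days, int) or days < 1:
        raise ValueError("validity must be a positive number of days")
    return {
        "accessKey": access_key,
        "secretKey": secret_key,
        "cmkAlias": cmk_alias,
        "wrappingAlgo": algo,
        "validity": days,
    }


def basic_auth_headers(username, password):
    """HTTP Basic authentication header carrying the Key Manager credentials."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}", "Content-Type": "application/json"}


def redact_for_log(body):
    """Copy of the request body with the IAM credentials masked."""
    return {k: ("***" if k in SENSITIVE_FIELDS else v) for k, v in body.items()}


if __name__ == "__main__":
    # Constructed placeholder values; these are not real credentials.
    body = build_byok_request("AKIA_PLACEHOLDER", "SECRET_PLACEHOLDER",
                              "test1641", "SHA1", 10)
    print(byok_url("keymanager.example.internal", 9443))
    print(basic_auth_headers("km-admin", "km-password")["Content-Type"])
    print(json.dumps(redact_for_log(body), indent=2))
```

The redacted copy is what should go into request logs; the real body with the IAM secret is passed only to the HTTP client.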
How POST method works
The following activities/processes happen when the POST method is used:
1. The AES-256 key is created on Key Manager.
2. The alias is created in AWS.
3. The following custom attributes are added to the AES-256 key:
   - CreationDate
   - KeyArn (the ARN is created by AWS during the creation of the alias)
   - Alias
4. The AWS public key for the selected wrapping algorithm is downloaded from AWS.
5. The AES-256 key is wrapped using the AWS public key downloaded in the previous step and uploaded to AWS.
The Key Manager authentication details (Key Manager username and password) are provided as basic authentication of the REST request. The key and the alias created have a one-to-one mapping.
How PUT method works
The same URL is used with the PUT method when the key has expired in AWS or the existing validity needs to be modified:
<http/https>://<host-name>:<Port>/sfbyok/aws/keys
Pass the same body parameters as explained for the POST method.
1. The AES-256 key is located on Key Manager using the Alias or KeyArn attribute.
2. The AWS public key for the selected wrapping algorithm is downloaded from AWS.
3. The AES-256 key is wrapped using the AWS public key downloaded in the previous step and uploaded to AWS against the cmkAlias provided in the request.
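The wrapping step shared by the POST and PUT flows, as an added example that is not part of Key Manager or this documentation. It assumes the `cryptography` Python library, uses a locally generated RSA-2048 key pair as a stand-in for the AWS public key the steps above download (so the unwrap side can be checked offline), and takes SHA1, SHA256 and PKCS1.5 to mean RSA-OAEP with SHA-1, RSA-OAEP with SHA-256 and RSA PKCS#1 v1.5 padding respectively, which is my reading of the wrappingAlgo values rather than something the page states. The last function shows the failure mode a practitioner should expect: a key wrapped under one algorithm cannot be unwrapped under another, so the wrappingAlgo in the request must match the public key that was downloaded.

```python
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def wrapping_padding(wrapping_algo):
    """Assumed mapping of the documented wrappingAlgo values to RSA paddings."""
    if wrapping_algo == "SHA1":
        return padding.OAEP(mgf=padding.MGF1(hashes.SHA1()),
                            algorithm=hashes.SHA1(), label=None)
    if wrapping_algo == "SHA256":
        return padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                            algorithm=hashes.SHA256(), label=None)
    if wrapping_algo == "PKCS1.5":
        return padding.PKCS1v15()
    raise ValueError(f"unsupported wrappingAlgo: {wrapping_algo!r}")


def wrap_aes_key(aes_key, wrapping_public_key, wrapping_algo):
    """Wrap a 256-bit AES key under the (downloaded) RSA public key."""
    if len(aes_key) != 32:
        raise ValueError("expected a 256-bit AES key")
    return wrapping_public_key.encrypt(aes_key, wrapping_padding(wrapping_algo))


def unwrap_aes_key(wrapped, wrapping_private_key, wrapping_algo):
    """Unwrap side; in the real flow this happens inside AWS, not on Key Manager."""
    return wrapping_private_key.decrypt(wrapped, wrapping_padding(wrapping_algo))


def wrap_roundtrip(wrapping_algo):
    """Generate a stand-in import key pair, wrap a fresh AES-256 key and unwrap it.
    Returns (unwrap_matches_original, wrapped_length_in_bytes)."""
    # Constructed stand-in for the AWS import key pair (2048-bit RSA).
    import_key_pair = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    aes_key = os.urandom(32)                      # the AES-256 key from Key Manager
    wrapped = wrap_aes_key(aes_key, import_key_pair.public_key(), wrapping_algo)
    recovered = unwrap_aes_key(wrapped, import_key_pair, wrapping_algo)
    return recovered == aes_key, len(wrapped)


def wrong_algorithm_fails():
    """Wrapping with OAEP/SHA-1 and unwrapping with OAEP/SHA-256 must not succeed."""
    import_key_pair = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    wrapped = wrap_aes_key(os.urandom(32), import_key_pair.public_key(), "SHA1")
    try:
        unwrap_aes_key(wrapped, import_key_pair, "SHA256")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for algo in ("SHA1", "SHA256", "PKCS1.5"):
        ok, size = wrap_roundtrip(algo)
        print(f"{algo}: roundtrip ok={ok}, wrapped key is {size} bytes")
    print("mismatched algorithm rejected:", wrong_algorithm_fails())
```

With a 2048-bit wrapping key the wrapped blob is always 256 bytes regardless of the padding chosen; what differs is whether AWS can unwrap it, which is why the same wrappingAlgo must be used for the download of the public key and for the wrap.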
Using Existing Keys from Key Manager
When a user intends to upload an existing AES-256 key from Key Manager to AWS, add the following custom attributes to the key and then use the PUT method to upload the key to AWS:
KeyArn - Provide the ARN from AWS as the value.
Alias - Provide the alias name (as created by the user in AWS) as the value.