Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CTE-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Widows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Key Operations

Encryption, Decryption, and MAC Operations Using Versioned Key

search

Please Note:

print

Encryption, Decryption, and MAC Operations Using Versioned Key

copy link to clipboardEncrypt, Sign, MAC Operations using versioned key

To encrypt, sign, and generate MACs, your code must create an instance of a key. When using a versioned key, you can create an instance of the default version, a specific version, or all versions. The code is similar for each operation.

Note

  • Encryption/decryption is done using symmetric keys.

  • Sign and MAC operations are done using asymmetric keys.

To access the default version of a versioned key, call the method the same way you access a non-versioned key. The Key Manager will return the latest active version.

// for encryption and MAC
NAEKey defaultVersion = NAEKey.getSecretKey(symkey, session);
// for sign
NAEPrivateKey defaultVersion = NAEKey.getPrivateKey(RSAkey, session);

To create an instance of a specific key version you must append a # plus the version number. These statements will return version two of the key:

// for encryption and MAC
NAEKey secondVersion = NAEKey.getSecretKey(symkey+"#2", session);
// for sign
NAEPrivateKey secondVersion = NAEKey.getPrivateKey(RSAkey+"#2", session);

To create an instance of the key that contains all key versions:

// for encryption and MAC
NAEKey allVersions = NAEKey.getSecretKey(symkey+"#all", session);
// for sign
NAEPrivateKey allVersions = NAEKey.getPrivateKey(RSAkey+"#all", session);

copy link to clipboardDecrypt, SignV, MACV Operations using versioned key

When data is encrypted, signed, or MACed using a versioned key, the resulting ciphertext contains information in its header indicating which version of the key was used. This header is 3 bytes long. During decryption or verification, the Key Manager parses this information and applies the correct key version. There is no need to specify the key version.

If the data requires a retired key version, you will get an exception.

On this page