Key Operations
The NAE Server allows you to perform key operations such as creating, deleting, importing, and exporting keys. When creating a key, you must specify the following attributes:
Name of the Key
Key length (if not specified, the default key size for the algorithm is used)
Whether the key is exportable or deletable
Owner of the key
Permissions on the key
Versioned Keys
A versioned key maintains the same key metadata (key name, owner, algorithm, key size, etc.), but has a unique set of bytes for each version. Thus, each version is different enough for cryptographic purposes, but similar enough to allow for easy management. Each key version has its own key bytes, default IV, state, and creation date. The state determines which operations are available for a key version. Possible states are: active, restricted, retired, and wiped.
Active: all operations are allowed. These operations depend on the algorithm and can include encryption and decryption, signing and signature verification, or MACing and MAC verification.
Restricted: only key information, decryption, signature verification, and MAC verification operations are allowed.
Retired: no operations or access to key management are allowed.
Wiped: version is deleted.
The state, combined with the key type and group permissions, determines how the key version can be used. Ultimately, a key version can only be used when all three conditions hold: the key’s group permissions permit the operation, the key version’s state permits the operation, and the request comes from a member of the permitted group.
Note
To wipe a versioned key, the key must be retired first. The Wiped state is not available for an active or restricted versioned key.
A key can have a maximum of 4000 versions. Wiped versions display in strikeout type.
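The following Python model is an added illustration, not the NAE Server's own code or API: it encodes the four version states, the operations each state permits, the retire-before-wipe rule from the note, the 4000-version limit, and the three-way authorization check described above. Operation names, group names, and the key's algorithm capability set are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

MAX_VERSIONS = 4000          # limit stated above
class State(Enum):
    ACTIVE = "active"
    RESTRICTED = "restricted"
    RETIRED = "retired"
    WIPED = "wiped"

# Operations each version state permits, following the state list above.
# Operation names are constructed labels, not the NAE protocol's identifiers.
STATE_OPS = {
    State.ACTIVE: {"keyinfo", "encrypt", "decrypt", "sign", "verify", "mac", "macverify"},
    State.RESTRICTED: {"keyinfo", "decrypt", "verify", "macverify"},
    State.RETIRED: set(),
    State.WIPED: set(),
}

@dataclass
class VersionedKey:
    name: str
    algorithm_ops: set           # operations the key's algorithm supports at all
    group_perms: dict            # group name -> set of operations granted
    versions: list = field(default_factory=lambda: [State.ACTIVE])

    def add_version(self) -> int:
        if len(self.versions) >= MAX_VERSIONS:
            raise ValueError("key already has the maximum number of versions")
        self.versions.append(State.ACTIVE)
        return len(self.versions) - 1

    def restrict(self, v: int) -> None:
        self.versions[v] = State.RESTRICTED

    def retire(self, v: int) -> None:
        self.versions[v] = State.RETIRED

    def wipe(self, v: int) -> None:
        # Wiped is reachable only from Retired; active/restricted versions refuse.
        if self.versions[v] != State.RETIRED:
            raise ValueError("retire the version before wiping it")
        self.versions[v] = State.WIPED

def authorize(key: VersionedKey, v: int, op: str, requester_groups) -> bool:
    """Grant only if a requester's group, the version state and the algorithm all allow op."""
    by_group = any(op in key.group_perms.get(g, set()) for g in requester_groups)
    by_state = op in STATE_OPS[key.versions[v]] and op in key.algorithm_ops
    return by_group and by_state
```

A restricted version still decrypts and verifies for a permitted group, which is what lets old ciphertext remain readable after a rotation without letting the version produce new output.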
You can perform the following operations with the keys: