Creating Keys
This section describes steps to create an encryption key using the CTE API.
Overview
Keys used in a CTE policy must meet all of the following conditions. A key must:
- Grant the CTE Clients group access
- Be exportable
- Be versioned or non-versioned, as the policy type and the policy field ("current_key" or "transformation_key") require; see the policy-specific requirements below
- Be of the encryption mode "CBC", "CBC_CS1" or "XTS"
Note
XTS keys are required for creating GuardPoints with In-place Data Transformation (IDT) policies.
- Have metadata with the following details:
{
  "cte": {
    "is_used": <true/false>,
    "cte_versioned": <true/false>,
    "encryption_mode": <"CBC"/"CBC_CS1"/"XTS">,
    "persistent_on_client": <true/false>
  },
  "ownerId": "string",
  "permissions": {
    "ReadKey": [ "CTE Clients" ],
    "ExportKey": [ "CTE Clients" ]
  }
}
CTE supports standard, LDT, COS, and IDT policies. The following subsections list the policy-specific key requirements and a sample request body for each. The samples grant the CTE Clients group every key permission; only Read Key and Export Key are required, so grant just those two when creating keys for production use.
Keys for Standard Policies
- Standard policies support only non-versioned keys.
- Keys must grant the CTE Clients group access.
- The CTE Clients group must have the Read Key and Export Key permissions.
- Standard policies support "CBC" and "CBC_CS1" keys.
API
/v1/vault/keys2/ [POST]
Sample
{
"name": "Standard_pol_key",
"algorithm": "aes",
"size": 256,
"undeletable": true,
"unexportable": false,
"meta": {
"ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
"permissions": {
"DecryptWithKey": [
"CTE Clients"
],
"EncryptWithKey": [
"CTE Clients"
],
"ExportKey": [
"CTE Clients"
],
"MACVerifyWithKey": [
"CTE Clients"
],
"MACWithKey": [
"CTE Clients"
],
"ReadKey": [
"CTE Clients"
],
"SignVerifyWithKey": [
"CTE Clients"
],
"SignWithKey": [
"CTE Clients"
],
"UseKey": [
"CTE Clients"
]
},
"cte": {
"persistent_on_client": true,
"encryption_mode": "CBC",
"cte_versioned": false
}
},
"xts": false
}
Keys for LDT Policies
- LDT policies support only "CBC" and "CBC_CS1" keys.
- Keys must grant the CTE Clients group access.
- The CTE Clients group must have the Read Key and Export Key permissions.
- LDT policies accept only non-versioned keys in the "current_key" field.
- LDT policies accept only versioned keys in the "transformation_key" field.
API
/v1/vault/keys2/ [POST]
Sample
The following samples show the current key and the transformation key. They differ only in name and in the "cte_versioned" flag: the current key is non-versioned (false) and the transformation key is versioned (true).
Sample for the Current Key
{
"name": "LDT_Current_Key",
"algorithm": "aes",
"size": 256,
"undeletable": true,
"unexportable": false,
"meta": {
"ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
"permissions": {
"DecryptWithKey": [
"CTE Clients"
],
"EncryptWithKey": [
"CTE Clients"
],
"ExportKey": [
"CTE Clients"
],
"MACVerifyWithKey": [
"CTE Clients"
],
"MACWithKey": [
"CTE Clients"
],
"ReadKey": [
"CTE Clients"
],
"SignVerifyWithKey": [
"CTE Clients"
],
"SignWithKey": [
"CTE Clients"
],
"UseKey": [
"CTE Clients"
]
},
"cte": {
"persistent_on_client": true,
"encryption_mode": "CBC",
"cte_versioned": false
}
},
"xts": false
}
Sample for the Transformation Key
{
"name": "LDT_transformation_key",
"algorithm": "aes",
"size": 256,
"undeletable": true,
"unexportable": false,
"meta": {
"ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
"permissions": {
"DecryptWithKey": [
"CTE Clients"
],
"EncryptWithKey": [
"CTE Clients"
],
"ExportKey": [
"CTE Clients"
],
"MACVerifyWithKey": [
"CTE Clients"
],
"MACWithKey": [
"CTE Clients"
],
"ReadKey": [
"CTE Clients"
],
"SignVerifyWithKey": [
"CTE Clients"
],
"SignWithKey": [
"CTE Clients"
],
"UseKey": [
"CTE Clients"
]
},
"cte": {
"persistent_on_client": true,
"encryption_mode": "CBC",
"cte_versioned": true
}
},
"xts": false
}
Keys for COS Policies
- Keys must grant the CTE Clients group access.
- The CTE Clients group must have the Read Key and Export Key permissions.
- COS policies support only non-versioned keys.
- COS policies support only "CBC_CS1" keys.
API
/v1/vault/keys2/ [POST]
Sample
{
"name": "COS_Key",
"algorithm": "aes",
"size": 256,
"undeletable": true,
"unexportable": false,
"meta": {
"ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
"permissions": {
"DecryptWithKey": [
"CTE Clients"
],
"EncryptWithKey": [
"CTE Clients"
],
"ExportKey": [
"CTE Clients"
],
"MACVerifyWithKey": [
"CTE Clients"
],
"MACWithKey": [
"CTE Clients"
],
"ReadKey": [
"CTE Clients"
],
"SignVerifyWithKey": [
"CTE Clients"
],
"SignWithKey": [
"CTE Clients"
],
"UseKey": [
"CTE Clients"
]
},
"cte": {
"persistent_on_client": true,
"encryption_mode": "CBC_CS1",
"cte_versioned": false
}
},
"xts": true
}
Keys for IDT Policies
- Keys must grant the CTE Clients group access.
- The CTE Clients group must have the Read Key and Export Key permissions.
- IDT policies support only the "XTS" encryption mode.
- IDT policies accept only non-versioned keys in both the "current_key" and the "transformation_key" fields.
- IDT policies are used for IDT-capable devices.
API
/v1/vault/keys2/ [POST]
Sample
The following samples show the current key and the transformation key. Both are non-versioned XTS keys. The "id" field in these samples is the identifier that CipherTrust Manager assigns and returns in its response; do not include it in the request body.
Sample for the Current Key
{
"name": "IDT_Policy_Current_key",
"algorithm": "aes",
"size": 256,
"undeletable": true,
"unexportable": false,
"meta": {
"ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
"permissions": {
"DecryptWithKey": [
"CTE Clients"
],
"EncryptWithKey": [
"CTE Clients"
],
"ExportKey": [
"CTE Clients"
],
"MACVerifyWithKey": [
"CTE Clients"
],
"MACWithKey": [
"CTE Clients"
],
"ReadKey": [
"CTE Clients"
],
"SignVerifyWithKey": [
"CTE Clients"
],
"SignWithKey": [
"CTE Clients"
],
"UseKey": [
"CTE Clients"
]
},
"cte": {
"persistent_on_client": true,
"encryption_mode": "XTS",
"cte_versioned": false
}
},
"xts": true,
"id": "694bf52e-d0c2-4416-b615-feab9ce27940"
}
Sample for the Transformation Key
{
"name": "IDT_Policy_Transformation_Key",
"algorithm": "aes",
"size": 256,
"undeletable": true,
"unexportable": false,
"meta": {
"ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
"permissions": {
"DecryptWithKey": [
"CTE Clients"
],
"EncryptWithKey": [
"CTE Clients"
],
"ExportKey": [
"CTE Clients"
],
"MACVerifyWithKey": [
"CTE Clients"
],
"MACWithKey": [
"CTE Clients"
],
"ReadKey": [
"CTE Clients"
],
"SignVerifyWithKey": [
"CTE Clients"
],
"SignWithKey": [
"CTE Clients"
],
"UseKey": [
"CTE Clients"
]
},
"cte": {
"persistent_on_client": true,
"encryption_mode": "XTS",
"cte_versioned": false
}
},
"xts": true,
"id": "d32d1b65-5a09-403e-921d-8d1c8db39a75"
}
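The script below is added here as a worked example for this page; it is not CipherTrust Manager product code or part of the Thales documentation. It turns the requirements above into code: it builds a /v1/vault/keys2/ request body for a given policy type and policy field, checks a body against the conditions listed in the Overview and the per-policy sections, and submits the create request. It also covers the deletion call described under Deleting CTE Keys below. The base URL with its /api prefix, the bearer-token Authorization header, the "local|<owner-id>" placeholder and the injectable opener are assumptions of the example; the xts flag is set to mirror the samples on this page (false for CBC, true for CBC_CS1 and XTS).

```python
"""Build, validate and submit CTE key requests for /v1/vault/keys2/.

Example code for this page, not Thales/CipherTrust Manager code.
Values marked as assumptions are not taken from the page.
"""
import json
import urllib.request
from urllib.request import Request

CTE_CLIENTS = "CTE Clients"
REQUIRED_PERMS = ("ReadKey", "ExportKey")  # the only permissions CTE policies need

# Policy type -> allowed encryption modes, and whether each policy field
# ("current_key" / "transformation_key") takes a versioned key.
# Transcribed from the per-policy requirement lists on this page.
POLICY_RULES = {
    "standard": {"modes": ("CBC", "CBC_CS1"), "roles": {"current_key": False}},
    "ldt": {"modes": ("CBC", "CBC_CS1"),
            "roles": {"current_key": False, "transformation_key": True}},
    "cos": {"modes": ("CBC_CS1",), "roles": {"current_key": False}},
    "idt": {"modes": ("XTS",),
            "roles": {"current_key": False, "transformation_key": False}},
}


def build_key_body(name, owner_id, policy, mode, role="current_key",
                   persistent_on_client=True):
    """Return the POST body for a key used in the given policy type and field."""
    rules = POLICY_RULES[policy]
    if mode not in rules["modes"]:
        raise ValueError(f"{policy} policies do not support {mode} keys")
    if role not in rules["roles"]:
        raise ValueError(f"{policy} policies have no {role} field")
    return {
        "name": name,
        "algorithm": "aes",
        "size": 256,
        "undeletable": True,
        "unexportable": False,  # CTE clients must be able to export the key
        "meta": {
            "ownerId": owner_id,
            # Least privilege: grant only the two permissions CTE requires.
            "permissions": {perm: [CTE_CLIENTS] for perm in REQUIRED_PERMS},
            "cte": {
                "persistent_on_client": persistent_on_client,
                "encryption_mode": mode,
                "cte_versioned": rules["roles"][role],
            },
        },
        # Mirrors the page's samples: false for CBC, true for CBC_CS1 and XTS.
        "xts": mode != "CBC",
    }


def validate_key_body(body, policy, role="current_key"):
    """Return the list of rule violations; empty when the body is acceptable."""
    problems = []
    rules = POLICY_RULES[policy]
    meta = body.get("meta", {})
    cte = meta.get("cte", {})
    perms = meta.get("permissions", {})
    if body.get("unexportable", True):
        problems.append("key must be exportable")
    for perm in REQUIRED_PERMS:
        if CTE_CLIENTS not in perms.get(perm, []):
            problems.append(f"CTE Clients group lacks {perm}")
    mode = cte.get("encryption_mode")
    if mode not in rules["modes"]:
        problems.append(f"mode {mode!r} is not allowed for {policy} policies")
    want_versioned = rules["roles"].get(role)
    if want_versioned is None:
        problems.append(f"{policy} policies have no {role} field")
    elif cte.get("cte_versioned") is not want_versioned:
        kind = "versioned" if want_versioned else "non-versioned"
        problems.append(f"{role} of a {policy} policy must be {kind}")
    if body.get("xts") != (mode != "CBC"):
        problems.append("xts flag is inconsistent with encryption_mode")
    return problems


def _request(base_url, token, path, method, body=None):
    # Assumptions: base_url already carries the REST prefix (e.g.
    # https://cm.example/api) and the API accepts a bearer token.
    data = json.dumps(body).encode() if body is not None else None
    req = Request(base_url.rstrip("/") + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def create_key(base_url, token, body, policy, role="current_key",
               opener=urllib.request.urlopen):
    """POST the body to /v1/vault/keys2/ after refusing any rule violation."""
    problems = validate_key_body(body, policy, role)
    if problems:
        raise ValueError("; ".join(problems))
    with opener(_request(base_url, token, "/v1/vault/keys2/", "POST", body)) as resp:
        return json.loads(resp.read())


def delete_key(base_url, token, key_id, opener=urllib.request.urlopen):
    """DELETE /v1/vault/keys2/{id}. CipherTrust Manager rejects the call while
    the key is still referenced by a policy (urllib raises HTTPError), so
    detach the key from its policy first."""
    with opener(_request(base_url, token, f"/v1/vault/keys2/{key_id}", "DELETE")) as resp:
        return resp.status


if __name__ == "__main__":
    # "local|<owner-id>" is a placeholder, not a real owner identifier.
    body = build_key_body("LDT_transformation_key", "local|<owner-id>",
                          "ldt", "CBC", "transformation_key")
    print(json.dumps(body, indent=2))
    print("violations:", validate_key_body(body, "ldt", "transformation_key"))
```

The opener parameter exists so the request path can be exercised without a CipherTrust Manager instance; in production leave it at the default urllib.request.urlopen and pass the real base URL and token.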
Deleting CTE Keys
- A CTE key cannot be deleted while it is used in a policy. Remove the key from the policy, or delete the policy, before deleting the key.
- The CTE Admins and Key Admins group permissions are required to delete a CTE key.
API
/v1/vault/keys2/{id} [DELETE]