Creating Keys
This section describes steps to create an encryption key using the CTE API.
Overview
Keys used in a CTE policy must satisfy the following conditions. A key must:
- Grant access to the CTE Clients group (at minimum the Read Key and Export Key permissions) 
- Be exportable ("unexportable": false) 
- Be versioned or non-versioned as required by the policy type and by the policy field the key is used in (see the policy-specific requirements below) 
- Use the "CBC", "CBC_CS1" or "XTS" encryption mode. Note: XTS keys are required for creating GuardPoints with In-place Data Transformation (IDT) policies. 
- Carry metadata of the following form:
  {
    "cte": {
      "is_used": <true/false>,
      "cte_versioned": <true/false>,
      "encryption_mode": <"CBC"/"CBC_CS1"/"XTS">,
      "persistent_on_client": <true/false>
    },
    "ownerId": "string",
    "permissions": {
      "ReadKey": [ "CTE Clients" ],
      "ExportKey": [ "CTE Clients" ]
    }
  }
CTE supports standard, LDT, COS, and IDT policies. The policy-specific key requirements and sample request bodies follow.
Keys for Standard Policies
- Standard policies support only non-versioned keys. 
- Keys should have the CTE Clients group access. 
- CTE Clients group should have the Read Key and Export Key permissions. 
- Standard policies support "CBC" / "CBC_CS1" keys. 
API
/v1/vault/keys2/ [POST]
Sample
{
  "name": "Standard_pol_key",
  "algorithm": "aes",
  "size": 256,
  "undeletable": true,
  "unexportable": false,
  "meta": {
    "ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
    "permissions": {
      "DecryptWithKey": [
        "CTE Clients"
      ],
      "EncryptWithKey": [
        "CTE Clients"
      ],
      "ExportKey": [
        "CTE Clients"
      ],
      "MACVerifyWithKey": [
        "CTE Clients"
      ],
      "MACWithKey": [
        "CTE Clients"
      ],
      "ReadKey": [
        "CTE Clients"
      ],
      "SignVerifyWithKey": [
        "CTE Clients"
      ],
      "SignWithKey": [
        "CTE Clients"
      ],
      "UseKey": [
        "CTE Clients"
      ]
    },
    "cte": {
      "persistent_on_client": true,
      "encryption_mode": "CBC",
      "cte_versioned": false
    }
  },
  "xts": false
}
Keys for LDT Policies
- LDT policies support only "CBC" and "CBC_CS1" keys. 
- Keys should have the CTE Clients group access. 
- CTE Clients group should have the Read Key and Export Key permissions. 
- LDT policies support only non-versioned keys in the "current_key" field. 
- LDT policies support only versioned keys in the "transformation_key" field. 
API
/v1/vault/keys2/ [POST]
Sample
Samples for the current key and the transformation key follow.
Sample for the Current Key
{
  "name": "LDT_Current_Key",
  "algorithm": "aes",
  "size": 256,
  "undeletable": true,
  "unexportable": false,
  "meta": {
    "ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
    "permissions": {
      "DecryptWithKey": [
        "CTE Clients"
      ],
      "EncryptWithKey": [
        "CTE Clients"
      ],
      "ExportKey": [
        "CTE Clients"
      ],
      "MACVerifyWithKey": [
        "CTE Clients"
      ],
      "MACWithKey": [
        "CTE Clients"
      ],
      "ReadKey": [
        "CTE Clients"
      ],
      "SignVerifyWithKey": [
        "CTE Clients"
      ],
      "SignWithKey": [
        "CTE Clients"
      ],
      "UseKey": [
        "CTE Clients"
      ]
    },
    "cte": {
      "persistent_on_client": true,
      "encryption_mode": "CBC",
      "cte_versioned": false
    }
  },
  "xts": false
}
Sample for the Transformation Key
{
  "name": "LDT_transformation_key",
  "algorithm": "aes",
  "size": 256,
  "undeletable": true,
  "unexportable": false,
  "meta": {
    "ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
    "permissions": {
      "DecryptWithKey": [
        "CTE Clients"
      ],
      "EncryptWithKey": [
        "CTE Clients"
      ],
      "ExportKey": [
        "CTE Clients"
      ],
      "MACVerifyWithKey": [
        "CTE Clients"
      ],
      "MACWithKey": [
        "CTE Clients"
      ],
      "ReadKey": [
        "CTE Clients"
      ],
      "SignVerifyWithKey": [
        "CTE Clients"
      ],
      "SignWithKey": [
        "CTE Clients"
      ],
      "UseKey": [
        "CTE Clients"
      ]
    },
    "cte": {
      "persistent_on_client": true,
      "encryption_mode": "CBC",
      "cte_versioned": true
    }
  },
  "xts": false
}
Keys for COS Policies
- Keys should have the CTE Clients group access. 
- CTE Clients group should have the Read Key and Export Key permissions. 
- COS policies support only non-versioned keys. 
- COS policies support only "CBC_CS1" keys. 
API
/v1/vault/keys2/ [POST]
Sample
{
  "name": "COS_Key",
  "algorithm": "aes",
  "size": 256,
  "undeletable": true,
  "unexportable": false,
  "meta": {
    "ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
    "permissions": {
      "DecryptWithKey": [
        "CTE Clients"
      ],
      "EncryptWithKey": [
        "CTE Clients"
      ],
      "ExportKey": [
        "CTE Clients"
      ],
      "MACVerifyWithKey": [
        "CTE Clients"
      ],
      "MACWithKey": [
        "CTE Clients"
      ],
      "ReadKey": [
        "CTE Clients"
      ],
      "SignVerifyWithKey": [
        "CTE Clients"
      ],
      "SignWithKey": [
        "CTE Clients"
      ],
      "UseKey": [
        "CTE Clients"
      ]
    },
    "cte": {
      "persistent_on_client": true,
      "encryption_mode": "CBC_CS1",
      "cte_versioned": false
    }
  },
  "xts": true
}
Keys for IDT Policies
- Keys should have the CTE Clients group access. 
- CTE Clients group should have the Read Key and Export Key permissions. 
- IDT policies support only the "XTS" encryption mode. 
- IDT policies support only non-versioned keys in the "current_key" and "transformation_key" fields. 
- IDT policies are used for IDT-capable devices. 
API
/v1/vault/keys2/ [POST]
Sample
Samples for the current key and the transformation key follow.
Sample for the Current Key
{
  "name": "IDT_Policy_Current_key",
  "algorithm": "aes",
  "size": 256,
  "undeletable": true,
  "unexportable": false,
  "meta": {
    "ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
    "permissions": {
      "DecryptWithKey": [
        "CTE Clients"
      ],
      "EncryptWithKey": [
        "CTE Clients"
      ],
      "ExportKey": [
        "CTE Clients"
      ],
      "MACVerifyWithKey": [
        "CTE Clients"
      ],
      "MACWithKey": [
        "CTE Clients"
      ],
      "ReadKey": [
        "CTE Clients"
      ],
      "SignVerifyWithKey": [
        "CTE Clients"
      ],
      "SignWithKey": [
        "CTE Clients"
      ],
      "UseKey": [
        "CTE Clients"
      ]
    },
    "cte": {
      "persistent_on_client": true,
      "encryption_mode": "XTS",
      "cte_versioned": false
    }
  },
  "xts": true,
  "id": "694bf52e-d0c2-4416-b615-feab9ce27940"
}
Sample for the Transformation Key
{
  "name": "IDT_Policy_Transformation_Key",
  "algorithm": "aes",
  "size": 256,
  "undeletable": true,
  "unexportable": false,
  "meta": {
    "ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
    "permissions": {
      "DecryptWithKey": [
        "CTE Clients"
      ],
      "EncryptWithKey": [
        "CTE Clients"
      ],
      "ExportKey": [
        "CTE Clients"
      ],
      "MACVerifyWithKey": [
        "CTE Clients"
      ],
      "MACWithKey": [
        "CTE Clients"
      ],
      "ReadKey": [
        "CTE Clients"
      ],
      "SignVerifyWithKey": [
        "CTE Clients"
      ],
      "SignWithKey": [
        "CTE Clients"
      ],
      "UseKey": [
        "CTE Clients"
      ]
    },
    "cte": {
      "persistent_on_client": true,
      "encryption_mode": "XTS",
      "cte_versioned": false
    }
  },
  "xts": true,
  "id": "d32d1b65-5a09-403e-921d-8d1c8db39a75"
}
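The general requirements in the overview and the per-policy rules in the four sections above can be enforced before a request ever reaches the key manager. The following script is an added example and is not code from the CipherTrust documentation or product: it builds a request body shaped like the samples above and checks it against the documented rules (CTE Clients access with Read Key and Export Key, exportable, allowed encryption mode and versioning per policy type and key field, and the "xts" flag matching the mode as in the samples). The owner id, the host, the bearer-token authentication and the helper names are assumptions made for this example.

```python
"""Build and pre-validate CTE key-creation bodies for POST /v1/vault/keys2/.

Added example, not part of the CipherTrust documentation or product. It turns
the key requirements on this page into local checks so that a non-compliant
request is rejected before it reaches the key manager. The owner id, base
URL, token and helper names are placeholders assumed for this example.
"""
import json
import urllib.request

CTE_CLIENTS = "CTE Clients"
REQUIRED_PERMS = ("ReadKey", "ExportKey")   # documented minimum for CTE Clients
XTS_FORM_MODES = ("CBC_CS1", "XTS")         # modes the page's samples create with "xts": true

# Allowed (encryption modes, cte_versioned values) per policy type and key
# field. "key" is the single key of a standard or COS policy; LDT and IDT
# policies carry a current_key and a transformation_key.
RULES = {
    ("standard", "key"):            ({"CBC", "CBC_CS1"}, {False}),
    ("ldt", "current_key"):         ({"CBC", "CBC_CS1"}, {False}),
    ("ldt", "transformation_key"):  ({"CBC", "CBC_CS1"}, {True}),
    ("cos", "key"):                 ({"CBC_CS1"}, {False}),
    ("idt", "current_key"):         ({"XTS"}, {False}),
    ("idt", "transformation_key"):  ({"XTS"}, {False}),
}


def build_key_body(name, policy, role, encryption_mode, owner_id, versioned=None):
    """Return a request body shaped like the samples on this page."""
    _, allowed_versions = RULES[(policy, role)]
    if versioned is None:
        versioned = next(iter(allowed_versions))  # each rule allows exactly one value
    return {
        "name": name,
        "algorithm": "aes",
        "size": 256,
        "undeletable": True,
        "unexportable": False,
        "meta": {
            "ownerId": owner_id,
            "permissions": {perm: [CTE_CLIENTS] for perm in REQUIRED_PERMS},
            "cte": {
                "persistent_on_client": True,
                "encryption_mode": encryption_mode,
                "cte_versioned": versioned,
            },
        },
        "xts": encryption_mode in XTS_FORM_MODES,
    }


def validate_key_body(body, policy, role):
    """Return the list of rule violations; an empty list means the body is acceptable."""
    problems = []
    allowed_modes, allowed_versions = RULES[(policy, role)]
    meta = body.get("meta", {})
    perms = meta.get("permissions", {})
    for perm in REQUIRED_PERMS:
        if CTE_CLIENTS not in perms.get(perm, []):
            problems.append(f"{perm} is not granted to {CTE_CLIENTS!r}")
    if body.get("unexportable", False):
        problems.append("key must be exportable (unexportable: false)")
    cte = meta.get("cte", {})
    mode = cte.get("encryption_mode")
    if mode not in allowed_modes:
        problems.append(f"encryption_mode {mode!r} not allowed for {policy}/{role}; "
                        f"allowed: {sorted(allowed_modes)}")
    versioned = cte.get("cte_versioned")
    if versioned not in allowed_versions:
        problems.append(f"cte_versioned={versioned!r} not allowed for {policy}/{role}; "
                        f"allowed: {sorted(allowed_versions)}")
    if bool(body.get("xts")) != (mode in XTS_FORM_MODES):
        problems.append(f"xts flag {body.get('xts')!r} does not match encryption_mode {mode!r}")
    return problems


def create_key(base_url, token, body, policy, role):
    """Validate, then POST the body to /v1/vault/keys2/ (bearer-token auth is assumed)."""
    problems = validate_key_body(body, policy, role)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        base_url.rstrip("/") + "/v1/vault/keys2/",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    owner = "local|00000000-0000-0000-0000-000000000000"  # placeholder owner id
    good = build_key_body("LDT_transformation_key", "ldt", "transformation_key", "CBC", owner)
    print(json.dumps(good, indent=2), validate_key_body(good, "ldt", "transformation_key"))
    # Rejected: a versioned key in an LDT current_key slot, and a CBC key for a COS policy.
    bad = build_key_body("LDT_Current_Key", "ldt", "current_key", "CBC", owner, versioned=True)
    print(validate_key_body(bad, "ldt", "current_key"))
    print(validate_key_body(build_key_body("COS_Key", "cos", "key", "CBC", owner), "cos", "key"))
```

The samples on this page grant CTE Clients the full permission set; the script grants only Read Key and Export Key, which is the documented minimum and the least privilege the clients need. The server-managed "is_used" flag from the metadata template is deliberately not set in the request.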
Deleting CTE Keys
- A CTE key cannot be deleted if it is being used in a policy. 
- The CTE Admins and Key Admins group permissions are required to delete a CTE key. 
API
/v1/vault/keys2/{id} [DELETE]