Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Key Life Cycle Management APIs

Uploading Keys to AWS KMS

search
suggest an edit

Uploading Keys to AWS KMS

Use the post /v1/cckm/aws/upload-key API to upload a key created on the CipherTrust Data Security Platform Service to the AWS KMS.

copy link to clipboardSyntax

curl -k '<IP>/api/v1/cckm/aws/upload-key' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "source_key_tier": "<source_key_tier>",\n  "source_key_identifier": "<source_key_identifier>",\n  "region": "<region>",\n  "kms": "<kms_identifier>",\n  "key_expiration": <boolean>,\n  "aws_param": {<aws parameters>}' --compressed

copy link to clipboardRequest Parameters

ParameterTypeDescription
AUTHTOKENstringAuthorization token.
kmsstringName or ID of the KMS where the key will be uploaded.
regionstringName of the region.
source_key_tierstringTier of the source - local for CipherTrust Data Security Platform Service (default).
source_key_identifierstringName or ID of the key to be uploaded.
If source_key_tier is local, this is the ID of the CipherTrust Data Security Platform Service key to be uploaded.
aws_paramJSONAWS key parameters such as alias, description, and usage. Refer to AWS Key Parameters for details.
external_accountsarray of stringsAWS accounts that can use this key.
key_adminsarray of stringsIAM users who can administer this key using the KMS API.
key_admins_rolesarray of stringsIAM roles that can administer this key using the KMS API.
key_usersarray of stringsIAM users who can use this key in cryptographic operations.
key_users_rolesarray of stringsIAM roles that can use the CMK in cryptographic operations.
policytemplatestringID of the policy template to apply.
Note: When a policy template is applied to an AWS key, CCKM adds the template tag (cckm_policy_template_id) to the key. Do not modify or delete this tag on the AWS cloud.
key_expiration (optional)booleanWhether to enable key expiration.

Note

Specify Policy, policytemplate, or one of key_admins, key_admins_roles, key_users, key_users_roles, and external_accounts. They are mutually exclusive. If no parameters are specified, the default policy is used.

copy link to clipboardAWS Key Parameters

ParameterTypeDescription
AliasstringAlias of the key.
BypassPolicyLockoutSafetyCheckbooleanFlag to bypass the key policy lockout safety check.
CustomerMasterKeySpecstringType of the key. Whether the KMS key contains a symmetric key or an asymmetric key pair. Refer to Supported Key Types.
Depending on the selected key type, you might need to specify KeyUsage.
KeyUsagestringIntended use of the key. Specify the cryptographic operations to be performed by the key. Suported operations are:
• ENCRYPT_DECRYPT
• SIGN_VERIFY
• GENERATE_VERIFY_MAC
Refer to Key Usage for more information.
DescriptionstringDescription of the key.
MultiRegionbooleanWhether the key can be replicated in multiple AWS regions. The base key will be referred to as the multi-region primary key. Set to true to allow key replication in multiple regions.
PolicystringKey policy to attach to the CMK.
Tagsarray of JSONsAn optional parameter to add additional information to the key. The value must be specified as the key-value pair. CCKM allows the following characters in tag values:
• Alphanumeric characters
• Special characters ** _ . / = + - @ **
ValidTostringKey expiration time, must be formatted as per RFC3339.

Note

Specify Policy, policytemplate, or one of key_admins, key_users, and external_accounts. They are mutually exclusive. If no parameters are specified, the default policy is used.

copy link to clipboardSupported Key Types

??? "

Expand to view supported key types
"

**CipherTrust Manager (Local or External)**

* SYMMETRIC_DEFAULT (Default)

* RSA_2048 (Asymmetric)

* RSA_3072 (Asymmetric)

* RSA_4096 (Asymmetric)

* ECC_NIST_P256 (secp256r1) (Asymmetric)

* ECC_NIST_P384 (secp384r1) (Asymmetric)

* ECC_NIST_P521 (secp521r1) (Asymmetric)

* ECC_SECG_P256K1 (secp256k1) (Asymmetric)

* HMAC_224

* HMAC_256

* HMAC_384

* HMAC_512

copy link to clipboardKey Usage

  • For the SYMMETRIC_DEFAULT and HMAC key types, you don't need to specify the usage explicitly. The default usage for SYMMETRIC_DEFAULT is ENCRYPT_DECRYPT, and for HMAC, the default usage is GENERATE_VERIFY_MAC.

  • Asymmetric RSA keys support SIGN_VERIFY and ENCRYPT_DECRYPT key usages. You need to specify a usage explicitly.

  • For asymmetric ECC keys, you don't need to specify the usage explicitly. The default key usage for ECC keys is SIGN_VERIFY.

copy link to clipboardExample Request

curl -k 'https://127.0.0.1/api/v1/cckm/aws/upload-key' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJjNWMwZGJlNC1lMmJmLTQ3M2MtODY4MC01NWVkMWIzMDEzMmEiLCJzdWIiOiJsb2NhbHxhNjdjMzc0OC05YTRiLTRhZGQtYjNkOS0wNTRiYTIwYmUzYWMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMDhkNDI5ZjktNDgzYi00ODdlLWJjOTQtNGE1Mjc2ZDI2ZjZjIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjZlZWE0NWJlLTc5NTMtNGUzZS1iNWJjLWZlZDEwMmZhNGNiYSIsImlhdCI6MTYwNDU1OTMxOSwiZXhwIjoxNjA0NTU5NjE5fQ.8BNfjt82PmwBoIzFsUk2eh4AvWwrjZxRiewK9Hyp67A' -H 'Content-Type: application/json' --data-binary $'{\n  "source_key_identifier": "test-key",\n  "region": "ap-south-1",\n  "kms": "kms",\n  "aws_param": {\n    "Alias": "test-upload-key-1",\n    "Tags": [\n   {\n "TagKey": "key",\n "TagValue": "value"\n  }\n ]\n  }\n}' --compressed

copy link to clipboardExample Response

{
"id": "02c40491-f5bd-4204-93f3-5f9077740116",
"uri": "kylo:kylo:cckm:aws-key:02c40491-f5bd-4204-93f3-5f9077740116",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T07:00:53.99845058Z",
"updatedAt": "2020-11-05T07:00:54.504758124Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T07:00:53.990295894Z",
"rotation_status": "",
"local_key_id": "361d928ac7e340d093e7d231c80ca934acc62528601647ce86a219c9a82f4f93",
"local_key_name": "test-key",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "cckm",
"aws_param": {
    "AWSAccountId": "123456789012",
    "Arn": "arn:aws:kms:ap-south-1:123456789012:key/a3d6b6ab-e953-45f7-8275-e915277f5ee2",
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "Enabled": true,
    "EncryptionAlgorithms": [
        "SYMMETRIC_DEFAULT"
    ],
    "KeyID": "a3d6b6ab-e953-45f7-8275-e915277f5ee2",
    "KeyManager": "CUSTOMER",
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "Origin": "EXTERNAL",
    "CreationDate": "2020-11-05T07:00:41Z",
    "Policy": {
        "Version": "2012-10-17",
        "Id": "key-default-1",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::123456789012:root"
                },
                "Action": "kms:*",
                "Resource": "*"
            }
        ]
    },
    "Alias": [
        "alias/test-upload-key-1"
    ],
    "Tags": [
        {
            "TagKey": "key",
            "TagValue": "value"
        }
    ],
    "KeyRotationEnabled": false,
    "ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE"
}
}

The sample output shows that a key (with alias test-upload-key-1) is uploaded to the AWS KMS. As the key is not created on the AWS KMS, its origin is EXTERNAL. A unique ID (02c40491-f5bd-4204-93f3-5f9077740116) for the uploaded key is returned.

To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.

copy link to clipboardResponse Codes

Response CodeDescription
2xxSuccess
4xxClient errors
5xxServer errors

Refer to HTTP status codes for details.

On this page