Key Material Export and Upload
This section describes how to prevent CCKM users from exporting source key material. The section also describes how to allow CCKM users other than key owners to upload source key material to the cloud.
Preventing CCKM Users from Exporting Key Material
When a CCKM user creates a new source key on the CipherTrust Manager and uploads it to the cloud, then, as a key owner, the CCKM user has all permissions on the source key. So, the CCKM user can export the source key material after upload.
To prevent the CCKM user from exporting the source key material:
-
Create a custom group, for example,
<deny-export-policy-group>
. This group will be denied permission to export the source key material through a policy.POST /api/v1/usermgmt/groups { "name": "<deny-export-policy-group>" }
-
Create a policy, for example,
<deny-export-policy>
to deny the source key export.POST /api/v1/admin/policies { "name": "<deny-export-policy>", "allow": true, "effect": "deny", "actions": [ "ExportKey" ] }
-
Attach the policy, for example,
<deny-export-policy>
to the custom group.POST /api/v1/admin/policy-attachments { "policy": "<deny-export-policy>", "principalSelector": { "cust": { "groups": [ "<deny-export-policy-group>" ] } } }
-
Add the CCKM user,
<cckm-user>
, to the custom group.POST /api/v1/usermgmt/groups/<deny-export-policy-group>/users/<cckm-user> { "name": "<deny-export-policy-group>", "created_at": "<timestamp>", "updated_at": "<timestamp>" }
The CCKM user can no longer export the key material.
Permitting CCKM Users to Upload Key Material
When the CCKM user is not the key owner, grant the read key and export/upload key permisson on the source key to the CCKM Users group or the custom group.
PATCH /api/v1/vault/keys2/<key-id>
{
"meta": {
"ownerId": "<owner-ID>",
"permissions": {
"ReadKey": [
"<group-name>"
],
"UploadKey": [
"<group-name>"
]
}
}
}
The CCKM user can upload the source key material successfully.