
Key Life Cycle Management APIs

Uploading Keys to Azure Key Vault


Use the POST /v1/cckm/azure/upload-key API to upload a key created on CipherTrust Manager to an Azure key vault.

Syntax

curl -k '<IP>/api/v1/cckm/azure/upload-key' \
 -H 'Authorization: Bearer AUTHTOKEN' \
 -H 'Content-Type: application/json' \
 --data-binary $'{\n "key_name": "<key_name>",\n "local_key_identifier": "<local_key_id>",\n "key_vault": "<key_vault>"\n}' --compressed

Request Parameters

Parameter | Type | Description
AUTHTOKEN | string | Authorization token.
key_name | string | Name of the key on Azure. Key name can only contain alphanumeric characters and dashes.
key_vault | string | Name or ID of the key vault where the key will be uploaded.
azure_param | JSON | Azure key parameters. Refer to Azure Parameters below for details.
local_key_identifier | string | Name or ID of the CipherTrust Manager key to upload. This parameter is mandatory if source_key_tier is local.
luna_key_identifier | string | Name or ID of the HSM Luna key to upload. This parameter is mandatory if source_key_tier is hsm-luna.
password | string | PFX password. Specify only if the PFX certificate is provided.
pfx | string | PFX key. Specify a Base64 encoded key.
source_key_tier | string | Tier of the source. Possible options are:
  • local (default)
  • pfx
  • hsm-luna
  • dsm
dsm_key_identifier | string | ID of the DSM key. This parameter is mandatory if source_key_tier is dsm.
kek_kid | string | ID of the Azure key encryption key.
exportable | boolean | Whether the private key can be exported from Azure. Set to true to allow the key export. Also, specify release_policy. Currently, the exportable parameter is valid only when the key source is hsm-luna and the Azure vault is a premium vault or a managed HSM vault. The exportable parameter cannot be modified after key creation.
release_policy | JSON | Policy rules under which the key can be exported. release_policy is mandatory when exportable is set to true.

Azure Parameters

Parameter | Type | Description
attributes | JSON | Attributes for the key such as exp, enabled, and nbf. Possible options are:
  • nbf - Activation date for the key in Unix Epoch time format.
  • exp - Expiration date for the key in Unix Epoch time format.
  • enabled - Specify whether the key is enabled or disabled (true/false).
hsm | boolean | Allow key creation in Azure HSM. Set to true to allow, false to deny.
key_ops | array of strings | Cryptographic operations performed by the key. Possible options are:
  • encrypt
  • decrypt
  • sign
  • verify
  • wrapKey
  • unwrapKey
tags | JSON | Optional parameter to add additional information to the key. The value must be specified as a key-value pair. Tag values must follow these rules:
  • CCKM allows the following characters in tag values:
    • Alphanumeric characters
    • Special characters ! @ # $ ) ( { } > < ? + - / [ ] ^ & + = | ~ ` ; . ' _
  • CCKM does not allow the following special characters in tag values: \ , : " %
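The following Python client is an added example, not Thales' own code. It builds the request body from the parameters in the two tables above and refuses, before anything is sent, input the tables say the service rejects: key names with characters other than alphanumerics and dashes, tag values containing \ , : " %, key_ops outside the documented set, a missing identifier for the chosen source_key_tier, exp not later than nbf, and exportable without release_policy or with a source other than hsm-luna. It then sends the request with TLS certificate verification on, which the curl -k in the syntax above disables. The host, token and CA file are placeholders; the key, vault and tag values are taken from the page's example or constructed.

```python
"""Build, validate and send a CCKM /v1/cckm/azure/upload-key request.
Added example, not Thales' code; the rules are those in the parameter
tables, and host/token/CA file are placeholders."""
import json
import re
import ssl
import urllib.request
from datetime import datetime, timezone

KEY_NAME_RE = re.compile(r"[A-Za-z0-9-]+")               # alphanumerics and dashes only
TAG_SPECIAL_ALLOWED = set("!@#$)({}><?+-/[]^&=|~`;.'_")  # allowed besides alphanumerics
TAG_FORBIDDEN = set('\\,:"%')                            # rejected by CCKM
KEY_OPS_ALLOWED = {"encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"}
TIER_IDENTIFIER = {"local": "local_key_identifier", "hsm-luna": "luna_key_identifier",
                   "dsm": "dsm_key_identifier", "pfx": "pfx"}  # mandatory field per tier


def valid_key_name(name):
    return KEY_NAME_RE.fullmatch(name) is not None


def valid_tag_value(value):
    # Only characters the table lists as allowed; a space, for instance, is not listed.
    return all((ch.isascii() and ch.isalnum()) or ch in TAG_SPECIAL_ALLOWED for ch in value) \
        and not any(ch in TAG_FORBIDDEN for ch in value)


def epoch(dt):
    """nbf/exp are Unix epoch seconds; normalise a timezone-aware datetime."""
    return int(dt.astimezone(timezone.utc).timestamp())


def build_upload_request(key_name, key_vault, key_identifier, source_key_tier="local",
                         key_ops=None, attributes=None, tags=None,
                         exportable=False, release_policy=None):
    """Return the JSON body, or raise ValueError for input the docs say is invalid,
    so nothing malformed reaches the service."""
    if not valid_key_name(key_name):
        raise ValueError("key_name may contain only alphanumeric characters and dashes")
    if source_key_tier not in TIER_IDENTIFIER:
        raise ValueError(f"unknown source_key_tier {source_key_tier!r}")
    if not key_identifier:
        raise ValueError(f"{TIER_IDENTIFIER[source_key_tier]} is mandatory for {source_key_tier}")
    body = {"key_name": key_name, TIER_IDENTIFIER[source_key_tier]: key_identifier,
            "key_vault": key_vault}
    if source_key_tier != "local":          # local is the default and left implicit
        body["source_key_tier"] = source_key_tier
    azure_param = {}
    if key_ops is not None:
        if set(key_ops) - KEY_OPS_ALLOWED:
            raise ValueError(f"unsupported key_ops: {sorted(set(key_ops) - KEY_OPS_ALLOWED)}")
        azure_param["key_ops"] = list(key_ops)
    if attributes:
        if "nbf" in attributes and "exp" in attributes and attributes["exp"] <= attributes["nbf"]:
            raise ValueError("exp must be later than nbf")
        azure_param["attributes"] = dict(attributes)
    if tags:
        bad = {k: v for k, v in tags.items() if not valid_tag_value(str(v))}
        if bad:
            raise ValueError(f"tag values CCKM rejects: {bad}")
        azure_param["tags"] = dict(tags)
    if azure_param:
        body["azure_param"] = azure_param
    if exportable:   # documented constraints: hsm-luna source, release_policy mandatory
        if source_key_tier != "hsm-luna":
            raise ValueError("exportable is only valid when source_key_tier is hsm-luna")
        if not release_policy:
            raise ValueError("release_policy is mandatory when exportable is true")
        body.update(exportable=True, release_policy=release_policy)
    return body


def upload_key(base_url, token, body, cafile=None):
    """POST with certificate verification on (curl -k in the docs turns it off)."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(f"{base_url}/api/v1/cckm/azure/upload-key",
                                 data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    req = build_upload_request(
        "Uploadtestkey", "bedb82b9-582c-402d-9874-f3368722cf46", "rsakey",
        key_ops=["sign", "verify"], tags={"owner": "crypto-team"},   # constructed values
        attributes={"nbf": epoch(datetime(2020, 9, 30, tzinfo=timezone.utc)),
                    "exp": epoch(datetime(2021, 9, 30, tzinfo=timezone.utc)), "enabled": True})
    print(json.dumps(req, indent=2))
    # upload_key("https://<IP>", "AUTHTOKEN", req, cafile="ca.pem")  # placeholders
```

Restricting key_ops to what the consumer actually needs (sign/verify for a signing key, wrapKey/unwrapKey for a KEK) is worth doing at upload time, since the example response shows that a key uploaded without key_ops receives all six operations.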

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/azure/upload-key' \
 -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MDIzNTY1Yy0xOWI3LTQyY2UtODZmMi1jNWI3MTA1MTJhZjMiLCJzdWIiOiJsb2NhbHwwMWI4M2EwZS1mY2U1LTQ5MjgtODhiNi0zNTNkMmQ3ZTBiNDMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiZGJlNzU2MWYtZDVhOS00ZGEzLWJiZTEtNjlhMTg0Y2U3YzEzIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImI1ZTYwMjQ5LTI5MTgtNDVlNS04ZTM3LThlMWE3MGEwNjYyYSIsImlhdCI6MTYwMTQ2MTQxNiwiZXhwIjoxNjAxNDYxNzE2fQ.R_iu6Qrh_hwBPylzcqOYYfw37Rgt15JEUFQh149DO2o' \
 -H 'Content-Type: application/json' \
 --data-binary $'{\n "key_name": "Uploadtestkey",\n "local_key_identifier": "rsakey",\n "key_vault": "bedb82b9-582c-402d-9874-f3368722cf46"\n}' --compressed

Example Response

{
    "id": "b3779b0a-09ca-4b2d-b9e6-8947bb5d740f",
    "uri": "kylo:kylo:cckm:azure-key:b3779b0a-09ca-4b2d-b9e6-8947bb5d740f",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2020-09-30T10:24:41.448099979Z",
    "updatedAt": "2020-09-30T10:24:41.446020965Z",
    "key_vault": "keyvault-softkeys::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
    "key_vault_id": "bedb82b9-582c-402d-9874-f3368722cf46",
    "region": "northcentralus",
    "deleted": false,
    "backup_at": "2020-09-30T10:24:41.435775419Z",
    "soft_delete_enabled": true,
    "key_soft_deleted_in_azure": false,
    "status": "ACTIVE",
    "syncedAt": "2020-09-30T10:24:40Z",
    "created_by": "ef767cf9-61dd-4765-a4df-ebd65493c728",
    "modified_by": "ef767cf9-61dd-4765-a4df-ebd65493c728",
    "version": "628cd445146240c3bbd226e3d7ca5c62",
    "key_size": 2048,
    "backup": "c95104adb1684af69b86927cb993a03e905f0462e19d42c5be40778ac993ddc2",
    "key_name": "Uploadtestkey",
    "local_key_id": "c9a282fcae5046509212c0d711efc586d255e78316aa4771b5b126b24df9aae3",
    "local_key_name": "rsakey",
    "cloud_name": "AzureCloud",
    "azure_param": {
        "key": {
            "kid": "https://keyvaultsoftkeys.vault.azure.net/keys/Uploadtestkey/628cd445146240c3bbd226e3d7ca5c62",
            "kty": "RSA",
            "key_ops": [
                "encrypt",
                "decrypt",
                "sign",
                "verify",
                "wrapKey",
                "unwrapKey"
            ],
            "n": "nkxK6mYxOvM_ZQfc1AM2vPxslhg5WYGqaP3CtG9K4c6WEoVsPn_Iijc8bRdU02VjlAmIkRqHMms1_xxCSmy2ZMG91PQGwdrX-TeOa6kLv5b-RCsu_IP46SkDSGOgCpD0-DyfUXnPe3zgIfNOulAvFCy-rKbGmzrTuqCkEcznRHHOLiZRP1M4MF5cHBS33aqKaH5KfKndoF5Qk5PhHrqaxJ9SKBa5NL9ZZzm_DC1J4hnu2HcLVq-5cw1xL--uReyKAKsDjYZcxh6C6A9DuDe10qux1LieWJi7xzDJKbmBNWSTqle92kVOvOSy2jfxTdi721FTQucxs_Sh-lZ2eS4rQ",
            "e": "AAAAAAABAAE"
        },
        "attributes": {
            "recoveryLevel": "CustomizedRecoverable+Purgeable",
            "enabled": true,
            "created": 1601461480,
            "updated": 1601461480
        }
    },
    "azure_created_at": "2020-09-30T10:24:40Z",
    "azure_updated_at": "2020-09-30T10:24:40Z",
    "tenant": "d27d849e-e487-4b0e-a54c-a71e67687d10",
    "meta": {
        "source_key_id": "rsakey"
    },
    "key_material_origin": "cckm",
    "rotated_at": "2020-09-30T10:24:41.435777091Z",
    "gone": false
}

The sample output shows that the key Uploadtestkey was created in the Azure key vault bedb82b9-582c-402d-9874-f3368722cf46 from local key material (local_key_id c9a282fcae5046509212c0d711efc586d255e78316aa4771b5b126b24df9aae3) created on CipherTrust Manager. Because the key material was generated on CipherTrust Manager, key_material_origin is cckm.

For details on the response parameters, refer to Response Parameters of Key Life Cycle Management APIs.

Response Codes

Response Code | Description
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.