copyright | lastupdated | keywords | subcollection | ||
---|---|---|---|---|---|
|
2020-07-07 |
import standard encryption key, upload standard encryption key, import secret, persist secret, store secret, upload secret, store encryption key, standard key API examples |
key-protect |
{:shortdesc: .shortdesc} {:screen: .screen} {:pre: .pre} {:table: .aria-labeledby="caption"} {:external: target="_blank" .external} {:codeblock: .codeblock} {:tip: .tip} {:note: .note} {:important: .important} {:term: .term}
{: #import-standard-keys}
You can add your existing encryption keys by using the {{site.data.keyword.cloud_notm}} console, or programmatically with the {{site.data.keyword.keymanagementserviceshort}} API.
{: #import-standard-key-gui}
After you create an instance of the service, complete the following steps to import an existing key by using the {{site.data.keyword.cloud_notm}} console.
If you enable dual authorization settings for your service instance, keep in mind that any keys that you add to the service require an authorization from two users to delete keys. {: note}
-
Log in to the {{site.data.keyword.cloud_notm}} console{: external}.
-
Go to Menu > Resource List to view a list of your resources.
-
From your {{site.data.keyword.cloud_notm}} resource list, select your provisioned instance of {{site.data.keyword.keymanagementserviceshort}}.
-
To import a new key, click Add key and select the Import your own key window.
Specify the key's details:
Table 1. Describes the Import your own key settings Setting Description Name A human-readable alias for easy identification of your key. Length must be within 2 - 90 characters.
To protect your privacy, ensure that the key name does not contain personally identifiable information (PII), such as your name or location.
Key type The [type of key](/docs/key-protect?topic=key-protect-envelope-encryption#key-types) that you would like to manage in {{site.data.keyword.keymanagementserviceshort}}. From the list of key types, select Standard key. Key material The base64 encoded key material, such as a symmetric key, that you want to manage in the service. For more information, check out [Base64 encoding your key material](#how-to-encode-standard-key-material).
Ensure that the key material meets the following requirements:
- The key can be up to 10,000 bytes in size.
- The bytes of data must be base64 encoded.
-
When you are finished filling out the key's details, click Import key to confirm.
{: #import-standard-key-api}
Import a standard key by making a POST
call to the following endpoint:
https://<region>.kms.cloud.ibm.com/api/v2/keys
{: codeblock}
-
Retrieve your service and authentication credentials to work with keys in the service.
-
Call the {{site.data.keyword.keymanagementserviceshort}} API{: external} with the following cURL command.
curl -X POST \ 'https://<region>.kms.cloud.ibm.com/api/v2/keys' \ -H 'authorization: Bearer <IAM_token>' \ -H 'bluemix-instance: <instance_ID>' \ -H 'content-type: application/vnd.ibm.kms.key+json' \ -H 'correlation-id: <correlation_ID>' \ -H 'prefer: <return_preference>' \ -d '{ "metadata": { "collectionType": "application/vnd.ibm.kms.key+json", "collectionTotal": 1 }, "resources": [ { "type": "application/vnd.ibm.kms.key+json", "name": "<key_alias>", "description": "<key_description>", "expirationDate": "<YYYY-MM-DDTHH:MM:SS.SSZ>", "payload": "<key_material>", "extractable": <key_type> } ] }'
{: codeblock}
Replace the variables in the example request according to the following table.
Table 2. Describes the variables that are needed to add a standard key with the {{site.data.keyword.keymanagementserviceshort}} API Variable Description region Required. The region abbreviation, such as
us-south
oreu-gb
, that represents the geographic area where your {{site.data.keyword.keymanagementserviceshort}} service instance resides.For more information, see [Regional service endpoints](/docs/key-protect?topic=key-protect-regions#service-endpoints).
IAM_token Required. Your {{site.data.keyword.cloud_notm}} access token. Include the full contents of the
IAM
token, including the Bearer value, in the cURL request.For more information, see [Retrieving an access token](/docs/key-protect?topic=key-protect-retrieve-access-token).
instance_ID Required. The unique identifier that is assigned to your {{site.data.keyword.keymanagementserviceshort}} service instance.
For more information, see [Retrieving an instance ID](/docs/key-protect?topic=key-protect-retrieve-instance-ID).
correlation_ID The unique identifier that is used to track and correlate transactions. return_preference A header that alters server behavior for
POST
andDELETE
operations.When you set the return_preference variable to
return=minimal
, the service returns only the key metadata, such as the key name and ID value, in the response entity-body. When you set the variable toreturn=representation
, the service returns both the key material and the key metadata.key_alias Required. A unique, human-readable name for easy identification of your key. To protect your privacy, do not store your personal data as metadata for your key. key_description An extended description of your key. To protect your privacy, do not store your personal data as metadata for your key. YYYY-MM-DD
HH:MM:SS.SSThe date and time that the key expires in the system, in RFC 3339 format. If the expirationDate
attribute is omitted, the key does not expire.key_material The base64 encoded key material, such as a symmetric key, that you want to manage in the service. For more information, check out [Base64 encoding your key material](#how-to-encode-standard-key-material).
Ensure that the key material meets the following requirements:
- The key can be up to 10,000 bytes in size.
- The bytes of data must be base64 encoded.
- Ensure that the key is 128, 192, or 256 bits in length.
key_type A boolean value that determines whether the key material can leave the service.
When you set the
extractable
attribute totrue
, the service designates the key as a standard key that you can store in your apps or services.To protect the confidentiality of your personal data, avoid entering personally identifiable information (PII), such as your name or location, when you add keys to the service. For more examples of PII, see section 2.2 of the NIST Special Publication 800-122{: external}. {: important}
A successful
POST api/v2/keys
response returns the ID value for your key, along with other metadata. The ID is a unique identifier that is assigned to your key and is used for subsequent calls to the {{site.data.keyword.keymanagementserviceshort}} API. -
Optional: Verify that the key was added by running the following call to get the keys in your {{site.data.keyword.keymanagementserviceshort}} service instance.
curl -X GET \ 'https://<region>.kms.cloud.ibm.com/api/v2/keys' \ -H 'accept: application/vnd.ibm.collection+json' \ -H 'authorization: Bearer <IAM_token>' \ -H 'bluemix-instance: <instance_ID>'
{: codeblock}
{: #how-to-encode-standard-key-material}
When importing an existing standard key, it is required to include the encrypted key material that you want to store and manage in the service.
{: #open-ssl-encoding-standard-existing-key-material}
-
Download and install OpenSSL{: external}.
-
Base64 encode your key material string by running the following command:
$ openssl base64 -in <infile> -out <outfile>
{: codeblock}
Replace the variables in the example request according to the following table.
Table 3. Describes the variables that are needed to base64 encode your key material. Variable Description infile The name of the file where your key material string resides.
outfile The name of the file where your base64 encoded key material will be be outputted once the command has ran.
Ensure that the key is 128, 192, or 256 bits in length.
If you want to output the base64 material in the command line directly rather
than a file, run the command openssl enc -base64 <<< '<key_material_string>'
,
where key_material_string is the key material input for your imported key.
{: note}
{: #open-ssl-encoding-standard-new-key-material}
-
Download and install OpenSSL{: external}.
-
Base64 encode your key material string by running the following command:
$ openssl rand <bit_length> -base64
{: codeblock}
Replace the variable in the example request according to the following table.
Table 4. Describes the variable that is needed to create and encode new key material. Variable Description bit_length The length of the key, measured in bits.
Acceptable bit lengths: 128, 192, 256
{: #import-standard-key-next-steps}
- To find out more about programmatically managing your keys, check out the {{site.data.keyword.keymanagementserviceshort}} API reference doc{: external}.