Creating Keys
This section describes steps to create an encryption key using the CTE API.
Overview
Keys in a CTE policy must fulfill the following conditions. The keys should:
- Have the CTE Clients group permissions
- Have the Key Users group permissions (for ESG GuardPoints only)
- Be exportable
- Be non-versioned or versioned, as the policy type requires (standard policies use non-versioned keys)
- Use the "CBC_CS1" encryption mode
- Have metadata with the following details:
{
  "cte": {
    "is_used": <true/false>,
    "cte_versioned": <true/false>,
    "encryption_mode": <"CBC_CS1">,
    "persistent_on_client": <true/false>
  },
  "ownerId": "string",
  "permissions": {
    "ReadKey": [ "CTE Clients" ],
    "ExportKey": [ "CTE Clients" ]
  }
}
CTE supports standard policies.
Keys for Standard Policies
Standard policies support only non-versioned keys.
Keys should have CTE Clients group access and, for ESG GuardPoints, Key Users group access.
The CTE Clients group should have the Read Key and Export Key permissions.
The Key Users group should have the Read Key and Export Key permissions (for ESG GuardPoints only).
Standard policies support "CBC_CS1" keys.
API
/v1/vault/keys2/ [POST]
Sample
{
  "name": "Standard_pol_key",
  "algorithm": "aes",
  "size": 256,
  "undeletable": true,
  "unexportable": false,
  "meta": {
    "ownerId": "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c",
    "permissions": {
      "DecryptWithKey": [
        "CTE Clients"
      ],
      "EncryptWithKey": [
        "CTE Clients"
      ],
      "ExportKey": [
        "CTE Clients"
      ],
      "MACVerifyWithKey": [
        "CTE Clients"
      ],
      "MACWithKey": [
        "CTE Clients"
      ],
      "ReadKey": [
        "CTE Clients"
      ],
      "SignVerifyWithKey": [
        "CTE Clients"
      ],
      "SignWithKey": [
        "CTE Clients"
      ],
      "UseKey": [
        "CTE Clients"
      ]
    },
    "cte": {
      "persistent_on_client": true,
      "encryption_mode": "CBC_CS1",
      "cte_versioned": false
    }
  },
  "xts": false
}
Deleting CTE Keys
A CTE key cannot be deleted if it is being used in a policy.
The CTE Admins and Key Admins group permissions are required to delete a CTE key.
API
/v1/vault/keys2/{id} [DELETE]
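The following script is an added example, not code from the CTE or CipherTrust Manager documentation. It builds a request body for the key-creation API above, checks it against the conditions listed in the Overview before anything is sent (exportable, CBC_CS1, non-versioned for a standard policy, CTE Clients and, for ESG GuardPoints, Key Users holding ReadKey and ExportKey), and wraps the POST and DELETE calls. The base URL, the bearer-token authorization scheme and the `standard_policy`/`esg` parameters are assumptions made for the example. Unlike the page's sample, the body grants only the two permissions the Overview requires; add the others only if a policy needs them.

```python
"""Helpers for creating and deleting CTE keys through the CipherTrust Manager
/v1/vault/keys2/ endpoint.  Added example, not code from the product docs.
Assumed: a bearer JWT in the Authorization header and the host name; the
conditions checked are the ones listed in the Overview of this page."""
import json
import urllib.error
import urllib.request

CTE_CLIENTS = "CTE Clients"
KEY_USERS = "Key Users"            # required for ESG GuardPoints only
REQUIRED_PERMS = ("ReadKey", "ExportKey")
CTE_MODE = "CBC_CS1"


def build_cte_key(name, owner_id, esg=False, versioned=False, persistent=True):
    """Return a /v1/vault/keys2/ request body for a CTE key.

    Only ReadKey and ExportKey are granted (the minimum the Overview lists);
    the page's sample grants several more permissions."""
    groups = [CTE_CLIENTS] + ([KEY_USERS] if esg else [])
    return {
        "name": name,
        "algorithm": "aes",
        "size": 256,
        "undeletable": True,          # guard against accidental deletion
        "unexportable": False,        # CTE clients must be able to export it
        "meta": {
            "ownerId": owner_id,
            "permissions": {perm: list(groups) for perm in REQUIRED_PERMS},
            "cte": {
                "persistent_on_client": persistent,
                "encryption_mode": CTE_MODE,
                "cte_versioned": versioned,
            },
        },
        "xts": False,
    }


def check_cte_key(key, standard_policy=True, esg=False):
    """Return the Overview conditions the body violates (empty list = OK)."""
    problems = []
    if key.get("unexportable", False):
        problems.append("key must be exportable (unexportable must be false)")
    meta = key.get("meta", {})
    cte = meta.get("cte", {})
    if cte.get("encryption_mode") != CTE_MODE:
        problems.append(f"encryption_mode must be {CTE_MODE}")
    if standard_policy and cte.get("cte_versioned", False):
        problems.append("standard policies support only non-versioned keys")
    perms = meta.get("permissions", {})
    for group in [CTE_CLIENTS] + ([KEY_USERS] if esg else []):
        for perm in REQUIRED_PERMS:
            if group not in perms.get(perm, []):
                problems.append(f"{group} lacks {perm}")
    return problems


def _call(base_url, token, method, path, body=None, timeout=10):
    """Send one authenticated request; return (status, parsed or raw body)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")   # assumed auth scheme
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            raw, status = resp.read().decode(), resp.status
    except urllib.error.HTTPError as err:
        raw, status = err.read().decode(), err.code
    try:
        return status, json.loads(raw)
    except ValueError:
        return status, raw


def create_key(base_url, token, key, **check_kwargs):
    """Validate locally, then POST /v1/vault/keys2/.  Raises on a bad body so
    a key that no CTE client could use is never created on the server."""
    problems = check_cte_key(key, **check_kwargs)
    if problems:
        raise ValueError("; ".join(problems))
    return _call(base_url, token, "POST", "/v1/vault/keys2/", key)


def delete_key(base_url, token, key_id):
    """DELETE /v1/vault/keys2/{id}.  The server refuses to delete a key that a
    policy still uses, and the caller needs the CTE Admins and Key Admins
    group permissions; the status and body are returned unchanged so the
    caller can see which condition failed."""
    return _call(base_url, token, "DELETE", f"/v1/vault/keys2/{key_id}")


if __name__ == "__main__":
    body = build_cte_key("Standard_pol_key", "local|f02d8ec9-34dd-42fd-99e7-85cb7f18180c")
    print(json.dumps(body, indent=2))
    print("violations:", check_cte_key(body))
```

Run `check_cte_key` on any body you receive from automation before calling `create_key`; a key that is unexportable or not CBC_CS1 is accepted by the key manager but cannot be used by a CTE GuardPoint, and with `"undeletable": true` it then has to be made deletable before it can be cleaned up.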