Please Note:

Importing, Exporting, and Replicating Keys

The XML Interface enables you to:

Import symmetric keys (see KeyImportRequest)
Examples:
Export symmetric keys (see KeyExportRequest)
Examples:
Export public keys (see PublicKeyExportRequest)
Examples:
- Export an RSA Key

Plain text RSA private keys are imported and exported in PEM-encoded ASN.1 DER-encoded PKCS #1 format. In addition, the NAE Server is able to import and export encrypted RSA keys. They are imported and exported in PEM ASCII-encoded PKCS #12 format and can only be used with other NAE Servers.

The client can request that the server export a specified key to the client. That key must be exportable and accessible by the user. Global keys are available to any user; non-global keys are available to their owners. For information on generating exportable keys on the server, see Key Management Operations.

KeyImportRequest

Import a key.

<KeyImportRequest>
    <ID>...</ID>
    <KeyName>...</KeyName>
    <KeyUUID>...</KeyUUID>       #Optional
    <KeyMUID>...</KeyMUID>       #Optional
    <ExternalKeyID>...</ExternalKeyID>           #Optional
    <Algorithm>...</Algorithm>
    <VersionedKey/>                 # optional
    <KeyVersionState>...</KeyVersionState>       # optional
    <WrapAlgorithm>...</WrapAlgorithm>         # optional
    <HashAlgorithm>...</HashAlgorithm>          # optional
    <Salt>...</Salt>                    # optional
    <Info>...</info>                    # optional
    <OkmLen>...</OkmLen>                    # optional
    <WrapKeyName>...</WrapKeyName>                    # optional
    <Padded/>                    # optional
    <WrapFormat>...</WrapFormat>                   # optional
    <PBEParameters>...</PBEParameters>          #optional
    <Password>...</Password>
    <KeyData>...</KeyData>
    <Exportable/>
    <Deletable/>
    <Aliases>                        # optional, supported for 6.3 and higher
    <Alias>
        <Name>...</Name>
    </Alias>
    <Alias>
        <Name>...</Name>
        <Type>...</Type>
    </Alias>
    </Aliases>
    <KeyRotation>                    # optional, supported for 6.3 and higher 
        <Frequency>...</Frequency>       
    </KeyRotation>
</KeyImportRequest>
<KeyImportResponse>
   <ID>...</ID>
   <Success>true</Success>
   <Fingerprint>...</Fingerprint>
   <KeyName>...</KeyName>
</KeyImportResponse>

Import a key having Custom Attributes.

<KeyImportRequest>
    <ID>...</ID>
    <KeyName>...</KeyName>           # optional
    <RandomKey/>                     # optional
    <Algorithm>...</Algorithm>
    <KeySize>...</KeySize>           # optional
    <KeyData>...</KeyData>
    <Exportable/>                    # optional
    <Deletable/> # optional
    <Permissions>...</Permissions>   # optional
    <CustomAttributeList>            # optional
        <CustomAttribute>
            <Name>...</Name>
            <Type>...</Type>         # optional, supported for 3.0, 6.1, and higher
            <Value>...</Value>
        </CustomAttribute>
        ...
    </CustomAttributeList>
</KeyImportRequest>

Element	Description
ID	Contains the user-specified request ID.
KeyName	Specifies a name for the key. Key names must be unique: two keys cannot have the same name. If you do not include the KeyName element in the request, you must request a randomly-generated name for the key, using the RandomKey element. The KeyGenRequest element requires that you include either the RandomKey child element or the KeyName child element.
KeyUUID	Universally Unique Identifier (UUID) is a 128 bits DPM key identifier. It is specified in 32 hexadecimal lowercase digits with 4 dashes. If the UUID is not specified by the user, then system automatically generates a UUID. For example, `<KeyUUID>426ba632-2244-4ae1-8b3a-ad8162a1df47</KeyUUID>`
KeyMUID	Multiversally Unique Identifier (MUID) is a 256 bits DPM key identifier. For example, `<KeyMUID>426ba632-2244-4ae1-8b3a-ad8162a1df476d2c89a7-5830-476a-b5d0-b2edaca55d7e</KeyMUID>`
ExternalKeyID	It's a 32 bit DPM key identifier. It is specified in Long type format. For example, `<ExternalKeyID>9934567890</ExternalKeyID>`
RandomKey	Indicates that the server should generate a random unique key name for the generated key. The randomly-generated key name is guaranteed to be a cryptographically secure random string. If you do not include the RandomKey element in the request, you must specify a name for the key, using the KeyName element. The KeyGenRequest element requires that you include either the RandomKey child element or the KeyName child element.
Algorithm	Contains a standard identifier string for a cryptographic algorithm supported by the server. The length of the Algorithm string should not exceed 256 characters. The algorithm can be any of the following: • AES • DESede • ARIA • HmacSHA1 • HmacSHA256 • HmacSHA384 • HmacSHA512 • RSA • SEED • RSA-Certificate • EC-Certificate (represents ECC)
VersionedKey	Indicates that this is a versioned key. When you use the KeyImportRequest to create a version key, it automatically creates the first version of the key. To create the subsequent versions, use `KeyVersionGenRequest` or `KeyVersionImportRequest`.
KeyVersionState	The desired state of the first key version. Valid values are: • Pre-Active • Active • Restricted • Retired If you do not include this tag, the first key version is Active by default.
KeySize	Specifies the key size. If you do not specify a key size by including the KeySize element, the server uses the default key size for the algorithm, listed in bold below. The supported key sizes are: • AES - 128, 256,192 • DESede - 112, 168 • HmacSHA1 - variable, 160 • HmacSHA1-128 and 25 • HmacSHA256-128/192/256/512 • HmacSHA384-192/288/384 • HmacSHA512-256/384/512 • RSA-4096 • RSA - 512, 1024, 2048 • EC-secp224k1-225 • EC-secp224r1-224 • EC-secp256k1-256 • EC-secp384r1-384 • EC-secp521r1-521 • EC-prime256v1-256 • EC-brainpoolP224r1-224 • EC-brainpoolP224t1-224 • EC-brainpoolP256r1-256 • EC-brainpoolP256t1-256 • EC-brainpoolP384r1-384 • EC-brainpoolP384t1-384 • EC-brainpoolP512r1-512 • EC-brainpoolP512t1-512
KeyData	The KeyData element contains the actual key being imported. For import and export operations the KeyData element contains the ASCII-Hex-encoded bytes of the key.
Exportable	Indicates that the key can be exported from the server using a client XML request. Keys created on the server are not, by default, exportable. This element is optional.
Deletable	Indicates that the key can be deleted from the server using a client request. Keys created on the server are not, by default, deletable. This element is optional.
Aliases	Specifies the list of Alias elements.
Alias	Alias is unique for each key version. You can search the keys using Alias. This element contains `<Name>` and `<Type>` elements.
Name	Indicates the name of the Alias elements.
Type	Specifies the data type of an Alias (`<Name>`) element. It is an optional tag, and can be of the following types: • String • URI NOTE: If `<Type>` is not specified, the data type of the `<Name>` element is selected as String.
Permissions	Specifies the key usage permissions granted to specific groups. An owner of a key can grant key usage permissions to specific user groups by adding the Permissions element, and the Group and appropriate key usage permission elements: Encrypt, Decrypt, MAC, MACV, SIGN, SIGNV, UsePrivate, and UsePublic. This element is optional.
Group	Specifies the group that has permission to use key. A child element of the Permissions element.
Encrypt	Indicates that the group can use the key to encrypt data.
Decrypt	Indicates that the group can use the key to decrypt data.
MAC	Indicates that the group can use the key to create MACs. Available for HMAC and AES keys.
MACV	Indicates that the group can use the key to verify MACs. Available for HMAC and AES keys.
SIGN	Indicates that the group can use the key to create signatures. Available for RSA keys.
SIGNV	Indicates that the group can use the key to verify signatures. Available for RSA keys.
UsePrivate	Indicates that the group can use the private portion of the key to decrypt data. Available for RSA keys.
UsePublic	Indicates that the group can use the public portion of the key to encrypt data. Available for RSA keys.
KeyRotation	Specifies the key rotation attributes. This element is optional.
Frequency	When the KeyRotation attribute is present, this element contains the rotation frequency of a key. It specifies the number of days from the current date to rotate the key. It should be greater than or equal to 0. If set to 0, the auto rotation of key will be disabled. NOTE: The scheduler job that triggers the auto rotation of keys at the specified frequency is `system_auto_key_rotation`. For more details on the Scheduler, refer to Administration Guide.
CustomAttributeList	Specifies the list of custom attributes. This element can contain multiple CustomerAttribute elements. This element is optional.
CustomAttribute	When a custom attribute is present, this element contains one Name and one Value element.
Name	Indicates the name of the custom attribute.
Type	Data type of Custom Attribute. Can be one of the following types: • String • Integer • Long Integer • Big Integer • Enumeration • Boolean • Byte String • Date/Time (default format: "yyyy-mm-dd hr:mm:ss") • Interval *NOTE: If `<Type>` is not specified, then String is selected as the default data-type for `<Value>`.
Value	Specifies the value of the attribute. This value must be base64 encoded, and input is considered as text. If your original data contains non-printable characters, convert the original data to hex values, and then convert the hex values to base64.
WrapAlgorithm	Possible values: • PBE - For password based encryption • HKDF - In case of AES-UNWRAP, if this is specified, then the key will be derived from HKDF parameters. • RSA-AES-WRAP - It is an RSA AES key unwrap mechanism. Supported values: • RSA-AES-WRAP/AES-128 • RSA-AES-WRAP/AES-192 • RSA-AES-WRAP/AES-256 (default) Where, AES-128/AES-192/AES-256 are temporary AES key sizes generated by the CipherTrust Manager.
PBEParameters	Click here for detailed description of PBE parameters.
HashAlgorithm	Possible values: SHA1, SHA224, SHA256, SHA384, SHA512.
Salt	Random HEX bytes of any length.
Info	Random HEX bytes of any length.
OkmLen	The desired OKM length in integer.
WrapKeyName	Key name to be used as unwrapping key. If it is a AES key, it does AES Unwrap. If it is RSA key, it does RSA Unwrap.
Padded	If specified, AES-UNWRAP padding is performed. (RFC 5649)
WrapFormat	The following PKCS1v2.1 implementation formats are applicable for RSA and RSA-AES-WRAP unwrap: • PKCS1v2.1/RSAOAEP-SHA1 • PKCS1v2.1/RSAOAEP-SHA256 (default for RSA-AES-WRAP) • PKCS1v2.1/RSAOAEP-SHA384 • PKCS1v2.1/RSAOAEP-SHA512 NOTE: For RSA unwrap, the default wrap format is PKCS1v1.5. The RSA-AES-WRAP does not support PKCS1v1.5 format.

For non-versioned keys created on NAE interface, do not create a new version from any other interface such as GUI, REST, or KMIP. This can lead to data corruption on the NAE interface.

KeyImportResponse

Server response to a KeyImportRequest

<KeyImportResponse>
<ID>...</ID>
<Success>true</Success>
<KeyName>...</KeyName>
<Fingerprint>...</Fingerprint>
</KeyImportResponse>

Element	Description
ID	Contains the user-specified request ID.
Success	Indicates if the operation was successful. true indicates success. false indicates failure. When the operation is successful, the response element will contain the elements described below. When the operation fails, the response element contains the FatalError and ErrorString elements to illustrate why the failure occurred and help you troubleshoot. For a list of possible error IDs and strings, see Error Messages.
KeyName	Contains the name of the key
Fingerprint	Contains the fingerprint of the key.

Import a Key

In the example below, the client imports a key with custom attributes.

<KeyImportRequest>
<ID>6</ID>
<KeyName>Key_c</KeyName>
<Algorithm>AES</Algorithm>
<KeyData>f00f09bf5058ff5b552490ab2e8991ae</KeyData>
<Exportable/>
<Deletable/>
</KeyImportRequest>
<KeyImportResponse>
<ID>6</ID>
<Success>true</Success>
<Fingerprint>6AC4C74C6458F8CE</Fingerprint>
<KeyName>Key_c</KeyName>
</KeyImportResponse>

Import a Key with Custom Attributes

In the example below, the client imports an AES key with custom attributes.

<KeyImportRequest>
    <ID>7</ID>
    <KeyName>key_d</KeyName>
    <Algorithm>AES</Algorithm>
    <KeySize>256</KeySize>
    <KeyData>29DE1ED3C0BD13334684CBF04497E44A1D63DCE0FDB7D5EA382470FF085DC317</KeyData>
    <Exportable/>
    <Deletable/>
    <CustomAttributeList>
        <CustomAttribute>
            <Name>ImportInt</Name>
            <Type>Integer</Type>
            <Value>MTAw</Value>
        </CustomAttribute>
    </CustomAttributeList>
</KeyImportRequest>
<KeyImportResponse>
    <ID>7</ID>
    <Success>true</Success>
    <Fingerprint>BF14803AADF4B8E9</Fingerprint>
    <KeyName>key_d</KeyName>
</KeyImportResponse>

Import a Key with External key-Ids

In the example below, the client imports an AES key.

<KeyImportRequest>
<ID>7</ID>
<KeyName>key_d</KeyName>
<KeyUUID>426ba632-2244-4ae1-8b3a-ad8162a1df47</KeyUUID>
<KeyMUID>426ba632-2244-4ae1-8b3a-ad8162a1df476d2c89a7-5830-476a-b5d0-b2edaca55d7e</KeyMUID>
<ExternalKeyID>9934567890</ExternalKeyID>
<Algorithm>AES</Algorithm>
<KeySize>256</KeySize>
<KeyData>...</KeyData>
<Exportable/>
<Deletable/>
</KeyImportRequest>
<KeyImportResponse>
<ID>7</ID>
<Success>true</Success>
<Fingerprint>BF14803AADF4B8E9</Fingerprint>
<KeyName>key_d</KeyName>
</KeyImportResponse>

Import a Key using Password Based Encryption (PBE) Parameters

In the example below, the client imports key with PBE parameters. The PBE parameters value must be same as used in the KeyExportRequest.

<KeyImportRequest>
    <ID>001</ID>
    <KeyName>test-key</KeyName>
    <Algorithm>AES</Algorithm>
    <KeySize>256</KeySize>
    <KeyData>Ax0zJk4V0zJo8k7CYHQ+3OHGx93uclqTa6gUkVxnYtI=</KeyData>
    <Exportable/>
    <Deletable/>
    <WrapAlgorithm>PBE</WrapAlgorithm>
    <PBEParameters>
      <HashAlgorithm>sha256</HashAlgorithm>
      <Password>PBEPassword</Password>
      <Iteration>10000</Iteration>
      <DkLen>32</DkLen>
      <Salt>92280e35fa929ec28fb140f2862c5a32</Salt>
      <Purpose>wrapPBE</Purpose>
   </PBEParameters>
</KeyImportRequest>

Import Certificate as a Managed Object using PKCS1

In the example below, the client imports a certificate using PKSC1.

<KeyImportRequest>
<ID>1000002</ID>
<KeyName>Cert_PKCS1_XML</KeyName>
<Algorithm>RSA-Certificate</Algorithm>
<KeyData>

-----BEGIN CERTIFICATE-----
MIIDvzCCAqegAwIWhcNMjMwOTE2MDQzODE5WjBnMQswCQYDVQQGEwJ1czEL
MAkGA1UECBMCY2ExFTATBgNVBAcTDHJlZHdvb2QgY2l0eTEQMA4GA1UEChMHc2Fm
ZW5ldDEUMB0 ......... rx12h6B5OWcCNOfbgTOnTisbC68tJ8w0p3wlU
spCdBamDZ6KjHq46CH8CWfQl19Gj4nYC4fytLhIDJov7LeNiEzTlQ48J0+75RTvycjWKibEI
-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----
MIIEowIBAAKCAQEAhLItSYS7WHe22H+VOyj5GlAkwcylRsCAl/kbLBUW5adSB5K3
S4SWSV5ufwJZ9CXX0 ......... ypWx5VbvHAmHkLiVIs6Xq8FDtJ6sxXx++QJ3ea0GPf7A
mzXC86k6UN7ya29wDFuWwLK+gnwD2THORrdk5U+1B0PywK4JdDOR
-----END PRIVATE KEY-----
</KeyData>
<Exportable/>
<Deletable/>
</KeyImportRequest>
<KeyImportResponse>
<ID>1000002</ID>
<Success>true</Success>
<Fingerprint>81162B67DA2D7B5A</Fingerprint>
<KeyName>Cert_PKCS1_XML</KeyName>
</KeyImportResponse>

Import Certificate as a Managed Object using PKCS8

In the example below, the client imports a certificate using PKSC8.

<KeyImportRequest>
<ID>1000002</ID>
<KeyName>Cert_PKCS1_XML</KeyName>
<Algorithm>RSA-Certificate</Algorithm>
<KeyData>

-----BEGIN CERTIFICATE-----
MIIDvzCCAqegAwIBAgIDAKLeMA0GCSqGSIb3DQEBCwUAMIGbMQswCQYDVQQGEwJV
UzELMAkG ......... 9vKL1Ff7A55/alYey5WvQvIiNSOMNajHJzZCsmI6HW
4GcMTdFet6WLZlrrtfNF2aYZzaT8Z6Xq5WzhZI0aCprrXxJX3LD1yLniYtv+I3sn
-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBgSlAgEAAoIBAQD7HkWRxyFZ7 HkWRxyFZ7HkWRxyFZnTwOcuZa ......... M+p2JD1B69yZaIX Kaavs6wmyCCctz5oF7HkWRxyFZ6Ox9VLbWY15BmNFu3w67Jvi+z/Rruwt/Qa
OMDN6GJbHF+NyP8VZPJ2Pwazrg==
-----END RSA PRIVATE KEY-----
</KeyData>
<Exportable/>
<Deletable/>
</KeyImportRequest>
<KeyImportResponse>
<ID>1000002</ID>
<Success>true</Success>
<Fingerprint>81162W958F2D7B5A</Fingerprint>
<KeyName>Cert_PKCS1_XML</KeyName>
</KeyImportResponse>

Import Certificate as a Managed Object using PKCS12

In the example below, the client imports a certificate using PKSC12.

<KeyImportRequest>
<ID>1000002</ID>
<KeyName>Cert_PKCS12_XML</KeyName>
<Algorithm>RSA-Certificate</Algorithm>
<Password>YXNkZjEyMzQ=</Password>
<KeyData>
MIIKMAIBAzCCCfYGCSqGSIb3DQEHAaCCCecEggnjMIIJ3zCCBH8GCSqGSIb3DQEHBqCCBHAwggRsAgEAMIIEZQYJKoZIhva ......... cNAQcBMBwGCiqGSIb3DQEMAQMwDgQIy
SS8AXipCEzdHu2xWn8epxP/viQmaMTwwFQYJKoZIhvcNAQkUMQgeBgBiAGEAejAjBgkqhkiG9w0BCRUxFgQUXESdPVXviBWt68FfXsKev4XRyT0wMTAhMAkGBSsOAwIaBm2FhTiiTlXbUM29TBAiN4BfHi6e53AICCAA=
</KeyData>
<Exportable/>
<Deletable/>
</KeyImportRequest>
<KeyImportResponse>
<ID>1000002</ID>
<Success>true</Success>
<Fingerprint>8E70949492BA7892</Fingerprint>
<KeyName>Cert_PKCS12_XML</KeyName>
</KeyImportResponse>

Import a Wrapped AES Key using RSA Unwrap with PKCS1v2.1/RSAOAEP-SHA512 Padding

<KeyImportRequest>
<ID>1000002</ID>
<KeyName>AES_Key_Name</KeyName>
<Algorithm>AES</Algorithm>
<KeySize>256</KeySize>
<KeyData>zPG+lxQBwlYiPq9XTtsPlJ4......gofUqxbm8DQ==</KeyData>
<WrapKeyName>NAME_OF_RSA_PRIVATE_KEY_TO_BE_USED_AS_UNWRAPPING_KEY</WrapKeyName>
<WrapFormat>PKCS1v2.1/RSAOAEP-SHA512</WrapFormat>
<Exportable/>
<Deletable/>
</KeyImportRequest>
<KeyImportResponse>
<ID>001</ID>
<Success>true</Success>
<Fingerprint>2FAFD1D920FD8ED0</Fingerprint>
<KeyName>AES_Key_Name</KeyName>
</KeyImportResponse>

Import a Wrapped RSA Key using AES Unwrap

<KeyImportRequest>
<ID>1000002</ID>
<KeyName>RSA_Key_Name</KeyName>
<Algorithm>RSA</Algorithm>
<KeySize>2048</KeySize> <KeyData>jAp0gBXBOO5+XKZh2/s+oaEp31DCNVRgpDyOinli1/CEJJS851WWV6rSJk3Yhh/j5Y27mLJ2/FtmWpWGvNJcPYCgFJzAd4S6lxwubxzrs..............MKjvxYb5Uiys4uCQ75SNDmNDVwJkKt90J/K2bD8/VZ8rlhjnJY1lPHhBdlkzn9BvHQjaLh7bv+4Mqf2Ock4KQAOZKMv6HYoYcMnarCMxgrKFfhCoJ72ZMIdsF+e+ZtZjdAfad8KV+ko4BGn8H9/zkE8PaP+BwEyL2AdY9F0k31Fzy8w8Mo=</KeyData>
<WrapKeyName>NAME_OF_AES_KEY_TO_BE_USED_AS_UNWRAPPING_KEY</WrapKeyName>
<Exportable/>
<Deletable/>
</KeyImportRequest>
<KeyImportResponse>
<ID>001</ID>
<Success>true</Success>
<Fingerprint>2FAFD1D920FD8ED0</Fingerprint>
<KeyName>RSA_Key_Name</KeyName>
</KeyImportResponse>

Import an Wrapped RSA Key using RSA-AES-WRAP Unwrap with PKCS1v2.1/RSAOAEP-SHA256 Padding

<KeyImportRequest>
<KeyName>NewKey</KeyName>
<Algorithm>RSA</Algorithm>    <KeyData>JPLA0G4VxFlxk8mJJoRNhGrEOcV7xGn4iIHWlSdORtC1aNVQ9I+gp8kTbumRqEX36m8jAagGoPvN+YloRBMLWZibifhUVRkKpbXKIpVXky3Tx2xRs7W6AeFzgAAtLgN2tYlmJ5/txVXiGWcZ/r2SIvRpwvnCF+ORCnjblxAxyConHgd27X1yBt+J/JEMTAyZf/pAQ4y4k/32c7Dpc5pJCCXI/wm1ykeGvaH/osFtizx0lHSjtyyAdalnI/cGf6wW8jLsRwPRrFrFUfPPxdGLXfAt4qf48nldmNj13qMnaxJ1nPVNvSQuIibWwBv02yio82sx5NrVC1llAtv45l2aK73tmZgqU/hwAw0jDjrxVcLf0Xb43t9vuxKgKzv+7v4ocVgFWwoFN6uX++Z8YuFSRttZwI0qkM4c85qDiVHCL+itQTpaIVqH91crAvJa3epCzwASZknTAUOQePq08CPW9aS2vTlHEzMOnKBparYYfkap20L9eW2cnFY7sDRWxF1yDnYjVhlSN6pEdN/Y6t/6mbMxHcHAniHuMLDeNmzgkW2XGDIgybbnl3YhVp4oWo5LQeWNrUUIPM9rUJU3Gvm2WKl0jpQvK/6TLziarzIFVmx5KzoWcE9oFtv8zNSSV8oQ6RDgfYVUdRBbJEQBWqrUIb74jwJFzZbgbnNs9SCZrcdW6Xec61zleDBQaVAARtB+X47rgI2vlhvgDyNukrluRyIpIxVl5D0PrN0dEKBd5YgU0p0ywxdqDUkVd9MpbBm40PAiHtdxIx0XwWgCIQN6GBcgpGSIot+468erEuejv8dm70wd5yddpTvqUQc8sU08npW/WZJs5fEYgenNJd/TghWl2T744LAzWDbmvwWxEb2vM03v+LPUorYHVgEeevQpx8qlZb7bNiB3ZMqs445pnWzvQqrrHoR3oBAX/LcWlJtdC4trAkC+fgywzx/2O0Vus3gENc426+6ukdM5v30RzLh945RtAsN6r0ceMgWc8IjcSFoS7n629qHkNXVpFwB/h6iAQkbfWRwYeDNm+wuZK4HEWLwz/nqL3m/KJEvfTktCRiCmR2/mc8F6/lyosatGOrvc+2mwHTzVxV0MAd+8NrWWIyPeIAwY0EGosmt20KDYx38fpLHz0oALBanJBzK+/k1/rxGg9ml9W8jqZNmb4bJ6/s/ccxkfsMcxx7iLU+PQE/GnVBDsMx98njbeGDc6GB8j08K7gxTXN5doN90UZsEhXv7frLbeIFWmK+5Ta7YfO1ijRsOf8lnaLKdZAnVOK5egWbWSncxndzq4KBE7PhkZS4n/BUs53el3pBQJbWu8GX0nE8PyJSjgRKR0CBjiIurGuCllgxhn715SkgbAxNvb0MM7v9MSRc+QjORLoskxgCk6y9RtLvh60V5osNiZDlCR25h8qYwxLhTx6oHgB6RJZDXjJi6UOEWNzk6Pd/yEpa+mWFBNdAIrX/kPhPfReqDX3AMeIxsdZuVXajFQ4SOUOzwDYsXhIjLwzQFKfCQdA1HyXDWqM9Mfw4Vd9Fttw8yQ5tM2b4zCC+0TyzHU5wt+Nb2FuOCKyzLqaHx5e6JvlF6eFCgND1oAlXMma5foZQ/Yo4lm1eTU6iWffQJJTylNq6zIzWz/BWRxXzC8WYpquV+4RtQTpGWjL5X7LbDh8b/A00Sf1Zrfs8euX8zUnnyGQLiovgLPO6vy3khzG72w58n3ILkh17Jcly0Hn2CEprRsGJ8QN4xHW5yPVmC6fFbCryJknmC8NgNMK2ZNsyrbhGj2oVN4GhFWjpKijPEH4MGfDUaSTTuW29QGmwRKyp733yWNGICWOmwtWh5D33WVrXEWhxFS4NHoCexdrXnpWu9TQTHHT6H2oNsRJuQzNh0ujexPjkAHav3NnvNdn1Wn18fjIZjK50/HnjiMDYLGMgJxl4mvtYb31PbZ4uZXlQ==</KeyData>
<WrapKeyName>rsaKek_test</WrapKeyName>
<WrapAlgorithm>RSA-AES-WRAP/AES-256</WrapAlgorithm>
<WrapFormat>PKCS1v2.1/RSAOAEP-SHA256</WrapFormat>
<Exportable/>
<Deletable/>
</KeyImportRequest>
<KeyImportResponse>
<ID></ID>
<Success>true</Success>
<Fingerprint>81AAAA71A3FB5961</Fingerprint>
<KeyName>NewKey</KeyName>
</KeyImportResponse>

Element	Description
ID	Contains the user-specified request ID.
KeyName	Specifies a name for the key. Key names must be unique: two keys cannot have the same name. If you do not include the KeyName element in the request, you must request a randomly-generated name for the key, using the RandomKey element. The KeyGenRequest element requires that you include either the RandomKey child element or the KeyName child element.
RandomKey	Indicates that the server should generate a random unique key name for the generated key. The randomly-generated key name is guaranteed to be a cryptographically secure random string. If you do not include the RandomKey element in the request, you must specify a name for the key, using the KeyName element. The KeyGenRequest element requires that you include either the RandomKey child element or the KeyName child element.
Algorithm	Contains a standard identifier string for a cryptographic algorithm supported by the server. The length of the Algorithm string should not exceed 256 characters. The algorithm can be any of the following: • AES • DESede • HmacSHA1 • RSA • SEED • RSA-Certificate • EC-CR (represents ECC)
KeyData	The KeyData element contains the actual key being imported. For import and export operations the KeyData element contains the ASCII-Hex-encoded bytes of the key.
Exportable	Indicates that the key can be exported from the server using a client XML request. Keys created on the server are not, by default, exportable. This element is optional.
Deletable	Indicates that the key can be deleted from the server using a client request. Keys created on the server are not, by default, deletable. This element is optional.
Permissions	Specifies the key usage permissions granted to specific groups. An owner of a key can grant key usage permissions to specific user groups by adding the Permissions element, and the Group and appropriate key usage permission elements: Encrypt, Decrypt, MAC, MACV, SIGN, SIGNV, UsePrivate, and UsePublic.This element is optional.
Password	The password (in base 64) used to encrypt the key.
Group	Specifies the group that has permission to use key. A child element of the Permissions element.
Encrypt	Indicates that the group can use the key to encrypt data.
Decrypt	Indicates that the group can use the key to decrypt data.
MAC	Indicates that the group can use the key to create MACs. Available for HMAC keys.
MACV	Indicates that the group can use the key to verify MACs. Available for HMAC keys.
SIGN	Indicates that the group can use the key to create signatures. Available for RSA keys.
SIGNV	Indicates that the group can use the key to verify signatures. Available for RSA keys.
UsePrivate	Indicates that the group can use the private portion of the key to decrypt data. Available for RSA keys.
UsePublic	Indicates that the group can use the public portion of the key to encrypt data. Available for RSA keys.
CustomAttributeList	Specifies the list of custom attributes. This element can contain multiple CustomerAttribute elements. This element is optional.
CustomAttribute	When a custom attribute is present, this element contains one Name and one Value element.
Name	Indicates the name of the custom attribute.
Type	Data type of Custom Attribute. Can be one of the following types: • String • Integer • Long Integer • Big Integer • Enumeration • Boolean • Byte String • Date/Time (default format: "yyyy-mm-dd hr:mm:ss") • Interval NOTE: If `<Type>` is not specified, then String is selected as the default data-type for `<Value>`.
Value	Specifies the value of the attribute. This value must be base64 encoded, and input is considered as text. If your original data contains non-printable characters, convert the original data to hex values, and then convert the hex values to base64.
KeySize	Specifies the key size. If you do not specify a key size by including the KeySize element, the server uses the default key size for the algorithm, listed in bold below. The available key sizes are: • AES - 128, 256,192 • DESede - 112, 168 • HmacSHA1 - variable, 160 • HmacSHA1-128 and 25 • HmacSHA256-128/192/256/512 • HmacSHA384-192/288/384 • HmacSHA512-256/384/512 • RSA-4096 • RSA - 512, 1024, 2048 • EC-secp224k1-225 • EC-secp224r1-224 • EC-secp256k1-256 • EC-secp384r1-384 • EC-secp521r1-521 • EC-prime256v1-256 • EC-brainpoolP224r1-224 • EC-brainpoolP224t1-224 • EC-brainpoolP256r1-256 • EC-brainpoolP256t1-256 • EC-brainpoolP384r1-384 • EC-brainpoolP384t1-384 • EC-brainpoolP512r1-512 • EC-brainpoolP512t1-512
WrapAlgorithm	Possible values: • PBE - For password based encryption • HKDF - In case of AES-UNWRAP, if this is specified, then the key will be derived from HKDF parameters. • RSA-AES-WRAP - It is an RSA AES key unwrap mechanism. Supported values: • RSA-AES-WRAP/AES-128 • RSA-AES-WRAP/AES-192 • RSA-AES-WRAP/AES-256 (default) Where, AES-128/AES-192/AES-256 are temporary AES key sizes generated by the CipherTrust Manager.
HashAlgorithm	This is an optional tag. Valid values: • SHA1 • SHA224 • SHA256 • SHA384 • SHA512
Salt	This is an optional tag. Random HEX bytes of any length
Info	This is an optional tag. Random HEX bytes of any length
OkmLen	This is an optional tag. The desired OKM length in integer
WrapKeyName	This is an optional tag. Key name to be used as unwrapping key. • If it is an AES key, it does AES Unwrap. • If it is a RSA key, it does RSA Unwrap.
Padded	This is an optional tag. • If specified, AES-UNWRAP padding is performed. (RFC 5649) • Else, AES-UNWRAP is performed. (RFC 3394)
WrapFormat	The following PKCS1v2.1 implementation formats are applicable for RSA and RSA-AES-WRAP unwrap: • PKCS1v2.1/RSAOAEP-SHA1 • PKCS1v2.1/RSAOAEP-SHA256 (default for RSA-AES-WRAP) • PKCS1v2.1/RSAOAEP-SHA384 • PKCS1v2.1/RSAOAEP-SHA512 NOTE: For RSA unwrap, the default wrap format is PKCS1v1.5. The RSA-AES-WRAP does not support PKCS1v1.5 format.

KeyVersionImportRequest

Import version of a NAE versioned key.

<KeyVersionImportRequest> 
    <ID>...</ID> 
    <KeyName>...</KeyName> 
    <KeyUUID>...</KeyUUID>                  #Optional
    <KeyMUID>...</KeyMUID>                  #Optional
    <ExternalKeyID>...</ExternalKeyID>           #Optional
    <KeyVersionState>...</KeyVersionState>  # optional
    <KeyVersionData>...</KeyVersionData>
</KeyVersionImportRequest>

Example

<KeyVersionImportRequest>
    <ID>001</ID>
    <KeyName>AES-25694V</KeyName>
    <KeyVersionData>0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20</KeyVersionData>
    <KeyUUID>426ba632-2244-4ae1-8b3a-ad8162a1df47</KeyUUID>
    <KeyMUID>426ba632-2244-4ae1-8b3a-ad8162a1df476d2c89a7-5830-476a-b5d0-b2edaca55d7e</KeyMUID>
    <ExternalKeyID>9934567890</ExternalKeyID>
</KeyVersionImportRequest>

Element	Description
ID	Contains the user-specified request ID.
KeyName	The name of the key.
KeyUUID	Universally Unique Identifier (UUID) is a 128 bits DPM key identifier. It is specified in 32 hexadecimal lowercase digits with 4 dashes. If the UUID is not specified by the user, then system automatically generates a UUID. For example, `<KeyUUID>426ba632-2244-4ae1-8b3a-ad8162a1df47</KeyUUID>`
KeyMUID	Multiversally Unique Identifier (MUID) is a 256 bits DPM key identifier. For example, `<KeyMUID>426ba632-2244-4ae1-8b3a-ad8162a1df476d2c89a7-5830-476a-b5d0-b2edaca55d7e</KeyMUID>`
ExternalKeyID	It is a 32 bit DPM key identifier. It is specified in Long type format. For example, `<ExternalKeyID>9934567890</ExternalKeyID>`
KeyVersionState	The desired state of the new key version. Valid values are: • Pre-Active • Active • Restricted • Retired If you do not include this tag, the new key version is `Active` by default.
KeyVersionData	Contains the actual key being imported for the new version of the key.

KeyVersionImportResponse

Server response to a KeyVersionImportResponse

<KeyVersionImportResponse>
    <ID>001</ID>
    <Success>true</Success>
    <KeyName>AES-25694V</KeyName>
    <KeyVersion>2</KeyVersion>
    <Fingerprint>4C9B68754CC4C6A5</Fingerprint>
</KeyVersionImportResponse>

Element	Description
ID	Contains the user-specified request ID.
KeyName	Contains the name of the key.
KeyVersion	Contains the current key version.
Fingerprint	Contains the fingerprint of the versioned key.

KeyExportRequest

Export a key. If key wrapping is used, all exported versions are wrapped with the same key and algorithm parameters.

<KeyExportRequest>
    <ID>...</ID>
    <KeyName>...</KeyName>                  # optional
    <KeyAlias>...</KeyAlias>                # optional
    <KeyVersion>...</KeyVersion>                    # optional
    <Format>...</Format>                    # optional
    <Password>...</Password>                        # optional
    <WrapPublicKey>...</WrapPublicKey>                  # optional
    <PBEParameters>...</PBEParameters>              # optional
    <IV>...</IV>                                # optional
    <AllVersions/>                              # optional
    <WrapFormat>....</WrapFormat>                   # optional
    <Algorithm>.….</Algorithm>                          # optional
    <WrapSymmetricKeyName>….</WrapSymmetricKeyName>         # optional
    <WrapKeyName>...</WrapKeyName>        # optional, supported for 6.7 and higher
    <HashAlgorithm>...</HashAlgorithm>          # optional
    <Salt>...</Salt>                    # optional
    <Info>...</info>                    # optional
    <OkmLen>...</OkmLen>                    # optional
 </KeyExportRequest>

Element	Description
ID	Contains the user-specified request ID.
KeyName	The KeyName child element specifies which key the server should export.
KeyAlias	Defines the alias name of the key. It's mandatory for KeyExportRequest element to include either the KeyName child element or the KeyAlias child element.
KeyVersion	Indicates a specific key version. To retrieve all versions of a versioned key, use AllVersions.
Format	The requested format of the exported key. Valid values are: • PEM-PKCS#1 : Private key is exported in PKCS#1 format, public key pkcs#1 by default • PEM-PKCS#8: Private key is exported in PKCS#8 format, public key pkcs#1 by default (for ECC, public key SEC1 by default). If specified with wrapping, the PEM encoding of key will be wrapped. • DER-PKCS#8: Only valid with wrapping. If specified, the DER encoding of key will be wrapped. • PKCS#12 (Used for exporting certificates) • PEM-PKCS#6 (used for extended certificates , so private keys can not be exported) • PEM-PKCS#1-PKCS#8: Public key is exported in PKCS#1 and Private key is exported in PKCS#8 format • PEM-PKCS#6-PKCS#1: Public key is exported in PKCS#6 and Private key is exported in PKCS#1 format • PEM-PKCS#6-PKCS#8: Public key is exported in PKCS#6 and Private key is exported in PKCS#8 format • PEM-SEC1: default format for both public and private key, for ECC
Password	The password (in base 64) used to encrypt the exported key. This element is only used (and is required) when exporting asymmetric keys in PKCS#12 format.
WrapPublicKey	The RSA public key that will be used to wrap (encrypt) the key specified in the KeyName element.
PBEParameters	Click here for detailed description of PBE parameters.
AllVersions	Indicates that the request is to export all versions of a versioned key, regardless of their state. To retrieve a specific version, use KeyVersion.
WrapFormat	The following PKCS1v2.1 implementation formats are applicable for RSA and RSA-AES-WRAP unwrap: • PKCS1v2.1/RSAOAEP-SHA1 • PKCS1v2.1/RSAOAEP-SHA256 (default for RSA-AES-WRAP) • PKCS1v2.1/RSAOAEP-SHA384 • PKCS1v2.1/RSAOAEP-SHA512 NOTE: For RSA unwrap, the default wrap format is PKCS1v1.5. The RSA-AES-WRAP does not support PKCS1v1.5 format.
Algorithm	The algorithm used for wrapping. Valid values are: • PBE: For password based encryption • AES-WRAP: This standard is followed when AES is used as wrap algorithm. AES belongs to NIST approved KeyWrap. For more information visit: https://tools.ietf.org/html/rfc3394#section-1 • HKDF NOTE: AES-WRAP supports wrapping of all the symmetric keys and private asymmetric keys. While wrapping asymmetric keys, AES-256 keys are used and the Alternative Initial Value (AIV) is used as a default value mentioned in RFC 5649. For more information visit: https://tools.ietf.org/html/rfc5649 • RSA-AES-WRAP: It is an RSA AES key wrap mechanism. Supported values: • RSA-AES-WRAP/AES-128 • RSA-AES-WRAP/AES-192 • RSA-AES-WRAP/AES-256 (default) Where, AES-128/AES-192/AES-256 are temporary AES key sizes generated by the CipherTrust Manager.
WrapSymmetricKeyName	This is an optional tag. The AES key that will be used to wrap the key specified in the KeyName element.
WrapKeyName	The key that wraps the key specified in the `KeyName` element.
HashAlgorithm	This is an optional tag. Possible HashAlgorithm valid values: • SHA1 • SHA224 • SHA256 • SHA384 • SHA512
Salt	This is an optional tag. Random HEX bytes of any length.
Info	This is an optional tag. Random HEX bytes of any length.
OkmLen	This is an optional tag. The desired OKM length in integer.
Padded	This is an optional tag. • If specified, AES-WRAP padding is performed. (RFC 5649) • Else, AES-WRAP is performed. (RFC 3394)

The Password Based Encryption (PBE) is used to wrap/unwrap symmetric keys, private asymmetric keys, and certificates. The below table describes the PBE parameters.

Element	Description
HashAlgorithm	Possible values: • sha1 • sha256 • sha224 • sha384 • sha512 • sha512/224 • sha512/256 • sha3-224 • sha3-256 • sha3-384 • sha3-512
Password	Base password to generate derive keys. It cannot be used in conjunction with `passwordidentifier`. Password must be in range of 8 bytes to 128 bytes.
PasswordIdentifier	Secret password identifier for password. It cannot be used in conjunction with `password`.
PasswordIdentifierType	Specifies the type of the Password Identifier. If not set then default value is name. Options: • id • name • slug
Iteration	Iteration count increase the cost of producing keys from a password. Iteration must be in range of 1 to 1,00,00,000.
DkLen	Specifies the length of the derived key in octets. The `dklen` must be in the range of 14 bytes to 512 bytes.
Salt	A Hex encoded string. The `Salt` must be in range of 16 bytes to 512 bytes. Note: If salt is not provided, it is generated internally and will be used in the export response.
Purpose	Specifies the user defined purpose. If specified, it is prefixed to `Salt`. The `Purpose` must not be greater than 128 bytes.

KeyExportResponse

Server response to a KeyExportRequest.

<KeyExportResponse>
<ID>...</ID>
<Success>true</Success>
<KeyName>...</KeyName>
<KeyExportDataList>...</KeyExportDataList>
<KeyExportData>
<KeyVersion>...</KeyVersion> # only for versioned keys
<KeyData>...</KeyData>
<Fingerprint>...</Fingerprint>
</KeyExportData>
</KeyExportData>
</KeyExportResponse>

Element	Description
ID	Contains the user-specified request ID.
Success	Indicates if the operation was successful. true indicates success. false indicates failure. When the operation is successful, the response element will contain the elements described below. When the operation fails, the response element contains the FatalError and ErrorString elements to illustrate why the failure occurred and help you troubleshoot. For a list of possible error IDs and strings, see Error Messages.
KeyExportDataList	Contains the KeyExportData elements.
KeyExportData	Contains the key version (for versioned keys), key data, and fingerprint. There is one element for each exported key version.
KeyVersion	Contains the version of the key (only used for versioned keys).
KeyData	Contains the key data.
Fingerprint	Contains the fingerprint of the key.

Export a Key

In the example below, the client exports key_a using the KeyExportRequest element.

<KeyExportRequest>
<ID>9</ID>
<KeyName>key_a</KeyName> 
</KeyExportRequest>
<KeyExportResponse>
<ID>9</ID>
<Success>true</Success>
<KeyName>key_a</KeyName>
<KeyData>58BF7737F38B24A0BD1BD1FB9B88C7B25F0F2C5AB1D3CF6D9B90F031E2AE512F</KeyData>
<Fingerprint>C0698613D81AC601</Fingerprint>
</KeyExportResponse>

Export and Delete a Versioned Key

In the example below, the client exports and deletes a versioned key.

<KeyExportRequest>
<ID>17</ID>
<KeyName>aes-12v</KeyName>
</KeyExportRequest>
<KeyExportResponse>
<ID>17</ID>
<Success>true</Success>
<KeyName>aes-12v</KeyName>
<KeyExportDataList>
<KeyExportData>
<KeyVersion>2</KeyVersion>
<KeyData>A9BAA72AA124618A2C740BCEC433857EBB10763FB7A98C48</KeyData>
<Fingerprint>278D9810FBD7F411</Fingerprint>
</KeyExportData>
</KeyExportDataList>
</KeyExportResponse>
<KeyDelRequest>
<ID>18</ID>
<KeyName>aes-12v</KeyName>
</KeyDelRequest>
<KeyDelResponse>
<ID>18</ID>
<Success>true</Success>
<Fingerprint>278D9810FBD7F411</Fingerprint>
<KeyName>aes-12v</KeyName>
</KeyDelResponse>

Export a Key with PKCS1v2.1/RSAOAEP-SHA512 Padding

In the example below, the client exports key with PKCS1v2.1/RSAOAEP-SHA512 padding.

<KeyExportRequest>
<ID>123</ID>
<KeyName>hmac_1key</KeyName>
<WrapPublicKey>-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAvahj3FLByCbctHWoTp8tbHZmIyWRbqIZW+qeh6l8YjBd3dt/5ogq
hLGi4Vyj+b8YV805w7YiObm4exhQnYeiwlR89pKHdjY2M8W3lP6abonOe3dGHjRz
snFwEkMFBglEYnymovk2XPztyZuxXfSGBlFdmVzzdW8ZrrfsqQtHlBTd/iCVj5GV
HZOyspuwezF8nKMJlOz85F+bKc5pivrlqbtXU83tC8fQLVrwd1q1ADcd2YdJvHFV
khpbL+Z/AqMr+mKSuqDbBQNqSOdpSizNKxrck0tTYclhJCPG1xityskVZ1TRktfR
xKCDeoGtZ67Thfhg0mZ7d8/Nadm+TExJ0VqBPObPQJzlVPj8ZkYuUTXcPG+bPgvJ
aArANwpmzWnKUMNrXoxN1IlmKojh1ea5gZQ0xMzgzi3G29BJTkrsO9k6RypKj47G
832zU1ifFh4NuvSLqWMPiav8gMFlkckMqXCe/pImDMa3ByfGuPKKhox7mEVcMOq0
XhwvAAq5Iaw1j5BOhSlm2/J0zEjoMDHC2ZFwXPvZOqMwph8v/4adQAnJTe2DNFUL
+bKop6XIKm4zKtQc/KKFKkpigujnrb21nKNSAKhg+V+Vgn0I4kL4I0wgmjhcJUOh
/MCWLS/Jb6ZiSgztzrnz11RQ4+rPxcOXcbqcJnzSrqndOBNk21fhNJ8CAwEAAQ==
-----END RSA PUBLIC KEY-----
</WrapPublicKey>
<WrapFormat>PKCS1v2.1/RSAOAEP-SHA512</WrapFormat>
</KeyExportRequest>
<KeyExportResponse>
<ID>123</ID>
<Success>true</Success>
<KeyName>hmac_1key</KeyName>
<KeyExportDataList>
<KeyExportData>
<KeyData>eP4ljZvANh53Huso6Gr8ZGnGwb7N9JkTJOzkt012DfziYeIg7e19/P7
FVeVK3ZWC7QaizjybV80mrl7uu9USkR/N0mvxTpHiT4POQcqUK5ul3yTg4YCHpye
CAnFHc28VmH2Mvh174GL1XYy/SqzozVWwHxLGUf2UaLZyW7XPay6xvAfwYspNGod
uhR48r3MTU4wbi4AdNka0TBHN6+Jbmb+9Wj1vnd3F4OvKBPYmn/BLyNhLghlMHdx
Xba7dFFD/m2TTdKBMGAN67CM5Poj/TindQd3bdeVvAL3E9s8Ll9SnNDgBm4AC6EM
SXjB50K0bQZPOaMQ6Pc8xWyE9jTIoO4LXv3vbdXnqxd9Vof6DwSy4tvt8NLRbI/f
Rzd6OP747t66oBWQ4t3TscisMSr6uU8uzpGsxbfGae9nn7F81uvheyPbkqHVQ9JM
VKH6OMbwLXxIYuwdc5gSNoU41pY5q7IoXxd5bNdYo8kGEzbBitUN6hq5Y3d5msGc
49unlQq1rHxXgivUdgGfJCWYvfct51rJBvhuD2L29vANrF8pI7epOvqXpU/QQwoa
5knBXX3qpY2HmCKHlmCj1F4tUzc+WfrVB9fBaJHHU/tKMp2ehaIv4Yz1U+rWwJGM
dEwlUS+cc3Bp5nrI0WxE5L7ZJD1aooxhcK9O4jSWXcOOH7JETlm0=</KeyData>
<Fingerprint>C2D1AF00844F5799</Fingerprint>
</KeyExportData>
</KeyExportDataList>
</KeyExportResponse>

Export a Key using Password Based Encryption(PBE) Parameters

In the example below, the client exports key with PBE parameters.

<KeyExportRequest>
    <ID>001</ID>
    <KeyName>test-key</KeyName>
    <Algorithm>PBE</Algorithm>
    <PBEParameters>
      <HashAlgorithm>sha256</HashAlgorithm> 
      <Password>PBEPassword</Password> 
      <Iteration>10000</Iteration> 
      <DkLen>32</DkLen>  
      <Salt>92280e35fa929ec28fb140f2862c5a32</Salt> 
      <Purpose>PBEWrap</Purpose> 
    </PBEParameters>
</KeyExportRequest>

Element	Description
ID	Contains the user-specified request ID.
KeyName	Specifies which key the server should export.
Algorithm	Contains a standard identifier string for a cryptographic algorithm supported by the server. The length of the Algorithm string should not exceed 256 characters. The algorithm can be any of the following: • PBE • AES • DESede • ARIA • HmacSHA1 • HmacSHA256 • HmacSHA384 • HmacSHA512 • RSA • SEED • RSA-Certificate • EC-Certificate (represents ECC)
HashAlgorithm	Possible values: • sha256 • sha1 • sha224 • sha384 • sha512 • sha512/224 • sha512/256 • sha3-224 • "sha3-256 • sha3-384 • sha3-512
Password	Base password to generate derive keys. It cannot be used in conjunction with `passwordidentifier`. Password must be in range of 8 bytes to 128 bytes.
PasswordIdentifier	Secret password identifier for password. It cannot be used in conjunction with `password`.
PasswordIdentifierType	Specifies the type of the Password Identifier. If not set then default value is name. Options: • id • name • slug
Iteration	Iteration count increase the cost of producing keys from a password. Iteration must be in range of 1 to 1,00,00,000.
DkLen	Specifies the length of the derived key in octets. The `dklen` must be in the range of 14 bytes to 512 bytes.
Salt	A Hex encoded string. The `pbeSalt` must be in range of 16 bytes to 512 bytes. Note: If salt is not provided, it is generated internally and will be used in the export response.
Purpose	Specifies the user defined purpose. If specified, it is prefixed to `pbeSalt`. The `pbePurpose` must not be greater than 128 bytes.

Export an AES Key Wrapped with Another AES Key

In the example below, the client exports an AES 128 key wrapped with AES_256 key.

<KeyExportRequest>
<ID>test2</ID>
<KeyName>aes128key</KeyName>
<Algorithm>AES-WRAP</Algorithm>
<WrapSymmetricKeyName>aes256key</WrapSymmetricKeyName>
</KeyExportRequest>
<KeyExportResponse>
<ID>test2</ID>
<Success>true</Success>
<KeyName>a</KeyName>
<KeyExportDataList><KeyExportData>
<KeyData>I8/tuzsEwawHFTIblD9jJKyZrGlvcvhp</KeyData>
<Fingerprint>DB7B3327EE35316E</Fingerprint>
</KeyExportData></KeyExportDataList>
</KeyExportResponse>

Export an RSA Key Wrapped with another RSA Key using RSA-AES-WRAP

<KeyExportRequest>
<ID>jLPhHLPd</ID>
<KeyName>rsaDek_test</KeyName>
<Algorithm>RSA-AES-WRAP/AES-256</Algorithm>
<WrapKeyName>rsaKek_test</WrapKeyName>
<WrapFormat>PKCS1v2.1/RSAOAEP-SHA256</WrapFormat>
</KeyExportRequest>
<KeyExportResponse>
<ID>jLPhHLPd</ID>
<Success>true</Success>
<KeyName>rsaDek_test</KeyName>
<KeyExportDataList>
<KeyExportData>    <KeyData>JPLA0G4VxFlxk8mJJoRNhGrEOcV7xGn4iIHWlSdORtC1aNVQ9I+gp8kTbumRqEX36m8jAagGoPvN+YloRBMLWZibifhUVRkKpbXKIpVXky3Tx2xRs7W6AeFzgAAtLgN2tYlmJ5/txVXiGWcZ/r2SIvRpwvnCF+ORCnjblxAxyConHgd27X1yBt+J/JEMTAyZf/pAQ4y4k/32c7Dpc5pJCCXI/wm1ykeGvaH/osFtizx0lHSjtyyAdalnI/cGf6wW8jLsRwPRrFrFUfPPxdGLXfAt4qf48nldmNj13qMnaxJ1nPVNvSQuIibWwBv02yio82sx5NrVC1llAtv45l2aK73tmZgqU/hwAw0jDjrxVcLf0Xb43t9vuxKgKzv+7v4ocVgFWwoFN6uX++Z8YuFSRttZwI0qkM4c85qDiVHCL+itQTpaIVqH91crAvJa3epCzwASZknTAUOQePq08CPW9aS2vTlHEzMOnKBparYYfkap20L9eW2cnFY7sDRWxF1yDnYjVhlSN6pEdN/Y6t/6mbMxHcHAniHuMLDeNmzgkW2XGDIgybbnl3YhVp4oWo5LQeWNrUUIPM9rUJU3Gvm2WKl0jpQvK/6TLziarzIFVmx5KzoWcE9oFtv8zNSSV8oQ6RDgfYVUdRBbJEQBWqrUIb74jwJFzZbgbnNs9SCZrcdW6Xec61zleDBQaVAARtB+X47rgI2vlhvgDyNukrluRyIpIxVl5D0PrN0dEKBd5YgU0p0ywxdqDUkVd9MpbBm40PAiHtdxIx0XwWgCIQN6GBcgpGSIot+468erEuejv8dm70wd5yddpTvqUQc8sU08npW/WZJs5fEYgenNJd/TghWl2T744LAzWDbmvwWxEb2vM03v+LPUorYHVgEeevQpx8qlZb7bNiB3ZMqs445pnWzvQqrrHoR3oBAX/LcWlJtdC4trAkC+fgywzx/2O0Vus3gENc426+6ukdM5v30RzLh945RtAsN6r0ceMgWc8IjcSFoS7n629qHkNXVpFwB/h6iAQkbfWRwYeDNm+wuZK4HEWLwz/nqL3m/KJEvfTktCRiCmR2/mc8F6/lyosatGOrvc+2mwHTzVxV0MAd+8NrWWIyPeIAwY0EGosmt20KDYx38fpLHz0oALBanJBzK+/k1/rxGg9ml9W8jqZNmb4bJ6/s/ccxkfsMcxx7iLU+PQE/GnVBDsMx98njbeGDc6GB8j08K7gxTXN5doN90UZsEhXv7frLbeIFWmK+5Ta7YfO1ijRsOf8lnaLKdZAnVOK5egWbWSncxndzq4KBE7PhkZS4n/BUs53el3pBQJbWu8GX0nE8PyJSjgRKR0CBjiIurGuCllgxhn715SkgbAxNvb0MM7v9MSRc+QjORLoskxgCk6y9RtLvh60V5osNiZDlCR25h8qYwxLhTx6oHgB6RJZDXjJi6UOEWNzk6Pd/yEpa+mWFBNdAIrX/kPhPfReqDX3AMeIxsdZuVXajFQ4SOUOzwDYsXhIjLwzQFKfCQdA1HyXDWqM9Mfw4Vd9Fttw8yQ5tM2b4zCC+0TyzHU5wt+Nb2FuOCKyzLqaHx5e6JvlF6eFCgND1oAlXMma5foZQ/Yo4lm1eTU6iWffQJJTylNq6zIzWz/BWRxXzC8WYpquV+4RtQTpGWjL5X7LbDh8b/A00Sf1Zrfs8euX8zUnnyGQLiovgLPO6vy3khzG72w58n3ILkh17Jcly0Hn2CEprRsGJ8QN4xHW5yPVmC6fFbCryJknmC8NgNMK2ZNsyrbhGj2oVN4GhFWjpKijPEH4MGfDUaSTTuW29QGmwRKyp733yWNGICWOmwtWh5D33WVrXEWhxFS4NHoCexdrXnpWu9TQTHHT6H2oNsRJuQzNh0ujexPjkAHav3NnvNdn1Wn18fjIZjK50/HnjiMDYLGMgJxl4mvtYb31PbZ4uZXlQ==</KeyData>
<Fingerprint>81AAAA71A3FB5961</Fingerprint>
</KeyExportData></KeyExportDataList>
</KeyExportResponse>

PublicKeyExportRequest

Export the public portion of an RSA key.

<PublicKeyExportRequest>
<ID>...</ID>
<KeyName>...</KeyName>
<KeyVersion>...</KeyVersion> # optional
<AllVersions/> # optional
</PublicKeyExportRequest>

Element	Description
ID	Contains the user-specified request ID.
KeyName	Specifies which key the server should export.
PublicKeyExportResponse	Server response to a PublicKeyExportRequest

<PublicKeyExportResponse>
<ID>...</ID>
<Success>true</Success>
<KeyName>...</KeyName>
<KeyExportDataList>
<KeyExportData>
<KeyVersion>...</KeyVersion>
<KeyData>...</KeyData>
<Fingerprint>...</Fingerprint>
</KeyExportData>
</KeyExportDataList>
</PublicKeyExportResponse>

Element	Description
ID	Contains the user-specified request ID.
Success	Indicates if the operation was successful. true indicates success. false indicates failure. When the operation is successful, the response element will contain the KeyName, KeyData, and Fingerprint elements described below. When the operation fails, the response element contains the FatalError and ErrorString elements to illustrate why the failure occurred and help you troubleshoot. For a list of possible error IDs and strings, see Error Messages.
KeyName	Contains the key name.
KeyData	Contains the key data.
Fingerprint	Contains the fingerprint of the key.

Export an RSA Key

In the example below, the client exports an RSA public key.

<PublicKeyExportRequest>
<ID>11</ID>
<KeyName>key_b</KeyName> 
</PublicKeyExportRequest>
<PublicKeyExportResponse>
<ID>11</ID>
<Success>true</Success>
<KeyName>key_b</KeyName>
<KeyData>-----BEGIN RSA PUBLIC KEY-----
MEgCQQC7+Th9U8akLjyFLxSQnvSbVOYU/0pLWLGZpagnKZFAbE7qyTXKshH5Ku fY+gb5fpA7/bMEGYW9CNp9veuv0oq1AgMBAAE=
-----END RSA PUBLIC KEY-----
</KeyData>
<Fingerprint>C0E01D79C0F29C14</Fingerprint>
</PublicKeyExportResponse>

Suggest A Change

Importing, Exporting, and Replicating Keys

KeyImportRequest

KeyImportResponse

Import a Key

Import a Key with Custom Attributes

Import a Key with External key-Ids

Import a Key using Password Based Encryption (PBE) Parameters

Import Certificate as a Managed Object using PKCS1

Import Certificate as a Managed Object using PKCS8

Import Certificate as a Managed Object using PKCS12

Import a Wrapped AES Key using RSA Unwrap with PKCS1v2.1/RSAOAEP-SHA512 Padding

Import a Wrapped RSA Key using AES Unwrap

Import an Wrapped RSA Key using RSA-AES-WRAP Unwrap with PKCS1v2.1/RSAOAEP-SHA256 Padding

KeyVersionImportRequest

KeyVersionImportResponse

KeyExportRequest

KeyExportResponse

Export a Key

Export and Delete a Versioned Key

Export a Key with PKCS1v2.1/RSAOAEP-SHA512 Padding

Export a Key using Password Based Encryption(PBE) Parameters

Export an AES Key Wrapped with Another AES Key

Export an RSA Key Wrapped with another RSA Key using RSA-AES-WRAP

PublicKeyExportRequest

Export an RSA Key