| copyright | lastupdated | Keywords | subcollection | ||
|---|---|---|---|---|---|
|
2019-04-10 |
standard keys, import keys, encryption keys, Hyper Protect Crypto Services GUI |
hs-crypto |
{:shortdesc: .shortdesc} {:codeblock: .codeblock} {:screen: .screen} {:new_window: target="_blank"} {:pre: .pre} {:tip: .tip}
{: #import-standard-keys}
You can add your existing encryption keys with the {{site.data.keyword.hscrypto}} GUI, or programmatically with the {{site.data.keyword.hscrypto}} API.
{: #import-standard-key-gui}
After you create an instance of the service, complete the following steps to enter your existing standard key with the {{site.data.keyword.hscrypto}} GUI.
-
Log in to the {{site.data.keyword.cloud_notm}} console
{: new_window}. -
Go to Menu > Resource List to view a list of your resources.
-
From your {{site.data.keyword.cloud_notm}} resource list, select your provisioned instance of {{site.data.keyword.hscrypto}}.
-
To import a new key, click Add key and select the Import your own key window.
Specify the key's details:
Table 1. Describes the Generate new key settings Setting Description Name A unique, human-readable alias for easy identification of your key.
To protect your privacy, ensure that the key name does not contain personally identifiable information (PII), such as your name or location.
Key type The type of key that you would like to manage in {{site.data.keyword.hscrypto}}. From the list of key types, select Standard key. Key material The base64 encoded key material, such as a symmetric key, that you want to manage in the service.
Ensure that the key material meets the following requirements:
- The key can be up to 10,000 bytes in size.
- The bytes of data must be base64 encoded.
-
When you are finished filling out the key's details, click Import key to confirm.
{: #create-standard-key-api}
Create a standard key by making a POST call to the following endpoint:
https://<region>.hs-crypto.cloud.ibm.com:<port>/api/v2/keys
{: codeblock}
-
Retrieve your service and authentication credentials to work with keys in the service.
-
Call the {{site.data.keyword.hscrypto}} API
{: new_window} with the following cURL command.curl -X POST \ https://<region>.hs-crypto.cloud.ibm.com:<port>/api/v2/keys \ -H 'authorization: Bearer <IAM_token>' \ -H 'bluemix-instance: <instance_ID>' \ -H 'content-type: application/vnd.ibm.kms.key+json' \ -H 'correlation-id: <correlation_ID>' \ -H 'prefer: <return_preference>' \ -d '{ "metadata": { "collectionType": "application/vnd.ibm.kms.key+json", "collectionTotal": 1 }, "resources": [ { "type": "application/vnd.ibm.kms.key+json", "name": "<key_alias>", "description": "<key_description>", "expirationDate": "<YYYY-MM-DDTHH:MM:SS.SSZ>", "payload": "<key_material>", "extractable": <key_type> } ] }'{: codeblock}
Replace the variables in the example request according to the following table.
Table 2. Describes the variables that are needed to add a standard key with the {{site.data.keyword.hscrypto}} API Variable Description region The region abbreviation, such as us-southoreu-gb, that represents the geographic area where your {{site.data.keyword.hscrypto}} service instance resides. For more information, see Regional service endpoints.IAM_token Your {{site.data.keyword.cloud_notm}} access token. Include the full contents of the IAMtoken, including the Bearer value, in the cURL request. For more information, see Retrieving an access token.instance_ID The unique identifier that is assigned to your {{site.data.keyword.hscrypto}} service instance. For more information, see Retrieving an instance ID. correlation_ID The unique identifier that is used to track and correlate transactions. return_preference Optional: A header that alters server behavior for
POSTandDELETEoperations.When you set the return_preference variable to
return=minimal, the service returns only the key metadata, such as the key name and ID value, in the response entity-body. When you set the variable toreturn=representation, the service returns both the key material and the key metadata.key_alias A unique, human-readable name for easy identification of your key.
Important: To protect your privacy, do not store your personal data as metadata for your key.
key_description Optional: An extended description of your key.
Important: To protect your privacy, do not store your personal data as metadata for your key.
YYYY-MM-DD
HH:MM:SS.SSOptional: The date and time that the key expires in the system, in RFC 3339 format. If the expirationDateattribute is omitted, the key does not expire.key_material The base64 encoded key material, such as a symmetric key, that you want to manage in the service.
Ensure that the key material meets the following requirements:
- The key can be up to 10,000 bytes in size.
- The bytes of data must be base64 encoded.
key_type A boolean value that determines whether the key material can leave the service.
When you set the
extractableattribute totrue, the service designates the key as a standard key that you can store in your apps or services.To protect the confidentiality of your personal data, avoid entering personally identifiable information (PII), such as your name or location, when you add keys to the service. For more examples of PII, see section 2.2 of the NIST Special Publication 800-122
{: new_window}.
{: tip}A successful
POST /v2/keysresponse returns the ID value for your key, along with other metadata. The ID is a unique identifier that is assigned to your key and is used for subsequent calls to the {{site.data.keyword.hscrypto}} API. -
Optional: Verify that the key was added by running the following call to get the keys in your {{site.data.keyword.hscrypto}} service instance.
curl -X GET \ https://<region>.hs-crypto.cloud.ibm.com:<port>/api/v2/keys \ -H 'accept: application/vnd.ibm.collection+json' \ -H 'authorization: Bearer <IAM_token>' \ -H 'bluemix-instance: <instance_ID>' \ -H 'correlation-id: <correlation_ID>' \{: codeblock}
{: #import-standard-key-next}
To find out more about programmatically managing your keys, check out the {{site.data.keyword.hscrypto}} API reference doc {: new_window}.