Keys in External Keystores

UKC (Unbound Key Control, Unbound's key management product) provides unified key management and unified UID-based use of keys that are stored in external keystores, such as AWS KMS (Key Management System) and Azure Key Vault. This section provides a quick introduction and specifies UKC capabilities in the following keystores: Azure Key Vault and AWS KMS.

Introduction

  • A partition may have access to many keystores.
  • Multiple partitions can access the same keystore.

External Keystore's Agent in UKC

A partition SO (Security Officer, the UKC partition administrator role), acting as the external keystore's agent, may attach the external keystore to the partition and detach it if the following requirements are fulfilled:

External Keystore Settings

A partition that was created with the allow-keystores attribute enabled permits its SO to create agents of external keystores, using the following settings for each keystore:

  • Name - mandatory and permanent.
  • Access key - mandatory. The ID of the keystore's access key.
  • Secret key - mandatory. The secret part of the access key.
  • Parameter - this name-value setting is specific to each keystore, as follows:

    Keystore Provider   Name     Value                   Example of Value
    AWS KMS             REGION   name of the region      US_WEST_2
    Azure Key Vault     URL      URL of the key vault    https://hello-world.vault.azure.net/

To configure external keystore settings, use the UI or the REST API. Refer to New Keystore.

External Key User's RBAC

The UKC agent's RBAC (role-based access control) setting in the external keystore is shared by all users of the partition. To differentiate among the users, assign different UKC Roles to them. The UKC user's RBAC when operating in the external keystore has three stages:

  1. The UKC user's Role must permit the required operation.
  2. The UKC partition's key Policy is considered depending on the type of the required operation:
  3. The UKC agent's Role in the external keystore must permit the required operation.
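The three-stage check above, modelled as an added example (not Unbound's code). The role names, the shape of the partition policy and the agent permission sets are constructed for illustration; UKC's real role and policy identifiers are not reproduced here. The point the model makes visible is that the agent's permissions in the cloud keystore are one shared set per keystore, so per-user differentiation can only come from stages 1 and 2.

```python
"""Added example (not Unbound's code): a model of the three-stage RBAC check a
UKC partition user passes before operating on a key held in an external keystore.
Role names, the policy shape and the agent permission sets are constructed."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Stage 1: what each UKC user Role may do (constructed role table).
UKC_ROLE_PERMISSIONS = {
    "user":    {"encrypt", "decrypt", "sign", "verify", "get_info"},
    "auditor": {"get_info"},
    "so":      {"create", "delete", "get_info"},
}

# Stage 3: the keystore agent's Role in the external keystore.  One set per
# keystore, shared by every user of the partition (constructed; in practice it
# is whatever the cloud IAM role behind the agent's access key allows).
AGENT_KEYSTORE_PERMISSIONS = {
    "aws-kms-prod": {"encrypt", "decrypt", "sign", "verify", "create", "get_info"},
    "azure-kv-dev": {"encrypt", "decrypt", "get_info"},
}

# Operations for which stage 2 (the partition key policy) is consulted.
CRYPTO_OPS = {"encrypt", "decrypt", "sign", "verify", "wrap", "unwrap"}


@dataclass
class Key:
    uid: str        # UKC UID of the key
    keystore: str   # name of the external keystore agent holding it
    key_type: str   # "RSA", "ECC" or "AES"
    size: int       # key size in bits


@dataclass
class PartitionPolicy:
    """Stage 2: a per-partition policy keyed by crypto attributes.  Here it only
    carries a minimum key size per key type (assumption); a real policy covers more."""
    min_sizes: dict = field(default_factory=dict)


def authorize(user_role: str, key: Key, op: str,
              policy: PartitionPolicy) -> Tuple[bool, Optional[int], str]:
    """Evaluate the three stages in order.

    Returns (allowed, failing_stage, reason); failing_stage is None when the
    operation is permitted.  The first stage that denies wins, so a user whose
    UKC Role is too narrow is stopped before the partition policy or the cloud
    keystore is consulted at all."""
    # Stage 1: the UKC user's Role must permit the operation.
    if op not in UKC_ROLE_PERMISSIONS.get(user_role, set()):
        return False, 1, f"UKC role '{user_role}' does not permit '{op}'"

    # Stage 2: the partition's key policy applies to crypto operations only.
    if op in CRYPTO_OPS:
        min_size = policy.min_sizes.get(key.key_type)
        if min_size is not None and key.size < min_size:
            return False, 2, (f"partition policy requires {key.key_type} keys of "
                              f"at least {min_size} bits; {key.uid} has {key.size}")

    # Stage 3: the agent's Role in the external keystore must permit it too.
    if op not in AGENT_KEYSTORE_PERMISSIONS.get(key.keystore, set()):
        return False, 3, f"keystore agent '{key.keystore}' is not permitted '{op}'"

    return True, None, "permitted by all three stages"


if __name__ == "__main__":
    policy = PartitionPolicy(min_sizes={"RSA": 3072})
    keys = [Key("k-rsa4096", "aws-kms-prod", "RSA", 4096),
            Key("k-rsa2048", "aws-kms-prod", "RSA", 2048),
            Key("k-kv-rsa", "azure-kv-dev", "RSA", 4096)]
    for role, key, op in [("user", keys[0], "sign"), ("auditor", keys[0], "sign"),
                          ("user", keys[1], "encrypt"), ("user", keys[2], "sign")]:
        print(role, key.uid, op, "->", authorize(role, key, op, policy))
```

The returned stage number is useful operationally: a stage-3 denial means the cloud IAM grant behind the agent's access key is narrower than the UKC side expects, which is a configuration drift to investigate rather than a user permission problem.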

In addition, the UKC key policy restrictions are applied as follows:

Azure Key Vault

SDK

UKC Release 2.0.2007 uses capabilities provided by the Azure Key Vault SDK azure-keyvault, version 1.2.4.

KV Key Types and Create Options

The following table summarizes supported KV key types and BYOK (Bring Your Own Key) / non-BYOK key creation options.

  Key type   Size/Curve                       BYOK: Import   BYOK: Generate   non-BYOK: Import   non-BYOK: Generate
  RSA        2048, 3072, 4096
  ECC        P-256, P-384, P-521, SECP256K1

Reference:

KV Key Crypto Operations

The following table summarizes UID-based crypto operations supported by Azure Key Vault.

  Key type   Decrypt/Encrypt   Sign/Verify   Wrap/Unwrap
  RSA
  ECC

Note: When generating or importing the external keystore key via UKC, it is sufficient to specify Decrypt to enable both Decrypt and Encrypt. The same applies to Sign and to Unwrap. Refer to Azure KV Key Operations.
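The expansion rule in the note, carried through as an added example (not Unbound's or Microsoft's code): it turns the operations a UKC caller names into the key_ops list Key Vault stores on the key and assembles a create-key request body from the sizes and curves in the table above. The key_ops, kty, key_size and crv identifiers are the ones Key Vault uses; which operations each key type accepts (EC keys sign/verify only) and the mapping of SECP256K1 to Key Vault's P-256K curve name are assumptions of this example about Key Vault, not statements from this page.

```python
"""Added example (not Unbound's or Microsoft's code): apply the note's rule
(Decrypt also enables Encrypt, Sign also enables Verify, Unwrap also enables
Wrap) when building a Key Vault key_ops list and create-key body."""
from typing import Dict, List, Optional

# The note above: naming the first op is sufficient to enable its partner.
# Naming only the partner (e.g. "encrypt") enables that op alone.
IMPLIES = {"decrypt": "encrypt", "sign": "verify", "unwrapKey": "wrapKey"}
KV_KEY_OPS = {"encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"}

# Assumption about Key Vault: RSA keys take all three pairs, EC keys only sign/verify.
ALLOWED_BY_TYPE = {
    "RSA": KV_KEY_OPS,
    "EC": {"sign", "verify"},
}

# Sizes and curves from the KV key types table above.  SECP256K1 is spelled
# P-256K in Key Vault (assumption of this example).
RSA_SIZES = {2048, 3072, 4096}
EC_CURVES = {"P-256": "P-256", "P-384": "P-384", "P-521": "P-521", "SECP256K1": "P-256K"}


def expand_key_ops(key_type: str, requested: List[str]) -> List[str]:
    """Expand the requested operations to the full key_ops list, in request
    order and without duplicates, rejecting operations the key type cannot carry."""
    allowed: Optional[set] = ALLOWED_BY_TYPE.get(key_type)
    if allowed is None:
        raise ValueError(f"unsupported key type {key_type!r}")
    ops: List[str] = []
    for op in requested:
        if op not in KV_KEY_OPS:
            raise ValueError(f"unknown Key Vault operation: {op!r}")
        for candidate in (op, IMPLIES.get(op)):
            if candidate and candidate not in ops:
                ops.append(candidate)
    unsupported = sorted(set(ops) - allowed)
    if unsupported:
        raise ValueError(f"{key_type} keys do not support {unsupported}")
    return ops


def build_create_key_body(key_type: str, size_or_curve, requested: List[str]) -> Dict:
    """Assemble a Key Vault create-key request body (kty, key_size or crv,
    key_ops).  The field names are Key Vault's; the assembly is this example's own."""
    body: Dict = {"kty": key_type, "key_ops": expand_key_ops(key_type, requested)}
    if key_type == "RSA":
        if size_or_curve not in RSA_SIZES:
            raise ValueError(f"unsupported RSA size {size_or_curve!r}")
        body["key_size"] = size_or_curve
    else:  # "EC", the only other type expand_key_ops accepts
        if size_or_curve not in EC_CURVES:
            raise ValueError(f"unsupported curve {size_or_curve!r}")
        body["crv"] = EC_CURVES[size_or_curve]
    return body


if __name__ == "__main__":
    print(build_create_key_body("RSA", 3072, ["decrypt", "sign"]))
    print(build_create_key_body("EC", "SECP256K1", ["sign"]))
```

Rejecting unsupported operations before the request is sent keeps the operation set on the UKC side and in Key Vault identical, which matters because the KV per-key policy described later in this section is exactly this key_ops list.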

Crypto algorithms:

KV Key Management Operations

The following table compares UKC and KV key management options and provides a reference to Key Vault documentation for further details.

Operation: Edit
  • Similar attributes in sync between KV and UKC:
    • Description of a key.
    • Enabled / Disabled status.
  • Similar attributes not synced between KV and UKC:
    • Activation (not before) and Deactivation (expires) date.
  • Distinctive attributes:
    • KV allows flexible Key Tags (except the "description" tag).
  Reference: Azure Update Key

Operation: Delete
  • Differences:
    • UKC provides three flavors of delete: Revoke, Discard and Delete. All these actions are non-reversible. They map to KV "delete".
    • KV provides Delete and Purge.
    • KV settings provide options to reverse the Delete action. Purge is final.
    • KV key delete of a rotated (rekeyed) key moves all versions of the key to the Delete zone. The KV restore command restores all versions.
  References: Azure Delete Key, Deletion Recovery Level, Azure Purge Key

Operation: Cancel Deletion
  Reference: Soft Delete

Operation: Activate / Revoke
  • Differences:
    • KV has no Activate or Revoke command and no revoke-reasons.
    • The only cause of key revoke is the expiration of its validity.
  Reference: Azure Update Key

Operation: Enable
  For KV implementation, see the "Edit" command.

Operation: Disable
  For KV implementation, see the "Edit" command.

Operation: Get Info
  For KV implementation, see the "Edit" command.
  Reference: Azure Get Key

Operation: Get Public

Operation: Get Policy

Operation: Update Policy
  • Differences:
    • UKC provides a fine-grain policy that reaches all crypto-use parameters. The policy is per partition: the same crypto-operation policy applies to all keys with the same crypto attributes.
    • KV crypto-operation policy addresses key usage, without accounting for the usage parameters. The policy is per key.
  To align the policies, make the required changes in both keystores.

Operation: Get Private
  Exporting from Azure is not supported.

Operation: Rekey
  Reference: Azure Key Rotation

Operation: Backup/Restore
  Reference: Azure Key Backup

Note: the ≈ sign indicates the availability of alternatives.

AWS KMS

SDK

UKC Release 2.0.2007 uses the AWS KMS SDK aws-java-sdk-kms, version 1.11.682.

KMS Key Types and Create Options

The following table summarizes supported KMS key types and BYOK/non-BYOK key creation options.

  Key type   Size/Curve                       BYOK: Import   BYOK: Generate   non-BYOK: Import   non-BYOK: Generate
  RSA        2048, 3072, 4096
  ECC        P-256, P-384, P-521, SECP256K1
  AES        256

References:

KMS Key Crypto Operations

The following table summarizes UID-based crypto operations supported by AWS KMS.

  Key type   Decrypt/Encrypt   Sign/Verify
  RSA
  ECC
  AES

References:

Crypto algorithms:

KMS Key Management Operations

The following table compares UKC and KMS key management options and provides a reference to KMS documentation for further details.

Operation: Edit
  • Similar attributes in sync between KV and UKC:
    • Description of a key.
    • Enabled / Disabled status.
  • Similar attributes not synced between KV and UKC:
    • Activation (not before) and Deactivation (expires) date.
  • Distinctive attributes:
    • KV allows flexible Key Tags (except the "description" tag).

Operation: Delete
  • Differences:
    • UKC provides two flavors of delete: Discard and Delete. Both actions are non-reversible. They map to KV "delete".
    • KV provides Delete and Purge.
    • KV settings provide options to reverse the Delete action. Purge is final.
    • KV key delete of a rotated (rekeyed) key moves all versions of the key to the Delete zone. The KV restore command restores all versions.

Operation: Cancel Deletion

Operation: Activate / Revoke
  • Differences:
    • KV has no Activate or Revoke command and no revoke-reasons.
    • The only cause of revoke is the expiration of the validity.

Operation: Enable

Operation: Disable

Operation: Get Info
  For KMS implementation, see the "Edit" command.

Operation: Get Public
  For KMS implementation, see the "Edit" command.

Operation: Get Policy
  For KMS implementation, see the "Edit" command.

Operation: Update Policy
  • Differences:
    • UKC provides a fine-grain policy that reaches all crypto-use parameters. The policy is per partition: the same crypto-operation policy applies to all keys with the same crypto attributes.
    • KV crypto-operation policy addresses key usage, without accounting for the usage parameters. The policy is per key.
  To align the policies, make the required changes in both keystores.

Operation: Get Private
  Exporting from KMS is not supported.

Operation: Rekey
  Reference: AWS Key Rotation

Operation: Backup/Restore
  UKC provides backup/restore of all key material and secure transfer of keys to/from the air-gapped vault.

Note: the ≈ sign indicates the availability of alternatives.