Wrap the symmetric key to use for encryption with the downloaded public key.
Before you begin
Note: This procedure describes options that are available with
the KMF base system and options to be used with
Field Encryption Enterprise functionality.
Field Encryption Enterprise functionality is available only when the
com.glide.now.platform.encryption plugin is active. See
Activate Field Encryption for more information on obtaining
Field Encryption Enterprise.
Some of the steps in this document require the use of a cryptographic tool installed
on your local device. The examples in this task use the OpenSSL tool. For more
information on this tool, see https://www.openssl.org. If you are using other cryptographic tools, such as LibreSSL
or GnuTLS, refer to the documentation for those products for similar steps.
Role required: security_admin and sn_kmf.cryptographic_manager or sn_kmf.admin
Procedure
- Navigate to .
- Select View module details for the cryptographic module that you created for the customer-supplied key from the Field Encryption modules overview.
- Select the Add encryption key option from the Complete these steps in any order to set up the module section.
- Select Select and continue under the Bring-your-own-key option.
- You will be directed to the Key Creation step.
- If you have not previously downloaded the wrapping key, click the link to download the token_publickey<id>.zip file and save it to the same location as your key.
  Note: Do not rename the downloaded token_publickey<id> file.
- Unzip the file to your local network.
  The zip file contains two files: an import token and a public key .PEM certificate. Wrap your symmetric key with the public key to encrypt it.
- Copy the name of the token_publickey file to your clipboard.
- From a command line, use the copied token_publickey file name to open the folder of the unzipped files as a placeholder for the wrapped key.
- Edit this script by replacing the examples with the names of your crypto files.
cd token_publickey_<token>
openssl pkeyutl -encrypt -pubin -inkey publickey_<keyname>.PEM \
  -in <keyname.bin> \
  -out wrapped_key_material -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha<128 or 256>
Review the key wrapping commands in the following table for more information.
Table 1. Key wrapping commands
| Directions | Command | Example |
| --- | --- | --- |
| Open the file directory where you downloaded the wrapping token. | cd | cd token_publickey123456789 |
| Paste the name of the publickey.PEM certificate. | openssl pkeyutl -encrypt -pubin -inkey | publickey_586798643ffff.PEM |
| Paste the name of your key here. | -in | mykey.bin |
| Enter the <-out> command and specify if the key is 128 bit or 256 bit. | -out wrapped_key_material -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 | N/A |
- Run the command.
  A system message displays token_publickey_<keynumber>. The key will be generated and a wrapped_key_material file added to the directory.
- Upload the wrapped key.
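
To check the wrap command from this procedure locally before uploading, the following added example (not part of the original documentation) runs it against a throwaway RSA key pair that stands in for the downloaded public key, then unwraps the result to confirm that the key bytes round-trip and that a mismatched OAEP digest is rejected. The file names test_private.pem, test_public.PEM and unwrapped.bin and the 2048-bit stand-in key size are assumptions.

```shell
# Added example, not part of the original procedure. The RSA key pair made here is a
# constructed stand-in for the downloaded publickey_<keyname>.PEM so the wrap can be
# checked locally; in the real procedure you never hold the private key.

wrap_roundtrip() {
  bits="$1"            # symmetric key size in bits: 128 or 256
  md="${2:-sha256}"    # OAEP digest used for the wrap
  other=sha1           # a digest that differs from $md, for the negative check
  [ "$md" = sha1 ] && other=sha256
  dir="$(mktemp -d)" || return 1
  (
    cd "$dir" || exit 1
    umask 077          # key material must not be group or world readable
    # Stand-in wrapping key pair (2048-bit RSA is an assumption for this demo).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out test_private.pem 2>/dev/null || exit 1
    openssl pkey -in test_private.pem -pubout -out test_public.PEM || exit 1
    # Symmetric key to protect: raw random bytes, bits/8 long.
    openssl rand -out mykey.bin "$((bits / 8))" || exit 1
    # Same wrap command as the procedure, with the demo file names.
    openssl pkeyutl -encrypt -pubin -inkey test_public.PEM -in mykey.bin \
      -out wrapped_key_material \
      -pkeyopt rsa_padding_mode:oaep -pkeyopt "rsa_oaep_md:$md" || exit 2
    # An RSA-wrapped blob is as long as the modulus: 256 bytes for 2048 bits.
    [ "$(($(wc -c < wrapped_key_material)))" -eq 256 ] || exit 3
    # Unwrapping with the matching digest must return the original key bytes.
    openssl pkeyutl -decrypt -inkey test_private.pem -in wrapped_key_material \
      -out unwrapped.bin \
      -pkeyopt rsa_padding_mode:oaep -pkeyopt "rsa_oaep_md:$md" || exit 4
    cmp -s mykey.bin unwrapped.bin || exit 5
    # Unwrapping with a different OAEP digest must fail: the digest chosen at
    # wrap time has to match what the unwrapping side expects.
    if openssl pkeyutl -decrypt -inkey test_private.pem -in wrapped_key_material \
         -out /dev/null -pkeyopt rsa_padding_mode:oaep \
         -pkeyopt "rsa_oaep_md:$other" 2>/dev/null; then
      exit 6
    fi
  )
  rc=$?
  rm -rf "$dir"        # remove the demo key material
  return "$rc"
}

wrap_roundtrip 256 && echo "256-bit key: wrap verified"
```

A nonzero return code identifies the failing stage: 2 for the wrap itself, 3 for an unexpected blob length, 4 or 5 for a failed round-trip, 6 if a mismatched digest was accepted.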