Wrap your customer-supplied key

  • Release version: Washingtondc
  • Updated December 27, 2024
  • 2 minutes to read

    • Wrap the symmetric key to use for encryption with the downloaded public key.

    Before you begin

    Note:
    This procedure describes options that are available with KMF base system and options to be used with Column Level Encryption Enterprise functionality. Column Level Encryption Enterprise functionality is available only when the com.glide.now.platform.encryption plugin is active. See Activate Column Level Encryption Enterprise for more information on obtaining Column Level Encryption Enterprise.

    Some of the steps in this document require the use of a cryptographic tool installed on your local device. The examples in this task use the OpenSSL tool. For more information on this tool see https://www.openssl.org. If you are using other cryptographic tools, such as LibreSSL or GnuTLS, refer to the documentation for those products for similar steps.

    • Modify optional properties that control the size, padding algorithm, and validity period of the key.

    • You must have your symmetric key (.BIN) for encryption.

      Important:
      Your key must be in binary format. If another format is used, a Token failed validation. Please reattach the unmodified token.error message displays.

    • You must have a cryptographic tool to wrap your key. This example uses OpenSSL 1.1.

    Role required: sn_kmf.cryptographic_manager or sn_kmf.admin

    Procedure

    1. Navigate to All > Key Management Framework > Cryptographic Modules > All.
    2. Select the cryptographic module that you created for the customer supplied key from the Crypto Specifications related list.
    3. You will be directed to the Key Creation step.
    4. If you have not previously downloaded the wrapping key, click the link to download the token_publickey<id>.zip file and save it to the same location as your key.
      Note:
      Do not rename the downloaded token_publickey<id> file.
    5. Unzip the file to your local network.
      The zip file contains two files, an import token and a public key .PEM certificate. Wrap your symmetric key with the public key to encrypt it.
    6. Copy the name of the token_publickey file to your clipboard.
    7. From a command line, use the copied token_publickey file name to open the folder of the unzipped files as a placeholder for the wrapped key.
    8. Edit this script by replacing the examples with the names of your crypto files. 
      "downloads user.name$ cd token_publickey_<token>
openssl pkeyutl -encrypt -pubin -inkey publickey_<keyname>.PEM
-in <keyname.bin>
-out wrapped_key_material -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha<128 or 256> "

      Review the key wrapping commands in the following table for more information.

      Table 1. Key wrapping commands
      Directions Command Example
      Open the file directory where you downloaded the wrapping token. 
      cd
      		 cd token_publickey123456789
      Paste the name of the publickey.PEM certificate. 
      openssl pkeyutl -encrypt -pubin -inkey
      		 publickey_586798643ffff.PEM
      Paste the name of your key here. 
      -in
      		 mykey.bin
      Enter the <-out> command and specify if the key is 128 bit or 256 bit. 
      -out wrapped_key_material -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
      		 N/A
    9. Run the command.
      A system message displays token_publickey_<keynumber>. The key will be generated and a wrapped_key_material file added to the directory.
    10. Upload the wrapped key.

    What to do next

    Return to Configure and upload your customer supplied key to upload your wrapped key.