Key Material Export and Upload

This section describes how to prevent CCKM users from exporting source key material, and how to allow CCKM users who are not the key owner to upload source key material to the cloud.

Preventing CCKM Users from Exporting Key Material

When a CCKM user creates a new source key on the CipherTrust Manager and uploads it to the cloud, that user is the key owner and therefore holds all permissions on the source key, including permission to export the source key material after the upload.

To prevent the CCKM user from exporting the source key material:

  1. Create a custom group, for example, <deny-export-policy-group>. A policy attached to this group will deny its members permission to export the source key material.

    POST  /api/v1/usermgmt/groups
    {
       "name": "<deny-export-policy-group>"
    }
    
  2. Create a policy, for example, <deny-export-policy>, that denies export of the source key.

    POST  /api/v1/admin/policies
    {
       "name": "<deny-export-policy>",
       "allow": true,
       "effect": "deny",
       "actions": [
          "ExportKey"
       ]
    }
    
  3. Attach the policy, for example, <deny-export-policy>, to the custom group.

    POST  /api/v1/admin/policy-attachments
    {
       "policy": "<deny-export-policy>",
       "principalSelector": {
          "cust": {
             "groups": [
                "<deny-export-policy-group>"
             ]
          }
       }
    }
    
  4. Add the CCKM user, <cckm-user>, to the custom group.

    POST  /api/v1/usermgmt/groups/<deny-export-policy-group>/users/<cckm-user>
    {
       "name": "<deny-export-policy-group>",
       "created_at": "<timestamp>",
       "updated_at": "<timestamp>"
    }
    

The CCKM user can no longer export the key material.
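The four REST calls above can be scripted so the policy body is reviewed before anything is sent. The script below is an added example, not Thales' code or part of the CCKM documentation; it uses only the Python standard library, and the base URL, bearer token and placeholder names are assumptions. Step 4 is sent without a request body on the assumption that the name/timestamp JSON listed under that step is the server's reply.

```python
"""Added example (not Thales' code): drive the deny-export procedure against
a CipherTrust Manager with urllib. BASE_URL and TOKEN are assumed values."""
import json
import urllib.request

BASE_URL = "https://cm.example.internal"   # assumed CipherTrust Manager address
TOKEN = "<bearer-token>"                     # assumed; placeholder for a real API token


def deny_export_plan(group: str, policy: str, user: str) -> list:
    """Return the four requests from the procedure, in order, as plain data
    so they can be inspected (or asserted on) before being sent."""
    return [
        {"method": "POST", "path": "/api/v1/usermgmt/groups",
         "body": {"name": group}},
        {"method": "POST", "path": "/api/v1/admin/policies",
         "body": {"name": policy, "allow": True, "effect": "deny",
                  "actions": ["ExportKey"]}},
        {"method": "POST", "path": "/api/v1/admin/policy-attachments",
         "body": {"policy": policy,
                  "principalSelector": {"cust": {"groups": [group]}}}},
        # Assumption: membership is expressed by the path alone, no body.
        {"method": "POST", "path": f"/api/v1/usermgmt/groups/{group}/users/{user}",
         "body": None},
    ]


def policy_denies_export(policy_body: dict) -> bool:
    """Pre-flight check for step 2: the policy must have effect 'deny' and
    list ExportKey, so a typo cannot turn it into an allow rule or a deny on
    the wrong action."""
    return (policy_body.get("effect") == "deny"
            and "ExportKey" in policy_body.get("actions", []))


def send(step: dict) -> dict:
    """Send one planned request and return the parsed JSON reply."""
    data = None if step["body"] is None else json.dumps(step["body"]).encode()
    req = urllib.request.Request(BASE_URL + step["path"], data=data,
                                 method=step["method"])
    req.add_header("Authorization", f"Bearer {TOKEN}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def apply_deny_export(group: str, policy: str, user: str, sender=send) -> list:
    """Validate the plan, then execute it step by step; `sender` is injectable
    so the flow can be exercised without a live CipherTrust Manager."""
    plan = deny_export_plan(group, policy, user)
    if not policy_denies_export(plan[1]["body"]):
        raise ValueError("policy body would not deny ExportKey; refusing to send")
    return [sender(step) for step in plan]


if __name__ == "__main__":
    for reply in apply_deny_export("deny-export-policy-group",
                                   "deny-export-policy", "cckm-user"):
        print(json.dumps(reply, indent=2))
```

Because the plan is data, an operator can diff it against change-control records before the policy is created; the `sender` parameter also lets the same flow be tested against a fake endpoint.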

Permitting CCKM Users to Upload Key Material

When the CCKM user is not the key owner, grant the read key (ReadKey) and export/upload key (UploadKey) permissions on the source key to the CCKM Users group or to the custom group.

PATCH  /api/v1/vault/keys2/<key-id>
{
   "meta": {
      "ownerId": "<owner-ID>",
      "permissions": {
         "ReadKey": [
            "<group-name>"
         ],
         "UploadKey": [
            "<group-name>"
         ]
      }
   }
}

The CCKM user can upload the source key material successfully.
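Building the PATCH body from the key's current metadata, rather than typing it by hand, keeps grants that other groups already hold and lets you confirm the upload grant does not also hand out ExportKey, which the previous section set out to deny. The code below is an added example, not Thales' code or the CCKM API; the sample metadata is constructed, and preserving the existing permissions map is a defensive assumption on our side, not documented server behaviour.

```python
"""Added example (not Thales' code): construct the key-permission PATCH body
for a non-owner CCKM user and check it stays least-privilege."""
import json

# Constructed sample of a key's current meta, shaped like the body shown above.
SAMPLE_META = {
    "ownerId": "local|owner-0001",          # constructed owner id
    "permissions": {"ReadKey": ["Key Admins"]},
}

UPLOAD_ACTIONS = ("ReadKey", "UploadKey")   # the two rights the upload path needs


def grant_upload(meta: dict, group: str) -> dict:
    """Return the PATCH body: keep ownerId, add `group` to ReadKey and
    UploadKey, and copy every grant already present. Copying is an assumption
    on our side: it avoids dropping other groups if the server replaces the
    permissions object instead of merging it. The input is not mutated."""
    perms = {action: list(groups)
             for action, groups in meta.get("permissions", {}).items()}
    for action in UPLOAD_ACTIONS:
        members = perms.setdefault(action, [])
        if group not in members:
            members.append(group)
    return {"meta": {"ownerId": meta["ownerId"], "permissions": perms}}


def grants_export(body: dict, group: str) -> bool:
    """True if the PATCH body would give `group` ExportKey; use it as a
    pre-flight check so an upload grant never widens into an export grant."""
    return group in body["meta"]["permissions"].get("ExportKey", [])


if __name__ == "__main__":
    body = grant_upload(SAMPLE_META, "CCKM Users")
    if grants_export(body, "CCKM Users"):
        raise SystemExit("refusing: body would grant ExportKey")
    print("PATCH /api/v1/vault/keys2/<key-id>")
    print(json.dumps(body, indent=3))
```

Fetch the key with GET /api/v1/vault/keys2/<key-id> first, pass its `meta` to `grant_upload`, and send the returned body with the PATCH shown above.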