What KMIP coverage do we provide?

1.0 KMIP

The Key Management Interoperability Protocol (KMIP) is an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server. This facilitates data encryption by simplifying encryption key management.

2.0 KMIP Versions Supported

  • 1.4

  • 1.3

  • 1.2

  • 1.1

  • 1.0

3.0 Supported Operations

  • ACTIVATE

  • ARCHIVE

  • CHECK

  • CREATE

  • CREATE_KEY_PAIR

  • DECRYPT

  • DELETE_ATTRIBUTES

  • DERIVE_KEY

  • DESTROY

  • DISCOVER_VERSIONS

  • ENCRYPT

  • GET

  • ADD_ATTRIBUTE

  • GET_ATTRIBUTE_LIST

  • GET_ATTRIBUTES

  • LOCATE

  • MAC

  • MAC_VERIFY

  • HASH

  • MODIFY_ATTRIBUTE

  • QUERY

  • RECOVER

  • REGISTER

  • REKEY

  • REKEY_KEY_PAIR

  • REVOKE

  • SIGN

  • SIGNATURE_VERIFY

4.0 Supported Object Types

  • PUBLIC_KEY

  • PRIVATE_KEY

  • SYMMETRIC_KEY

  • CERTIFICATE

  • SECRET_DATA

  • OPAQUE_OBJECT

  • SPLIT_KEY

5.0 Supported Attributes for Operations: Register/Create/Rekey

  • Name

  • Alternate Name

  • Application Specific Information

  • Cryptographic Length

  • Cryptographic Usage Mask

  • Cryptographic Algorithm

  • Activation Date

  • Process Start Date

  • Process Stop Date

  • Deactivate Date

  • Cryptographic Parameters

  • Contact Information

  • X-: all custom attributes starting with X- of the following data types:

    • Big Integer

    • Boolean

    • Byte String

    • Date-Time

    • Enumeration

    • Integer

    • Interval

    • Long Integer

    • Text String

  • Digest

  • Default Operation Policy

  • Original Creation Date

  • Object Group

  • Operation Policy Name

  • Last Change Date

6.0 Changelog

This section outlines the new features, improvements, and bug fixes for the Fortanix DSM KMIP client.

DSM 4.37 - Latest

  • Updated KMIP tab user interface (UI) under Fortanix DSM Settings → Client Configuration to provide greater flexibility in filtering keys.

    • The "Allow secrets with unknown operations" check box has been removed.

    • The "Ignore unknown key operations for" section has been added to disallow keys with unknown operations in the KMIP client configuration settings.

    For more details, refer to User's Guide: Group Client Configurations and User's Guide: Account Client Configurations.

DSM 4.36

  • Introduced EXPORT permission for all keys during creation.

    • Using DSM UI: A new check box, "Default to creating keys with Export permission", is added in DSM account Settings → CLIENT CONFIGURATION → KMIP to enable this permission.

      For more details, refer to User's Guide: Group Client Configurations and User's Guide: Account Client Configurations.

    • Using DSM REST API: Added the EXPORT operation to the key_ops_override method to apply the EXPORT permission to all keys.
      Example:

      "kmip": {
          "ignore_unknown_key_ops_for_secrets":
          "key_ops_override": {
              "add_key_ops": ["EXPORT"]
          }