This article describes the various key operations supported by Fortanix Data Security Manager (DSM). These include Encrypt, Decrypt, WrapKey, UnwrapKey, DeriveKey, MacGenerate, MacVerify, AppManageable, Sign, Verify, AgreeKey, and Export key operations.
Key operations are cryptographic and management operations that can be performed on a security object.
Generally, key operations are defined at the time of the creation of a security object. For more information on key creation, refer to Creating-a-Security-Object.
By default, all key operations except for ‘Export’ that are implemented for that type of key will be enabled. These may be overridden by requesting specific operations in the key creation request. Note that the key operations restricted for a security object on creation cannot be re-enabled after creation. If none of the operations are selected all key operations will be disabled.
Key Operations Definitions
Figure 1: Key operations
- Encrypt – This operation allows the key to be used for encryption. Encryption involves the process of converting data in plain text format to an encoded format called ciphertext using a key generated by an algorithm. Both asymmetric and symmetric keys can be used to perform the ‘Encrypt’ operation.
- Decrypt - This operation allows the key to be used for decryption. Decryption involves the process of converting ciphertext into plain text using a key. Both asymmetric and symmetric keys can be used to perform the ‘Decrypt’ operation.
- WrapKey- This operation allows a key to be wrapped (encrypted) by another key for export from Fortanix DSM, so they can be later imported into Fortanix DSM or another key management system. The key being wrapped must have the ‘Export’ operation enabled and the wrapping key must have the ‘WrapKey’ operation enabled. The following wrapping operations are supported:
- Symmetric keys, HMAC keys, opaque objects, and secret objects may be wrapped with symmetric or asymmetric keys.
- Asymmetric keys may be wrapped with symmetric keys. Wrapping an asymmetric key with an asymmetric key is not supported.
For more information on the ‘WrapKey’ operation, refer to Wrapping a key.
- UnwrapKey- This operation allows the key to be used to unwrap (decrypt) a wrapped key. This allows securely importing security objects into Fortanix DSM, that were previously wrapped by Fortanix DSM, or another key management system. A new security object will be created in Fortanix DSM with the unwrapped data. The key used for unwrapping must have the ‘UnwrapKey’ operation enabled.
- DeriveKey- This operation allows the key to be used to derive another key. Fortanix DSM can generate new keys by deriving them from existing keys and some additional data. Currently, the only supported mechanism for deriving keys is by encrypting some data with a key. For more information, refer to Deriving Security Object.
- MacGenerate and MacVerify - These operations allow the key to be used to compute and verify Message Authentication Code (MAC) on a message using symmetric keys. The symmetric key must have the ‘MacGenerate’ operation enabled to generate a MAC and the ‘MacVerify’ operation enabled to verify a MAC. In addition, the key must be enabled.
- AppManageable- This operation enables applications (App) to perform management operations like
remove_private(removes the private half of an asymmetric key), and so on, on the security object. A user with access or an admin app can still perform these operations. This option is only relevant for cryptographic applications. For more information, refer to User's Guide: Security Controls for Fortanix Data Security Manager Applications.
- Sign- This operation enables the key to be used for generating a digital signature. The signing key must be an asymmetric key such as RSA, DSA, or elliptical key, with the private part present. Symmetric keys may not be used to sign data. They can be used only with the ‘MacGenerate’ and ‘MacVerify’ operations.
- Verify- This operation enables the key to be used for verifying a signature. The verifying key must be an asymmetric key such as RSA, DSA, or elliptical curve key, with the ‘Verify’ operation enabled. Symmetric keys may not be used to verify data. They can be used only with the ‘MacGenerate’ and ‘MacVerify’ operations.
- AgreeKey- This operation enables the key to be used for key agreement. The cryptographic key agreement operation is between public and private keys.
Both keys must have been generated from the same parameters (such as the same elliptic curve) and must have enabled the ‘AgreeKey’ operation.
- Transform – This operation is applicable for BIP32 keys. It accepts an index input and creates a non-hardened child in the same network as the parent key.
- Export- This operation enables the value of the key to be retrieved with an authenticated request. By default, the ‘Export ‘operation is disabled for all key types. The operation should not be enabled unless required. It is more secure to keep the key's value inside Fortanix DSM only.
- Highvolume- This operation is enabled only when the audit logs for the key are disabled. It is used only for scenarios where a key is used for cryptographic operations with very high usage. For more information on disabling audit logs, refer to User's Guide: Logging.