1.0 Overview
The Fortanix Data Security Manager (DSM) can perform encryption and decryption of data with RSA key pairs.
2.0 Prerequisites
Performing public key cryptography requires a Fortanix DSM account, a group with an RSA key, and an application configured in that group. See the Fortanix Data Security Manager Getting Started Guide for more details.
3.0 Required Operations
The RSA key must have the Encrypt operation enabled for encryption and the Decrypt operation enabled for decryption. In addition, the key must be enabled.
4.0 Authorization and Configuration
You must first authenticate and optionally configure a default API client as described in Configure API Client and Client Authentication. Performing cryptography requires authenticating as an app with an API key or a client certificate. (User accounts cannot perform encryption and decryption.)
5.0 Create an EncryptionAndDecryptionApi Client Object
Encryption is performed using an EncryptionAndDecryptionApi object.
import com.fortanix.sdkms.v1.api.EncryptionAndDecryptionApi;
EncryptionAndDecryptionApi cryptoApi = new EncryptionAndDecryptionApi();
6.0 Encrypting Data
Data may be encrypted even if you have only a public key.
6.1 Create an Encryption Request
The encryption request object encodes the request parameters. Only the plain (plaintext) and alg (encryption algorithm) parameters are used for public key encryption. The plaintext should be binary data passed as an array of bytes. The cryptographic algorithm is required, and must match the type of the key (in this case, RSA).
import com.fortanix.sdkms.v1.model.ObjectType;
import com.fortanix.sdkms.v1.model.EncryptRequest;
EncryptRequest encryptRequest = new EncryptRequest().plain(<plaintext data as byte[]>).alg(ObjectType.RSA);
6.2 Make the Encryption Call
Data is encrypted with the encrypt() method of the EncryptionAndDecryptionApi object. encrypt() is called with the UUID of the key used to perform encryption, and the encryption request. The UUID of the key can be found in the key details page of the UI, or it can be retrieved by looking up keys with the API.
import com.fortanix.sdkms.v1.model.EncryptResponse;
EncryptResponse encryptResponse = cryptoApi.encrypt(<key UUID>, encryptRequest);
byte[] ciphertext = encryptResponse.getCipher();
7.0 Decrypting Data
You will need a private key in order to decrypt data.
7.1 Create a Decryption Request
The decryption request object encodes the request parameters. Only the cipher (ciphertext) and alg (encryption algorithm) parameters are used for public key decryption. The ciphertext should be binary data passed as an array of bytes. The cryptographic algorithm is required, and must match the type of the key (in this case, RSA).
import com.fortanix.sdkms.v1.model.ObjectType;
import com.fortanix.sdkms.v1.model.DecryptRequest;
DecryptRequest decryptRequest = new DecryptRequest().cipher(<ciphertext data as byte[]>).alg(ObjectType.RSA);
7.2 Make the Decryption Call
Data is decrypted with the decrypt() method of the EncryptionAndDecryptionApi object. decrypt() is called with the UUID of the key used to perform decryption, and the decryption request. The UUID of the key can be found in the key details page of the UI, or it can be retrieved by looking up keys with the API.
import com.fortanix.sdkms.v1.model.DecryptResponse;
DecryptResponse decryptResponse = cryptoApi.decrypt(<key UUID>, decryptRequest);
byte[] plaintext = decryptResponse.getPlain();
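The following program ties sections 5.0 through 7.0 together as one encrypt-then-decrypt round trip. It is an added example, not code from this page or from the Fortanix SDK samples. The EncryptionAndDecryptionApi, EncryptRequest, DecryptRequest, EncryptResponse, DecryptResponse and ObjectType.RSA usages are the ones shown above; the API client setup in connect() (ApiClient, Configuration, AuthenticationApi, ApiKeyAuth, AuthResponse) follows the SDK's Configure API Client and Client Authentication flow referenced in section 4.0 and is an assumption here, as are the environment variable names and the class name RsaRoundTrip.

```java
// Added example; not part of the Fortanix documentation or SDK sample code.
// Assumed (not shown on this page): the authentication classes used in connect()
// and the environment variable names read in main().
import com.fortanix.sdkms.v1.ApiClient;
import com.fortanix.sdkms.v1.ApiException;
import com.fortanix.sdkms.v1.Configuration;
import com.fortanix.sdkms.v1.api.AuthenticationApi;
import com.fortanix.sdkms.v1.api.EncryptionAndDecryptionApi;
import com.fortanix.sdkms.v1.auth.ApiKeyAuth;
import com.fortanix.sdkms.v1.model.AuthResponse;
import com.fortanix.sdkms.v1.model.DecryptRequest;
import com.fortanix.sdkms.v1.model.DecryptResponse;
import com.fortanix.sdkms.v1.model.EncryptRequest;
import com.fortanix.sdkms.v1.model.EncryptResponse;
import com.fortanix.sdkms.v1.model.ObjectType;

import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class RsaRoundTrip {

    /**
     * Authenticates as an app with an API key (section 4.0) and installs the
     * returned bearer token on the default API client. Assumed SDK flow.
     */
    static EncryptionAndDecryptionApi connect(String endpoint, String apiKey) throws ApiException {
        ApiClient client = new ApiClient();
        client.setBasePath(endpoint);
        client.setBasicAuthToken(apiKey); // the app API key is used only for authorize()
        Configuration.setDefaultApiClient(client);

        AuthResponse auth = new AuthenticationApi().authorize();
        ApiKeyAuth bearer = (ApiKeyAuth) client.getAuthentication("bearerToken");
        bearer.setApiKey(auth.getAccessToken());
        bearer.setApiKeyPrefix("Bearer");
        return new EncryptionAndDecryptionApi();
    }

    /** Section 6: only plain and alg are set for RSA; alg must match the key type. */
    static byte[] rsaEncrypt(EncryptionAndDecryptionApi api, String keyId, byte[] plaintext)
            throws ApiException {
        EncryptRequest req = new EncryptRequest().plain(plaintext).alg(ObjectType.RSA);
        EncryptResponse resp = api.encrypt(keyId, req);
        return resp.getCipher();
    }

    /** Section 7: only cipher and alg are set for RSA; requires the private key. */
    static byte[] rsaDecrypt(EncryptionAndDecryptionApi api, String keyId, byte[] ciphertext)
            throws ApiException {
        DecryptRequest req = new DecryptRequest().cipher(ciphertext).alg(ObjectType.RSA);
        DecryptResponse resp = api.decrypt(keyId, req);
        return resp.getPlain();
    }

    public static void main(String[] args) {
        // Assumed environment variable names; the key UUID comes from the key details page.
        String endpoint = System.getenv("FORTANIX_API_ENDPOINT");
        String apiKey = System.getenv("FORTANIX_API_KEY");
        String keyId = System.getenv("FORTANIX_RSA_KEY_UUID");

        // Constructed sample plaintext; RSA accepts only a short message per call.
        byte[] message = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);

        try {
            EncryptionAndDecryptionApi api = connect(endpoint, apiKey);
            byte[] ciphertext = rsaEncrypt(api, keyId, message);
            byte[] recovered = rsaDecrypt(api, keyId, ciphertext);

            // Verify the round trip rather than trusting that no exception was thrown.
            if (!Arrays.equals(message, recovered)) {
                throw new IllegalStateException("decrypted data does not match the original plaintext");
            }
            System.out.println("RSA round trip succeeded; ciphertext length " + ciphertext.length + " bytes");
        } catch (ApiException e) {
            // A key that is disabled or lacks the Encrypt/Decrypt operation (section 3.0),
            // or a wrong key type for ObjectType.RSA, surfaces here as an HTTP error.
            System.err.println("DSM call failed with HTTP " + e.getCode() + ": " + e.getResponseBody());
        }
    }
}
```

The API key and key UUID are read from the environment rather than written into source, and the program checks that decrypt() returns exactly the bytes passed to encrypt(). Because a single RSA operation can only encrypt a message shorter than the modulus (minus padding overhead), the usual pattern is to protect a symmetric data key this way rather than bulk data.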