forked from fortanix/sdkms-plugin-library
manifest
[
{
"name": "HD Wallet",
"versions": {
"1.0": {
"path": "hd-wallet/plugin.lua",
"description": "## Short Description\nThis plugin implements the BIP0032 protocol for hierarchical deterministic wallets (\"HD Wallets\").\n\n## Introduction\nThe plugin allows deriving a child key (xprv, xpub) from a master key in a deterministic way, and/or signing transaction hashes for UTXO- and Ethereum-type cryptocurrencies.\n\n## Use cases\n\nThe plugin can be used to\n\n- Derive a child key for UTXO\n- Derive a child key for Ethereum\n- Sign a transaction for UTXO\n- Sign a transaction for Ethereum\n\n## Setup\n\n- Generate the HD-Wallets master key manually\n**Example Master Key:** `xprv9s21ZrQH143K31xYSDQpPDxsXRTUcvj2iNHm5NUtrGiGG5e2DtALGdso3pGz6ssrdK4PFmM8NSpSBHNqPqm55Qn3LqFtT2emdEXVYsCzC2U`\n- Import the master key in SDKMS as a secret raw key\n\n## Input/Output JSON object format\n\n**Input**\n\n```\n{\n\"master_key_id\": \"<Master-Key-UUID>\",\n\"path\": \"<Child-Key-Path>\",\n\"msg_hash\": \"<32-Byte-Message-Hash>\",\n\"coin\": \"<Coin-Type>\"\n}\n```\n\n**Output**\n\n```\n{\n\"xprv\": \"<HD-Wallet-Private-Key>\",\n\"xpub\": \"<HD-Wallet-Public-Key>\",\n\"coin_signature\": \"<Bitcoin-canonicalized-ECDSA-signature>\",\n\"signature\": \"<ECDSA signature>\"\n}\n```\n\n* `master_key_id`: UUID of the master key imported in SDKMS\n* `path`: Path of the key to derive and sign with, e.g. m/0, m/1, m/2/10\n* `msg_hash`: 32 byte SHA-3 message hash\n* `coin`: coin type, `utxo` or `eth`\n* `xprv`: BIP0032 private key\n* `xpub`: BIP0032 public key\n* `coin_signature`: Bitcoin canonicalized ECDSA signature\n* `signature`: ECDSA signature\n\n## Example Input/Output JSON object\n\n**Input JSON object**\n\n```\n{\n\"master_key_id\": \"0eae8ff0-553e-4f47-bb64-7c87f34bf5e5\",\n\"coin\": \"utxo\",\n\"path\": \"m/2\",\n\"msg_hash\": \"45a0ee821b05400f513891bbb567a99139f3df72e9e1d4b48186841cc5996d2f\"\n}\n```\n\n**Output JSON object**\n\n```\n{\n\"xprv\": \"xprv9uZghWCSYwDho7us3q1WLBjVYx2xzVJNT8qNo4P9i8wa3tQJYbffzztTF6wXjuorG49NXahqraWsrVUmy3uTJLkvSYXyDLnHHU1GJibUk2t\",\n\"xpub\": \"xpub68Z371jLPJn11bzL9rYWhKgE6ysTPx2DpMkybSnmGUUYvgjT68yvYoCw6PP8Vo7YoZRC6iqrfpixEUG694KgHPYYnydGuEYDwjESStYxYxe\",\n\"signature\": \"3045022100af9bf94c4959328b56861ca5f175b5e59014cb5bd2a5fcee2e95b1563dbc652e0220411ff01751af64d6b7209908fc58f527b07a0a9258eee7be7aa5704136954b02\",\n\"coin_signature\": \"af9bf94c4959328b56861ca5f175b5e59014cb5bd2a5fcee2e95b1563dbc652e411ff01751af64d6b7209908fc58f527b07a0a9258eee7be7aa5704136954b02\"\n}\n```\n\n## References\n\n- https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki\n\n### Release Notes\n- Initial release",
"commit": "b24b091197e704fd06c25c5f29611bb1c598ad63"
}
}
},
{
"name": "SSH CA",
"versions": {
"1.0": {
"path": "ssh-ca/plugin.lua",
"description": "## Short Description\nIssue certificates for SSH authentication\n\n## Introduction\nSSH certificates are a method for authenticating users and/or servers in the SSH protocol.\nInstead of bare public keys (the usual method of SSH authentication) an authority\nissues a certificate which can then be used to authenticate to an SSH server.\nSSH certificates were originally added to OpenSSH in version 5.6 (released in 2010).\n\n## Use Cases\n\nAuthenticate clients to servers or servers to clients using a trusted third party\nhosted on SDKMS.\n\n## Setup\n\n### Creating CA key with SDKMS\n\nThe initial step is to create a key for the SSH CA. Generate an RSA\nkey with suitable parameters on SDKMS, and then download the public key.\n\nConverting the public key to the OpenSSH format requires a two-step process.\nFirst, use OpenSSL to convert the RSA key to \"RSAPublicKey\" format:\n\n`$ openssl rsa -pubin -RSAPublicKey_out -in sdkms_rsa.pub > sdkms_rsa_conv.pem`\n\nThen use `ssh-keygen` to convert this to the SSH format:\n\n`$ ssh-keygen -m PEM -i -f sdkms_rsa_conv.pem > ssh_ca.pub`\n\n### Creating CA key with OpenSSH\n\nAlternatively, the key can be created on a trusted machine using OpenSSH\ntools, then transferred to SDKMS:\n\n`$ ssh-keygen -f ssh_ca`\n\nThis will create two files, `ssh_ca.pub` (public key in SSH format)\nand `ssh_ca` (private key in PKCS #8 format).\n\n```\n-----BEGIN RSA PRIVATE KEY-----\nMIIEpAI...\n-----END RSA PRIVATE KEY-----\n```\n\nTo import the SSH private key in SDKMS, copy the base64 encoded block\n(but *not* the PEM headers starting with \"-----\") and paste it into\nthe Security Object import field. Make sure Sign and Verify operations\nare enabled. Disable Export unless required.\n\n### Server Configuration\n\nSet up the sshd configuration to accept SSH certificates. In your `sshd_config` add\n\n`TrustedUserCAKeys /path/to/ssh_ca.pub`\n\nand restart `sshd`.\n\n### Issue Client Cert\n\nGenerate an RSA key pair that the user will use:\n\n`ssh-keygen -f ~/.ssh/user_key`\n\nThis will again generate two keys, `user_key` (PKCS#8 private key) and\n`user_key.pub` (the SSH format public key). The `user_key.pub` should look like\n\n`ssh-rsa AAAAB3<more base64 data> username@hostname`\n\n## Input/Output JSON\n\n```\n{\n\"cert_lifetime\":<integer>,\n\"valid_principals\":\"<username>\",\n\"cert_type\":\"user\",\n\"ca_key\":\"<sobject name>\",\n\"extensions\":{<map of strings to strings>},\n\"critical_extensions\":{<map of strings to strings>},\n\"pubkey\":\"<string>\"\n}\n```\n\n\"`cert_lifetime`\" specifies the lifetime of the certificate in seconds.\n\n\"`valid_principals`\" specifies what username this certificate can be used for.\n\n\"`cert_type`\" can be \"user\" or \"server\".\n\n\"`ca_key`\" gives the name of the private key that was used when the RSA key was\nimported into SDKMS earlier.\n\n\"`extensions`\" specifies operations the certificate can be used for. Values\nOpenSSH supports include \"`permit-X11-forwarding`\", \"`permit-agent-forwarding`\",\n\"`permit-port-forwarding`\", \"`permit-pty`\", and \"`permit-user-rc`\". In theory,\nextensions can take values, but all currently defined extensions use an empty\nstring. Unknown values will be ignored by the server.\n\n\"`critical_extensions`\" specifies options that the server must understand; if it\ndoes not understand one of them, the login attempt will be rejected. The values OpenSSH\nsupports are \"`force-command`\" and \"`source-address`\". \"`force-command`\" specifies a\nsingle command which the certificate can be used for. \"`source-address`\" gives a\nlist of host/mask pairs; login is only allowed from an IP address matching one of the\nlisted values.\n\n\"`pubkey`\" gives the contents of the `user_key.pub` file with the leading \"`ssh-rsa `\" and\ntrailing \"` username@hostname`\" removed.\n\n## Example Usage\n\n```\n{\n\"cert_lifetime\":86400,\n\"valid_principals\":\"desired_username\",\n\"cert_type\":\"user\",\n\"ca_key\":\"SSH CA Key\",\n\"extensions\":{\"permit-pty\":\"\"},\n\"critical_extensions\":{\"source-address\":\"10.2.0.0/16,127.0.0.1\"},\n\"pubkey\":\"AAAAB3<more base64 data>\"\n}\n```\n\nWhen the plugin is invoked it will return a string that looks like\n\n`\"ssh-rsa-cert-v01@openssh.com AAAAHHNza....\"`\n\nCopy the entire contents to `~/.ssh/user_key-cert.pub`.\n\nNow test the output using `ssh-keygen`:\n\n```\n$ ssh-keygen -L -f user_key-cert.pub\nuser_key-cert.pub:\nType: ssh-rsa-cert-v01@openssh.com user certificate\n...\n```\n\nNow run\n\n`$ ssh -i ~/.ssh/user_key server_host whoami`\n\nThe login should succeed with the command executed on the remote host.\n\nIf you use the `-v` option when using a certificate you should see something like\n\n```\ndebug1: Offering public key: RSA-CERT SHA256:Hcb9trzeAptUdTgqWj9VEncbkAGOpAglGnUrYGq4/Vo user_key\ndebug1: Server accepts key: pkalg ssh-rsa-cert-v01@openssh.com blen 1029\n```\n\n## References\n\nhttps://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD\n\n### Release Notes\n\nInitial release",
"commit": "b24b091197e704fd06c25c5f29611bb1c598ad63"
}
}
},
{
"name": "DUKPT",
"versions": {
"1.0": {
"path": "dukpt/plugin.lua",
"description": "## Short Description\nPlugin for importing DUKPT BDKs and for encrypting and decrypting data using the DUKPT procedure.\n\n## Introduction\nThe DUKPT plugin is an SDKMS implementation of the Derived Unique Key Per Transaction process that is described in Annex A of ANS X9.24-2009. This module provides DUKPT decryption using the 3DES scheme. It decrypts the encrypted card information using the KSN and BDK-ID as inputs to the plugin and generates decrypted/plain card information.\n\nInitially there is a Base Derivation Key (BDK) that is used to generate the \"Initial PIN Encryption Key\" (IPEK). The BDK always stays in the HSM and is never injected into the devices. It is known only by the manufacturer and the merchant. The \"Key Serial Number\" (KSN) and IPEK are injected into each device. The KSN is sent with the \"crypt\" material so that the receiving end can also decrypt it. The last 21 bits of the KSN are a counter that gets incremented every transaction.\n\nThere is a single DUKPT plugin, with three supported operations: `import`, `encrypt`, and `decrypt`.\n\n## Use Cases\nAs described above in the Introduction, the value of DUKPT is the ability to secure many independent messages in such a way that compromising the keys for any individual message doesn't endanger other messages while still minimizing the number of keys that need to be stored and managed. The canonical example of\nthis, and the use case for which this procedure was developed, is to encrypt payment information during transactions.\n\n## Setup\n### Using SDKMS Plugins\n* Plugins are an independent and secure subsystem where business logic can be\nexecuted inside SDKMS.\n* Plugins are invoked using a REST API similar to the cryptographic and key\nmanagement APIs.\n* Plugins are identified by UUID, like apps and security objects.\n* To invoke a plugin, make a POST request to `https://<API endpoint>/sys/v1/plugins/<uuid>`.\nThe POST request body must be either valid\nJSON or empty. The exact structure is defined by the plugin.\n* The request may return:\n- 200 OK with a JSON response body,\n- 204 No Content with an empty response body, or\n- a 4xx/5xx error with a plain text error message response body.\n\n### Invoking SDKMS plugins from SDKMS Python CLI\nCheck the SDKMS CLI README for information on setting up the CLI.\n\nLog in to SDKMS in order to invoke a plugin:\n\n`$ sdkms-cli user-login`\n\nTo invoke a plugin:\n\n`$ sdkms-cli invoke-plugin --name dukpt --in <decrypt-in.json>`\n\n* Plugins can be invoked using either `--name` or `--id`, taking the plugin's name or UUID respectively.\n* `in` : Path to the input JSON file.\n\n## DUKPT Input/Output JSON Formats\nThe following sections specify the fields in the inputs and outputs of the plugin's operations, which are JSON maps.\n\n### DUKPT Import Operation\n#### Input\n* `operation` : Must be the string `import` for importing BDKs.\n* `name` : A string to be used as the name of the key in SDKMS. Must be unique.\n* `material` : A string containing the 16 hex encoded bytes of the key material.\n\n#### Output\n* `key_id` : The UUID of the imported key in SDKMS. Referred to in the other\noperations as `bdk_id`.\n\n### DUKPT Encrypt and Decrypt\n#### Input\n* `operation` : Either `encrypt` or `decrypt`, for encryption and decryption\nrespectively.\n* `bdk_id` : The UUID of the imported BDK key to use.\n* `ksn` : Key serial number, hex encoded.\n* `key_mode` : The method used for deriving the session key from the IPEK.\nPossible values are:\n- `datakey`\n- `pinkey`\n- `mackey`\n* `card_data` : The data to be encrypted or decrypted, encoded in a string in accordance with the encoding specified below.\n* `encoding` : For the `encrypt` operation this is the encoding of the data to be encrypted. For `decrypt`, this is the encoding that the data should be returned in.\nPossible values are:\n- `base64`\n- `hex`\n\n#### Output\n* `card_data` : The result of the encryption or decryption.\n\n## Example Usages\n### DUKPT Import\nImports a BDK into SDKMS for use with the other operations.\n\n#### Example Input\n```json\n{ \"operation\": \"import\",\n\"name\": \"my_bdk\",\n\"material\": \"0123456789ABCDEFFEDCBA9876543210\" }\n```\n\n#### Example Output\n```json\n{ \"key_id\": \"d17e7c0c-3246-41c4-9824-c98d2c6515fb\" }\n```\n\n### DUKPT Encrypt and Decrypt\nEncrypts or decrypts data with a key derived from the given BDK and KSN.\n\n#### Example Input\nBelow is a sample input JSON to the SDKMS DUKPT plugin's decrypt operation. The\nstructure is the same for encryption, though the semantics change slightly as\ndescribed above.\n```json\n{ \"operation\": \"decrypt\",\n\"bdk_id\": \"fd1fbe76-6d64-4d30-b351-e79449e1eb77\",\n\"ksn\": \"FFFF9876543210E00008\",\n\"key_mode\": \"datakey\",\n\"card_data\": \"y07Fue/gKW7x9yDM06LZBg==\",\n\"encoding\": \"base64\" }\n```\n\n#### Example Output\n```json\n{ \"card_data\": \"Zm9ydGFuaXg=\" }\n```\n\n## References\n\n* [https://github.com/dpjayasekara/node-dukpt](https://github.com/dpjayasekara/node-dukpt \"NodeJS DUKPT implementation\")\n* [https://github.com/sgbj/Dukpt.NET](https://github.com/sgbj/Dukpt.NET \"C# DUKPT implementation\")\n* [https://support.fortanix.com/sdkms/developers-guide-plugin.html](https://support.fortanix.com/sdkms/developers-guide-plugin.html \"SDKMS developers guide plugin\")\n* [https://support.fortanix.com/api/#/Plugins](https://support.fortanix.com/api/#/Plugins \"SDKMS plugins API\")\n\n### Release Notes\n- Initial Release",
"commit": "b24b091197e704fd06c25c5f29611bb1c598ad63"
}
}
},
{
"name": "X.509 CA",
"versions": {
"1.0": {
"path": "x509-ca/plugin.lua",
"description": "## Short Description\nIssue X.509 certificates for keys stored in SDKMS.\n\n## Introduction\nThe X.509 CA plugin allows SDKMS users to issue certificates for keys stored in SDKMS.\nThe plugin requires the CA key and certificate to be stored in SDKMS as well.\n\nOnce invoked, the plugin generates an X.509 certificate and returns the new certificate in PEM format encoded as a JSON string. To invoke the plugin, the user must specify the following as input to the plugin:\n\n- Subject's Distinguished Name (DN),\n- The name of the issuer certificate stored in SDKMS,\n- The name of the issuer key stored in SDKMS,\n- The name of the subject key stored in SDKMS,\n- The lifetime of the generated certificate in seconds.\n\nThe public key of the subject key will be included in the generated certificate.\nThe generated certificate will have a randomly generated serial number.\n\nNote that this plugin does not add limiting extensions, such as the key usage extension, to the generated certificate. It also does not ensure that the generated certificate is acceptable for any particular use case. For example, it allows the user to generate a certificate for `CN=domain1.com` while the issuer certificate is for `CN=domain2.net`, which may not be acceptable. For more information about X.509 certificates see [RFC 5280](#rfc5280).\n\nAlso note that this plugin does not store the generated certificate in SDKMS and does not track generated certificates in any way; therefore, it does not prevent issuance of multiple certificates for the same subject.\n\n## Setup\nIn order to use this plugin, you need to generate or import your CA key and certificate in SDKMS. Additionally, you need to generate/import the subject key for each certificate you would like to generate using this plugin.\nNote that the plugin needs to have access to these security objects in SDKMS. To ensure the plugin has access to these security objects, make sure that the plugin shares a group with each security object that it needs to access.\n\nHere is an example arrangement of objects in SDKMS:\n\n- Two groups: `X.509 CA` and `TLS Keys`,\n- The CA certificate (`x509 CA cert`) and CA key (`x509 CA key`) residing in group `X.509 CA`,\n- The subject key for an app that requires a certificate (`my app key`) residing in `TLS Keys`,\n- The X.509 CA plugin residing in both groups.\n\nThe example usage section shows how to invoke the plugin using the above setup to generate a certificate.\n\n## Input/Output\n\nThis plugin accepts a JSON object with the following fields as input:\n\n* `subject_dn`: a map of OIDs to values\n* `issuer_cert`: the name of the issuer cert security object\n* `issuer_key`: the name of the issuer key security object\n* `subject_key`: the name of the subject key security object\n* `cert_lifetime`: the lifetime of the certificate in seconds\n\nIt returns the newly generated certificate in PEM format encoded as a JSON string.\n\n## Example Usage\n\nAssuming the necessary objects are created as described in the example in the setup section, we can generate a certificate for `my app key` by invoking the plugin with the following input:\n\n```json\n{\n\"subject_dn\": {\n\"CN\": \"localhost\",\n\"OU\": \"Testing\"\n},\n\"subject_key\": \"my app key\",\n\"issuer_key\": \"x509 CA key\",\n\"issuer_cert\": \"x509 CA cert\",\n\"cert_lifetime\": 86400\n}\n```\n\nThe value for `cert_lifetime` in the example above is 24 hours expressed in seconds.\n\n## References\n- <a name=\"rfc5280\"></a>[RFC 5280](https://tools.ietf.org/html/rfc5280)\n\n### Release Notes\n- Initial release",
"commit": "b24b091197e704fd06c25c5f29611bb1c598ad63"
}
}
},
{
"name": "X.509 TBS CA",
"versions": {
"1.0": {
"path": "x509-tbs-ca/plugin.lua",
"description": "## Short Description\nCreates a signed X.509 Certificate structure for keys managed by SDKMS. It showcases the flexibility of the plugin framework to use user-specific data formats.\n\n## Introduction\nX.509 certificates are a key element of many security architectures. They cryptographically tie a public key to the issuer of the certificate. Companies may wish to use their own input format.\nThis example plugin shows the flexibility of Fortanix's plugin framework. In this case a basic JSON structure is accepted as input. After the input passes a user-specified verification function, any desired fields can be added and a valid X.509 certificate is created. The signed certificate is returned in PEM format.\n\n## Use Cases\n\nX.509 certificates are used in a wide variety of applications:\n\n- Web servers use X.509 certificates as part of TLS to authenticate their identity\n- IPsec uses them to authenticate peers\n- Code signing systems such as Microsoft Authenticode enable verification of the vendors of computer programs\n\n## Input/Output JSON Object Format\n\nThe input is a JSON map with the following fields:\n\n* `subject_key`: the name of the key that will be included in the certificate\n* `issuer_cert`: the name of the issuer cert stored in SDKMS\n* `issuer_key`: the name of the issuer key stored in SDKMS\n* `cert_lifetime`: the lifetime of the certificate in seconds\n* `subject_dn`: a map of OIDs to values\n\n## Example Usages\n\n```\n{\n\"issuer_cert\": \"my CA cert\",\n\"issuer_key\": \"my CA key\",\n\"subject_key\": \"my server key\",\n\"cert_lifetime\": 86400,\n\"subject_dn\": { \"CN\": \"localhost\", \"OU\": \"Testing\" }\n}\n```\n\n## References\n\n- https://www.rfc-editor.org/rfc/rfc5280.txt\n\n### Release Notes\n- Initial release",
"commit": "dbef09043904fb5dd344523acd94949e98f366ac"
},
"2.0": {
"path": "x509-tbs-ca/plugin.lua",
"description": "## Short Description\nCreates a signed X.509 Certificate structure for keys managed by SDKMS. It showcases the flexibility of the plugin framework to use user-specific data formats.\n\n## Introduction\nX.509 certificates are a key element of many security architectures. They cryptographically tie a public key to the issuer of the certificate. Companies may wish to use their own input format.\nThis example plugin shows the flexibility of Fortanix's plugin framework. In this case a basic JSON structure is accepted as input. After the input passes a user-specified verification function, any desired fields can be added and a valid X.509 certificate is created. The signed certificate is returned in PEM format.\n\n## Use Cases\n\nX.509 certificates are used in a wide variety of applications:\n\n- Web servers use X.509 certificates as part of TLS to authenticate their identity\n- IPsec uses them to authenticate peers\n- Code signing systems such as Microsoft Authenticode enable verification of the vendors of computer programs\n\n## Input/Output JSON Object Format\n\nThe input is a JSON map with the following fields:\n\n* `subject_key`: the name of the key that will be included in the certificate\n* `issuer_cert`: the name of the issuer cert stored in SDKMS\n* `issuer_key`: the name of the issuer key stored in SDKMS\n* `cert_lifetime`: the lifetime of the certificate in seconds\n* `subject_dn`: a map of OIDs to values\n\n## Example Usages\n\n```\n{\n\"issuer_cert\": \"my CA cert\",\n\"issuer_key\": \"my CA key\",\n\"subject_key\": \"my server key\",\n\"cert_lifetime\": 86400,\n\"subject_dn\": { \"CN\": \"localhost\", \"OU\": \"Testing\" }\n}\n```\n\n## References\n\n- https://www.rfc-editor.org/rfc/rfc5280.txt\n\n### Release Notes\n- Fixed number of arguments passed to sign()",
"commit": "b24b091197e704fd06c25c5f29611bb1c598ad63"
}
}
},
{
"name": "Key/Value Pair",
"versions": {
"1.0": {
"path": "kvp/plugin.lua",
"description": "## Short Description\nSeamlessly extend the functionality of Fortanix Self Defending KMS Secrets. Lets applications generate and manage key-value (KV) pairs through Self Defending KMS Secrets.\n\n## Introduction\nEvery day, application teams come to rely on numerous secrets in their development and operational (DevOps) processes. Secrets ranging from passwords, tokens, certificates, SSH keys and database credentials simply cannot be hard-coded or statically configured.\n\n**Fortanix Self Defending KMS is THE MOST SECURE KMS** in the market. With this Plugin, DevOps can now easily manage their build and deployment secrets to maintain confidentiality throughout their CI/CD pipelines as well as during application runtime.\n\n## Use cases\n\n* Set and retrieve keys and corresponding values\n- keys and values are comma-separated parameters inside JSON\n\n* Namespace support prevents secret path collisions\n- names of Self Defending KMS Secrets are unique within a Self Defending KMS Account\n- the Plugin prefixes KV secret paths with a namespace to allow path reuse\n- allows multiple secrets with the same path inside a Self Defending KMS Account\n\n* Versioning support for keys such that:\n- Key update/delete automatically creates a new version\n- Key update/delete does not delete other keys\n- Uses Self Defending KMS custom metadata to validate versions\n\n* Deletion truncates the latest version (LIFO) or purges all versions\n\n## Setup and Usage\n### Invoking Plugins from Self Defending KMS CLI\nCheck the Self Defending KMS Python-based CLI README for information on setting up the CLI.\n\n* Log in to Self Defending KMS first: `$ sdkms-cli user-login`\n- Currently, the CLI only allows `user-login` for Plugin invocation.\n- Specify an account argument if the user has access to multiple accounts:\n- `--account-name`\n* Invoke the Plugin:\n`$ sdkms-cli invoke-plugin --name kvp --in <read-secret-kvp.json>`\n- Either of the following arguments works:\n- `--name`\n- `--id`\n- `in` : Path to the input JSON file.\n\n\n## Input and Output JSON Formats\nThe following sections specify the fields in the inputs and outputs of the\nPlugin's operations, which are JSON maps.\n\n__Important note__ about some of the input JSON parameters:\n\n* `group` : string, the prefix of the KVP secret.\n- Can be some arbitrary namespace label or a Self Defending KMS Group UUID.\n- In case a Group UUID is specified, KVP secret creation will be attempted in that Group.\n- The Plugin also needs to be a member of the specified Self Defending KMS Group.\n* `path` : string, the label of the KVP secret.\n- If `group` isn't specified, then the path needs to be unique within the entire Self Defending KMS Account.\n\n\n### GET Operation\n#### Input\n* `op` : string, must be = `get` for reading a specific KVP secret.\n* `group` : string, the prefix of the KVP secret. ***Optional***.\n* `path` : string, the label of the KVP secret. **Required**.\n* `version` : string, version of the KVP secret. ***Optional***.\n* `keys` : string, comma-separated list of key labels. ***Optional***.\n\n#### Output\n* `v#` : string, version number of the KVP secret.\n* [array] containing all key-value pairs or those matching the input keys, if specified:\n- `<key_name>`: string, JSON record index.\n- `<key_value>`: string, JSON record value.\n\n### PUT Operation\n#### Input\n* `op` : string, must be = `put` for writing a specific KVP secret.\n* `group` : string, the prefix of the KVP secret. ***Optional***.\n* `path` : string, the label of the KVP secret. **Required**.\n* `keys` : string, comma-separated list of key labels. **Required**.\n* `values` : string, a comma-separated list of key values. **Required**.\n\n#### Output\n* `v#` : string, the version number of the KVP secret. **Auto-incremented**.\n* [array] containing all key-value pairs that match the input keys as well as those preexisting:\n- `<key_name>`: string, JSON record index.\n- `<key_value>`: string, JSON record value.\n\n### DEL Operation\n#### Input\n* `op` : string, must be = `put` for dropping a key within a specific KVP secret.\n* `group` : string, the prefix of the KVP secret. ***Optional***.\n* `path` : string, the label of the KVP secret. **Required**.\n* `keys` : string, comma-separated list of key labels. **Required**.\n\n#### Output\n* `v#` : string, the version number of the KVP secret. **Auto-incremented**.\n* [array] containing all key-value pairs excluding the keys specified:\n- `<key_name>`: string, JSON record index.\n- `<key_value>`: string, JSON record value.\n\n### DEBUG Operation\n#### Input\n* `op` : string, must be = `debug` for displaying all the versions of a specific KVP secret.\n* `group` : string, the prefix of the KVP secret. ***Optional***.\n* `path` : string, the label of the KVP secret. **Required**.\n* `keys` : string, comma-separated list of key labels. ***Optional***.\n\n#### Output\n* [array] containing **all versions** of the KVP secret:\n- `v#` : string, the version number of the KVP secret.\n* [array] containing all key-value pairs excluding the keys specified:\n- `<key_name>`: string, JSON record index.\n- `<key_value>`: string, JSON record value.\n\n### TERMINATE Operation\n__Note__: All versions are deleted and the operation is audited.\n#### Input\n* `op` : string, must be = `ter` for completely destroying a specific KVP secret.\n* `group` : string, the prefix of the KVP secret. ***Optional***.\n* `path` : string, the label of the KVP secret. **Required**.\n\n#### Output\n* `message`: [string] error or success.\n\n## Testing\n\nThe following example shows the lifecycle of a KVP secret as each operation is performed through the KVP Plugin.\n\n* `op:put` creates new key(s)\n- Version: new >> v1\n- Input: `{op:put, [k1], [val1]}`\n- Output: `v1{[k1:val1]}`\n* `op:put` updates and/or adds new key(s)\n- Version: v1 >> v2\n- Input: `{op:put, keys:k1,k2, values:v1,v2}`\n- Output: `v2{[k1:v1,k2:v2]}`\n* `op:del` removes a key and bumps up the version\n- Version: v2 >> v3\n- Input: `{op:del, keys: k2}`\n- Output: `v3{[k1:v1]}`\n* `op:put` always increments the version\n- Version: v3 >> v4\n- Input: `{op:put, keys:k3, values:val3}`\n- Output: `v4{[k1:v1,k3:val3]}`\n* `op:debug` returns all versions and filters by key(s)\n- Versions: v1 <<>> v4:\n- Input: `{op:debug, keys:k1}`\n- Output: `v1{[k1:val1]}, v2{[k1:v1]}, v3{[k1:v1]}, v4{[k1:v1]}`\n* `op:ter` destroys the KV secret altogether\n- Versions: `{[v4,v3,v2,v1]}` >> destroyed\n- Output: error or success message\n\n\n## Room for Improvement\nThe following use cases are not supported yet:\n\n* alternative storage to Self Defending KMS Opaque Security Objects\n* explicit auditing with fine-grained levels\n* deletion of a specific version and linking of adjacent versions\n* revert to a version and truncate all later versions\n\nCommunity improvements are welcome. Join us on [Slack](https://fortanix.com/community/).\nGet your **API KEY** by signing up at [sdkms.fortanix.com](https://sdkms.fortanix.com).\n\n## References\n* [support.fortanix.com/sdkms/developers-guide-Plugin.html](https://support.fortanix.com/sdkms/developers-guide-Plugin.html \"Self Defending KMS developers guide Plugin\")\n* [support.fortanix.com/api/#/Plugins](https://support.fortanix.com/api/#/Plugins \"Self Defending KMS Plugins API\")\n* [bitbucket.org/fortanix/kubernetes-integration](https://bitbucket.org/fortanix/kubernetes-integration \"Kubernetes Integration\")\n\n### Release Notes\n- Initial Release\n- Uses Self Defending KMS Secret Security Object\n- Self Defending KMS Secrets are fully audited\n- Storage of KVPs limited to 1024 bytes\n- Test script provided\n- Tested with **Kubernetes Secrets Injection** referenced above.",
"commit": "b24b091197e704fd06c25c5f29611bb1c598ad63"
}
}
},
{
"name": "JWS+JWE Encrypt",
"versions": {
"1.0": {
"path": "jws-jwe-encrypt/plugin.lua",
"description": "## Short Description\nThis plugin generates a **JSON Web Encryption (JWE)** from a **JSON Web Signature (JWS)**, which is constructed using the user's input payload.\n\n## Introduction\nThis plugin performs encryption using the JWE standard with `enc: A256CBC-HS512` and `alg: RSA-OAEP-256`.\n\nThis plugin performs the following steps:\n\n1. It generates a JWS from the `payload`.\n2. Generates a header for the JWS containing `alg` and `typ`, as:\n```\n{\"typ\": \"JWT\", \"alg\": \"RS256\"}\n```\n3. Encodes the header and input payload in the Base64URL format.\n4. Constructs the JWS Signing Input by concatenating the header and payload.\n5. Signs the JWS Signing Input constructed above with the RSA private key (provided in the input) using SHA-256 and PKCS1-v1_5 padding.\n6. Encodes the signature in the Base64URL format and constructs the JWS by concatenating header, payload, and signature using `\".\"` as a separator. This `jws` is then used as the input payload to the `JWE`.\n7. Generates the header for the JWE, containing `alg`, `enc` and `typ`:\n```\n{\"alg\": \"RSA-OAEP-256\", \"enc\": \"A256CBC-HS512\", \"typ\": \"JWT\"}\n```\n8. Generates an exportable `transient` `AES` key of size `256` bits and an exportable `transient` `HMAC` key of size `256` bits.\n9. Encrypts the JWS generated above using the transient AES key in `CBC` mode.\n10. Generates the `aad` from the `header`, and `al` to store the size of `aad`.\n11. Creates an input payload for the HMAC consisting of `aad, iv, cipher, al`.\n12. Creates an HMAC of the payload created above using the HMAC key with `SHA-512` as the hashing algorithm.\n13. Truncates the digest generated above to half its length and uses it as the authentication tag.\n14. Imports the `certificate` as a transient key.\n15. Encrypts the combined transient AES key and HMAC key with the `certificate` given as input, using `OAEP_MGF1_SHA256` as the mode and `RSA` as the algorithm.\n16. Returns the header, encrypted transient key, encrypted input payload, iv (used for encrypting the input payload), the authentication tag and the JWE.\n\n## Use cases\n\n1. Assert one\u2019s identity, given that the recipient of the JWE trusts the asserting party.\n2. Transfer data securely between interested parties over an unsecured channel.\n\n## Setup\n\n1. For this plugin, an RSA private key must already be imported in SDKMS, and the user should provide its corresponding public key as a certificate in the input.\n\n## Input/Output JSON object format\n\n1. **`payload`** corresponds to the input data, which is first signed and then encrypted.\n2. **`key`** is the name of the `RSA` private key which should already be imported in `SDKMS`. This is used for signing the payload.\n3. **`cert`** contains the contents of the certificate (`pem` file) in base64 encoding. This is used to encrypt and verify the signature.\n\n## Example usages\n\nSample Input format (the certificate value should be supplied as a base64 encoded string):\n```\n{\n\"payload\" : \"hello world\",\n\"key\" : \"keyname\",\n\"cert\" : \"....\"\n}\n```\n\nSample Output format:\n```\n{\n\"header\" : header,\n\"encrypted_key\" : encrypt_trans_key,\n\"cipher\" : cipher,\n\"iv\" : iv,\n\"tag\" : digest,\n\"jwe\" : jwe\n}\n```\n\n## References\n\n1. https://tools.ietf.org/html/rfc7515\n2. https://tools.ietf.org/html/rfc7516\n\n### Release Notes\n- Initial release",
"commit": "b24b091197e704fd06c25c5f29611bb1c598ad63"
}
}
},
{
"name": "JWS+JWE Decrypt",
"versions": {
"1.0": {
"path": "jws-jwe-decrypt/plugin.lua",
"description": "## Short Description\nRecovers the user's payload from a **JSON Web Encryption (JWE)**.\n\n## Introduction\nThis plugin performs decryption following the JWE standard with `enc: A256CBC-HS512` and `alg: RSA-OAEP-256`.\n\nIt performs the following steps:\n\n1. Takes the JWE as input and splits it into its parts, i.e. encrypted key material, iv, ciphertext, and tag.\n2. Decrypts the encrypted composite transient key with the RSA private key (provided in the input), and generates the AES and HMAC transient keys from the decrypted key material.\n3. Computes the `aad` from the header in the input, and `al`, which holds the length of `aad`.\n4. Using the `iv` from the input and the generated AES key, decrypts the cipher provided in the input in `CBC` mode. The resulting plaintext may only be trusted once the verification in the following steps succeeds.\n5. For verification, creates the HMAC input consisting of `aad`, `iv`, `cipher`, and `al`.\n6. Computes an HMAC over that input with the HMAC key, using `SHA-512` as the hash algorithm.\n7. Truncates the digest to half its length and compares it to the tag in the input.\n8. If the computed digest matches the tag, proceeds to verify the plaintext, which is a JWS.\n9. Takes the JWS and splits it into its parts, i.e. header, payload, and signature.\n10. Re-constructs the `Jws Signing input` from the header and payload.\n11. Decodes the signature from Base64URL to Base64 so that it can be used for signature verification.\n12. Imports the `certificate` as a transient key.\n13. Verifies the reconstructed `Jws Signing input` against the decoded `signature` with the `certificate`, using `SHA-256` and `PKCS1-v1_5` as the mode.\n14. The plugin outputs `VERIFIED` together with the actual `payload` (inside the JWS) if the signature verifies correctly, and `VERIFICATION FAILED` otherwise.\n\n## Use cases\n\n1. Assert one\u2019s identity, given that the recipient of the JWE trusts the asserting party.\n2. Transfer data securely between interested parties over an unsecured channel.\n\n## Setup\n\n1. This plugin needs an RSA private key already imported in SDKMS, and its corresponding public key as a certificate, which the user provides as input.\n\n## Input/Output JSON object format\n\nInput parameter details:\n\n1. **`jwe`** is the JWE generated by the `Encrypt` plugin.\n2. **`key`** is the name of the `RSA` private key, which must already be imported in `SDKMS`. It is used to decrypt the payload.\n3. **`cert`** contains the contents of the certificate (`pem` file) in base64 encoding. It is used to verify the signature.\n\n## Example usages\n\nSample input format (the certificate value should be provided as a base64 encoded string):\n```\n{\n\"jwe\": \"...\",\n\"key\" : \"keyname\",\n\"cert\" : \"...\"\n}\n```\n\nSample output format:\n```\n{\n\"payload\": \"...\",\n\"output\": \"VERIFIED\"\n}\n```\n\n## References\n\n1. https://tools.ietf.org/html/rfc7515\n2. https://tools.ietf.org/html/rfc7516\n\n### Release Notes\n- Initial release",
"commit": "b24b091197e704fd06c25c5f29611bb1c598ad63"
}
}
},
{
"name": "AWS BYOK",
"versions": {
"1.0": {
"path": "aws/plugin.lua",
"description": "## Short Description\nThis plugin implements the Bring Your Own Key (BYOK) model for the AWS cloud. Using this plugin you can keep your key inside Fortanix Self-Defending KMS and use the BYOK features of AWS KMS.\n\n## Introduction\n\nCloud services provide many advantages, but security has been the major disadvantage of cloud providers, because your data physically resides with the provider. To keep data secure in a cloud provider environment, enterprises use encryption, so securing their encryption keys becomes significantly important. Bring Your Own Key (BYOK) allows enterprises to encrypt their data while retaining control and management of their encryption keys. This plugin provides an implementation of the AWS cloud BYOK model.\n\n## Requirement\n\n- Fortanix Self-Defending KMS version >= 3.17.1330\n\n## Use cases\n\nThe plugin can be used to\n\n- Push a Fortanix Self-Defending KMS key into AWS KMS\n- List Fortanix Self-Defending KMS AWS BYOK keys\n- Rotate a Fortanix Self-Defending KMS AWS BYOK key\n\n\n## Setup\n\n- Log in to the AWS portal\n- Create an AWS IAM policy\n- Create an AWS KMS policy\n- Attach the policy to an IAM user\n\n## Input/Output JSON object format\n\n### Configure operation\n\nThis operation configures the AWS IAM secret key and access key in Fortanix Self-Defending KMS and returns a UUID. You need to pass this UUID to the other operations. This is a one-time process.\n\n#### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `configure`.\n* `secret_key`: AWS secret key\n* `access_key`: AWS access key\n\n#### Example\n\nInput JSON\n```\n{\n\"operation\": \"configure\",\n\"secret_key\": \"GZA....sz\",\n\"access_key\": \"AK...ZCX\"\n}\n```\nOutput JSON\n```\n{\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\n### Create operation\n\nThis operation will create an AES-256 key in Fortanix Self-Defending KMS and import it in AWS KMS.\n\n#### Parameters\n\n* `operation`: The operation which you want to perform. A valid value is `create`.\n* `name`: Name of the key\n* `secret_id`: The response of `configuration` operation.\n\n#### Example\n\nInput JSON\n\n```\n{\n\"operation\": \"create\",\n\"name\": \"test-key\",\n\"secret_id\": \"e84f0b8c-485b-499c-87d5-d583f8716144\"\n}\n```\n\nOutput JSON\n```\n{\n\"key_size\": 256,\n\"custom_metadata\": {\n\"AWS_KEY_ID\": \"46fa7bfd-24de-4e5d-be94-99fa3e3bf09e\"\n},\n\"created_at\": \"20200725T155625Z\",\n\"lastused_at\": \"19700101T000000Z\",\n\"obj_type\": \"AES\",\n\"never_exportable\": false,\n\"state\": \"Active\",\n\"acct_id\": \"15e5e446-c911-4ad4-92b4-85eabefabfe7\",\n\"activation_date\": \"20200725T155625Z\",\n\"creator\": {\n\"plugin\": \"c2aa3055-5532-4ff2-8ca5-cb450c26e280\"\n},\n\"key_ops\": [\n\"ENCRYPT\",\n\"DECRYPT\",\n\"EXPORT\",\n\"APPMANAGEABLE\"\n],\n\"enabled\": true,\n\"origin\": \"FortanixHSM\",\n\"kid\": \"04286b5c-4707-4ed1-bf92-934c7a077d5f\",\n\"name\": \"test-key\",\n\"public_only\": false,\n\"group_id\": \"9564adfd-2399-46d0-90c0-4cf80b7bcc33\",\n\"compliant_with_policies\": true\n}\n```\n\n### List operation\n\nThis operation will list all the BYOK keys from AWS.\n\n#### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `list`.\n* `secret_id`: The response of `configuration` operation.\n\n#### Example\n\nInput JSON\n```\n{\n\"operation\": \"list\",\n\"secret_id\": \"e84f0b8c-485b-499c-87d5-d583f8716144\"\n}\n```\n\nOutput JSON\n```\n{\n\"KeyCount\":1,\n\"Keys\":[\n{\n\"KeyArn\":\"arn:aws:kms:us-west-1:513076507034:key/46fa7bfd-24de-4e5d-be94-99fa3e3bf09e\",\n\"KeyId\":\"46fa7bfd-24de-4e5d-be94-99fa3e3bf09e\"\n}\n],\n\"Truncated\":false\n}\n```\n\n### Rotate operation\n\nThis operation will rotate a key in Fortanix Self-Defending KMS as well as the corresponding key in AWS KMS.\n\n#### Parameters\n\n* `operation`: The operation which you want to perform. A valid value is `rotate`.\n* `name`: Name of the key\n* `secret_id`: The response of `configuration` operation.\n\n#### Example\n\nInput JSON\n```\n{\n\"operation\": \"rotate\",\n\"name\": \"test-key\",\n\"secret_id\": \"e84f0b8c-485b-499c-87d5-d583f8716144\"\n}\n```\n\nOutput JSON\n```\n{\n\"obj_type\": \"AES\",\n\"kid\": \"49521024-e28f-4f6c-82e7-a9f29088ec43\",\n\"activation_date\": \"20200725T155809Z\",\n\"lastused_at\": \"19700101T000000Z\",\n\"compliant_with_policies\": true,\n\"group_id\": \"9564adfd-2399-46d0-90c0-4cf80b7bcc33\",\n\"enabled\": true,\n\"acct_id\": \"15e5e446-c911-4ad4-92b4-85eabefabfe7\",\n\"key_ops\": [\n\"ENCRYPT\",\n\"DECRYPT\",\n\"EXPORT\",\n\"APPMANAGEABLE\"\n],\n\"origin\": \"FortanixHSM\",\n\"created_at\": \"20200725T155809Z\",\n\"key_size\": 256,\n\"state\": \"Active\",\n\"creator\": {\n\"plugin\": \"c2aa3055-5532-4ff2-8ca5-cb450c26e280\"\n},\n\"never_exportable\": false,\n\"custom_metadata\": {\n\"AWS_KEY_ID\": \"129bfa49-3dde-4d5f-87f7-f883e80e7893\"\n},\n\"name\": \"test-key\",\n\"public_only\": false\n}\n```\n\n### Release Notes\n- Initial release",
"commit": "d37c379dd72a3b627480f66abc586d4e46ed3b05"
},
"2.0": {
"path": "aws/plugin.lua",
"description": "## Short Description\nThis plugin implements the Bring Your Own Key (BYOK) model for the AWS cloud. Using this plugin you can keep your key inside Fortanix Self-Defending KMS and use the BYOK features of AWS KMS.\n\n## Introduction\n\nCloud services provide many advantages, but security has been the major disadvantage of cloud providers, because your data physically resides with the provider. To keep data secure in a cloud provider environment, enterprises use encryption, so securing their encryption keys becomes significantly important. Bring Your Own Key (BYOK) allows enterprises to encrypt their data while retaining control and management of their encryption keys. This plugin provides an implementation of the AWS cloud BYOK model.\n\n## Requirement\n\n- Fortanix Self-Defending KMS version >= 3.17.1330\n\n## Use cases\n\nThe plugin can be used to\n\n- Push a Fortanix Self-Defending KMS key into AWS KMS\n- List Fortanix Self-Defending KMS AWS BYOK keys\n- Rotate a Fortanix Self-Defending KMS AWS BYOK key\n- Disable an AWS BYOK key from Fortanix Self-Defending KMS\n- Enable an AWS BYOK key from Fortanix Self-Defending KMS\n- Delete an AWS BYOK key from Fortanix Self-Defending KMS\n- Reimport key material from Fortanix Self-Defending KMS to an AWS CMK\n\n## Setup\n\n- Log in to the AWS portal\n- Create an AWS IAM policy\n- Create an AWS KMS policy\n- Attach the policy to an IAM user\n\n## Input/Output JSON object format\n\n### Configure operation\n\nThis operation configures the AWS IAM secret key and access key in Fortanix Self-Defending KMS and returns a UUID. You need to pass this UUID to the other operations. This is a one-time process.\n\n#### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `configure`.\n* `secret_key`: AWS secret key\n* `access_key`: AWS access key\n\n#### Example\n\nInput JSON\n```\n{\n\"operation\": \"configure\",\n\"secret_key\": \"GZA....sz\",\n\"access_key\": \"AK...ZCX\"\n}\n```\nOutput JSON\n```\n{\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\n### Create operation\n\nThis operation will create an AES-256 key in Fortanix Self-Defending KMS and import it in AWS KMS.\n\n#### Parameters\n\n* `operation`: The operation which you want to perform. A valid value is `create`.\n* `name`: Name of the key\n* `secret_id`: The response of `configuration` operation.\n\n#### Example\n\nInput JSON\n\n```\n{\n\"operation\": \"create\",\n\"name\": \"test-key\",\n\"secret_id\": \"e84f0b8c-485b-499c-87d5-d583f8716144\"\n}\n```\n\nOutput JSON\n```\n{\n\"key_size\": 256,\n\"custom_metadata\": {\n\"AWS_KEY_ID\": \"46fa7bfd-24de-4e5d-be94-99fa3e3bf09e\"\n},\n\"created_at\": \"20200725T155625Z\",\n\"lastused_at\": \"19700101T000000Z\",\n\"obj_type\": \"AES\",\n\"never_exportable\": false,\n\"state\": \"Active\",\n\"acct_id\": \"15e5e446-c911-4ad4-92b4-85eabefabfe7\",\n\"activation_date\": \"20200725T155625Z\",\n\"creator\": {\n\"plugin\": \"c2aa3055-5532-4ff2-8ca5-cb450c26e280\"\n},\n\"key_ops\": [\n\"ENCRYPT\",\n\"DECRYPT\",\n\"EXPORT\",\n\"APPMANAGEABLE\"\n],\n\"enabled\": true,\n\"origin\": \"FortanixHSM\",\n\"kid\": \"04286b5c-4707-4ed1-bf92-934c7a077d5f\",\n\"name\": \"test-key\",\n\"public_only\": false,\n\"group_id\": \"9564adfd-2399-46d0-90c0-4cf80b7bcc33\",\n\"compliant_with_policies\": true\n}\n```\n\n### List operation\n\nThis operation will list all the BYOK keys from AWS.\n\n#### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `list`.\n* `secret_id`: The response of `configuration` operation.\n\n#### Example\n\nInput JSON\n```\n{\n\"operation\": \"list\",\n\"secret_id\": \"e84f0b8c-485b-499c-87d5-d583f8716144\"\n}\n```\n\nOutput JSON\n```\n{\n\"KeyCount\":1,\n\"Keys\":[\n{\n\"KeyArn\":\"arn:aws:kms:us-west-1:513076507034:key/46fa7bfd-24de-4e5d-be94-99fa3e3bf09e\",\n\"KeyId\":\"46fa7bfd-24de-4e5d-be94-99fa3e3bf09e\"\n}\n],\n\"Truncated\":false\n}\n```\n\n### Rotate operation\n\nThis operation will rotate a key in Fortanix Self-Defending KMS as well as the corresponding key in AWS KMS.\n\n#### Parameters\n\n* `operation`: The operation which you want to perform. A valid value is `rotate`.\n* `name`: Name of the key\n* `secret_id`: The response of `configuration` operation.\n\n#### Example\n\nInput JSON\n```\n{\n\"operation\": \"rotate\",\n\"name\": \"test-key\",\n\"secret_id\": \"e84f0b8c-485b-499c-87d5-d583f8716144\"\n}\n```\n\nOutput JSON\n```\n{\n\"obj_type\": \"AES\",\n\"kid\": \"49521024-e28f-4f6c-82e7-a9f29088ec43\",\n\"activation_date\": \"20200725T155809Z\",\n\"lastused_at\": \"19700101T000000Z\",\n\"compliant_with_policies\": true,\n\"group_id\": \"9564adfd-2399-46d0-90c0-4cf80b7bcc33\",\n\"enabled\": true,\n\"acct_id\": \"15e5e446-c911-4ad4-92b4-85eabefabfe7\",\n\"key_ops\": [\n\"ENCRYPT\",\n\"DECRYPT\",\n\"EXPORT\",\n\"APPMANAGEABLE\"\n],\n\"origin\": \"FortanixHSM\",\n\"created_at\": \"20200725T155809Z\",\n\"key_size\": 256,\n\"state\": \"Active\",\n\"creator\": {\n\"plugin\": \"c2aa3055-5532-4ff2-8ca5-cb450c26e280\"\n},\n\"never_exportable\": false,\n\"custom_metadata\": {\n\"AWS_KEY_ID\": \"129bfa49-3dde-4d5f-87f7-f883e80e7893\"\n},\n\"name\": \"test-key\",\n\"public_only\": false\n}\n```\n\n### Disable operation\n\nThis operation will disable an AWS KMS key.\n\n#### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `disable`.\n* `name`: Name of the key\n* `secret_id`: The response of `configuration` operation.\n\n#### Example\n\nInput JSON\n```\n{\n\"operation\": \"disable\",\n\"name\": \"test-key\",\n\"secret_id\": \"e84f0b8c-485b-499c-87d5-d583f8716144\"\n}\n```\n\nOutput JSON\n```\n{}\n```\n\n### Enable operation\n\nThis operation will enable a disabled AWS KMS key.\n\n#### Parameters\n\n* `operation`: The operation which you want to perform. A valid value is `enable`.\n* `name`: Name of the key\n* `secret_id`: The response of `configuration` operation.\n\n#### Example\n\nInput JSON\n```\n{\n\"operation\": \"enable\",\n\"name\": \"test-key\",\n\"secret_id\": \"e84f0b8c-485b-499c-87d5-d583f8716144\"\n}\n```\n\nOutput JSON\n```\n{}\n```\n\n### Release Notes\nAdded support for the following new features:\n- Disable an AWS BYOK key from Fortanix Self-Defending KMS\n- Enable an AWS BYOK key from Fortanix Self-Defending KMS\n- Schedule deletion of an AWS CMK from Fortanix Self-Defending KMS\n- Reimport key material from Fortanix Self-Defending KMS to an AWS CMK",
"commit": "b24b091197e704fd06c25c5f29611bb1c598ad63"
}
}
},
{
"name": "Self-Defending KMS-Azure Bring Your Own Key (BYOK)",
"versions": {
"1.0": {
"path": "azure/plugin.lua",
"description": "## Short Description\nThis plugin implements the Bring Your Own Key (BYOK) model for the Azure cloud. Using this plugin you can keep your key inside Fortanix Self-Defending KMS and use the BYOK features of Azure key vault.\n## Introduction\nCloud services provide many advantages, but security has been the major disadvantage of cloud providers, because your data physically resides with the provider. To keep data secure in a cloud provider environment, enterprises use encryption, so securing their encryption keys becomes significantly important. Bring Your Own Key (BYOK) allows enterprises to encrypt their data while retaining control and management of their encryption keys. This plugin provides an implementation of the Azure cloud BYOK model.\n\n## Requirement\n\n- Fortanix Self-Defending KMS version >= 3.17.1330\n\n## Use cases\n\nThe plugin can be used to\n\n- Push a Fortanix Self-Defending KMS key into Azure key vault\n- List Azure BYOK keys\n- Rotate a key in Fortanix Self-Defending KMS and the corresponding key in Azure key vault\n- Delete a key in Fortanix Self-Defending KMS and the corresponding key in Azure key vault\n- Back up an Azure key vault key\n- Recover an Azure key vault key\n- Restore an Azure key vault key\n- Purge an Azure key vault key\n\n## Setup\n\n- Log in to https://portal.azure.com/\n- Register an app in the Azure cloud (note down the Application (client) ID, Directory (tenant) ID, and client secret of this app). This information will be configured in Fortanix Self-Defending KMS.\n- Create a key vault in Azure\n- Add the app registered above to the `Access Policy` of that key vault\n\n## Input/Output JSON object format\n\n### Configure operation\n\nThis operation configures the Azure app credential in Fortanix Self-Defending KMS and returns a UUID. You need to pass this UUID to the other operations. This is a one-time process.\n\n### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `configure`.\n* `tenant_id`: Azure tenant ID\n* `client_id`: Azure app ID or client ID\n* `client_secret`: Azure app secret\n\n### Example\n\nInput JSON\n```\n{\n\"operation\": \"configure\",\n\"tenant_id\": \"de7becae...88ae6\",\n\"client_id\": \"f8d7741...6abb6\",\n\"client_secret\": \"SvU...5\"\n}\n```\n\nOutput JSON\n```\n{\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\n### Create Key operation\n\nThis operation will create an RSA key in Fortanix Self-Defending KMS and in Azure key vault and return a key ID.\n\n### Parameters\n\n* `operation`: The operation which you want to perform. A valid value is `create`.\n* `key_name`: Name of the key\n* `key_vault`: Azure key vault name\n* `exp`: Key expiration time. Accepted format is Unix time.\n* `secret_id`: The response of `configuration` operation.\n\n### Example\n\nInput JSON\n```\n{\n\"operation\": \"create\",\n\"key_name\": \"test-key\",\n\"key_vault\": \"test-keyvault\",\n\"exp\": 1596240000,\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\nOutput JSON\n```\n{\n\"result\": {\n\"attributes\": {\n\"recoveryLevel\": \"Recoverable+Purgeable\",\n\"updated\": 1593587162,\n\"exp\": 1596240000,\n\"enabled\": true,\n\"created\": 1593587161\n},\n\"tags\": {\n\"KMS\": \"SDKMS\",\n\"KeyType\": \"BYOK\"\n},\n\"key\": {\n\"kid\": \"https://test-keyvault.vault.azure.net/keys/test-key/12860b1156e448dda3a5a3fba9b19a4d\",\n\"key_ops\": [\n\"sign\",\n\"verify\"\n],\n\"n\": \"AOWMCffn25U5JFX7M8zW-ncjOOaVuVPBFSI6Ae_N6Nl9Uzn_2Y_DfJX4gjaPRNcercZ8Fib7WzF_UwZPU486D7lqB8_YxP8F9WyM8cOYgT1KL4KdRh-6-dstQ9MmVp06FmvV2E8T7njY-Ds218gHW4eXA4UWeu2GXrClKmD7ADkD\",\n\"e\": \"AQAB\",\n\"kty\": \"RSA\"\n}\n}\n}\n```\n\n### List Key operation\n\nThis operation will list all the BYOK keys from Azure.\n\n### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `list`.\n* `key_name`: Name of the key\n* `key_vault`: Azure key vault name\n* `secret_id`: The response of `configuration` operation.\n\n### Example\n\nInput JSON\n```\n{\n\"operation\": \"list\",\n\"key_vault\": \"test-keyvault\",\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\nOutput JSON\n```\n{\n\"result\": {\n\"value\": [\n{\n\"attributes\": {\n\"recoveryLevel\": \"Recoverable+Purgeable\",\n\"enabled\": true,\n\"updated\": 1593587162,\n\"created\": 1593587161,\n\"exp\": 1596240000\n},\n\"kid\": \"https://test-keyvault.vault.azure.net/keys/test-key\",\n\"tags\": {\n\"KMS\": \"SDKMS\",\n\"KeyType\": \"BYOK\"\n}\n}\n],\n\"nextLink\": null\n}\n}\n```\n\n### Rotate Key operation\n\nThis operation will rotate a key in Fortanix Self-Defending KMS as well as Azure key vault.\n\n### Parameters\n\n* `operation`: The operation which you want to perform. A valid value is `rotate`.\n* `key_name`: Name of the key\n* `key_vault`: Azure key vault name\n* `secret_id`: The response of `configuration` operation.\n\n### Example\n\nInput JSON\n```\n{\n\"operation\": \"rotate\",\n\"key_name\": \"test-key\",\n\"key_vault\": \"test-keyvault\",\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\nOutput JSON\n```\n{\n\"result\": {\n\"key\": {\n\"kid\": \"https://test-keyvault.vault.azure.net/keys/test-key/e71e5af81eaa4cbd85674d8b7a76d065\",\n\"e\": \"AQAB\",\n\"kty\": \"RSA\",\n\"n\": \"AL2b7tdZzZugFJI3mRS39h_6x9hh4XKJ3W3UrbwFtA9bZ7kEfGWIyE1IJWQX5KGkW26WkYiAABvx1bU4J7lO1TFkVjvHYRr5cC5eAySBGC1yaxrZ-3SguE7R33EF54ja3doeqapnkCM6GK2RuhIsT4Spz3cm9P0dfknz3DapON-7\",\n\"key_ops\": [\n\"encrypt\",\n\"decrypt\",\n\"sign\",\n\"verify\",\n\"wrapKey\",\n\"unwrapKey\"\n]\n},\n\"attributes\": {\n\"enabled\": true,\n\"recoveryLevel\": \"Recoverable+Purgeable\",\n\"created\": 1593587492,\n\"updated\": 1593587492\n},\n\"tags\": {\n\"KMS\": \"SDKMS\",\n\"KeyType\": \"BYOK\"\n}\n}\n}\n```\n\n\n### Backup Key operation\n\nThis operation will return 
the encrypted Azure key vault key.\n\n### Parameters\n\n* `operation`: The operation which you want to perform. A valid value is `backup`.\n* `key_name`: Name of the key\n* `key_vault`: Azure key vault name\n* `secret_id`: The response of `configuration` operation.\n\n### Example\n\nInput JSON\n```\n{\n\"operation\": \"backup\",\n\"key_name\": \"test-key\",\n\"key_vault\": \"test-keyvault\",\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\nOutput JSON\n```\n{\n\"result\": {\n\"activation_date\": \"20200814T075259Z\",\n\"key_ops\": [\n\"EXPORT\"\n],\n\"created_at\": \"20200814T075259Z\",\n\"acct_id\": \"d97b7540-052d-422b-a6a9-017517f221e9\",\n\"origin\": \"External\",\n\"key_size\": 75000,\n\"compliant_with_policies\": true,\n\"public_only\": false,\n\"enabled\": true,\n\"obj_type\": \"OPAQUE\",\n\"value\": \"&AzureKeyVaultKeyBackupV1.microsoft.com...\",\n\"lastused_at\": \"19700101T000000Z\",\n\"group_id\": \"929a4dab-363d-4f1c-a197-46fc8c0c1251\",\n\"kid\": \"037bef5e-9a2d-4820-b120-02b9b036996d\",\n\"never_exportable\": false,\n\"name\": \"B7E2D3C7D1041342\",\n\"state\": \"Active\",\n\"creator\": {\n\"plugin\": \"bef7866f-194b-452d-83c9-1c2bffe01a3b\"\n}\n}\n}\n```\n\n### Delete Key operation\n\nThis operation will delete a key in Fortanix Self-Defending KMS as well as Azure key vault.\n\n### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `delete`.\n* `key_name`: Name of the key\n* `key_vault`: Azure key vault name\n* `secret_id`: The response of `configuration` operation.\n\nInput JSON\n```\n{\n\"operation\": \"delete\",\n\"key_name\": \"test-key\",\n\"key_vault\": \"test-keyvault\",\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\nOutput JSON\n```\n{\n\"result\": {\n\"scheduledPurgeDate\": 1601363625,\n\"tags\": {\n\"KMS\": \"SDKMS\",\n\"KeyType\": \"BYOK\"\n},\n\"deletedDate\": 1593587625,\n\"key\": {\n\"kid\": \"https://test-keyvault.vault.azure.net/keys/test-key/e71e5af81eaa4cbd85674d8b7a76d065\",\n\"n\": \"AL2b7tdZzZugFJI3mRS39h_6x9hh4XKJ3W3UrbwFtA9bZ7kEfGWIyE1IJWQX5KGkW26WkYiAABvx1bU4J7lO1TFkVjvHYRr5cC5eAySBGC1yaxrZ-3SguE7R33EF54ja3doeqapnkCM6GK2RuhIsT4Spz3cm9P0dfknz3DapON-7\",\n\"kty\": \"RSA\",\n\"e\": \"AQAB\",\n\"key_ops\": [\n\"encrypt\",\n\"decrypt\",\n\"sign\",\n\"verify\",\n\"wrapKey\",\n\"unwrapKey\"\n]\n},\n\"attributes\": {\n\"enabled\": true,\n\"recoveryLevel\": \"Recoverable+Purgeable\",\n\"created\": 1593587492,\n\"updated\": 1593587492\n},\n\"recoveryId\": \"https://test-keyvault.vault.azure.net/deletedkeys/test-key\"\n}\n}\n```\n\n### Recover Key operation\n\nThis operation will recover a deleted key of Azure key vault.\n\n### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `recover`.\n* `key_name`: Name of the key\n* `key_vault`: Azure key vault name\n* `secret_id`: The response of `configuration` operation.\n\n### Example\n\nInput JSON\n```\n{\n\"operation\": \"recover\",\n\"key_name\": \"test-key\",\n\"key_vault\": \"test-keyvault\",\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\nOutput JSON\n```\n[\n{\n\"attributes\": {\n\"created\": 1593587492,\n\"recoveryLevel\": \"Recoverable+Purgeable\",\n\"enabled\": true,\n\"updated\": 1593587492\n},\n\"tags\": {\n\"KeyType\": \"BYOK\",\n\"KMS\": \"SDKMS\"\n},\n\"key\": {\n\"kty\": \"RSA\",\n\"e\": \"AQAB\",\n\"key_ops\": [\n\"encrypt\",\n\"decrypt\",\n\"sign\",\n\"verify\",\n\"wrapKey\",\n\"unwrapKey\"\n],\n\"n\": \"AL2b7tdZzZugFJI3mRS39h_6x9hh4XKJ3W3UrbwFtA9bZ7kEfGWIyE1IJWQX5KGkW26WkYiAABvx1bU4J7lO1TFkVjvHYRr5cC5eAySBGC1yaxrZ-3SguE7R33EF54ja3doeqapnkCM6GK2RuhIsT4Spz3cm9P0dfknz3DapON-7\",\n\"kid\": \"https://test-keyvault.vault.azure.net/keys/test-key/e71e5af81eaa4cbd85674d8b7a76d065\"\n}\n}\n]\n```\n\n### Restore Key operation\n\nThis operation will restore a key in Azure key vault from its backup blob value.\n\n### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `restore`.\n* `kid`: Response `kid` of `backup` operation\n* `key_vault`: Azure key vault name\n* `secret_id`: The response of `configuration` operation.\n\n### Example\n\nInput JSON\n```\n{\n\"operation\": \"restore\",\n\"backup_key_name\": \"backup_key_name\",\n\"key_name\": \"key_name\",\n\"key_vault\": \"test-keyvault\",\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\nOutput JSON\n```\n{\n\"key\": {\n\"kid\": \"https://kv-sdk-test.vault-int.azure-int.net/keys/KeyBackupRestoreTest/d7a019f5da8843aea30722a7edcc37f7\",\n\"kty\": \"RSA\",\n\"key_ops\": [\n\"encrypt\",\n\"decrypt\",\n\"sign\",\n\"verify\",\n\"wrapKey\",\n\"unwrapKey\"\n],\n\"n\": \"v6XXEveP0G4tVvtszozRrSSo6zYDOScH8YBVBBY1CR2MCXBk-iMnKgzUyePi9_ofP3AmOxXx-2AsLC8rxi6n3jQNbGtIvQ4oMdUEhWVcVkmwdl0XyOouofEmIHeSxRg6wXFG4tYAKLmKsO9HqmU5n7ebdDlYngcobc1xHsP0u8e0ltntlgWBlSthmY8AMKW9Sb_teEYhilbkvt_ALr00G_4XHmfq7hSOZePWbGSWQW6yC7__9MrlDfzaSlHyBIyLppPEB7u6Zewrl_eNJWoUVrouIGA32qNETIOr_wxXRVGKoerTt-wFC-CXPn30W_6CmKSxoFBNvnzijg5hAU9V0w\",\n\"e\": \"AQAB\"\n},\n\"attributes\": {\n\"enabled\": false,\n\"nbf\": 1262332800,\n\"exp\": 1893484800,\n\"created\": 1493938217,\n\"updated\": 1493938217,\n\"recoveryLevel\": \"Recoverable+Purgeable\"\n}\n}\n```\n\n### Purge Key operation\n\nThis operation will purge a key in Azure key vault.\n\n### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `purge`.\n* `key_name`: Name of the key\n* `key_vault`: Azure key vault name\n* `secret_id`: The response of `configuration` operation.\n\n### Example\n\nInput JSON\n```\n{\n\"operation\": \"purge\",\n\"key_name\": \"test-key\",\n\"key_vault\": \"test-keyvault\",\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\nOutput JSON\n\n```\n{\n\"body\": \"\",\n\"headers\": {\n\"X-Content-Type-Options\": \"nosniff\",\n\"Date\": \"Fri, 14 Aug 2020 08:01:39 GMT\",\n\"Strict-Transport-Security\": \"max-age=31536000;includeSubDomains\",\n\"x-ms-request-id\": \"e9851042-6210-474d-b9b0-706f600aa5d4\",\n\"Pragma\": \"no-cache\",\n\"x-ms-keyvault-service-version\": \"1.1.31.4\",\n\"Expires\": \"-1\",\n\"Cache-Control\": \"no-cache\",\n\"x-ms-keyvault-network-info\": \"conn_type=Ipv4;addr=216.218.139.205;act_addr_fam=InterNetwork;\",\n\"X-AspNet-Version\": \"4.0.30319\",\n\"X-Powered-By\": \"ASP.NET\",\n\"x-ms-keyvault-region\": \"eastus\"\n},\n\"status\": 204\n}\n```\n\n### References\n- [Azure BYOK](https://docs.microsoft.com/en-us/azure/information-protection/byok-price-restrictions)\n\n### Release Notes\n- Initial release",
"commit": "f9183a901ccc38ecac44ecf3bcb2d2778f90e014"
},
"2.0": {
"path": "azure/plugin.lua",
"description": "## Short Description\nThis plugin implements the Bring Your Own Key (BYOK) model for the Azure cloud. Using this plugin you can keep your key inside Fortanix Self-Defending KMS and use the BYOK features of Azure key vault.\n## Introduction\nCloud services provide many advantages, but security has been the major disadvantage of cloud providers, because your data physically resides with the provider. To keep data secure in a cloud provider environment, enterprises use encryption, so securing their encryption keys becomes significantly important. Bring Your Own Key (BYOK) allows enterprises to encrypt their data while retaining control and management of their encryption keys. This plugin provides an implementation of the Azure cloud BYOK model.\n\n## Requirement\n\n- Fortanix Self-Defending KMS version >= 3.17.1330\n\n## Use cases\n\nThe plugin can be used to\n\n- Push a Fortanix Self-Defending KMS key into Azure key vault\n- List Azure BYOK keys\n- Rotate a key in Fortanix Self-Defending KMS and the corresponding key in Azure key vault\n- Delete a key in Fortanix Self-Defending KMS and the corresponding key in Azure key vault\n- Back up an Azure key vault key\n- Recover an Azure key vault key\n- Restore an Azure key vault key\n- Purge an Azure key vault key\n\n## Setup\n\n- Log in to https://portal.azure.com/\n- Register an app in the Azure cloud (note down the Application (client) ID, Directory (tenant) ID, and client secret of this app). This information will be configured in Fortanix Self-Defending KMS.\n- Create a key vault in Azure\n- Add the app registered above to the `Access Policy` of that key vault\n\n## Input/Output JSON object format\n\n### Configure operation\n\nThis operation configures the Azure app credential in Fortanix Self-Defending KMS and returns a UUID. You need to pass this UUID to the other operations. This is a one-time process.\n\n### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `configure`.\n* `tenant_id`: Azure tenant ID\n* `client_id`: Azure app ID or client ID\n* `client_secret`: Azure app secret\n\n### Example\n\nInput JSON\n```\n{\n\"operation\": \"configure\",\n\"tenant_id\": \"de7becae...88ae6\",\n\"client_id\": \"f8d7741...6abb6\",\n\"client_secret\": \"SvU...5\"\n}\n```\n\nOutput JSON\n```\n{\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\n### Create Key operation\n\nThis operation will create an RSA key in Fortanix Self-Defending KMS and in Azure key vault and return a key ID.\n\n### Parameters\n\n* `operation`: The operation which you want to perform. A valid value is `create`.\n* `key_name`: Name of the key\n* `key_vault`: Azure key vault name\n* `exp`: Key expiration time. Accepted format is Unix time.\n* `secret_id`: The response of `configuration` operation.\n\n### Example\n\nInput JSON\n```\n{\n\"operation\": \"create\",\n\"key_name\": \"test-key\",\n\"key_vault\": \"test-keyvault\",\n\"exp\": 1596240000,\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\nOutput JSON\n```\n{\n\"result\": {\n\"attributes\": {\n\"recoveryLevel\": \"Recoverable+Purgeable\",\n\"updated\": 1593587162,\n\"exp\": 1596240000,\n\"enabled\": true,\n\"created\": 1593587161\n},\n\"tags\": {\n\"KMS\": \"SDKMS\",\n\"KeyType\": \"BYOK\"\n},\n\"key\": {\n\"kid\": \"https://test-keyvault.vault.azure.net/keys/test-key/12860b1156e448dda3a5a3fba9b19a4d\",\n\"key_ops\": [\n\"sign\",\n\"verify\"\n],\n\"n\": \"AOWMCffn25U5JFX7M8zW-ncjOOaVuVPBFSI6Ae_N6Nl9Uzn_2Y_DfJX4gjaPRNcercZ8Fib7WzF_UwZPU486D7lqB8_YxP8F9WyM8cOYgT1KL4KdRh-6-dstQ9MmVp06FmvV2E8T7njY-Ds218gHW4eXA4UWeu2GXrClKmD7ADkD\",\n\"e\": \"AQAB\",\n\"kty\": \"RSA\"\n}\n}\n}\n```\n\n### List Key operation\n\nThis operation will list all the BYOK keys from Azure.\n\n### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `list`.\n* `key_name`: Name of the key\n* `key_vault`: Azure key vault name\n* `secret_id`: The response of `configuration` operation.\n\n### Example\n\nInput JSON\n```\n{\n\"operation\": \"list\",\n\"key_vault\": \"test-keyvault\",\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\nOutput JSON\n```\n{\n\"result\": {\n\"value\": [\n{\n\"attributes\": {\n\"recoveryLevel\": \"Recoverable+Purgeable\",\n\"enabled\": true,\n\"updated\": 1593587162,\n\"created\": 1593587161,\n\"exp\": 1596240000\n},\n\"kid\": \"https://test-keyvault.vault.azure.net/keys/test-key\",\n\"tags\": {\n\"KMS\": \"SDKMS\",\n\"KeyType\": \"BYOK\"\n}\n}\n],\n\"nextLink\": null\n}\n}\n```\n\n### Rotate Key operation\n\nThis operation will rotate a key in Fortanix Self-Defending KMS as well as Azure key vault.\n\n### Parameters\n\n* `operation`: The operation which you want to perform. A valid value is `rotate`.\n* `key_name`: Name of the key\n* `key_vault`: Azure key vault name\n* `secret_id`: The response of `configuration` operation.\n\n### Example\n\nInput JSON\n```\n{\n\"operation\": \"rotate\",\n\"key_name\": \"test-key\",\n\"key_vault\": \"test-keyvault\",\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\nOutput JSON\n```\n{\n\"result\": {\n\"key\": {\n\"kid\": \"https://test-keyvault.vault.azure.net/keys/test-key/e71e5af81eaa4cbd85674d8b7a76d065\",\n\"e\": \"AQAB\",\n\"kty\": \"RSA\",\n\"n\": \"AL2b7tdZzZugFJI3mRS39h_6x9hh4XKJ3W3UrbwFtA9bZ7kEfGWIyE1IJWQX5KGkW26WkYiAABvx1bU4J7lO1TFkVjvHYRr5cC5eAySBGC1yaxrZ-3SguE7R33EF54ja3doeqapnkCM6GK2RuhIsT4Spz3cm9P0dfknz3DapON-7\",\n\"key_ops\": [\n\"encrypt\",\n\"decrypt\",\n\"sign\",\n\"verify\",\n\"wrapKey\",\n\"unwrapKey\"\n]\n},\n\"attributes\": {\n\"enabled\": true,\n\"recoveryLevel\": \"Recoverable+Purgeable\",\n\"created\": 1593587492,\n\"updated\": 1593587492\n},\n\"tags\": {\n\"KMS\": \"SDKMS\",\n\"KeyType\": \"BYOK\"\n}\n}\n}\n```\n\n\n### Backup Key operation\n\nThis operation will return 
encrypted Azure key vault key.\n\n### Parameters\n\n* `operation`: The operation which you want to perform. A valid value is `backup`.\n* `key_name`: Name of the key\n* `key_vault`: Azure key vault name\n* `secret_id`: The response of `configuration` operation.\n\n### Example\n\nInput JSON\n```\n{\n\"operation\": \"backup\",\n\"key_name\": \"test-key\",\n\"key_vault\": \"test-keyvault\",\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\nOutput JSON\n```\n{\n\"result\": {\n\"activation_date\": \"20200814T075259Z\",\n\"key_ops\": [\n\"EXPORT\"\n],\n\"created_at\": \"20200814T075259Z\",\n\"acct_id\": \"d97b7540-052d-422b-a6a9-017517f221e9\",\n\"origin\": \"External\",\n\"key_size\": 75000,\n\"compliant_with_policies\": true,\n\"public_only\": false,\n\"enabled\": true,\n\"obj_type\": \"OPAQUE\",\n\"value\": \"&AzureKeyVaultKeyBackupV1.microsoft.comeyJraWQiOiI0Mzg1YjA3Yi1kNTQ3LTQyZTUtYWU5ZS02MTBkYzM5ZGZhZjgiLCJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIifQ.uGS7DikNkPsgwjoYfbymb_MVs5zZNdDsGQ6I7ITLuS-HlwuQzhbL960_G5zkZ92F46ziWQRYRCKfBcr2Ejh_1dDid91P7s9AWM6Vl6UGHI6n2tCttv9CFL5SkkJnXx3dfYGpEAcW8jikaIUzwA2778UAkSed65KeXQxVGJhzyN_XOeX0EfmJVgiFkJdk3Y6JafG0cY7Sfr-j6Wg7uPuNOSOemKoniMmgX4cyCiJtoC1U4ozx94QGPnXDMyxOeXVQNyyzqJ-fwrBWLQFTtSyncebrFDgpsjepenYXPny1QMjUsz1yD9JjF81uw1P6g5Yw-8rrH9rEaczaACiS4J75HA.OlxJjFSd7HYtm_GTvqOcSw.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.uuTUavZBwPlrtUcFXw9-ghfodh19ojOnbd_X-PYG30g\",\n\"lastused_at\": \"19700101T000000Z\",\n\"group_id\": \"929a4dab-363d-4f1c-a197-46fc8c0c1251\",\n\"kid\": \"037bef5e-9a2d-4820-b120-02b9b036996d\",\n\"never_exportable\": false,\n\"name\": \"B7E2D3C7D1041342\",\n\"state\": \"Active\",\n\"creator\": {\n\"plugin\": \"bef7866f-194b-452d-83c9-1c2bffe01a3b\"\n}\n}\n}\n```\n\n### Delete Key operation\n\nThis operation will delete a key in Fortanix Self-Defending KMS as well as Azure key vault.\n\n### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `delete`.\n* `key_name`: Name of the key\n* `key_vault`: Azure key vault name\n* `secret_id`: The response of `configuration` operation.\n\nInput JSON\n```\n{\n\"operation\": \"delete\",\n\"key_name\": \"test-key\",\n\"key_vault\": \"test-keyvault\",\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\nOutput JSON\n```\n{\n\"result\": {\n\"scheduledPurgeDate\": 1601363625,\n\"tags\": {\n\"KMS\": \"SDKMS\",\n\"KeyType\": \"BYOK\"\n},\n\"deletedDate\": 1593587625,\n\"key\": {\n\"kid\": \"https://test-keyvault.vault.azure.net/keys/test-key/e71e5af81eaa4cbd85674d8b7a76d065\",\n\"n\": \"AL2b7tdZzZugFJI3mRS39h_6x9hh4XKJ3W3UrbwFtA9bZ7kEfGWIyE1IJWQX5KGkW26WkYiAABvx1bU4J7lO1TFkVjvHYRr5cC5eAySBGC1yaxrZ-3SguE7R33EF54ja3doeqapnkCM6GK2RuhIsT4Spz3cm9P0dfknz3DapON-7\",\n\"kty\": \"RSA\",\n\"e\": \"AQAB\",\n\"key_ops\": [\n\"encrypt\",\n\"decrypt\",\n\"sign\",\n\"verify\",\n\"wrapKey\",\n\"unwrapKey\"\n]\n},\n\"attributes\": {\n\"enabled\": true,\n\"recoveryLevel\": \"Recoverable+Purgeable\",\n\"created\": 1593587492,\n\"updated\": 1593587492\n},\n\"recoveryId\": \"https://test-keyvault.vault.azure.net/deletedkeys/test-key\"\n}\n}\n```\n\n### Recover Key operation\n\nThis operation will recover a deleted key of Azure key vault.\n\n### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `recover`.\n* `key_name`: Name of the key\n* `key_vault`: Azure key vault name\n* `secret_id`: The response of `configuration` operation.\n\n### Example\n\nInput JSON\n```\n{\n\"operation\": \"recover\",\n\"key_name\": \"test-key\",\n\"key_vault\": \"test-keyvault\",\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\nOutput JSON\n```\n[\n{\n\"attributes\": {\n\"created\": 1593587492,\n\"recoveryLevel\": \"Recoverable+Purgeable\",\n\"enabled\": true,\n\"updated\": 1593587492\n},\n\"tags\": {\n\"KeyType\": \"BYOK\",\n\"KMS\": \"SDKMS\"\n},\n\"key\": {\n\"kty\": \"RSA\",\n\"e\": \"AQAB\",\n\"key_ops\": [\n\"encrypt\",\n\"decrypt\",\n\"sign\",\n\"verify\",\n\"wrapKey\",\n\"unwrapKey\"\n],\n\"n\": \"AL2b7tdZzZugFJI3mRS39h_6x9hh4XKJ3W3UrbwFtA9bZ7kEfGWIyE1IJWQX5KGkW26WkYiAABvx1bU4J7lO1TFkVjvHYRr5cC5eAySBGC1yaxrZ-3SguE7R33EF54ja3doeqapnkCM6GK2RuhIsT4Spz3cm9P0dfknz3DapON-7\",\n\"kid\": \"https://test-keyvault.vault.azure.net/keys/test-key/e71e5af81eaa4cbd85674d8b7a76d065\"\n}\n}\n]\n```\n\n### Restore Key operation\n\nThis operation will restore a key in Azure key vault from its backup blob value.\n\n### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `restore`.\n* `kid`: Response `kid` of `backup` operation\n* `key_vault`: Azure key vault name\n* `secret_id`: The response of `configuration` operation.\n\n### Example\n\nInput JSON\n```\n{\n\"operation\": \"restore\",\n\"backup_key_name\": \"backup_key_name\",\n\"key_name\": \"key_name\",\n\"key_vault\": \"test-keyvault\",\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\nOutput JSON\n```\n{\n\"key\": {\n\"kid\": \"https://kv-sdk-test.vault-int.azure-int.net/keys/KeyBackupRestoreTest/d7a019f5da8843aea30722a7edcc37f7\",\n\"kty\": \"RSA\",\n\"key_ops\": [\n\"encrypt\",\n\"decrypt\",\n\"sign\",\n\"verify\",\n\"wrapKey\",\n\"unwrapKey\"\n],\n\"n\": \"v6XXEveP0G4tVvtszozRrSSo6zYDOScH8YBVBBY1CR2MCXBk-iMnKgzUyePi9_ofP3AmOxXx-2AsLC8rxi6n3jQNbGtIvQ4oMdUEhWVcVkmwdl0XyOouofEmIHeSxRg6wXFG4tYAKLmKsO9HqmU5n7ebdDlYngcobc1xHsP0u8e0ltntlgWBlSthmY8AMKW9Sb_teEYhilbkvt_ALr00G_4XHmfq7hSOZePWbGSWQW6yC7__9MrlDfzaSlHyBIyLppPEB7u6Zewrl_eNJWoUVrouIGA32qNETIOr_wxXRVGKoerTt-wFC-CXPn30W_6CmKSxoFBNvnzijg5hAU9V0w\",\n\"e\": \"AQAB\"\n},\n\"attributes\": {\n\"enabled\": false,\n\"nbf\": 1262332800,\n\"exp\": 1893484800,\n\"created\": 1493938217,\n\"updated\": 1493938217,\n\"recoveryLevel\": \"Recoverable+Purgeable\"\n}\n}\n```\n\n### Purge Key operation\n\nThis operation will purge a key in Azure key vault.\n\n### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `purge`.\n* `key_name`: Name of the key\n* `key_vault`: Azure key vault name\n* `secret_id`: The response of `configuration` operation.\n\n### Example\n\nInput JSON\n```\n{\n\"operation\": \"purge\",\n\"key_name\": \"test-key\",\n\"key_vault\": \"test-keyvault\",\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\nOutput JSON\n\n```\n{\n\"body\": \"\",\n\"headers\": {\n\"X-Content-Type-Options\": \"nosniff\",\n\"Date\": \"Fri, 14 Aug 2020 08:01:39 GMT\",\n\"Strict-Transport-Security\": \"max-age=31536000;includeSubDomains\",\n\"x-ms-request-id\": \"e9851042-6210-474d-b9b0-706f600aa5d4\",\n\"Pragma\": \"no-cache\",\n\"x-ms-keyvault-service-version\": \"1.1.31.4\",\n\"Expires\": \"-1\",\n\"Cache-Control\": \"no-cache\",\n\"x-ms-keyvault-network-info\": \"conn_type=Ipv4;addr=216.218.139.205;act_addr_fam=InterNetwork;\",\n\"X-AspNet-Version\": \"4.0.30319\",\n\"X-Powered-By\": \"ASP.NET\",\n\"x-ms-keyvault-region\": \"eastus\"\n},\n\"status\": 204\n}\n```\n\n### References\n- [Azure BYOK](https://docs.microsoft.com/en-us/azure/information-protection/byok-price-restrictions)\n\n### Release Notes\nAdded key_size parameter to import (previously set to 1024 only)\nImproved the pem_to_jwk conversion",
"commit": "b24b091197e704fd06c25c5f29611bb1c598ad63"
}
}
},
{
"name": "Self-Defending KMS-Azure Bring Your Own Key (BYOK) HSM",
"versions": {
"1.0": {
"path": "azure-hsm/plugin.lua",
"description": "## Short Description\nThis plugin implements the Bring your own key (BYOK) HSM model for Azure cloud. Using this plugin you can keep your key inside Fortanix Self-Defending KMS and use BYOK features of Azure key vault.\n\n## Introduction\nThe cloud services provide many advantages but the major disadvantage of cloud providers has been security because physically your data resides with the cloud provider. To keep data secure in a cloud provider environment, enterprises use encryption. So securing their encryption keys becomes significantly important. Bring Your Own Key (BYOK) allows enterprises to encrypt their data and retain control and management of their encryption keys. This plugin provides an implementation to use the Azure cloud BYOK model.\n\n## Requirement\n\n- Fortanix Self-Defending KMS Version >= 3.17.1330\n\n## Use cases\n\nThe plugin can be used to\n\n- Push Fortanix Self-Defending KMS key in Azure HSM key vault\n- List Azure BYOK key\n- Delete key in Fortanix Self-Defending KMS and corresponding key in Azure key vault\n\n## Setup\n\n- Log in to https://portal.azure.com/\n- Register an app in Azure cloud (Note down the Application (client) ID, Directory (tenant) ID, and client secret of this app). We will configure this information in Fortanix Self-Defending KMS\n- Create a premium Azure key vault\n- Add the above app in the `Access Policy` of the above key vault\n- Create KEK key in Azure key vault\n\n```\naz keyvault key create --kty RSA-HSM --size 2048 --name <KEY-NAME> --ops import --vault-name <KEY-VAULT-NAME>\n```\n\n## Input/Output JSON object format\n\n### Configure operation\n\nThis operation configures Azure app credential in Fortanix Self-Defending KMS and returns a UUID. You need to pass this UUID for other operations. This is a one-time process.\n\n* `operation`: The operation which you want to perform. 
A valid value is `configure`.\n* `tenant_id`: Azure tenant ID\n* `client_id`: Azure app ID or client ID\n* `client_secret`: Azure app secret\n\n#### Example\n\nInput JSON\n```\n{\n\"operation\": \"configure\",\n\"tenant_id\": \"de7becae...88ae6\",\n\"client_id\": \"f8d7741...6abb6\",\n\"client_secret\": \"SvU...5\"\n}\n```\n\nOutput JSON\n```\n{\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\n### Create Key operation\n\nThis operation will create an RSA key in Fortanix Self-Defending KMS and import it in Azure key vault.\n\n#### Parameters\n\n* `operation`: The operation which you want to perform. A valid value is `create`.\n* `key_name`: Name of the key\n* `key_vault`: Azure key vault name\n* `kek_key_kid`: Azure Key Exchange Key (KEK) ID\n* `secret_id`: The response of `configuration` operation.\n\n#### Example\n\nInput JSON\n```\n{\n\"operation\": \"create\",\n\"key_name\": \"test-key\",\n\"key_vault\": \"test-hsm-keyvault\",\n\"kek_key_kid\": \"https://test-hsm-keyvault.vault.azure.net/keys/test-kek-key/0ffc59a57f664b9fbde6455bd0ed5dd5\",\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\nOutput JSON\n```\n{\n\"result\": {\n\"key\": {\n\"n\": \"5FshKQ_5peJfFcer18EylSxbK94UErV0we_Z-v2EsTjcH_HZBWAUbAF0QJ_q0Qzy6nHA-u0DkAf63YTe3BhuUEU80Qek_pmZjfek4rgE53eSbrEqH7bYVxUEKSye3J_7oR-MMs4YkNqvyenBuLSv7QXZIcPu17zsNhIQrsv0MBdwV_QlewW9QQUeTPLbHUBV7m-r1gdffiINoRcGY9QvHb6dJphoOaNSzddUXm6Y21R7pwI2Lzo3MuEe2nwtOC-z_MW8jdsDNYxua4CipiGOe2Cqqg_wXsZcjpefzYqSGky2y3j7OoG1uHsafRqWatWTj_CHUPr-oII_r2_sGcxBrw\",\n\"key_ops\": [\n\"encrypt\",\n\"decrypt\",\n\"sign\",\n\"verify\",\n\"wrapKey\",\n\"unwrapKey\"\n],\n\"e\": \"AAEAAQ\",\n\"kty\": \"RSA-HSM\",\n\"kid\": \"https://test-hsm-keyvault.vault.azure.net/keys/test-key/21dc7692b9184c1ba8e643db8b142356\"\n},\n\"attributes\": {\n\"recoveryLevel\": \"Recoverable+Purgeable\",\n\"enabled\": true,\n\"updated\": 1593584773,\n\"created\": 1593584773\n}\n}\n}\n```\n\n### List Key operation\n\nThis operation will list all the BYOK keys 
from azure.\n\n### Parameters\n\n* `operation`: The operation which you want to perform. A valid value is `list`.\n* `key_name`: Name of the key\n* `key_vault`: Azure key vault name\n* `secret_id`: The response of `configuration` operation.\n\n### Example\n\nInput JSON\n```\n{\n\"operation\": \"list\",\n\"key_vault\": \"test-hsm-keyvault\",\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\nOutput JSON\n```\n{\n\"result\": {\n\"value\": [\n{\n\"attributes\": {\n\"recoveryLevel\": \"Recoverable+Purgeable\",\n\"enabled\": true,\n\"updated\": 1593587162,\n\"created\": 1593587161,\n\"exp\": 1596240000\n},\n\"kid\": \"https://test-hsm-keyvault.vault.azure.net/keys/test-key\",\n\"tags\": {\n\"KMS\": \"SDKMS\",\n\"KeyType\": \"BYOK\"\n}\n}\n],\n\"nextLink\": null\n}\n}\n```\n\n### Delete Key operation\n\nThis operation will delete a key in Fortanix Self-Defending KMS as well as Azure key vault.\n\n### Parameters\n\n* `operation`: The operation which you want to perform. A valid value is `delete`.\n* `key_name`: Name of the key\n* `key_vault`: Azure key vault name\n* `secret_id`: The response of `configuration` operation.\n\nInput JSON\n```\n{\n\"operation\": \"delete\",\n\"key_name\": \"test-key\",\n\"key_vault\": \"test-hsm-keyvault\",\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\nOutput JSON\n```\n{\n\"result\": {\n\"scheduledPurgeDate\": 1601363625,\n\"tags\": {\n\"KMS\": \"SDKMS\",\n\"KeyType\": \"BYOK\"\n},\n\"deletedDate\": 1593587625,\n\"key\": {\n\"kid\": \"https://test-hsm-keyvault.vault.azure.net/keys/test-key/e71e5af81eaa4cbd85674d8b7a76d065\",\n\"n\": \"AL2b7tdZzZugFJI3mRS39h_6x9hh4XKJ3W3UrbwFtA9bZ7kEfGWIyE1IJWQX5KGkW26WkYiAABvx1bU4J7lO1TFkVjvHYRr5cC5eAySBGC1yaxrZ-3SguE7R33EF54ja3doeqapnkCM6GK2RuhIsT4Spz3cm9P0dfknz3DapON-7\",\n\"kty\": \"RSA\",\n\"e\": \"AQAB\",\n\"key_ops\": [\n\"encrypt\",\n\"decrypt\",\n\"sign\",\n\"verify\",\n\"wrapKey\",\n\"unwrapKey\"\n]\n},\n\"attributes\": {\n\"enabled\": true,\n\"recoveryLevel\": 
\"Recoverable+Purgeable\",\n\"created\": 1593587492,\n\"updated\": 1593587492\n},\n\"recoveryId\": \"https://test-hsm-keyvault.vault.azure.net/deletedkeys/test-key\"\n}\n}\n```\n\n## References\n- [Azure HSM BYOK](https://docs.microsoft.com/en-us/azure/key-vault/keys/hsm-protected-keys)\n\n### Release Notes\n- Initial release",
"commit": "b24b091197e704fd06c25c5f29611bb1c598ad63"
}
}
},
{
"name": "Cache-only BYOK for Salesforce Cloud",
"versions": {
"1.0": {
"path": "salesforce/plugin.lua",
"description": "## Short Description\nFortanix Self-Defending KMS can be used as HSM-backed Software-as-a-Service (SaaS) for the Fortanix - Salesforce Cache-only BYOK solution. This plugin can be used to securely generate encryption keys and configure them in Salesforce\u2019s Shield Platform.\n\n## Introduction\nSalesforce's Shield Platform Encryption is introducing a new pilot feature called Cache-Only Keys. This capability enhances the existing Bring Your Own Key (BYOK) capability by allowing customers to host their key material in a wrapped format which Salesforce will fetch as required. While this will be cached in an encrypted form, Salesforce will not retain or persist the key material in any system of record or backups.\n\n## Use cases\n\n1. Generate encryption keys\n2. Use Fortanix Self-Defending KMS key in Salesforce as Cache-only Key at runtime\n\n## Fortanix Self-Defending KMS Setup\n\n1. Log in to Fortanix Self-Defending KMS (https://sdkms.fortanix.com)\n2. Create an account in Fortanix Self-Defending KMS\n3. Create a group in Fortanix Self-Defending KMS\n4. Create an app in Fortanix Self-Defending KMS. Copy the value of App username and password. This would be required while setting up Named Credential in Salesforce.\n5. Create a plugin in Fortanix Self-Defending KMS\n\n## Configure Salesforce import Certificate in Fortanix Self-Defending KMS\n\nGenerate and download a self-signed certificate in Salesforce and import it in Fortanix Self-Defending KMS\n\n1. Log in to Salesforce. Go to \"Setup\"\n2. Create a (self-signed) certificate under Security >> Certificate and Key Management with key size 4096.\n3. Disable the check box \"Exportable Private Key\"\n4. Select the check box to \"Use Platform Encryption\"\n5. Once the certificate is created, please download it\n\nImport the Certificate to Fortanix Self-Defending KMS.\n\n1. Log in to Fortanix Self-Defending KMS\n2. 
Select an account and Click the left navigation bar to navigate to the \"Security Objects\" tab\n3. Click the IMPORT button\n4. Choose value format as \u201cBASE 64\u201d.\n5. Choose Security Object type as \u201cCertificate\u201d.\n6. Click the Upload a file button to upload the converted certificate at Step 5.\n7. Click the IMPORT button to import the certificate into Fortanix Self-Defending KMS as a security object.\n\n## Salesforce Setup\n\nDefine Named Credential in Salesforce.\n\n1. Log in to Salesforce. Go to \"Setup\"\n2. Click the \u201cNamed Credentials\u201d item under the Security menu in the left navigation bar\n3. Click the button New Named Credential. It will open a screen to create a Named Credential\n4. Enter the details for named credential\n4.1 Enter Label & Name of your choice\n4.2 Enter the plugin URL as in example (UUID: UUID of the plugin created in the section Fortanix Self-Defending KMS Setup Step 3 ). Example: https://www.sdkms.fortanix.com/sys/v1/plugins/invoke/<plugin-uuid>\n4.3 Select the Identity Type as \u201cNamed Principal\u201d and Authentication Protocol as \u201cPassword Authentication\u201d\n4.4 Enter the username and password of Fortanix Self-Defending KMS app and then click Save\n\n## Steps to generate encryption keys and import to Salesforce\n\nGenerate JWE Token (BYOK Cache only KEY) using the plugin.\n\n1. Go to plugin created in Step 5 of section Fortanix Self-Defending KMS Setup.\n2. Click ADD TEST INPUT on the right-hand side.\n3. Enter the following payload in the text box.\n\n```\n{\n\"cert\": <uuid of certificate imported in SDKMS>,\n\"name\": \"<unique name of key eg: salesforce_ency_key_v1>\"\n}\n```\n\n4. RUN TEST\n\nThe plugin generates security objects (AES encryption key and meta information) in Fortanix Self-Defending KMS and returns their UUID.\n\n1. dek: is UUID of AES encryption key generated by the plugin and stored securely in Fortanix Self-Defending KMS. 
Salesforce will use it as a data encryption key.\n2. opq_key_identifier: Fortanix Self-Defending KMS plugin also generates a security object of type \u201cOPAQUE\u201d. It contains meta-information to generate a response (JWE Token) required by Salesforce. Meta-information has the following information:\n\nCopy the value of the \u201copq_key_identifier\u201d field in the response body. This would be required while setting up BYOK in Salesforce.\n\nWhen the Salesforce platform calls the Fortanix Self-Defending KMS plugin to fetch encryption keys, the plugin reads the meta-information from the opaque object and processes the \u201cdek\u201d key material and the certificate used (while generating the meta-information and the AES key initially) to generate the JWE token. The same is returned to Salesforce in the desired JSON format.\n\nRefer to the Salesforce documentation for more information on the JWE token.\n\nThe \u201cdek\u201d value is the AES encryption key which is generated by the plugin, and the key is stored in Fortanix Self-Defending KMS. The key material would be securely transferred to Salesforce as part of the JWE token.\n\nGo to the Security Objects screen to see the newly created object.\n\n## Configure Salesforce to use Fortanix Self-Defending KMS to fetch Cache-only Key at runtime\n\n1. Go to Setup >> Security >> Platform Encryption >> Key Management\n2. Click the Bring Your Own Key button\n3. Select the desired certificate to be used (it should be the same as the one used while executing the plugin to generate an encryption key and meta-information)\n4. Select the Use a Cache-Only Key radio button.\n5. Select the Named Credential created with the Fortanix Self-Defending KMS endpoint.\n6. Enter the BYOK ID (opq_key_identifier) generated by the Fortanix Self-Defending KMS plugin in Step 1.\n7. Click Save.\n8. Once the configuration is saved, Salesforce will call Fortanix Self-Defending KMS to fetch the JWE token and decrypt it with the private key of the certificate.\n9. 
You can see the newly imported key on the \u201cKey Management\u201d screen\n\nVerify the key import in the Fortanix Self-Defending KMS Event logs.\n\n1. Logs are generated in Fortanix Self-Defending KMS while fetching encryption keys during setup (after step 2i).\n2. Go to Event Logs in Fortanix Self-Defending KMS to verify (see the screenshot below).\n3. Logs are also generated later when Salesforce calls Fortanix Self-Defending KMS to fetch the encryption keys at runtime.\n\n## Reference\n\n- Fortanix support (https://support.fortanix.com/hc/en-us/articles/360040488931-Exporting-Fortanix-Self-Defending-KMS-keys-to-Cloud-Providers-for-BYOK-Salesforce)\n\n### Release Notes\n- Initial release",
"commit": "b24b091197e704fd06c25c5f29611bb1c598ad63"
}
}
},
{
"name": "Automated BYOK for Salesforce Cloud",
"versions": {
"1.0": {
"path": "salesforce-automated/plugin.lua",
"description": "## Short Description\nThis plugin implements the Bring your own key (BYOK) model for Salesforce. Using this plugin you can keep your key inside Fortanix Self-Defending KMS and use Shield Platform Encryption features of Salesforce.\n\n## Use cases\n\nThe plugin can be used to\n\n- Upload a key from Fortanix Self-Defending KMS to Salesforce\n- Search tenant secrets (Salesforce encryption keys) using Salesforce Sobject Query Language (SSQL)\n- Check current status of any key or key version\n- Destroy the archived keys in Salesforce\n- Restore a previously destroyed key\n\n## Fortanix Self-Defending KMS Setup\n\n1. Log in to Fortanix Self-Defending KMS (https://sdkms.fortanix.com)\n2. Create an account in Fortanix Self-Defending KMS\n3. Create a group in Fortanix Self-Defending KMS\n4. Create a plugin in Fortanix Self-Defending KMS\n\n## Configure Salesforce\n\n1. Create a New Profile under Setup >> Profiles.\nNote: Select \u201cManage Encryption Keys\u201d under \u201cAdministrative Permissions\u201d\n2. Create a New User under Setup >> Users with these inputs \u2013\nName: arbitrarily input\nProfiles: choose the KMS role created in the previous step\nNote the credentials to securely import into a Self-Defending KMS secret\n3. Create a Connected App under \u201cApps >> App Manager\u201d with the following inputs \u2013\nLabel: arbitrarily input\nCheck the \u201cEnable OAuth Settings\u201d\nCheck the \u201cEnable Device Flow\u201d for automated access\nNote the credentials to securely import into a Self-Defending KMS secret\n4. Whitelist the Fortanix Self-Defending KMS application IP range (CIDR)\n5. Create a Certificate under \u201cSetup >> Certificate and Key Management\u201d \u2013\nLabel: arbitrarily input, but note it for later use\nUncheck the \u201cExportable Private Key\u201d\nCheck the option to \"Use Platform Encryption\"\n6. 
Verify the Salesforce credentials\nClient/Consumer Key (Created in step 3)\nClient/Consumer Secret (Created in step 3)\nOAuth username (Created in step 2)\nOAuth password (Created in step 2)\nTenant URI\nAPI version (Fortanix Plugin tested against version 50.0)\n\n## Input/Output JSON object format\n\n### Configure operation\n\nThis operation configures Salesforce credentials in Fortanix Self-Defending KMS and returns a UUID. You need to pass this UUID for other operations. This is a one-time process.\n\n#### Parameters\n\n* `operation`: The operation which you want to perform. A valid value is `configure`.\n* `consumer_key`: Consumer Key of the connected app\n* `consumer_secret`: Consumer Secret of the connected app\n* `username`: OAuth username\n* `password`: OAuth password\n* `tenant`: Salesforce tenant URI\n* `version`: API version (Fortanix Plugin tested against version 50.0)\n* `name`: Name of the sobject. This sobject will be created in Fortanix Self-Defending KMS and will have Salesforce credential information\n\n#### Example\n\nInput JSON\n```\n{\n\"operation\": \"configure\",\n\"consumer_key\": \"CBK...................D\",\n\"consumer_secret\": \"DMV................D\",\n\"username\" : \"ft......x@<your company domain>\",\n\"password\" : \"fy....K\",\n\"tenant\" : \"<Salesforce tenant URI>\",\n\"version\" : \"v50.0\",\n\"name\" : \"Salesforce NamedCred Dev\"\n}\n```\nOutput\n```\n\"3968218b-72c3-4ada-922a-8a917323f27d\"\n```\n\n\n### Check operation\n\nThis operation tests whether the plugin can import the wrapping certificate from Salesforce into Fortanix Self-Defending KMS. (This certificate is required by the plugin to authenticate itself to Salesforce.)\n\n#### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `check`.\n* `secret_id`: The response of `configuration` operation\n* `wrapper`: Name of the wrapping certificate in Salesforce\n\n#### Example\n\nInput JSON\n```\n{\n\"operation\": \"check\",\n\"secret_id\": \"3968218b-72c3-4ada-922a-8a917323f27d\",\n\"wrapper\" : \"SFBYOK_FTX_Wrapper\"\n}\n```\nOutput JSON\n```\n{\n\"group_id\": \"ff2............................c\",\n\"public_only\": true,\n\"key_ops\": [\n\"VERIFY\",\n\"ENCRYPT\",\n\"WRAPKEY\",\n\"EXPORT\"\n],\n\"enabled\": true,\n\"rsa\": {\n\"signature_policy\": [\n{\n\"padding\": null\n}\n],\n\"encryption_policy\": [\n{\n\"padding\": {\n\"OAEP\": {\n\"mgf\": null\n}\n}\n}\n],\n\"key_size\": 4096\n},\n\"state\": \"Active\",\n\"created_at\": \"20201229T183553Z\",\n\"key_size\": 4096,\n\"kid\": \"6de........................4\",\n\"origin\": \"External\",\n\"lastused_at\": \"19700101T000000Z\",\n\"obj_type\": \"CERTIFICATE\",\n\"name\": \"SFBYOK_FTX_Wrapper\",\n\"acct_id\": \"ec9.......................7\",\n\"compliant_with_policies\": true,\n\"creator\": {\n\"plugin\": \"654.......................1\"\n},\n\"value\": \"MII........................9\",\n\"activation_date\": \"20201229T183553Z\",\n\"pub_key\": \"MII......................8\",\n\"never_exportable\": false\n}\n```\n\n\n### Query operation\n\nThis operation allows you to search tenant secrets (Salesforce encryption keys) using Salesforce Sobject Query Language (SSQL).\n\n#### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `query` or `search`.\n* `secret_id`: The response of `configuration` operation\n* `query`: SSQL query\n* `tooling`:\n* `sandbox`: Indicates whether to use the test or production tenant.\n\n#### Example\n\nInput JSON\n```\n{\n\"operation\": \"search\",\n\"secret_id\": \"3968218b-72c3-4ada-922a-8a917323f27d\",\n\"query\" : \"select Id, Status, Version from TenantSecret where Type = `Data`\",\n\"tooling\" : false,\n\"sandbox\" : false\n}\n```\nOutput JSON\n```\n{\n\"done\": true,\n\"totalSize\": 5,\n\"records\": [\n{\n\"attributes\": {\n\"type\": \"TenantSecret\",\n\"url\": \"/services/data/v50.0/sobjects/TenantSecret/02G..........O\"\n},\n\"Status\": \"ARCHIVED\",\n\"Id\": \"02G.............D\",\n\"Version\": 3\n},\n{\n\"Version\": 1,\n\"attributes\": {\n\"url\": \"/services/data/v50.0/sobjects/TenantSecret/02G...........W\",\n\"type\": \"TenantSecret\"\n},\n\"Id\": \"02G...........W\",\n\"Status\": \"ARCHIVED\"\n},\n{\n\"Version\": 2,\n\"Id\": \"02G..........O\",\n\"attributes\": {\n\"type\": \"TenantSecret\",\n\"url\": \"/services/data/v50.0/sobjects/TenantSecret/02G............O\"\n},\n\"Status\": \"ARCHIVED\"\n},\n{\n\"Id\": \"02G...........4\",\n\"attributes\": {\n\"url\": \"/services/data/v50.0/sobjects/TenantSecret/02G...........4\",\n\"type\": \"TenantSecret\"\n},\n\"Version\": 4,\n\"Status\": \"DESTROYED\"\n},\n{\n\"attributes\": {\n\"type\": \"TenantSecret\",\n\"url\": \"/services/data/v50.0/sobjects/TenantSecret/02G............O\"\n},\n\"Id\": \"02G..........O\",\n\"Version\": 5,\n\"Status\": \"ACTIVE\"\n}\n]\n}\n```\n\n### Upload operation\n\nThis operation allows you to create key material in Fortanix Self-Defending KMS and upload it to Salesforce.\n\n#### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `upload`.\n* `secret_id`: The response of `configuration` operation\n* `wrapper`: Name of the wrapping certificate in Salesforce\n* `type`: Valid values are `Data|EventBus|SearchIndex`\n* `mode`: Key derivation mode. It can be blank, which defaults to \u201cPBKDF2\u201d, or can also be \"NONE\" to disable key derivation in Salesforce.\n* `name`: Prefix of the name\n* `sandbox`: Indicates whether to use the test or production tenant.\n\n#### Example\n\nInput JSON\n```\n{\n\"operation\": \"upload\",\n\"secret_id\": \"3968218b-72c3-4ada-922a-8a917323f27d\",\n\"wrapper\" : \"SFBYOK_FTX_Wrapper\",\n\"type\" : \"Data\",\n\"mode\" : \"\",\n\"name\" : \"Salesforce Data Key\",\n\"sandbox\" : false\n}\n```\nOutput JSON\n```\n{\n\"obj_type\": \"AES\",\n\"custom_metadata\": {\n\"SF_HASH\": \"ESP.......................=\",\n\"SF_UPLOAD\": \"EDF.....................=\",\n\"SF_WRAPPER\": \"SFBYOK_FTX_Wrapper\",\n\"SF_MODE\": \"\",\n\"SF_KID\": \"02G...........O\",\n\"SF_TYPE\": \"Data\"\n},\n\"acct_id\": \"ec9...................7\",\n\"creator\": {\n\"plugin\": \"654....................1\"\n},\n\"public_only\": false,\n\"origin\": \"Transient\",\n\"kid\": \"bb7................3\",\n\"lastused_at\": \"19700101T000000Z\",\n\"activation_date\": \"20201229T185549Z\",\n\"key_size\": 256,\n\"kcv\": \"b5...9\",\n\"name\": \"Salesforce Data Key 20201229T185546Z\",\n\"state\": \"Active\",\n\"enabled\": true,\n\"key_ops\": [\n\"EXPORT\"\n],\n\"compliant_with_policies\": true,\n\"created_at\": \"20201229T185549Z\",\n\"aes\": {\n\"tag_length\": null,\n\"key_sizes\": null,\n\"random_iv\": null,\n\"fpe\": null,\n\"iv_length\": null,\n\"cipher_mode\": null\n},\n\"never_exportable\": false,\n\"group_id\": \"ff2..............b\"\n}\n```\n\n### Status operation\n\nThis operation allows you to obtain the current status of a Salesforce key.\n\n#### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `status`.\n* `secret_id`: The response of `configuration` operation\n* `wrapper`: Name of the wrapping certificate in Salesforce\n* `name`: Name of the corresponding sobject in Fortanix Self-Defending KMS\n* `sandbox`: Indicates whether to use the test or production tenant.\n\n#### Example\n\nInput JSON\n```\n{\n\"operation\" : \"status\",\n\"secret_id\": \"3968218b-72c3-4ada-922a-8a917323f27d\",\n\"wrapper\" : \"SFBYOK_FTX_Wrapper\",\n\"name\" : \"Salesforce Data Key 20201229T185546Z\",\n\"sandbox\" : false\n}\n```\nOutput JSON\n```\n{\n\"RemoteKeyIdentifier\": null,\n\"CreatedDate\": \"2020-12-29T18:55:49.000+0000\",\n\"SecretValueHash\": \"ESP........................=\",\n\"CreatedById\": \"005..........2\",\n\"KeyDerivationMode\": \"PBKDF2\",\n\"attributes\": {\n\"url\": \"/services/data/v50.0/sobjects/TenantSecret/02G..........O\",\n\"type\": \"TenantSecret\"\n},\n\"LastModifiedDate\": \"2020-12-29T18:55:49.000+0000\",\n\"IsDeleted\": false,\n\"SecretValue\": \"CgM.............................=\",\n\"SecretValueCertificate\": null,\n\"Type\": \"Data\",\n\"RemoteKeyServiceId\": null,\n\"Version\": 6,\n\"Id\": \"02G..........O\",\n\"Status\": \"ACTIVE\",\n\"SystemModstamp\": \"2020-12-29T18:55:49.000+0000\",\n\"RemoteKeyCertificate\": null,\n\"Source\": \"UPLOADED\",\n\"Description\": \"Salesforce Data Key 20201229T185546Z\",\n\"LastModifiedById\": \"005............2\"\n}\n```\n\n### Sync operation\n\nThis operation allows you to sync the Fortanix Self-Defending KMS key object with the Salesforce key.\n\n#### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `sync`.\n* `secret_id`: The response of `configuration` operation\n* `wrapper`: Name of the wrapping certificate in Salesforce\n* `name`: Name of the corresponding sobject in Fortanix Self-Defending KMS\n* `sandbox`: Indicates whether to use the test or production tenant.\n\n#### Example\n\nInput JSON\n```\n{\n\"operation\" : \"sync\",\n\"secret_id\": \"3968218b-72c3-4ada-922a-8a917323f27d\",\n\"wrapper\" : \"SFBYOK_FTX_Wrapper\",\n\"name\" : \"Salesforce Data Key 20201229T185546Z\",\n\"sandbox\" : false\n}\n```\nOutput JSON\n```\n{\n\"RemoteKeyCertificate\": null,\n\"IsDeleted\": false,\n\"CreatedById\": \"005..............2\",\n\"Status\": \"ACTIVE\",\n\"Type\": \"Data\",\n\"LastModifiedById\": \"005............2\",\n\"CreatedDate\": \"2020-12-29T18:55:49.000+0000\",\n\"SystemModstamp\": \"2020-12-29T18:55:49.000+0000\",\n\"Source\": \"UPLOADED\",\n\"SecretValueHash\": \"ESP.................c\",\n\"LastModifiedDate\": \"2020-12-29T18:55:49.000+0000\",\n\"Version\": 6,\n\"RemoteKeyServiceId\": null,\n\"RemoteKeyIdentifier\": null,\n\"attributes\": {\n\"type\": \"TenantSecret\",\n\"url\": \"/services/data/v50.0/sobjects/TenantSecret/02G............O\"\n},\n\"KeyDerivationMode\": \"PBKDF2\",\n\"Id\": \"02G...........O\",\n\"SecretValueCertificate\": null,\n\"Description\": \"Salesforce Data Key 20201229T185546Z\",\n\"SecretValue\": \"CgM........................M\"\n}\n```\n\n### Destroy operation\n\nThis operation allows you to destroy an archived Salesforce key.\n\n#### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `destroy`.\n* `secret_id`: The response of the `configuration` operation\n* `wrapper`: Name of the wrapping certificate in Salesforce\n* `name`: Name of the corresponding sobject in Fortanix Self-Defending KMS\n* `sandbox`: Whether to use the test or the production tenant.\n\n### Example\n\nInput JSON\n```\n{\n\"operation\" : \"destroy\",\n\"secret_id\": \"3968218b-72c3-4ada-922a-8a917323f27d\",\n\"wrapper\" : \"SFBYOK_FTX_Wrapper\",\n\"name\" : \"Salesforce Data Key 20201229T185546Z\",\n\"sandbox\" : false\n}\n```\nOutput\n\nThe output is empty; the HTTP status indicates success.\n\n### Restore operation\n\nThis operation restores a destroyed Salesforce key.\n\n### Parameters\n\n* `operation`: The operation which you want to perform. A valid value is `restore`.\n* `secret_id`: The response of the `configuration` operation\n* `wrapper`: Name of the wrapping certificate in Salesforce\n* `name`: Name of the corresponding sobject in Fortanix Self-Defending KMS\n* `sandbox`: Whether to use the test or the production tenant.\n\n### Example\n\nInput JSON\n```\n{\n\"operation\" : \"restore\",\n\"secret_id\": \"3968218b-72c3-4ada-922a-8a917323f27d\",\n\"wrapper\" : \"SFBYOK_FTX_Wrapper\",\n\"name\" : \"Salesforce Data Key 20201229T185546Z\",\n\"sandbox\" : false\n}\n```\nOutput\n\nThe output is empty; the HTTP status indicates success.\n\n### Release Notes\n- Initial release",
"commit": "b24b091197e704fd06c25c5f29611bb1c598ad63"
}
}
},
{
"name": "Google Cloud BYOK",
"versions": {
"1.0": {
"path": "gcp/plugin.lua",
"description": "## Short Description\nThis plugin implements the Bring Your Own Key (BYOK) model for Google Cloud. Using this plugin you can keep your key inside Fortanix Self-Defending KMS and use the BYOK features of Google Cloud KMS.\n## Introduction\nCloud services provide many advantages, but the major disadvantage of cloud providers has been security, because your data physically resides with the cloud provider. To keep data secure in a cloud provider environment, enterprises use encryption, so securing their encryption keys becomes significantly important. Bring Your Own Key (BYOK) allows enterprises to encrypt their data and retain control and management of their encryption keys. This plugin provides an implementation of the Google Cloud BYOK model.\n## Requirement\nFortanix Self-Defending KMS Version >= 3.17.1330\n## Use cases\nThe plugin can be used to\n\n- Push Fortanix Self-Defending KMS key in Google Cloud KMS\n- List Fortanix Self-Defending KMS Google Cloud BYOK key\n- Rotate Fortanix Self-Defending KMS Google Cloud BYOK key\n- Disable Google Cloud BYOK key from Fortanix Self-Defending KMS\n- Enable Google Cloud BYOK key from Fortanix Self-Defending KMS\n- Delete Google Cloud BYOK key from Fortanix Self-Defending KMS\n- Reimport key material from Fortanix Self-Defending KMS to Google Cloud CMK\n\n## Setup\n\n- Log in to the Google Cloud portal\n- Create a Google Cloud KMS service account and secret key\n- Create a Google Cloud IAM role for Cloud KMS Admin\n- Attach the IAM role to the service account\n\n## Input/Output JSON object format\n\n### Configure operation\n\nThis operation configures the Google Cloud service account secret key in Fortanix Self-Defending KMS and returns a UUID. You need to pass this UUID for other operations. This is a one-time process.\n\n#### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `configure`.\n* `secret_key`: Google Cloud secret key containing the `type`, `project_id`, `client_email` and `private_key` fields\n\n#### Example\n\nInput JSON\n```\n{\n\"operation\": \"configure\",\n\"location\": \"us-east1\",\n\"key_ring\": \"gcp-keyring\",\n\"secret_key\": {\n\"type\": \"service_account\",\n\"project_id\": \"project-id-102203\",\n\"client_email\": \"sdkms-byok@project-id-102203.iam.gserviceaccount.com\",\n\"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEvAIBADANBgkggSiAgEAAdIk2bywgHRaKg==\\n-----END PRIVATE KEY-----\\n\"\n}\n}\n```\nOutput JSON\n```\n{\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\n### Create operation\n\nThis operation will create an AES-256 key in Fortanix Self-Defending KMS and import it into Google Cloud KMS.\n\n#### Parameters\n\n* `operation`: The operation which you want to perform. A valid value is `create`.\n* `name`: Name of the key\n* `secret_id`: The response of the `configuration` operation.\n* `location`: Optional. Region or location. Example: global or us-east1.\n* `key_ring`: Optional. Name of the Google Cloud KMS key ring.\n* `disable_previous`: true|false. 
Whether to disable the previous key version.\n\n#### Example\n\nInput JSON\n\n```\n{\n\"operation\": \"create\",\n\"name\": \"test-key\",\n\"secret_id\": \"e84f0b8c-485b-499c-87d5-d583f8716144\",\n\"labels\": { \"source\": \"fortanix-byok\" }\n}\n```\n\nOutput JSON\n```\n{\n\"creator\": {\n\"plugin\": \"37d99d30-85cc-43fb-aa03-b12d25def766\"\n},\n\"kid\": \"c48db54f-075e-4500-9900-715eb74c5349\",\n\"acct_id\": \"0491fa2d-0c59-4daf-b293-8859c7d491d0\",\n\"custom_metadata\": {\n\"GCP_KEY_ID\": \"projects/fortanix/locations/us-east1/keyRings/gcp-keyring/cryptoKeys/test-key\",\n\"GCP_CREATED\": \"2020-09-21T20:58:15.849005292Z\",\n\"GCP_KEY_VERSION\": \"projects/fortanix/locations/us-east1/keyRings/gcp-keyring/cryptoKeys/test-key/cryptoKeyVersions/1\",\n\"GCP_UPDATED\": \"2020-09-21T20:52:12.282941162Z\"\n},\n\"aes\": {\n\"random_iv\": null,\n\"key_sizes\": null,\n\"cipher_mode\": null,\n\"fpe\": null,\n\"iv_length\": null,\n\"tag_length\": null\n},\n\"kcv\": \"a90519\",\n\"activation_date\": \"20200921T215621Z\",\n\"key_size\": 256,\n\"key_ops\": [\n\"ENCRYPT\",\n\"DECRYPT\",\n\"EXPORT\",\n\"APPMANAGEABLE\"\n],\n\"group_id\": \"0f1ffedd-9a23-4dc8-9a47-952e50bb1b71\",\n\"lastused_at\": \"19700101T000000Z\",\n\"never_exportable\": false,\n\"obj_type\": \"AES\",\n\"enabled\": true,\n\"compliant_with_policies\": true,\n\"origin\": \"FortanixHSM\",\n\"name\": \"test-key\",\n\"created_at\": \"20200921T215621Z\",\n\"public_only\": false,\n\"state\": \"Active\"\n}\n```\n\n### List operation\n\nThis operation will list all the BYOK keys from a Google Cloud KMS key ring.\n\n#### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `list`.\n* `secret_id`: The response of the `configuration` operation.\n\n#### Example\n\nInput JSON\n```\n{\n\"operation\": \"list\",\n\"secret_id\": \"e84f0b8c-485b-499c-87d5-d583f8716144\"\n}\n```\n\nOutput JSON\n```\n{\n\"cryptoKeys\": [\n{\n\"createTime\": \"2020-09-21T02:26:48.718637503Z\",\n\"versionTemplate\": {\n\"protectionLevel\": \"SOFTWARE\",\n\"algorithm\": \"GOOGLE_SYMMETRIC_ENCRYPTION\"\n},\n\"purpose\": \"ENCRYPT_DECRYPT\",\n\"name\": \"projects/fortanix/locations/us-east1/keyRings/gcp-keyring/cryptoKeys/Fortanix-GCP-BYOKey\",\n\"labels\": {\n\"source\": \"fortanix-byok\"\n}\n},\n{\n\"labels\": {\n\"source\": \"fortanix-byok\"\n},\n\"createTime\": \"2020-09-21T20:58:15.849005292Z\",\n\"primary\": {\n\"importTime\": \"2020-09-21T21:20:25.960522434Z\",\n\"protectionLevel\": \"SOFTWARE\",\n\"importJob\": \"projects/fortanix/locations/us-east1/keyRings/gcp-keyring/importJobs/byok-ftx-plugin-1600721534\",\n\"state\": \"ENABLED\",\n\"name\": \"projects/fortanix/locations/us-east1/keyRings/gcp-keyring/cryptoKeys/test-key/cryptoKeyVersions/4\",\n\"createTime\": \"2020-09-21T21:20:25.935360774Z\",\n\"algorithm\": \"GOOGLE_SYMMETRIC_ENCRYPTION\"\n},\n\"name\": \"projects/fortanix/locations/us-east1/keyRings/gcp-keyring/cryptoKeys/test-key\",\n\"purpose\": \"ENCRYPT_DECRYPT\",\n\"versionTemplate\": {\n\"algorithm\": \"GOOGLE_SYMMETRIC_ENCRYPTION\",\n\"protectionLevel\": \"SOFTWARE\"\n}\n}\n],\n\"totalSize\": 2\n}\n```\n\n### Get operation\n\nThis operation will retrieve a specific BYOK key from Google Cloud KMS.\n\n#### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `get`.\n* `secret_id`: The response of the `configuration` operation.\n* `name`: Name of the key\n\n#### Example\n\nInput JSON\n```\n{\n\"operation\": \"get\",\n\"secret_id\": \"e84f0b8c-485b-499c-87d5-d583f8716144\",\n\"name\": \"test-key\"\n}\n```\n\nOutput JSON\n```\n{\n\"primary\": {\n\"protectionLevel\": \"SOFTWARE\",\n\"importTime\": \"2020-09-21T21:20:25.960522434Z\",\n\"createTime\": \"2020-09-21T21:20:25.935360774Z\",\n\"algorithm\": \"GOOGLE_SYMMETRIC_ENCRYPTION\",\n\"name\": \"projects/fortanix/locations/us-east1/keyRings/gcp-keyring/cryptoKeys/test-key/cryptoKeyVersions/4\",\n\"importJob\": \"projects/fortanix/locations/us-east1/keyRings/gcp-keyring/importJobs/byok-ftx-plugin-1600721534\",\n\"state\": \"ENABLED\"\n},\n\"labels\": {\n\"source\": \"fortanix-byok\"\n},\n\"createTime\": \"2020-09-21T20:58:15.849005292Z\",\n\"purpose\": \"ENCRYPT_DECRYPT\",\n\"versionTemplate\": {\n\"algorithm\": \"GOOGLE_SYMMETRIC_ENCRYPTION\",\n\"protectionLevel\": \"SOFTWARE\"\n},\n\"name\": \"projects/fortanix/locations/us-east1/keyRings/gcp-keyring/cryptoKeys/test-key\"\n}\n```\n\n### Rotate operation\n\nThis operation will rotate a key in Fortanix Self-Defending KMS as well as in Google Cloud KMS.\n\n#### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `rotate`.\n* `secret_id`: The response of the `configuration` operation.\n* `name`: Name of the key\n\n#### Example\n\nInput JSON\n```\n{\n\"operation\": \"rotate\",\n\"secret_id\": \"e84f0b8c-485b-499c-87d5-d583f8716144\",\n\"name\": \"test-key\"\n}\n```\n\nOutput JSON\n```\n{\n\"creator\": {\n\"plugin\": \"37d99d30-85cc-43fb-aa03-b12d25def766\"\n},\n\"kid\": \"c48db54f-075e-4500-9900-715eb74c5349\",\n\"acct_id\": \"0491fa2d-0c59-4daf-b293-8859c7d491d0\",\n\"custom_metadata\": {\n\"GCP_KEY_ID\": \"projects/fortanix/locations/us-east1/keyRings/gcp-keyring/cryptoKeys/test-key\",\n\"GCP_CREATED\": \"2020-09-21T20:58:15.849005292Z\",\n\"GCP_KEY_VERSION\": \"projects/fortanix/locations/us-east1/keyRings/gcp-keyring/cryptoKeys/test-key/cryptoKeyVersions/2\",\n\"GCP_UPDATED\": \"2020-09-21T21:56:22.663641162Z\"\n},\n\"aes\": {\n\"random_iv\": null,\n\"key_sizes\": null,\n\"cipher_mode\": null,\n\"fpe\": null,\n\"iv_length\": null,\n\"tag_length\": null\n},\n\"kcv\": \"a90519\",\n\"activation_date\": \"20200921T215621Z\",\n\"key_size\": 256,\n\"key_ops\": [\n\"ENCRYPT\",\n\"DECRYPT\",\n\"EXPORT\",\n\"APPMANAGEABLE\"\n],\n\"group_id\": \"0f1ffedd-9a23-4dc8-9a47-952e50bb1b71\",\n\"lastused_at\": \"19700101T000000Z\",\n\"never_exportable\": false,\n\"obj_type\": \"AES\",\n\"enabled\": true,\n\"compliant_with_policies\": true,\n\"origin\": \"FortanixHSM\",\n\"name\": \"test-key\",\n\"created_at\": \"20200921T215621Z\",\n\"public_only\": false,\n\"state\": \"Active\"\n}\n```\n\n### Disable operation\n\nThis operation will disable a Google Cloud KMS key.\n\n#### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `disable`.\n* `secret_id`: The response of the `configuration` operation.\n* `name`: Name of the key\n\n#### Example\n\nInput JSON\n```\n{\n\"operation\": \"disable\",\n\"secret_id\": \"e84f0b8c-485b-499c-87d5-d583f8716144\",\n\"name\": \"test-key\"\n}\n```\n\nOutput JSON\n```\n{\n\"protectionLevel\": \"SOFTWARE\",\n\"algorithm\": \"GOOGLE_SYMMETRIC_ENCRYPTION\",\n\"createTime\": \"2020-09-21T21:20:25.935360774Z\",\n\"name\": \"projects/fortanix/locations/us-east1/keyRings/gcp-keyring/cryptoKeys/test-key/cryptoKeyVersions/4\",\n\"importJob\": \"projects/fortanix/locations/us-east1/keyRings/gcp-keyring/importJobs/byok-ftx-plugin-1600721534\",\n\"importTime\": \"2020-09-21T21:20:25.960522434Z\",\n\"state\": \"DISABLED\"\n}\n```\n\n### Enable operation\n\nThis operation will enable a Google Cloud KMS key that is disabled.\n\n#### Parameters\n\n* `operation`: The operation which you want to perform. A valid value is `enable`.\n* `secret_id`: The response of the `configuration` operation.\n* `name`: Name of the key\n\n#### Example\n\nInput JSON\n```\n{\n\"operation\": \"enable\",\n\"secret_id\": \"e84f0b8c-485b-499c-87d5-d583f8716144\",\n\"name\": \"test-key\"\n}\n```\n\nOutput JSON\n```\n{\n\"importJob\": \"projects/fortanix/locations/us-east1/keyRings/gcp-keyring/importJobs/byok-ftx-plugin-1600721534\",\n\"protectionLevel\": \"SOFTWARE\",\n\"importTime\": \"2020-09-21T21:20:25.960522434Z\",\n\"name\": \"projects/fortanix/locations/us-east1/keyRings/gcp-keyring/cryptoKeys/test-key/cryptoKeyVersions/4\",\n\"algorithm\": \"GOOGLE_SYMMETRIC_ENCRYPTION\",\n\"createTime\": \"2020-09-21T21:20:25.935360774Z\",\n\"state\": \"ENABLED\"\n}\n```\n### Release Notes\n- Initial Release",
"commit": "b24b091197e704fd06c25c5f29611bb1c598ad63"
}
}
},
{
"name": "Self-Defending KMS-Azure Bring Your Own Key (BYOK) Managed HSM",
"versions": {
"1.0": {
"path": "azure-managed/plugin.lua",
"description": "## Short Description\nThis plugin implements the Bring Your Own Key (BYOK) HSM model for Azure cloud. Using this plugin you can keep your key inside Fortanix Self-Defending KMS and use the BYOK features of Azure key vault.\n\n## Introduction\nCloud services provide many advantages, but the major disadvantage of cloud providers has been security, because your data physically resides with the cloud provider. To keep data secure in a cloud provider environment, enterprises use encryption, so securing their encryption keys becomes significantly important. Bring Your Own Key (BYOK) allows enterprises to encrypt their data and retain control and management of their encryption keys. This plugin provides an implementation of the Azure cloud BYOK model.\n\n## Requirement\n\n- Fortanix Self-Defending KMS Version >= 3.17.1330\n\n## Use cases\n\nThe plugin can be used to\n\n- Push Fortanix Self-Defending KMS key in Azure HSM key vault\n- List Azure BYOK key\n- Delete key in Fortanix Self-Defending KMS and corresponding key in Azure key vault\n\n## Setup\n\n- Log in to https://portal.azure.com/\n- Register an app in Azure cloud (note down the Application (client) ID, Directory (tenant) ID, and client secret of this app). This information is configured in Fortanix Self-Defending KMS by the `configure` operation.\n- Create a premium Azure key vault\n- Add the above app to the `Access Policy` of the key vault\n- Create a KEK key in the Azure key vault\n\n```\naz keyvault key create --kty RSA-HSM --size 2048 --name <KEY-NAME> --ops import --vault-name <KEY-VAULT-NAME>\n```\n\n## Input/Output JSON object format\n\n### Configure operation\n\nThis operation configures the Azure app credential in Fortanix Self-Defending KMS and returns a UUID. You need to pass this UUID for other operations. This is a one-time process.\n\n### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `configure`.\n* `tenant_id`: Azure tenant ID\n* `client_id`: Azure app ID or client ID\n* `client_secret`: Azure app secret\n\n### Example\n\nInput JSON\n```\n{\n\"operation\": \"configure\",\n\"tenant_id\": \"de7becae...88ae6\",\n\"client_id\": \"f8d7741...6abb6\",\n\"client_secret\": \"SvU...5\"\n}\n```\n\nOutput JSON\n```\n{\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\n### Create operation\n\nThis operation will create an RSA key in Fortanix Self-Defending KMS and import it into the Azure key vault.\n\n### Parameters\n\n* `operation`: The operation which you want to perform. A valid value is `create`.\n* `key_name`: Name of the key\n* `key_type`: Can be AES or RSA\n* `key_size`: The size of the key desired\n* `key_vault`: Azure key vault name\n* `kek_key_kid`: Azure Key Exchange Key (KEK) ID\n* `secret_id`: The response of the `configuration` operation.\n\n### Example\n\nInput JSON\n```\n{\n\"operation\": \"create\",\n\"key_name\": \"test-key\",\n\"key_type\": \"RSA\",\n\"key_size\": 2048,\n\"key_vault\": \"test-hsm-keyvault\",\n\"kek_key_kid\": \"https://test-hsm-keyvault.vault.azure.net/keys/test-kek-key/0ffc59a57f664b9fbde6455bd0ed5dd5\",\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\nOutput JSON\n```\n{\n\"result\": {\n\"key\": {\n\"n\": \"5FshKQ_5peJfFcer18EylSxbK94UErV0we_Z-v2EsTjcH_HZBWAUbAF0QJ_q0Qzy6nHA-u0DkAf63YTe3BhuUEU80Qek_pmZjfek4rgE53eSbrEqH7bYVxUEKSye3J_7oR-MMs4YkNqvyenBuLSv7QXZIcPu17zsNhIQrsv0MBdwV_QlewW9QQUeTPLbHUBV7m-r1gdffiINoRcGY9QvHb6dJphoOaNSzddUXm6Y21R7pwI2Lzo3MuEe2nwtOC-z_MW8jdsDNYxua4CipiGOe2Cqqg_wXsZcjpefzYqSGky2y3j7OoG1uHsafRqWatWTj_CHUPr-oII_r2_sGcxBrw\",\n\"key_ops\": [\n\"encrypt\",\n\"decrypt\",\n\"sign\",\n\"verify\",\n\"wrapKey\",\n\"unwrapKey\"\n],\n\"e\": \"AAEAAQ\",\n\"kty\": \"RSA-HSM\",\n\"kid\": \"https://test-hsm-keyvault.vault.azure.net/keys/test-key/21dc7692b9184c1ba8e643db8b142356\"\n},\n\"attributes\": {\n\"recoveryLevel\": \"Recoverable+Purgeable\",\n\"enabled\": true,\n\"updated\": 
1593584773,\n\"created\": 1593584773\n}\n}\n```\n\n### List Key operation\n\nThis operation will list all the BYOK keys from Azure.\n\n### Parameters\n\n* `operation`: The operation which you want to perform. A valid value is `list`.\n* `key_name`: Name of the key\n* `key_vault`: Azure key vault name\n* `secret_id`: The response of the `configuration` operation.\n\n### Example\n\nInput JSON\n```\n{\n\"operation\": \"list\",\n\"key_vault\": \"test-hsm-keyvault\",\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\nOutput JSON\n```\n{\n\"result\": {\n\"value\": [\n{\n\"attributes\": {\n\"recoveryLevel\": \"Recoverable+Purgeable\",\n\"enabled\": true,\n\"updated\": 1593587162,\n\"created\": 1593587161,\n\"exp\": 1596240000\n},\n\"kid\": \"https://test-hsm-keyvault.vault.azure.net/keys/test-key\",\n\"tags\": {\n\"KMS\": \"SDKMS\",\n\"KeyType\": \"BYOK\"\n}\n}\n],\n\"nextLink\": null\n}\n}\n```\n\n### Delete Key operation\n\nThis operation will delete a key in Fortanix Self-Defending KMS as well as in the Azure key vault.\n\n### Parameters\n\n* `operation`: The operation which you want to perform. 
A valid value is `delete`.\n* `key_name`: Name of the key\n* `key_vault`: Azure key vault name\n* `secret_id`: The response of the `configuration` operation.\n\n### Example\n\nInput JSON\n```\n{\n\"operation\": \"delete\",\n\"key_name\": \"test-key\",\n\"key_vault\": \"test-hsm-keyvault\",\n\"secret_id\": \"90cc4fdf-db92-4c52-83a5-ffaec726b224\"\n}\n```\n\nOutput JSON\n```\n{\n\"result\": {\n\"scheduledPurgeDate\": 1601363625,\n\"tags\": {\n\"KMS\": \"SDKMS\",\n\"KeyType\": \"BYOK\"\n},\n\"deletedDate\": 1593587625,\n\"key\": {\n\"kid\": \"https://test-hsm-keyvault.vault.azure.net/keys/test-key/e71e5af81eaa4cbd85674d8b7a76d065\",\n\"n\": \"AL2b7tdZzZugFJI3mRS39h_6x9hh4XKJ3W3UrbwFtA9bZ7kEfGWIyE1IJWQX5KGkW26WkYiAABvx1bU4J7lO1TFkVjvHYRr5cC5eAySBGC1yaxrZ-3SguE7R33EF54ja3doeqapnkCM6GK2RuhIsT4Spz3cm9P0dfknz3DapON-7\",\n\"kty\": \"RSA\",\n\"e\": \"AQAB\",\n\"key_ops\": [\n\"encrypt\",\n\"decrypt\",\n\"sign\",\n\"verify\",\n\"wrapKey\",\n\"unwrapKey\"\n]\n},\n\"attributes\": {\n\"enabled\": true,\n\"recoveryLevel\": \"Recoverable+Purgeable\",\n\"created\": 1593587492,\n\"updated\": 1593587492\n},\n\"recoveryId\": \"https://test-hsm-keyvault.vault.azure.net/deletedkeys/test-key\"\n}\n}\n```\n\n## References\n- [Azure HSM BYOK](https://docs.microsoft.com/en-us/azure/key-vault/keys/hsm-protected-keys)\n\n### Release Notes\n- Initial release",
"commit": "b24b091197e704fd06c25c5f29611bb1c598ad63"
}
}
}
]