# CSEK (Customer Supplied Encryption Keys)

To use Customer Supplied Encryption Keys, follow the general instructions on using RSA wrapping keys:

- Generate a symmetric key in Cosmian KMS
- Download the Google CSEK Certificate and extract the RSA wrapping key
- Import the certificates in Cosmian KMS
- Export the wrapped CSEK Symmetric Key
- Convert the wrapped CSEK Symmetric Key to base64

## Generate a symmetric key in Cosmian KMS

This is the symmetric key that will be used as the CSEK.

```shell
cosmian kms sym keys create --number-of-bits 256 CSEK_Sym_Key
```

```
The symmetric key was successfully generated.
Unique identifier: CSEK_Sym_Key
```

## Download the Google CSEK Certificate and extract the RSA wrapping key

Download the certificate:

```shell
curl https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem > test_data/cse/google-cloud-csek-ingress.pem
```

## Import the certificates in Cosmian KMS

Name it `google_csek` on import.

```shell
cosmian kms certificates import --format pem test_data/cse/google-cloud-csek-ingress.pem google_csek
```

```
The certificate in the PEM file was successfully imported!
Unique identifier: google_csek
```

## Export the wrapped CSEK Symmetric Key

The key must be wrapped using CKM_RSA_PKCS_OAEP with a SHA1 digest.
The export function automatically recovers the wrapping public key from the certificate and performs the key wrapping.

```shell
cosmian kms rsa keys export --key-id CSEK_Sym_Key --wrap-key-id google_csek \
    --wrapping-algorithm rsa-oaep-sha1 --key-format raw wrapped_key.bin
```

```
The key CSEK_Sym_Key of type SymmetricKey was exported to "wrapped_key.bin"
Unique identifier: CSEK_Sym_Key
```

Note 1: Make sure you use `rsa-oaep-sha1` to force the SHA1 digest.

Note 2: The wrapped key should be 2048 bits (256 bytes) long.
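The last step of the list at the top, converting the wrapped key to base64 for Google, is not shown above. The POSIX shell helpers below are an added example, not Cosmian's or Google's code: they check that `wrapped_key.bin` has the 256-byte length of a 2048-bit RSA-OAEP ciphertext (Note 2) before base64-encoding it into the single-line string that goes into the Compute Engine API's `rsaEncryptedKey` field, and they can report the RSA key size of the downloaded certificate with `openssl` so a mismatch is caught before any wrapping is attempted. The file names are the ones used on this page; the function names and the `EXPECTED_WRAPPED_LEN` constant are my own.

```shell
#!/bin/sh
# Added example (not part of the Cosmian documentation).
# Sanity-check and base64-encode the wrapped CSEK produced by
# `cosmian kms rsa keys export ... --key-format raw wrapped_key.bin`.

# A 2048-bit RSA modulus gives a 256-byte RSA-OAEP ciphertext (Note 2).
EXPECTED_WRAPPED_LEN=256

# check_wrapped_key FILE
# Returns 0 if FILE is exactly EXPECTED_WRAPPED_LEN bytes, 1 otherwise.
check_wrapped_key() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    # `wc -c` may pad with spaces on some platforms; strip them.
    len=$(wc -c < "$f" | tr -d ' ')
    if [ "$len" -ne "$EXPECTED_WRAPPED_LEN" ]; then
        echo "wrapped key is $len bytes, expected $EXPECTED_WRAPPED_LEN" \
             "(check --wrapping-algorithm rsa-oaep-sha1 and --key-format raw)" >&2
        return 1
    fi
    return 0
}

# wrapped_key_to_base64 FILE
# Prints the wrapped key as one base64 line (what Google's API expects),
# refusing to encode a file of the wrong length.
wrapped_key_to_base64() {
    check_wrapped_key "$1" || return 1
    # `base64 -w0` is GNU-only; stripping newlines with tr is portable.
    base64 < "$1" | tr -d '\n'
}

# wrapping_key_bits CERT_PEM
# Prints the RSA key size (in bits) of the certificate's public key, e.g. 2048.
# Requires openssl; works with both "RSA Public-Key: (2048 bit)" (1.1.x)
# and "Public-Key: (2048 bit)" (3.x) output formats.
wrapping_key_bits() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -noout -text \
        | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' \
        | head -n 1
}

# Usage, with the file names from this page:
#   wrapping_key_bits test_data/cse/google-cloud-csek-ingress.pem   # expect 2048
#   wrapped_key_to_base64 wrapped_key.bin > wrapped_key.b64
```

Running `wrapped_key_to_base64` on a correctly wrapped key yields a 344-character base64 string; a shorter or longer file (for example a raw 32-byte key that was exported without wrapping, or a key wrapped with a different digest or format) is rejected with an error naming the two export flags to re-check.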