To use Customer Supplied Encryption Keys, follow the general instructions on using RSA wrapping keys.
[TOC]
This is the symmetric key that will be used as the CSEK.
ckms sym keys create --number-of-bits 256 CSEK_Sym_Key
The symmetric key was successfully generated.
Unique identifier: CSEK_Sym_Key
Download the certificate
curl https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem > test_data/cse/google-cloud-csek-ingress.pem
Name it google_csek on import.
ckms certificates import --format pem test_data/cse/google-cloud-csek-ingress.pem google_csek
The certificate in the PEM file was successfully imported!
Unique identifier: google_csek
The key must be wrapped using CKM_RSA_PKCS_OAEP with a SHA1 digest.
The export function will automatically recover the wrapping public key from the certificate and perform the key wrapping.
ckms rsa keys export --key-id CSEK_Sym_Key --wrap-key-id google_csek \
--wrapping-algorithm rsa-oaep-sha1 --key-format raw wrapped_key.bin
The key CSEK_Sym_Key of type SymmetricKey was exported to "wrapped_key.bin"
Unique identifier: CSEK_Sym_Key
Note 1: Make sure you use rsa-oaep-sha1 to force the SHA1 digest.
Note 2: The wrapped key should be 2048 bits (256 bytes) long.
cat wrapped_key.bin | base64
BtE+r06qy4isyfMR29n5uGSPj1qbOQTA42nxVJ...Hw==
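
The two notes above can be checked locally with OpenSSL. This is an added example, not part of the original instructions or of the ckms tooling. It assumes a throwaway 2048-bit key pair, constructed in the script, in place of the Google certificate, and its function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: RSA-OAEP (SHA-1) wrap/unwrap round trip with OpenSSL.
# Assumption: a throwaway 2048-bit key pair (constructed here) stands in for
# the public key of google-cloud-csek-ingress.pem; only Google holds that private key.

# wrap_oaep_sha1 <public_key.pem> <raw_key_file> <wrapped_out>
wrap_oaep_sha1() {
  openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1
}

# unwrap_oaep_sha1 <private_key.pem> <wrapped_file> <raw_out>
unwrap_oaep_sha1() {
  openssl pkeyutl -decrypt -inkey "$1" -in "$2" -out "$3" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1
}

# check_wrapped_len <file>: succeeds only for exactly 256 bytes (Note 2).
check_wrapped_len() {
  [ "$(wc -c < "$1" | tr -d ' ')" -eq 256 ]
}

# csek_roundtrip: prints "ok" when a 32-byte key wraps to 256 bytes, unwraps to
# the same bytes, and an unwrap attempt with a SHA-256 OAEP digest is rejected.
csek_roundtrip() (
  dir=$(mktemp -d) || exit 1
  trap 'rm -rf "$dir"' EXIT
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/priv.pem" 2>/dev/null &&
  openssl pkey -in "$dir/priv.pem" -pubout -out "$dir/pub.pem" &&
  openssl rand -out "$dir/csek.bin" 32 &&   # constructed 256-bit key
  wrap_oaep_sha1 "$dir/pub.pem" "$dir/csek.bin" "$dir/wrapped.bin" &&
  check_wrapped_len "$dir/wrapped.bin" &&
  unwrap_oaep_sha1 "$dir/priv.pem" "$dir/wrapped.bin" "$dir/out.bin" &&
  cmp -s "$dir/csek.bin" "$dir/out.bin" || exit 1
  # Digest mismatch (Note 1): the SHA-1 wrapped blob must not unwrap as SHA-256.
  if openssl pkeyutl -decrypt -inkey "$dir/priv.pem" -in "$dir/wrapped.bin" \
       -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
       >/dev/null 2>&1; then exit 1; fi
  echo ok
)

csek_roundtrip
```

Running `check_wrapped_len wrapped_key.bin` on the exported file confirms Note 2 before the base64 value is used.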