Adding KEKs to the file

After you have generated your KEKs, encrypted or not, add them manually to the keks.json file.

The same file can include all types of KEKs: encrypted/not encrypted and symmetric/asymmetric.

Parameters of keks.json (those marked (Mandatory) must be present):

tenant_id: UUID v4 of your tenant, the same one you specified for the External key service. (Mandatory)

active_kek_id: ID of the active KEK, the one used to encrypt keys for symmetric encryption. (Mandatory)

keks: JSON object array containing the definitions of the non-encrypted KEKs for symmetric encryption.
   id: unique ID generated in UUID v4 format. (Mandatory)
   kek_b64: value of the KEK.

encrypted_keks: JSON object array containing the definitions of the MKEK-encrypted KEKs for symmetric encryption.
   id: unique ID generated in UUID v4 format. (Mandatory)
   encrypted_kek_b64: value of the encrypted KEK. It must have been produced with the aes-256-gcm encryption algorithm.
   crypto_material:
     • crypto_context: object containing the following fields, produced while encrypting the KEK with the MKEK:
       - iv: initialization vector
       - tag: authentication tag
     • encryption_algorithm: must be aes-256-gcm
     • m_kek_location: information about the location of the MKEK used to encrypt the KEK:
       - key_name: name of the environment variable containing the MKEK value
       - type: must be env

keys: JSON object array containing the definitions of the asymmetric KEKs used for KAS rewrap.
   kid: unique ID generated in UUID v4 format. (Mandatory)
   private: value of the private key (PEM format, base64-encoded). (Mandatory)
   public: value of the public key (PEM format, base64-encoded). (Mandatory)
   active: indicates whether the key is currently enabled. (Mandatory)

dke_keys: JSON object array containing the definitions of the asymmetric KEKs used for the DKE module.

Note that the server does not check at startup whether the public key matches the private key.

   kid: unique ID generated in UUID v4 format. (Mandatory)
   label: key display name. (Mandatory)
   created_at: date the key was created. (Mandatory)
   versions: object array containing the key versions. (Mandatory)
     • version_id: version identifier (UUID)
     • private: value of the private key in PEM format, base64-encoded, PKCS#8, RSA 2048
     • public: value of the public key in PEM format, base64-encoded, RSA 2048
     • created_at: timestamp (number)

Generate v4 UUIDs with any tool of your choice (e.g., UUID Generator).
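Because the server validates little at startup, it is worth checking a hand-edited keks.json before deploying it. The script below is an added example, not Stormshield code: it encodes the rules from the parameter table (UUID v4 identifiers, mandatory fields, aes-256-gcm, MKEK delivered through an environment variable) and one assumption that the page does not state explicitly, namely that active_kek_id must name an entry of keks or encrypted_keks. The embedded sample document reuses the UUIDs of the page's example; the KEK bytes, the PEM bodies and the variable name KMAAS_MKEK are placeholders.

```python
import base64
import uuid


def is_uuid4(value):
    """True if value parses as a UUID whose version nibble is 4."""
    try:
        return uuid.UUID(str(value)).version == 4
    except ValueError:
        return False


def is_b64(value):
    """True for a non-empty string that is canonical base64 (decodes and re-encodes unchanged)."""
    try:
        return bool(value) and base64.b64encode(base64.b64decode(value, validate=True)).decode() == value
    except (ValueError, TypeError):
        return False


def is_b64_pem(value):
    """True if value is base64 wrapping a PEM block (BEGIN and END markers present)."""
    text = base64.b64decode(value).decode("ascii", "replace") if is_b64(value) else ""
    return text.startswith("-----BEGIN ") and "-----END " in text


def check_tenant(t, env=None):
    """Problems in one tenant object; pass a mapping as env to also check that the MKEK variable is set."""
    p = []
    for f in ("tenant_id", "active_kek_id"):
        if not is_uuid4(t.get(f)):
            p.append(f"{f}: missing or not a UUID v4")
    kek_ids = set()
    for k in t.get("keks") or []:
        kek_ids.add(k.get("id"))
        if not is_uuid4(k.get("id")) or not is_b64(k.get("kek_b64")):
            p.append(f"keks[{k.get('id')}]: id must be a UUID v4 and kek_b64 base64")
    for k in t.get("encrypted_keks") or []:
        kid = k.get("id")
        kek_ids.add(kid)
        if not is_uuid4(kid) or not is_b64(k.get("encrypted_kek_b64")):
            p.append(f"encrypted_keks[{kid}]: id must be a UUID v4 and encrypted_kek_b64 base64")
        cm = k.get("crypto_material") or {}
        ctx = cm.get("crypto_context") or {}
        for part in ("iv", "tag"):
            if not is_b64(ctx.get(part)):
                p.append(f"encrypted_keks[{kid}]: crypto_context.{part} missing or not base64")
        if cm.get("encryption_algorithm") != "aes-256-gcm":
            p.append(f"encrypted_keks[{kid}]: encryption_algorithm must be aes-256-gcm")
        loc = cm.get("m_kek_location") or {}
        if loc.get("type") != "env" or not loc.get("key_name"):
            p.append(f"encrypted_keks[{kid}]: m_kek_location needs type env and a key_name")
        elif env is not None and loc["key_name"] not in env:
            p.append(f"encrypted_keks[{kid}]: MKEK variable {loc['key_name']} is not set")
    # Assumption (not stated on the page): the active KEK must be one of the KEKs defined above.
    if t.get("active_kek_id") not in kek_ids:
        p.append("active_kek_id matches no entry of keks or encrypted_keks")
    for k in t.get("keys") or []:
        kid = k.get("kid")
        if not is_uuid4(kid) or not isinstance(k.get("active"), bool):
            p.append(f"keys[{kid}]: kid must be a UUID v4 and active a boolean")
        if not (is_b64_pem(k.get("private")) and is_b64_pem(k.get("public"))):
            p.append(f"keys[{kid}]: private and public must be base64-encoded PEM")
    for k in t.get("dke_keys") or []:
        kid = k.get("kid")
        if not is_uuid4(kid) or not k.get("label") or not isinstance(k.get("created_at"), int):
            p.append(f"dke_keys[{kid}]: kid (UUID v4), label and created_at are mandatory")
        if not k.get("versions"):
            p.append(f"dke_keys[{kid}]: versions must not be empty")
        for v in k.get("versions") or []:
            vid = v.get("version_id")
            if not is_uuid4(vid) or not isinstance(v.get("created_at"), int):
                p.append(f"dke_keys[{kid}]/{vid}: version_id must be a UUID and created_at a number")
            if not (is_b64_pem(v.get("private")) and is_b64_pem(v.get("public"))):
                p.append(f"dke_keys[{kid}]/{vid}: private and public must be base64-encoded PEM")
    return p


def validate_keks(doc, env=None):
    """All problems in a parsed keks.json document; an empty list means it passed."""
    return [f"tenants[{i}]: {msg}" for i, t in enumerate(doc.get("tenants") or [])
            for msg in check_tenant(t, env)]


# Constructed sample: UUIDs reuse the page's example; KEK bytes, PEM bodies and the
# variable name KMAAS_MKEK are placeholders, not real key material.
def _b64(raw):
    return base64.b64encode(raw).decode()

PEM_PRIV = _b64(b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n")
PEM_PUB = _b64(b"-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----\n")
SAMPLE_DOC = {"tenants": [{
    "tenant_id": "3a5f06fe-bee2-444b-bf76-b5ead30327c0",
    "active_kek_id": "fd7e4c16-6199-40a3-9bce-3c82a9e31e66",
    "keks": [{"id": "fd7e2c15-6199-40a3-9bce-3c82a9e31e66", "kek_b64": _b64(b"\x01" * 32)}],
    "encrypted_keks": [{"id": "fd7e4c16-6199-40a3-9bce-3c82a9e31e66",
                        "encrypted_kek_b64": _b64(b"\x02" * 32),
                        "crypto_material": {"crypto_context": {"iv": _b64(b"\x03" * 12), "tag": _b64(b"\x04" * 16)},
                                            "encryption_algorithm": "aes-256-gcm",
                                            "m_kek_location": {"key_name": "KMAAS_MKEK", "type": "env"}}}],
    "keys": [{"kid": "96b2f83d-df4e-4d49-b662-bcde91a8764f", "private": PEM_PRIV, "public": PEM_PUB, "active": True}],
    "dke_keys": [{"kid": "df77f9d6-052a-4a01-9228-7ad1883d4a50", "label": "dke keys", "created_at": 1763975729,
                  "versions": [{"version_id": "f6bec63f-c5a3-4932-94da-d6a34eb69066", "created_at": 1763975729,
                                "private": PEM_PRIV, "public": PEM_PUB}]}]}]}
```

To check a real file, load it with json.load and call validate_keks(doc, os.environ): the env argument makes the script confirm that the variable named in m_kek_location.key_name actually exists in the process environment, which is the usual cause of a KEK that cannot be unwrapped at startup. Applied to the page's own example, the active_kek_id check reports a finding, because fd7e4c16-... matches neither the listed kek id fd7e2c15-... nor the (empty) encrypted_keks array.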

EXAMPLES
The file contents below are given simply as examples and must not be used as such in your Stormshield KMaaS configuration.

{
   "tenants": [
      {
         "tenant_id": "3a5f06fe-bee2-444b-bf76-b5ead30327c0",
         "active_kek_id": "fd7e4c16-6199-40a3-9bce-3c82a9e31e66",
         "keks": [
            {
               "id": "fd7e2c15-6199-40a3-9bce-3c82a9e31e66",
               "kek_b64": "9i6NnOFeABODElB+ujySsqK74PPVlW6dhy6mvQt+RaQ="
            }
         ],
         "encrypted_keks": [],
         "keys": [
            {
               "kid": "96b2f83d-df4e-4d49-b662-bcde91a8764f",
               "private": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQ0KTUlJSktBSUJBQUtDQWd[...]",
               "public": "LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JSUNDZ0tDQWdFQXlsWDNE[...]",
               "active": true
            }
         ],
         "dke_keys": [
            {
               "created_at": 1763975729,
               "kid": "df77f9d6-052a-4a01-9228-7ad1883d4a50",
               "label": "dke keys",
               "status": "Enabled",
               "versions": [
                  {
                     "created_at": 1763975729,
                     "version_id": "f6bec63f-c5a3-4932-94da-d6a34eb69066",
                     "private": "LS0tLS1CRUdJTiBSU0EgU...",
                     "public": "LS0tLS1CRUdJTiBQVUJMS..."
                  }
               ]
            }
         ]
      }
   ]
}
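The parameter table notes that the server does not verify at startup that a public key belongs to its private key, so a mismatched pair in keys or dke_keys is only discovered when a rewrap or DKE operation fails. The check below is an added example, not Stormshield code, that performs that verification offline with the standard library only: it unwraps the base64-encoded PEM values the file stores, walks the DER with a minimal ASN.1 reader, and compares the RSA modulus of both keys. It accepts PKCS#8 ("PRIVATE KEY", the format the table specifies for dke_keys) as well as PKCS#1 ("RSA PRIVATE KEY", which is what the page's keys example starts with), and "PUBLIC KEY" or "RSA PUBLIC KEY" on the public side. The sample key pair at the end is built from toy-sized numbers purely so the code runs stand-alone; the der/der_int encoder and the toy_* builders are helpers of this example, and the kid and version_id values reuse the page's example UUIDs.

```python
import base64
import re


def der_read(buf, pos=0):
    """Decode one DER TLV at pos; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low seven bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split the content of a constructed element into (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out


def pem_to_der(text):
    """Return (label, DER bytes) of the first PEM block in text."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def rsa_modulus(b64_pem):
    """RSA modulus n of a base64-wrapped PEM key, the form stored in keks.json."""
    label, der_bytes = pem_to_der(base64.b64decode(b64_pem).decode("ascii"))
    tag, body, _ = der_read(der_bytes)
    if tag != 0x30:
        raise ValueError("key is not a DER SEQUENCE")
    fields = der_children(body)
    if label == "PRIVATE KEY":    # PKCS#8: version, algorithm, OCTET STRING holding RSAPrivateKey
        fields = der_children(der_read(fields[2][1])[1])
    elif label == "PUBLIC KEY":   # SubjectPublicKeyInfo: algorithm, BIT STRING holding RSAPublicKey
        fields = der_children(der_read(fields[1][1][1:])[1])  # [1:] skips the unused-bits byte
    elif label not in ("RSA PRIVATE KEY", "RSA PUBLIC KEY"):
        raise ValueError(f"unsupported PEM label {label!r}")
    # RSAPrivateKey carries a version INTEGER before n; RSAPublicKey starts with n.
    tag, n_bytes = fields[1 if "PRIVATE" in label else 0]
    if tag != 0x02:
        raise ValueError("modulus field is not an INTEGER")
    return int.from_bytes(n_bytes, "big")


def key_pair_matches(private_b64_pem, public_b64_pem):
    """True when both PEMs carry the same RSA modulus, i.e. they form one key pair."""
    return rsa_modulus(private_b64_pem) == rsa_modulus(public_b64_pem)


def check_key_pairs(doc):
    """List every keys/dke_keys entry of a parsed keks.json whose public key does not match."""
    problems = []
    for t in doc.get("tenants") or []:
        for k in t.get("keys") or []:
            if not key_pair_matches(k["private"], k["public"]):
                problems.append(f"keys[{k['kid']}]: public key does not match private key")
        for k in t.get("dke_keys") or []:
            for v in k.get("versions") or []:
                if not key_pair_matches(v["private"], v["public"]):
                    problems.append(f"dke_keys[{k['kid']}]/{v['version_id']}: public key does not match private key")
    return problems


# --- constructed sample material: toy-sized numbers, NOT usable keys -----------------------
def der(tag, content):
    """Minimal DER encoder (lengths below 65536) used only to build the sample keys."""
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + content

def der_int(value):
    """DER INTEGER; the byte count keeps a leading 0x00 when the top bit is set."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

RSA_ALG_ID = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))  # rsaEncryption, NULL

def toy_pkcs8_private(n, e):
    """PKCS#8 PrivateKeyInfo around an RSAPrivateKey whose private CRT fields are zeroed (toy only)."""
    rsa_private = der(0x30, b"".join(der_int(x) for x in (0, n, e, 0, 0, 0, 0, 0, 0)))
    return der(0x30, der_int(0) + RSA_ALG_ID + der(0x04, rsa_private))

def toy_spki_public(n, e):
    """SubjectPublicKeyInfo around an RSAPublicKey."""
    return der(0x30, RSA_ALG_ID + der(0x03, b"\x00" + der(0x30, der_int(n) + der_int(e))))

def to_b64_pem(label, der_bytes):
    """Wrap DER as PEM, then base64-encode the PEM: the encoding keks.json expects."""
    pem = f"-----BEGIN {label}-----\n{base64.b64encode(der_bytes).decode()}\n-----END {label}-----\n"
    return base64.b64encode(pem.encode()).decode()

SAMPLE_PRIVATE = to_b64_pem("PRIVATE KEY", toy_pkcs8_private(0x0C8B, 3))
SAMPLE_PUBLIC = to_b64_pem("PUBLIC KEY", toy_spki_public(0x0C8B, 3))
WRONG_PUBLIC = to_b64_pem("PUBLIC KEY", toy_spki_public(0x0C8D, 3))  # a different modulus
SAMPLE_DOC = {"tenants": [{  # the keys entry is deliberately mismatched, the dke_keys version is consistent
    "keys": [{"kid": "96b2f83d-df4e-4d49-b662-bcde91a8764f", "private": SAMPLE_PRIVATE, "public": WRONG_PUBLIC}],
    "dke_keys": [{"kid": "df77f9d6-052a-4a01-9228-7ad1883d4a50", "versions": [
        {"version_id": "f6bec63f-c5a3-4932-94da-d6a34eb69066", "private": SAMPLE_PRIVATE, "public": SAMPLE_PUBLIC}]}]}]}
```

On a real file, json.load it and call check_key_pairs(doc) before restarting the service; an empty list means every public key in keys and dke_keys was derived from the private key stored next to it. Comparing the modulus is sufficient for RSA because the public exponent is part of the private key structure as well, and a private key edited or pasted from the wrong pair will not share the modulus.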