IBM Cloud Docs
Wrapping keys

Wrapping keys

You can manage and protect your encryption keys with a root key by using the IBM® Key Protect API and Console.

When you wrap a data encryption keyA cryptographic key used to encrypt data that is stored in an application. with a root keyA symmetric wrapping key that is used for encrypting and decrypting other keys that are stored in a data service. (DEK), Key Protect combines the strength of multiple algorithms to protect the privacy and the integrity of your encrypted data.

To learn how key wrapping helps you control the security of at rest data in the cloud, see Protecting data with envelope encryption.

Wrapping a key using the console

If you already have an instance of Key Protect and wish to encrypt your DEK by using a graphical interface, you can use the IBM Cloud console.

After you import or create your own keys, complete the following steps to wrap your data using the key:

  1. Log in to the IBM Cloud console.

  2. From the Menu, choose the Resource List to view a list of your resources.

  3. From your IBM Cloud resource list, select your provisioned instance of Key Protect.

  4. Choose the Root key from the list of your keys that you want to use to wrap your data.

  5. Click the icon and then click the Envelope encryption option to open the side panel. Make sure the "Wrap key" option is selected.

  6. You have a choice of whether to allow Key Protect to wrap your data or whether you want to provide your own base64 encoded plaintext and additional authentication data (AAD), as needed, to wrap the data. Note that if you choose to provide your own plaintext and AAD, you will have to provide it when unwrapping your data. If you do not have experience creating AAD and base 64 encoded plaintext, the recommended practice is to allow Key Protect to wrap your data by leaving the Wrap key for me option selected.

  7. Click Wrap Key button.

Wrapping keys by using the API

You can protect a specified data encryption key (DEK) with a root key that you manage in Key Protect.

After you designate a root key in the service, you can wrap a DEK with advanced encryption by making a POST call to the following endpoint.

https://<region>.kms.cloud.ibm.com/api/v2/keys/<keyID_or_alias>/actions/wrap

  1. Retrieve your authentication credentials to work with keys in the service.

  2. Copy the key material of the DEK that you want to manage and protect.

    If you have manager or writer privileges for your Key Protect instance, you can retrieve the key material for a specific key by making a GET /v2/keys/<keyID_or_alias> request.

  3. Copy the ID of the root key that you want to use for wrapping.

  4. Run the following curl command to protect the key with a wrap operation.

    $ curl -X POST \
    "https://<region>.kms.cloud.ibm.com/api/v2/keys/<keyID_or_alias>/actions/wrap" \
    -H "accept: application/vnd.ibm.kms.key_action+json" \
    -H "authorization: Bearer <IAM_token>" \
    -H "bluemix-instance: <instance_ID>" \
    -H "content-type: application/vnd.ibm.kms.key_action+json" \
    -H "x-kms-key-ring: <key_ring_ID>" \
    -H "correlation-id: <correlation_ID>" \
    -d '{
            "plaintext": "<data_key>",
            "aad": [
                "<additional_data>",
                "<additional_data>"
            ]
        }'

Replace the variables in the example request according to the following table.

Table 1. Describes the variables that are needed to wrap a specified key in Key Protect.
Variable Description
region Required. The region abbreviation, such as us-south or eu-gb, that represents the geographic area where your Key Protect instance resides. For more information, see Regional service endpoints.
keyID_or_alias Required. The unique identifier or alias for the root key that you want to use for wrapping.
IAM_token Required. Your IBM Cloud access token. Include the full contents of the IAM token, including the Bearer value, in the curl request. For more information, see Retrieving an access token.
instance_ID Required. The unique identifier that is assigned to your Key Protect service instance. For more information, see Retrieving an instance ID.
key_ring_ID Optional. The unique identifier of the key ring that the key is a part of. If unspecified, Key Protect will search for the key in every key ring associated with the specified instance. It is recommended to specify the key ring ID for a more optimized request. Note: The key ring ID of keys that are created without an x-kms-key-ring header is: default. or more information, see Grouping keys.
correlation_ID Optional.The unique identifier that is used to track and correlate transactions.
data_key Optional.The key material of the DEK that you want to manage and protect. The plaintext value must be base64 encoded. For more information on encoding your key material, see Encoding your key material. To generate a new DEK, omit the plaintext attribute. The service generates a random plaintext (32 bytes), wraps that value, and then returns both the generated and wrapped values in the response. The generated and wrapped values are base64 encoded and you will need to decode them in order to decrypt the keys.
additional_data Optional.The additional authentication data (AAD) that is used to further secure the key. Each string can hold up to 255 characters. If you supply AAD when you make a wrap call to the service, you must specify the same AAD during the subsequent unwrap call.Important: The Key Protect service does not save additional authentication data. If you supply AAD, save the data to a secure location to ensure that you can access and provide the same AAD during subsequent unwrap requests.

Your wrapped data encryption key, containing the base64 encoded key material, is returned in the response entity-body. The response body also contains the ID of the key version that was used to wrap the supplied plaintext. The following JSON object shows an example returned value.

{
    "ciphertext": "eyJjaXBoZXJ0ZXh0IjoiYmFzZTY0LWtleS1nb2VzLWhlcmUiLCJpdiI6IjRCSDlKREVmYU1RM3NHTGkiLCJ2ZXJzaW9uIjoiNC4wLjAiLCJoYW5kbGUiOiJ1dWlkLWdvZXMtaGVyZSJ9",
    "keyVersion": {
        "id": "02fd6835-6001-4482-a892-13bd2085f75d"
    }
}

If you omit the plaintext attribute when you make the wrap request, the service returns both the generated data encryption key (DEK) and the wrapped DEK in base64 encoded format.

{
    "plaintext": "Rm91ciBzY29yZSBhbmQgc2V2ZW4geWVhcnMgYWdv",
    "ciphertext": "eyJjaXBoZXJ0ZXh0IjoiYmFzZTY0LWtleS1nb2VzLWhlcmUiLCJpdiI6IjRCSDlKREVmYU1RM3NHTGkiLCJ2ZXJzaW9uIjoiNC4wLjAiLCJoYW5kbGUiOiJ1dWlkLWdvZXMtaGVyZSJ9",
    "keyVersion": {
        "id": "12e8c9c2-a162-472d-b7d6-8b9a86b815a6"
    }
}

The plaintext value represents the unwrapped DEK, and the ciphertext value represents the wrapped DEK and are both base64 encoded. The keyVersion.id value represents the version of the root key that was used for wrapping.

If you want Key Protect to generate a new data encryption key (DEK) on your behalf, you can also pass in an empty body on a wrap request. Your generated DEK, containing the base64 encoded key material, is returned in the response entity-body, along with the wrapped DEK.