Viewing details about a root key or a standard key

You can retrieve the general characteristics of a single encryption key by using IBM Cloud® Hyper Protect Crypto Services.

Retrieving a root key or a standard key requires a Writer or Manager access policy, but you might need a way to view only the details about a root key or a standard key, such as the transition history or configuration, without retrieving the key itself. If you have Reader access permissions, you can use the Hyper Protect Crypto Services key management API to retrieve only metadata about a root key or a standard key.

Viewing key details with the UI

You can view details about a specific key with the UI by completing the following steps:

  1. Log in to the UI.
  2. Go to Menu > Resource list to view a list of your resources.
  3. From your IBM Cloud resource list, select your provisioned instance of Hyper Protect Crypto Services.
  4. On the KMS keys page, use the Keys table to browse the keys in your service.
  5. Click the Actions icon to open a list of options for a specific key.
  6. From the options menu, click View key details to view the details of the key.

Viewing key details with the key management service API

To view detailed information about a specific root key or a standard key, you can make a GET call to the following endpoint.

https://<instance_ID>.api.<region>.hs-crypto.appdomain.cloud/api/v2/keys/<key_ID_or_alias>/metadata

  1. Retrieve your authentication credentials to work with keys in the service.

  2. Retrieve the ID of the key that you would like to inspect.

    The ID value is used to access detailed information about the key. You can find the ID for a key in your service instance by retrieving a list of your keys, or by accessing the UI.

  3. Get details about the key by running the following cURL command.

    curl -X GET \
      'https://<instance_ID>.api.<region>.hs-crypto.appdomain.cloud/api/v2/keys/<key_ID_or_alias>/metadata' \
      -H 'accept: application/vnd.ibm.kms.key+json' \
      -H 'authorization: Bearer <IAM_token>' \
      -H 'bluemix-instance: <instance_ID>' \
      -H 'x-kms-key-ring: <key_ring_ID>' \
      -H 'correlation-id: <correlation_ID>'
    

    Replace the variables in the example request according to the following table.

    Table 1. Describes the variables needed to view details about a key with the API

    | Variable | Description |
    |---|---|
    | region | Required. The region abbreviation, such as us-south or eu-de, that represents the geographic area where your Hyper Protect Crypto Services instance resides. For more information, see Regional service endpoints. |
    | key_ID_or_alias | Required. The identifier or alias for the key that you want to inspect. |
    | IAM_token | Required. Your IBM Cloud access token. Include the full contents of the IAM token, including the Bearer value, in the cURL request. For more information, see Retrieving an access token. |
    | instance_ID | Required. The unique identifier that is assigned to your Hyper Protect Crypto Services instance. For more information, see Retrieving an instance ID. |
    | key_ring_ID | Optional. The unique identifier of the key ring that the key belongs to. If unspecified, Hyper Protect Crypto Services will search for the key in every key ring that is associated with the specified instance. Therefore, it is suggested to specify the key ring ID for a more optimized request. Note: The key ring ID of keys that are created without an x-kms-key-ring header is: default. For more information, see Managing key rings. |
    | correlation_ID | The unique identifier that is used to track and correlate transactions. |

    A successful GET api/v2/keys/<key_ID_or_alias>/metadata response returns details about your key. The following JSON object shows an example returned value for a standard key.

    {
      "metadata": {
        "collectionType": "application/vnd.ibm.kms.key+json",
        "collectionTotal": 1
      },
      "resources": [
        {
          "type": "application/vnd.ibm.kms.key+json",
          "id": "02fd6835-6001-4482-a892-13bd2085f75d",
          "name": "test-standard-key",
          "state": 1,
          "extractable": true,
          "crn": "crn:v1:bluemix:public:hs-crypto:us-south:a/f047b55a3362ac06afad8a3f2f5586ea:12e8c9c2-a162-472d-b7d6-8b9a86b815a6:key:02fd6835-6001-4482-a892-13bd2085f75d",
          "imported": false,
          "creationDate": "2020-03-12T03:50:12Z",
          "createdBy": "...",
          "algorithmType": "AES",
          "algorithmMetadata": {
            "bitLength": "256",
            "mode": "CBC_PAD"
          },
          "algorithmBitSize": 256,
          "algorithmMode": "CBC_PAD",
          "lastUpdateDate": "2020-03-12T03:50:12Z",
          "dualAuthDelete": {
            "enabled": false
          },
          "deleted": false
        }
      ]
    }
    

    Need to retrieve the payload value for a standard key? To learn more, see Retrieving a root key or a standard key.

    For a detailed description of the response parameters, see the Hyper Protect Crypto Services key management REST API reference doc.
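The following added example (not part of the IBM documentation) shows how a Reader-level audit job could process the metadata response above: it confirms that no key material came back and summarizes the security-relevant attributes of each key. The function name, the state-code table, and the reading of `extractable` as standard versus root key are assumptions that are not stated on this page.

```python
import json

# Assumption (not on this page): numeric key states as in the service's key-states docs.
KEY_STATES = {0: "Pre-activation", 1: "Active", 2: "Suspended", 3: "Deactivated", 5: "Destroyed"}

# Constructed sample: this page's example response, trimmed to the fields the audit reads.
SAMPLE_RESPONSE = json.loads("""
{"metadata": {"collectionType": "application/vnd.ibm.kms.key+json", "collectionTotal": 1},
 "resources": [{"id": "02fd6835-6001-4482-a892-13bd2085f75d", "name": "test-standard-key",
                "state": 1, "extractable": true, "imported": false,
                "dualAuthDelete": {"enabled": false}, "deleted": false}]}
""")


def audit_key_metadata(response):
    """Return one summary dict per key in a /metadata response (hypothetical helper)."""
    resources = response.get("resources", [])
    total = response.get("metadata", {}).get("collectionTotal")
    if total != len(resources):
        raise ValueError(f"collectionTotal={total} but {len(resources)} resources returned")
    reports = []
    for key in resources:
        findings = []
        if "payload" in key:  # a metadata-only response must not carry key material
            findings.append("key material present; this is not a metadata-only response")
        if not key.get("dualAuthDelete", {}).get("enabled", False):
            findings.append("dual authorization for deletion is disabled")
        if key.get("deleted"):
            findings.append("key is marked deleted")
        state = key.get("state")
        if state != 1:
            findings.append(f"key is not Active (state={state})")
        reports.append({
            "id": key.get("id"),
            "name": key.get("name"),
            # Assumption: extractable keys are standard keys, non-extractable are root keys.
            "type": "standard" if key.get("extractable") else "root",
            "state": KEY_STATES.get(state, f"unknown({state})"),
            "origin": "imported" if key.get("imported") else "generated",
            "findings": findings,
        })
    return reports


if __name__ == "__main__":
    for report in audit_key_metadata(SAMPLE_RESPONSE):
        print(json.dumps(report, indent=2))
```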