IBM Cloud Docs
Viewing root key versions

Viewing root key versions

View the versions that are associated with a root key by using IBM Cloud® Hyper Protect Crypto Services.

When you rotate a root key, Hyper Protect Crypto Services creates a new version of the key. As a security admin, you can audit the rotation history of a root key by viewing the key version history.

Key versions are available only for root keys. To learn more about how key rotation works in Hyper Protect Crypto Services, check out Comparing your key rotation options.

Viewing root key versions with the key management service API

For a high-level view, you can list the versions that are associated with a root key by making a GET call to the following endpoint.

https://<instance_ID>.api.<region>.hs-crypto.appdomain.cloud/api/v2/keys/{id}/versions
  1. Retrieve your authentication credentials to work with keys in the service.

  2. Retrieve the ID of the root key that you want to inspect.

    The ID value is used to access detailed information about the key. You can find the ID for a key in your service instance by retrieving a list of your keys, or by accessing the UI.

  3. Get a list of versions that are associated with the root key by running the following cURL command.

    curl -X GET \
      'https://<instance_ID>.api.<region>.hs-crypto.appdomain.cloud/api/v2/keys/<key_ID>/versions' \
      -H 'accept: application/vnd.ibm.kms.key.version+json' \
      -H 'authorization: Bearer <IAM_token>' \
      -H 'x-kms-key-ring: <key_ring_ID>' \
      -H 'bluemix-instance: <instance_ID>'
    

    Replace the variables in the example request according to the following table.

    Table 1. Describes the variables needed to list key versions with the API
    Variable Description
    region Required. The region abbreviation, such as us-south or eu-de, that represents the geographic area where your Hyper Protect Crypto Services instance resides. For more information, see Regional service endpoints.
    key_ID Required. The unique identifier for the key that you want to inspect.
    IAM_token Required. Your IBM Cloud access token. Include the full contents of the IAM token, including the Bearer value, in the cURL request. For more information, see Retrieving an access token.
    key_ring_ID Optional. The unique identifier of the key ring that the key belongs to. If unspecified, Hyper Protect Crypto Services will search for the key in every key ring that is associated with the specified instance. Therefore, it is suggested to specify the key ring ID for a more optimized request.

    Note: The key ring ID of keys that are created without an x-kms-key-ring header is: default. For more information, see Managing key rings.

    instance_ID Required. The unique identifier that is assigned to your Hyper Protect Crypto Services instance. For more information, see Retrieving an instance ID.

    A successful GET api/v2/keys/<key_ID>/versions response returns the list of versions that are associated with the root key. The following JSON object shows an example returned value.

    {
      "metadata": {
        "collectionType": "application/vnd.ibm.kms.key.version+json",
        "collectionTotal": 2
      },
      "resources": [
        {
          "id": "02fd6835-6001-4482-a892-13bd2085f75d",
          "creationDate": "2020-03-05T16:39:25Z"
        },
        {
          "id": "12e8c9c2-a162-472d-b7d6-8b9a86b815a6",
          "creationDate": "2020-03-02T16:28:38Z"
        }
      ]
    }
    

    The resources object lists each key version, along with the ID and creation date, in reverse chronological order.