IBM Cloud Docs
Key Protect CLI Reference

Key Protect CLI Reference

The latest version of the IBM® Key Protect for IBM Cloud® CLI plug-in provides a safe and efficient way to manage keys in your instance of Key Protect.

When you log in to the IBM Cloud CLI, you're notified when updates are available. Be sure to keep your CLI up-to-date so that you can use the commands and flags that are available for the Key Protect CLI plug-in.

Notes

To install and configure the Key Protect CLI plug-in, see the topic on Setting up the CLI.

The example showing how to use region-set outlines a critical step in configuration.

Previous versions

This documentation for version 0.8 does not include deprecated commands.

All deprecated commands work in versions 0.4.0 and 0.5.2. That is, version 0.5.2 is backwards compatible with versions 0.3.9 and 0.4.0.

Examples

All commands have an Example section, which shows how to use the command in the context of a workflow.

The examples assume you have openssl and jq installed.

Many examples take advantage of an environment variable set for the session regarding the Key Protect Instance ID instead of the -i parameter. Variables set in this manner will be automatically used by the plug-in where appropriate and when needed.

# export the Key Protect instance id in the command line
$ export KP_INSTANCE_ID=<INSTANCE_ID>

ibmcloud kp command summary

ibmcloud kp supports the commands listed here.

kp import-token command

The kp import-token command prepares a root key for secure import.

Table 1. Sub-commands for managing import tokens
Sub-command Status v0.8 Description
create Create an import token
key-encrypt Encrypt the key that you import into the service
nonce-encrypt Encrypt the nonce that is generated by kp import-token create
show Retrieve an import token

kp instance command

The kp instance command manages policies for a Key Protect instance.

Table 2. Sub-commands for managing keys
Sub-command Status v0.8 Description
policies List policies associated with an instance
policy-update allowed-network Update the instance policy for "allowed network"
policy-update dual-auth-delete Update the instance policy for "dual auth delete"
policy-update rotation Update the instance policy for "rotation"

kp key command

The kp key command manages individual keys.

Table 3. Sub-commands for managing keys
Sub-command Status v0.8 Description
alias-create Create an alias for a unique and convenient reference to a key
cancel-delete Cancel a previously scheduled request to delete a key
create Create a key or import your own key
delete Delete a key
disable Disable a key
enable Enable a key
policies Retrieve a list of policies
policy-update dual-auth-delete Update the key policy for "dual auth delete"
policy-update rotation Update the key policy for "rotation"
purge Purge a deleted key
restore Restore a root key that was previously deleted
rotate Rotate a root key
schedule-delete Authorize a key, with a dual-auth-delete policy, to be deleted
show Retrieve a key
sync Synchronize a key's associated resources
unwrap Unwrap a data encryption key
update Update a key, transferring it to a new key ring
versions updated List all key versions
wrap Wrap a data encryption key

kp key-ring command

Key Ring support allows for managing groups of keys for best practices using kp key-ring.

Table 4. Sub-commands for managing key-rings
Sub-command Status v0.8 Description
create Creates a key ring within a kp instance
delete Deletes a key ring within a kp instance

Other kp commands

More commands for managing Key Protect resources could support best practices.

Table 5. Commands for managing other resources
Command Status v0.8 Description
kp keys List the keys that are available in your Key Protect instance
kp key-rings Lists the key rings associated with the kp instance
kp region-set Target a different regional endpoint
kp registrations List associations between root keys and other cloud resources
kp kmip Create and manage KMIP adapters and associated resources.

Key aliases can be used as identifiers for methods as shown in examples for key create, key disable, and anywhere you see 'Key ID or Alias' supported here.

Viewing help

These are examples of kp help information.

  • ibmcloud kp -h
  • ibmcloud kp import-token -h
  • ibmcloud kp key -h
  • ibmcloud kp keys -h

The kp import-token and kp key commands have sub-commands. These examples show help for some sub-commands.

  • ibmcloud kp import-token create -h
  • ibmcloud kp key delete -h

kp import-token create

Create an import token that you can use to encrypt and import a root key to the Key Protect instance. By default, the import token expires after 10 minutes (600 seconds).

ibmcloud kp import-token create
     -i, --instance-id    INSTANCE_ID
    [-e, --expiration     EXPIRATION_TIME_SECONDS]
    [-m, --max-retrievals MAX_RETRIEVALS]

Example

This example creates a import token. The import token consists of a nonce and a public key.

A nonce is an arbitrary number that can be used just once in a cryptographic communication. 

# create an import token that expires in 5 minutes and allows 3 retrievals
$ ibmcloud kp import-token create --expiration 300 --max-retrievals 3

Created                         Expires                         Max Retrievals   Remaining Retrievals
2020-05-04 19:12:07 +0000 UTC   2020-05-04 19:17:07 +0000 UTC   3                3

# show the created token
$ ibmcloud kp import-token show

{
    "nonce": "8rf2ldP/zWm1Tjrb",
    "payload":
        "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0t ...<redacted>... QyBLRVktLS0tLQo="
}

Required parameters

  • -i, --instance-id

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

Optional parameters

  • -e, --expiration

    Specify an expiration time (in seconds) for an import token. This value determines how long the import token and its associated public key remain valid for operations.

    The minimum value is 300 seconds (5 minutes), and the maximum value is 86400 seconds (24 hours). The default value is 600 seconds (10 minutes).

  • -m, --max-retrievals

    Set the use count for the import token. This value determines the number of times that the import token can be retrieved within its expiration time before it is no longer accessible. The default value is 1.

kp import-token key-encrypt

Encrypt the key material that you import into Key Protect by using the public key that's associated with your Key Protect instance.

Then, provide the retrieved encrypted key when you run ibmcloud kp key create to import the key to the service.

ibmcloud kp import-token key-encrypt
        -i, --instance-id INSTANCE_ID
        -k, --key         KEY_MATERIAL
        -p, --pubkey      PUBLIC_KEY
       [-a, --hash        HASH_ALGORITHM]

Example

This example encrypts a key material using the public key created by kp import-token create.

# create an import token that expires in 5 minutes and allows 10 retrievals
$ ibmcloud kp import-token create -e 300 -m 10

# create a random, base64-encoded, 32-byte key material
$ KEY_MATERIAL=$(openssl rand -base64 32)

# extract the public key that was created by the "kp import-token create" command
$ PUBLIC_KEY=$(ibmcloud kp import-token show | jq -r '.["payload"]')

# encrypt the key material using the public key
$ ibmcloud kp import-token key-encrypt -k $KEY_MATERIAL -p $PUBLIC_KEY

Encrypted Key
Ela33aTdDiKVUNryLeM/xwUEaKWvzY+u ...<redacted>... Asv7bZxvyZn9KNU=

Required parameters

  • -i, --instance-id

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

  • -k, --key

    The base64-encoded key material that you store and manage in the service.

    -p, --pubkey

    The base64-encoded public encryption key that was distributed by Key Protect. To create new public key, use ibmcloud kp import-token create. To retrieve a public key, use ibmcloud kp import-token show.

Optional parameters

  • -a, --hash

    The hash algorithm used to wrap the key. SHA1 and SHA256 are supported. The default is SHA256. SHA1 is only supported by HPCS.

    This option is used to generate an encrypted key that can only be used in a request with the HPCS API. Do not use this option to create Key Protect root keys.

    Hyper Protect Crypto Services (HPCS) is a dedicated key management service and hardware security module (HSM). HPCS integrates with Key Protect to generate and encrypt keys. The Keep Your Own Key (KYOK) function is also enabled by HPCS.

Notes

For more information about HPCS, see Getting started with IBM Cloud Hyper Protect Crypto Services.

kp import-token nonce-encrypt

Encrypt the nonce that is distributed by Key Protect with the key material that you import into to the service.

Then, provide the retrieved encrypted nonce and IV values when you run ibmcloud kp key create to import the key.

ibmcloud kp import-token nonce-encrypt
        -i, --instance-id INSTANCE_ID
        -k, --key         KEY_MATERIAL
        -n, --nonce       NONCE
    [-c, --cbc]

Example

This example encrypts the nonce using the key material.

A nonce is an arbitrary number that can be used just once in a cryptographic communication. 

# create an import token that expires in 5 minutes and allows 10 retrievals
$ ibmcloud kp import-token create -e 300 -m 10

# create a random, base64-encoded, 32-byte key material
$ KEY_MATERIAL=$(openssl rand -base64 32)

# extract the nonce that was created by the "kp import-token create" command
$ NONCE=$(ibmcloud kp import-token show | jq -r '.["nonce"]')

# encrypt the nonce
$ ibmcloud kp import-token nonce-encrypt -k $KEY_MATERIAL -n $NONCE

Encrypted Nonce                            IV
mWQad1RHdWoFXFw/D9h8z43t/+0vIZc55VBBQg==   6nvOwUvQdowoD+3v

Required parameters

  • -i, --instance-id

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

  • -k, --key

    The base64-encoded key material that you store and manage in the service.

    -n, --nonce

    The nonce that is used to verify a request to import a key. The value is base64-encoded. To retrieve a nonce, use ibmcloud kp import-token show.

Optional parameters

  • -c, --cbc

    Encrypt the nonce using the AES-CBC encryption algorithm. This algorithm method is only supported for HPCS. The default encryption algorithm is AES-GCM.

    This option is used to generate an encrypted nonce that can only be used in a request with the HPCS API. Do not use this option to create Key Protect root keys.

    Hyper Protect Crypto Services (HPCS) is a dedicated key management service and hardware security module (HSM). HPCS integrates with Key Protect to generate and encrypt keys. The Keep Your Own Key (KYOK) function is also enabled by HPCS.

Notes

For more information about HPCS, see Getting started with IBM Cloud Hyper Protect Crypto Services.

kp import-token show

Retrieve the import token that is associated with your Key Protect instance.

The import token contains a public encryption key and a nonce. Provide the retrieved public key and nonce as arguments for ibmcloud kp import-token nonce-encrypt and ibmcloud kp import-token key-encrypt.

ibmcloud kp import-token show
    -i, --instance-id INSTANCE_ID

Example

This example creates an import token and shows the results.

# create an import token that expires in 5 minutes and allows 10 retrievals
$ ibmcloud kp import-token create -e 300 -m 10

# show the created token
$ ibmcloud kp import-token show

{
    "nonce": "8rf2ldP/zWm1Tjrb",
    "payload":
        "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0t ...<redacted>... QyBLRVktLS0tLQo="
}

# extract the nonce that was created by the "kp import-token create" command
$ ibmcloud kp import-token show | jq -r '.["nonce"]'

8rf2ldP/zWm1Tjrb

# extract the public key that was created by the "kp import-token create" command
$ ibmcloud kp import-token show | jq -r '.["payload"]'

LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0t ...<redacted>... QyBLRVktLS0tLQo=

Required parameters

  • -i, --instance-id

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

kp instance policies

Retrieve details about instance policies, such as allowed networks (public-and-private or private-only), allowed IP policies, key create import access, metrics, and dual-authorization delete (deleting a key requires an authorization from two users).

ibmcloud kp instance policies
    [-i, --instance-id     INSTANCE_ID]
    [-p, --allowed-ip]
    [-a, --allowed-network]
    [-d, --dual-auth-delete]
    [-k, --key-create-import-access]
    [-m, --metrics]
    [-o, --output          OUTPUT]
    [-r, --rotation]

Example

The example shows how to use the command and the results. If the service has no results to the query, an empty array ([]) will be returned.,

# update the instance policy and set the allowed network to public-and-private
$ ibmcloud kp instance policy-update allowed-network --enable --network-type public-and-private

Updating instance policy...
OK

# list the instance policies
$ ibmcloud kp instance policies

Retrieving policy details for instance: a192d603-0b8d-452f-aac3-f9e1f95e7411...
OK
Created By        user id ...<redacted>...
Creation Date     2020-06-22T16:17:52Z
Last Updated      2020-06-22T16:17:52Z
Updated By        user id ...<redacted>...
Policy Type       allowedNetwork
Enabled           true
Network Allowed   public-and-private

# disable the instance allowed-network policy
$ ibmcloud kp instance policy-update allowed-network --disable

Updating instance policy...
OK

# list the instance policies - the policy exists and it's disabled
$ ibmcloud kp instance policies

Retrieving policy details for instance: a192d603-0b8d-452f-aac3-f9e1f95e7411...
OK
Created By        user id ...<redacted>...
Creation Date     2020-06-22T16:17:52Z
Last Updated      2020-06-22T16:20:08Z
Updated By        user id ...<redacted>...
Policy Type       allowedNetwork
Enabled           false
Network Allowed   public-and-private

# list the instance policies and show the output as JSON
$ ibmcloud kp instance policies --output json

[
  {
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2020-06-22T16:17:52Z",
    "lastUpdated": "2020-06-22T16:20:08Z",
    "updatedBy": "user id ...<redacted>...",
    "policy_type": "allowedNetwork",
    "policy_data": { "enabled": false, "attributes": {   "allowed_network": "public-and-private" }
    }
  }
]

Required parameters

  • -i, --instance-ID

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

Optional parameters

  • -p, --allowed-ip

    Show the instance policy for "allowed ip".

  • -a, --allowed-network

    Show the instance policy for "allowed network".

  • -d, --dual-auth-delete

    Show the instance policy for "dual authorization delete".

  • -k, --key-create-import-access

    Retrieves the key create import access policy details of the instance.

  • -m, --metrics

    Retrieves the metrics policy details of the instance.

  • -o, --output

    Set the CLI output format. By default, all commands print in table format. To change the output format to JSON, use --output json.

  • -r, --rotation

    Retrieves rotation policy details of the instance.

kp instance policy-update allowed-network

Update the policy for an instance and set the allowed network to public-and-private or private-only.

The allowed-network policy blocks an instance from getting requests from public or private networks.

For existing instances the network access policy is enforced after it is set.

For more information, see managing network access policies.

ibmcloud kp instance policy-update allowed-network
    -i, --instance-id  INSTANCE_ID
    -d, --disable OR
    -e, --enable
    -t, --network-type NETWORK_TYPE

Example

This example sets the "allowed network" policy to "public-and-private".

# update the instance policy and set the allowed network to public-and-private
$ ibmcloud kp instance policy-update allowed-network --enable --network-type public-and-private

Updating instance policy...
OK

# list the instance policies
$ ibmcloud kp instance policies

Retrieving policy details for instance: a192d603-0b8d-452f-aac3-f9e1f95e7411...
OK
Created By        user id ...<redacted>...
Creation Date     2020-06-22T16:17:52Z
Last Updated      2020-06-22T18:17:32Z
Updated By        user id ...<redacted>...
Policy Type       allowedNetwork
Enabled           true
Network Allowed   public-and-private

Required parameters

  • -d, --disable

  • -e, --enable

    Disable or enable the network access policy. One option is required.

  • -i, --instance-ID

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

  • -t, --network-type

    Specify the type of network access allowed. Options are public-and-private or private-only.

kp instance policy-update dual-auth-delete

Use the dual-auth-delete policy to safely delete encryption keys. When you delete a key, you shred its contents and associated data. Any data that is encrypted by the key becomes inaccessible.

Deleting a key that has a dual authorization policy requires an authorization from two users.

For more information, see deleting keys using dual authorization and setting dual authorization policies for keys.

Notes

Dual authorization delete for an instance is different than dual authorization delete for keys.

Once you enable dual-auth-delete for a key you cannot disable it or remove it. You must wait 7 days for the policy to expire.

Dual authorization delete for an instance can be enabled or disabled anytime.

If a key has a dual-auth-delete policy, changing the instance policy does not change any existing key policies.

When you change the instance policy, new keys are enforced with the instance policy. 

ibmcloud kp instance policy-update dual-auth-delete
    -i, --instance-id INSTANCE_ID
    -d, --disable OR
    -e, --enable

Examples

These are examples of kp instance policy-update dual-auth-delete.

Example 1

This example enables the dual authorization delete policy.

# enable the instance dual authorization policy
$ ibmcloud kp instance policy-update dual-auth-delete --enable

Updating instance policy...
OK

# list the instance policies
$ ibmcloud kp instance policies --output json

[
  {
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2020-06-22T18:45:14Z",
    "lastUpdated": "2020-06-22T18:45:14Z",
    "updatedBy": "user id ...<redacted>...",
    "policy_type": "dualAuthDelete",
    "policy_data": { "enabled": true
    }
  }
]

# disable the instance dual authorization policy
$ ibmcloud kp instance policy-update dual-auth-delete --disable

Updating instance policy...
OK

# list the instance policies
$ ibmcloud kp instance policies --output json

[
  {
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2020-06-22T18:45:14Z",
    "lastUpdated": "2020-06-22T18:51:33Z",
    "updatedBy": "user id ...<redacted>...",
    "policy_type": "dualAuthDelete",
    "policy_data": { "enabled": false
    }
  }
]

Example 2

This example enables the dual authorization delete policy and creates a new key to show how a new key inherits the instance policy.

Disabling the dual authorization policy for an instance does not change the policy for existing keys. The instance policy applies to new keys created after the policy is updated.

# enable the instance dual authorization policy
$ ibmcloud kp instance policy-update dual-auth-delete --enable

Updating instance policy...
OK

# create a new key
$ ibmcloud kp key create my-protected-key

Creating key: 'my-protected-key', in instance: 'a192d603-0b8d-452f-aac3-f9e1f95e7411'...
OK
Key ID                                 Key Name
6a8a129b-0cd4-4667-ba57-b355a125a7ca   my-protected-key

# list the policies for the key - dual-auth-delete is
# enabled because the key inherits the instance policy
$ ibmcloud kp key policies 6a8a129b-0cd4-4667-ba57-b355a125a7ca --output json

[
  {
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2020-06-22T19:13:00Z",
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:a192d603-0b8d-452f-aac3-f9e1f95e7411:policy:2427dbde-6cff-41eb-8b5a-ff26b038cafc",
    "lastUpdateDate": "2020-06-22T19:13:00Z",
    "updatedBy": "user id ...<redacted>...",
    "dualAuthDelete": { "enabled": true
    }
  }
]

# attempt to delete the key - this fails
$ ibmcloud kp key delete 6a8a129b-0cd4-4667-ba57-b355a125a7ca

Deleting key: 6a8a129b-0cd4-4667-ba57-b355a125a7ca, from instance: a192d603-0b8d-452f-aac3-f9e1f95e7411...
FAILED
kp.Error:
    correlation_id='8ad33eb2-7bbf-4b7a-a02e-221959920342',
    msg='Conflict: 1 prior authorization(s) are required for deletion: Key could not be deleted. Please see "reasons" for more details.',
    reasons='[AUTHORIZATIONS_NOT_MET: Number of authorizations required to delete is not met -
        FOR_MORE_INFO_REFER: https://cloud.ibm.com/apidocs/key-protect]'

# disable the instance dual authorization policy
$ ibmcloud kp instance policy-update dual-auth-delete --disable

Updating instance policy...
OK

# attempt to delete the key - this fails because the key policy
# does not change when the instance policy is updated
$ ibmcloud kp key delete 6a8a129b-0cd4-4667-ba57-b355a125a7ca

Deleting key: 6a8a129b-0cd4-4667-ba57-b355a125a7ca, from instance: a192d603-0b8d-452f-aac3-f9e1f95e7411...
FAILED
kp.Error:
    correlation_id='cbc0d18b-a816-45ab-af6a-b8e18dc3e628',
    msg='Conflict: 1 prior authorization(s) are required for deletion: Key could not be deleted. Please see "reasons" for more details.',
    reasons='[AUTHORIZATIONS_NOT_MET: Number of authorizations required to delete is not met -
    FOR_MORE_INFO_REFER: https://cloud.ibm.com/apidocs/key-protect]'

Required parameters

  • -d, --disable

  • -e, --enable

    Disable or enable the dual authorization policy. One option is required.

  • -i, --instance-ID

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

kp key alias-create

Creates an alias for a key and displays the output in JSON format. Aliases can be used as reference in methods that accept a key ID. Each alias is unique only within the given instance and is not reserved across the Key Protect service. Each key can have up to five aliases. There is no limit to the number of aliases per instance. The length of the alias can be between 2 - 90 characters, inclusive.

An alias must be alphanumeric and cannot contain spaces or special characters other than '-' or '_'. Also, the alias cannot be a version 4 UUID and must not be a Key Protect reserved name: allowed_ip, key, keys, metadata, policy, policies, registration, registrations, ring, rings, rotate, wrap, unwrap, rewrap, version, versions.

ibmcloud kp key alias-create KEY_ID -a KEY_ALIAS
    -i, --instance-id     INSTANCE_ID
    -a, --alias           KEY_ALIAS
    [-o, --output         OUTPUT]

Examples

This is an example of kp key alias-create.

Example

Create a key alias.

# create a key alias
$ ibmcloud kp key alias-create 24203f96-b134-440e-981a-a24f2d432256 my-alias

Creating key: 'my-root-key', in instance: '390086ac-76fa-4094-8cf3-c0829bd69526'...
OK
Key ID                                 Key Alias
24203f96-b134-440e-981a-a24f2d432256   my-alias

Required parameters

  • KEY_ID

    The ID of the key that you want to modify. To retrieve a list of your available keys, run the kp keys command.

  • KEY_ALIAS

    The alias, or alternate identifier, of the key that you want to modify. The identifier must be: alphanumeric, and no spaces or special characters other than '-' or '_', and can not be a version 4 UUID.

  • -i, --instance-ID

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

Optional parameters

  • -o, --output

    Set the CLI output format. By default, all commands print in table format. To change the output format to JSON, use --output json.

kp key cancel-delete

A key with a dual-auth-delete policy requires authorization from two administrative users to delete the key.

This command (kp key cancel-delete) cancels, or removes, a prior authorization.

The kp key schedule-delete command is the "authorization" to delete the key.

Follow this process to delete a key with a dual-auth-delete policy.

  1. Create a key and enable the dual-auth-delete policy

  2. User 1 schedules (authorizes) a key deletion with the kp key schedule-delete command

  3. User 2 schedules (authorizes) a key deletion

  4. The key is deleted after the second schedule-delete is performed, which is supported in the user interface, API, and CLI

  5. If a second authorization does not occur within 7 days, the key returns to its default status

There are two ways to enable the dual-auth-delete policy:

  • Set the policy for a single key using kp key policy-update dual-auth-delete
  • Set the policy for the instance using kp instance policy-update dual-auth-delete; all keys created after the instance policy is enabled inherit the instance policy setting
ibmcloud kp key cancel-delete KEY_ID_OR_ALIAS
    -i, --instance-id INSTANCE_ID

Example

This is an example of canceling a previously scheduled key delete.

# this key has a dual-auth-delete policy
$ ibmcloud kp key policies $KEY_ID --output json

[
  {
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2020-06-22T19:13:00Z",
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:a192d603-0b8d-452f-aac3-f9e1f95e7411:policy:2427dbde-6cff-41eb-8b5a-ff26b038cafc",
    "lastUpdateDate": "2020-06-22T21:29:10Z",
    "updatedBy": "user id ...<redacted>...",
    "dualAuthDelete": { "enabled": true
    }
  }
]

# cancel a previously scheduled key delete
$ ibmcloud kp key cancel-delete $KEY_ID

Cancelling key for deletion...
OK

Required parameters

  • KEY_ID_OR_ALIAS

    The v4 UUID or alias of the key that you want to delete. To retrieve a list of your available keys, run the kp keys command.

kp key create

Create a root key in the Key Protect instance that you specify or import your own key

Root keys must be 16, 24, or 32 bytes long; corresponding to 128, 192, or 256 bits. 

ibmcloud kp key create KEY_NAME
        -i, --instance-id     INSTANCE_ID
    [--key-ring                KEY_RING_ID]
    [-k, --key-material    KEY_MATERIAL]
    [-n, --encrypted-nonce NONCE]
    [-o, --output          OUTPUT]
    [-s, --standard-key]
    [-v, --iv              IV]
    [-D, --description     DESCRIPTION]

Examples

These are examples of kp key create.

Example 1

Create a root key.

# create a root key
$ ibmcloud kp key create my-root-key

Creating key: 'my-root-key', in instance: '390086ac-76fa-4094-8cf3-c0829bd69526'...
OK
Key ID                                 Key Name
24203f96-b134-440e-981a-a24f2d432256   my-root-key

Example 2

Create a root key and show the JSON output.

# create a root key
$ ibmcloud kp key create my-root-key --output json

{
    "id": "24203f96-b134-440e-981a-a24f2d432256",
    "name": "my-root-key",
    "type": "application/vnd.ibm.kms.key+json",
    "extractable": false,
    "state": 1,
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:390086ac-76fa-4094-8cf3-c0829bd69526:key:24203f96-b134-440e-981a-a24f2d432256"
}

Example 3

Create a root key from a base64-encoded value.

# create a random, base64-encoded, 32-byte key material
$ KEY_MATERIAL=$(openssl rand -base64 32)

# create a root key from a base64-encoded value
$ ibmcloud kp key create my-base64-root-key -k $KEY_MATERIAL

Creating key: 'my-base64-root-key', in instance: '390086ac-76fa-4094-8cf3-c0829bd69526'...
OK
Key ID                                 Key Name
5f9eef2d-53b4-42e8-8b56-c2970255210a   my-base64-root-key

Example 4

Create a root key using an import token.

# create an import token that expires in 5 minutes and allows 10 retrievals
$ ibmcloud kp import-token create -e 300 -m 10

# create a random, base64-encoded, 32-byte key material
$ KEY_MATERIAL=$(openssl rand -base64 32)

# extract the nonce that was created by the "kp import-token create" command
$ NONCE=$(ibmcloud kp import-token show | jq -r '.["nonce"]')

# extract the public key that was created by the "kp import-token create" command
$ PUBLIC_KEY=$(ibmcloud kp import-token show | jq -r '.["payload"]')

# encrypt the key material using the public key
$ ibmcloud kp import-token key-encrypt -k $KEY_MATERIAL -p $PUBLIC_KEY

Encrypted Key
qT1pyiS1Sivbmmt4doTtfZC4XuLazk7u ...<redacted>... +a/6EqeAamo/9vo=

# capture the encrypted key material
$ ENCRYPTED_KEY=qT1pyiS1Sivbmmt4doTtfZC4XuLazk7u ...<redacted>... +a/6EqeAamo/9vo=

# encrypt the nonce
$ ibmcloud kp import-token nonce-encrypt -k $KEY_MATERIAL -n $NONCE

Encrypted Nonce                            IV
fR8uRvbrKIm9y/LCq9p6pwFBXbF864q/bw5meQ==   efQgA8xBeyuBy39D

# capture the encrypted nonce and the initialization vector (IV)
$ ENCRYPTED_NONCE=fR8uRvbrKIm9y/LCq9p6pwFBXbF864q/bw5meQ==
$ IV=efQgA8xBeyuBy39D

# create a root key using an import token, provide an encrypted key, nonce, and initialization vector (IV)
$ ibmcloud kp key create my-imported-root-key -k $ENCRYPTED_KEY -n $ENCRYPTED_NONCE -v $IV

Creating key: 'my-imported-root-key', in instance: '390086ac-76fa-4094-8cf3-c0829bd69526'...
OK
Key ID                                 Key Name
4241a9b3-0ee0-4cfd-b0f3-fd80505fb675   my-imported-root-key

Example 5

Create a standard key.

# create a standard key
$ ibmcloud kp key create my-standard-key -s

Creating key: 'my-standard-key', in instance: '390086ac-76fa-4094-8cf3-c0829bd69526'...
OK
Key ID                                 Key Name
12d3f3a4-aea5-4832-8339-fa14dbffd935   my-standard-key

Example 6

Create a standard key, which is used as a vault for credentials.

Any base64-encoded string can be imported as a standard key. This example shows how to store credentials, not just encryption keys, in Key Protect.

Standard keys can be up to 7,500 bytes in size before base64-encoding.

# create a file with your credentials
$ cat credentials.json

{
    "host": "localhost",
    "database": "dev-backup",
    "username": "my-username",
    "password": "my-password"
}

# encode the credentials (or any string) to a base64 string
$ ENCODED=$(base64 -i credentials.json)

$ echo $ENCODED

ewoJImhvc3QiOiAibG9jYWxob3N0IiwK...<redacted>...cGFzc3dvcmQiCn0K

# create a new key that contains the base64-encoded credentials
$ ibmcloud kp key create credentials-key -i $KP_INSTANCE_ID --key-material $ENCODED --standard-key --output json

# OR... CAPTURE THE KEY_ID
$ KEY_ID=$(ibmcloud kp key create credentials-key -i $KP_INSTANCE_ID --key-material $ENCODED --standard-key --output json | jq -r '.["id"]')

{
    "id": "8480e26f-3add-4fff-bca7-8cf908894b7c",
    "name": "credentials-key",
    "type": "application/vnd.ibm.kms.key+json",
    "extractable": true,
    "state": 1,
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:a192d603-0b8d-452f-aac3-f9e1f95e7411:key:8480e26f-3add-4fff-bca7-8cf908894b7c",
    "deleted": false
}

# retrieve the base64-encoded payload
$ ibmcloud kp key show $KEY_ID --output json

# OR... CAPTURE THE PAYLOAD
$ PAYLOAD=$(ibmcloud kp key show $KEY_ID --output json | jq -r '.["payload"]')

{
    "id": "8480e26f-3add-4fff-bca7-8cf908894b7c",
    "name": "credentials-key",
    "type": "application/vnd.ibm.kms.key+json",
    "algorithmType": "AES",
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2020-08-18T16:13:08Z",
    "lastUpdateDate": "2020-08-18T16:13:08Z",
    "extractable": true,
    "payload": "ewoJImhvc3QiOiAibG9jYWxob3N0IiwKCSJkYXRhYmFzZSI6ICJkZXYtYmFja3VwIiwKCSJ1c2VybmFtZSI6ICJteS11c2VybmFtZSIsCgkicGFzc3dvcmQiOiAibXktcGFzc3dvcmQiCn0=",
    "state": 1,
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:a192d603-0b8d-452f-aac3-f9e1f95e7411:key:8480e26f-3add-4fff-bca7-8cf908894b7c",
    "deleted": false,
    "dualAuthDelete": {
        "enabled": false
      }
}

# decode the payload to get the original string (credentials)
$ echo $PAYLOAD | base64 -d

{
    "host": "localhost",
    "database": "dev-backup",
    "username": "my-username",
    "password": "my-password"
}

Example 7

Create a root key with an alias, then use that alias to identify the key to show the key details.

# create a root key with an alias
$ ibmcloud kp key create root-key-with-alias -a example-alias --output json

{
    "id": "b3660416-4186-4587-b528-484886a4731b",
    "name": "root-key-with-alias",
    "type": "application/vnd.ibm.kms.key+json",
    "extractable": false,
    "state": 1,
    "aliases": [
        "example-alias"
    ],
    "keyRingID": "default",
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:390086ac-76fa-4094-8cf3-c0829bd69526:key:b3660416-4186-4587-b528-484886a4731b",
    "deleted": false
}

# show key details using the alias as identifier
$ ibmcloud kp key show example-alias --output json

{
    "id": "b3660416-4186-4587-b528-484886a4731b",
    "name": "root-key-with-alias",
    "type": "application/vnd.ibm.kms.key+json",
    "algorithmType": "AES",
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2022-06-09T21:21:55Z",
    "lastUpdateDate": "2022-06-09T21:21:55Z",
    "keyVersion": {
        "id": "264fadc3-7667-4b25-916e-5825fe70de0b",
    "creationDate": "2022-06-09T21:21:55Z"
    },
    "aliases": [
        "example-alias"
    ],
    "keyRingID": "default",
    "extractable": false,
    "state": 1,
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:390086ac-76fa-4094-8cf3-c0829bd69526:key:b3660416-4186-4587-b528-484886a4731b",
    "deleted": false,
    "dualAuthDelete": {
        "enabled": false
    }
}

Example 8

Add a description to a key. For example, a short phrase used to describe the intended purpose of the key.

ibmcloud kp key create KEY_NAME -i 40f2a13c-780e-4641-bea5-e166e5bb5a9f -D ""description of the key""

Required parameters

  • KEY_NAME

    A unique, human-readable identifier to assign to your key.

  • -i, --instance-ID

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

Optional parameters

  • -k, --key-material

    If you generated a key then this is the base64-encoded key material that you store and manage in the service.

    Root keys must be 16, 24, or 32 bytes long; corresponding to 128, 192, or 256 bits. The key must be base64-encoded.

    Standard keys can be up to 7,500 bytes in size. The key must be base64-encoded.

    If you are creating a key using an import token then this is the encrypted key from the kp import-token key-encrypt process.

    To generate a new key, omit the -k, --key-material parameter.

  • -n, --encrypted-nonce

    Used with import tokens. The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key material that you import into the service. See ibmcloud kp import-token --help.

    To retrieve a nonce, use ibmcloud kp import-token show. Then, encrypt the value by running ibmcloud kp import-token nonce-encrypt.

  • -o, --output

    Set the CLI output format. By default, all commands print in table format. To change the output format to JSON, use --output json.

  • -s, --standard-key

    Set the parameter only if you want to create a standard key. To create a root key, omit the --standard-key parameter.

  • -v, --iv

    Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service.

    To generate an IV, encrypt the nonce by running ibmcloud kp import-token nonce-encrypt.

  • --key-ring

    A unique, human readable name for the key-ring. Required if the user doesn't have permissions on the default key ring.

  • -D, --description

    Allows a description to be added to the key. For example, a short phrase used to describe the intended purpose of the key.

kp key create-key-with-policy-overrides

Create a key with policies for only the named key that will override any applicable instance policies.

ibmcloud kp key create-key-with-policy-overrides KEY_NAME
    -i, --instance-id                         INSTANCE_ID
    [-a, --aliases                            ALIAS]
    [-d, --dual-auth-delete-policy-enabled    KEY_RING_ID]
    [--key-ring                               KEY_RING_ID]
    [-k, --key-material                       KEY_MATERIAL]
    [-m, --rotation-interval-month            VALUE]
    [-n, --encrypted-nonce                    NONCE]
    [-o, --output                             OUTPUT]
    [-s, --standard-key]
    [-v, --iv                                 IV]

Example

Create a root key that enables a rotation policy with an interval of 2 months (each "month" is valued at 30 days, resulting in a 60-day rotation interval).

% ibmcloud kp key create-key-with-policy-overrides test-key -m 2 -r
Creating key with policy overrides: 'test-key', in instance: '47377f07-8721-2O47-f396-ef1982c1e96e'...

OK
Key ID                                 Key Name   
076df396-4c90-e008-bf20-f1bb672d465b   test-key

# List policies
% ibmcloud kp key policies 076df396-4c90-e008-bf20-f1bb672d465b
Retrieving policy details for key ID: 076df396-4c90-e008-bf20-f1bb672d465b...
OK
                   
Created By      IBMid-xxxxnnnnnxxx   
Creation Date   2022-10-27T17:48:20Z   
Last Updated    2022-10-27T17:48:20Z   
Updated By      IBMid-xxxxnnnnnxxx   
Policy Type     Rotation   
Interval        2   
Enabled         true

Required parameters

  • KEY_NAME

    A unique, human-readable identifier to assign to your key.

  • -i, --instance-ID

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

Optional parameters

  • -a, --aliases

    Alphanumeric human-readable alias names ranging 2-90 characters assigned to your key. Alias cannot contain spaces or special characters other than underscores and dashes. A maximum of 5 aliases are allowed per key.

  • -d, --dual-auth-delete-policy-enabled

Enables the dual auth delete policy for a key.

  • -k, --key-material

    If you generated a key then this is the base64-encoded key material that you store and manage in the service.

    Root keys must be 16, 24, or 32 bytes long; corresponding to 128, 192, or 256 bits. The key must be base64-encoded.

    Standard keys can be up to 7,500 bytes in size. The key must be base64-encoded.

    If you are creating a key using an import token then this is the encrypted key from the kp import-token key-encrypt process.

    To generate a new key, omit the -k, --key-material parameter.

  • -n, --encrypted-nonce

    Used with import tokens. The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key material that you import into the service. See ibmcloud kp import-token --help.

    To retrieve a nonce, use ibmcloud kp import-token show. Then, encrypt the value by running ibmcloud kp import-token nonce-encrypt.

  • -o, --output

    Set the CLI output format. By default, all commands print in table format. To change the output format to JSON, use --output json.

  • -m, --rotation-interval-month

Specify the rotation time interval (in months) for a key. The default value is -1.

  • -s, --standard-key

    Set the parameter only if you want to create a standard key. To create a root key, omit the --standard-key parameter.

  • -v, --iv

    Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service.

    To generate an IV, encrypt the nonce by running ibmcloud kp import-token nonce-encrypt.

  • --key-ring

    A unique, human readable name for the key-ring. Required if the user doesn't have permissions on the default key ring.

kp key delete

Delete a key that is stored in your Key Protect service.

ibmcloud kp key delete KEY_ID_OR_ALIAS
        -i, --instance-id INSTANCE_ID
    [--key-ring          KEY_RING_ID]
    [-f, --force]
    [-o, --output      OUTPUT]

Examples

These are examples of kp key delete.

Example 1

Delete a root key.

# create a root key
$ ibmcloud kp key create my-root-key

Creating key: 'my-root-key', in instance: '390086ac-76fa-4094-8cf3-c0829bd69526'...
OK
Key ID                                 Key Name
8635b804-9966-4918-a16b-d561fdbf181f   my-root-key

# show key details
$ ibmcloud kp key show 8635b804-9966-4918-a16b-d561fdbf181f

Grabbing info for key id: 8635b804-9966-4918-a16b-d561fdbf181f...
OK
Key ID                                 Key Name      Description   Creation Date                   Expiration Date
8635b804-9966-4918-a16b-d561fdbf181f   my-root-key                 2020-05-05 19:58:02 +0000 UTC   Key does not expire

# delete the key
$ ibmcloud kp key delete 8635b804-9966-4918-a16b-d561fdbf181f

Deleting key: 8635b804-9966-4918-a16b-d561fdbf181f, from instance: 390086ac-76fa-4094-8cf3-c0829bd69526...
OK
Deleted Key
8635b804-9966-4918-a16b-d561fdbf181f

Example 2

Delete a root key and show the JSON output.

# create a root key
$ ibmcloud kp key create my-root-key --output json

{
    "id": "9cca88c9-019e-4f0a-9e76-8e657c6b9720",
    "name": "my-root-key",
    "type": "application/vnd.ibm.kms.key+json",
    "extractable": false,
    "state": 1,
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb145:390086ac-76fa-4094-8cf3-c0829bd69526:key:9cca88c9-019e-4f0a-9e76-8e657c6b9720"
}

# show key details
$ ibmcloud kp key show 9cca88c9-019e-4f0a-9e76-8e657c6b9720 --output json

{
    "id": "9cca88c9-019e-4f0a-9e76-8e657c6b9720",
    "name": "my-root-key",
    "type": "application/vnd.ibm.kms.key+json",
    "algorithmType": "AES",
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2020-05-05T20:03:00Z",
    "lastUpdateDate": "2020-05-05T20:03:00Z",
    "extractable": false,
    "state": 1,
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb145:390086ac-76fa-4094-8cf3-c0829bd69526:key:9cca88c9-019e-4f0a-9e76-8e657c6b9720"
}

# delete the key
$ ibmcloud kp key delete 9cca88c9-019e-4f0a-9e76-8e657c6b9720 --output json

{
    "id": "9cca88c9-019e-4f0a-9e76-8e657c6b9720"
}

Example 3

Delete a root key that is registered with another cloud resource.

# create a Cloud Object Storage (COS) instance
# "lite" is the pricing plan and "global" is the region
$ COS_NAME=my-cos-1

$ ibmcloud resource service-instance-create $COS_NAME cloud-object-storage lite global

# capture the COS instance id (GUID)
$ COS_INSTANCE_ID=9d4353d8-6b85-4689-90dd-1ccfb4a275ab

# create a Key Management Service (KMS) instance
# "tiered-pricing" is the pricing plan and "us-south" is the region
$ KMS_NAME=my-kms-1

$ ibmcloud resource service-instance-create $KMS_NAME kms tiered-pricing us-south

# capture the Key Protect (KP) instance id (GUID)
$ KP_INSTANCE_ID=b0d84b32-09d0-4314-8049-da78e3b9ab6f

# create a policy for COS to read KMS; source is COS, target is KMS (Key Protect)
$ ibmcloud iam authorization-policy-create cloud-object-storage kms Reader \
  --source-service-instance-id $COS_INSTANCE_ID \
  --target-service-instance-id $KP_INSTANCE_ID

# capture the COS-to-KMS authorization policy id
$ COS_KMS_AUTHORIZATION=79375168-2d74-49df-98aa-3e727410fa71

# create a KP root key that COS uses to encrypt data
$ ibmcloud kp key create my-cos-key --output json

{
    "id": "52a9d772-8982-4620-bfb4-b070dd812a0c",
    "name": "my-cos-key",
    "type": "application/vnd.ibm.kms.key+json",
    "extractable": false,
    "state": 1,
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:b0d84b32-09d0-4314-8049-da78e3b9ab6f:key:52a9d772-8982-4620-bfb4-b070dd812a0c"
}

# capture the KP root key id
$ MY_COS_KEY_ID=52a9d772-8982-4620-bfb4-b070dd812a0c

# create a COS bucket and set KP encryption
#   must be done in the console user interface (UI) because
#   there is no API or CLI support at this time

# capture the name of the COS bucket that was created
$ COS_BUCKET=my-cos-kms-bucket

# view the KP registration; it's a result of creating the COS bucket
$ ibmcloud kp registrations --output json

[
  {
    "keyId": "52a9d772-8982-4620-bfb4-b070dd812a0c",
    "resourceCrn": "crn:v1:bluemix:public:cloud-object-storage:global:a/ea998d3389c3473aa0987652b46fb146:9d4353d8-6b85-4689-90dd-1ccfb4a275ab:bucket:my-cos-kms-bucket",
    "createdBy": "crn-crn:v1:bluemix:public:cloud-object-storage:global:a/ea998d3389c3473aa0987652b46fb146:9d4353d8-6b85-4689-90dd-1ccfb4a275ab::",
    "creationDate": "2020-06-15T20:41:23Z",
    "lastUpdated": "2020-06-15T20:41:23Z",
    "keyVersion": { "id": "52a9d772-8982-4620-bfb4-b070dd812a0c", "creationDate": "2020-06-15T20:36:46Z"
    }
  }
]

# delete the authorization policy between COS AND KMS - this breaks everything
$ ibmcloud iam authorization-policy-delete $COS_KMS_AUTHORIZATION --force

# delete the KP root key - this fails because the registration was not deleted
$ ibmcloud kp key delete $MY_COS_KEY_ID

Deleting key: 52a9d772-8982-4620-bfb4-b070dd812a0c, from instance: b0d84b32-09d0-4314-8049-da78e3b9ab6f...
FAILED
kp.Error:
    correlation_id='c27b7948-4a1f-4cbd-8770-cb3616888e27',
    msg='Conflict: Key could not be deleted. Please see "reasons" for more details.',
    reasons='[PROTECTED_RESOURCE_ERR: Key is protecting one or more cloud resources -
        FOR_MORE_INFO_REFER: https://cloud.ibm.com/docs/key-protect?topic=key-protect-troubleshooting#unable-to-delete-keys]'

# delete the KP root key; use --force because the registration between COS and KMS still exists
$ ibmcloud kp key delete $MY_COS_KEY_ID --force --output json

{
    "id": "52a9d772-8982-4620-bfb4-b070dd812a0c"
}

# delete the KMS instance
$ ibmcloud resource service-instance-delete $KMS_NAME --force

# delete the COS instance
$ ibmcloud resource service-instance-delete $COS_NAME --force

# view resources (COS and KMS should no longer exist)
$ ibmcloud resource service-instances

Retrieving instances with type service_instance in resource group Default in all locations under account <account name> as <email address>...
OK
No service instance found.

Required parameters

  • KEY_ID_OR_ALIAS

    The v4 UUID or alias of the key that you want to delete. To retrieve a list of your available keys, run the kp keys command.

  • -i, --instance-id

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

Optional parameters

  • -f, --force

    Delete a key, with force, which is used to delete a key that has "registrations." Registrations are associations between root keys and other cloud resources, such as Cloud Object Storage (COS) buckets or Cloud Databases deployments.

    For more information, see kp registrations

  • -o, --output

    Set the CLI output format. By default, all commands print in table format. To change the output format to JSON, use --output json.

  • --key-ring

    A unique, human readable name for the key-ring. Required if the user doesn't have permissions on the default key ring.

kp key disable

The kp key disable command disables a root key and temporarily revokes access to the key's associated data in the cloud.

As an admin, you might need to temporarily disable a root key if you suspect a possible security exposure, compromise, or breach with your data.

Disabling a root key suspends its encrypt and decrypt operations. After confirming that a security risk is no longer active, you can restore access to your data by enabling the disabled root key.

When you disable a root key that was previously enabled, the key transitions from the Active (value is 1) to the Suspended (value is 2) key state.

To disable a root key, you must be assigned a Manager service access role for the instance or key. To learn how IAM roles map to Key Protect service actions, check out Service access roles.

If you're using an integrated Cloud Service that supports revoking access to a disabled root key, the service may take up to a maximum of 4 hours before access to the root key's associated data is revoked.

After access to the associated data is revoked, a corresponding disable event is displayed in the IBM Cloud Activity Tracker web UI. The disable event indicates the key has been revoked (and is now disabled) and the key can not be used for encrypt and decrypt operations.

ibmcloud kp key disable KEY_ID_OR_ALIAS
    -i, --instance-id INSTANCE_ID
    [--key-ring         KEY_RING_ID]

Examples

These are examples of kp key disable.

Example 1

Create a root key, disable it, verify the key state (suspended), enable the root key, and verify the key state (active).

# create a root key
$ ibmcloud kp key create my-root-key --output json

{
    "id": "264fadc3-7667-4b25-916e-5825fe70de0b",
    "name": "my-root-key",
    "type": "application/vnd.ibm.kms.key+json",
    "extractable": false,
    "state": 1,
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:390086ac-76fa-4094-8cf3-c0829bd69526:key:264fadc3-7667-4b25-916e-5825fe70de0b"
}

# show key details - a state of "1" is "active"
$ ibmcloud kp key show 264fadc3-7667-4b25-916e-5825fe70de0b --output json

{
    "id": "264fadc3-7667-4b25-916e-5825fe70de0b",
    "name": "my-root-key",
    "type": "application/vnd.ibm.kms.key+json",
    "algorithmType": "AES",
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2020-06-09T21:21:55Z",
    "lastUpdateDate": "2020-06-09T21:21:55Z",
    "keyVersion": {
        "id": "264fadc3-7667-4b25-916e-5825fe70de0b",
    "creationDate": "2020-06-09T21:21:55Z"
    },
    "extractable": false,
    "state": 1,
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:390086ac-76fa-4094-8cf3-c0829bd69526:key:264fadc3-7667-4b25-916e-5825fe70de0b"
}

# disable the root key
$ ibmcloud kp key disable 264fadc3-7667-4b25-916e-5825fe70de0b

Disabling key: '264fadc3-7667-4b25-916e-5825fe70de0b', in instance: '390086ac-76fa-4094-8cf3-c0829bd69526'...
OK

# show key details - a state of "2" is "suspended"
$ ibmcloud kp key show 264fadc3-7667-4b25-916e-5825fe70de0b --output json

{
    "id": "264fadc3-7667-4b25-916e-5825fe70de0b",
    "name": "my-root-key",
    "type": "application/vnd.ibm.kms.key+json",
    "algorithmType": "AES",
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2020-06-09T21:21:55Z",
    "lastUpdateDate": "2020-06-09T21:23:26Z",
    "keyVersion": {
        "id": "264fadc3-7667-4b25-916e-5825fe70de0b",
    "creationDate": "2020-06-09T21:21:55Z"
    },
    "extractable": false,
    "state": 2,
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:390086ac-76fa-4094-8cf3-c0829bd69526:key:264fadc3-7667-4b25-916e-5825fe70de0b"
}

Example 2

Create a root key, disable it, and attempt to use the root key to wrap another key. 

# create a root key
$ KEY_ID=$(ibmcloud kp key create my-root-key --output json | jq -r '.["id"]')

$ echo $KEY_ID

63d044d9-b38b-4803-85ef-ed9a1e5087c2

# disable the root key
$ ibmcloud kp key disable $KEY_ID

Disabling key: '63d044d9-b38b-4803-85ef-ed9a1e5087c2', in instance: '390086ac-76fa-4094-8cf3-c0829bd69526'...
OK

# create a random, base64-encoded, 32-byte data encryption key (DEK)
$ PLAINTEXT=$(openssl rand -base64 32)

$ echo $PLAINTEXT

BNxtU9B4kXOZA45Cnyz3wOh4J77TakTXI1n2rj0ZiMc=

# wrap the plaintext key with the root key, creating a DEK (this is the ciphertext)
# this should fail (the root key is disables)
$ ibmcloud kp key wrap $KEY_ID -p $PLAINTEXT --output json

FAILED
kp.Error:
    correlation_id='c2edbdad-7e62-4690-8fcc-10515ade9913',
    msg='Conflict: Action could not be performed on key. Please see "reasons" for more details.',
    reasons='[KEY_ACTION_INVALID_STATE_ERR: Key is not in a valid state -
        FOR_MORE_INFO_REFER: https://cloud.ibm.com/apidocs/key-protect]'

Example 3

Create a root key with an alias, use that alias to identify the key to be disabled, verify the key state (suspended), then enable the root key and verify the new key state (active).

# create a root key
$ ibmcloud kp key create root-key-with-alias -a example-alias-1 --output json

{
    "id": "264fadc3-7667-4b25-916e-5825fe70de0b",
    "name": "root-key-with-alias",
    "type": "application/vnd.ibm.kms.key+json",
    "extractable": false,
    "state": 1,
    "aliases": [
        "example-alias"
    ],
    "deleted": false,
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:390086ac-76fa-4094-8cf3-c0829bd69526:key:264fadc3-7667-4b25-916e-5825fe70de0b"
}

# show key details using the alias as identifier - a state of "1" is "active"
$ ibmcloud kp key show example-alias-1 --output json

{
    "id": "264fadc3-7667-4b25-916e-5825fe70de0b",
    "name": "root-key-with-alias",
    "type": "application/vnd.ibm.kms.key+json",
    "algorithmType": "AES",
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2020-06-09T21:21:55Z",
    "lastUpdateDate": "2020-06-09T21:21:55Z",
    "keyVersion": {
        "id": "264fadc3-7667-4b25-916e-5825fe70de0b",
    "creationDate": "2020-06-09T21:21:55Z"
    },
    "extractable": false,
    "state": 1,
    ...
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:390086ac-76fa-4094-8cf3-c0829bd69526:key:264fadc3-7667-4b25-916e-5825fe70de0b"
}

# disable the root key identified by alias
$ ibmcloud kp key disable example-alias-1

Disabling key: '264fadc3-7667-4b25-916e-5825fe70de0b', in instance: '390086ac-76fa-4094-8cf3-c0829bd69526'...
OK

# show key details - a state of "2" is "suspended"
$ ibmcloud kp key show example-alias-1 --output json

{
    "id": "264fadc3-7667-4b25-916e-5825fe70de0b",
    "name": "root-key-with-alias",
    "type": "application/vnd.ibm.kms.key+json",
    "algorithmType": "AES",
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2020-06-09T21:21:55Z",
    "lastUpdateDate": "2020-06-09T21:23:26Z",
    "keyVersion": {
        "id": "264fadc3-7667-4b25-916e-5825fe70de0b",
    "creationDate": "2020-06-09T21:21:55Z"
    },
    "extractable": false,
    "state": 2,
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:390086ac-76fa-4094-8cf3-c0829bd69526:key:264fadc3-7667-4b25-916e-5825fe70de0b"
}

Required parameters

  • KEY_ID_OR_ALIAS

    The v4 UUID or alias of the key that you want to delete. To retrieve a list of your available keys, run the kp keys command.

  • -i, --instance-id

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

Optional parameters

  • --key-ring

    A unique, human readable name for the key-ring. Required if the user doesn't have permissions on the default key ring.

kp key enable

When you enable a root key that was previously disabled, the key transitions from the Suspended (value is 2) to the Active (value is 1) key state. This action restores the key's encrypt and decrypt operations.

If you're using an integrated Cloud Service that supports restoring access to a disabled root key, the service may take up to a maximum of 4 hours before access to the root key's associated data is restored.

After access to the associated data is restored, a corresponding enable event is displayed in the IBM Cloud Activity Tracker web UI. The enable event indicates the key has been restored (and is now enabled) and the key can be used for encrypt and decrypt operations, such as wrap, unwrap, and rewrap.

ibmcloud kp key enable <KEY_ID_OR_ALIAS> -i <INSTANCE_ID> [ --key-ring KEY_RING_ID]

Examples

This is an example of kp key enable.

# create a root key
$ ibmcloud kp key create my-root-key --output json

{
    "id": "264fadc3-7667-4b25-916e-5825fe70de0b",
    "name": "my-root-key",
    "type": "application/vnd.ibm.kms.key+json",
    "extractable": false,
    "state": 1,
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:390086ac-76fa-4094-8cf3-c0829bd69526:key:264fadc3-7667-4b25-916e-5825fe70de0b"
}

# show key details - a state of "1" is "active"
$ ibmcloud kp key show 264fadc3-7667-4b25-916e-5825fe70de0b --output json

{
    "id": "264fadc3-7667-4b25-916e-5825fe70de0b",
    "name": "my-root-key",
    "type": "application/vnd.ibm.kms.key+json",
    "algorithmType": "AES",
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2020-06-09T21:21:55Z",
    "lastUpdateDate": "2020-06-09T21:21:55Z",
    "keyVersion": {
        "id": "264fadc3-7667-4b25-916e-5825fe70de0b",
    "creationDate": "2020-06-09T21:21:55Z"
    },
    "extractable": false,
    "state": 1,
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:390086ac-76fa-4094-8cf3-c0829bd69526:key:264fadc3-7667-4b25-916e-5825fe70de0b"
}

# disable the root key
$ ibmcloud kp key disable 264fadc3-7667-4b25-916e-5825fe70de0b

Disabling key: '264fadc3-7667-4b25-916e-5825fe70de0b', in instance: '390086ac-76fa-4094-8cf3-c0829bd69526'...
OK

# show key details - a state of "2" is "suspended"
$ ibmcloud kp key show 264fadc3-7667-4b25-916e-5825fe70de0b --output json

{
    "id": "264fadc3-7667-4b25-916e-5825fe70de0b",
    "name": "my-root-key",
    "type": "application/vnd.ibm.kms.key+json",
    "algorithmType": "AES",
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2020-06-09T21:21:55Z",
    "lastUpdateDate": "2020-06-09T21:23:26Z",
    "keyVersion": {
        "id": "264fadc3-7667-4b25-916e-5825fe70de0b",
    "creationDate": "2020-06-09T21:21:55Z"
    },
    "extractable": false,
    "state": 2,
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:390086ac-76fa-4094-8cf3-c0829bd69526:key:264fadc3-7667-4b25-916e-5825fe70de0b"
}

# enable the key
$ ibmcloud kp key enable 264fadc3-7667-4b25-916e-5825fe70de0b

Enabling key: '264fadc3-7667-4b25-916e-5825fe70de0b', in instance: '390086ac-76fa-4094-8cf3-c0829bd69526'...
OK

# show key details - a state of "1" is "active"
$ ibmcloud kp key show 264fadc3-7667-4b25-916e-5825fe70de0b --output json

{
    "id": "264fadc3-7667-4b25-916e-5825fe70de0b",
    "name": "my-root-key",
    "type": "application/vnd.ibm.kms.key+json",
    "algorithmType": "AES",
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2020-06-09T21:21:55Z",
    "lastUpdateDate": "2020-06-09T21:31:44Z",
    "keyVersion": {
        "id": "264fadc3-7667-4b25-916e-5825fe70de0b",
    "creationDate": "2020-06-09T21:21:55Z"
    },
    "extractable": false,
    "state": 1,
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:390086ac-76fa-4094-8cf3-c0829bd69526:key:264fadc3-7667-4b25-916e-5825fe70de0b"
}

Required parameters

  • KEY_ID_OR_ALIAS

    The v4 UUID or alias of the key that you want to delete. To retrieve a list of your available keys, run the kp keys command.

  • -i, --instance-id

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

Optional parameters

  • --key-ring

    A unique, human readable name for the key-ring. Required if the user doesn't have permissions on the default key ring.

kp key policies

Retrieve details about a key policy, such as the key's automatic rotation interval. 

ibmcloud kp key policies KEY_ID_OR_ALIAS
        -i, --instance-id INSTANCE_ID
    [--key-ring          KEY_RING_ID]
    [-d, --dual-auth]
    [-o, --output      OUTPUT]
    [-r, --rotation]

Example

This example lists the policies for a root key.

Key policies are dual authorization delete and rotation.

# create a root key
$ KEY_ID=$(ibmcloud kp key create my-root-key --output json | jq -r '.["id"]')

$ echo $KEY_ID

c024c2b3-2093-46e5-aabb-fdf8cbc14e44

# show key details
$ ibmcloud kp key show $KEY_ID --output json

{
    "id": "c024c2b3-2093-46e5-aabb-fdf8cbc14e44",
    "name": "my-root-key",
    "type": "application/vnd.ibm.kms.key+json",
    "algorithmType": "AES",
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2020-06-18T20:34:39Z",
    "lastUpdateDate": "2020-06-18T20:34:39Z",
    "keyVersion": {
        "id": "c024c2b3-2093-46e5-aabb-fdf8cbc14e44",
    "creationDate": "2020-06-18T20:34:39Z"
    },
    "extractable": false,
    "state": 1,
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:a192d603-0b8d-452f-aac3-f9e1f95e7411:key:c024c2b3-2093-46e5-aabb-fdf8cbc14e44"
}

# update the policy and rotate the key every 2 months
$ ibmcloud kp key policy-update rotation $KEY_ID -m 2 --output json

{
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2020-06-18T20:35:41Z",
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:a192d603-0b8d-452f-aac3-f9e1f95e7411:policy:06a40fd6-6fd7-460a-87d7-8388fc1be057",
    "lastUpdateDate": "2020-06-18T20:35:41Z",
    "updatedBy": "user id ...<redacted>...",
    "rotation": {
        "interval_month": 2
      }
}

# list the policies
$ ibmcloud kp key policies $KEY_ID --output json

[
  {
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2020-06-18T20:35:41Z",
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:a192d603-0b8d-452f-aac3-f9e1f95e7411:policy:06a40fd6-6fd7-460a-87d7-8388fc1be057",
    "lastUpdateDate": "2020-06-18T20:35:41Z",
    "updatedBy": "user id ...<redacted>...",
    "rotation": { "interval_month": 2
    }
  }
]

Required parameters

  • KEY_ID_OR_ALIAS

    The v4 UUID or alias of the key that you want to query. To retrieve a list of your available keys, run the kp keys command.

  • -i, --instance-id

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

Optional parameters

  • -d, --dual-auth

    Show policies that have a dual-auth-delete policy.

  • -o, --output

    Set the CLI output format. By default, all commands print in table format. To change the output format to JSON, use --output json.

  • -r, --rotation

    Show policies that have a rotation policy.

  • --key-ring

    A unique, human readable name for the key-ring. Required if the user doesn't have permissions on the default key ring.

kp key policy-update dual-auth-delete

You can use Key Protect to safely delete encryption keys by using a dual authorization process. When you delete a key, you shred its contents and associated data. Any data that is encrypted by the key becomes inaccessible.

Deleting a key that has a dual authorization policy requires an authorization from two users. With the Key Protect API, you can provide the first authorization by setting the key for deletion. Then, a different user provides a second authorization by using the GUI or API to delete the key.

ibmcloud kp key policy-update dual-auth-delete KEY_ID_OR_ALIAS
        -i, --instance-id INSTANCE_ID
        -e, --enable
    [--key-ring          KEY_RING_ID]
    [-o, --output      OUTPUT]

Example

This example enables the dual authorization delete policy.

# create a root key
$ KEY_ID=$(ibmcloud kp key create my-root-key --output json | jq -r '.["id"]')

$ echo $KEY_ID

d887bfe8-5166-4dad-af32-7e3055ca1873

# show key details
$ ibmcloud kp key show $KEY_ID --output json

{
    "id": "d887bfe8-5166-4dad-af32-7e3055ca1873",
    "name": "my-root-key",
    "type": "application/vnd.ibm.kms.key+json",
    "algorithmType": "AES",
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2020-06-19T16:07:50Z",
    "lastUpdateDate": "2020-06-19T16:07:50Z",
    "keyVersion": {
        "id": "d887bfe8-5166-4dad-af32-7e3055ca1873",
    "creationDate": "2020-06-19T16:07:50Z"
    },
    "extractable": false,
    "state": 1,
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:a192d603-0b8d-452f-aac3-f9e1f95e7411:key:d887bfe8-5166-4dad-af32-7e3055ca1873"
}

# enable the dual authorization policy
$ ibmcloud kp key policy-update dual-auth-delete $KEY_ID --enable --output json

{
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2020-06-19T16:08:59Z",
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:a192d603-0b8d-452f-aac3-f9e1f95e7411:policy:0aab763d-b650-43a2-86ad-bdfe2c35c94c",
    "lastUpdateDate": "2020-06-19T16:08:59Z",
    "updatedBy": "user id ...<redacted>...",
    "dualAuthDelete": {
        "enabled": true
      }
}

# list the policies
$ ibmcloud kp key policies $KEY_ID --output json

[
  {
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2020-06-19T16:08:59Z",
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:a192d603-0b8d-452f-aac3-f9e1f95e7411:policy:0aab763d-b650-43a2-86ad-bdfe2c35c94c",
    "lastUpdateDate": "2020-06-19T16:08:59Z",
    "updatedBy": "user id ...<redacted>...",
    "dualAuthDelete": { "enabled": true
    }
  }
]

# this should fail (the key has a dual authorization policy)
$ ibmcloud kp key delete $KEY_ID_OR_ALIAS

Deleting key: d887bfe8-5166-4dad-af32-7e3055ca1873, from instance: a192d603-0b8d-452f-aac3-f9e1f95e7411...
FAILED
kp.Error:
    correlation_id='fe0db627-1726-4827-a9d2-c21d728e1c92',
    msg='Conflict: 1 prior authorization(s) are required for deletion: Key could not be deleted.
        Please see "reasons" for more details.',
    reasons='[AUTHORIZATIONS_NOT_MET: Number of authorizations required to delete is not met -
        FOR_MORE_INFO_REFER: https://cloud.ibm.com/apidocs/key-protect]'

Required parameters

  • KEY_ID_OR_ALIAS

    The v4 UUID or alias of the key that you want to query. To retrieve a list of your available keys, run the kp keys command.

  • -e, --enable

    Once you enable the dual-auth-delete policy you cannot disable it. You cannot delete a key without two (dual) authorizations. The process must be completed within 7 days, otherwise the dual authorization policy is automatically canceled, which means the key can be deleted by anyone that has authorization (two authorizations are not needed).

    If you enabled the dual authorization policy accidentally and you want to delete the key, you can disable the key (using the kp key disable command) and wait 7 days for the dual authorization policy to expire. At which time you can delete the key.

    You cannot delete the Key Protect instance as long as their active keys. A key with a dual authorization policy is an active key.

Optional parameters

  • -o, --output

    Set the CLI output format. By default, all commands print in table format. To change the output format to JSON, use --output json.

  • --key-ring

    A unique, human readable name for the key-ring. Required if the user doesn't have permissions on the default key ring.

kp key policy-update rotation

When you set an automatic rotation policy for a root key, you shorten the lifetime of the key at regular intervals, and you limit the amount of information that is protected by that key. Users can also enable or disable the key rotation policy on a key.

You can only create a rotation policy for root keys that are generated in Key Protect. If you imported the root key initially, you must provide a new base64-encoded key material to rotate the key. For more information, see Rotating root keys on-demand.

ibmcloud kp key policy-update rotation KEY_ID|KEY_ALIAS 
[--enable | --disable] [-m MONTHLY_INTERVAL] [-o FORMAT]
[--key-ring KEY_RING_ID]

Examples

Rotation policies can be applied at key creation time or after a key has been created. In the first example, we simply create the key without a rotation policy:

# create a root key

ibmcloud kp key create rotateKeyEnableDisableDemo

Creating key: 'rotateKeyEnableDisableDemo', in instance: '5ecfe306-d4at-48c0-ab07-b5c5bc751534'...
OK
Key ID                                 Key Name   
4d5540bd-3235-4a46-a8af-974f7ed6558a   rotateKeyEnableDisableDemo   
---------------------------------------------------------------------------------------------------------------------------------------------------

# set a rotation policy of three months

ibmcloud kp key policy-update rotation 4d5540bd-3235-4a46-a8af-974f7ed6558a -m 3 -e --output json

{
        "createdBy": "user id ...<redacted>...",
        "creationDate": "2022-12-02T00:50:11Z",
        "crn": "crn:v1:bluemix:public:kms:us-south:a/e3e8fd14a61a49cda102faad15b06c09:5ecfe306-d4af-48c0-ab07-b5c5bc751534:policy:0ec7ad62-982d-45bb-895f-986d95015f5b",
        "lastUpdateDate": "2022-12-02T00:51:38Z",
        "updatedBy": "user id ...<redacted>...",
        "rotation": {
                "enabled": true,
                "interval_month": 3
        }
}
---------------------------------------------------------------------------------------------------------------------------------------------------

# show the rotation policy for this key

ibmcloud kp key policies 4d5540bd-3235-4a46-a8af-974f7ed6558a -r --output json

{
        "createdBy": "user id ...<redacted>...",
        "creationDate": "2022-12-02T00:50:11Z",
        "crn": "crn:v1:bluemix:public:kms:us-south:a/e3e8fd14a61a49cda102faad15b06c09:5ecfe306-d4af-48c0-ab07-b5c5bc751534:policy:0ec7ad62-982d-45bb-895f-986d95015f5b",
        "lastUpdateDate": "2022-12-02T00:51:38Z",
        "updatedBy": "user id ...<redacted>...",
        "rotation": {
                "enabled": true,
                "interval_month": 2
        }
}
---------------------------------------------------------------------------------------------------------------------------------------------------

# update the policy to three months

ibmcloud kp key policy-update rotation 4d5540bd-3235-4a46-a8af-974f7ed6558a -m 3 -e --output json

{
        "createdBy": "user id ...<redacted>...",
        "creationDate": "2022-12-02T00:50:11Z",
        "crn": "crn:v1:bluemix:public:kms:us-south:a/e3e8fd14a61a49cda102faad15b06c09:5ecfe306-d4af-48c0-ab07-b5c5bc751534:policy:0ec7ad62-982d-45bb-895f-986d95015f5b",
        "lastUpdateDate": "2022-12-02T00:51:38Z",
        "updatedBy": "user id ...<redacted>...",
        "rotation": {
                "enabled": true,
                "interval_month": 3
        }
}
---------------------------------------------------------------------------------------------------------------------------------------------------

# disable the policy for this key

ibmcloud kp key policy-update rotation 4d5540bd-3235-4a46-a8af-974f7ed6558a -d --output json

{
        "createdBy": "user id ...<redacted>...",
        "creationDate": "2022-12-02T00:50:11Z",
        "crn": "crn:v1:bluemix:public:kms:us-south:a/e3e8fd14a61a49cda102faad15b06c09:5ecfe306-d4af-48c0-ab07-b5c5bc751534:policy:0ec7ad62-982d-45bb-895f-986d95015f5b",
        "lastUpdateDate": "2022-12-02T00:52:52Z",
        "updatedBy": "user id ...<redacted>...",
        "rotation": {
                "enabled": false,
                "interval_month": 3
        }
}
---------------------------------------------------------------------------------------------------------------------------------------------------

# show that the policy has been disabled

ibmcloud kp key policies 4d5540bd-3235-4a46-a8af-974f7ed6558a -r --output json

{
        "createdBy": "user id ...<redacted>...",
        "creationDate": "2022-12-02T00:50:11Z",
        "crn": "crn:v1:bluemix:public:kms:us-south:a/e3e8fd14a61a49cda102faad15b06c09:5ecfe306-d4af-48c0-ab07-b5c5bc751534:policy:0ec7ad62-982d-45bb-895f-986d95015f5b",
        "lastUpdateDate": "2022-12-02T00:52:52Z",
        "updatedBy": "user id ...<redacted>...",
        "rotation": {
                "enabled": false,
                "interval_month": 3
        }
}
---------------------------------------------------------------------------------------------------------------------------------------------------

Required parameters

  • KEY_ID_OR_ALIAS

    The v4 UUID or alias of the key that you want to query. To retrieve a list of your available keys, run the kp keys command.

Optional parameters

  • -m, --monthly-interval

    Set the key rotation interval in months. The rotation interval must be 1 to 12 months.

  • -e, --enable or -d, --disable

    By default, key rotation policy is enabled. If user wants to disable or enable the policy, they can use -d(--disable) or -e(--enable) respectively.

  • -o, --output

    Set the CLI output format. By default, all commands print in table format. To change the output format to JSON, use --output json.

  • --key-ring

    A unique, human readable name for the key-ring. Required if the user doesn't have permissions on the default key ring.

kp key restore

Key Protect can restore a previously deleted root key, which restores access to its associated data in the cloud.

As an admin, you might need to restore a root key that was imported into Key Protect to access data the key previously protected.

When you restore a key, you move the key from the Destroyed (value is 5) to the Active (value is 1) key state, and you restore access to any data that was previously encrypted with the key.

You can restore a deleted key within 30 days of its deletion. This capability is available only for root keys that were created with a key material.

You can only restore root keys that were created with a key material, using kp key create with the -k, --key-material option. You cannot restore a root key if the --key-material option was not specified.

If you want to restore a deleted root key then you must save the key material that was used to create the root key. You cannot restore a deleted key without provided the original key material.

ibmcloud kp key restore KEY_ID_OR_ALIAS
        -i, --instance-id     INSTANCE_ID
        -k, --key-material    KEY_MATERIAL
    [--key-ring          KEY_RING_ID]
    [-n, --encrypted-nonce ENCRYPTED_NONCE]
    [-v, --iv              IV]

Examples

These are examples of kp key restore.

Example 1

This example creates a root key using a key material, deletes the key, then restores the key.

# create a random, base64-encoded, 32-byte key material
$ KEY_MATERIAL=$(openssl rand -base64 32)

$ echo $KEY_MATERIAL

4EZBMBMkZ87z4nvYsQH21DC5+wslgWhHRiU8bmqJ4CY=

# create a root key from a base64-encoded value
$ KEY_ID=$(ibmcloud kp key create my-base64-root-key -k $KEY_MATERIAL --output json | jq -r '.["id"]')

$ echo $KEY_ID

62ad0cd5-70a4-4c4d-9d87-5f4db620b120

# delete the root key
$ ibmcloud kp key delete $KEY_ID

Deleting key: 62ad0cd5-70a4-4c4d-9d87-5f4db620b120, from instance: a192d603-0b8d-452f-aac3-f9e1f95e7411...
OK
Deleted Key
62ad0cd5-70a4-4c4d-9d87-5f4db620b120

# list keys - verify the key was deleted
$ ibmcloud kp keys

Retrieving keys...
OK
Key ID   Key Name

# restore the deleted key
$ ibmcloud kp key restore $KEY_ID -k $KEY_MATERIAL --output json

{
    "id": "62ad0cd5-70a4-4c4d-9d87-5f4db620b120",
    "name": "my-base64-root-key",
    "type": "application/vnd.ibm.kms.key+json",
    "extractable": false,
    "state": 1,
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:a192d603-0b8d-452f-aac3-f9e1f95e7411:key:62ad0cd5-70a4-4c4d-9d87-5f4db620b120"
}

# list keys - verify the key was restored
$ ibmcloud kp keys

Retrieving keys...
OK
Key ID                                 Key Name
62ad0cd5-70a4-4c4d-9d87-5f4db620b120   my-base64-root-key

Example 2

This workflow creates a root key using an import token, deletes the key, then restores the key.

This is a two-step process.

  1. Create a root key using an import token and then delete the key

  2. Create an import token, which is required to restore the key, and restore the key

Creating a root key using an import token has a time limit (the -e, --expiration option). When you restore a key you need an import token. Which is why you need to go through an import token process to restore a key.

Step 1 - create a root key using an import token and then delete the key

# create an import token that expires in 5 minutes and allows 10 retrievals
$ ibmcloud kp import-token create -e 300 -m 10

Created                         Expires                         Max Retrievals   Remaining Retrievals
2020-06-18 12:21:59 +0000 UTC   2020-06-18 12:26:59 +0000 UTC   10               10

# create a random, base64-encoded, 32-byte key material
$ KEY_MATERIAL=$(openssl rand -base64 32)

$ echo $KEY_MATERIAL

sADDNDE3pcJlbYXu2z5QFORvsxV1PosRiAPERrhYJdk=

# extract the nonce that was created by the "kp import-token create" command
$ NONCE=$(ibmcloud kp import-token show | jq -r '.["nonce"]')

$ echo $NONCE

/QhqOsqlVPC+ZPWz

# extract the public key that was created by the "kp import-token create" command
$ PUBLIC_KEY=$(ibmcloud kp import-token show | jq -r '.["payload"]')

$ echo $PUBLIC_KEY

LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0t ...<redacted>... QyBLRVktLS0tLQo=

# encrypt the key material using the public key
$ ibmcloud kp import-token key-encrypt -k $KEY_MATERIAL -p $PUBLIC_KEY

Encrypted Key
C+/puHn1v5p7aohitM4r6N4ohiVkCecP ...<redacted>... eWmJRuvsSxDg/OY=

# capture the encrypted key material
$ ENCRYPTED_KEY=C+/puHn1v5p7aohitM4r6N4ohiVkCecP ...<redacted>... eWmJRuvsSxDg/OY=

# encrypt the nonce
$ ibmcloud kp import-token nonce-encrypt -k $KEY_MATERIAL -n $NONCE

Encrypted Nonce                            IV
TxrgdayWnM5OB3JoYuQR97oulxvREptk8TzciQ==   7BiIpcbGxXBzuXZP

# capture the encrypted nonce and the initialization vector (IV)
$ ENCRYPTED_NONCE=TxrgdayWnM5OB3JoYuQR97oulxvREptk8TzciQ==
$ IV=7BiIpcbGxXBzuXZP

# create a root key using an import token, provide an encrypted key, nonce, and initialization vector (IV)
$ KEY_ID=$(ibmcloud kp key create my-imported-root-key -k $ENCRYPTED_KEY -n $ENCRYPTED_NONCE -v $IV --output json | jq -r '.["id"]')

$ echo $KEY_ID

c42c6f2c-8b67-4016-b2c3-99fba9490f5d

# list keys - verify the key was created
$ ibmcloud kp keys

Retrieving keys...
OK
Key ID                                 Key Name
c42c6f2c-8b67-4016-b2c3-99fba9490f5d   my-imported-root-key

# delete the root key
$ ibmcloud kp key delete $KEY_ID

Deleting key: c42c6f2c-8b67-4016-b2c3-99fba9490f5d, from instance: a192d603-0b8d-452f-aac3-f9e1f95e7411...
OK
Deleted Key
c42c6f2c-8b67-4016-b2c3-99fba9490f5d

# list keys - verify the key was deleted
$ ibmcloud kp keys

Retrieving keys...
OK
Key ID   Key Name

Step 2 - create an import token, which is required to restore the key, and restore the key

# NOTE: "kp key restore" requires an import token to complete the process,
# if you follow this example, the previously created import token may still
# exist and the example works; otherwise, if the import token has expired then
# you need to create a new import token prior to restoring the key

# create an import token that expires in 5 minutes and allows 10 retrievals
$ ibmcloud kp import-token create -e 300 -m 10

Created                         Expires                         Max Retrievals   Remaining Retrievals
2020-06-18 12:30:54 +0000 UTC   2020-06-18 12:35:54 +0000 UTC   10               10

# extract the nonce that was created by the "kp import-token create" command
$ NONCE=$(ibmcloud kp import-token show | jq -r '.["nonce"]')

$ echo $NONCE

N3x8F0ihAZ51nj6M

# extract the public key that was created by the "kp import-token create" command
$ PUBLIC_KEY=$(ibmcloud kp import-token show | jq -r '.["payload"]')

$ echo $PUBLIC_KEY

LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0t ...<redacted>... QyBLRVktLS0tLQo=

# encrypt the key material using the public key
$ ibmcloud kp import-token key-encrypt -k $KEY_MATERIAL -p $PUBLIC_KEY

Encrypted Key
Ch7hcsT1EOfSdghjOHKAemBZuzDoqJoH ...<redacted>... F4p/mkGT/EQJS5o=

# capture the encrypted key material
$ ENCRYPTED_KEY=Ch7hcsT1EOfSdghjOHKAemBZuzDoqJoH ...<redacted>... F4p/mkGT/EQJS5o=

# encrypt the nonce
$ ibmcloud kp import-token nonce-encrypt -k $KEY_MATERIAL -n $NONCE

Encrypted Nonce                            IV
nrrCczvYXvc6T7J2G+EOLjHZO1cpPyu/nhsIlA==   N6oLJnUqaKF3v5Sd

# capture the encrypted nonce and the initialization vector (IV)
$ ENCRYPTED_NONCE=nrrCczvYXvc6T7J2G+EOLjHZO1cpPyu/nhsIlA==
$ IV=N6oLJnUqaKF3v5Sd

# restore the deleted key
$ ibmcloud kp key restore $KEY_ID -k $ENCRYPTED_KEY -n $ENCRYPTED_NONCE -v $IV --output json

{
    "id": "c42c6f2c-8b67-4016-b2c3-99fba9490f5d",
    "name": "my-imported-root-key",
    "type": "application/vnd.ibm.kms.key+json",
    "extractable": false,
    "state": 1,
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:a192d603-0b8d-452f-aac3-f9e1f95e7411:key:c42c6f2c-8b67-4016-b2c3-99fba9490f5d"
}

# list keys - verify the key was restored
$ ibmcloud kp keys

Retrieving keys...
OK
Key ID                                 Key Name
c42c6f2c-8b67-4016-b2c3-99fba9490f5d   my-imported-root-key

Required parameters

  • KEY_ID_OR_ALIAS

    The v4 UUID or alias of the key that you want to restore.

  • -i, --instance-ID

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

Optional parameters

  • -k, --key-material

    Deprecated The key material from a previously imported base64-encoded key.

    If you created the root key using an import token, then the value of the -k, --key-material option is the encrypted material key. See example 2, which uses an import token to create the root key and it uses an import token to restore the root key.

  • -n, --encrypted-nonce

    Deprecated Verify a request to import a key by providing an encrypted nonce.

    For more information, see kp import-token nonce-encrypt.

  • -o, --output

    Set the CLI output format. By default, all commands print in table format. To change the output format to JSON, use --output json.

  • -v, --iv

    Deprecated Provide the initialization vector (IV) that is generated after you encrypt a nonce.

    For more information, see kp import-token nonce-encrypt.

  • --key-ring

    A unique, human readable name for the key-ring. Required if the user doesn't have permissions on the default key ring.

kp key-rings

List the key rings associated with the kp instance.

Example

The example shows the use of the CLI plugin to list key rings appropriate to the given instance.

ibmcloud kp key-rings -i <INSTANCE_ID>

Required parameters

  • -i, --instance-ID

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

kp key-ring create

Create a key ring within a kp instance.

Example

The example shows the use of the CLI plugin to create a key ring in the given instance.

ibmcloud kp key-ring create KEY_RING_ID -i <INSTANCE_ID>

Required parameters

  • KEY_RING_ID

    The alphanumeric reference longer than or equal to 2 characters and fewer than or equal to 100 for the key ring.

  • -i, --instance-ID

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

kp key-ring delete

Delete a key ring within a kp instance.

Example

The example shows the use of the CLI plugin to delete a key ring in the given instance. Note that the force (-f) has been added.

ibmcloud kp key-ring delete KEY_RING_ID -i <INSTANCE_ID> -f

Required parameters

  • KEY_RING_ID

    The alphanumeric reference longer than or equal to 2 characters and fewer than or equal to 100 for the key ring.

  • -i, --instance-ID

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

Optional parameters

  • -f, --force

    Force deletes a key ring that still has keys in the Destroyed state. Does not delete key rings that have keys in any other state. If a key ring contains keys in the Destroyed state and this flag is not added, the key ring delete fails.

kp key rotate

Rotate a root key that is stored in your Key Protect service.

When you rotate your root key, you replace the key with a new key material.

If Key Protect created the key (the key was not created with the -k parameter) then Key Protect creates a new key. You cannot specify kp key rotate with the -k parameter.

If you created a key and provided the key material ( kp key create key-name -k $KEY_MATERIAL) then you must provide a new key material when you rotate the key (kp key rotate $KEY_ID_OR_ALIAS -k $NEW_KEY_MATERIAL)

You cannot rotate a standard key, that is, a key created using the kp create key-name --standard-key command.

ibmcloud kp key rotate KEY_ID_OR_ALIAS
        -i, --instance-id  INSTANCE_ID
    [--key-ring           KEY_RING_ID]
    [-k, --key-material KEY_MATERIAL]

Examples

These are examples of kp key rotate.

Example 1

Rotate a root key.

# create a root key
$ ibmcloud kp key create my-root-key

Creating key: 'my-root-key', in instance: '390086ac-76fa-4094-8cf3-c0829bd69526'...
OK
Key ID                                 Key Name
1a6d5be8-287c-4eb3-9c44-cf0c2b0d67ad   my-root-key

# rotate the key
$ ibmcloud kp key rotate 1a6d5be8-287c-4eb3-9c44-cf0c2b0d67ad

Rotating root key...
OK

# show key details
$ ibmcloud kp key show 1a6d5be8-287c-4eb3-9c44-cf0c2b0d67ad

Grabbing info for key id: 1a6d5be8-287c-4eb3-9c44-cf0c2b0d67ad...
OK
Key ID                                 Key Name      Description   Creation Date                   Expiration Date
1a6d5be8-287c-4eb3-9c44-cf0c2b0d67ad   my-root-key                 2020-05-06 17:25:22 +0000 UTC   Key does not expire

# create a new key material
$ NEW_KEY_MATERIAL=$(openssl rand -base64 32)

# Key Protect created the root key, providing a new key material will fail
$ ibmcloud kp key rotate 1a6d5be8-287c-4eb3-9c44-cf0c2b0d67ad -k $NEW_KEY_MATERIAL

Rotating root key...
FAILED

Example 2

Rotate a base64-encoded or an imported token key.

First, create a root key from a base64 value or an imported token.

# create a random, base64-encoded, 32-byte key material
$ KEY_MATERIAL=$(openssl rand -base64 32)

# create a root key from a base64-encoded value
$ ibmcloud kp key create my-base64-root-key -k $KEY_MATERIAL

Creating key: 'my-base64-root-key', in instance: '390086ac-76fa-4094-8cf3-c0829bd69526'...
OK
Key ID                                 Key Name
e55f86ab-6984-4594-ad23-3024f6440a58   my-base64-root-key

# create a new key material
$ NEW_KEY_MATERIAL=$(openssl rand -base64 32)

# rotate the key
$ ibmcloud kp key rotate e55f86ab-6984-4594-ad23-3024f6440a58 -k $NEW_KEY_MATERIAL

Rotating root key...
OK

# the key was created from a key material, NOT providing a new key material will fail
$ ibmcloud kp key rotate e55f86ab-6984-4594-ad23-3024f6440a58

Rotating root key...
FAILED

Example 3

This examples shows how to...

  1. Create a root key

  2. Create a data encryption key (DEK), this is the plaintext

  3. Wrap the DEK with the root key, this creates a ciphertext

  4. Rotate the root key

  5. Unwrap the ciphertext to reveal the original DEK (plaintext) and a new ciphertext (the new ciphertext is the plaintext wrapped with the new rotated root key)

  6. Unwrap the new ciphertext to reveal the original DEK (plaintext)

# create a root key
$ KEY_ID=$(ibmcloud kp key create my-root-key --output json | jq -r '.["id"]')

$ echo $KEY_ID

5b976173-7804-4f82-acfa-bb98098bc528

# create a random, base64-encoded, 32-byte data encryption key (DEK)
$ PLAINTEXT=$(openssl rand -base64 32)

$ echo $PLAINTEXT

UPJ4YDwbQMjQG/aqlHsPhHV1CBkpIXngLHFS5+i4UZ4=

# wrap the plaintext key with the root key, creating a DEK (this is the ciphertext)
$ CIPHERTEXT=$(ibmcloud kp key wrap $KEY_ID -p $PLAINTEXT --output json | jq -r '.["Ciphertext"]')

$ echo $CIPHERTEXT

eyJjaXBoZXJ0ZXh0IjoiQkFrTlJrS2Q0 ...<redacted>... ODA5OGJjNTI4In0=

# rotate the root key
$ ibmcloud kp key rotate $KEY_ID

Rotating root key...
OK

# show key details
$ ibmcloud kp key show $KEY_ID --output json

{
    "id": "5b976173-7804-4f82-acfa-bb98098bc528",
    "name": "my-root-key",
    "type": "application/vnd.ibm.kms.key+json",
    "algorithmType": "AES",
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2020-06-10T18:09:27Z",
    "lastUpdateDate": "2020-06-10T18:13:31Z",
    "lastRotateDate": "2020-06-10T18:13:31Z",
    "keyVersion": {
        "id": "4330715a-918b-4718-b5ca-9475a214067e",
    "creationDate": "2020-06-10T18:13:31Z"
    },
    "extractable": false,
    "state": 1,
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:390086ac-76fa-4094-8cf3-c0829bd69526:key:5b976173-7804-4f82-acfa-bb98098bc528"
}

# unwrap the ciphertext, reveal the original DEK (plaintext),
# and see the new ciphertext (the plaintext wrapped with the rotated root key)
$ ibmcloud kp key unwrap $KEY_ID $CIPHERTEXT --output json

{
    "Plaintext": "UPJ4YDwbQMjQG/aqlHsPhHV1CBkpIXngLHFS5+i4UZ4=",
    "Rewrapped Plaintext": "eyJjaXBoZXJ0ZXh0IjoiS0FITEFRWjdh ...<redacted>... NWEyMTQwNjdlIn0="
}

# capture the new (rewrapped) plaintext
$ NEWCIPHERTEXT=eyJjaXBoZXJ0ZXh0IjoiS0FITEFRWjdh ...<redacted>... NWEyMTQwNjdlIn0=

# unwrap the ciphertext and reveal the original DEK (plaintext)
$ ibmcloud kp key unwrap $KEY_ID $NEWCIPHERTEXT --output json

{
    "Plaintext": "UPJ4YDwbQMjQG/aqlHsPhHV1CBkpIXngLHFS5+i4UZ4=",
    "Rewrapped Plaintext": ""
}

Required parameters

  • KEY_ID_OR_ALIAS

    The v4 UUID or alias of the root key that you want to rotate.

  • -i, --instance-id

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

Optional parameters

  • -k, --key-material

    To rotate a key that was initially generated without a --key-material parameter, that is kp key create my-key, omit the --key-material parameter.

    If a key was created with the --key-material parameter then specify the new base64-encoded key material that you use for rotating an existing root key.

    To rotate a key that was initially imported into the service, provide a new 32-byte (256-bit) key.

  • --key-ring

    A unique, human readable name for the key-ring. Required if the user doesn't have permissions on the default key ring.

kp key schedule-delete

A key with a dual-auth-delete policy requires authorization from two administrative users to delete the key.

Follow this process to delete a key with a dual-auth-delete policy.

  1. Create a key and enable the dual-auth-delete policy

  2. User 1 schedules (authorizes) a key deletion with the kp key schedule-delete command

  3. User 2 schedules (authorizes) a key deletion

  4. The key is deleted after the second schedule-delete is performed, which is supported in the user interface, API, and CLI

  5. If a second authorization does not occur within 7 days, the key returns to its default status

There are two ways to enable the dual-auth-delete policy:

  • Set the policy for a single key using kp key policy-update dual-auth-delete
  • Set the policy for the instance using kp instance policy-update dual-auth-delete; all keys created after the instance policy is enabled inherit the instance policy setting

The kp key cancel-delete command cancels, or removes, a prior authorization.

ibmcloud kp key schedule-delete KEY_ID_OR_ALIAS
    -i, --instance-id INSTANCE_ID
    [--key-ring         KEY_RING_ID]

Example

This is an example of scheduling a key to be deleted.

# schedule this key to be deleted
$ ibmcloud kp key schedule-delete $KEY_ID_OR_ALIAS

Scheduling key for deletion...
OK

# this key has a dual-auth-delete policy
$ ibmcloud kp key policies $KEY_ID_OR_ALIAS --output json

[
  {
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2020-06-22T19:13:00Z",
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:a192d603-0b8d-452f-aac3-f9e1f95e7411:policy:2427dbde-6cff-41eb-8b5a-ff26b038cafc",
    "lastUpdateDate": "2020-06-22T21:36:16Z",
    "updatedBy": "user id ...<redacted>...",
    "dualAuthDelete": { "enabled": true
    }
  }
]

Required parameters

  • KEY_ID_OR_ALIAS

    The v4 UUID or alias of the key that you want to delete. To retrieve a list of your available keys, run the kp keys command.

Optional parameters

  • --key-ring

    A unique, human readable name for the key-ring. Required if the user doesn't have permissions on the default key ring.

kp key show

Retrieve details about a key, such as the key metadata and key material.

If the key was designated as a root key, the system cannot return the key material for that key.

ibmcloud kp key show KEY_ID_OR_ALIAS
        -i, --instance-id INSTANCE_ID
    [--key-ring          KEY_RING_ID]
    [-o, --output      OUTPUT]

Examples

These are examples of kp key show.

Example 1

Create a root key and show the details.

# create a root key
$ ibmcloud kp key create my-root-key

Creating key: 'my-root-key', in instance: '390086ac-76fa-4094-8cf3-c0829bd69526'...
OK
Key ID                                 Key Name
8635b804-9966-4918-a16b-d561fdbf181f   my-root-key

# show key details
$ ibmcloud kp key show 8635b804-9966-4918-a16b-d561fdbf181f

Grabbing info for key id: 8635b804-9966-4918-a16b-d561fdbf181f...
OK
Key ID                                 Key Name      Description   Creation Date                   Expiration Date
8635b804-9966-4918-a16b-d561fdbf181f   my-root-key                 2020-05-05 19:58:02 +0000 UTC   Key does not expire

Example 2

This is an explanation of the JSON keys and values from the kp key show command. In this example the key was rotated to ensure all JSON key/value pairs are shown.

$ ibmcloud kp key show 8635b804-9966-4918-a16b-d561fdbf181f --output json

{
    "id": "8635b804-9966-4918-a16b-d561fdbf181f",
    "name": "my-root-key",
    "type": "application/vnd.ibm.kms.key+json",
    "algorithmType": "AES",
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2020-05-05T19:58:02Z",
    "lastUpdateDate": "2020-05-05T19:58:24Z",
    "lastRotateDate": "2020-05-05T19:58:24Z",
    "keyVersion": {
        "id": "85b65b20-4165-4da3-8ba9-880e72390461",
        "creationDate": "2020-05-05T19:58:24Z"
    },
    "extractable": false,
    "state": 1,
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:390086ac-76fa-4094-8cf3-c0829bd69526:key:8635b804-9966-4918-a16b-d561fdbf181f"
}
Key Description
id This is the KEY_ID, it is unique and is used whenever the CLI specifies a KEY_ID
name The name provided when the key was created
type Used by the API to set the content-type in a REST call
algorithmType Algorithm types are advanced encryption standard (AES) or cipher block chaining (CBC)
createdBy The user id that created the key
creationDate Date and time the key was created
lastUpdateDate Date and time the key was last updated
lastRotateDate Date and time the key was last rotated; this entry only exists if the key has been rotated
keyVersion / id This identifies the latest version of the root key
keyVersion / creationDate Date and time the key material was last updated
extractable A boolean that determines whether the key material can leave the service. If set to false, Key Protect designates the key as a nonextractable root key used for wrap and unwrap actions. If set to true, Key Protect designates the key as a standard key that you can store in your apps and services. Once set to false it cannot be changed to true.
state 1 - the key is active; 2 - the key is suspended; see key states
crn The cloud resource name (CRN)

Required parameters

  • KEY_ID_OR_ALIAS

    The v4 UUID or alias of the root key that you want to show.

  • -i, --instance-id

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

Optional parameters

  • -o, --output

    Set the CLI output format. By default, all commands print in table format. To change the output format to JSON, use --output json.

  • --key-ring

    A unique, human readable name for the key-ring. Required if the user doesn't have permissions on the default key ring.

kp key sync

This subcommand synchronizes the associated resources for a key.

ibmcloud kp key sync KEY_ID
     -i, --instance-id INSTANCE_ID
    [--key-ring             KEY_RING_ID]
    [-o, --output      FORMAT]

Examples

This is an example of kp key sync.

Example

Synchronize a key and show the results.

# synchronize the associated resources for a given key
$ ibmcloud kp key sync 94c06f9c-a07a-4961-8548-553cf7431f18

Synchronizing key...
OK
Key's associated resources are synchronized successfully

Required parameters

  • KEY_ID

    The ID of the key that you want to sync.

  • -i, --instance-id

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

Optional parameters

  • -o, --output

    Set the CLI output format. By default, all commands print in table format. To change the output format to JSON, use --output json.

  • --key-ring

    A unique, human readable name for the key-ring. Required if the user doesn't have permissions on the default key ring.

kp key update

Update a key with an existing key ring or a new key ring in your Key Protect instance.

ibmcloud kp key update KEY_ID_OR_ALIAS
        -i, --instance-id         INSTANCE_ID
        -r, --new-key-ring        KEY_RING_ID
    [-o, --output              OUTPUT]

Required parameters

  • KEY_ID_OR_ALIAS

    The v4 UUID or alias of the root key that you want to show.

  • -i, --instance-id

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

  • -r, --new-key-ring

    A unique, human readable name for the key-ring. Required if the user doesn't have permissions on the default key ring.

Optional parameters

  • -o, --output

    Set the CLI output format. By default, all commands print in table format. To change the output format to JSON, use --output json.

Examples

Note that the key ring must already be created, either as part of creating a key, or by itself.

This is an example of kp key update.

ic kp key update 5f2cc155-fe16-492c-845c-4d1f0688c7ba -r TestRing

Executing the command has a typical result:

Updating key...
OK
Key ID                                 Key Name             Key Ring ID   
5f2cc155-fe16-492c-845c-4d1f0688c7ba   TestKey                           TestRing

kp key unwrap

Unwrap a data encryption key using a root key that is stored in your Key Protect instance.

ibmcloud kp key unwrap KEY_ID_OR_ALIAS CIPHERTEXT_FROM_WRAP
        -i, --instance-id INSTANCE_ID
    [-a, --aad         ADDITIONAL_DATA]
    [--key-ring           KEY_RING_ID]
    [-o, --output      OUTPUT]

Examples

These are examples of kp key unwrap.

Example 1

Unwrap a ciphertext to reveal the plaintext data encryption key (DEK).

# create a root key
$ ibmcloud kp key create my-root-key

Creating key: 'my-root-key', in instance: '390086ac-76fa-4094-8cf3-c0829bd69526'...
OK
Key ID                                 Key Name
807eb0a6-cc10-4bfe-8331-41a6f712c4ea   my-root-key

# create a data encryption key (DEK), wrapped with the root key
$ ibmcloud kp key wrap 807eb0a6-cc10-4bfe-8331-41a6f712c4ea

Wrapping key...
OK
Ciphertext
eyJjaXBoZXJ0ZXh0IjoiKzhjbHVqcUNP ...<redacted>... NmY3MTJjNGViIn0=

# capture the ciphertext
$ CIPHERTEXT=eyJjaXBoZXJ0ZXh0IjoiKzhjbHVqcUNP ...<redacted>... NmY3MTJjNGViIn0=

# unwrap the ciphertext to reveal the plaintext data encryption key (DEK)
$ ibmcloud kp key unwrap 807eb0a6-cc10-4bfe-8331-41a6f712c4ea $CIPHERTEXT

Unwrapping key...
OK
Plaintext                                      Rewrapped Plaintext
mXW4GmBhkRG1+Dzkx1D6dMX99a4KyYwtwbghaaLEQZ0=

Example 2

Unwrap a ciphertext and provide AAD information.

One use case for supplying additional authentication data (AAD) is to "password protect" the ciphertext to make it more difficult to unwrap.

The ciphertext and the AAD is required to unwrap the ciphertext and reveal the plaintext data encryption key (DEK).

# create a root key
$ KEY_ID=$(ibmcloud kp key create my-root-key --output json | jq -r '.["id"]')

$ echo $KEY_ID

5f2cc155-fe16-492c-845c-4d1f0688c7ba

# create a random, base64-encoded, 32-byte data encryption key (DEK)
$ PLAINTEXT=$(openssl rand -base64 32)

$ echo $PLAINTEXT

H4ZfQe66aKcxirfCdNZ/3Na0JECP6HsAM3yclKmIfPQ=

# set the additional authentication data (AAD)
$ AAD1=My-Secret-Password
$ AAD2=My-Verification-Phrase

# wrap the plaintext with the root key and AAD
$ CIPHERTEXT=$(ibmcloud kp key wrap $KEY_ID -a "$AAD1,$AAD2" -p $PLAINTEXT --output json | jq -r '.["Ciphertext"]')

$ echo $CIPHERTEXT

eyJjaXBoZXJ0ZXh0IjoiL1pQUzRLbUxQ ...<redacted>... ZjA2ODhjN2JiIn0=

# unwrap the ciphertext and reveal the original plaintext DEK
$ ibmcloud kp key unwrap $KEY_ID $CIPHERTEXT -a $AAD1,$AAD2

Unwrapping key...
OK
Plaintext                                      Rewrapped Plaintext
H4ZfQe66aKcxirfCdNZ/3Na0JECP6HsAM3yclKmIfPQ=

# this should fail (missing some of the AAD)
$ ibmcloud kp key unwrap $KEY_ID $CIPHERTEXT -a $AAD1

Unwrapping key...
FAILED

# this should fail (AAD is in a different order)
$ ibmcloud kp key unwrap $KEY_ID $CIPHERTEXT -a $AAD2,$AAD1

Unwrapping key...
FAILED

Required parameters

  • KEY_ID_OR_ALIAS

    The v4 UUID or alias of the root key that you used for the initial wrap request.

  • CIPHERTEXT_FROM_WRAP

    The encrypted data key that was returned during the initial wrap operation.

  • -i, --instance-ID

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

Optional parameters

  • -a, --aad

    The additional authentication data (AAD) that was used to further secure a key. You can provide up to 255 strings, each delimited by a comma. If you supplied AAD on wrap, you must specify the same AAD, in the same order, on unwrap.

    The Key Protect service does not save additional authentication data. If you supply AAD, save the data to a secure location to ensure that you can access and provide the same AAD during subsequent unwrap requests.

-o, --output

Set the CLI output format. By default, all commands print in table format. To change the output format to JSON, use `--output json`.

  • --key-ring

    A unique, human readable name for the key-ring. Required if the user doesn't have permissions on the default key ring.

kp key versions

When you rotate a root key, Key Protect creates a new version of the key. List all key versions that are available for a KeyID or Key Alias in your Key Protect instance.

ibmcloud kp key versions KEY_ID_OR_ALIAS
        -i, --instance-id INSTANCE_ID
    [-r, --key-ring                KEY_RING_ID]
    [-n, --number-of-key-versions  VERSION_LIMIT]
    [-o, --output                  OUTPUT]
    [-s, --starting-offset         OFFSET]
    [-t, --total-count             TOTAL_COUNT]
    [-a, --all-key-states          ALL_KEY_STATES]

Examples

These are examples of kp key versions.

Example 1

One use case is auditing the rotation history of a root key as a security admin, by viewing its key version history.

# create a root key
$ ibmcloud kp key create my-root-key

Creating key: 'my-root-key', in instance: '390086ac-76fa-4094-8cf3-c0829bd69526'...
OK
Key ID                                 Key Name
807eb0a6-cc10-4bfe-8331-41a6f712c4ea   my-root-key

# rotate the root key
$ ibmcloud kp key rotate 807eb0a6-cc10-4bfe-8331-41a6f712c4ea

Rotating root key...
OK

# Inspect the versions
$ ibmcloud kp key versions 807eb0a6-cc10-4bfe-8331-41a6f712c4ea

Retrieving key Versions...
OK
Key Version ID                         Creation Date   
21562e93-8882-420e-90a7-912c70023373   2022-07-08T17:02:10Z
390086ac-76fa-4094-8cf3-c0829bd69526   2022-07-08T17:02:40Z

Example 2

The same use case for auditing a root key as a security admin and viewing the history, with its total count in JSON output.

# create a root key
$ ibmcloud kp key create my-root-key

Creating key: 'my-root-key', in instance: '390086ac-76fa-4094-8cf3-c0829bd69526'...
OK
Key ID                                 Key Name
807eb0a6-cc10-4bfe-8331-41a6f712c4ea   my-root-key

# rotate the root key
$ ibmcloud kp key rotate 807eb0a6-cc10-4bfe-8331-41a6f712c4ea

Rotating root key...
OK

# Inspect the versions
$ ibmcloud kp key versions 807eb0a6-cc10-4bfe-8331-41a6f712c4ea -t -o json
{
        "metadata": {
                "collectionType": "application/vnd.ibm.kms.key.version+json",
                "collectionTotal": 2,
                "totalCount": 2
        },
        "resources": [
                {
                        "id": "21562e93-8882-420e-90a7-912c70023373",
                        "creationDate": "2022-07-08T17:02:10Z"
                },
                {
                        "id": "390086ac-76fa-4094-8cf3-c0829bd69526",
                        "creationDate": "2022-07-08T17:02:40Z"
                }
        ]
}

Example 3

Another use case lists the first 12 key versions for a key set on a monthly rotation for the past year.

# create a root key
$ ibmcloud kp key create my-root-key

Creating key: 'my-root-key', in instance: '390086ac-76fa-4094-8cf3-c0829bd69526'...
OK
Key ID                                 Key Name
807eb0a6-cc10-4bfe-8331-41a6f712c4ea   my-root-key

# rotate the root key
$ ibmcloud kp key rotate 807eb0a6-cc10-4bfe-8331-41a6f712c4ea

Rotating root key...
OK

# Inspect the versions
$ ibmcloud kp key versions 807eb0a6-cc10-4bfe-8331-41a6f712c4ea -n 12 -o json
{
        "metadata": {
                "collectionType": "application/vnd.ibm.kms.key.version+json",
                "collectionTotal": 12
        },
        "resources": [
                {
                        "id": "21562e93-8882-420e-90a7-912c70023373",
                        "creationDate": "2021-07-08T17:02:10Z"
                },
                {
                        "id": "390086ac-76fa-4094-8cf3-c0829bd69526",
                        "creationDate": "2021-08-08T17:02:40Z"
                },[...10x]
        ]
}

Example 4

Another use case lists the second 12 key versions for a key set on a monthly rotation for the past two years.

ibmcloud kp key versions $KEY_ID_OR_ALIAS -n 12 -s 12

# create a root key
$ ibmcloud kp key create my-root-key

Creating key: 'my-root-key', in instance: '390086ac-76fa-4094-8cf3-c0829bd69526'...
OK
Key ID                                 Key Name
807eb0a6-cc10-4bfe-8331-41a6f712c4ea   my-root-key

# rotate the root key
$ ibmcloud kp key rotate 807eb0a6-cc10-4bfe-8331-41a6f712c4ea

Rotating root key...
OK

# Inspect the versions
$ ibmcloud kp key versions 807eb0a6-cc10-4bfe-8331-41a6f712c4ea -n 12 -s 12 -o json
{
        "metadata": {
                "collectionType": "application/vnd.ibm.kms.key.version+json",
                "collectionTotal": 12
        },
        "resources": [
                {
                        "id": "21562e93-8882-420e-90a7-912c70023373",
                        "creationDate": "2021-07-08T17:02:10Z"
                },
                {
                        "id": "390086ac-76fa-4094-8cf3-c0829bd69526",
                        "creationDate": "2021-08-08T17:02:40Z"
                },[...10x]
        ]
}

Example 5

An optional flag to return the number of versions of a key that is not currently active. Previously, the command would have failed, as in the following example:

# Attempt to show version count
$ ibmcloud kp key versions af61298c-d75d-42a8-aa76-e04178cf4685 -i 99980ccc-d482-4cd0-bb41-deb4f7f1eb92 -t

Retrieving key Versions...
FAILED
KEY_ACTION_INVALID_STATE_ERR
Key is not in a valid state
Correlation-ID:a494bf49-be82-426f-88d8-17b58cc8634d

With CLI version 0.8.0 and higher, the command succeeds when adding the -a flag, as in the following example:

# Attempt to show version count
$ ibmcloud kp key versions af61298c-d75d-42a8-aa76-e04178cf4685 -i 99980ccc-d482-4cd0-bb41-deb4f7f1eb92 -t -a

Retrieving key Versions...
OK
TotalCount: 2
Key Version ID                         Creation Date
14dfde20-a751-4c3e-b6b0-e8d00a17d8d1   2023-06-22T15:16:09Z
af61298c-d75d-42a8-aa76-e04178cf4685   2023-06-22T15:10:28Z

Note that if the -a flag is not given, the KEY_ACTION_INVALID_STATE_ERR is still returned for a key in a state other than active.

Required parameters

  • KEY_ID_OR_ALIAS

    The v4 UUID or alias of the root key that you used for the initial wrap request.

  • -i, --instance-ID

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

Optional parameters

  • --key-ring

    A unique, human readable name for the key-ring. Required if the user doesn't have permissions on the default key ring.

  • -n --number-of-key-versions

    Restricts the number of key versions to be retrieved by the supplied integer value (default: 200).

  • -o, --output

    Set the CLI output format. By default, all commands print in table format. To change the output format to JSON, use --output json.

  • -s --starting-offset

    Retrievies the key versions from the offset as specified by the supplied integer value.

  • -t --total-count

    Used to reterieve total number of key versions for a key by the supplied integer value.

  • -a --all-key-states

    An optional flag to return the number of versions for all key states, including keys that are not active.

kp key wrap

Wrap a data encryption key (DEK) using a root key that is stored in the Key Protect instance. A DEK is typically used to encrypt "other" pieces of information.

When you wrap a DEK with a root key, Key Protect combines the strength of multiple algorithms to protect the privacy and the integrity of your encrypted data.

You cannot wrap a standard key, that is, a key created using the -s parameter (ibmcloud kp key create my-key-name -s).

ibmcloud kp key wrap KEY_ID_OR_ALIAS
        -i, --instance-id INSTANCE_ID
    [--key-ring           KEY_RING_ID]
    [-a, --aad         ADDITIONAL_DATA]
    [-o, --output      OUTPUT]
    [-p, --plaintext   DATA_KEY]

Best practices

Wrapping a data encryption key (DEK) creates a ciphertext. The ciphertext is encrypted information that, when unwrapped, reveals the original DEK.

The Key Protect service does not store your DEK. Save, or persist to storage, the ciphertext to make sure you can retrieve the DEK with the kp key unwrap command.

It is recommended that you never save, or persist to storage, the plaintext DEK. In your application, load the ciphertext from storage, call Key Protect to get the plaintext DEK, and use the DEK to encrypt, or wrap, "other" pieces of information.

Do not save the DEK to persistent storage. Exposing the DEK may allow others to decrypt your data.

A new ciphertext is create each time the root key is wrapped.

Examples

These are examples of kp key wrap.

Example 1

Key Protect creates a new base64-encoded data encryption key (DEK) and wraps it with the root key.

# create a root key
$ ibmcloud kp key create my-root-key

Creating key: 'my-root-key', in instance: '390086ac-76fa-4094-8cf3-c0829bd69526'...
OK
Key ID                                 Key Name
807eb0a6-cc10-4bfe-8331-41a6f712c4ea   my-root-key

# create a new key and wrap it with the root key, creating a DEK (this is the ciphertext)
$ ibmcloud kp key wrap 807eb0a6-cc10-4bfe-8331-41a6f712c4ea

Wrapping key...
OK
Ciphertext
eyJjaXBoZXJ0ZXh0IjoiKzhjbHVqcUNP ...<redacted>... NmY3MTJjNGViIn0=

# capture the ciphertext
$ CIPHERTEXT=eyJjaXBoZXJ0ZXh0IjoiKzhjbHVqcUNP ...<redacted>... NmY3MTJjNGViIn0=

# unwrap the ciphertext to reveal the plaintext (DEK)
$ ibmcloud kp key unwrap 807eb0a6-cc10-4bfe-8331-41a6f712c4ea $CIPHERTEXT

Unwrapping key...
OK
Plaintext                                      Rewrapped Plaintext
mXW4GmBhkRG1+Dzkx1D6dMX99a4KyYwtwbghaaLEQZ0=

Example 2

Generate a base64-encoded data encryption key (DEK) and wrap it with the root key. 

# create a root key
$ KEY_ID=$(ibmcloud kp key create my-root-key --output json | jq -r '.["id"]')

$ echo $KEY_ID

9052d914-bebe-4177-90e9-6073a167b507

# create a random, base64-encoded, 32-byte data encryption key (DEK)
$ PLAINTEXT=$(openssl rand -base64 32)

$ echo $PLAINTEXT

tEqoiCu9CeUsbqRe6yBUkrJg80QKKG/z46OkX0YQMV8=

# wrap the plaintext key with the root key, creating a DEK (this is the ciphertext)
$ CIPHERTEXT=$(ibmcloud kp key wrap $KEY_ID -p $PLAINTEXT --output json | jq -r '.["Ciphertext"]')

$ echo $CIPHERTEXT

eyJjaXBoZXJ0ZXh0IjoiTkdQRlhCb1dT ...<redacted>... M2ExNjdiNTA3In0=

# unwrap the ciphertext and reveal the original DEK
$ ibmcloud kp key unwrap $KEY_ID $CIPHERTEXT

tEqoiCu9CeUsbqRe6yBUkrJg80QKKG/z46OkX0YQMV8=

Example 3

Wrap a root key and provide AAD information.

One use case for supplying additional authentication data (AAD) is to "password protect" and add a "verification phrase" to the ciphertext, which makes it more difficult to unwrap.

The ciphertext and the AAD is required to unwrap the ciphertext and reveal the plaintext DEK.

# create a root key
$ KEY_ID=$(ibmcloud kp key create my-root-key --output json | jq -r '.["id"]')

$ echo $KEY_ID

5f2cc155-fe16-492c-845c-4d1f0688c7ba

# set the additional authentication data (AAD)
$ AAD1=My-Secret-Password
$ AAD2=My-Verification-Phrase

# wrap the plaintext DEK with the root key and AAD
$ CIPHERTEXT=$(ibmcloud kp key wrap $KEY_ID -a "$AAD1,$AAD2" --output json | jq -r '.["Ciphertext"]')

$ echo $CIPHERTEXT

eyJjaXBoZXJ0ZXh0IjoiL1pQUzRLbUxQ ...<redacted>... ZjA2ODhjN2JiIn0=

# unwrap the ciphertext and reveal the original DEK
$ ibmcloud kp key unwrap $KEY_ID $CIPHERTEXT -a $AAD1,$AAD2

Unwrapping key...
OK
Plaintext                                      Rewrapped Plaintext
H4ZfQe66aKcxirfCdNZ/3Na0JECP6HsAM3yclKmIfPQ=

# this should fail (missing some of the AAD)
$ ibmcloud kp key unwrap $KEY_ID $CIPHERTEXT -a $AAD1

Unwrapping key...
FAILED

# this should fail (AAD is in a different order)
$ ibmcloud kp key unwrap $KEY_ID $CIPHERTEXT -a $AAD2,$AAD1

Unwrapping key...
FAILED

Required parameters

  • KEY_ID_OR_ALIAS

    The v4 UUID or alias of the root key that you want to use for wrapping. You cannot wrap a standard key.

  • -i, --instance-id

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

Optional parameters

  • -a, --aad

    The additional authentication data (AAD) that is used to further secure a key. The AAD is an array of strings that checks the integrity of the key contents. Each string can hold up to 255 characters.

    If you supply AAD during a wrap request, you must specify the same AAD, in the same order, during the subsequent unwrap request.

  • -o, --output

    Set the CLI output format. By default, all commands print in table format. To change the output format to JSON, use --output json.

  • -p, --plaintext

    The plaintext specifies a base64-encoded data encryption key (DEK) that is wrapped by the root key (identified by the KEY_ID or ALIAS parameters).

    The base64-encoded data encryption key (DEK) that you want to manage and protect. To import an existing key, provide a 32-byte (256-bit) key.

    To generate and wrap a new DEK, omit the --plaintext parameter.

  • --key-ring

    A unique, human readable name for the key-ring. Required if the user doesn't have permissions on the default key ring.

kp keys

List the keys that are available in your Key Protect instance.

Keys are listed in key id order; see example 5.

ibmcloud kp keys
        -i, --instance-id      INSTANCE_ID
        [-b --sort-by          SORT_BY] 
        [-c, --crn]
        [-f, --key-filter      FILTERS]
        [--key-ring            KEY_RING_ID]
        [--key-states          STATES]
        [-l --key-search       KEY_SEARCH] 
        [-n, --number-of-keys  NUMBER_OF_KEYS]
        [-o, --output          OUTPUT]
        [-s, --starting-offset STARTING_OFFSET]
        [-t, --key-type        TYPE]

Examples

These are examples of kp keys.

Example 1

List keys. Note that this will only list the first 200 keys in your instance by default. To show a greater or fewer number of keys, provide a value for the --number-of-keys parameter.

# list keys
$ ibmcloud kp keys

Retrieving keys...
OK
Key ID                                 Key Name
5f2cc155-fe16-492c-845c-4d1f0688c7ba   my-root-key
c36e9f3a-feaf-4033-8603-687784dc7e51   my-root-key

Example 2

List keys and show the cloud resource name (CRN) using the --crn parameter. 

# list keys and show the cloud resource name (CRN)
$ ibmcloud kp keys -c

Retrieving keys...
OK
Key ID                                 Key Name      CRN
5f2cc155-fe16-492c-845c-4d1f0688c7ba   my-root-key   crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:390086ac-76fa-4094-8cf3-c0829bd69526:key:5f2cc155-fe16-492c-845c-4d1f0688c7ba
c36e9f3a-feaf-4033-8603-687784dc7e51   my-root-key   crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:390086ac-76fa-4094-8cf3-c0829bd69526:key:c36e9f3a-feaf-4033-8603-687784dc7e51

Example 3

List keys in JSON format.

The --output json parameter implies the --crn (cloud resource name) parameter. 

# list keys
$ ibmcloud kp keys --output json

[
  {
    "id": "5f2cc155-fe16-492c-845c-4d1f0688c7ba",
    "name": "my-root-key",
    "type": "application/vnd.ibm.kms.key+json",
    "algorithmType": "AES",
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2020-05-10T18:04:01Z",
    "lastUpdateDate": "2020-05-10T18:04:01Z",
    "extractable": false,
    "state": 1,
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:390086ac-76fa-4094-8cf3-c0829bd69526:key:5f2cc155-fe16-492c-845c-4d1f0688c7ba"
    },
    {
        "id": "c36e9f3a-feaf-4033-8603-687784dc7e51",
    "name": "my-root-key",
    "type": "application/vnd.ibm.kms.key+json",
    "algorithmType": "AES",
    "createdBy": "user id ...<redacted>...",
    "creationDate": "2020-05-10T17:56:37Z",
    "lastUpdateDate": "2020-05-10T17:56:37Z",
    "extractable": false,
    "state": 1,
    "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:390086ac-76fa-4094-8cf3-c0829bd69526:key:c36e9f3a-feaf-4033-8603-687784dc7e51"
  }
]

Example 4

List keys and iterate over them, showing details.

# list keys and convert to a list
$ KEYS=$(ibmcloud kp keys --output json | jq -r '.[] | .id')

$ for key in $(echo "${KEYS}"); do
    ibmcloud kp key show ${key}
done

Grabbing info for key id: 5f2cc155-fe16-492c-845c-4d1f0688c7ba...
OK
Key ID                                 Key Name      Description   Creation Date                   Expiration Date
5f2cc155-fe16-492c-845c-4d1f0688c7ba   my-root-key                 2020-05-10 18:04:01 +0000 UTC   Key does not expire

Grabbing info for key id: c36e9f3a-feaf-4033-8603-687784dc7e51...
OK
Key ID                                 Key Name      Description   Creation Date                   Expiration Date
c36e9f3a-feaf-4033-8603-687784dc7e51   my-root-key                 2020-05-10 17:56:37 +0000 UTC   Key does not expire

Example 5

Create 20 keys and show them in groups of 5 using the kp keys -n -s options.

# create 20 test keys
$ for I in {1..20}; do
    KEY_ID=$(ibmcloud kp key create my-test-key-$I --output json | jq -r '.["id"]')
    KEY_NAME=$(ibmcloud kp key show $KEY_ID --output json | jq -r '.["name"]')
    echo $KEY_ID $KEY_NAME
done

b70f62a1-4d52-4526-91a9-ce47bf14c2a5 my-test-key-1
215f592c-3e42-47b6-867c-3cc1cce8a8fd my-test-key-2
df530c55-39c0-44e8-b7db-397593f70d90 my-test-key-3
768c9ceb-368b-46f7-9b1d-be211e036fe1 my-test-key-4
f141be88-5a34-4290-8513-4f01d934e75a my-test-key-5
b8794334-eea6-4c0d-8fe1-8086300b13f7 my-test-key-6
87679194-52d0-42af-81e1-bffd64f87315 my-test-key-7
cc7faf46-43cf-43b2-be98-7d1815371639 my-test-key-8
e9b08526-3227-406c-b83f-c28844bd952b my-test-key-9
3ee0d859-2968-4444-8e4d-3d28614f055c my-test-key-10
bc459a2f-56cb-445e-b4ee-9d1866b57560 my-test-key-11
62090ba8-7363-408e-9edc-aa9fb69c09be my-test-key-12
3b4b0511-00df-48e6-ad65-fad35bb6ce17 my-test-key-13
16276369-ba81-4eb5-be92-f13512147ad4 my-test-key-14
3d683d56-d340-40cb-b8b6-605dcfded01f my-test-key-15
10954149-0217-472d-8137-42fc330dbd03 my-test-key-16
54dd2745-7718-487f-85e6-a67e758dd945 my-test-key-17
3a5a3b52-6942-463d-9f7a-5b216bbf5123 my-test-key-18
90138be5-1dd1-4eea-b7c1-73cc8609e7f7 my-test-key-19
cf0a3d8b-4856-4aa5-be6a-88cca465eab0 my-test-key-20

# this is the same list sorted in KEY_ID order
# this is the order we expect when listing keys

10954149-0217-472d-8137-42fc330dbd03 my-test-key-16
16276369-ba81-4eb5-be92-f13512147ad4 my-test-key-14
215f592c-3e42-47b6-867c-3cc1cce8a8fd my-test-key-2
3a5a3b52-6942-463d-9f7a-5b216bbf5123 my-test-key-18
3b4b0511-00df-48e6-ad65-fad35bb6ce17 my-test-key-13

3d683d56-d340-40cb-b8b6-605dcfded01f my-test-key-15
3ee0d859-2968-4444-8e4d-3d28614f055c my-test-key-10
54dd2745-7718-487f-85e6-a67e758dd945 my-test-key-17
62090ba8-7363-408e-9edc-aa9fb69c09be my-test-key-12
768c9ceb-368b-46f7-9b1d-be211e036fe1 my-test-key-4

87679194-52d0-42af-81e1-bffd64f87315 my-test-key-7
90138be5-1dd1-4eea-b7c1-73cc8609e7f7 my-test-key-19
b70f62a1-4d52-4526-91a9-ce47bf14c2a5 my-test-key-1
b8794334-eea6-4c0d-8fe1-8086300b13f7 my-test-key-6
bc459a2f-56cb-445e-b4ee-9d1866b57560 my-test-key-11

cc7faf46-43cf-43b2-be98-7d1815371639 my-test-key-8
cf0a3d8b-4856-4aa5-be6a-88cca465eab0 my-test-key-20
df530c55-39c0-44e8-b7db-397593f70d90 my-test-key-3
e9b08526-3227-406c-b83f-c28844bd952b my-test-key-9
f141be88-5a34-4290-8513-4f01d934e75a my-test-key-5

# define a function for listing keys
$ list_keys () {
    N=$1
    S=$2
    KEYS=$(ibmcloud kp keys --number-of-keys $N --starting-offset $S --output json | jq -r '.[] | .id')
    for KEY_ID in $(echo "${KEYS}"); do
        KEY_ID=$(ibmcloud kp key show $KEY_ID --output json | jq -r '.["id"]')
    KEY_NAME=$(ibmcloud kp key show $KEY_ID --output json | jq -r '.["name"]')
    echo $KEY_ID $KEY_NAME
    done
}

# list the first group of keys
$ list_keys 5 0

10954149-0217-472d-8137-42fc330dbd03 my-test-key-16
16276369-ba81-4eb5-be92-f13512147ad4 my-test-key-14
215f592c-3e42-47b6-867c-3cc1cce8a8fd my-test-key-2
3a5a3b52-6942-463d-9f7a-5b216bbf5123 my-test-key-18
3b4b0511-00df-48e6-ad65-fad35bb6ce17 my-test-key-13

# list the second group of keys
$ list_keys 5 5

3d683d56-d340-40cb-b8b6-605dcfded01f my-test-key-15
3ee0d859-2968-4444-8e4d-3d28614f055c my-test-key-10
54dd2745-7718-487f-85e6-a67e758dd945 my-test-key-17
62090ba8-7363-408e-9edc-aa9fb69c09be my-test-key-12
768c9ceb-368b-46f7-9b1d-be211e036fe1 my-test-key-4

# list the third group of keys
$ list_keys 5 10

87679194-52d0-42af-81e1-bffd64f87315 my-test-key-7
90138be5-1dd1-4eea-b7c1-73cc8609e7f7 my-test-key-19
b70f62a1-4d52-4526-91a9-ce47bf14c2a5 my-test-key-1
b8794334-eea6-4c0d-8fe1-8086300b13f7 my-test-key-6
bc459a2f-56cb-445e-b4ee-9d1866b57560 my-test-key-11

# list the last group of keys
$ list_keys 5 15

cc7faf46-43cf-43b2-be98-7d1815371639 my-test-key-8
cf0a3d8b-4856-4aa5-be6a-88cca465eab0 my-test-key-20
df530c55-39c0-44e8-b7db-397593f70d90 my-test-key-3
e9b08526-3227-406c-b83f-c28844bd952b my-test-key-9
f141be88-5a34-4290-8513-4f01d934e75a my-test-key-5

# delete the test keys
$ KEYS=$(ibmcloud kp keys --output json | jq -r '.[] | .id')

$ for KEY_ID in $(echo "${KEYS}"); do
    KEY_NAME=$(ibmcloud kp key show $KEY_ID --output json | jq -r '.["name"]')
    if [[ $KEY_NAME == *"my-test-key-"* ]]; then
        echo "Deleting... $KEY_NAME $KEY_ID"
    ibmcloud kp key delete $KEY_ID
    fi
done

(output not shown)

Example 6

Lists the keys based on key states (Active, Suspended) in the Key Protect instance.

# list active and suspended keys
$ ibmcloud kp keys --key-states active,suspended

Retrieving keys...
OK
Key ID                                 Key Name
ef2cc155-fe56-492c-845c-4d1f0688c7ba   my-active-key
636e9f3a-feaf-4033-8603-687754dc7e51   my-suspended-key

Example 7

Lists the keys based on key type (root) in the Key Protect instance.

# list root keys
$ ibmcloud kp keys -t root

Retrieving keys...
OK
Key ID                                 Key Name
2f1cb135-fa16-40dc-815c-4d1f0ee8c7ba   my-root-key

Example 8

Lists the keys in the Key Protect instance with the key name or alias exactly matching the characters in the string "TEST" without quotation marks.

# list keys with identifiers exactly matching TEST
$ ibmcloud kp keys -l exact:TEST

Retrieving keys...
OK
Key ID                                 Key Name
636e9f3a-feaf-4033-8603-687754dc7e51   TEST

Example 9

Lists the keys in the Key Protect instance and sort the keys based on their id and the date the key was created starting with the newest (the hyphen, '-', indicates sort by descending order).

# sort keys by id and descending creationDate 
$ ibmcloud kp keys -b id,-creationDate

Retrieving keys...
OK
Key ID                                 Key Name
ef2cc155-fe56-492c-845c-4d1f0688c7ba   my-last-key
2f1cb135-fa16-40dc-815c-4d1f0ee8c7ba   my-first-key

Required parameters

  • -i, --instance-id

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

Optional parameters

  • -b, --sort-by

    Sort the keys based on the parameters. The default property for sorting results is "id." '-' before the parameter indicates sort by descending order. The supported sort parameters at this time are

    • id
    • state
    • extractable
    • imported
    • creationDate
    • lastUpdateDate
    • lastRotateDate
    • deletionDate
    • expirationDate

  • -c, --crn

    Include the cloud resource name (CRN) in the output.

  • -f, --key-filter

    Filter the keys based on the parameters. The supported key filtering parameters are

    • creationDate
    • deletionDate
    • expirationDate
    • extractable
    • lastUpdateDate
    • lastRotateDate
    • state

    The supporting operators for dates are:

    • gt (greater than)
    • gte (greater than or equal to)
    • lt (less than)
    • lte (less than or equal to)

    The results will be an exact match in case any of these operators are missing.

  • --key-states

    The state of the keys to be retrieved. List of strings containing valid states - Active, Suspended, Deactivated, Destroyed. (default: active,suspended,deactivated).

  • -l, --key-search

    List keys based on search string with prepended qualifiers (e.g. exact, not, alias, name). For more details, see the API Documentation.

  • -n, --number-of-keys

    Restricts the number of keys to be retrieved. The default is 200 and the maximum is 5000.

  • -o, --output

    Set the CLI output format. By default, all commands print in table format. To change the output format to JSON, use --output json.

    Setting the output to JSON (--output json) includes the cloud resource name (CRN) in the output.

  • -r, --key-ring

    A unique, human readable name for the key-ring. Required if the user doesn't have permissions on the default key ring.

  • -s, --starting-offset

    Retrieves keys starting at the offset specified. The offset is zero-based, meaning offset 0 (zero) is the first key.

  • -t, --key-type

    The type of keys to be retrieved. If set to standard-key, standard keys will be retrieved. If set to root-key, root keys will be retrieved.

kp region-set

Target a different Key Protect regional endpoint. 

ibmcloud kp region-set REGION
        -i, --instance-id INSTANCE_ID
        [-u, --unset]

Examples

These are examples of kp region-set.

Example 1

If the REGION parameter is not specified, you are prompted to select a region.

# set the region endpoint
$ ibmcloud kp region-set

Select a Region:
1. au-syd
2. ca-tor
3. eu-de
4. eu-gb
5. jp-osa
6. jp-tok
7. us-east
8. us-south
9. br-sao
10. staging (us-south)
Enter a number: 
5
OK

Example 2

Set the region explicitly.

# set the region endpoint to "us-south"
$ ibmcloud kp region-set us-south

OK

The REGION must be a valid regional endpoint.

# this should fail (not a valid regional endpoint)
$ ibmcloud kp region-set not-a-region

FAILED

Example 3

Unset (remove) the regional endpoint.

# remove the regional endpoint
$ ibmcloud kp region-set -u

OK

Required parameters

  • -i, --instance-id

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

Optional parameters

  • REGION

    Specify a regional endpoint. This parameter is optional and if not specified, you are prompted to select a regional endpoint from a list.

  • -u, --unset

    Unset (remove) the regional endpoiont.

kp registrations

Registrations are associations between root keys and other cloud resources, such as Cloud Object Storage (COS) buckets or Cloud Databases deployments.

For example, in Key Protect you create a root key, which is used by COS to protect data at rest.

The relationship between other cloud resources and Key Protect is called a registration.

Do not delete a root key if there are resources, such as COS buckets and objects, that rely on the root key. Deleting the root key means you cannot recover those resources. This is known as "crypto shredding" and there is no recovery from this action.

ibmcloud kp registrations
        -i, --instance-id INSTANCE_ID
    [-r, --key-ring    KEY_RING_ID]
    [-c, --crn-query   CRN_PATTERN]
    [-k, --key-id      KEY_ID_OR_ALIAS]
    [-o, --output      OUTPUT]

Examples

These are examples of kp registrations.

Registration examples show numerous Cloud Resource Names (CRNs). CRNs follow this format:

crn:version:cname:ctype:service-name:location:scope:service-instance:resource-type:resource

See Cloud Resource Names for an in-depth explanation of CRN fields.

Example 1

List all registrations, which may include cloud resources such as databases, storage, compute, containers, or messaging.

This example shows the registration between Cloud Object Storage (COS) and Key Protect.

# view all registrations
$ ibmcloud kp registrations --output json

[
  {
    "keyId": "2cbea94c-6070-4a24-b0f8-7a56e4d7cb6f",
    "resourceCrn": "crn:v1:bluemix:public:cloud-object-storage:global:a/ea998d3389c3473aa0987652b46fb146:4b636e74-f3ca-40bb-80b8-3bd21801ccb8:bucket:my-cos-kms-bucket",
    "createdBy": "crn-crn:v1:bluemix:public:cloud-object-storage:global:a/ea998d3389c3473aa0987652b46fb146:4b636e74-f3ca-40bb-80b8-3bd21801ccb8::",
    "creationDate": "2020-06-15T16:07:37Z",
    "lastUpdated": "2020-06-15T16:07:37Z",
    "keyVersion": { "id": "2cbea94c-6070-4a24-b0f8-7a56e4d7cb6f", "creationDate": "2020-06-15T16:05:53Z"
    }
  }
]

Example 2

This example shows the full lifecycle of two cloud resources (Cloud Object Storage and Key Protect - from creating Key Protect instances and creating a policy between them to deleting the instances.

A summary of the steps is:

Step Where Description
1 CLI Create cloud object storage (COS) and Key Protect (KP) instances
2 CLI Create a policy for COS to access KP encryption keys
3 CLI Create a KP root key that COS uses to encrypt data
4 Console UI Create a COS bucket and specify KP encryption; this is done in the console user interface (UI) because there is no API or CLI support at this time
5 CLI View the KP registration
6 CLI Upload and download an object to verify COS and KP works together
7 CLI Delete the COS bucket and the KP root key
8 CLI Delete the authorization policy between COS and KP
9 CLI Delete the COS and KP instances

These commands show COS and Key Protect service plans. The ibmcloud resource service-instance-create command requires a service plan name and a location, which is in the catalog.

# show the catalog offerings for cloud object storage (COS) and Key Protect
$ ibmcloud catalog service cloud-object-storage

$ ibmcloud catalog service kms

The example covers multiple steps and should be performed in consultation with the summary provided.

# create a Cloud Object Storage (COS) instance
# "lite" is the pricing plan and "global" is the region
$ COS_NAME=my-cos-1

$ ibmcloud resource service-instance-create $COS_NAME cloud-object-storage lite global

Creating service instance my-cos-1 in resource group Default of account <account name> as <email address>...
OK
Service instance my-cos-1 was created.
Name:             my-cos-1
ID:               crn:v1:bluemix:public:cloud-object-storage:global:a/ea998d3389c3473aa0987652b46fb146:4b636e74-f3ca-40bb-80b8-3bd21801ccb8::
GUID:             4b636e74-f3ca-40bb-80b8-3bd21801ccb8
Location:         global
State:            active
Type:             service_instance
Sub Type:
Allow Cleanup:    false
Locked:           false
Created at:       2020-06-15T16:03:39Z
Updated at:       2020-06-15T16:03:39Z
Last Operation:             Status    create succeeded             Message   Completed create instance operation

# capture the COS instance id (GUID)
$ COS_INSTANCE_ID=4b636e74-f3ca-40bb-80b8-3bd21801ccb8

# create a Key Management Service (KMS) service instance
# "tiered-pricing" is the pricing plan and "us-south" is the region
$ KMS_NAME=my-kms-1

$ ibmcloud resource service-instance-create $KMS_NAME kms tiered-pricing us-south

Creating service instance my-kms-1 in resource group Default of account <account name> as <email address>...
OK
Service instance my-kms-1 was created.
Name:             my-kms-1
ID:               crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:b3933ab0-d579-46fc-8ed5-351aea657b9a::
GUID:             b3933ab0-d579-46fc-8ed5-351aea657b9a
Location:         us-south
State:            active
Type:             service_instance
Sub Type:         kms
Allow Cleanup:    false
Locked:           false
Created at:       2020-06-15T16:04:40Z
Updated at:       2020-06-15T16:04:40Z
Last Operation:             Status    create succeeded             Message   Completed create instance operation

# capture the Key Protect (KP) instance id (GUID)
$ KP_INSTANCE_ID=b3933ab0-d579-46fc-8ed5-351aea657b9a

# create a policy for COS to read KMS; source is COS, target is KMS
$ ibmcloud iam authorization-policy-create cloud-object-storage kms Reader \
  --source-service-instance-id $COS_INSTANCE_ID \
  --target-service-instance-id $KP_INSTANCE_ID

Creating authorization policy under account ea998d3389c3473aa0987652b46fb146 as <email address>...
OK
Authorization policy 18cfc980-4458-4313-972e-93f312cdcd81 was created.
ID:                        18cfc980-4458-4313-972e-93f312cdcd81
Source service name:       cloud-object-storage
Source service instance:   4b636e74-f3ca-40bb-80b8-3bd21801ccb8
Target service name:       kms
Target service instance:   b3933ab0-d579-46fc-8ed5-351aea657b9a
Roles:                     Reader

# capture the COS-to-KMS authorization policy id
$ COS_KMS_AUTHORIZATION=18cfc980-4458-4313-972e-93f312cdcd81

# create a KP root key that COS uses to encrypt data
$ ibmcloud kp key create my-cos-key --output json

{
  "id": "2cbea94c-6070-4a24-b0f8-7a56e4d7cb6f",
  "name": "my-cos-key",
  "type": "application/vnd.ibm.kms.key+json",
  "extractable": false,
  "state": 1,
  "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:b3933ab0-d579-46fc-8ed5-351aea657b9a:key:2cbea94c-6070-4a24-b0f8-7a56e4d7cb6f"
}

# capture the KP root key id
$ MY_COS_KEY_ID=2cbea94c-6070-4a24-b0f8-7a56e4d7cb6f

# create a COS bucket and set KP encryption
#   must be done in the console user interface (UI) because
#   there is no API or CLI support at this time
# 1 - In the UI, go to... Resource list -> Storage -> my-cos-1
# 2 - Create bucket -> custom bucket
# 3 - Properties of a custom bucket
#   a - bucket name: my-cos-kms-bucket
#   b - location: us-south (same region as KP)
#   c - checkbox: Key Protect
#   d - instance: my-kms-1
#   e - key name: my-cos-key
#   f - button: Create bucket

# capture the name of the COS bucket that was created
$ COS_BUCKET=my-cos-kms-bucket

# view the KP registration; it's a result of creating the COS bucket
$ ibmcloud kp registrations --output json

[
  {
    "keyId": "2cbea94c-6070-4a24-b0f8-7a56e4d7cb6f",
    "resourceCrn": "crn:v1:bluemix:public:cloud-object-storage:global:a/ea998d3389c3473aa0987652b46fb146:4b636e74-f3ca-40bb-80b8-3bd21801ccb8:bucket:my-cos-kms-bucket",
    "createdBy": "crn-crn:v1:bluemix:public:cloud-object-storage:global:a/ea998d3389c3473aa0987652b46fb146:4b636e74-f3ca-40bb-80b8-3bd21801ccb8::",
    "creationDate": "2020-06-15T16:07:37Z",
    "lastUpdated": "2020-06-15T16:07:37Z",
    "keyVersion": { "id": "2cbea94c-6070-4a24-b0f8-7a56e4d7cb6f", "creationDate": "2020-06-15T16:05:53Z"
    }
  }
]

# list the bucket
$ ibmcloud cos list-buckets --ibm-service-instance-id $COS_INSTANCE_ID

OK
1 bucket found in your account:
Name                Date Created
my-cos-kms-bucket   Jun 15, 2020 at 16:07:38

# upload an object to COS
$ ibmcloud cos put-object --bucket $COS_BUCKET --key '/cos-file.txt' --body cos-file-upload.txt

OK
Successfully uploaded object '/cos-file.txt' to bucket 'my-cos-kms-bucket'.

# get the object from COS
$ ibmcloud cos get-object --bucket $COS_BUCKET --key '/cos-file.txt' cos-file-download.txt

OK
Successfully downloaded '/cos-file.txt' from bucket 'my-cos-kms-bucket'
20 B downloaded.

# verify that the upload and download files are the same
$ cat cos-file-upload.txt

This is a test file

$ cat cos-file-download.txt

This is a test file

# delete the object
$ ibmcloud cos delete-object --bucket $COS_BUCKET --key '/cos-file.txt' --force

OK
Delete '/cos-file.txt' from bucket 'my-cos-kms-bucket' ran successfully.

# delete the bucket
$ ibmcloud cos delete-bucket --bucket $COS_BUCKET --force

OK
Successfully deleted bucket 'my-cos-kms-bucket'. The bucket 'my-cos-kms-bucket' will be available for reuse after 15 minutes.

# list the bucket (it should no longer exist)
$ ibmcloud cos list-buckets --ibm-service-instance-id $COS_INSTANCE_ID

OK
No buckets found in your account.

# view the KP registration (it should no longer exist)
$ ibmcloud kp registrations --output json

# delete the KP root key; COS no longer uses it
$ ibmcloud kp key delete $MY_COS_KEY_ID --output json

{
  "id": "2cbea94c-6070-4a24-b0f8-7a56e4d7cb6f"
}

# delete the authorization policy between COS AND KMS
$ ibmcloud iam authorization-policy-delete $COS_KMS_AUTHORIZATION --force

Deleting authorization policy 18cfc980-4458-4313-972e-93f312cdcd81 under account ea998d3389c3473aa0987652b46fb146...
OK
Authorization policy 18cfc980-4458-4313-972e-93f312cdcd81 is deleted successfully

# view the authorization policy (it should no longer exist)
$ ibmcloud iam authorization-policies

Getting authorization policies under account ea998d3389c3473aa0987652b46fb146 as <email address>...
OK
No policy found

# delete the KMS instance
$ ibmcloud resource service-instance-delete $KMS_NAME --force

Deleting service instance my-kms-1 in resource group Default under account <account name> as <email address>...
OK
Service instance my-kms-1 with ID crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:b3933ab0-d579-46fc-8ed5-351aea657b9a:: is deleted successfully

# delete the COS instance
$ ibmcloud resource service-instance-delete $COS_NAME --force

Deleting service instance my-cos-1 in resource group Default under account <account name> as <email address>...
OK
Service instance my-cos-1 with ID crn:v1:bluemix:public:cloud-object-storage:global:a/ea998d3389c3473aa0987652b46fb146:4b636e74-f3ca-40bb-80b8-3bd21801ccb8:: is deleted successfully

# view resources (COS and KMS should no longer exist)
$ ibmcloud resource service-instances

Retrieving instances with type service_instance in resource group Default in all locations under account <account name> as <email address>...
OK
No service instance found.

Example 3

This example shows what happens when one of the following occurs between COS and Key Protect (KP) - COS is not able to access the Key Protect root key.

  • Delete the KP root key
  • Remove the CMS/KP authorization policy

This example does not show command output except when relevant.

# create a Cloud Object Storage (COS) service instance
# "lite" is the pricing plan and "global" is the region
$ COS_NAME=my-cos-1

$ ibmcloud resource service-instance-create $COS_NAME cloud-object-storage lite global

# capture the COS instance id (GUID)
$ COS_INSTANCE_ID=c488e11a-c8a0-4688-b002-9327266ea55f

# create a Key Management Service (KMS) service instance
# "tiered-pricing" is the pricing plan and "us-south" is the region
$ KMS_NAME=my-kms-1

$ ibmcloud resource service-instance-create $KMS_NAME kms tiered-pricing us-south

# capture the Key Protect (KP) instance id (GUID)
$ KP_INSTANCE_ID=26f4b198-952a-47ab-9f44-ef69c038b3c5

# create a policy for COS to read KMS; source is COS, target is KMS (Key Protect)
$ ibmcloud iam authorization-policy-create cloud-object-storage kms Reader \
  --source-service-instance-id $COS_INSTANCE_ID \
  --target-service-instance-id $KP_INSTANCE_ID

# capture the COS-to-KMS authorization policy id
$ COS_KMS_AUTHORIZATION=594b946e-0e90-44ea-ac62-6cbb42450cd5

# create a KP root key that COS uses to encrypt data
$ ibmcloud kp key create my-cos-key --output json

# capture the KP root key id
$ MY_COS_KEY_ID=464d78c3-57dc-49a5-b932-8ebf8f8c7771

# create a COS bucket and set KP encryption
#   must be done in the console user interface (UI) because
#   there is no API or CLI support at this time

# capture the name of the COS bucket that was created
$ COS_BUCKET=my-cos-kms-bucket

# upload an object to COS
$ ibmcloud cos put-object --bucket $COS_BUCKET --key '/cos-file.txt' --body cos-file-upload.txt

# delete the authorization policy between COS AND KMS - this breaks everything
$ ibmcloud iam authorization-policy-delete $COS_KMS_AUTHORIZATION --force

# get the object from COS - this fails because COS no longer has access to KMS
$ ibmcloud cos get-object --bucket $COS_BUCKET --key '/cos-file.txt' cos-file-download.txt

FAILED
ServiceNotAuthorized: The specified COS Service Instance does not have sufficient
    permissions to access the resource provided in the ibm-sse-kp-customer-root-key-crn request header
status code: 401,
request id: a51e1da3-9bf7-4cc9-9eb0-0d074c7f9093,
host id:

# delete the object
$ ibmcloud cos delete-object --bucket $COS_BUCKET --key '/cos-file.txt' --force

# delete the bucket
$ ibmcloud cos delete-bucket --bucket $COS_BUCKET --force

# delete the KP root key - this fails because the registration was not deleted
$ ibmcloud kp key delete $MY_COS_KEY_ID --output json

FAILED
kp.Error:
    correlation_id='fffdd8a9-405a-4a91-a5a7-52c30d11424d',
    msg='Conflict: Key could not be deleted. Please see "reasons" for more details.',
    reasons='[PROTECTED_RESOURCE_ERR: Key is protecting one or more cloud resources -
        FOR_MORE_INFO_REFER: https://cloud.ibm.com/docs/key-protect?topic=key-protect-troubleshooting#unable-to-delete-keys]'

# delete the KP root key; use --force because the registration between COS and KMS still exists
$ ibmcloud kp key delete $MY_COS_KEY_ID --force --output json

# delete the KMS instance
$ ibmcloud resource service-instance-delete $KMS_NAME --force

# delete the COS instance
$ ibmcloud resource service-instance-delete $COS_NAME --force

# view resources (COS and KMS should no longer exist)
$ ibmcloud resource service-instances

Retrieving instances with type service_instance in resource group Default in all locations under account <account name> as <email address>...
OK
No service instance found.

Required parameters

  • KEY_ID_OR_ALIAS

    The v4 UUID or alias of the key that you want to query.

  • -i, --instance-id

    The IBM Cloud instance ID that identifies your Key Protect instance.

    You can set an environment variable instead of specifying -i with the following command: $ export KP_INSTANCE_ID=<INSTANCE_ID>.

Optional parameters

  • -c, --crn-query

    Specify the crn query whose registrations need to be listed

  • -k, --key-id

    Specify the key id whose registrations need to be listed.

  • -o, --output

    Set the CLI output format. By default, all commands print in table format. To change the output format to JSON, use --output json.

    Setting the output to JSON (--output json) includes the cloud resource name (CRN) in the output.

  • -r, --key-ring

    A unique, human readable name for the key-ring. Required to show registrations on the given key ring.

ibmcloud kp kmip command

The KMIP commands allow API access to KMIP adapters and objects.

Sub-command Status v0.10 Description
adapter-create Create a KMIP Adapter
adapter Retrieve a KMIP Adapter
adapters List KMIP Adapters in an instance
adapter-delete Delete a KMIP Adapter
cert-create Create a KMIP Client Certificate associated with an adapter
cert Retrieve a KMIP Client Certificate
certs List KMIP Client Certificate associated with a KMIP Adapter
cert-delete Delete a KMIP Client Certificate
object Retrieve a KMIP Object
objects List KMIP Objects in a KMIP Adapter
object-delete Delete a KMIP Object

kp kmip adapter-create

Use kmip adapter-create to create a KMIP Adapter under a Key Protect instance. Adapters are used to group and manage KMIP objects. KMIP adapters under the same Key Protect instance must have a unique name, since adapters can be retrieved by either the name or the ID. For all KMIP-related CLI commands, any argument or flag that takes an Adapter ID can also use an Adapter name.

Depending on the profile, different information may need to be supplied to create the adapter. Currently, only one profile of KMIP adapter is supported: native_1.0.

The native_1.0 profile needs only the ID of a root key to be provided in the -k flag.

adapter-create 
    -p, --profile PROFILE 
    [-k, --crk-id CRK_ID] 
    [-n, --name NAME] 
    [-d, --description DESC]
    -i, --instance-id      INSTANCE_ID
    [-o, --output          OUTPUT]

Example

These are examples of kp kmip adapter-create.

Example 1

This example creates KMIP adapter with the native_1.0 profile

ibmcloud kp kmip adapter-create -n myadapter -k 47a0ad90-204d-4e45-aa5b-68ed40a05fa2 -p native_1.0 -d "my description"
Targeting endpoint: https://qa.us-south.kms.test.cloud.ibm.com
Creating KMIP Adapter...
OK
Adapter ID                             Adapter Profile   Adapter Name   Adapter Description   
d6a00af1-277f-40e8-b33e-da3a68752209   native_1.0        myadapter      my description  
$ ibmcloud kp kmip adapters
Targeting endpoint: https://qa.us-south.kms.test.cloud.ibm.com
Listing KMIP Adapters...
OK
Adapter ID                             Adapter Profile   Adapter Name   Created At                      Updated At   
d6a00af1-277f-40e8-b33e-da3a68752209   native_1.0        myadapter      2024-03-20 22:06:43 +0000 UTC   2024-03-20 22:06:43 +0000 UTC

kp kmip adapter

Retrieve details about a KMIP adapter, including the creation and update date. You can use the adapter ID or the adapter name.

ibmcloud kp kmip adapter ADAPTERID
    -i, --instance-id INSTANCE_ID
    [-o, --output      OUTPUT]

Example

These are examples of kp kmip adapter.

Example 1

Note that there are some attributes to the adapter only visible in the JSON output format.

$ ibmcloud kp key create rootKmip
Targeting endpoint: https://qa.us-south.kms.test.cloud.ibm.com
Creating key: 'rootKmip', in instance: '8944cc2d-7e00-46b2-baa4-787051e0f7b3'...
OK
Key ID                                 Key Name   
47a0ad90-204d-4e45-aa5b-68ed40a05fa2   rootKmip   
$ ibmcloud kp kmip adapter-create -n myadapter -k 47a0ad90-204d-4e45-aa5b-68ed40a05fa2 -p native_1.0
Targeting endpoint: https://qa.us-south.kms.test.cloud.ibm.com
Creating KMIP Adapter...
OK
Adapter ID                             Adapter Profile   Adapter Name   Adapter Description   
d6a00af1-277f-40e8-b33e-da3a68752209   native_1.0        myadapter      -   
# retreiving adapter by name
$ ibmcloud kp kmip adapter myadapter
Targeting endpoint: https://qa.us-south.kms.test.cloud.ibm.com
Getting KMIP Adapter...
OK
Adapter ID                             Adapter Profile   Adapter Name   Created At                      Updated At                      Adapter Description   
d6a00af1-277f-40e8-b33e-da3a68752209   native_1.0        myadapter      2024-03-20 22:06:43 +0000 UTC   2024-03-20 22:06:43 +0000 UTC   -   
# retrieving adapter by ID
$ ibmcloud kp kmip adapter d6a00af1-277f-40e8-b33e-da3a68752209 -o json
{
    "id": "d6a00af1-277f-40e8-b33e-da3a68752209",
    "profile": "native_1.0",
    "profile_data": {
        "crk_id": "47a0ad90-204d-4e45-aa5b-68ed40a05fa2"
    },
    "name": "myadapter",
    "description": "",
    "created_by": "IBMid-664003LB2T",
    "created_at": "2024-03-20T22:06:43Z",
    "updated_by": "IBMid-664003LB2T",
    "updated_at": "2024-03-20T22:06:43Z"
}

kp kmip adapters

List the KMIP adapters that are available in your Key Protect Instance.

ibmcloud kp kmip adapters 
    -i, --instance-id      INSTANCE_ID
    [-o, --output          OUTPUT]
    [-n, --limit LIMIT] 
    [-s, --offset OFFSET] 
    [-t, --total-count]

Example

These are examples of kp kmip adapters.

Example 1

$ ibmcloud kp kmip adapters -n 100 -s 0
Targeting endpoint: https://qa.us-south.kms.test.cloud.ibm.com
Listing KMIP Adapters...
OK
Adapter ID                             Adapter Profile   Adapter Name   Created At                      Updated At   
d6a00af1-277f-40e8-b33e-da3a68752209   native_1.0        myadapter      2024-03-20 22:06:43 +0000 UTC   2024-03-20 22:06:43 +0000 UTC

kp kmip adapter-delete

Deletes a KMIP adapter. This will delete any objects and certificates associated with the adapter.

ibmcloud kp kmip adapter-delete ADAPTERID
    -i, --instance-id      INSTANCE_ID

Example

These are examples of kp kmip adapter-delete.

Example 1

$ ibmcloud kp kmip adapter-create -n adap -k 47a0ad90-204d-4e45-aa5b-68ed40a05fa2 -p native_1.0
Targeting endpoint: https://qa.us-south.kms.test.cloud.ibm.com
Creating KMIP Adapter...
OK
Adapter ID                             Adapter Profile   Adapter Name   Adapter Description   
e97e4297-4a6f-41c9-ae67-0920715964fd   native_1.0        adap           -   
$ ibmcloud kp kmip adapter-delete e97e4297-4a6f-41c9-ae67-0920715964fd
Targeting endpoint: https://qa.us-south.kms.test.cloud.ibm.com
Deleting KMIP Adapter...
OK

kp kmip cert-create

Use kp kmip cert-create to create an KMIP Client Certificate to associate to a specific KMIP adapter. The certificate provided in the -c flag should be in the x509 PEM format. The certificate file can be uploaded by using the prefix @ to specify a filepath, or by providing the contents of the certificate file directly to the flag.

KMIP Client Certificates are used to connect and authenticate to the KMIP server through mutual TLS (mTLS). A certificate must be registered before any KMIP protocol operations can be carried out with a KMIP adapter. It may take up to 5 minutes for the certificate to be usable in KMIP operations.

Certificates must have a unique name within the same KMIP adapter, and the contents of the certificate must be unique, even between multiple adapters.

See also: KMIP Protocol Specifications

ibmcloud kp kmip cert-create 
    -a ADAPTER_NAME_OR_ID 
    -c {@path/to/cert | CERTIFICATE} 
    [-n NAME]
    -i, --instance-id     INSTANCE_ID
    [-o, --output         OUTPUT]

Example

These are examples of kp kmip cert-create.

Example 1

This example shows two ways of uploading the same certificate file.

$ ibmcloud kp key create rootKmip
Targeting endpoint: https://qa.us-south.kms.test.cloud.ibm.com
Creating key: 'rootKmip', in instance: '8944cc2d-7e00-46b2-baa4-787051e0f7b3'...
OK
Key ID                                 Key Name   
47a0ad90-204d-4e45-aa5b-68ed40a05fa2   rootKmip   
$ ibmcloud kp kmip adapter-create -n myadapter -k 47a0ad90-204d-4e45-aa5b-68ed40a05fa2 -p native_1.0
Targeting endpoint: https://qa.us-south.kms.test.cloud.ibm.com
Creating KMIP Adapter...
OK
Adapter ID                             Adapter Profile   Adapter Name   Adapter Description   
d6a00af1-277f-40e8-b33e-da3a68752209   native_1.0        myadapter      -   

$ export CERT=$(cat ./cert.pem) 

$ ibmcloud kp kmip cert-create -n mycert -c "$CERT" -a myadapter
Targeting endpoint: https://qa.us-south.kms.test.cloud.ibm.com
Creating KMIP Client Certificate...
OK
Certificate ID                         Certificate Name   Created At   
3f550b96-86bc-44fe-8d1d-113e57067219   mycert             2024-03-20 22:08:03 +0000 UTC   

## Alternatively, you can also provide the filepath of the certificate

$ ibmcloud kp kmip cert-delete mycert -a myadapter
Targeting endpoint: https://qa.us-south.kms.test.cloud.ibm.com
Deleting KMIP Client Certificate...
OK

$ ibmcloud kp kmip cert-create -n mycert -c @./cert.pem -a myadapter
Targeting endpoint: https://qa.us-south.kms.test.cloud.ibm.com
Creating KMIP Client Certificate...
OK
Certificate ID                         Certificate Name   Created At   
a279fded-06d1-45a1-8a95-901f194fb937   mycert             2024-03-20 22:11:34 +0000 UTC

kp kmip cert

Retrieves a specific KMIP Client Certificate. A certificate can be retrieved by either the id or the name.

ibmcloud kp kmip cert CERTIFICATE 
    -a ADAPTER
    -i, --instance-id     INSTANCE_ID
    [-o, --output         OUTPUT]

Examples

These are examples of kp kmip cert.

Example 1

Getting a certificate by name:

$ ibmcloud kp kmip cert mycert -a myadapter
Targeting endpoint: https://qa.us-south.kms.test.cloud.ibm.com
Getting KMIP Client Certificate...
OK
Certificate ID                         Certificate Name   Created At   
a279fded-06d1-45a1-8a95-901f194fb937   mycert             2024-03-20 22:11:34 +0000 UTC

Example 2

Getting a certificate by UUID in JSON format. The PEM-format contents of the certificate will be returned in the JSON body.

$ ibmcloud kp kmip cert a279fded-06d1-45a1-8a95-901f194fb937  -a myadapter -o json
{
    "id": "a279fded-06d1-45a1-8a95-901f194fb937",
    "name": "mycert",
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIFqzCCA5OgAwIBAgIUNXqfJMkAHOBHz6+ekETDlCqIEqUwDQYJKoZIhvcNAQEL\nBQAw
    ... CERTIFICATE CONTENTS ABBREVIATED ...
    Y6uFtHuQSpud0C\n-----END CERTIFICATE-----\n",
    "created_by": "IBMid-12345678",
    "created_at": "2024-03-20T22:11:34Z"
}

kp kmip certs

List all KMIP Client Certificates associated with a specific KMIP adapter.

ibmcloud kp kmip certs 
    -a, --adapter         ADAPTER
    [-n, --limit LIMIT] 
    [-s, --offset OFFSET] 
    [-t, --total-count]
    -i, --instance-id     INSTANCE_ID
    [-o, --output         OUTPUT]

Examples

These are examples of kp kmip certs.

Example 1

$ ibmcloud kp kmip certs -a myadapter
Targeting endpoint: https://qa.us-south.kms.test.cloud.ibm.com
Listing KMIP Client Certificates...
OK
Certificate ID                         Certificate Name   Created At   
a279fded-06d1-45a1-8a95-901f194fb937   mycert             2024-03-20 22:11:34 +0000 UTC

kp kmip cert-delete

Delete a KMIP Client Certificate.

cert-delete CERTIFICATE 
    -a adapter
    -i, --instance-id     INSTANCE_ID

Examples

These are examples of kp kmip cert-delete

Example 1

$ ibmcloud kp kmip cert-delete -a myadapter mycert
Targeting endpoint: https://qa.us-south.kms.test.cloud.ibm.com
Deleting KMIP Client Certificate...
OK

kp kmip object

KMIP Objects are created through operations performed through a KMIP client using the KMIP protocol. They cannot be created through the API, but can be read and deleted. Objects belong to a single adapter.

Objects do not have a name, and must be retrieved by ID.

ibmcloud kp kmip object OBJECT
    -a, --adapter         ADAPTER
    -i, --instance-id     INSTANCE_ID
    [-o, --output         OUTPUT]

Examples

These are examples of kp kmip object

Example 1

$ ibmcloud kp kmip object 12365a82-5404-4bd9-a4c7-2b628ee18304 -a testadapter 
Targeting endpoint: https://qa.us-south.kms.test.cloud.ibm.com
Getting KMIP Object...
OK
Object ID                              Object Type     Object State   Created At                      Updated At   
12365a82-5404-4bd9-a4c7-2b628ee18304   Symmetric Key   Active         2024-03-14 21:01:45 +0000 UTC   2024-03-14 21:01:45 +0000 UTC

Example 2

Getting a KMIP Object as a JSON will show some extra attributes not visible in the normal table view.

$ ibmcloud kp kmip object 12365a82-5404-4bd9-a4c7-2b628ee18304 -a testadapter -o json
{
    "id": "12365a82-5404-4bd9-a4c7-2b628ee18304",
    "kmip_object_type": 2,
    "state": 2,
    "created_by_kmip_client_cert_id": "531c18f3-4e37-447e-a7e0-e8676407bb75",
    "created_by": "IBMid-123456",
    "created_at": "2024-03-14T21:01:45Z",
    "updated_by_kmip_client_cert_id": "531c18f3-4e37-447e-a7e0-e8676407bb75",
    "updated_by": "IBMid-123456",
    "updated_at": "2024-03-14T21:01:45Z"
}

kp kmip objects

List KMIP Objects and view information about their Object Type and Object state among other metadata. Use the -f flag to filter for objects only in a specific state. By default, the state filter is set to 1,2,3,4.

The numbers correspond to the object states as follows:

  • Pre-Active = 1
  • Active = 2
  • Deactivated = 3
  • Compromised = 4
  • Destroyed = 5
  • Destroyed Compromised = 6

See KMIP State Enumeration

ibmcloud kp kmip objects 
    -a, --adapter         ADAPTER
    [-n, --limit LIMIT] 
    [-s, --offset OFFSET] 
    [-t, --total-count]
    -i, --instance-id     INSTANCE_ID
    [-o, --output         OUTPUT]

Examples

These are examples of kp kmip objects.

Example 1

$ ibmcloud kp kmip objects -a myadapter
Targeting endpoint: https://qa.us-south.kms.test.cloud.ibm.com
Listing KMIP Objects...
OK
Object ID                              Object Type     Object State   Created At                      Updated At   
00196c59-c5c2-42d8-9729-703cd0389f60   Symmetric Key   Compromised    2024-03-14 20:47:54 +0000 UTC   2024-03-14 20:47:54 +0000 UTC   
02f1043c-0494-4399-82af-5395a14b019f   Symmetric Key   Pre-Active     2024-03-14 20:58:06 +0000 UTC   2024-03-14 20:58:06 +0000 UTC   
08082ff4-821b-4689-83ec-15cac5bd1939   Symmetric Key   Pre-Active     2024-02-22 00:10:46 +0000 UTC   2024-02-22 00:11:23 +0000 UTC   
0c1ea28d-dfaa-404a-b9c4-fcdc3f5d8b02   Symmetric Key   Deactivated    2024-03-14 21:05:48 +0000 UTC   2024-03-14 21:05:48 +0000 UTC   
10b49b05-0101-4234-927b-20a3356da291   Symmetric Key   Pre-Active     2024-03-14 21:26:54 +0000 UTC   2024-03-14 21:26:54 +0000 UTC   
12365a82-5404-4bd9-a4c7-2b628ee18304   Symmetric Key   Active         2024-03-14 21:01:45 +0000 UTC   2024-03-14 21:01:45 +0000 UTC

Example 2

Using the -f flag to filter for objects of a specific state. Use commas to specify multiple states.

$ ibmcloud kp kmip objects -a testadapter -f 5,6
Targeting endpoint: https://qa.us-south.kms.test.cloud.ibm.com
Listing KMIP Objects...
OK
Object ID                              Object Type     Object State            Created At                      Updated At   
03d38805-2bb2-4aa0-bbf3-dc4a6d5d0475   Symmetric Key   Destroyed               2024-03-14 20:47:58 +0000 UTC   2024-03-14 20:47:58 +0000 UTC   
08c94f34-0100-4331-b759-5937ed5b1228   Symmetric Key   Destroyed               2024-03-14 20:46:38 +0000 UTC   2024-03-14 20:46:38 +0000 UTC   
1a13e112-41f8-4d52-be08-a0946b8c22fa   Symmetric Key   Destroyed Compromised   2024-03-14 20:58:20 +0000 UTC   2024-03-14 20:58:20 +0000 UTC

kp kmip object-delete

Delete a KMIP Object. Only objects whose state is not Active, or not Destroyed can be successfully deleted.

cert-delete OBJECT_ID 
    -a adapter
    -i, --instance-id     INSTANCE_ID

Examples

These are examples of kp kmip object-delete

Example 1

$ ibmcloud kp kmip object-delete 9b2f5af5-3534-4f02-8836-f89af37c4351 -a testadapter
Targeting endpoint: https://qa.us-south.kms.test.cloud.ibm.com
Deleting KMIP Object...
OK

Next Steps

Look for related operations in the API documentation.