Classic Keys
A Classic Key is an encryption key managed in the Akeyless KMS that can be shared with a cloud KMS or be used as an encryption key to protect your secrets, enabling you to Bring Your Own Key to the Akeyless Platform.
Once a Classic Key is shared with a cloud KMS, you can use it as any key generated by the cloud provider. Akeyless remains responsible for managing the key lifecycle by providing secure storage and full role-based access control, recording key activity, and logging. These keys can be deleted and updated like any other key.
Note that to create a Classic Key, you must have an active gateway. To set up a gateway, please go to Akeyless Gateway Overview.
The supported key types for Classic Keys are:
- AES128GCM
- AES256GCM
- AES128SIV
- AES256SIV
- AES128CBC
- AES256CBC
- RSA1024
- RSA2048
- RSA3072
- RSA4096
- EC256
- EC384
- EC521
- GPG
Classic Keys can either be generated by Akeyless or imported into the Akeyless KMS from another source.
Info
Classic Keys are protected by an Akeyless DFC™ key.
You can create and manage your Classic Keys in both the Akeyless CLI and the Console.
Note
If you are going to share the Classic Key with a cloud KMS, you need to create a target for the key to later be associated with.
Managing a Classic Key from the CLI
Creating a Classic Key
To create a Classic Key from the CLI, use this command with the following parameters:
name
: The name of the Classic Key. The name can include the path to the virtual folder in which you want to create the new key, using the slash/
separators. If the folder does not exist, it will be created together with the key.alg
: The type of key to be created.gateway-url
: Akeyless Gateway Configuration Manager URL (port8000
).
akeyless create-classic-key --name classickey --alg RSA2048 --gateway-url https://<Your-Gateway-URL:8000>
Additional parameters can be found in the CLI Reference.
Associating a Key and a Target
To associate a Classic Key with a Cloud KMS Target, use this command with the following parameters:
target-name
: The name of the Target you want to associate with the Classic Key.name
: The name of the Classic Key you want to share with the specified target.
akeyless assoc-target-item --target-name awstarg --name classickey
Different cloud providers demand additional parameters. to see the relevant parameters, go to the correlated page under External KMS Integration.
If you wish to delete the association between a key and its target, you may use the following command with the matching parameters:
akeyless delete-assoc-target-item --target-name awstarg --name classickey
Additional parameters can be found in the CLI Reference.
Managing a Classic Key from the Console
Creating a Classic Key
-
In the Akeyless console, select Items > New > Encryption Key > Classic.
-
Define the following:
-
Name: The name of the Classic Key.
-
Location: The path to the virtual folder in which you want to create the new key, using slash
/
separators.Note
If the folder does not exist, it will be created together with the authentication method.
-
Description: General description of the key (optional).
-
Tags: Assign tags to the key (optional).
-
Delete Protection: When enabled, protects the Classic Key from accidental deletion.
-
Key Type: The algorithm type of key to be created (
AESxxxGCM
,AESxxxSIV
,RSAxxxx
,ECxxx
,GPG
). -
Generated By: Determines if the Classic Key should be generated by the Akeyless KMS, or uploaded from another source. If you select Import Classic Key, you can upload a file into the console.
-
Protection Key: The encryption key with which to encrypt the Classic Key (if your system includes multiple encryption keys). Otherwise, select
Default
. -
Gateway: Select the gateway that will correlate with the key.
-
Auto Rotate: Indicate if the Classic Key should be automatically rotated, and select the frequency. This option is not available for imported keys. You may still rotate the key manually even if you did not apply this option.
-
Rotation Notification: If you wish to get a notification before the next Automatic Rotation, click on ⊕ Add Notification and adjust the day count to any number you desire. This can be done multiple times to be notified more than once.
- Click Save.
Associating a Key and a Target
-
In the Akeyless console, select the Classic Key you wish to associate.
-
In the key info page that will open on the right, select +Attach
-
Select the relevant Target from the drop-down list, and fill in the required parameters. These parameters may vary between cloud providers. To see the relevant parameters, go to the correlated page under External KMS Integration.
Envelope Encryption with Akeyless Classic Keys (KEK / DEK Pattern)
Goal: keep your data-encryption keys (DEKs) in Akeyless, but let a key stored in Google Cloud KMS (the KEK) wrap and unwrap them. That way the DEKs never leave Akeyless in the clear, and the KEK never leaves Google’s HSM boundary.
Create the Key-Encryption Key (KEK) in Akeyless
Open a terminal and run:
akeyless-cli create-classic-key \
--name kek-name \
--alg aes-256-gcm \
--type internal \
--description "KEK used to wrap DEKs for GCP"
You now have an AES-256-GCM “classic key” called kek-name.
Tell Akeyless that this KEK belongs to Google Cloud
- In the Akeyless UI or CLI, create a GCP target (pointing to your project, location, key-ring and key).
- Set the purpose to “raw encrypt / raw decrypt.”
- List the algorithms you’ll allow—usually aes_256_gcm (add aes_128_gcm if you also need it).
- Most importantly, pass the flag --wrapping-key-name kek-name (or pick kek-name in the UI).
This links your Akeyless key to Google’s KMS key so Akeyless can ask GCP to wrap or unwrap.
Create a Data-Encryption Key (DEK)
You can generate DEKs whenever you need them:
akeyless-cli create-classic-key \
--name dek-name \
--alg aes-256-gcm \
--type internal
Export the DEK, already wrapped by the KEK
akeyless-cli export-classic-key \
--name dek-name \
--wrapping-key-name kek-name \
--format json > dek_wrapped.json
The JSON file looks like this:
{
"key": "<base64 ciphertext>",
"iv" : "<base64 gcm nonce>"
}
- key is the DEK, encrypted with the KEK.
- iv is the 12-byte GCM nonce Google needs to decrypt.
Unwrap (decrypt) the DEK inside your application code
ctx := context.Background()
client, err := kms.NewKeyManagementClient(ctx, option.WithCredentialsJSON(creds))
if err != nil { panic(err) }
cipher, _ := base64.StdEncoding.DecodeString("<key from JSON>")
iv, _ := base64.StdEncoding.DecodeString("<iv from JSON>")
resp, err := client.RawDecrypt(ctx, &kmspb.RawDecryptRequest{
Name: "projects/.../locations/.../keyRings/.../cryptoKeys/kek-name/cryptoKeyVersions/1",
Ciphertext: cipher,
InitializationVector: iv,
})
if err != nil { panic(err) }
dekPlaintext := resp.Plaintext
dekPlaintext is now the usable AES-256-GCM key you can feed to your own data-encryption routines.
Use the DEK and rotate when needed
Encrypt or decrypt your application data with the plaintext DEK.
When it’s time to rotate, generate a brand-new DEK (step 3) and repeat the export/unwrap steps. The KEK can stay the same for months if your policy allows.
Updated 8 days ago