Classic Keys

Introduction

A Classic Key is an encryption key managed in the Akeyless KMS that can be shared with a cloud KMS or be used as an encryption key to protect your secrets, enabling you to Bring Your Own Key to the Akeyless Platform.

Once a Classic Key is shared with a cloud KMS, you can use it as any key generated by the cloud provider. Akeyless remains responsible for managing the key lifecycle by providing secure storage and full role-based access control, recording key activity, and logging. These keys can be deleted and updated like any other key.

Note that to create a Classic Key, you must have an active gateway. To set up a gateway, please go to Akeyless Gateway Overview.

The supported key types for Classic Keys are:

  • AES128GCM
  • AES256GCM
  • AES128SIV
  • AES256SIV
  • AES128CBC
  • AES256CBC
  • RSA1024
  • RSA2048
  • RSA3072
  • RSA4096
  • EC256
  • EC384
  • EC521
  • GPG

Classic Keys can either be generated by Akeyless or imported into the Akeyless KMS from another source.

๐Ÿ“˜

Nice to Know:

Classic Keys are protected by an Akeyless DFCโ„ข key.

You can create and manage your Classic Keys in both the Akeyless CLI and the Console.

๐Ÿ‘

Tip:

If you are going to share the Classic Key with a cloud KMS, you need to create a target for the key to later be associated with.

Managing a Classic Key from the CLI

Creating a Classic Key

To create a Classic Key from the CLI, use this command with the following parameters:

  • name: The name of the Classic Key. The name can include the path to the virtual folder in which you want to create the new key, using slash / separators. If the folder does not exist, it will be created together with the key.
  • alg: The type of key to be created.
  • gateway-url: The URL of your gateway. This parameter is not mandatory, but if not explicitly stated, the default value will be http://localhost:8000.
akeyless create-classic-key --name classickey --alg RSA2048 --gateway-url http://localhost:8000

Additional parameters can be found in the CLI Reference.

Associating a Key and a Target

To associate a Classic Key with a target, use this command with the following parameters:

  • target-name: The name of the target you want to associate with the Classic Key.
  • name: The name of the Classic Key you want to share with the specified target.
akeyless assoc-target-item --target-name awstarg --name classickey

Different cloud providers demand additional parameters. to see the relevant parameters, go to the correlated page under External KMS Integration.
If you wish to delete the association between a key and its target, you may use the following command with the matching parameters:

akeyless delete-assoc-target-item --target-name awstarg --name classickey

Additional parameters can be found in the CLI Reference.

Managing a Classic Key from the Console

Creating a Classic Key

  1. In the Akeyless console, select New>Encryption Key > Classic.

  2. Define the following:

  • Name: The name of the Classic Key.

  • Location: The path to the virtual folder in which you want to create the new key, using slash / separators. If the folder does not exist, it will be created together with the key.

  • Description: general description of the key (optional).

  • Tags: assign tags to the key (optional).

  • Key Type: The algorithm type of key to be created.

  • Generated By: Determines if the Classic Key should be generated by the Akeyless KMS, or uploaded from another source. If you select Import Classic Key, you can upload a file into the console.

  • Protection Key: The encryption key with which to encrypt the Classic Key (if your system includes multiple encryption keys). Otherwise, select Default.

  • Gateway: Select the gateway that will correlate with the key.

  • Auto Rotate: Indicate if the Classic Key should be automatically rotated, and select the frequency. This option is not available for imported keys. You may still rotate the key manually even if you did not apply this option.

  1. Select Save.

Associating a Key and a Target

  1. In the Akeyless console, select the Classic Key you wish to associate.

  2. In the key info page that will open on the right, select +Attach

  3. Select the relevant target from the drop down list, and fill in the required parameters. These parameters may vary between cloud providers. To see the relevant parameters, go to the correlated page under External KMS Integration.

You can see a Classic Key's associated target in under the same info page. If you wish to delete the association between a Classic Key and a target, select the little x mark next to the target's name.