Documentation

Classic Keys

Suggest Edits

A Classic Key is an encryption key managed in the Akeyless KMS that can be shared with a cloud KMS or be used as an encryption key to protect your secrets, enabling you to Bring Your Own Key to the Akeyless Platform.

Once a Classic Key is shared with a cloud KMS, you can use it as any key generated by the cloud provider. Akeyless remains responsible for managing the key lifecycle by providing secure storage and full role-based access control, recording key activity, and logging. These keys can be deleted and updated like any other key.

Note that to create a Classic Key, you must have an active gateway. To set up a gateway, please go to Akeyless Gateway Overview.

The supported key types for Classic Keys are:

  • AES128GCM
  • AES256GCM
  • AES128SIV
  • AES256SIV
  • AES128CBC
  • AES256CBC
  • RSA1024
  • RSA2048
  • RSA3072
  • RSA4096
  • EC256
  • EC384
  • EC521
  • GPG

Classic Keys can either be generated by Akeyless or imported into the Akeyless KMS from another source.

📘

Info

Classic Keys are protected by an Akeyless DFC™ key.

You can create and manage your Classic Keys in both the Akeyless CLI and the Console.

👍

Note

If you are going to share the Classic Key with a cloud KMS, you need to create a target for the key to later be associated with.

Managing a Classic Key from the CLI

Creating a Classic Key

To create a Classic Key from the CLI, use this command with the following parameters:

  • name: The name of the Classic Key. The name can include the path to the virtual folder in which you want to create the new key, using the slash / separators. If the folder does not exist, it will be created together with the key.
  • alg: The type of key to be created.
  • gateway-url: Akeyless Gateway Configuration Manager URL (port 8000).
akeyless create-classic-key --name classickey --alg RSA2048 --gateway-url https://<Your-Gateway-URL:8000>

Additional parameters can be found in the CLI Reference.

Associating a Key and a Target

To associate a Classic Key with a Cloud KMS Target, use this command with the following parameters:

  • target-name: The name of the Target you want to associate with the Classic Key.
  • name: The name of the Classic Key you want to share with the specified target.
akeyless assoc-target-item --target-name awstarg --name classickey

Different cloud providers demand additional parameters. to see the relevant parameters, go to the correlated page under External KMS Integration.

If you wish to delete the association between a key and its target, you may use the following command with the matching parameters:

akeyless delete-assoc-target-item --target-name awstarg --name classickey

Additional parameters can be found in the CLI Reference.

Managing a Classic Key from the Console

Creating a Classic Key

  1. In the Akeyless console, select Items > New > Encryption Key > Classic.

  2. Define the following:

  • Name: The name of the Classic Key.

  • Location: The path to the virtual folder in which you want to create the new key, using slash / separators.

    👍

    Note

    If the folder does not exist, it will be created together with the authentication method.

  • Description: General description of the key (optional).

  • Tags: Assign tags to the key (optional).

  • Delete Protection: When enabled, protects the Classic Key from accidental deletion.

  • Key Type: The algorithm type of key to be created (AESxxxGCM, AESxxxSIV, RSAxxxx, ECxxx, GPG).

  • Generated By: Determines if the Classic Key should be generated by the Akeyless KMS, or uploaded from another source. If you select Import Classic Key, you can upload a file into the console.

  • Protection Key: The encryption key with which to encrypt the Classic Key (if your system includes multiple encryption keys). Otherwise, select Default.

  • Gateway: Select the gateway that will correlate with the key.

  • Auto Rotate: Indicate if the Classic Key should be automatically rotated, and select the frequency. This option is not available for imported keys. You may still rotate the key manually even if you did not apply this option.

  • Rotation Notification: If you wish to get a notification before the next Automatic Rotation, click on ⊕ Add Notification and adjust the day count to any number you desire. This can be done multiple times to be notified more than once.

  1. Click Save.

Associating a Key and a Target

  1. In the Akeyless console, select the Classic Key you wish to associate.

  2. In the key info page that will open on the right, select +Attach

  3. Select the relevant Target from the drop-down list, and fill in the required parameters. These parameters may vary between cloud providers. To see the relevant parameters, go to the correlated page under External KMS Integration.


Additional Configuration for GCP Targets

  • When associating a Classic Key with a GCP target, you can use the --wrapping-key-name parameter to specify the Key Encryption Key (KEK) that will be used to encrypt the Data Encryption Key (DEK) during the export process.
  • When using --wrapping-key-name, you will also define the encryption purpose as Raw Encrypt/Decrypt and include additional encryption algorithms, such as AES_256_GCM and AES_128_GCM, when attaching the target.

Updated 5 months ago

Footer Section