The Akeyless Platform combines the capabilities of an HSM and a KMS to provide enhanced key-life cycle management, including cryptographic key generation, protection, versioning/rotation (more on this subject on the key rotation guide Key Rotation), and using keys with Encryption-as-a-Service and Digital Signing functions.
Akeyless supports a wide range of encryption keys, including:
CBC type algorithms are easy to misuse, require additional data to be supplied when used, and are not authenticated. We recommend using a different type of algorithm unless there is a clear use case for it.
A key can be in one of three states, Enabled, Disabled, or Pending Deletion. The default state of a key is enabled unless stated otherwise, and can be transferred between states by any user with the appropriate permissions.
Any keys that are not in an Enabled state cannot be used for any cryptographic operations (Encrypt or Decrypt). Attempting to set a key that is protecting a different item in the system into a Disabled or Pending Deletion state will fail.
To create an encryption key, use these commands with the following parameters:
-n: The desired name for the key
-a: The desired encryption algorithm for the key
akeyless create-dfc-key -n MyAES128GCMKey -a AES128GCM
akeyless create-dfc-key -n MyAES256GCMKey -a AES256GCM
akeyless create-dfc-key -n MyAES128SIVKey -a AES128SIV
akeyless create-dfc-key -n MyAES256SIVKey -a AES256SIV
akeyless create-dfc-key -n MyRSAKey -a RSA1024
akeyless create-dfc-key -n MyRSAKey -a RSA2048
akeyless create-dfc-key -n MyCBC -a AES256CBC
To list all available options for key creation run this command:
akeyless create-dfc-key -h
- Delete an Encryption Key: Delete an obsolete Encryption Key or an obsolete version of an Encryption Key.
You may schedule a later deletion date by adding a
akeyless delete-item -n MyAES256GCMKey
akeyless delete-item -n MyAES128GCMKey --delete-in-days=30
- Get the public key from your RSA encryption key:
akeyless get-rsa-public -n MyRSAKey
- Disabling a Key: Changes a key's state to
This command can also be used to cancel a pending
deletecommand, changing the key to the disabled state, from which it can be re-enabled.
akeyless set-item-state -n MyAES256GCMKey -s disabled
- Enabling a Key: can be used to return a disabled key to an enabled state.
akeyless set-item-state -n MyAES256GCMKey -s enabled
After creating a key, you can use it in order to encrypt values using this command with the following parameters:
-k: The name of the key to encrypt with.
-p: The string to encrypt.
When using a CBC type encryption algorithm, there will be an additional parameter called the initialization vector, a 16 bytes of random data, encoded in base64 format, which must be unique to each encryption operation, and must be saved in order to decrypt the value, marked with the parameter -X.
akeyless encrypt -k MyAES256GCMKey -p 12345
akeyless encrypt -k cbc -p 12345 -X iv=7iBxRZ3NvucULGXgpsUFGw==
The output should look like a jumbled string of characters
Similarly, you can use it in order to Decrypt values using this command with the following parameters:
-k: The name of the key to encrypt with.
-c: The string to decrypt.
akeyless decrypt -k MyAES256GCMKey -c AQAAAAEIAacq7xBbq3PYFnTmuUwqdRHclYjti/5u/MvVacv7mtFjlJQtUIpY13YF
akeyless decrypt -k cbc -c AQAAAAEIAWj/BDSTdvCHMG1aqBW+r+u41nEvN1qTRQ== -X iv=7iBxRZ3NvucULGXgpsUFGw==
The output should be the message you encrypted beforehand:
Using HMAC with encryption:
You may choose to add a hash function encryption over a key with the following command:
akeyless hmac -p <plaintext> -f <hash function> -k <key>
selecting a hash function between sha-256 and sha-512. The full parameters for this command can be found here.
Log in to the Akeyless Console, and go to Secrets & Keys > New > Encryption Key>DFC.
Define a Name of the key, and specify the Location as a path to the virtual folder where you want to create the new key, using slash
/separators. If the folder does not exist, it will be created together with the key.
Define the remaining parameters as follows:
Description: general description of the key (optional).
Tags: assign tags to the key (optional).
Delete Protection: When enabled, protects the secret from accidental deletion.
Type: The encryption algorithm used for the key.
- To delete the key, go to the key's location in your repository, select it and tap the trash icon. You will get the option to choose if you wish to delete it immediately or in a set amount of days. The key must be set to be disabled via the edit options before doing so. A scheduled deletion can be canceled by re-selecting the delete option.
- To view the public key for RSA keys, go to the folder in Akeyless where you saved the desired key, select it, and tap get public RSA key
Go to the folder in Akeyless where you saved the desired key and select it.
Tap the Encrypt/Decrypt text button
Select the desired operation and enter the required text
When using a CBC type encryption algorithm, there will be an additional parameter called the initialization vector, 16 bytes of random data, encoded in base64 format, which must be unique to each encryption operation, and must be saved in order to decrypt the value, marked with the parameter -X.
Updated about 1 month ago