Implementing Zero Knowledge

❗️

Warning:

When working with Customer Fragments, it is your responsibility to back them up securely and store them in a safe place.

Encryption keys created with a Customer Fragment cannot be reconstructed without it. Therefore, any data encrypted with those keys will be unrecoverable if the Customer Fragment is lost.

Generate a Customer Fragment

You can create multiple Customer Fragments. Each Customer Fragment is used to derive its own separate encryption keys, for example, to enforce privacy segregation among different teams, departments, and organizational units.

To generate a Customer Fragment:

  1. Open the Akeyless Gateway Configuration Manager at http://Your-Akeyless-Gateway-URL:8000.

  2. On the menu bar at the left, click Zero-Knowledge Encryption.

  3. On the Zero-Knowledge Encryption page, click Generate Customer Fragment.

  4. In the pop-up, provide a description of the new Customer Fragment and click Save. Repeat for each additional Customer Fragment you need.

  5. Click Download to download the file with all the generated Customer Fragments and save it in a safe and secured place.


Created Customer Fragment

Generate Customer Fragment from the Akeyless CLI:

First, set the following environment variable so that the CLI interacts with the relevant Gateway:

export AKEYLESS_GATEWAY_URL=https://Your_GW_URL:8080

To generate a Customer Fragment, run the following Akeyless CLI command:

akeyless gen-customer-fragment --description MyFirstCF

You'll get the following output:

$ akeyless gen-customer-fragment --description MyFirstCF

WARNING: It is the clients responsibility to back up the customer fragment.
Keys that were created with a customer fragment cannot be reconstructed without it and all information that is 
encrypted with them will not be recoverable if the customer fragment is lost.

In order to use the generated customer fragment, it must be saved in /root/.akeyless/customer_fragments.json

The following json contains the newly generated customer fragment:
{
    "customer_fragments": [
        {
            "id": "cf-xyzxyzxyzxyzxyzxyz",
            "value": "SomE/CUstOmer/FrAGMenTvALue==",
            "description": "MyFirstCF"
        }
    ]
}

🚧

Important

Once you have saved your customer_fragments.json file, you must mount it into the Gateway container at /root/.akeyless/customer_fragments.json every time you install, restart, or upgrade the Gateway instance; the fragment is not persisted inside the container, and without it the Gateway cannot use any key derived from that fragment.

docker run -d -p 8000:8000 -p 8200:8200 -p 18888:18888 -p 8080:8080 -p 5696:5696 -v /host/path/target/customer_fragments.json:/root/.akeyless/customer_fragments.json -e ADMIN_ACCESS_ID="identity-access-id" -e ADMIN_ACCESS_KEY="identity-access-key" --name akeyless-gw akeyless/base
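The CLI prints its warning text and the JSON on the same stream, so redirecting its output straight into customer_fragments.json produces an invalid file, and running gen-customer-fragment a second time (for another team or department) must not overwrite the fragment already saved. The following script is an added example, not part of Akeyless's own tooling: it pulls the JSON object out of the CLI output, validates that every fragment carries a non-empty id, value (base64) and description, merges the new fragments into an existing customer_fragments.json while refusing a conflicting value for an already-known id, writes the file atomically with owner-only (0600) permissions, and prints a SHA-256 fingerprint of each fragment value so that a backup copy can be verified without exposing the value. The sample CLI output embedded in it is constructed (the fragment id and base64 value are made up), and the file path is whatever you pass on the command line; the layout of the JSON matches the output shown above.

```python
"""Merge freshly generated Akeyless Customer Fragments into customer_fragments.json.

Added example, not Akeyless's own tooling. It assumes the CLI output format
shown on this page: free-form warning text followed by one JSON object with a
"customer_fragments" array whose entries carry "id", "value" and "description".
Usage:
    akeyless gen-customer-fragment --description MyFirstCF \
        | python merge_cf.py ~/.akeyless/customer_fragments.json
"""
import base64
import hashlib
import json
import os
import sys
import tempfile

# Constructed sample of what the CLI prints (id and value are made up).
SAMPLE_CLI_OUTPUT = """WARNING: It is the client's responsibility to back up the customer fragment.

In order to use the generated customer fragment, it must be saved in /root/.akeyless/customer_fragments.json

The following json contains the newly generated customer fragment:
{
    "customer_fragments": [
        {
            "id": "cf-exampleexampleexample",
            "value": "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=",
            "description": "MyFirstCF"
        }
    ]
}
"""


def extract_fragments(cli_output: str) -> list:
    """Return the validated fragment list from the mixed warning+JSON CLI output."""
    start, end = cli_output.find("{"), cli_output.rfind("}")
    if start == -1 or end < start:
        raise ValueError("no JSON object found in CLI output")
    doc = json.loads(cli_output[start:end + 1])
    frags = doc.get("customer_fragments")
    if not isinstance(frags, list) or not frags:
        raise ValueError("JSON has no non-empty 'customer_fragments' array")
    for frag in frags:
        for field in ("id", "value", "description"):
            if not isinstance(frag.get(field), str) or not frag[field]:
                raise ValueError(f"fragment is missing string field {field!r}")
        # The value is base64; a truncated or mangled copy/paste fails here, not at runtime.
        base64.b64decode(frag["value"], validate=True)
    return frags


def fingerprint(value: str) -> str:
    """Short SHA-256 of a fragment value: safe to log and compare against a backup."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def merge_into_file(path: str, new_frags: list) -> list:
    """Add new fragments to the JSON file (creating it if needed) and return the merged list.

    An id that is already present with the same value is skipped; the same id with a
    different value is refused, because silently replacing a fragment would orphan every
    key derived from the old one. The file is written atomically with mode 0600.
    """
    existing = []
    if os.path.exists(path):
        with open(path) as fh:
            existing = json.load(fh).get("customer_fragments", [])
    known = {frag["id"]: frag for frag in existing}
    for frag in new_frags:
        if frag["id"] in known:
            if known[frag["id"]]["value"] != frag["value"]:
                raise ValueError(f"id {frag['id']} already present with a different value")
            continue
        known[frag["id"]] = frag
    merged = list(known.values())
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), prefix=".cf-")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump({"customer_fragments": merged}, fh, indent=4)
            fh.flush()
            os.fsync(fh.fileno())      # make sure the bytes hit disk before the rename
        os.chmod(tmp, 0o600)           # the fragment is a root-of-trust secret: owner only
        os.replace(tmp, path)          # atomic: readers never see a half-written file
    except BaseException:
        os.unlink(tmp)
        raise
    return merged


def demo(path: str = None) -> list:
    """Run the whole flow on the constructed sample into a temporary file."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "customer_fragments.json")
    return merge_into_file(path, extract_fragments(SAMPLE_CLI_OUTPUT))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = merge_into_file(sys.argv[1], extract_fragments(sys.stdin.read()))
    else:
        result = demo()
    for frag in result:
        print(f"{frag['id']}  {frag['description']}  sha256:{fingerprint(frag['value'])}")
```

After running it, keep the printed fingerprints with your backup records: re-running `fingerprint()` over the backup copy's values confirms that the backup is intact without ever printing or transmitting the fragment itself. Mount the resulting file into the Gateway exactly as in the docker run command above.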

Create a DFC Encryption Key

With the Customer Fragment at hand, you can create DFC encryption keys.

To create a DFC Encryption Key:

  1. Open the Akeyless Gateway Console at http://Your-Akeyless-Gateway-URL:18888.

  2. On the menu bar at the left, click Secrets & Keys.

  3. On the Secrets & Keys page, click New -> Encryption Key -> DFC.

  4. In the pop-up, specify the parameters of the new key and select a Customer Fragment to be used with this key.

  5. Click Save.


Create Zero Knowledge Key from the Akeyless CLI:

To generate a key using a Customer Fragment, run the following command:

akeyless create-key -n MyKeyWithMyCF -a RSA2048 -f customer-fragment-id

You'll get the following output:

akeyless create-key -n MyKeyWithMyCF -a RSA2048 -f customer-fragment-id 
=====================
Encryption Key Fragment #0 created successfully in 1.451µs milliseconds
Encryption Key Fragment #1 created successfully in 1.452µs milliseconds
=====================
A new RSA2048 key named MyKeyWithMyCF was successfully created

The key can be viewed in the Gateway Console at port 18888:


DFC key in the Console

Set Up a Default Encryption Key

Set a default Encryption Key based on your Customer Fragment to enforce Zero-Knowledge by default for all secrets created through your Gateway. This ensures that any item created with Akeyless (via the Web UI, CLI, or SDKs) is encrypted with your own key rather than a key Akeyless can reconstruct without your fragment.

🚧

Note:

Only Symmetric encryption keys generated using a Customer Fragment can be used as Default Encryption Keys.

To set up a default Encryption Key:

  1. Open the Akeyless Gateway Configuration Manager at http://Your-Akeyless-Gateway-URL:8000.

  2. On the menu bar at the left, click Defaults.

  3. In the Default Encryption Key drop-down list, select one of the available encryption keys.

  4. Click Save Changes.


Default Encryption Key
