diff --git a/website/content/docs/secrets/kmip.mdx b/website/content/docs/secrets/kmip.mdx index 5eeaed1d1..509031f7c 100644 --- a/website/content/docs/secrets/kmip.mdx +++ b/website/content/docs/secrets/kmip.mdx 
@@ -12,12 +12,37 @@ description: |- with the Advanced Data Protection Module. The KMIP secrets engine allows Vault to act as a [Key Management -Interoperability Protocol](https://docs.oasis-open.org/kmip/kmip-spec/v2.0/os/kmip-spec-v2.0-os.html) (KMIP) server provider and handle +Interoperability Protocol][kmip-spec] (KMIP) server provider and handle the lifecycle of its KMIP managed objects. KMIP is a standardized protocol that allows services and applications to perform cryptographic operations without having to manage cryptographic material, otherwise known as managed objects, by delegating its storage and lifecycle to a key management server. +## KMIP Conformance + +Vault implements version 1.4 of the following Key Management Interoperability Protocol Profiles: + + * [Baseline Server][baseline-server] + * Supports all profile attributes except for *Alternative Name*, *Key Value Present* and + *Key Value Location*. + * Supports all profile operations except for *Check*, *Modify Attribute* and *Delete Attribute*. + * Operation *Locate* only supports attributes *Activation Date*, *Application + Specific Information*, *Cryptographic Algorithm*, *Cryptographic Length*, + *Name*, *Object Type*, *Original Creation Date*, and *State*. + + * [Symmetric Key Lifecycle Server][lifecycle-server] + * Supports cryptographic algorithm *AES* (*3DES* is not supported). + * Only the *Transparent Symmetric Key* key format type is supported. + + * [Basic Cryptographic Server][basic-cryptographic-server] + * Supports block cipher modes *CBC*, *CFB*, *CTR*, *ECB*, *GCM*, and *OFB*. + * On mulit-part (streaming) operations, block cipher mode *GCM* is not supported. + * The supported padding methods are *None* and *PKCS5*. 
+ +[baseline-server]: http://docs.oasis-open.org/kmip/profiles/v1.4/os/kmip-profiles-v1.4-os.html#_Toc491431430 +[lifecycle-server]: http://docs.oasis-open.org/kmip/profiles/v1.4/os/kmip-profiles-v1.4-os.html#_Toc491431487 +[basic-cryptographic-server]: http://docs.oasis-open.org/kmip/profiles/v1.4/os/kmip-profiles-v1.4-os.html#_Toc491431527 + ## Setup The KMIP secrets engine must be configured before it can start accepting KMIP @@ -66,6 +91,43 @@ allowed operations for it. Success! Data written to: kmip/scope/my-service/role/admin ``` +### Supported KMIP Operations + +The KMIP secrets engine currently supports the following set of operations: + +```text +operation_activate +operation_add_attribute +operation_create +operation_decrypt +operation_destroy +operation_discover_versions +operation_encrypt +operation_get +operation_get_attribute_list +operation_get_attributes +operation_import +operation_locate +operation_query +operation_register +operation_rekey +operation_revoke +``` + +Additionally, there are two pseudo-operations that can be used to allow or deny +all operation capabilities to a role. These operations are mutually exclusive to +all other operations. That is, if it's provided during role creation or update, +no other operations can be provided. Similarly, if an existing role contains a +pseudo-operation, and it is then updated with a set supported operation, it will +be overwritten with the newly set of provided operations. + +Pseudo-operations: + +```text +operation_all +operation_none +``` + ### Client Certificate Generation Once a scope and role has been created, client certificates can be generated for 
@@ -194,44 +256,6 @@ with their client certificate. serial_number 317328055225536560033788492808123425026102524390 ``` -### Supported KMIP Operations - -The KMIP protocol supports a wide variety of operations that can be -issued by clients to perform certain actions, such as key management, -encryption, signing, etc. The KMIP secrets engine currently supports a subset of -KMIP operations. - -Supported KMIP operations: - -```text -operation_activate -operation_add_attribute -operation_create -operation_destroy -operation_discover_versions -operation_get -operation_get_attribute_list -operation_get_attributes -operation_locate -operation_register -operation_rekey -operation_revoke -``` - -Additionally, there are two pseudo-operations that can be used to allow or deny -all operation capabilities to a role. These operations are mutually exclusive to -all other operations. That is, if it's provided during role creation or update, -no other operations can be provided. Similarly, if an existing role contains a -pseudo-operation, and it is then updated with a set supported operation, it will -be overwritten with the newly set of provided operations. - -Pseudo-operations: - -```text -operation_all -operation_none -``` - ## Tutorial Refer to the [KMIP Secrets Engine](https://learn.hashicorp.com/vault/secrets-management/kmip-engine)
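Review bot: In the first hunk (the new "KMIP Conformance" section), "mulit-part (streaming) operations" under Basic Cryptographic Server should read "multi-part (streaming) operations". The same hunk swaps the inline spec link for the reference `[kmip-spec]`, but this patch only adds definitions for `[baseline-server]`, `[lifecycle-server]` and `[basic-cryptographic-server]`; confirm `[kmip-spec]` is defined elsewhere in the file, otherwise the link renders as literal bracketed text. The three new OASIS profile definitions also use `http://` while the rest of the page links `https://`; prefer `https://docs.oasis-open.org/...` for consistency and so readers are not served the profile text over plain HTTP.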
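Review bot: In the second hunk, the pseudo-operations paragraph is moved verbatim and carries its existing grammar problems with it; since the text is being relocated anyway, fix them here. Suggest: "That is, if one is provided during role creation or update, no other operations can be provided. Similarly, if an existing role contains a pseudo-operation and is then updated with a set of supported operations, the pseudo-operation is overwritten by the newly provided set of operations." It would also help readers comparing against the old list (removed in the last hunk) to mention that `operation_decrypt`, `operation_encrypt`, `operation_import` and `operation_query` are newly supported, since the move otherwise hides that change.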