Update KMIP documentation to reflect Vault 1.11 changes. (#15868)

Update documentation to reflect new KMIP features in Vault 1.11.

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
This commit is contained in:
Victor Rodriguez 2022-06-08 13:58:45 -04:00 committed by GitHub
parent 5c03fe6a30
commit d922225fcd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 63 additions and 39 deletions


@ -12,12 +12,37 @@ description: |-
with the Advanced Data Protection Module. with the Advanced Data Protection Module.
The KMIP secrets engine allows Vault to act as a [Key Management The KMIP secrets engine allows Vault to act as a [Key Management
Interoperability Protocol](https://docs.oasis-open.org/kmip/kmip-spec/v2.0/os/kmip-spec-v2.0-os.html) (KMIP) server provider and handle Interoperability Protocol][kmip-spec] (KMIP) server provider and handle
the lifecycle of its KMIP managed objects. KMIP is a standardized protocol that allows the lifecycle of its KMIP managed objects. KMIP is a standardized protocol that allows
services and applications to perform cryptographic operations without having to services and applications to perform cryptographic operations without having to
manage cryptographic material, otherwise known as managed objects, by delegating manage cryptographic material, otherwise known as managed objects, by delegating
its storage and lifecycle to a key management server. its storage and lifecycle to a key management server.
## KMIP Conformance
Vault implements version 1.4 of the following Key Management Interoperability Protocol Profiles:
* [Baseline Server][baseline-server]
* Supports all profile attributes except for *Alternative Name*, *Key Value Present* and
*Key Value Location*.
* Supports all profile operations except for *Check*, *Modify Attribute* and *Delete Attribute*.
* Operation *Locate* only supports attributes *Activation Date*, *Application
Specific Information*, *Cryptographic Algorithm*, *Cryptographic Length*,
*Name*, *Object Type*, *Original Creation Date*, and *State*.
* [Symmetric Key Lifecycle Server][lifecycle-server]
* Supports cryptographic algorithm *AES* (*3DES* is not supported).
* Only the *Transparent Symmetric Key* key format type is supported.
* [Basic Cryptographic Server][basic-cryptographic-server]
* Supports block cipher modes *CBC*, *CFB*, *CTR*, *ECB*, *GCM*, and *OFB*.
* On mulit-part (streaming) operations, block cipher mode *GCM* is not supported.
* The supported padding methods are *None* and *PKCS5*.
[baseline-server]: http://docs.oasis-open.org/kmip/profiles/v1.4/os/kmip-profiles-v1.4-os.html#_Toc491431430
[lifecycle-server]: http://docs.oasis-open.org/kmip/profiles/v1.4/os/kmip-profiles-v1.4-os.html#_Toc491431487
[basic-cryptographic-server]: http://docs.oasis-open.org/kmip/profiles/v1.4/os/kmip-profiles-v1.4-os.html#_Toc491431527
## Setup ## Setup
The KMIP secrets engine must be configured before it can start accepting KMIP The KMIP secrets engine must be configured before it can start accepting KMIP
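Review bot: "mulit-part" in the Basic Cryptographic Server bullet should read "multi-part". The description paragraph also switches from the inline docs.oasis-open.org URL to a `[kmip-spec]` reference link, but this hunk only defines `[baseline-server]`, `[lifecycle-server]` and `[basic-cryptographic-server]`; confirm that a `[kmip-spec]: https://docs.oasis-open.org/kmip/kmip-spec/v2.0/os/kmip-spec-v2.0-os.html` definition exists elsewhere in the file, otherwise the link renders as literal bracketed text. Minor: the three new profile anchors use `http://` while the spec link uses `https://`; prefer `https://` for all of them.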
@ -66,6 +91,43 @@ allowed operations for it.
Success! Data written to: kmip/scope/my-service/role/admin Success! Data written to: kmip/scope/my-service/role/admin
``` ```
### Supported KMIP Operations
The KMIP secrets engine currently supports the following set of operations:
```text
operation_activate
operation_add_attribute
operation_create
operation_decrypt
operation_destroy
operation_discover_versions
operation_encrypt
operation_get
operation_get_attribute_list
operation_get_attributes
operation_import
operation_locate
operation_query
operation_register
operation_rekey
operation_revoke
```
Additionally, there are two pseudo-operations that can be used to allow or deny
all operation capabilities to a role. These operations are mutually exclusive to
all other operations. That is, if it's provided during role creation or update,
no other operations can be provided. Similarly, if an existing role contains a
pseudo-operation, and it is then updated with a set supported operation, it will
be overwritten with the newly set of provided operations.
Pseudo-operations:
```text
operation_all
operation_none
```
### Client Certificate Generation ### Client Certificate Generation
Once a scope and role has been created, client certificates can be generated for Once a scope and role has been created, client certificates can be generated for
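Review bot: the pseudo-operations paragraph is moved here verbatim and keeps its grammar problems, so fix them in the same change: "if it's provided during role creation or update" has no clear antecedent (say "if a pseudo-operation is provided"), "updated with a set supported operation" should be "updated with a set of supported operations", and "the newly set of provided operations" should be "the newly provided set of operations". The list also gains operation_decrypt, operation_encrypt, operation_import and operation_query; since the commit message ties this to Vault 1.11, a short note that these operations are available as of 1.11, with a pointer from encrypt/decrypt to the block cipher modes and padding methods listed under KMIP Conformance, would help readers connect the role configuration to the conformance section.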
@ -194,44 +256,6 @@ with their client certificate.
serial_number 317328055225536560033788492808123425026102524390 serial_number 317328055225536560033788492808123425026102524390
``` ```
### Supported KMIP Operations
The KMIP protocol supports a wide variety of operations that can be
issued by clients to perform certain actions, such as key management,
encryption, signing, etc. The KMIP secrets engine currently supports a subset of
KMIP operations.
Supported KMIP operations:
```text
operation_activate
operation_add_attribute
operation_create
operation_destroy
operation_discover_versions
operation_get
operation_get_attribute_list
operation_get_attributes
operation_locate
operation_register
operation_rekey
operation_revoke
```
Additionally, there are two pseudo-operations that can be used to allow or deny
all operation capabilities to a role. These operations are mutually exclusive to
all other operations. That is, if it's provided during role creation or update,
no other operations can be provided. Similarly, if an existing role contains a
pseudo-operation, and it is then updated with a set supported operation, it will
be overwritten with the newly set of provided operations.
Pseudo-operations:
```text
operation_all
operation_none
```
## Tutorial ## Tutorial
Refer to the [KMIP Secrets Engine](https://learn.hashicorp.com/vault/secrets-management/kmip-engine) Refer to the [KMIP Secrets Engine](https://learn.hashicorp.com/vault/secrets-management/kmip-engine)
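Review bot: the removed block's introductory sentence ("The KMIP protocol supports a wide variety of operations ... The KMIP secrets engine currently supports a subset of KMIP operations.") was not carried to the relocated section, which now opens directly with "currently supports the following set of operations" and loses the statement that this is a subset of the protocol; consider keeping that sentence at the new location. Otherwise the deletion is consistent with the move: every entry in the removed list (activate, add_attribute, create, destroy, discover_versions, get, get_attribute_list, get_attributes, locate, register, rekey, revoke) reappears in the new list, plus decrypt, encrypt, import and query.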