Key Access Object
Summary
A Key Access Object stores not only a wrapped (encrypted) key used to encrypt the file's payload, but also additional metadata about how it is stored.
Example

```json
{
"type": "wrapped",
"url": "https:\/\/kas.example.com:5000",
"kid": "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs",
"protocol": "kas",
"wrappedKey": "OqnOETpwyGE3PVpUpwwWZoJTNW24UMhnXIif0mSnqLVCUPKAAhrjeue11uAXWpb9sD7ZDsmrc9ylmnSKP9vWel8ST68tv6PeVO+CPYUND7cqG2NhUHCLv5Ouys3Klurykvy8\/O3cCLDYl6RDISosxFKqnd7LYD7VnxsYqUns4AW5\/odXJrwIhNO3szZV0JgoBXs+U9bul4tSGNxmYuPOj0RE0HEX5yF5lWlt2vHNCqPlmSBV6+jePf7tOBBsqDq35GxCSHhFZhqCgA3MvnBLmKzVPArtJ1lqg3WUdnWV+o6BUzhDpOIyXzeKn4cK2mCxOXGMP2ck2C1a0sECyB82uw==",
"policyBinding": "BzmgoIxZzMmIF42qzbdD4Rw30GtdaRSQL2Xlfms1OPs=",
"encryptedMetadata": "ZoJTNW24UMhnXIif0mSnqLVCU=",
"tdf_spec_version": "x.y.z"
}
```
keyAccess
Parameter | Type | Description | Required? |
---|---|---|---|
keyAccess | Object | The KeyAccess object stores all information about how an object key or key split is stored, and whether and how it has been encrypted (e.g., with a KEK or a public wrapping key). | Yes |
type | String | Specifies how the key is stored. Possible values include `wrapped` (as in the example above). | Yes |
url | String | A url pointing to the desired KAS deployment | Yes |
kid | String | Identifier for the KAS public key, such as its thumbprint. The current preferred identifier can be looked up using the kas_public_key endpoint. For compatibility, our reference implementation uses the associated x509 certificate's fingerprint, although this may be a UUID or other simple string selector. | Recommended |
protocol | String | Protocol being used. Currently only kas is supported | Yes |
wrappedKey | String | The symmetric key used to encrypt the payload. It has been encrypted using the public key of the KAS, then base64 encoded. | Yes |
policyBinding | Object | Contains a keyed hash that provides cryptographic integrity for the policy object, so that it cannot be modified or copied to another TDF without invalidating the binding; specifically, one would need access to the key in order to overwrite the policy. This is the Base64 encoding of HMAC(POLICY, KEY), where: | Yes |
encryptedMetadata | String | Metadata associated with the TDF and the request. The contents are freeform and are used to pass information from the client and from any plugins in use by the KAS. The metadata stored here should not be used for primary access decisions. Note: encryptedMetadata is stored as a base64-encoded string. One example of the metadata, once decoded and decrypted, might be (depending on specific needs): `{authHeader:"sd9f8dfkjhwkej8sdfj",connectOptions:{url:'http://localhost:4010'}}` | Yes |
tdf_spec_version | String | Semver version number of the TDF spec. | No |
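As an added example (not part of this spec page or of the reference implementation), the following Python computes the policyBinding described in the table and validates a Key Access Object against its policy, so that a policy edited after binding is rejected. It assumes POLICY is the UTF-8 bytes of the base64-encoded policy string, KEY is the symmetric payload key, and the HMAC hash is SHA-256, none of which the table pins down; the key, policy and KAS URL are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Assumptions (the page does not pin them down): POLICY is the UTF-8 bytes of the
# base64-encoded policy JSON as stored in the manifest, KEY is the symmetric
# payload key (DEK), and the HMAC hash function is SHA-256.
REQUIRED_FIELDS = ("type", "url", "protocol", "wrappedKey", "policyBinding")

def encode_policy(policy: dict) -> str:
    """Serialize a policy object into the base64 string stored in the manifest."""
    raw = json.dumps(policy, separators=(",", ":"), sort_keys=True).encode()
    return base64.b64encode(raw).decode()

def policy_binding(policy_b64: str, dek: bytes) -> str:
    """Base64(HMAC(POLICY, KEY)) as described for the policyBinding field."""
    mac = hmac.new(dek, policy_b64.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def validate_key_access(kao: dict, policy_b64: str, dek: bytes) -> list:
    """Return the problems found; an empty list means the object checks out."""
    problems = [f"missing required field: {f}" for f in REQUIRED_FIELDS if f not in kao]
    if problems:
        return problems
    if kao["protocol"] != "kas":
        problems.append(f"unsupported protocol: {kao['protocol']!r}")
    try:
        base64.b64decode(kao["wrappedKey"], validate=True)
    except ValueError:
        problems.append("wrappedKey is not valid base64")
    expected = policy_binding(policy_b64, dek)
    # Constant-time comparison so a forged binding cannot be probed byte by byte.
    if not hmac.compare_digest(expected.encode(), str(kao["policyBinding"]).encode()):
        problems.append("policyBinding does not match this policy under this key")
    return problems

# Constructed sample values for the demo: not a real key, KAS or wrapped key.
DEK = bytes(range(32))
POLICY_B64 = encode_policy({"uuid": "00000000-0000-0000-0000-000000000000",
                            "body": {"dataAttributes": [], "dissem": ["alice@example.com"]}})
SAMPLE_KAO = {"type": "wrapped", "url": "https://kas.example.com:5000", "protocol": "kas",
              "wrappedKey": base64.b64encode(b"placeholder-wrapped-key").decode(),
              "policyBinding": policy_binding(POLICY_B64, DEK)}

def tampered_policy_is_detected() -> bool:
    """Change the dissem list after binding; the stored binding must no longer verify."""
    altered = encode_policy({"uuid": "00000000-0000-0000-0000-000000000000",
                             "body": {"dataAttributes": [], "dissem": ["mallory@example.com"]}})
    return bool(validate_key_access(SAMPLE_KAO, altered, DEK))
```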