Retrieval of private key from KeyVault


Question



Hi,

We need to do Elliptic key operations (encrypt/decrypt as well as derivation, random generations) for my Solution. This solution is planned to go through some security certification which imposes the usage of an HSM with FIPS 140-2 Level 3.

To do so I need to either have keyVault do it for me or have a way to retrieve the private key from the KeyVault.

So my two questions are:

1) Is there an official Roadmap for keyVault where I can get the date those functions would be available in KeyVault?

2) Is there a way of retrieving the EC private keys from keyVault?

It looks like it is not possible... However, I was wondering if I could somehow use the wrap/unwrap functions of an RSA key to do so? Any documentation on what exactly this wrap/unwrap is used for?

Thanks in advance 

Solution

Hi,

The private portion of the key does not flow out of the Key Vault boundary/HSM, which is the whole premise of the solution and that makes it secure. Encrypt/Decrypt operations are already allowed on the keys. Here is the list of supported encryption algorithms

As for Wrap/Unwrap, you can use it to protect another key, like in your case (if you want to use a key that does not live within the boundary of Key Vault). The wrapped key value can even be stored as a Secret value if you want all of it to live in a Vault (not necessarily in the same instance of Key Vault though if that is what you are looking for). 

The documentation here on Wrap/Unwrap explains this (quoted below)

A key stored in Azure Key Vault may be used to protect another key, typically a symmetric content encryption key (CEK). When the key in Azure Key Vault is asymmetric, key encryption is used, for example RSA-OAEP and the WRAPKEY/UNWRAPKEY operations are equivalent to ENCRYPT/DECRYPT. When the key in Azure Key Vault is symmetric, key wrapping is used; for example AES-KW. The WRAPKEY operation is supported as a convenience for applications that may not have access to [public] key material; it is recommended that, for best application performance, WRAPKEY operations are performed locally.

Let me know if that helps
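The Wrap/Unwrap pattern the answer describes, as an added example in Go (not code from the original post, nor Azure Key Vault's own SDK): a locally generated RSA key pair stands in for the vault key, the content encryption key (CEK) is wrapped with RSA-OAEP using only the public half (the local WRAPKEY the documentation recommends), and the unwrap step isolates the single private-key operation that in production would be a call into Key Vault. The AES-GCM data encryption and the nonce||ciphertext layout are this example's own choices, not something the answer prescribes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// newGCM returns AES-256-GCM under cek; it fails only on a wrong key size.
func newGCM(cek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// EnvelopeEncrypt seals data under a fresh 256-bit CEK and wraps the CEK
// with RSA-OAEP (WRAPKEY); only the public half is needed, so it runs locally
// as recommended. Returns the wrapped CEK (storable as a Secret) and nonce||ct.
func EnvelopeEncrypt(pub *rsa.PublicKey, plaintext []byte) (wrapped, blob []byte, err error) {
	buf := make([]byte, 32+12) // CEK followed by a 96-bit GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	cek, nonce := buf[:32], buf[32:]
	gcm, _ := newGCM(cek) // cannot fail: cek is exactly 32 bytes
	if wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil); err != nil {
		return nil, nil, err
	}
	return wrapped, gcm.Seal(nonce, nonce, plaintext, nil), nil // dst=nonce prepends it
}
// EnvelopeDecrypt unwraps the CEK (UNWRAPKEY: the only step needing the private
// key, so in production it is the Key Vault call) and opens nonce||ciphertext.
func EnvelopeDecrypt(priv *rsa.PrivateKey, wrapped, blob []byte) ([]byte, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than the GCM nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
```

Only EnvelopeDecrypt's first line touches the private key; everything else works with material that can safely live outside the vault, which is why the wrapped CEK may be kept next to the data or in a Secret.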

