A Key Access Object stores not only a wrapped (encrypted) key used to encrypt the file's payload, but also additional metadata about how it is stored.
The current schema version is 1.0.0.
{
"type": "wrapped",
"url": "https:\/\/kas.example.com:5000",
"protocol": "kas",
"wrappedKey": "OqnOETpwyGE3PVpUpwwWZoJTNW24UMhnXIif0mSnqLVCUPKAAhrjeue11uAXWpb9sD7ZDsmrc9ylmnSKP9vWel8ST68tv6PeVO+CPYUND7cqG2NhUHCLv5Ouys3Klurykvy8\/O3cCLDYl6RDISosxFKqnd7LYD7VnxsYqUns4AW5\/odXJrwIhNO3szZV0JgoBXs+U9bul4tSGNxmYuPOj0RE0HEX5yF5lWlt2vHNCqPlmSBV6+jePf7tOBBsqDq35GxCSHhFZhqCgA3MvnBLmKzVPArtJ1lqg3WUdnWV+o6BUzhDpOIyXzeKn4cK2mCxOXGMP2ck2C1a0sECyB82uw==",
"policyBinding": {
"alg": "HS256",
"hash": "BzmgoIxZzMmIF42qzbdD4Rw30GtdaRSQL2Xlfms1OPs="
},
"encryptedMetadata": "ZoJTNW24UMhnXIif0mSnqLVCU=",
"schemaVersion:": "x.y.z"
}| Parameter | Type | Description | Required? |
|---|---|---|---|
keyAccess |
Object | KeyAccess object stores all information about how an object key OR key split is stored, and if / how it has been encrypted (e.g., with KEK or pub wrapping key). | Yes |
type |
String | Specifies how the key is stored. \n\nPossible Values: \nremote: The wrapped key (see below) is stored using Virtru infrastructure and is thus not part of the final TDF manifest.\nwrapped: Default for TDF3, the wrapped key is stored as part of the manifest.\nremoteWrapped: Allows management of customer hosted keys, such as with a Customer Key Server. This feature is available as an upgrade path. |
Yes |
url |
String | A url pointing to the desired KAS deployment | Yes |
protocol |
String | Protocol being used. Currently only kas is supported |
Yes |
wrappedKey |
String | The symmetric key used to encrypt the payload. It has been encrypted using the public key of the KAS, then base64 encoded. | Yes |
policyBinding |
Object | Object describing the policyBinding. Contains a hash, and an algorithm used. | Yes |
policyBinding.alg |
String | The policy binding algorithm used to generate the hash. | Yes |
policyBinding.hash |
String | This contains a keyed hash that will provide cryptographic integrity on the policy object, such that it cannot be modified or copied to another TDF, without invalidating the binding. Specifically, you would have to have access to the key in order to overwrite the policy. \n\nThis is Base64 encoding of HMAC(POLICY,KEY), where: \n\nPOLICY: base64(policyjson) that is in the “encryptionInformation/policy” \nHMAC: HMAC SHA256 (default, but can be specified in the alg field described above) \nKEY: Whichever Key Split or Key that is available to the KAS (e.g. the underlying AES 256 key in the wrappedKey. | Yes |
encryptedMetadata |
String | Metadata associated with the TDF, and the request. The contents of the metadata are freeform, and are used to pass information from the client, and any plugins that may be in use by the KAS. For example, in Virtru's scenario, we could include information about things like, watermarking, expiration, and also data about the request. \n\nencryptedMetadata is a base64-encoded string. One example of plaintext metadata could be, depending on specific needs:\n\n\n{\nauthHeader: ''sd9f8dfkjhwkej8sdfj\",\nconnectOptions: {\n url: ''http://localhost:4010\"\n }\n}\n |
Yes |
schemaVersion |
String | Version number of the KeyAccessObject schema. | No |