| copyright | lastupdated | keywords | subcollection | ||
|---|---|---|---|---|---|
|
2024-10-09 |
get key, get encryption key, view encryption key, retrieve encryption key, API examples |
hs-crypto |
{{site.data.keyword.attribute-definition-list}}
{: #retrieve-key}
You can retrieve a root key or standard key by using {{site.data.keyword.cloud}} {{site.data.keyword.hscrypto}}. {: shortdesc}
If you have a Writer or Manager access policy, you can retrieve the contents of a standard key, such as the key material and policy details.
Root keys{: term} stay within the bounds of a hardware security module. The key material for a root key cannot be retrieved. {: note}
{: #get-key-api}
To view detailed information about a specific key, you can make a GET call to
the following endpoint.
https://<instance_ID>.api.<region>.hs-crypto.appdomain.cloud/api/v2/keys/<key_ID_or_alias>
{: codeblock}
-
Retrieve your service and authentication credentials to work with keys in the service.
-
Retrieve the ID of the standard key that you would like to access or manage.
The ID value is used to access detailed information about the standard key, such as the key material itself. You can retrieve the ID for a specified key by making a
GET /v2/keysrequest, or by accessing the UI. -
Run the following cURL command to get details about your key and the key material.
curl -X GET \ "https://<instance_ID>.api.<region>.hs-crypto.appdomain.cloud/api/v2/keys/<key_ID_or_alias>" \ -H 'accept: application/vnd.ibm.kms.key+json' \ -H 'authorization: Bearer <IAM_token>' \ -H 'bluemix-instance: <instance_ID>' \ -H "x-kms-key-ring: <key_ring_ID>" \ -H 'correlation-id: <correlation_ID>'
{: codeblock}
Replace the variables in the example request according to the following table.
Variable Description regionRequired. The region abbreviation, such as us-southoreu-de, that represents the geographic area where your {{site.data.keyword.hscrypto}} instance resides. For more information, see Regional service endpoints.key_ID_or_aliasRequired. The identifier or alias for the key that you want to retrieve. IAM_tokenRequired. Your {{site.data.keyword.cloud_notm}} access token. Include the full contents of the IAMtoken, including the Bearer value, in the cURL request. For more information, see Retrieving an access token.instance_IDRequired. The unique identifier that is assigned to your {{site.data.keyword.hscrypto}} instance. For more information, see Retrieving an instance ID. key_ring_IDOptional. The unique identifier of the key ring that the key belongs to. If unspecified, {{site.data.keyword.hscrypto}} will search for the key in every key ring that is associated with the specified instance. Therefore, it is suggested to specify the key ring ID for a more optimized request. \n \n Note: The key ring ID of keys that are created without an x-kms-key-ringheader is: default. For more information, see Managing key rings.correlation_IDThe unique identifier that is used to track and correlate transactions. {: caption="Describes the variables needed to view a specified key with the API" caption-side="bottom"} A successful
GET api/v2/keys/<key_ID_or_alias>response returns details about your key and the key material. The following JSON object shows an example returned value for a standard key.{ "metadata": { "collectionType": "application/vnd.ibm.kms.key+json", "collectionTotal": 1 }, "resources": [ { "type": "application/vnd.ibm.kms.key+json", "id": "02fd6835-6001-4482-a892-13bd2085f75d", "name": "test-standard-key", "aliases": [ "alias-1", "alias-2" ], "state": 1, "expirationDate": "2020-03-15T03:50:12Z", "extractable": true, "crn": "crn:v1:bluemix:public:hs-crypto:us-south:a/f047b55a3362ac06afad8a3f2f5586ea:12e8c9c2-a162-472d-b7d6-8b9a86b815a6:key:02fd6835-6001-4482-a892-13bd2085f75d", "imported": false, "creationDate": "2020-03-12T03:50:12Z", "createdBy": "...", "algorithmType": "AES", "algorithmMetadata": { "bitLength": "256", "mode": "CBC_PAD" }, "algorithmBitSize": 256, "algorithmMode": "CBC_PAD", "lastUpdateDate": "2020-03-12T03:50:12Z", "dualAuthDelete": { "enabled": false }, "deleted": false, "payload": "Rm91ciBzY29yZSBhbmQgc2V2ZW4geWVhcnMgYWdv..." } ] }{: screen}
The following JSON object shows an example returned value for a root key.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.key+json", "collectionTotal": 1 }, "resources": [ { "type": "application/vnd.ibm.kms.key+json", "id": "2291e4ae-a14c-4af9-88f0-27c0cb2739e2", "aliases": [ "alias-1", "alias-2" ], "name": "test-root-key", "state": 1, "extractable": false, "crn": "crn:v1:bluemix:public:hs-crypto:us-south:a/f047b55a3362ac06afad8a3f2f5586ea:30372f20-d9f1-40b3-b486-a709e1932c9c:key:2291e4ae-a14c-4af9-88f0-27c0cb2739e2", "imported": false, "creationDate": "2020-03-05T16:28:38Z", "createdBy": "...", "algorithmType": "AES", "algorithmMetadata": { "bitLength": "256", "mode": "CBC_PAD" }, "algorithmBitSize": 256, "algorithmMode": "CBC_PAD", "lastUpdateDate": "2020-03-05T16:39:25Z", "keyVersion": { "id": "436901cb-f4e4-45f4-bd65-91a7f6d13461", "creationDate": "2020-03-05T16:39:25Z" }, "dualAuthDelete": { "enabled": false }, "deleted": false } ] }{: screen}
The
payloador key material for a root key stays within the bounds of a hardware security module and cannot be retrieved. {: note}For a detailed description of the response parameters, see the {{site.data.keyword.hscrypto}} key management REST API reference doc{: external}.