The Key Manager Service manages cryptographic objects of various kinds on the basis of the Key Management Interoperability Protocol [KMIPv20]. KMIP distinguishes between Base Objects and Managed Objects. Base Objects are the pieces of information that describe a Managed Object; examples are Attributes, Key Value and Key Wrapping Data.
A Managed Object is an object with cryptographic content that is managed by the Key Lifecycle Management System (KLMS); the various keys and certificates belong to this class. Templates can also be created so that the administrator of a KLMS can group the attributes of frequently used operations. For example, a template can be created for a symmetric key that fixes the algorithm and the length of the key. When a key is to be created according to these specifications, the name of the template is passed instead of the individual attributes. Other data that must be kept secret is stored as a Secret Data Object (e.g. for passwords) or as an Opaque Object. The content of an Opaque Object does not have to be interpretable by the server: a key can be stored, for example, even though the server does not support the encryption algorithm it is used with.
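As an added example (not part of this page and not the Key Manager's own code), the following Python builds and decodes a KMIP 2.0 Create request in the protocol's TTLV encoding: the Attributes base object carries the algorithm, length and usage mask that specify the symmetric key to be created as a managed object. Tag and enumeration values are taken from the KMIP specification; the function names are the example's own.

```python
import struct
# KMIP TTLV tags (3-byte values from the KMIP specification) and the item types used here
TAG = {"RequestMessage": 0x420078, "RequestHeader": 0x420077, "ProtocolVersion": 0x420069,
       "ProtocolVersionMajor": 0x42006A, "ProtocolVersionMinor": 0x42006B, "BatchCount": 0x42000D,
       "BatchItem": 0x42000F, "Operation": 0x42005C, "RequestPayload": 0x420079,
       "ObjectType": 0x420057, "Attributes": 0x420125, "CryptographicAlgorithm": 0x420028,
       "CryptographicLength": 0x42002A, "CryptographicUsageMask": 0x42002C}
TAG_NAME = {v: k for k, v in TAG.items()}
STRUCTURE, INTEGER, ENUMERATION = 0x01, 0x02, 0x05
OP_CREATE, OBJ_SYMMETRIC_KEY, ALG_AES = 1, 2, 3       # enumeration values from the spec
USAGE_ENCRYPT, USAGE_DECRYPT = 0x04, 0x08               # Cryptographic Usage Mask bits

def ttlv(tag, typ, value):
    """Encode one item: tag (3 bytes), type (1), length (4), value padded to a multiple of 8."""
    if typ == STRUCTURE:
        body = b"".join(value)                          # children are already encoded
    elif typ in (INTEGER, ENUMERATION):
        body = struct.pack(">i" if typ == INTEGER else ">I", value)
    else:
        raise ValueError("item type not handled by this example")
    header = TAG[tag].to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(body))
    return header + body + b"\x00" * (-len(body) % 8)

def create_symmetric_key_request(length_bits=256, usage=USAGE_ENCRYPT | USAGE_DECRYPT):
    """KMIP 2.0 Create request: the Attributes base object specifies the managed object wanted."""
    attributes = ttlv("Attributes", STRUCTURE, [
        ttlv("CryptographicAlgorithm", ENUMERATION, ALG_AES),
        ttlv("CryptographicLength", INTEGER, length_bits),
        ttlv("CryptographicUsageMask", INTEGER, usage)])
    payload = ttlv("RequestPayload", STRUCTURE, [
        ttlv("ObjectType", ENUMERATION, OBJ_SYMMETRIC_KEY), attributes])
    header = ttlv("RequestHeader", STRUCTURE, [
        ttlv("ProtocolVersion", STRUCTURE, [
            ttlv("ProtocolVersionMajor", INTEGER, 2), ttlv("ProtocolVersionMinor", INTEGER, 0)]),
        ttlv("BatchCount", INTEGER, 1)])
    batch_item = ttlv("BatchItem", STRUCTURE, [ttlv("Operation", ENUMERATION, OP_CREATE), payload])
    return ttlv("RequestMessage", STRUCTURE, [header, batch_item])

def parse(buf):
    """Decode TTLV bytes back into nested (tag name, type, value) tuples."""
    items, pos = [], 0
    while pos < len(buf):
        tag, typ = int.from_bytes(buf[pos:pos + 3], "big"), buf[pos + 3]
        length = struct.unpack(">I", buf[pos + 4:pos + 8])[0]
        body = buf[pos + 8:pos + 8 + length]
        value = parse(body) if typ == STRUCTURE else struct.unpack(">i" if typ == INTEGER else ">I", body)[0]
        items.append((TAG_NAME.get(tag, hex(tag)), typ, value))
        pos += 8 + length + (-length % 8)               # skip the item and its padding
    return items
```

Passing a template name instead of the individual attributes would replace the three attribute items inside the Attributes structure; the surrounding message framing stays the same.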
The Key Manager can serve as the central key management component and thereby raise overall data security.
Access to the Key Manager's interfaces is token-based. The IdP issues a signed token that carries the relevant user information; the signature lets the Key Manager verify that the token is genuine, and the user information it contains is then used to check whether the caller is authorized to use the Key Manager interfaces.