External keys

Custom key storage relies on third-party enterprise software for how the encrypted, external key "blobs" (binary objects) are stored and how their life-cycle is managed. How a custom key store is backed up and restored therefore depends on the media or methods provided by that enterprise software, or by a third party.

If using custom key stores, the keys must be created as "external" keys (CXI_FLAG_KEY_EXTERNAL).

When creating keys for use in an unmanaged environment, create them with the CXI_FLAG_KEY_EXTERNAL flag set in the 'flag' parameter (the first parameter).

// create an external (unmanaged) AES-256 key; the returned Key is the serialized blob
PropertyList keyTemplate;
keyTemplate.setAlgo(CXI_KEY_ALGO_AES);
keyTemplate.setSize(256);
keyTemplate.setName("AES test key");
Key aesKey = cxi->key_generate(CXI_FLAG_KEY_EXTERNAL, keyTemplate);
// alternatively, to open an existing key: cxi->key_open(CXI_FLAG_KEY_EXTERNAL, keyTemplate);

Creating, generating or opening a key with CXI_FLAG_KEY_EXTERNAL is required regardless of language (Java, C++, etc.) and regardless of how you decide to store the key.

In CXI (C++), the Key is a ByteArray and is already serialized; no further steps are needed to store it as a byte[] in a database row, etc.

In Java_CXI, the Key is a Key object, and you will need to call <key>.getEncoded() on it to obtain the serialized blob.

// create an external (unmanaged) AES-256 key
CryptoServerCXI.KeyAttributes attr = new CryptoServerCXI.KeyAttributes();
attr.setAlgo(CryptoServerCXI.KEY_ALGO_AES);
attr.setSize(256);
attr.setGroup("test");
attr.setName("AES test key");
CryptoServerCXI.Key aesKey = cxi.generateKey(CryptoServerCXI.FLAG_EXTERNAL, attr);
// the encoded form is the serialized key blob that must be persisted by the caller
byte[] extKey = aesKey.getEncoded();

In both cases, the resulting byte array should begin with 0x4B ('K').
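The persistence side of the two snippets above (storing the serialized blob in a database row and getting it back intact) as an added example; it is not code from the original page or from the CryptoServer SDK. It stands in for whatever enterprise store the C++ or Java application uses, and it assumes nothing about the blob beyond the leading 0x4B ('K') byte stated above: SAMPLE_BLOB is a constructed placeholder, not a real HSM-produced blob, and the sqlite3 table layout, the sanity check and the SHA-256 digest are this example's own choices.

```python
import hashlib
import sqlite3

# Leading byte of a serialized CXI key blob (the 'K' noted on the page).
EXTERNAL_KEY_MAGIC = 0x4B

# Constructed placeholder standing in for Key.getEncoded() (Java) or the
# Key ByteArray (C++).  A real blob is an HSM-encrypted structure; only its
# first byte is assumed here.
SAMPLE_BLOB = bytes([EXTERNAL_KEY_MAGIC]) + bytes(range(1, 33))


class BlobFormatError(ValueError):
    """The byte string does not look like a serialized CXI key blob."""


class BlobIntegrityError(ValueError):
    """The stored blob no longer matches the digest recorded with it."""


def check_external_blob(blob: bytes) -> None:
    """Cheap sanity check before persisting a blob or handing it back to the HSM."""
    if not blob or blob[0] != EXTERNAL_KEY_MAGIC:
        raise BlobFormatError("serialized external key must start with 0x4B ('K')")


class ExternalKeyStore:
    """One database row per (group, name) holding an external key blob.

    The HSM wraps the key material, so the blob is stored as-is.  The SHA-256
    digest recorded beside it only detects corruption or tampering of the
    storage medium, so a damaged blob is caught before it is used.
    """

    def __init__(self, path: str = ":memory:") -> None:
        self.conn = sqlite3.connect(path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS external_keys ("
            " key_group TEXT NOT NULL, key_name TEXT NOT NULL,"
            " blob BLOB NOT NULL, sha256 TEXT NOT NULL,"
            " PRIMARY KEY (key_group, key_name))"
        )

    def store(self, group: str, name: str, blob: bytes, overwrite: bool = False) -> str:
        """Persist a blob; returns the digest recorded with it."""
        check_external_blob(blob)
        digest = hashlib.sha256(blob).hexdigest()
        # A plain INSERT raises sqlite3.IntegrityError on a duplicate name,
        # so an existing key is never silently replaced unless asked for.
        verb = "INSERT OR REPLACE" if overwrite else "INSERT"
        self.conn.execute(verb + " INTO external_keys VALUES (?, ?, ?, ?)",
                          (group, name, blob, digest))
        self.conn.commit()
        return digest

    def load(self, group: str, name: str) -> bytes:
        """Return the blob for (group, name) after verifying digest and format."""
        row = self.conn.execute(
            "SELECT blob, sha256 FROM external_keys WHERE key_group = ? AND key_name = ?",
            (group, name)).fetchone()
        if row is None:
            raise KeyError(f"{group}/{name}")
        blob, digest = bytes(row[0]), row[1]
        if hashlib.sha256(blob).hexdigest() != digest:
            raise BlobIntegrityError(f"{group}/{name}: stored blob does not match its digest")
        check_external_blob(blob)
        return blob


def demo_round_trip() -> bytes:
    """Store the placeholder blob and read it back."""
    store = ExternalKeyStore()
    store.store("test", "AES test key", SAMPLE_BLOB)
    return store.load("test", "AES test key")


def demo_detects_corruption() -> bool:
    """Simulate bit rot on the storage medium and confirm load() refuses the row."""
    store = ExternalKeyStore()
    store.store("test", "AES test key", SAMPLE_BLOB)
    damaged = bytes([SAMPLE_BLOB[0]]) + bytes(b ^ 0xFF for b in SAMPLE_BLOB[1:])
    store.conn.execute("UPDATE external_keys SET blob = ? WHERE key_name = ?",
                       (damaged, "AES test key"))
    store.conn.commit()
    try:
        store.load("test", "AES test key")
    except BlobIntegrityError:
        return True
    return False


if __name__ == "__main__":
    assert demo_round_trip() == SAMPLE_BLOB
    print("round trip ok; corruption detected:", demo_detects_corruption())
```

The digest is not a substitute for the HSM's own protection of the blob (the CryptoServer will reject a blob it did not produce); it is there so that a backup or restore problem on the storage side shows up as a clear integrity error rather than as an opaque HSM failure at key-open time.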

For the formats of serialized key blobs (backup blobs, simple blobs, key handles, etc.), see the SecurityServer documentation.