Self managed key
This key hosting option represents the more traditional BYOK model, in which the user provides the root key material. Currently, the minimum supported length of the user-supplied key material is 256 bytes. With this option, the provided material acts as the Root Encryption Key (REK) for the domain. This guide assumes that the Antimatter CLI has been installed (see CLI) and that a domain has been created on which the user wants to use a new BYOK REK.
Access the key management page.
You can navigate to the key management page either through the dashboard or via the CLI.
- Dashboard
- CLI
If using the dashboard, navigate to Domain Configuration -> Encryption Rotation and select the option: "Change Root Encryption Key Configuration".
This will redirect you to the key management modal where the REK source can be selected.
To upload your own key material, select the option "I want to upload my own key material to encrypt my company's data" and click 'Next'. This will take you to a pane where the material can be provided, either as a base64-encoded string or as a binary file. Upload the key material in either format, then click 'Apply'. The key material will be used to create a root encryption key, which is then tested. If successful, a "pairing successful" notification will be displayed. Finally, click 'Done' to close the modal.
If using the CLI, a link to the key management page can be generated using the self-serve subcommand. First, ensure the CLI is logged in and using the relevant domain. You will need to provide an API key or specify a suitable OAuth provider.
am config domain login --api-key <api-key>
Or
am config domain login --oauth-provider <provider>
Once the CLI is authenticated, the key management URL can be generated using:
am keys self-serve --vendor <company-name>
This will generate a URI that can be followed to the key management landing page.
From here, select "Edit Settings" and you will be presented with the different key hosting options.
To upload your own key material, select the option "I want to upload my own key material to encrypt my company's data" and click 'Next'. This will take you to a pane where the material can be provided, either as a base64-encoded string or as a binary file. Upload the key material in either format, then click 'Apply'. The key material will be used to create a root encryption key, which is then tested. If successful, a "pairing successful" notification will be displayed. Finally, click 'Done' to close the modal.
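One way to prepare the key material for either upload format, shown here as an added example rather than Antimatter tooling. The function names and the file name `rek.bin` are hypothetical, and `MIN_KEY_BYTES` mirrors the minimum length stated in this guide.

```sh
#!/bin/sh
# Added example: prepare BYOK key material as a binary file or base64 string.
MIN_KEY_BYTES=256   # minimum length stated in this guide

# generate_key_material <out_file> [num_bytes]
# Writes random bytes from the kernel CSPRNG to a new owner-only (0600) file.
generate_key_material() {
    _n="${2:-$MIN_KEY_BYTES}"
    if [ "$_n" -lt "$MIN_KEY_BYTES" ]; then
        echo "refusing: $_n bytes is below the $MIN_KEY_BYTES byte minimum" >&2
        return 1
    fi
    # umask 077 keeps the file private from creation; set -C (noclobber)
    # makes the redirect fail instead of overwriting an existing key.
    ( umask 077; set -C; head -c "$_n" /dev/urandom > "$1" ) || return 1
    # Confirm the full length was written before the file is used.
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "$_n" ]
}

# key_material_b64 <file>
# Prints the file as one unwrapped base64 line for the string upload field.
key_material_b64() {
    base64 < "$1" | tr -d '\n'
}

# check_b64_material <base64_string>
# Succeeds only if the string is valid base64 and decodes to at least
# MIN_KEY_BYTES bytes, so a truncated paste is caught before upload.
check_b64_material() {
    printf '%s' "$1" | base64 -d >/dev/null 2>&1 || return 1
    _len=$(printf '%s' "$1" | base64 -d | wc -c | tr -d ' ')
    [ "$_len" -ge "$MIN_KEY_BYTES" ]
}

# Usage (hypothetical file name):
#   generate_key_material rek.bin
#   key_material_b64 rek.bin
```

Keep a protected backup of the generated file according to your own key-custody procedures, and remove working copies once the upload has been applied.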