upstream/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2026-06-11 01:42:06 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

Add documentation for KMIP features implemented in 1.12 (#17294)

Browse source 
* Add documentation for KMIP features implemented in 1.12

* Add documentation for kmip-profiles

* Address PR review feedback

* PR review feedback - update links, add intro and remove collapsed tables

* Add PR review feedback
This commit is contained in:
Divya Pola 2022-10-03 12:39:04 -05:00 committed by GitHub
parent 71fa60481f
commit 158fbcd06f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 276 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

262
website/content/docs/secrets/kmip-profiles.mdx Normal file
View file

@ -0,0 +1,262 @@
---
layout: docs
page_title: KMIP - Profiles Support
description: |-
The KMIP profiles define the use of KMIP objects, attributes, operations, message elements
and authentication methods within specific contexts of KMIP server and client interaction.
These profiles define a set of normative constraints for employing KMIP within a particular
environment or context of use.
---
# KMIP Profiles Version 1.4
This document specifies conformance clauses in accordance with the OASIS TC Process ([TC-PROC section 2.18 paragraph 8a][tc-proc-2.18] )
for the KMIP Specification ([KMIP-SPEC 12.1 and 12.2][kmip-spec]) for a KMIP server or KMIP client through profiles that define the
use of KMIP objects, attributes, operations, message elements and authentication methods within specific contexts of
KMIP server and client interaction.
Vault implements version 1.4 of the following Key Management Interoperability Protocol Profiles:
## [Baseline Server][baseline-server]
1. Supports the following objects:
| Object | Supported |
| ----------------------------------------------------------------------- | :-------: |
| Attribute [KMIP-SPEC 2.1.1][kmip-spec-2.1.1] | ✅ |
| Credential [KMIP-SPEC 2.1.2][kmip-spec-2.1.2] | ✅ |
| Key Block [KMIP-SPEC 2.1.3][kmip-spec-2.1.3] | ✅ |
| Key Value [KMIP-SPEC 2.1.4][kmip-spec-2.1.4] | ✅ |
| Template-Attribute Structure [KMIP-SPEC 2.1.8][kmip-spec-2.1.8] | ✅ |
| Extension Information [KMIP-SPEC 2.1.9][kmip-spec-2.1.9] | ✅ |
| Profile Information [KMIP-SPEC 2.1.19][kmip-spec-2.1.19] | ✅ |
| Validation Information [KMIP-SPEC 2.1.20][kmip-spec-2.1.20] | ✅ |
| Capability Information [KMIP-SPEC 2.1.21][kmip-spec-2.1.21] | ✅ |
2. Supports the following subsets of attributes:
| Attribute | Supported | Notes |
| -----------------------------------------------------------------------| :-------: | :----: |
| Unique Identifier [KMIP-SPEC 3.1][kmip-spec-3.1] | ✅ | |
| Name [KMIP-SPEC 3.2][kmip-spec-3.2] | ✅ | |
| Object Type [KMIP-SPEC 3.3][kmip-spec-3.3] | ✅ | |
| Cryptographic Algorithm [KMIP-SPEC 3.4][kmip-spec-3.4] | ✅ | |
| Cryptographic Length [KMIP-SPEC 3.5][kmip-spec-3.5] | ✅ | |
| Cryptographic Parameters [KMIP-SPEC 3.6][kmip-spec-3.6] | ✅ | |
| Digest [KMIP-SPEC 3.17][kmip-spec-3.17] | ✅ | |
| Cryptographic Usage Mask [KMIP-SPEC 3.19][kmip-spec-3.19] | ✅ | |
| State [KMIP-SPEC 3.22][kmip-spec-3.22] | ✅ | |
| Initial Date [KMIP-SPEC 3.23][kmip-spec-3.23] | ✅ | |
| Process Start Date [KMIP-SPEC 3.25][kmip-spec-3.25] | ✅ | Vault 1.11 |
| Protect Stop Date [KMIP-SPEC 3.26][kmip-spec-3.26] | ✅ | Vault 1.11 |
| Activation Date [KMIP-SPEC 3.24][kmip-spec-3.24] | ✅ | |
| Deactivation Date [KMIP-SPEC 3.27][kmip-spec-3.27] | ✅ | |
| Compromise Occurrence Date [KMIP-SPEC 3.29][kmip-spec-3.29] | ✅ | |
| Compromise Date [KMIP-SPEC 3.30][kmip-spec-3.30] | ✅ | |
| Revocation Reason [KMIP-SPEC 3.31][kmip-spec-3.31] | ✅ | |
| Object Group [KMIP-SPEC 3.33][kmip-spec-3.33] | ✅ | |
| Fresh [KMIP-SPEC 3.34][kmip-spec-3.34] | ✅ | |
| Link [KMIP-SPEC 3.35][kmip-spec-3.35] | ✅ | |
| Last Change Date [KMIP-SPEC 3.38][kmip-spec-3.38] | ✅ | |
| Alternative Name [KMIP-SPEC 3.40][kmip-spec-3.40] | ✅ | Vault 1.12 |
| Key Value Present [KMIP-SPEC 3.41][kmip-spec-3.41] | ✅ | Vault 1.12 |
| Key Value Location [KMIP-SPEC 3.42][kmip-spec-3.42] | 🔴 | |
| Original Creation Date [KMIP-SPEC 3.43][kmip-spec-3.43] | ✅ | |
| Random Number Generator [KMIP-SPEC 3.44][kmip-spec-3.44] | ✅ | |
| Description [KMIP-SPEC 3.46][kmip-spec-3.46] | ✅ | |
| Comment [KMIP-SPEC 3.47][kmip-spec-3.47] | ✅ | |
| Sensitive [KMIP-SPEC 3.48][kmip-spec-3.48] | ✅ | |
| Always Sensitive [KMIP-SPEC 3.49][kmip-spec-3.49] | ✅ | |
| Extractable [KMIP-SPEC 3.50][kmip-spec-3.50] | ✅ | |
| Never Extractable [KMIP-SPEC 3.51][kmip-spec-3.51] | ✅ | |
3. Supports the following client-to-server operations:
| Operation | Supported | Notes |
| ------------------------------------------------------| :--------:|:-----:|
| Locate [KMIP-SPEC 4.9][kmip-spec-4.9] | ✅ | Vault version 1.11 supports attributes Activation Date, Application Specific Information, Cryptographic Algorithm, Cryptographic Length, Name, Object Type, Original Creation Date, and State. <br/> Vault version 1.12 supports all profile attributes except for Key Value Location. |
| Check [KMIP-SPEC 4.10][kmip-spec-4.10] | 🔴 | |
| Get [KMIP-SPEC 4.11][kmip-spec-4.11] | ✅ | |
| Get Attributes [KMIP-SPEC 4.12][kmip-spec-4.12] | ✅ | |
| Get Attribute List [KMIP-SPEC 4.13][kmip-spec-4.13] | ✅ | |
| Add Attribute [KMIP-SPEC 4.14][kmip-spec-4.14] | ✅ | |
| Modify Attribute [KMIP-SPEC 4.15][kmip-spec-4.15] | ✅ | Vault 1.12 |
| Delete Attribute [KMIP-SPEC 4.16][kmip-spec-4.16] | ✅ | Vault 1.12 |
| Activate [KMIP-SPEC 4.19][kmip-spec-4.19] | ✅ | |
| Revoke [KMIP-SPEC 4.20][kmip-spec-4.20] | ✅ | |
| Destroy [KMIP-SPEC 4.21][kmip-spec-4.21] | ✅ | |
| Query [KMIP-SPEC 4.25][kmip-spec-4.25] | ✅ | Vault 1.11 |
| Discover Versions [KMIP-SPEC 4.26][kmip-spec-4.26] | ✅ | |
4.Supports the following message contents:
| Message Content | Supported |
| -----------------------------------------------------------------| :--------:|
| Protocol Version [KMIP-SPEC 6.1][kmip-spec-6.1] | ✅ |
| Operation [KMIP-SPEC 6.2][kmip-spec-6.2] | ✅ |
| Maximum Response Size [KMIP-SPEC 6.3][kmip-spec-6.3] | ✅ |
| Unique Batch Item ID [KMIP-SPEC 6.4][kmip-spec-6.4] | ✅ |
| Time Stamp [KMIP-SPEC 6.5][kmip-spec-6.5] | ✅ |
| Asynchronous Indicator [KMIP-SPEC 6.7][kmip-spec-6.7] | ✅ |
| Result Status [KMIP-SPEC 6.9][kmip-spec-6.9] | ✅ |
| Result Reason [KMIP-SPEC 6.10][kmip-spec-6.10] | ✅ |
| Batch Order Option [KMIP-SPEC 6.12][kmip-spec-6.12] | ✅ |
| Batch Error Continuation Option [KMIP-SPEC 6.13][kmip-spec-6.13] | ✅ |
| Batch Count [KMIP-SPEC 6.14][kmip-spec-6.14] | ✅ |
| Batch Item [KMIP-SPEC 6.15][kmip-spec-6.15] | ✅ |
| Attestation Capable Indicator [KMIP-SPEC 6.17][kmip-spec-6.17] | ✅ |
| Client Correlation Value [KMIP-SPEC 6.18][kmip-spec-6.18] | ✅ |
| Server Correlation Value [KMIP-SPEC 6.19][kmip-spec-6.19] | ✅ |
| Message Extension [KMIP-SPEC 6.16][kmip-spec-6.16] | ✅ |
5. Supports the ID Placeholder [KMIP-SPEC 4][kmip-spec-4]
6. Supports Message Format [KMIP-SPEC 7][kmip-spec-7]
7. Supports Authentication [KMIP-SPEC 8][kmip-spec-8]
8. Supports the TTLV encoding [KMIP-SPEC 9.1][kmip-spec-9.1]
9. Supports the transport requirements [KMIP-SPEC 10][kmip-spec-10]
10. Supports Error Handling [KMIP-SPEC 11][kmip-spec-11] for any supported object, attribute, or operation
11. Optionally supports any clause within [KMIP-SPEC][kmip-spec] that is not listed above
12. Optionally supports extensions outside the scope of this standard (e.g., vendor extensions, conformance clauses) that do not contradict any KMIP requirements - We do not have any extensions
## [Symmetric Key Lifecycle Server][lifecycle-server]
1. SHALL conform to the [Baseline Server][baseline-server]
2. Supports the following objects:
| Object | Supported |
| -----------------------------------------------------------------------| :----- --:|
| Symmetric Key [KMIP-SPEC 2.2.2][kmip-spec-2.2.2] | ✅ |
| Key Format Type [KMIP-SPEC 9.1.3.2.3][kmip-spec-9.1.3.2.3] | ✅ |
3. Supports the following subsets of attributes:
| Attribute | Supported | Notes |
| -----------------------------------------------------------------------| :-------: | :---: |
| Cryptographic Algorithm [KMIP-SPEC 3.4][kmip-spec-3.4] | ✅ | |
| Object Type [KMIP-SPEC 3.3][kmip-spec-3.3] | ✅ | |
| Process Start Date [KMIP-SPEC 3.25][kmip-spec-3.25] | ✅ | Vault 1.11 |
| Protect Stop Date [KMIP-SPEC 3.26][kmip-spec-3.26] | ✅ | Vault 1.11 |
4. Supports the following client-to-server operations:
| Operation | Supported |
| ------------------------------------------------------| :--------:|
| Create [KMIP-SPEC 4.1][kmip-spec-4.1] | ✅ |
5. Supports the following message encoding:
| Message Encoding | Supported | Notes |
| -------------------------------------------------------------------------------------| :--------:|:-----:|
| Cryptographic Algorithm [KMIP-SPEC 9.1.3.2.13][kmip-spec-9.1.3.2.13] with values: | | |
| i. 3DES | ✅ | Vault 1.12 |
| ii. AES | ✅ | |
| Object Type [KMIP-SPEC 9.1.3.2.12][kmip-spec-9.1.3.2.12] with value: | | |
| i. Symmetric Key | ✅ | |
| Key Format Type [KMIP-SPEC 9.1.3.2.3][kmip-spec-9.1.3.2.3] with value: | | |
| i. Raw | ✅ | |
| ii. Transparent Symmetric Key | 🔴 | |
6. MAY support any clause within [KMIP-SPEC][kmip-spec] provided it does not conflict with any other clause within the section [Symmetric Key Lifecycle Server][lifecycle-server]
7. MAY support extensions outside the scope of this standard (e.g., vendor extensions, conformance clauses) that do not contradict any KMIP requirements.
## [Basic Cryptographic Server][basic-cryptographic-server]
1. SHALL conform to the [Baseline Server][baseline-server]
2. Supports the following client-to-server operations:
| Operation | Supported | Notes |
| ------------------------------------------------------| :--------:| --------|
| Encrypt [KMIP-SPEC 4.29][kmip-spec-4.29] | ✅ | Vault 1.11 <br/> Supported for AES, unsupported for 3DES: <br/><br/> Supported Block Cipher Modes: <br/> <ol> <li> GCM </li> <li> CBC </li> <li> CFB </li> <li> CTR </li> <li> ECB </li> <li> OFB </li> </ol> <br/> Stream operations are supported except for GCM block cipher mode. <br/><br/> Supported padding methods: <br/> <ol> <li> None </li> <li> PKCS5 </li> </ol> |
| Decypt [KMIP-SPEC 4.30][kmip-spec-4.30] | ✅ | Vault 1.11 <br/> Supported for AES, unsupported for 3DES: <br/><br/> Supported Block Cipher Modes: <br/> <ol> <li> GCM </li> <li> CBC </li> <li> CFB </li> <li> CTR </li> <li> ECB </li> <li> OFB </li> </ol> <br/> Stream operations are supported except for GCM block cipher mode. <br/><br/> Supported padding methods: <br/> <ol> <li> None </li> <li> PKCS5 </li> </ol> | |
3. MAY support any clause within [KMIP-SPEC][kmip-spec] provided it does not conflict with any other clause within the section [Basic Cryptographic Server][basic-cryptographic-server]
4. MAY support extensions outside the scope of this standard (e.g., vendor extensions, conformance clauses) that do not contradict any KMIP requirements.
[kmip-spec-2.1.1]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660735
[kmip-spec-2.1.2]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660736
[kmip-spec-2.1.3]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660737
[kmip-spec-2.1.4]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660738
[kmip-spec-2.1.8]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660757
[kmip-spec-2.1.9]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660758
[kmip-spec-2.1.19]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660768
[kmip-spec-2.1.20]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660769
[kmip-spec-2.1.21]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660770
[kmip-spec-3.1]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660784
[kmip-spec-3.2]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660785
[kmip-spec-3.3]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660786
[kmip-spec-3.4]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660787
[kmip-spec-3.5]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660788
[kmip-spec-3.6]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660789
[kmip-spec-3.17]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660800
[kmip-spec-3.19]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660807
[kmip-spec-3.22]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660810
[kmip-spec-3.23]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660811
[kmip-spec-3.25]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660813
[kmip-spec-3.26]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660814
[kmip-spec-3.24]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660812
[kmip-spec-3.27]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660815
[kmip-spec-3.29]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660817
[kmip-spec-3.30]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660818
[kmip-spec-3.31]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660819
[kmip-spec-3.33]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660821
[kmip-spec-3.34]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660822
[kmip-spec-3.35]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660823
[kmip-spec-3.38]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660826
[kmip-spec-3.40]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660828
[kmip-spec-3.41]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660829
[kmip-spec-3.42]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660830
[kmip-spec-3.43]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660831
[kmip-spec-3.44]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660832
[kmip-spec-3.46]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660834
[kmip-spec-3.47]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660835
[kmip-spec-3.48]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660836
[kmip-spec-3.49]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660837
[kmip-spec-3.50]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660838
[kmip-spec-3.51]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660839
[kmip-spec-4.9]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660849
[kmip-spec-4.10]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660850
[kmip-spec-4.11]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660851
[kmip-spec-4.12]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660852
[kmip-spec-4.13]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660853
[kmip-spec-4.14]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660854
[kmip-spec-4.15]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660855
[kmip-spec-4.16]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660856
[kmip-spec-4.19]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660859
[kmip-spec-4.20]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660860
[kmip-spec-4.21]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660861
[kmip-spec-4.25]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660865
[kmip-spec-4.26]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660866
[kmip-spec-6.1]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660887
[kmip-spec-6.2]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660888
[kmip-spec-6.3]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660889
[kmip-spec-6.4]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660890
[kmip-spec-6.5]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660891
[kmip-spec-6.7]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660893
[kmip-spec-6.9]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660895
[kmip-spec-6.10]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660896
[kmip-spec-6.12]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660898
[kmip-spec-6.13]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660899
[kmip-spec-6.14]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660900
[kmip-spec-6.15]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660901
[kmip-spec-6.17]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660903
[kmip-spec-6.18]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660904
[kmip-spec-6.19]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660905
[kmip-spec-6.16]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660902
[kmip-spec-4]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660840
[kmip-spec-7]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660906
[kmip-spec-8]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660909
[kmip-spec-9.1]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660911
[kmip-spec-10]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660973
[kmip-spec-11]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660974
[kmip-spec]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html
[kmip-spec-2.2.2]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660775
[kmip-spec-9.1.3.2.3]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660923
[kmip-spec-4.1]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660841
[kmip-spec-9.1.3.2.13]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660933
[kmip-spec-9.1.3.2.12]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660932
[kmip-spec-4.29]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660869
[kmip-spec-4.30]: https://docs.oasis-open.org/kmip/spec/v1.4/errata01/os/kmip-spec-v1.4-errata01-os-redlined.html#_Toc490660870
[baseline-server]: http://docs.oasis-open.org/kmip/profiles/v1.4/os/kmip-profiles-v1.4-os.html#_Toc491431430
[lifecycle-server]: http://docs.oasis-open.org/kmip/profiles/v1.4/os/kmip-profiles-v1.4-os.html#_Toc491431487
[basic-cryptographic-server]: http://docs.oasis-open.org/kmip/profiles/v1.4/os/kmip-profiles-v1.4-os.html#_Toc491431527
[tc-proc-2.18]: https://www.oasis-open.org/policies-guidelines/tc-process-2017-05-26/technical-committee-tc-process-27-july-2011/#specQuality

17
website/content/docs/secrets/kmip.mdx
View file

@ -3,7 +3,7 @@ layout: docs
page_title: KMIP - Secrets Engines
description: |-
The KMIP secrets engine allows Vault to act as a KMIP server provider and
handle the lifecycle of it KMIP managed objects.
handle the lifecycle of its KMIP managed objects.
---
# KMIP Secrets Engine
@ -25,12 +25,9 @@ Vault's KMIP secrets engine listens on a separate port from the standard Vault l
Vault implements version 1.4 of the following Key Management Interoperability Protocol Profiles:
* [Baseline Server][baseline-server]
* Supports all profile attributes except for *Alternative Name*, *Key Value Present* and
*Key Value Location*.
* Supports all profile operations except for *Check*, *Modify Attribute* and *Delete Attribute*.
* Operation *Locate* only supports attributes *Activation Date*, *Application
Specific Information*, *Cryptographic Algorithm*, *Cryptographic Length*,
*Name*, *Object Type*, *Original Creation Date*, and *State*.
* Supports all profile attributes except for *Key Value Location*.
* Supports all profile operations except for *Check*.
* Operation *Locate* supports all profile attributes except for *Key Value Location*.
* [Symmetric Key Lifecycle Server][lifecycle-server]
* Supports cryptographic algorithm *AES* (*3DES* is not supported).
@ -38,9 +35,11 @@ Vault implements version 1.4 of the following Key Management Interoperability Pr
* [Basic Cryptographic Server][basic-cryptographic-server]
* Supports block cipher modes *CBC*, *CFB*, *CTR*, *ECB*, *GCM*, and *OFB*.
* On mulit-part (streaming) operations, block cipher mode *GCM* is not supported.
* On multi-part (streaming) operations, block cipher mode *GCM* is not supported.
* The supported padding methods are *None* and *PKCS5*.
Refer to [KMIP - Profiles Support](/docs/secrets/kmip-profiles) page for more details.
[baseline-server]: http://docs.oasis-open.org/kmip/profiles/v1.4/os/kmip-profiles-v1.4-os.html#_Toc491431430
[lifecycle-server]: http://docs.oasis-open.org/kmip/profiles/v1.4/os/kmip-profiles-v1.4-os.html#_Toc491431487
[basic-cryptographic-server]: http://docs.oasis-open.org/kmip/profiles/v1.4/os/kmip-profiles-v1.4-os.html#_Toc491431527
@ -102,6 +101,7 @@ operation_activate
operation_add_attribute
operation_create
operation_decrypt
operation_delete_attribute
operation_destroy
operation_discover_versions
operation_encrypt
@ -110,6 +110,7 @@ operation_get_attribute_list
operation_get_attributes
operation_import
operation_locate
operation_modify_attribute
operation_query
operation_register
operation_rekey

5
website/data/docs-nav-data.json
View file

@ -1110,6 +1110,11 @@
},
"path": "secrets/kmip"
},
{
"title": "KMIP - Profile Support",
"path": "secrets/kmip-profiles",
"hidden": true
},
{
"title": "Kubernetes",
"path": "secrets/kubernetes"