KMIP profiles version 1.4
This document specifies conformance clauses, in accordance with the OASIS TC Process (TC-PROC section 2.18, paragraph 8a), for the KMIP Specification (KMIP-SPEC 12.1 and 12.2) as implemented by a KMIP server or KMIP client. Conformance is expressed through profiles, each of which defines the use of KMIP objects, attributes, operations, message elements and authentication methods within a specific context of KMIP server and client interaction.
Vault implements version 1.4 of the following Key Management Interoperability Protocol Profiles:
Baseline server
Supports the following objects:

| Object | Supported |
| --- | --- |
| Attribute (KMIP-SPEC 2.1.1) | ✅ |
| Credential (KMIP-SPEC 2.1.2) | ✅ |
| Key Block (KMIP-SPEC 2.1.3) | ✅ |
| Key Value (KMIP-SPEC 2.1.4) | ✅ |
| Template-Attribute Structure (KMIP-SPEC 2.1.8) | ✅ |
| Extension Information (KMIP-SPEC 2.1.9) | ✅ |
| Profile Information (KMIP-SPEC 2.1.19) | ✅ |
| Validation Information (KMIP-SPEC 2.1.20) | ✅ |
| Capability Information (KMIP-SPEC 2.1.21) | ✅ |

Supports the following subsets of attributes:

| Attribute | Supported | Notes |
| --- | --- | --- |
| Unique Identifier (KMIP-SPEC 3.1) | ✅ | |
| Name (KMIP-SPEC 3.2) | ✅ | |
| Object Type (KMIP-SPEC 3.3) | ✅ | |
| Cryptographic Algorithm (KMIP-SPEC 3.4) | ✅ | |
| Cryptographic Length (KMIP-SPEC 3.5) | ✅ | |
| Cryptographic Parameters (KMIP-SPEC 3.6) | ✅ | |
| Digest (KMIP-SPEC 3.17) | ✅ | |
| Cryptographic Usage Mask (KMIP-SPEC 3.19) | ✅ | |
| State (KMIP-SPEC 3.22) | ✅ | |
| Initial Date (KMIP-SPEC 3.23) | ✅ | |
| Process Start Date (KMIP-SPEC 3.25) | ✅ | Vault 1.11 |
| Protect Stop Date (KMIP-SPEC 3.26) | ✅ | Vault 1.11 |
| Activation Date (KMIP-SPEC 3.24) | ✅ | |
| Deactivation Date (KMIP-SPEC 3.27) | ✅ | |
| Compromise Occurrence Date (KMIP-SPEC 3.29) | ✅ | |
| Compromise Date (KMIP-SPEC 3.30) | ✅ | |
| Revocation Reason (KMIP-SPEC 3.31) | ✅ | |
| Object Group (KMIP-SPEC 3.33) | ✅ | |
| Fresh (KMIP-SPEC 3.34) | ✅ | |
| Link (KMIP-SPEC 3.35) | ✅ | |
| Last Change Date (KMIP-SPEC 3.38) | ✅ | |
| Alternative Name (KMIP-SPEC 3.40) | ✅ | Vault 1.12 |
| Key Value Present (KMIP-SPEC 3.41) | ✅ | Vault 1.12 |
| Key Value Location (KMIP-SPEC 3.42) | 🔴 | |
| Original Creation Date (KMIP-SPEC 3.43) | ✅ | |
| Random Number Generator (KMIP-SPEC 3.44) | ✅ | |
| Description (KMIP-SPEC 3.46) | ✅ | |
| Comment (KMIP-SPEC 3.47) | ✅ | |
| Sensitive (KMIP-SPEC 3.48) | ✅ | |
| Always Sensitive (KMIP-SPEC 3.49) | ✅ | |
| Extractable (KMIP-SPEC 3.50) | ✅ | |
| Never Extractable (KMIP-SPEC 3.51) | ✅ | |

Supports the following client-to-server operations:

| Operation | Supported | Notes |
| --- | --- | --- |
| Locate (KMIP-SPEC 4.9) | ✅ | Vault 1.11 supports the attributes Activation Date, Application Specific Information, Cryptographic Algorithm, Cryptographic Length, Name, Object Type, Original Creation Date, and State. Vault 1.12 supports all profile attributes except Key Value Location. |
| Check (KMIP-SPEC 4.10) | 🔴 | |
| Get (KMIP-SPEC 4.11) | ✅ | |
| Get Attributes (KMIP-SPEC 4.12) | ✅ | |
| Get Attribute List (KMIP-SPEC 4.13) | ✅ | |
| Add Attribute (KMIP-SPEC 4.14) | ✅ | |
| Modify Attribute (KMIP-SPEC 4.15) | ✅ | Vault 1.12 |
| Delete Attribute (KMIP-SPEC 4.16) | ✅ | Vault 1.12 |
| Activate (KMIP-SPEC 4.19) | ✅ | |
| Revoke (KMIP-SPEC 4.20) | ✅ | |
| Destroy (KMIP-SPEC 4.21) | ✅ | |
| Query (KMIP-SPEC 4.25) | ✅ | Vault 1.11 |
| Discover Versions (KMIP-SPEC 4.26) | ✅ | |

Supports the following message contents:

| Message Content | Supported |
| --- | --- |
| Protocol Version (KMIP-SPEC 6.1) | ✅ |
| Operation (KMIP-SPEC 6.2) | ✅ |
| Maximum Response Size (KMIP-SPEC 6.3) | ✅ |
| Unique Batch Item ID (KMIP-SPEC 6.4) | ✅ |
| Time Stamp (KMIP-SPEC 6.5) | ✅ |
| Asynchronous Indicator (KMIP-SPEC 6.7) | ✅ |
| Result Status (KMIP-SPEC 6.9) | ✅ |
| Result Reason (KMIP-SPEC 6.10) | ✅ |
| Batch Order Option (KMIP-SPEC 6.12) | ✅ |
| Batch Error Continuation Option (KMIP-SPEC 6.13) | ✅ |
| Batch Count (KMIP-SPEC 6.14) | ✅ |
| Batch Item (KMIP-SPEC 6.15) | ✅ |
| Attestation Capable Indicator (KMIP-SPEC 6.17) | ✅ |
| Client Correlation Value (KMIP-SPEC 6.18) | ✅ |
| Server Correlation Value (KMIP-SPEC 6.19) | ✅ |
| Message Extension (KMIP-SPEC 6.16) | ✅ |

Supports the ID Placeholder KMIP-SPEC 4
Supports Message Format KMIP-SPEC 7
Supports Authentication KMIP-SPEC 8
Supports the TTLV encoding KMIP-SPEC 9.1
Supports the transport requirements KMIP-SPEC 10
Supports Error Handling KMIP-SPEC 11 for any supported object, attribute, or operation
Optionally supports any clause within KMIP-SPEC that is not listed above
Optionally supports extensions outside the scope of this standard (e.g., vendor extensions, conformance clauses) that do not contradict any KMIP requirements. Vault does not implement any such extensions.
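The Baseline Server profile above commits Vault to the TTLV encoding (KMIP-SPEC 9.1), the Protocol Version and Batch Count message contents, and the Discover Versions operation (KMIP-SPEC 4.26). The following Python is an added example, not code from the Vault documentation or the OASIS specification text: a minimal TTLV encoder/decoder that builds the Discover Versions request a client sends to a KMIP 1.4 server such as Vault and parses it back. The tag, item-type and Operation enumeration values are the ones defined in KMIP-SPEC 9.1.3; the function names and layout are this example's own assumptions.

```python
import struct

# Item types (KMIP-SPEC 9.1.1.2) and the tags / enum value used here (KMIP-SPEC 9.1.3).
STRUCTURE, INTEGER, ENUMERATION = 0x01, 0x02, 0x05
REQUEST_MESSAGE, REQUEST_HEADER, PROTOCOL_VERSION = 0x420078, 0x420077, 0x420069
PROTOCOL_VERSION_MAJOR, PROTOCOL_VERSION_MINOR = 0x42006A, 0x42006B
BATCH_COUNT, BATCH_ITEM, OPERATION, REQUEST_PAYLOAD = 0x42000D, 0x42000F, 0x42005C, 0x420079
OP_DISCOVER_VERSIONS = 0x1E  # Operation enumeration value for Discover Versions


def encode(tag, typ, value):
    """One TTLV item: 3-byte tag, 1-byte type, 4-byte big-endian length, value padded to 8."""
    if typ == STRUCTURE:
        body = b"".join(value)  # value is a list of already-encoded child items
    elif typ == INTEGER:
        body = struct.pack(">i", value)  # 4-byte value; length says 4, but 4 pad bytes follow
    elif typ == ENUMERATION:
        body = struct.pack(">I", value)
    else:
        raise ValueError(f"unsupported item type {typ:#x}")
    pad = b"\x00" * (-len(body) % 8)
    return tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(body)) + body + pad


def decode(buf, pos=0):
    """Parse the item at pos, recursing into structures; returns ((tag, typ, value), next_pos)."""
    tag = int.from_bytes(buf[pos:pos + 3], "big")
    typ, length = buf[pos + 3], struct.unpack(">I", buf[pos + 4:pos + 8])[0]
    start, end = pos + 8, pos + 8 + length + (-length % 8)  # next item starts after padding
    if typ == STRUCTURE:
        children, p = [], start
        while p < start + length:
            child, p = decode(buf, p)
            children.append(child)
        value = children
    elif typ in (INTEGER, ENUMERATION):
        value = struct.unpack(">i" if typ == INTEGER else ">I", buf[start:start + 4])[0]
    else:
        raise ValueError(f"unsupported item type {typ:#x}")
    return (tag, typ, value), end


def discover_versions_request(major=1, minor=4):
    """Request Message carrying a single Discover Versions batch item (KMIP-SPEC 4.26)."""
    header = encode(REQUEST_HEADER, STRUCTURE, [
        encode(PROTOCOL_VERSION, STRUCTURE, [encode(PROTOCOL_VERSION_MAJOR, INTEGER, major),
                                             encode(PROTOCOL_VERSION_MINOR, INTEGER, minor)]),
        encode(BATCH_COUNT, INTEGER, 1)])
    item = encode(BATCH_ITEM, STRUCTURE, [encode(OPERATION, ENUMERATION, OP_DISCOVER_VERSIONS),
                                          encode(REQUEST_PAYLOAD, STRUCTURE, [])])  # empty = all
    return encode(REQUEST_MESSAGE, STRUCTURE, [header, item])
```

The detail worth checking in the bytes is that Integer and Enumeration values occupy 4 bytes padded to 8 while the length field counts only the unpadded value; a parser that skips by length alone will misread the next item.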
Symmetric key lifecycle server
SHALL conform to the Baseline Server
Supports the following objects:

| Object | Supported |
| --- | --- |
| Symmetric Key (KMIP-SPEC 2.2.2) | ✅ |
| Key Format Type (KMIP-SPEC 9.1.3.2.3) | ✅ |

Supports the following subsets of attributes:

| Attribute | Supported | Notes |
| --- | --- | --- |
| Cryptographic Algorithm (KMIP-SPEC 3.4) | ✅ | |
| Object Type (KMIP-SPEC 3.3) | ✅ | |
| Process Start Date (KMIP-SPEC 3.25) | ✅ | Vault 1.11 |
| Protect Stop Date (KMIP-SPEC 3.26) | ✅ | Vault 1.11 |

Supports the following client-to-server operations:

| Operation | Supported |
| --- | --- |
| Create (KMIP-SPEC 4.1) | ✅ |

Supports the following message encoding:

| Message Encoding | Supported | Notes |
| --- | --- | --- |
| Cryptographic Algorithm (KMIP-SPEC 9.1.3.2.13) with value 3DES | ✅ | Vault 1.12 |
| Cryptographic Algorithm (KMIP-SPEC 9.1.3.2.13) with value AES | ✅ | |
| Object Type (KMIP-SPEC 9.1.3.2.12) with value Symmetric Key | ✅ | |
| Key Format Type (KMIP-SPEC 9.1.3.2.3) with value Raw | ✅ | |
| Key Format Type (KMIP-SPEC 9.1.3.2.3) with value Transparent Symmetric Key | 🔴 | |

MAY support any clause within KMIP-SPEC provided it does not conflict with any other clause within the section Symmetric Key Lifecycle Server
MAY support extensions outside the scope of this standard (e.g., vendor extensions, conformance clauses) that do not contradict any KMIP requirements.
Basic cryptographic server
SHALL conform to the Baseline Server
Supports the following client-to-server operations:

| Operation | Supported | Notes |
| --- | --- | --- |
| Encrypt (KMIP-SPEC 4.29) | ✅ | Vault 1.11; see the notes below |
| Decrypt (KMIP-SPEC 4.30) | ✅ | Vault 1.11; see the notes below |

Notes for Encrypt and Decrypt (the same restrictions apply to both operations):

Supported for AES, unsupported for 3DES.

Supported block cipher modes:
- GCM
- CBC
- CFB
- CTR
- ECB
- OFB

Stream operations are supported except for the GCM block cipher mode.

Supported padding methods:
- None
- PKCS5
MAY support any clause within KMIP-SPEC provided it does not conflict with any other clause within the section Basic Cryptographic Server
MAY support extensions outside the scope of this standard (e.g., vendor extensions, conformance clauses) that do not contradict any KMIP requirements.
Asymmetric key lifecycle server
SHALL conform to the Baseline Server
Supports the following objects:

| Object | Supported |
| --- | --- |
| Symmetric Key (KMIP-SPEC 2.2.2) | ✅ |
| Key Format Type (KMIP-SPEC 9.1.3.2.3) | ✅ |

Supports the following objects:

| Object | Supported | Notes |
| --- | --- | --- |
| Public Key (KMIP-SPEC 2.2.3) | ✅ | Vault 1.13 |
| Private Key (KMIP-SPEC 2.2.4) | ✅ | Vault 1.13 |
| Process Start Date (KMIP-SPEC 3.25) | ✅ | Vault 1.11 |
| Key Format Type (KMIP-SPEC 9.1.3.2.3) | ✅ | |

Supports the following attributes:

| Attribute | Supported | Notes |
| --- | --- | --- |
| Cryptographic Algorithm (KMIP-SPEC 3.4) | ✅ | |
| Object Type (KMIP-SPEC 3.3) | ✅ | |
| Process Start Date (KMIP-SPEC 3.25) | ✅ | Vault 1.11 |
| Protect Stop Date (KMIP-SPEC 3.26) | ✅ | Vault 1.11 |

Supports the following message encoding:

| Message Encoding | Supported | Notes |
| --- | --- | --- |
| Cryptographic Algorithm (KMIP-SPEC 9.1.3.2.13) with value RSA | ✅ | Vault 1.13 |
| Object Type (KMIP-SPEC 9.1.3.2.12) with value Public Key | ✅ | Vault 1.13 |
| Object Type (KMIP-SPEC 9.1.3.2.12) with value Private Key | ✅ | Vault 1.13 |
| Key Format Type (KMIP-SPEC 9.1.3.2.3) with value PKCS#1 | ✅ | Vault 1.13. Supported for Private and Public Keys |
| Key Format Type (KMIP-SPEC 9.1.3.2.3) with value PKCS#8 | ✅ | Vault 1.13. Supported for Private Key |
| Key Format Type (KMIP-SPEC 9.1.3.2.3) with value Transparent RSA Public Key | ✅ | Vault 1.13 |
| Key Format Type (KMIP-SPEC 9.1.3.2.3) with value Transparent RSA Private Key | ✅ | Vault 1.13 |
| Key Format Type (KMIP-SPEC 9.1.3.2.3) with value X.509 | ✅ | Vault 1.13. Supported for Public Key |

MAY support any clause within KMIP-SPEC provided it does not conflict with any other clause within the section Symmetric Key Lifecycle Server
MAY support extensions outside the scope of this standard (e.g., vendor extensions, conformance clauses) that do not contradict any KMIP requirements.
Advanced cryptographic server
SHALL conform to the Baseline Server
Supports the following client-to-server operations:

| Operation | Supported | Notes |
| --- | --- | --- |
| Encrypt (KMIP-SPEC 4.29) | ✅ | Vault 1.11 (see Basic Cryptographic Server); Vault 1.13 adds RSA asymmetric keys, see the notes below |
| Decrypt (KMIP-SPEC 4.30) | ✅ | Vault 1.11 (see Basic Cryptographic Server); Vault 1.13 adds RSA asymmetric keys, see the notes below |
| Sign (KMIP-SPEC 4.31) | ✅ | Vault 1.13; see the notes below |
| Signature Verify (KMIP-SPEC 4.32) | ✅ | Vault 1.13; see the notes below |
| MAC (KMIP-SPEC 4.33) | ✅ | Vault 1.13; see the notes below |
| MAC Verify (KMIP-SPEC 4.34) | ✅ | Vault 1.13; see the notes below |
| RNG Retrieve (KMIP-SPEC 4.35) | ✅ | Vault 1.13 |
| RNG Seed (KMIP-SPEC 4.36) | ✅ | Vault 1.13 |

Notes for Encrypt and Decrypt (Vault 1.13, the same restrictions apply to both operations):

Supported for RSA asymmetric keys.

Supported padding methods:
- OAEP
- PKCS1v15

Streaming operations are not supported.

Notes for Sign and Signature Verify (the same restrictions apply to both operations):

Supported for RSA asymmetric keys.

Supported padding methods:
- PSS
- PKCS1v15

The supported hashing algorithms with PSS are:
- SHA224
- SHA256
- SHA384
- SHA512
- RIPEMD160
- SHA512_224
- SHA512_256
- SHA3_224
- SHA3_256
- SHA3_384
- SHA3_512

The supported hashing algorithms with PKCS1v15 are:
- SHA224
- SHA256
- SHA384
- SHA512
- RIPEMD160

Streaming operations are supported.

Notes for MAC and MAC Verify (the same restrictions apply to both operations):

Supported for RSA asymmetric keys.

The supported hashing algorithms are:
- SHA224
- SHA256
- SHA384
- SHA512
- RIPEMD160
- SHA512_224
- SHA512_256
- SHA3_256
- SHA3_384
- SHA3_512

The following hashing algorithms are not supported:
- MD4
- MD5
- SHA1

Streaming operations are supported.

MAY support any clause within KMIP-SPEC provided it does not conflict with any other clause within the section Basic Cryptographic Server
MAY support extensions outside the scope of this standard (e.g., vendor extensions, conformance clauses) that do not contradict any KMIP requirements.