Public Key Cryptography

Updated: August 7, 2017

SmartKey can perform encryption and decryption of data with RSA keypairs.

Prerequisites

Performing public key cryptography requires a SmartKey account, a group with an RSA key, and an application configured in that group. See the SmartKey Developer's Guide for more details.

Required Operations

The RSA key must have the Encrypt operation enabled for encryption and the Decrypt operation enabled for decryption. In addition, the key must be enabled.

Authorization and Configuration

You must first authenticate and optionally configure a default API client as described in Configure API Client and Client Authentication. Performing cryptography requires authenticating as an app with an API key or a client certificate. (User accounts cannot perform encryption and decryption.)

Create an EncryptionAndDecryptionApi Client Object

Encryption and decryption are performed using an EncryptionAndDecryptionApi object. Constructed without arguments, it uses the default API client configured in the previous step.

import com.fortanix.sdkms.v1.api.EncryptionAndDecryptionApi;

EncryptionAndDecryptionApi cryptoApi = new EncryptionAndDecryptionApi();

Encrypting Data

Data may be encrypted even if you have only a public key.

Create an Encryption Request

The encryption request object encodes the request parameters. Only the plain (plaintext) and alg (encryption algorithm) parameters are used for public key encryption. The plaintext should be binary data passed as an array of bytes. The cryptographic algorithm is required, and must match the type of the key (in this case, RSA).

import com.fortanix.sdkms.v1.model.ObjectType;
import com.fortanix.sdkms.v1.model.EncryptRequest;

EncryptRequest encryptRequest = new EncryptRequest().plain(<plaintext data as byte[]>).alg(ObjectType.RSA);

Make the Encryption Call

Data is encrypted with the encrypt() method of the EncryptionAndDecryptionApi object. encrypt() is called with the UUID of the key used to perform encryption, and the encryption request. The UUID of the key can be found in the key details page of the UI, or it can be retrieved by looking up keys with the API.

import com.fortanix.sdkms.v1.model.EncryptResponse;

EncryptResponse encryptResponse = cryptoApi.encrypt(<key UUID>, encryptRequest);
byte[] ciphertext = encryptResponse.getCipher();

Decrypting Data

You will need a private key in order to decrypt data.

Create a Decryption Request

The decryption request object encodes the request parameters. Only the cipher (ciphertext) and alg (encryption algorithm) parameters are used for public key decryption. The ciphertext should be binary data passed as an array of bytes. The cryptographic algorithm is required, and must match the type of the key (in this case, RSA).

import com.fortanix.sdkms.v1.model.ObjectType;
import com.fortanix.sdkms.v1.model.DecryptRequest;

DecryptRequest decryptRequest = new DecryptRequest().cipher(<ciphertext data as byte[]>).alg(ObjectType.RSA);

Make the Decryption Call

Data is decrypted with the decrypt() method of the EncryptionAndDecryptionApi object. decrypt() is called with the UUID of the key used to perform decryption, and the decryption request. The UUID of the key can be found in the key details page of the UI, or it can be retrieved by looking up keys with the API.

import com.fortanix.sdkms.v1.model.DecryptResponse;

DecryptResponse decryptResponse = cryptoApi.decrypt(<key UUID>, decryptRequest);
byte[] plaintext = decryptResponse.getPlain();
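The following is an added example, not code from the SmartKey documentation or SDK, that puts the encryption and decryption steps above together as one round trip and verifies the result. It uses only the classes the page shows (EncryptionAndDecryptionApi, EncryptRequest, DecryptRequest, ObjectType.RSA) and assumes the default API client has already been configured and authenticated as an app, as described under Authorization and Configuration; that setup is not shown here. The KEY_UUID value and the sample plaintext are placeholders constructed for the example, and ApiException is assumed to be the SDK's generated exception type exposing getCode() and getResponseBody().

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import com.fortanix.sdkms.v1.ApiException;
import com.fortanix.sdkms.v1.api.EncryptionAndDecryptionApi;
import com.fortanix.sdkms.v1.model.DecryptRequest;
import com.fortanix.sdkms.v1.model.DecryptResponse;
import com.fortanix.sdkms.v1.model.EncryptRequest;
import com.fortanix.sdkms.v1.model.EncryptResponse;
import com.fortanix.sdkms.v1.model.ObjectType;

public class RsaRoundTrip {

    // Placeholder: replace with the UUID shown on the key details page of the UI.
    private static final String KEY_UUID = "00000000-0000-0000-0000-000000000000";

    // Encrypt plaintext with the RSA key identified by keyUuid.
    // Only plain and alg are set on the request, as the page describes.
    static byte[] rsaEncrypt(EncryptionAndDecryptionApi api, String keyUuid, byte[] plaintext)
            throws ApiException {
        EncryptRequest request = new EncryptRequest().plain(plaintext).alg(ObjectType.RSA);
        EncryptResponse response = api.encrypt(keyUuid, request);
        return response.getCipher();
    }

    // Decrypt ciphertext with the same key; the key must hold the private part
    // and have the Decrypt operation enabled.
    static byte[] rsaDecrypt(EncryptionAndDecryptionApi api, String keyUuid, byte[] ciphertext)
            throws ApiException {
        DecryptRequest request = new DecryptRequest().cipher(ciphertext).alg(ObjectType.RSA);
        DecryptResponse response = api.decrypt(keyUuid, request);
        return response.getPlain();
    }

    public static void main(String[] args) {
        // Assumes Configuration's default ApiClient is already authenticated as an app.
        EncryptionAndDecryptionApi api = new EncryptionAndDecryptionApi();

        // Constructed sample input. Raw RSA encryption only accepts a message shorter
        // than the modulus minus padding overhead, so keep payloads small (for example
        // a symmetric data key) rather than encrypting bulk data directly.
        byte[] plaintext = "example data key 0123456789abcdef".getBytes(StandardCharsets.UTF_8);

        try {
            byte[] ciphertext = rsaEncrypt(api, KEY_UUID, plaintext);
            System.out.println("ciphertext length: " + ciphertext.length + " bytes");

            byte[] recovered = rsaDecrypt(api, KEY_UUID, ciphertext);
            if (!Arrays.equals(plaintext, recovered)) {
                throw new IllegalStateException("decrypted data does not match the original plaintext");
            }
            System.out.println("round trip OK");
        } catch (ApiException e) {
            // A 403 here typically means the key is disabled or lacks the Encrypt/Decrypt
            // operation (see Required Operations), or the caller is not an app.
            System.err.println("SmartKey request failed, HTTP " + e.getCode() + ": " + e.getResponseBody());
        }
    }
}
```

The ciphertext length printed after encryption equals the RSA modulus size in bytes (256 bytes for a 2048-bit key) regardless of how short the plaintext is, which is a quick sanity check that the request reached the key you intended.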