---
layout: docs
page_title: KMIP - Profiles Support
description: |-
  The KMIP profiles define the use of KMIP objects, attributes, operations, message elements and authentication methods within specific contexts of KMIP server and client interaction. These profiles define a set of normative constraints for employing KMIP within a particular environment or context of use.
---

# KMIP profiles version 1.4

This document specifies conformance clauses in accordance with the OASIS TC Process (TC-PROC section 2.18 paragraph 8a) for the KMIP Specification (KMIP-SPEC 12.1 and 12.2) for a KMIP server or KMIP client through profiles that define the use of KMIP objects, attributes, operations, message elements and authentication methods within specific contexts of KMIP server and client interaction.

Vault implements version 1.4 of the following Key Management Interoperability Protocol Profiles:

## Baseline Server

1. Supports the following objects:

| Object                                                                  | Supported |
| ----------------------------------------------------------------------- | :-------: |
| Attribute [KMIP-SPEC 2.1.1][kmip-spec-2.1.1]                            | ✅        |
| Credential [KMIP-SPEC 2.1.2][kmip-spec-2.1.2]                           | ✅        |
| Key Block [KMIP-SPEC 2.1.3][kmip-spec-2.1.3]                            | ✅        |
| Key Value [KMIP-SPEC 2.1.4][kmip-spec-2.1.4]                            | ✅        |
| Template-Attribute Structure [KMIP-SPEC 2.1.8][kmip-spec-2.1.8]         | ✅        |
| Extension Information [KMIP-SPEC 2.1.9][kmip-spec-2.1.9]                | ✅        |
| Profile Information [KMIP-SPEC 2.1.19][kmip-spec-2.1.19]                | ✅        |
| Validation Information [KMIP-SPEC 2.1.20][kmip-spec-2.1.20]             | ✅        |
| Capability Information [KMIP-SPEC 2.1.21][kmip-spec-2.1.21]             | ✅        |

2. Supports the following subsets of attributes:

| Attribute                                                              | Supported | Notes  |
| -----------------------------------------------------------------------| :-------: | :----: |
| Unique Identifier [KMIP-SPEC 3.1][kmip-spec-3.1]                       | ✅        |        |
| Name [KMIP-SPEC 3.2][kmip-spec-3.2]                                    | ✅        |        |
| Object Type [KMIP-SPEC 3.3][kmip-spec-3.3]                             | ✅        |        |
| Cryptographic Algorithm [KMIP-SPEC 3.4][kmip-spec-3.4]                 | ✅        |        |
| Cryptographic Length [KMIP-SPEC 3.5][kmip-spec-3.5]                    | ✅        |        |
| Cryptographic Parameters [KMIP-SPEC 3.6][kmip-spec-3.6]                | ✅        |        |
| Digest [KMIP-SPEC 3.17][kmip-spec-3.17]                                | ✅        |        |
| Cryptographic Usage Mask [KMIP-SPEC 3.19][kmip-spec-3.19]              | ✅        |        |
| State [KMIP-SPEC 3.22][kmip-spec-3.22]                                 | ✅        |        |
| Initial Date [KMIP-SPEC 3.23][kmip-spec-3.23]                          | ✅        |        |
| Process Start Date [KMIP-SPEC 3.25][kmip-spec-3.25]                    | ✅        | Vault 1.11 |
| Protect Stop Date [KMIP-SPEC 3.26][kmip-spec-3.26]                     | ✅        | Vault 1.11 |
| Activation Date [KMIP-SPEC 3.24][kmip-spec-3.24]                       | ✅        |        |
| Deactivation Date [KMIP-SPEC 3.27][kmip-spec-3.27]                     | ✅        |        |
| Compromise Occurrence Date [KMIP-SPEC 3.29][kmip-spec-3.29]            | ✅        |        |
| Compromise Date [KMIP-SPEC 3.30][kmip-spec-3.30]                       | ✅        |        |
| Revocation Reason [KMIP-SPEC 3.31][kmip-spec-3.31]                     | ✅        |        |
| Object Group [KMIP-SPEC 3.33][kmip-spec-3.33]                          | ✅        |        |
| Fresh [KMIP-SPEC 3.34][kmip-spec-3.34]                                 | ✅        |        |
| Link [KMIP-SPEC 3.35][kmip-spec-3.35]                                  | ✅        |        |
| Last Change Date [KMIP-SPEC 3.38][kmip-spec-3.38]                      | ✅        |        |
| Alternative Name [KMIP-SPEC 3.40][kmip-spec-3.40]                      | ✅        | Vault 1.12 |
| Key Value Present [KMIP-SPEC 3.41][kmip-spec-3.41]                     | ✅        | Vault 1.12 |
| Key Value Location [KMIP-SPEC 3.42][kmip-spec-3.42]                    | 🔴        |        |
| Original Creation Date [KMIP-SPEC 3.43][kmip-spec-3.43]                | ✅        |        |
| Random Number Generator [KMIP-SPEC 3.44][kmip-spec-3.44]               | ✅        |        |
| Description [KMIP-SPEC 3.46][kmip-spec-3.46]                           | ✅        |        |
| Comment [KMIP-SPEC 3.47][kmip-spec-3.47]                               | ✅        |        |
| Sensitive [KMIP-SPEC 3.48][kmip-spec-3.48]                             | ✅        |        |
| Always Sensitive [KMIP-SPEC 3.49][kmip-spec-3.49]                      | ✅        |        |
| Extractable [KMIP-SPEC 3.50][kmip-spec-3.50]                           | ✅        |        |
| Never Extractable [KMIP-SPEC 3.51][kmip-spec-3.51]                     | ✅        |        |

3. Supports the following client-to-server operations:

| Operation                                             | Supported | Notes |
| ------------------------------------------------------| :--------:|:-----:|
| Locate [KMIP-SPEC 4.9][kmip-spec-4.9]                 | ✅        | Vault version 1.11 supports attributes Activation Date, Application Specific Information, Cryptographic Algorithm, Cryptographic Length, Name, Object Type, Original Creation Date, and State. <br/> Vault version 1.12 supports all profile attributes except for Key Value Location.      |
| Check [KMIP-SPEC 4.10][kmip-spec-4.10]                | 🔴        |        |
| Get [KMIP-SPEC 4.11][kmip-spec-4.11]                  | ✅        |        |
| Get Attributes [KMIP-SPEC 4.12][kmip-spec-4.12]       | ✅        |        |
| Get Attribute List [KMIP-SPEC 4.13][kmip-spec-4.13]   | ✅        |        |
| Add Attribute [KMIP-SPEC 4.14][kmip-spec-4.14]        | ✅        |        |
| Modify Attribute [KMIP-SPEC 4.15][kmip-spec-4.15]     | ✅        | Vault 1.12 |
| Delete Attribute [KMIP-SPEC 4.16][kmip-spec-4.16]     | ✅        | Vault 1.12 |
| Activate [KMIP-SPEC 4.19][kmip-spec-4.19]             | ✅        |        |
| Revoke [KMIP-SPEC 4.20][kmip-spec-4.20]               | ✅        |        |
| Destroy [KMIP-SPEC 4.21][kmip-spec-4.21]              | ✅        |        |
| Query [KMIP-SPEC 4.25][kmip-spec-4.25]                | ✅        | Vault 1.11 |
| Discover Versions [KMIP-SPEC 4.26][kmip-spec-4.26]    | ✅        |        |

4. Supports the following message contents:

| Message Content                                                  | Supported |
| -----------------------------------------------------------------| :--------:|
| Protocol Version [KMIP-SPEC 6.1][kmip-spec-6.1]                  | ✅        |
| Operation [KMIP-SPEC 6.2][kmip-spec-6.2]                         | ✅        |
| Maximum Response Size [KMIP-SPEC 6.3][kmip-spec-6.3]             | ✅        |
| Unique Batch Item ID [KMIP-SPEC 6.4][kmip-spec-6.4]              | ✅        |
| Time Stamp [KMIP-SPEC 6.5][kmip-spec-6.5]                        | ✅        |
| Asynchronous Indicator [KMIP-SPEC 6.7][kmip-spec-6.7]            | ✅        |
| Result Status [KMIP-SPEC 6.9][kmip-spec-6.9]                     | ✅        |
| Result Reason [KMIP-SPEC 6.10][kmip-spec-6.10]                   | ✅        |
| Batch Order Option [KMIP-SPEC 6.12][kmip-spec-6.12]              | ✅        |
| Batch Error Continuation Option [KMIP-SPEC 6.13][kmip-spec-6.13] | ✅        |
| Batch Count [KMIP-SPEC 6.14][kmip-spec-6.14]                     | ✅        |
| Batch Item [KMIP-SPEC 6.15][kmip-spec-6.15]                      | ✅        |
| Attestation Capable Indicator [KMIP-SPEC 6.17][kmip-spec-6.17]   | ✅        |
| Client Correlation Value [KMIP-SPEC 6.18][kmip-spec-6.18]        | ✅        |
| Server Correlation Value [KMIP-SPEC 6.19][kmip-spec-6.19]        | ✅        |
| Message Extension [KMIP-SPEC 6.16][kmip-spec-6.16]               | ✅        |

5. Supports the ID Placeholder KMIP-SPEC 4
6. Supports Message Format KMIP-SPEC 7
7. Supports Authentication KMIP-SPEC 8
8. Supports the TTLV encoding KMIP-SPEC 9.1
9. Supports the transport requirements KMIP-SPEC 10
10. Supports Error Handling KMIP-SPEC 11 for any supported object, attribute, or operation
11. Optionally supports any clause within KMIP-SPEC that is not listed above
12. Optionally supports extensions outside the scope of this standard (e.g., vendor extensions, conformance clauses) that do not contradict any KMIP requirements. We do not have any extensions.

## Symmetric Key Lifecycle Server

1. SHALL conform to the Baseline Server
2. Supports the following objects:

| Object                                                                 | Supported |
| -----------------------------------------------------------------------| :--------:|
| Symmetric Key [KMIP-SPEC 2.2.2][kmip-spec-2.2.2]                       | ✅        |
| Key Format Type [KMIP-SPEC 9.1.3.2.3][kmip-spec-9.1.3.2.3]             | ✅        |

3. Supports the following subsets of attributes:

| Attribute                                                              | Supported | Notes |
| -----------------------------------------------------------------------| :-------: | :---: |
| Cryptographic Algorithm [KMIP-SPEC 3.4][kmip-spec-3.4]                 | ✅        |       |
| Object Type [KMIP-SPEC 3.3][kmip-spec-3.3]                             | ✅        |       |
| Process Start Date [KMIP-SPEC 3.25][kmip-spec-3.25]                    | ✅        | Vault 1.11 |
| Protect Stop Date [KMIP-SPEC 3.26][kmip-spec-3.26]                     | ✅        | Vault 1.11 |

4. Supports the following client-to-server operations:

| Operation                                             | Supported |
| ------------------------------------------------------| :--------:|
| Create [KMIP-SPEC 4.1][kmip-spec-4.1]                 | ✅        |

5. Supports the following message encoding:

| Message Encoding                                                                     | Supported | Notes |
| -------------------------------------------------------------------------------------| :--------:|:-----:|
| Cryptographic Algorithm [KMIP-SPEC 9.1.3.2.13][kmip-spec-9.1.3.2.13] with values:    |           |       |
| i. 3DES                                                                              | ✅        | Vault 1.12 |
| ii. AES                                                                              | ✅        |        |
| Object Type [KMIP-SPEC 9.1.3.2.12][kmip-spec-9.1.3.2.12] with value:                 |           |        |
| i. Symmetric Key                                                                     | ✅        |        |
| Key Format Type [KMIP-SPEC 9.1.3.2.3][kmip-spec-9.1.3.2.3] with value:               |           |        |
| i. Raw                                                                               | ✅        |        |
| ii. Transparent Symmetric Key                                                        | 🔴        |        |

6. MAY support any clause within KMIP-SPEC provided it does not conflict with any other clause within the section Symmetric Key Lifecycle Server
7. MAY support extensions outside the scope of this standard (e.g., vendor extensions, conformance clauses) that do not contradict any KMIP requirements.

## Basic Cryptographic Server

1. SHALL conform to the Baseline Server
2. Supports the following client-to-server operations:

| Operation                                             | Supported | Notes   |
| ------------------------------------------------------| :--------:| --------|
| Encrypt [KMIP-SPEC 4.29][kmip-spec-4.29]              | ✅        | Vault 1.11 <br/> Supported for AES, unsupported for 3DES: <br/><br/> Supported Block Cipher Modes: <br/> <ol> <li> GCM </li> <li> CBC </li> <li> CFB </li> <li> CTR </li> <li> ECB </li> <li> OFB </li> </ol> <br/> Stream operations are supported except for GCM block cipher mode. <br/><br/> Supported padding methods: <br/> <ol> <li> None </li> <li> PKCS5 </li> </ol>  |
| Decrypt [KMIP-SPEC 4.30][kmip-spec-4.30]              | ✅        | Vault 1.11 <br/> Supported for AES, unsupported for 3DES: <br/><br/> Supported Block Cipher Modes: <br/> <ol> <li> GCM </li> <li> CBC </li> <li> CFB </li> <li> CTR </li> <li> ECB </li> <li> OFB </li> </ol> <br/> Stream operations are supported except for GCM block cipher mode. <br/><br/> Supported padding methods: <br/> <ol> <li> None </li> <li> PKCS5 </li> </ol>  |

3. MAY support any clause within KMIP-SPEC provided it does not conflict with any other clause within the section Basic Cryptographic Server
4. MAY support extensions outside the scope of this standard (e.g., vendor extensions, conformance clauses) that do not contradict any KMIP requirements.

## Asymmetric Key Lifecycle Server

1. SHALL conform to the Baseline Server
2. Supports the following objects:

| Object                                                                 | Supported |
| -----------------------------------------------------------------------| :--------:|
| Symmetric Key [KMIP-SPEC 2.2.2][kmip-spec-2.2.2]                       | ✅        |
| Key Format Type [KMIP-SPEC 9.1.3.2.3][kmip-spec-9.1.3.2.3]             | ✅        |

3. Supports the following objects:

| Object                                                              | Supported | Notes |
| --------------------------------------------------------------------| :-------: | :---: |
| Public Key [KMIP-SPEC 2.2.3][kmip-spec-2.2.3]                       | ✅        |  Vault 1.13 |
| Private Key [KMIP-SPEC 2.2.4][kmip-spec-2.2.4]                      | ✅        |  Vault 1.13 |
| Process Start Date [KMIP-SPEC 3.25][kmip-spec-3.25]                 | ✅        |  Vault 1.11 |
| Key Format Type [KMIP-SPEC 9.1.3.2.3][kmip-spec-9.1.3.2.3]          | ✅        |        |

4. Supports the following attributes:

| Attribute                                                              | Supported | Notes |
| -----------------------------------------------------------------------| :-------: | :---: |
| Cryptographic Algorithm [KMIP-SPEC 3.4][kmip-spec-3.4]                 | ✅        |       |
| Object Type [KMIP-SPEC 3.3][kmip-spec-3.3]                             | ✅        |       |
| Process Start Date [KMIP-SPEC 3.25][kmip-spec-3.25]                    | ✅        | Vault 1.11 |
| Protect Stop Date [KMIP-SPEC 3.26][kmip-spec-3.26]                     | ✅        | Vault 1.11 |

5. Supports the following message encoding:

| Message Encoding                                                                     | Supported | Notes |
| -------------------------------------------------------------------------------------| :--------:|:-----:|
| Cryptographic Algorithm [KMIP-SPEC 9.1.3.2.13][kmip-spec-9.1.3.2.13] with values:    |           |       |
| i. RSA                                                                               | ✅        | Vault 1.13 |
| Object Type [KMIP-SPEC 9.1.3.2.12][kmip-spec-9.1.3.2.12] with value:                 |           |        |
| i. Public Key                                                                        | ✅        | Vault 1.13 |
| ii. Private Key                                                                      | ✅        | Vault 1.13 |
| Key Format Type [KMIP-SPEC 9.1.3.2.3][kmip-spec-9.1.3.2.3] with value:               |           |        |
| i. PKCS#1                                                                            | ✅        | Vault 1.13 <br/> Supported for Private and Public Keys|
| ii. PKCS#8                                                                           | ✅        | Vault 1.13 <br/> Supported for Private Key|
| iii. Transparent RSA Public Key                                                      | ✅        | Vault 1.13 |
| iv. Transparent RSA Private Key                                                      | ✅        | Vault 1.13 |
| v. X.509                                                                             | ✅        | Vault 1.13 <br/> Supported for Public Key|

6. MAY support any clause within KMIP-SPEC provided it does not conflict with any other clause within the section Symmetric Key Lifecycle Server
7. MAY support extensions outside the scope of this standard (e.g., vendor extensions, conformance clauses) that do not contradict any KMIP requirements.

## Advanced Cryptographic Server

1. SHALL conform to the Baseline Server
2. Supports the following client-to-server operations:

| Operation                                             | Supported | Notes   |
| ------------------------------------------------------| :--------:| --------|
| Encrypt [KMIP-SPEC 4.29][kmip-spec-4.29]              | ✅        | Vault 1.11 <br/> [See Basic Cryptographic Server](#basic-cryptographic-server) <br/><br/> Vault 1.13 <br/> Supported for RSA Asymmetric Keys: <br/><br/> Supported padding methods: <br/> <ol> <li> OAEP </li> <li> PKCS1v15 </li> </ol> <br/> Streaming operations are not supported. |
| Decrypt [KMIP-SPEC 4.30][kmip-spec-4.30]              | ✅        | Vault 1.11 <br/> [See Basic Cryptographic Server](#basic-cryptographic-server) <br/><br/> Vault 1.13 <br/> Supported for RSA Asymmetric Keys: <br/><br/> Supported padding methods: <br/> <ol> <li> OAEP </li> <li> PKCS1v15 </li> </ol> <br/> Streaming operations are not supported. |
| Sign [KMIP-SPEC 4.31][kmip-spec-4.31]                 | ✅        | Vault 1.13 <br/> Supported for RSA Asymmetric Keys: <br/><br/> Supported padding methods: <br/> <ol> <li> PSS </li> <li> PKCS1v15 </li> </ol> <br/><br/> The supported hashing algorithms with PSS are: <br/> <ol> <li> SHA224 </li> <li> SHA256 </li> <li> SHA384 </li> <li> SHA512 </li> <li> RIPEMD160 </li> <li> SHA512_224 </li> <li> SHA512_256 </li> <li> SHA3_224 </li> <li> SHA3_256 </li> <li> SHA3_384 </li> <li> SHA3_512 </li> </ol> <br/> The supported hashing algorithms with PKCS1v15 are: <br/> <ol> <li> SHA224 </li> <li> SHA256 </li> <li> SHA384 </li> <li> SHA512 </li> <li> RIPEMD160 </li> </ol> <br/> Streaming operations are supported.|
| Signature Verify [KMIP-SPEC 4.32][kmip-spec-4.32]     | ✅        | Vault 1.13 <br/> Supported for RSA Asymmetric Keys: <br/><br/> Supported padding methods: <br/> <ol> <li> PSS </li> <li> PKCS1v15 </li> </ol> <br/><br/> The supported hashing algorithms with PSS are: <br/> <ol> <li> SHA224 </li> <li> SHA256 </li> <li> SHA384 </li> <li> SHA512 </li> <li> RIPEMD160 </li> <li> SHA512_224 </li> <li> SHA512_256 </li> <li> SHA3_224 </li> <li> SHA3_256 </li> <li> SHA3_384 </li> <li> SHA3_512 </li> </ol> <br/> The supported hashing algorithms with PKCS1v15 are: <br/> <ol> <li> SHA224 </li> <li> SHA256 </li> <li> SHA384 </li> <li> SHA512 </li> <li> RIPEMD160 </li> </ol> <br/> Streaming operations are supported.|
| MAC [KMIP-SPEC 4.33][kmip-spec-4.33]                  | ✅        | Vault 1.13 <br/> Supported for RSA Asymmetric Keys: <br/><br/> The supported hashing algorithms are: <br/> <ol> <li> SHA224 </li> <li> SHA256 </li> <li> SHA384 </li> <li> SHA512 </li> <li> RIPEMD160 </li> <li> SHA512_224 </li> <li> SHA512_256 </li> <li> SHA3_256 </li> <li> SHA3_384 </li> <li> SHA3_512 </li> </ol> <br/> The following hashing algorithms are not supported: <br/> <ol> <li> MD4 </li> <li> MD5 </li> <li> SHA1 </li> </ol> <br/> Streaming operations are supported.|
| MAC Verify [KMIP-SPEC 4.34][kmip-spec-4.34]           | ✅        | Vault 1.13 <br/> Supported for RSA Asymmetric Keys: <br/><br/> The supported hashing algorithms are: <br/> <ol> <li> SHA224 </li> <li> SHA256 </li> <li> SHA384 </li> <li> SHA512 </li> <li> RIPEMD160 </li> <li> SHA512_224 </li> <li> SHA512_256 </li> <li> SHA3_256 </li> <li> SHA3_384 </li> <li> SHA3_512 </li> </ol> <br/> The following hashing algorithms are not supported: <br/> <ol> <li> MD4 </li> <li> MD5 </li> <li> SHA1 </li> </ol> <br/> Streaming operations are supported.|
| RNG Retrieve [KMIP-SPEC 4.35][kmip-spec-4.35]         | ✅        | Vault 1.13 |
| RNG Seed [KMIP-SPEC 4.36][kmip-spec-4.36]             | ✅        | Vault 1.13 |

3. MAY support any clause within KMIP-SPEC provided it does not conflict with any other clause within the section Basic Cryptographic Server
4. MAY support extensions outside the scope of this standard (e.g., vendor extensions, conformance clauses) that do not contradict any KMIP requirements.