You can use UKO to group key templates, keys, and keystores into a vault for a set of users that require the same access permissions. You can create vaults in UKO with the UKO web interface, or programmatically with the UKO API.
As a Vault Administrator, you can bundle the key templates, keys, and keystores in UKO into groups called vaults. A vault is a collection of key templates, keys, internal keystores, and external keystores that require the same access permissions. For example, if a group of team members needs a particular type of access to a specific set of key templates, keys, and keystores, you can create a vault and assign the appropriate access roles to that user group. The users that are granted access to the vault can create and manage the resources that exist within the vault.
Vaults are also useful where one business unit must have access to a set of key templates, keys, and keystores that another business unit must not have. An administrator can create a vault for each business unit and assign the appropriate level of access to the appropriate users. If the administrator wants to delegate management of a specific vault to someone else, they can assign a user to that vault as a sub-administrator. The sub-administrator can then manage the vault and grant access to the appropriate users.
Before you create a vault, keep in mind the following considerations:
- Vaults can hold key templates, KMS keys, and keystores.
- A key template, a key, or a keystore can belong to only one vault at a time. You specify the vault for a key template, a managed key, or a target keystore when you create it.
For more information about granting access, see Granting access to vaults.
Creating vaults with the UKO web interface
To create a vault by using the web interface, complete the following steps through the Vaults page. Optionally, you can create a vault when you create a key template, create a managed key, or add a keystore.
- Log in to UKO.
- Click Vaults from the navigation to view all the available vaults.
- To create a vault, click Create vault.
- Enter a name in Vault name. Optionally, you can add an extended description of your vault in the Description section. The vault name must be 1 to 100 characters long. The characters can be letters (case-sensitive), digits (0-9), or the symbols #@!$%'_-.
- (Optional) In the Security and recovery section, you can specify a recovery key specific to this vault. By default, the vault inherits the system-wide recovery key that is configured on the System administration page. Specify a different key name only if you want a separate recovery key to protect this individual vault. You can learn more about recovery keys in the Key hierarchy chapter.
- Click Create vault to confirm.
You have successfully created a vault.
Creating vaults through the API
To create a vault through the API, follow these steps:
- Retrieve your service and authentication credentials to work with vaults in the service.
- Create a vault by making a POST call to the following endpoint.
For detailed instructions and code examples about using the API method, check out the Cloud API reference doc.
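The following Python example is added here for illustration; it is not IBM's code and is not taken from the UKO API reference. It applies the vault-name rules stated above (1 to 100 characters; letters, digits, or the symbols #@!$%'_-) before building the POST request described in the API steps, so that a malformed name is rejected client-side instead of by the service. The base URL, the `/vaults` path, the header names, and the JSON body fields are assumptions: this page does not show the endpoint, so take the real values from the Cloud API reference doc. The IAM token is passed in by the caller rather than embedded in code.

```python
"""Added example (not IBM's code): validate a UKO vault name against the
rules stated on this page, then build and optionally send the POST request
that creates the vault.

Assumptions, not taken from this page:
  * UKO_BASE_URL and the "/vaults" path are placeholders; the page does not
    show the endpoint, so use the one from the UKO API reference.
  * The service is authenticated with an IAM bearer token supplied by the
    caller; the header names and body fields are illustrative.
"""
import json
import re
import urllib.request

# Name rules as stated on this page: 1 to 100 characters, drawn from letters
# (case-sensitive), digits 0-9, and the symbols # @ ! $ % ' _ -
# Note the "-" is last in the class so it is a literal, not a range.
VAULT_NAME_RE = re.compile(r"[A-Za-z0-9#@!$%'_-]{1,100}")

# Placeholder endpoint (assumption): replace with the documented UKO API URL.
UKO_BASE_URL = "https://uko.example.invalid/api"


def validate_vault_name(name: str) -> bool:
    """Return True only if the whole string satisfies the page's name rules."""
    return bool(VAULT_NAME_RE.fullmatch(name))


def build_create_vault_request(name: str, description: str = "",
                               token: str = "<IAM token>",
                               base_url: str = UKO_BASE_URL) -> dict:
    """Build (but do not send) the POST request that creates a vault.

    Returned as a plain dict so it can be inspected or unit-tested offline.
    Raises ValueError for a name that violates the rules on this page.
    """
    if not validate_vault_name(name):
        raise ValueError(
            "vault name must be 1-100 characters from letters, digits, "
            "or #@!$%'_-")
    body = {"name": name}
    if description:
        body["description"] = description
    return {
        "method": "POST",
        "url": f"{base_url.rstrip('/')}/vaults",  # path is an assumption
        "headers": {
            "Authorization": f"Bearer {token}",   # IAM token, caller-supplied
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
        "body": json.dumps(body).encode("utf-8"),
    }


def create_vault(name: str, description: str, token: str,
                 base_url: str = UKO_BASE_URL) -> dict:
    """Send the request built above and return the decoded JSON response.

    Network access is required; the request shape is the assumption noted
    in the module docstring.
    """
    req = build_create_vault_request(name, description, token, base_url)
    request = urllib.request.Request(
        req["url"], data=req["body"], headers=req["headers"],
        method=req["method"])
    with urllib.request.urlopen(request, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration: build the request for a well-formed name and
    # show that a name with a space is rejected before anything is sent.
    ok = build_create_vault_request("payroll-vault_01", "Payroll team keys")
    print(ok["method"], ok["url"], ok["body"].decode())
    try:
        build_create_vault_request("payroll vault")
    except ValueError as exc:
        print("rejected:", exc)
```

`build_create_vault_request` is separated from `create_vault` so the request can be checked without credentials or network access; in a deployment, the token should come from your IAM client or a secrets store, never from a literal in the script.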