Welcome to Portal
If you choose to upload a key, the process is as follows:
In accordance with our standard practice, data will be encrypted using a DEK managed by us and stored in our KMS. The DEK will further be encrypted using our KEK, which will be stored on a separate server.
To upload your KEK, you will be required to extract the public key from a certificate we provide, which you will then use to encrypt and hash your key.
Upload the encrypted KEK and hashed KEK in Zoho Directory.
We will decrypt the DEK using our KEK to obtain plain DEK.
This plain DEK will now be encrypted using the KEK provided by you.
Sign in to Zoho Directory .
Click Admin Panel, then click Security.
Click BYOK, then click Manage certificates in the top-right corner.
Click Add certificates, provide a unique name for your certificate, and click Add. Hover over the added certificate and click the download icon.
"bcprov-jdk18on" jar with version greater than or equal to 1.78.1
Use the following Java code snippet to extract the public key from the downloaded certificate file and encrypt the key:
Click here to view the complete code snippet
/**
* @param fileName
* - Downloaded FileName
* @param plainKeyBytes
* - Generated Key Bytes
* @return - Encrypted Key
* @throws Exception
*/
public static String encryptKeyWithPublicKey(String fileName, byte[] plainKeyBytes) throws Exception {
PemReader reader = new PemReader(new FileReader(new File(fileName)));
PemObject pemObject = reader.readPemObject();
byte[] content = pemObject.getContent();
reader.close();
InputStream fin = new ByteArrayInputStream(content);
CertificateFactory f = CertificateFactory.getInstance("X.509");
X509Certificate certificate = (X509Certificate) f.generateCertificate(fin);
PublicKey pk = certificate.getPublicKey();
byte[] publicKeyBytes = pk.getEncoded();
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKeyBytes);
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PublicKey publicKey = keyFactory.generatePublic(keySpec);
Cipher encryptCipher = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING");
OAEPParameterSpec oaepParams = new OAEPParameterSpec("SHA-256", "MGF1", new MGF1ParameterSpec("SHA-256"), PSource.PSpecified.DEFAULT);
encryptCipher.init(Cipher.ENCRYPT_MODE, publicKey, oaepParams);
byte[] encryptedBytes = encryptCipher.doFinal(plainKeyBytes);
return Base64.getEncoder().encodeToString(encryptedBytes);
}
Generate AES key hash value using the below code snippet:
public static String getHashValue(byte[] plainKeyBytes) throws NoSuchAlgorithmException {
MessageDigest digest = MessageDigest.getInstance("SHA-256");
byte[] hashed = digest.digest(plainKeyBytes);
return Base64.getEncoder().encodeToString(hashed);
}
Sign in to Zoho Directory .
Click Admin Panel, then click Security.
In the Add key screen, enter the Key name, select applications, and choose your key type as Upload key.
Under Key details, select any one of the available certificates for which you have already generated Encrypted KEK and Hashed KEK.
Browse and upload the hashed KEK as a .txt file.
Browse and upload the encrypted KEK as a .txt file.
Click Add.