If you choose to upload a key, the process is as follows:

1. In accordance with our standard practice, data will be encrypted using a DEK managed by us and stored in our KMS. The DEK will further be encrypted using our KEK, which will be stored on a separate server.

2. To upload your KEK, you will be required to extract the public key from a certificate we provide, which you will then use to encrypt and hash your key.

3. Upload the encrypted KEK and hashed KEK in Zoho Directory.

4. We will decrypt the DEK using our KEK to obtain plain DEK.

5. This plain DEK will now be encrypted using the KEK provided by you.

Upload Key:

1. Add a BYOK Certificate:

1. Sign in to Zoho Directory .

2. Click Admin Panel, then click Security.

3. Click BYOK, then click Manage certificates in the top-right corner.

4. Click Add certificates, provide a unique name for your certificate, and click Add. Hover over the added certificate and click the download icon.
   
   

Note: You can only add a maximum of two certificates.

2. To generate encrypted KEK:

Prerequisites:

• "bcprov-jdk18on" jar with version greater than or equal to 1.78.1

Use the following Java code snippet to extract the public key from the downloaded certificate file and encrypt the key:

Click here to view the complete code snippet

/**
 * @param fileName
 *            - Downloaded FileName
 * @param plainKeyBytes
 *            - Generated Key Bytes
 * @return - Encrypted Key
 * @throws Exception
 */
	public static String encryptKeyWithPublicKey(String fileName, byte[] plainKeyBytes) throws Exception {

		PemReader reader = new PemReader(new FileReader(new File(fileName)));
		PemObject pemObject = reader.readPemObject();
		byte[] content = pemObject.getContent();
		reader.close();
		InputStream fin = new ByteArrayInputStream(content);
		CertificateFactory f = CertificateFactory.getInstance("X.509");
		X509Certificate certificate = (X509Certificate) f.generateCertificate(fin);
		PublicKey pk = certificate.getPublicKey();
		byte[] publicKeyBytes = pk.getEncoded();
		X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKeyBytes);
		KeyFactory keyFactory = KeyFactory.getInstance("RSA");
		PublicKey publicKey = keyFactory.generatePublic(keySpec);
		Cipher encryptCipher = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING");
		OAEPParameterSpec oaepParams = new OAEPParameterSpec("SHA-256", "MGF1", new MGF1ParameterSpec("SHA-256"), PSource.PSpecified.DEFAULT);
		encryptCipher.init(Cipher.ENCRYPT_MODE, publicKey, oaepParams);
		byte[] encryptedBytes = encryptCipher.doFinal(plainKeyBytes);
		return Base64.getEncoder().encodeToString(encryptedBytes);

	}

3. To generate hashed KEK:

Generate AES key hash value   using the below code snippet:

public static String getHashValue(byte[] plainKeyBytes) throws NoSuchAlgorithmException {
    MessageDigest digest = MessageDigest.getInstance("SHA-256");
    byte[] hashed = digest.digest(plainKeyBytes);
    return Base64.getEncoder().encodeToString(hashed);
}

4. To upload key:

1. Sign in to Zoho Directory .

2. Click Admin Panel, then click Security.

3. Click BYOK, then click Setup.
   
   
   
   
   
   Note: Click + Add key on the right if you already have a key added.
   
   

4. In the Add key screen, enter the Key name, select applications, and choose your key type as Upload key.
   

Note: The key name cannot be edited if you've chosen all available apps. Only one key can be applied to an app, and apps already assigned will not be listed under Available applications. 

 

5. Under Key details, select any one of the available certificates for which you have already generated Encrypted KEK and Hashed KEK.
   

Note: You can add a certificate by clicking the + icon next to the Available certificates and generate encrypted KEK and hashed KEK using the above mentioned Java code snippets.

6. Browse and upload the hashed KEK as a .txt file.

7. Browse and upload the encrypted KEK as a .txt file.

8. Click Add.