Apigee BYOK capabilities

Hi All,

We are currently evaluating Apigee's cloud offering for API management and one of the security requirements is a Bring your own Key (BYOK) capability.

Does this capability exist in Apigee, and where is it / can it be used, i.e. can our own keys be used wherever encryption is used, like the key vaults, message content itself, etc.?

Regards

Nisch


Hi @Nischkalan Kanahia

Yes, Apigee provides encrypted KVM for storing your own keys; these keys can then be used from within an API Proxy to perform cryptographic operations like encryption, decryption, signatures, hashes etc.

You also have REST APIs for managing your keys in KVM.

Let me know if you need any more info.

-Naseer

@Naseer Mohammad

Thanks Naseer. I am familiar with the KVM, but what I am trying to establish is whether there is support for using encryption keys that are private to the organisation and not held in the cloud for the cryptographic functions.

@Nischkalan Kanahia

Can you further elaborate what you mean by "encryption keys that are private to the organization"?

Note that any information you store in Vault or KVM is private to your organization, and only your organization can have access to that info.

If you are talking about storing your cryptographic keys in your datacenter that implies you perform all your cryptographic operations on-prem, which is not really a BYOK use-case.

Probably it will help if you can provide the use-case you are trying to implement, I can guide you in the right direction.

-Naseer

yes, please elaborate on what you mean by

using encryption keys that are private to the organisation and not held in the cloud for the cryptographic functions

Provide some additional detail about what you're thinking. What kind of keys? secret keys? public/private pairs? where is the encryption performed, and by which actor? Where is the decryption performed?

@Nischkalan Kanahia , Great Questions,

Just to get a better understanding, let me know if this is what you think:

  • Store encrypted information using your own keys instead of Apigee logic inside Apigee Edge, for example in KVM, Vaults, Cache etc.?

If the above is correct, yes, you can do that as part of message mediation / transformation using your own keys and custom policies like Java / Python / JavaScript. You can encrypt / decrypt the information using your own keys and algorithms before storing it in KVM, Encrypted KVM, Vaults or Cache.

Apigee has KVM, Encrypted KVM, Cache, Vaults etc. where you can store information. By default we don't encrypt any request / response. You can do that based on your requirements using Java / Python / JS callouts.

If you are thinking of using your own keys as part of API Products / Developer Apps, yes, it's possible. For more details see the thread here.

Hope it helps. Keep us posted if you have any further questions.
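As an added illustration of the Java callout approach described in the reply above (example code written for this thread, not Apigee's own sample), here is a callout that encrypts one flow variable with AES-256-GCM under a customer-supplied key and writes the result to another variable, ready to be stored in KVM or Cache. It assumes a preceding KeyValueMapOperations policy has already read the base64-encoded key from an encrypted KVM into a `private.`-prefixed variable; the package, class, property and variable names are assumptions, and the class is compiled against the Apigee Java callout jars shipped with Edge.

```java
package com.example.byok; // hypothetical package name
import com.apigee.flow.execution.Execution;
import com.apigee.flow.execution.ExecutionContext;
import com.apigee.flow.execution.ExecutionResult;
import com.apigee.flow.message.MessageContext;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Encrypts one flow variable with AES-256-GCM under a key the proxy has already read
// from an encrypted KVM. Output is base64(iv || ciphertext || tag), safe for plain KVM/Cache.
public class ByokEncryptCallout implements Execution {
    private final Map<String, String> properties; // <Property> values from the policy XML
    public ByokEncryptCallout(Map<String, String> properties) {
        this.properties = properties;
    }
    public ExecutionResult execute(MessageContext msgCtxt, ExecutionContext execCtxt) {
        // Property and variable names below are assumptions; set them in the policy XML.
        String keyVar = properties.getOrDefault("key-variable", "private.byok-key");
        String inVar  = properties.getOrDefault("source", "request.content");
        String outVar = properties.getOrDefault("output", "byok.ciphertext");
        try {
            String keyB64 = (String) msgCtxt.getVariable(keyVar);
            String plaintext = (String) msgCtxt.getVariable(inVar);
            if (keyB64 == null || plaintext == null) throw new IllegalStateException("missing key or plaintext variable");
            byte[] key = Base64.getDecoder().decode(keyB64);
            if (key.length != 32) throw new IllegalStateException("key must be 32 bytes (AES-256)");
            byte[] iv = new byte[12];               // fresh 96-bit nonce for every message
            new SecureRandom().nextBytes(iv);
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
            byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
            byte[] out = new byte[iv.length + ct.length];
            System.arraycopy(iv, 0, out, 0, iv.length);
            System.arraycopy(ct, 0, out, iv.length, ct.length);
            msgCtxt.setVariable(outVar, Base64.getEncoder().encodeToString(out));
            return ExecutionResult.SUCCESS;
        } catch (Exception e) {
            msgCtxt.setVariable("byok.error", e.getMessage()); // check this in a fault rule
            return ExecutionResult.ABORT;                      // ABORT raises a policy fault
        }
    }
}
```

Because the key only ever lives in the encrypted KVM and in a `private.` flow variable for the duration of the request, it never appears in trace output or in the plain KVM/Cache entries that hold the ciphertext.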