Learn how to manage and use cryptographic keys with Infisical.
Concept

Infisical can be used as a Key Management System (KMS), referred to as Infisical KMS, to centralize the management of keys used for cryptographic operations such as encryption and decryption, and signing and verification. Keys managed in Infisical KMS are not extractable from the platform, and data passed to a cryptographic operation is never stored. The keys are themselves protected by a root encryption key; on a self-hosted deployment this root key is supplied through the ROOT_ENCRYPTION_KEY environment variable. You can also use a Hardware Security Module (HSM) to create the root key. Read more about HSM.
Workflow

The typical workflow for using Infisical KMS consists of the following steps:

1. Creating a KMS key. As part of this step, you specify a name for the key and the algorithm to use with it (e.g. AES-GCM-128, AES-GCM-256).
2. Encryption. To encrypt data, you make a request to the Infisical KMS API, passing the base64-encoded plaintext and the key to use; the API returns the base64-encoded ciphertext.
3. Decryption. To decrypt data, you make a request passing the base64-encoded ciphertext and the same key; the API returns the base64-encoded plaintext.

This workflow can be carried out in the Infisical UI or via the API.

Guide to Encrypting Data

In the following steps, we explore how to create a key and use it to encrypt and decrypt data.

Creating a KMS key

Navigate to Project > Key Management and add a new key. Specify the key details:

- Name: A slug-friendly name for the key.
- Key Usage: What the key will be used for (Encrypt/Decrypt for encryption, and Sign/Verify for signing).
- Algorithm: The algorithm associated with the key (e.g. AES-GCM-256).
- Description: An optional description of the intended use of the key.

Encrypting data with the KMS key

Once the key exists, select it under Key Management and choose Encrypt. Provide the plaintext; Infisical returns the base64-encoded ciphertext, which you store and later submit for decryption. The plaintext itself is not retained by Infisical KMS.

Accessing your key

The key is listed under Project > Key Management. Its key ID is what API requests use to address it; the key material itself is never exposed, so every cryptographic operation goes through Infisical KMS.

Decrypting your data

Select the key, choose Decrypt, and submit the base64-encoded ciphertext. The response contains the base64-encoded plaintext, which you decode to recover the original data. Decryption only succeeds with the key that produced the ciphertext, and because AES-GCM is an authenticated mode, a ciphertext that has been altered or truncated is rejected rather than decrypted to garbage.
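The encrypt/decrypt workflow above, driven from a shell against the KMS API. This is an added example, not Infisical's own code or CLI: the endpoint paths, the request and response field names and the bearer-token header are assumptions to check against the API reference for your Infisical version, and the sample plaintext is constructed.

```shell
#!/bin/sh
# Added example, not Infisical's own code: encrypts and decrypts through a KMS key over the
# HTTP API with curl. Assumptions not confirmed by this page, to be checked against the API
# reference of your Infisical version: the endpoints are
#   POST /api/v1/kms/keys/<keyId>/encrypt  body {"plaintext":"<base64>"}  -> {"ciphertext":"<base64>"}
#   POST /api/v1/kms/keys/<keyId>/decrypt  body {"ciphertext":"<base64>"} -> {"plaintext":"<base64>"}
# authenticated with a bearer token (INFISICAL_TOKEN); the key ID is taken from KMS_KEY_ID.
set -eu

INFISICAL_URL="${INFISICAL_URL:-https://app.infisical.com}"

# Single-line base64 in both directions: the API takes and returns base64, and a wrapped
# encoding (coreutils base64 wraps at 76 columns) would corrupt the JSON string.
b64enc() { openssl base64 -A; }
b64dec() { openssl base64 -d -A; }

# Request bodies. The values are base64, so they never need JSON escaping.
encrypt_body() { printf '{"plaintext":"%s"}' "$1"; }
decrypt_body() { printf '{"ciphertext":"%s"}' "$1"; }

# Pull one top-level string field out of a flat JSON response without jq.
json_field() { sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p"; }

# POST a body to the key's encrypt or decrypt operation. -f makes HTTP errors fatal, so a
# 401/403 (wrong token or missing project permission) is never parsed as if it were ciphertext.
kms_call() {  # $1 = keyId, $2 = encrypt|decrypt, $3 = JSON body
  curl -sS -f -X POST "$INFISICAL_URL/api/v1/kms/keys/$1/$2" \
    -H "Authorization: Bearer $INFISICAL_TOKEN" \
    -H "Content-Type: application/json" \
    --data "$3"
}

# Encrypt a plaintext string; prints the base64 ciphertext to store.
kms_encrypt() {  # $1 = keyId, $2 = plaintext
  body=$(encrypt_body "$(printf '%s' "$2" | b64enc)")
  kms_call "$1" encrypt "$body" | json_field ciphertext
}

# Decrypt a stored base64 ciphertext; prints the recovered plaintext.
kms_decrypt() {  # $1 = keyId, $2 = base64 ciphertext
  kms_call "$1" decrypt "$(decrypt_body "$2")" | json_field plaintext | b64dec
}

# Round trip against a real deployment only when credentials are present.
if [ -n "${INFISICAL_TOKEN:-}" ] && [ -n "${KMS_KEY_ID:-}" ]; then
  sample='constructed sample plaintext'   # constructed input
  ct=$(kms_encrypt "$KMS_KEY_ID" "$sample")
  pt=$(kms_decrypt "$KMS_KEY_ID" "$ct")
  [ "$pt" = "$sample" ] && echo "round trip ok, ciphertext: $ct"
fi
```

The ciphertext printed by kms_encrypt is the only thing to persist; the token and key ID stay in the environment of the caller. If the identity behind INFISICAL_TOKEN lacks the decrypt permission in the project, curl -f turns the 403 into a non-zero exit instead of an empty plaintext.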
Guide to Signing Data

In the following steps, we explore how to create an asymmetric key and use it to sign and verify data.

Creating a KMS key

Navigate to Project > Key Management and add a new key. Specify the key details:

- Name: A slug-friendly name for the key.
- Key Usage: What the key will be used for (Encrypt/Decrypt for encryption, and Sign/Verify for signing). Choose Sign/Verify here.
- Algorithm: The key type (e.g. RSA_4096).
- Description: An optional description of the intended use of the key.

Signing data with the KMS key

Once the key exists, select it and choose Sign. Provide the data to sign and pick a signing algorithm. The available algorithms and their properties are:

- RSASSA PSS SHA 512: Not deterministic, and includes a random salt.
- RSASSA PSS SHA 384: Not deterministic, and includes a random salt.
- RSASSA PSS SHA 256: Not deterministic, and includes a random salt.
- RSASSA PKCS1 V1.5 SHA 512: Deterministic, and does not include randomness.
- RSASSA PKCS1 V1.5 SHA 384: Deterministic, and does not include randomness.
- RSASSA PKCS1 V1.5 SHA 256: Deterministic, and does not include randomness.
- ECDSA SHA 512: Not deterministic, and includes randomness.
- ECDSA SHA 384: Not deterministic, and includes randomness.
- ECDSA SHA 256: Not deterministic, and includes randomness.

The RSASSA algorithms apply to RSA keys and the ECDSA algorithms to ECC keys. Deterministic means that signing the same data with the same key always yields the same signature bytes; with the non-deterministic algorithms, two signatures over identical data differ. Do not compare signatures byte-for-byte to check integrity; always use the Verify operation, which accounts for the salt or nonce. This example uses the RSASSA PSS SHA 512 signing algorithm. Infisical returns the base64-encoded signature.

Accessing your key

As with encryption keys, the key is listed under Project > Key Management and is addressed by its key ID in API requests. The private key never leaves Infisical KMS; signing and verification are performed inside it.

Verifying data with the KMS key

Select the key and choose Verify. Provide the original data, the base64-encoded signature, and the same signing algorithm that was used to sign. Infisical reports whether the signature is valid; if the data, the signature, or the algorithm does not match what was signed, the result is Invalid.
FAQ

Is my data stored in Infisical KMS?

No. Infisical KMS only performs the requested cryptographic operation and returns the result; it does not store the plaintext, ciphertext, or signed data you submit.

Can key material be accessed outside of Infisical KMS?

No. Keys managed in Infisical KMS are not extractable. Operations run inside Infisical, and only their results (ciphertext, plaintext, signatures, or the verification status) are returned.

What algorithms does Infisical KMS support?

Currently, Infisical KMS supports:

- RSA_4096: For signing and verifying data.
- ECC_NIST_P256: For signing and verifying data.
- AES-256-GCM: For encryption and decryption operations.
- AES-128-GCM: For encryption and decryption operations.

How do I sign and verify a digest using the Infisical KMS?

You can sign and verify a digest (the hash of your data, rather than the data itself) using the Sign and Verify endpoints respectively. Pass "isDigest": true in the request body to indicate that you are signing or verifying a digest. The data you submit must then be the base64 encoding of the raw binary digest of the data you wish to sign or verify, not its hex representation.

It is important that the digest is created with the same hash function as the signing algorithm. For example, create a SHA512 digest if you are using the RSASSA_PKCS1_V1_5_SHA_512 signing algorithm; a digest produced with a different hash, or over different data, will fail verification. To create a SHA512 digest of a file, hash it with OpenSSL's dgst command in binary output mode and base64-encode the result on a single line. Because Infisical only sees the digest in this mode, it cannot check that you hashed the intended data with the intended function; that responsibility stays with the caller.

RSA PSS signing algorithms are not supported for digest signing and verification. Use the RSA PKCS1 V1.5 signing algorithms for digest signing and verification, or ECDSA if you are using an ECC key.
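The signing-algorithm properties listed under "Signing data with the KMS key" and the digest rules in this FAQ answer, reproduced locally with OpenSSL so they can be checked without an Infisical instance. This is an added example, not Infisical's code: it assumes openssl 1.1.1 or later on PATH and uses a locally generated RSA-4096 key as a stand-in for an RSA_4096 KMS key (the real private key never leaves Infisical); the message it hashes is constructed.

```shell
#!/bin/sh
# Added example, not Infisical's own code: reproduces the digest-signing rules locally with
# OpenSSL. Assumptions: openssl 1.1.1+ on PATH; a locally generated RSA-4096 key stands in
# for the RSA_4096 KMS key (the real private key never leaves Infisical).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Local stand-in for the KMS key pair; generated once per run.
gen_key() {
  if [ ! -f "$WORK/key.pem" ]; then
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "$WORK/key.pem" 2>/dev/null
    openssl pkey -in "$WORK/key.pem" -pubout -out "$WORK/pub.pem"
  fi
}

# stdin -> single-line base64 of the *binary* digest: the value to put in "data"
# when calling Sign/Verify with "isDigest": true. $1 is sha256, sha384 or sha512.
digest_b64() {
  openssl dgst "-$1" -binary | openssl base64 -A
}

# Decode a base64 digest or signature argument into a file.
to_file() { printf '%s' "$1" | openssl base64 -d -A > "$2"; }

# Sign a precomputed digest (base64) with RSASSA-PKCS1-v1_5 over hash $1, i.e. the
# RSASSA_PKCS1_V1_5_SHA_* algorithms. Prints the base64 signature.
sign_pkcs1() {
  to_file "$2" "$WORK/digest.bin"
  openssl pkeyutl -sign -inkey "$WORK/key.pem" -in "$WORK/digest.bin" \
    -pkeyopt "digest:$1" | openssl base64 -A
}

# Same digest, RSASSA-PSS (the RSASSA_PSS_SHA_* algorithms) with a fresh random salt.
sign_pss() {
  to_file "$2" "$WORK/digest.bin"
  openssl pkeyutl -sign -inkey "$WORK/key.pem" -in "$WORK/digest.bin" \
    -pkeyopt "digest:$1" -pkeyopt rsa_padding_mode:pss \
    -pkeyopt rsa_pss_saltlen:digest | openssl base64 -A
}

# Verify a PKCS#1 v1.5 signature ($3, base64) over digest $2 (base64) with hash $1.
# Exit status 0 = Valid, non-zero = Invalid, mirroring the KMS Verify result.
verify_pkcs1() {
  to_file "$2" "$WORK/digest.bin"
  to_file "$3" "$WORK/sig.bin"
  openssl pkeyutl -verify -pubin -inkey "$WORK/pub.pem" -in "$WORK/digest.bin" \
    -sigfile "$WORK/sig.bin" -pkeyopt "digest:$1" >/dev/null 2>&1
}

# Checks every rule from the page against the local key; returns 0 only if all hold.
check_digest_signing_rules() {
  gen_key
  msg='constructed sample message'                # constructed input
  d512=$(printf '%s' "$msg" | digest_b64 sha512)
  d384=$(printf '%s' "$msg" | digest_b64 sha384)

  # 1. PKCS#1 v1.5 is deterministic: two signatures over the same digest are identical.
  s1=$(sign_pkcs1 sha512 "$d512"); s2=$(sign_pkcs1 sha512 "$d512")
  [ "$s1" = "$s2" ] || return 1

  # 2. PSS includes a random salt: two signatures over the same digest differ.
  p1=$(sign_pss sha512 "$d512"); p2=$(sign_pss sha512 "$d512")
  [ "$p1" != "$p2" ] || return 1

  # 3. The digest must match the signing algorithm's hash: the SHA-512 digest verifies ...
  verify_pkcs1 sha512 "$d512" "$s1" || return 1
  # ... a SHA-384 digest of the same data does not, and a signature made with the
  # SHA-384 algorithm is Invalid when checked as SHA-512.
  if verify_pkcs1 sha512 "$d384" "$s1"; then return 1; fi
  s384=$(sign_pkcs1 sha384 "$d384")
  if verify_pkcs1 sha512 "$d512" "$s384"; then return 1; fi

  # 4. Any change to the signature (here every letter rotated by one) is Invalid.
  bad=$(printf '%s' "$s1" | tr 'A-Za-z' 'B-ZAb-za')
  if verify_pkcs1 sha512 "$d512" "$bad"; then return 1; fi
  return 0
}

check_digest_signing_rules && echo "digest-signing rules hold for the local RSA-4096 key"
```

digest_b64 is the pipeline to use for the "data" field when calling Sign or Verify with "isDigest": true; the -A flag keeps the base64 on one line, which the JSON string requires. verify_pkcs1 is the local counterpart of the Verify endpoint: the KMS performs the same check, so a digest computed with the wrong hash or over the wrong bytes comes back Invalid there too. The PSS branch exists only to show why byte comparison of signatures is meaningless for that family; against the KMS, digests are signed with PKCS#1 v1.5 or ECDSA, as the note above states.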