The Key Manager Service provides secure storage, provisioning and management of secret data. It provides all the cryptographic operations like encryption/decryption and digital signature/verification making one trust store for all partner trust path validation. It manages the lifecycle of encryption/decryption keys, including generation, distribution, administration, and deletion.
This includes keying material such as symmetric keys, asymmetric keys, certificates and algorithm data. It is a web-based key management solution that helps consolidate, control, manage, monitor, all key generation and maintenance of key life cycle required in MOSIP.
Root and Module keys reside in HSM while Base key pair reside in the DB encrypted by Module keys. All references (aliases) containing metadata of keys are present in mosip_keymgr/key_alias table. The key_store table contains encrypted Base keys.
The keys are identified as tuple of app_id and ref_id.
app_id (or applicationId): Typically, module name e.g. REGISTRATION.
ref_id (or referenceId): Specified only for Base keys (except SIGN*). Eg. 10001_110011
* SIGN: TBD
Key generation process
Root and Module keys are generated by any one of these methods:
After the deployment, the initial set of pre-requisite keys has to be generated by the Administrator to complete the Key Manager setup. This generation is a one-time activity, and afterwards, the Key Manager will auto-generate all the required Root key and Module master keys upon expiry of key duration.
Base keys are auto-generated (and updaded on expiry) - the administrator is not required to request for generation. The keys reside in the DB. A new key pair is generated if not found in the DB.
Sync Data service requests Key Manager service to provide the reg-client specific certificate. Key identifier will be APP_ID - REGISTRATION, REF_ID - CENTER-ID_MACHINE-ID.
Key Manager service generate a new key pair, encrypts the private key with REGISTRATION master key and creates a new certificate using same master.
Returns the certificate to Sync data service. If key pair is already available and is valid, returns the available certificate.
Sync data service sends the certificate to Registration Client.
The registration packet will be encrypted using the certificate received from the server after collecting all the required data for registration, including adding the digital signatures required to the registration data, and before saving/writing the data on the Registration Client hard-disk.
REG_PROC sends request to decrypt the data to Key Manager service with same app_id and ref_id.