This section explains how to generate Elliptic Curve Digital Signature Algorithm (ECDSA) keys and ECDSA verification signatures that are compatible with the Qumulo file system key store.

In Qumulo Core 6.1.0 (and higher), you can store multiple ECDSA public keys in the Qumulo file system key store and use these keys to protect file system resources.

Generating an ECDSA Private Key

This section explains how to generate a 256-bit ECDSA private key by using Linux CLI tools and AWS, GCP, and Azure CLI or API.

To Generate a Private Key by Using Linux CLI Tools

To generate a key in .pem format, run either the openssl tool or the ssh-keygen tool.

  • Run the openssl tool and specify the path to the private key. For example:

    openssl ecparam \
      -genkey \
      -name prime256v1 \
      -out /private-key-path
    
  • Run the ssh-keygen tool and specify the path to the private key. For example:

    ssh-keygen \
      -f /private-key-path \
      -t ecdsa \
      -m PEM
    

The following is an example private key.

-----BEGIN EC PRIVATE KEY-----
EXAMPLEabCDe8fghi8J28KlB8mO+no93N0pBqrs/TUvWXYza4BC0DefghiJklmNO
PQRsTUVWXyZAbc0DEFGhIJ////////////////////////////////////7///kl
MNOPQRSTUVwXYZA5bcD++ef7gHIjKlMOnopQRst82u3OVWxY8oZaBcdEfEg62hij
k8LmNoP7/Q4RSTu9V7WXyzABCDeF0G/7HIJ4KlMN/////////////////////opq
3OrsTUV7w9XyzAB2CDEFGHIjKLMNOPQ7r7S7t/uVwxY1zaBO9c23Sd1EF3G3hijk
L1mN1OPQRSTUve2+X06YZABcD/eFGhIJ/Kl5MNOPQrsTuEXAMPLE
-----END EC PRIVATE KEY-----

Generating a Key Pair by Using the AWS Key Management Service (KMS)

Use the AWS Management Console, AWS CLI, or AWS KMS API. For more information, see the following resources:

When you create a key pair, specify the following details:

  • Key Type: Asymmetric key

  • Usage: Sign and verify

  • Key Specification: ECC_NIST_P256

Generating a Key Pair by Using the GCP Cloud Key Management Service (Cloud KMS)

Use the GCP Cloud Console, Cloud CLI, or Cloud API. For more information, see Create a key in the Cloud Key Management Service documentation.

When you create a key pair, specify the following details:

  • Protection Level: software or HSM

  • Purpose: Asymmetric sign

  • Algorithm: Elliptic Curve P-256 - SHA256 Digest

Generating a Key Pair by Using the Azure Key Vault

Use the Azure Key Vault and the Azure CLI. For more information, see az keyvault key create in the Azure documentation.

When you create a key pair, specify the following details:

  • Key Type: EC

  • Curve: P-256

  • Key Size: 256

Extracting the Public Key from an ECDSA Private Key

After you create a 256-bit ECDSA private key, you can extract a public key from it by using Linux CLI tools and AWS, GCP, and Azure CLI and API. You can store the public key in the Qumulo file system key store.

To Extract the Public Key by Using Linux CLI Tools

  1. Run the openssl tool and specify the path to the private key and the path for saving the public key. For example:

    openssl pkey \
      -in /private-key-path \
      -pubout > /public-key-path
    
  2. If your private key is in OpenSSH format, export the public key in .pem format. Run the ssh-keygen tool and specify the path to the private key and the path for saving the public key. For example:

    ssh-keygen \
      -e \
      -f /private-key-path \
      -m PEM > /public-key-path

  3. To convert the private key itself from OpenSSH format to .pem format in place (for example, so that the openssl command in step 1 can read it), run the ssh-keygen tool and specify the path to the private key. For example:

    ssh-keygen \
      -p \
      -f /private-key-path \
      -m PEM

The following is an example public key in .pem format.

-----BEGIN PUBLIC KEY-----
EXAMPLEabCDef0GHIJKL4MNOPqRStUV5wXyz491abc1d2efGijklmNOP0qrsTUv
WXYza1BCdEfGHIjkOlMnOpqr1STUvW3XYzAB6c8DefghIJkEXAMPLE==
-----END PUBLIC KEY-----

Extracting the Public Key by Using the AWS Key Management Service (KMS)

Use the AWS Management Console, AWS CLI, or AWS KMS API. For more information, see the following resources:

Extracting the Public Key by Using the GCP Cloud Key Management Service (Cloud KMS)

Use the GCP Cloud Console, Cloud CLI, or Cloud API. For more information, see Retrieve the public key in the Cloud Key Management Service documentation.

Extracting the Public Key by Using the Azure Key Vault

Use the Azure Key Vault and the Azure CLI. For more information, see az keyvault key download in the Azure documentation.

Signing a Security Challenge by Using an ECDSA Private Key

When you perform actions such as adding a new key to the Qumulo file system key store, replacing an existing key in the key store, or unlocking a snapshot, you must verify that you have access to the private key by signing a security challenge.

You can use your private key to generate a verification signature and then provide this signature to Qumulo Core in Base64 encoding.

To Sign a Security Challenge by Using Linux CLI Tools

  1. Save the security challenge to be signed to a file. For example:

    echo -n "This is my challenge." > /tmp/challenge.out
    
  2. To sign the challenge, run the openssl tool and specify the path to the private key. For example:

    openssl dgst \
      -sha256 \
      -r \
      -sign /path-to-private-key \
      -out /tmp/signature.sha256 /tmp/challenge.out
    
  3. To encode the signature in Base64 format, run the openssl tool. For example:

    openssl base64 \
      -in /tmp/signature.sha256 \
      -out /tmp/key_signature.b64
    
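The Linux CLI procedure above, run end to end as an added example (not Qumulo's own code) with one extra step a practitioner wants before submitting the signature: decoding the Base64 and verifying it locally against the extracted public key, and confirming that a modified challenge is rejected. It assumes openssl is in PATH; the challenge and all paths are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not Qumulo's own code: generate a P-256 key, extract its public
# key, sign a challenge, Base64-encode the signature, then verify it locally.
# Assumes openssl is in PATH; all paths are constructed in a temporary directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CHALLENGE="This is my challenge."   # constructed sample challenge

# Generate a 256-bit ECDSA private key on prime256v1 (NIST P-256) in PEM format.
# -noout keeps only the private key block; the EC PARAMETERS block is not needed.
gen_private_key() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/private.pem"
}

# Extract the PEM public key, which is what goes into the key store.
extract_public_key() {
    openssl pkey -in "$WORK/private.pem" -pubout -out "$WORK/public.pem"
}

# Sign the SHA-256 digest of the challenge. openssl dgst writes the signature in
# DER form (a SEQUENCE of the integers r and s); Base64-encode it on one line.
sign_challenge() {
    printf '%s' "$CHALLENGE" > "$WORK/challenge.out"
    openssl dgst -sha256 -sign "$WORK/private.pem" \
        -out "$WORK/signature.der" "$WORK/challenge.out"
    openssl base64 -A -in "$WORK/signature.der" -out "$WORK/signature.b64"
}

# Decode the Base64 signature and verify it against the public key over the
# given file; returns 0 only when openssl reports "Verified OK".
verify_file() {
    openssl base64 -d -A -in "$WORK/signature.b64" -out "$WORK/signature.bin"
    openssl dgst -sha256 -verify "$WORK/public.pem" \
        -signature "$WORK/signature.bin" "$1" >/dev/null 2>&1
}

# Returns 0 when the signature verifies for the original challenge.
verify_signature() { verify_file "$WORK/challenge.out"; }

# Returns 0 when a modified challenge is rejected, i.e. the signature is bound
# to the exact bytes that were signed.
tampered_rejected() {
    printf '%s' "$CHALLENGE tampered" > "$WORK/tampered.out"
    if verify_file "$WORK/tampered.out"; then return 1; fi
}

gen_private_key && extract_public_key && sign_challenge && verify_signature
echo "signature (Base64): $(cat "$WORK/signature.b64")"
```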

To Sign a Security Challenge by Using the AWS Key Management Service (KMS)

  1. Sign a security challenge by using the AWS CLI or AWS KMS API. For more information, see the following resources:

    • AWS CLI: sign in the AWS CLI Command Reference

    • AWS KMS API: Sign in the AWS Key Management Service API Reference

  2. Specify the ECDSA_SHA_256 algorithm.

    The response returns a Base64-encoded verification signature.

To Sign a Security Challenge by Using the GCP Cloud Key Management Service (Cloud KMS)

  1. Sign a security challenge by using the GCP Cloud Console, Cloud CLI, or Cloud API. For more information, see Creating a signature in the Cloud Key Management Service documentation.

  2. Specify the SHA256 digest algorithm.

  3. If the signature in the response consists of raw bytes rather than a Base64-encoded string, encode the signature file that the Cloud CLI generates by using the base64 CLI tool. For example:

    base64 /gcp-output-path/signature.bytes
    

To Sign a Security Challenge by Using the Azure Key Vault

  1. Sign a security challenge by using the Azure Key Vault and the Azure API. For more information, see sign in the Azure documentation.

  2. Convert your plaintext challenge into the correct format. For example:

    echo -n "This is my challenge." \
      | sha256sum \
      | cut -d' ' -f1 \
      | xxd -r -p \
      | base64 \
      | tr '/+' '_-'
    
  3. Use the re-encoded challenge to call the Azure API.

  4. Specify ES256 as the algorithm.

    The signature in the response is encoded in UrlBase64 format.

  5. Encode the signature in Base64 format. For example:

    echo $(echo -n VGhpcyBpcyBteSBzaWduYXR1cmUu | tr '_-' '/+')==
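Steps 2 and 5 of the Azure procedure as shell functions, added here as an example that is not Azure's or Qumulo's code. Step 5 above appends "==" unconditionally, which is correct for the 86-character Base64url form of a 64-byte P-256 signature but not for every input (the 28-character placeholder shown needs no padding), so this version derives the padding from the length. It assumes openssl is in PATH; the sample strings are constructed.

```shell
#!/bin/sh
# Added example, not Azure's or Qumulo's code. Assumes openssl is in PATH.
set -eu

# Step 2: SHA-256 digest of the plaintext challenge, re-encoded as URL-safe
# Base64 for the value parameter of the Azure sign call (same pipeline as the
# step above, with openssl producing the digest bytes directly).
challenge_to_urlsafe_digest() {
    printf '%s' "$1" | openssl dgst -sha256 -binary | openssl base64 -A | tr '/+' '_-'
}

# Step 5: UrlBase64 -> standard Base64. Undo the URL-safe alphabet, drop any
# padding already present, then restore the "=" padding Base64url omits: a
# Base64 string is a multiple of 4 characters, and a remainder of 1 is invalid.
urlsafe_to_standard_b64() {
    s=$(printf '%s' "$1" | tr '_-' '/+' | tr -d '=')
    case $(( ${#s} % 4 )) in
        0) ;;
        2) s="$s==" ;;
        3) s="$s=" ;;
        *) echo "invalid Base64url length: ${#s}" >&2; return 1 ;;
    esac
    printf '%s' "$s"
}

# Returns 0 when the re-encoded Base64 decodes to the expected bytes (given as
# lowercase hex), i.e. the conversion is lossless.
roundtrip_ok() {
    decoded=$(urlsafe_to_standard_b64 "$1" | openssl base64 -d -A | od -An -tx1 | tr -d ' \n')
    [ "$decoded" = "$2" ]
}

# Constructed samples: the placeholder signature string from the step above
# (already a multiple of 4, so no padding) and bytes fb ff bf 00, whose Base64
# uses both '+' and '/' and needs two padding characters.
echo "$(urlsafe_to_standard_b64 VGhpcyBpcyBteSBzaWduYXR1cmUu)"   # VGhpcyBpcyBteSBzaWduYXR1cmUu
echo "$(urlsafe_to_standard_b64 -_-_AA)"                          # +/+/AA==
```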