Keyknox Service

Virgil Keyknox Service helps to safeguard cryptographic keys and secrets of your users in your software. With Vigil Keyknox your users can securely store keys as well as sync and share them between their devices.

Virgil Keyknox is designed so that only your users can have access to their keys. All keys are stored in encrypted format and only the user is able to decrypt them on their own authorized devices.

Virgil Keyknox service can be accessed by using the Virgil Keyknox SDK or Virgil Keyknox API.

Authorization header

Virgil Keyknox Service address:

https://api.virgilsecurity.com/keyknox/v1

All API calls require authentication with Virgil JWT. So all requests go through Virgil API Gateway which bypasses the request with preset HTTP headers: X-Application-Id, X-Virgil-Identity.

Endpoints

The Virgil Keyknox REST API supports the following operations for keyknox object:

Operations	Description
Create Keyknox Record	Creates a new record, stores it, then returns keyknox `value` and `meta` data to the client. If a keyknox record already exists, service creates a new `version` of the keyknox record. It requires the keyknox/create permissions.
Reset Keyknox Record	The reset operation changes only `meta` data of a stored keyknox record. In order to perform this operation, the keyknox record must be already set in the Service.
Note, that the keyknox `value` itself cannot be changed. This operation requires the keyknox/reset permission.
Get Keyknox Record	The get operation returns keyknox record for a current user (identity) specified in a JWT. This operation requires the keyknox/get permission.

Create keyknox record

Creates a new record, stores it, then returns keyknox value and meta data to the client. If a keyknox record already exists, service creates a new version of the keyknox record. It requires the keyknox/create permissions.

Request info

HTTP Request method    PUT
Request URL            https://api.virgilsecurity.com/keyknox/v1 HTTP/1.1
Headers                X-Virgil-Identity: {UserIDString}
                       X-Account-Id: {AccountID}
                       X-Application-Id: {ApplicationID}
                       Virgil-Keyknox-Previous-Hash: {KeyknoxPreviousHash}

Click here to see the description of header parameters

The endpoint contains the following header parameters:

Parameter	Description
X-Virgil-Identity	User `identity` that was used for a JWT generation
X-Account-Id	ID of your Virgil Account. Can be found in your profile settings on Virgil Dashboard
X-Application-Id	ID of your Virgil Application
Virgil-Keyknox-Previous-Hash	Header should be obtained from the `Virgil-Keyknox-Hash` response header of the GET /keyknox endpoint. Header is optional for the case when `Keyknox` entity is created first time for provided `X-Virgil-Identity`

Request

{
    "meta": "BASE64_STRING",
    "value": "BASE64_STRING"
}

Response info

HTTP/1.1 200 OK
Content-Type: application/json
Virgil-Keyknox-Hash: kcY8QLKqFu1gScis3fvKXVBtN1Yghm1L7gARqH3iafgYSU0dGxIUWZ1RITaJshiWyOEOT62FUfQzmVUafum7kA==

Response

{
	"meta": "BASE64_STRING",
	"value": "BASE64_STRING",
	"version": "1.0"
}

Click here to see the description of request and response parameters

The endpoint contains the following request and response parameters:

Parameter	Type	Constraints	Description
meta	Base64	10 kb	Base64 encoded meta (of the sensitive data)
value	Base64	100 kb	Base64 encoded data (encoded sensitive data itself)
version	-	-	Version of user's keyknox entity. Read about a version generation rule in a proper chapter here

GET keyknox record

The get operation returns keyknox record for a current user specified in a JWT. This operation requires the keyknox/get permission.

Request info

HTTP Request method    GET
Request URL            https://api.virgilsecurity.com/keyknox/v1 HTTP/1.1
Headers                X-Virgil-Identity: {UserIDString}
                       X-Account-Id: {AccountID}
                       X-Application-Id: {ApplicationID}

Click here to see the description of header parameters

The endpoint contains the following header parameters:

Parameter	Description
X-Virgil-Identity	User `identity` that was used for a JWT generation
X-Account-Id	ID of your Virgil Account. Can be found in your profile settings on Virgil Dashboard
X-Application-Id	ID of your Virgil Application

Response info

HTTP/1.1 200 OK
Content-Type:         application/json
Virgil-Keyknox-Hash:  kcY8QLKqFu1gScis3fvKXVBtN1Yghm1L7gARqH3iafgYSU0dGxIUWZ1RITaJshiWyOEOT62FUfQzmVUafum7kA==

Response

{
	"meta":  "BASE64_STRING",
	"value": "BASE64_STRING",
	"version": "1.0"
}

Click here to see the description of request and response parameters

The endpoint contains the following request and response parameters:

Parameter	Type	Constraints	Description
meta	Base64	10 kb	Base64 encoded meta (of the sensitive data)
value	Base64	100 kb	Base64 encoded data (encoded sensitive data itself)
version	-	-	Version of user's keyknox entity. Read about a version generation rule in a proper chapter here

Reset keyknox record

The reset operation changes only meta data of a stored keyknox record. In order to perform this operation, the keyknox record must be already set in the Service. Note that the keyknox value itself cannot be changed. This operation requires the keyknox/reset permission.

Request info

HTTP Request method    POST
Request URL            https://api.virgilsecurity.com/keyknox/v1/reset HTTP/1.1
Headers                X-Virgil-Identity: {UserIDString}
                       X-Account-Id: {AccountID}
                       X-Application-Id: {ApplicationID}

Click here to see the description of header parameters

The endpoint contains the following header parameters:

Parameter	Description
X-Virgil-Identity	User `identity` that was used for a JWT generation
X-Account-Id	ID of your Virgil Account. Can be found in your profile settings on Virgil Dashboard.
X-Application-Id	ID of your Virgil Application

Response info

HTTP/1.1 200 OK
Content-Type:          application/json
Virgil-Keyknox-Hash:   kcY8QLKqFu1gScis3fvKXVBtN1Yghm1L7gARqH3iafgYSU0dGxIUWZ1RITaJshiWyOEOT62FUfQzmVUafum7kA==

Response

{
    "meta":  "",
    "value": "",
    "version": "1.0"
}

meta and value properties set to initial state - empty state.
version property, major part increment by 1, minor reset to initial state - 0.

Click here to see the description of request and response parameters

Keyknox service endpoints contains the following request and response parameters:

Parameter	Type	Constraints	Description
meta	Base64	10 kb	Base64 encoded meta (of the sensitive data)
value	Base64	100 kb	Base64 encoded data (encoded sensitive data itself)
version	-	-	Version of user's keyknox entity. Read about a version generation rule in a proper chapter here

Errors

HTTP error codes

The Application uses standard HTTP response codes:

Error code	Description
200	Success
201	Created
400	Request error
404	Entity not found
405	Method not allowed
500	Server error

HTTP 500. Server errors

This status is returned in extremely rare cases of internal application errors

Error code	Description
50000	`X-Application-Id` header is missing.
50001	`X-Account-Id` header is missing.
50002	keyknox entity not found.
50003	`X-Virgil-Identity` header is missing.
50004	`meta` parameter is missing.
50005	`meta` parameter has wrong size. max size is 10kb.
50006	`value` parameter is missing.
50007	`value` parameter has wrong size. max size is 100kb.
50008	`value` parameter was changed without the `meta` parameter.
50009	`Virgil-Keyknox-Previous-Hash` header is missing.
50010	`Virgil-Keyknox-Previous-Hash` header is invalid.
50011	`X-Application-Id` header is missing.

Version generation rule

When Keyknox record created at the first time, version parameter is set to initial state: 1.0, where the major part of the version belongs to the Keyknox meta part and the minor part of the version belongs to the Keyknox value part.
When Keyknox record already exists and the reset action is performed, then Keyknox version updates by next rules:

if only meta part was changed then performs increment minor part of the version by one.
if meta + value parts were changed, then performs reset to 0 of the minor part of the version and increment by one the major part of the version.

Service SDK

Virgil Security provides SDKs which allow you to communicate with the Virgil Keyknox Service to upload, download, and synchronize encrypted sensitive data (private keys) between user's devices:

What is next?

For best practice take a look at our use cases which use Virgil Keyknox Service for sharing users' private keys between their devices:

Add end-to-end encryption to your application using Virgil SDK and Firebase
Add end-to-end encryption to your application using Virgil SDK and your custom platform
Add end-to-end encryption to your application using Virgil SDK and Twilio