PureKit Credentials
This article contains information about PureKit credentials.
Backend keys
The following keys are used at your backend for PureKit initialization.
Mandatory
| Parameter | Description | Obtained from |
|---|---|---|
SK Application Secret key | A secret value used to to derive KMSKP and AK. Format: "SK.*version*.*PHE base64-encoded bytes*.*KMS base64-encoded bytes*.*AUTH base64-encoded bytes*". | Generated with Virgil CLI |
PHESK PHE Client Secret key | Used for application authentication at Virgil PHE service. | Derived from SK |
AK Auth Client Secret key | Symmetric key that is used to encrypt a Grant that is needed for secure session between your users and your server, therefore, Auth key has to be accessible during user authentication step. Find out more on how to use Auth Key in authenticate users section. | Derived from SK |
NMS Non-rotatable Master Secret key | A 32-byte secret value used to derive VSKP and OSKP. Format: "NM.*base64-encoded bytes*". | Generated with Virgil CLI |
OSKP Own Signing key pair | Used to sign encrypted users data, to ensure that the data won't be changed. Note that users don't sign their data while encrypting it with their private keys. | Derived from NMS |
PK Service public key | A unique service public key that is generated for a specific PHE application. Used to verify communication between your application and Virgil PHE service. | Generated at Virgil Dashboard |
Optional
| Parameter | Description | Obtained from |
|---|---|---|
BU Backup key pair | Can be used by admins to recover access to user's data in case the user forgot their password. Usually, Backup private key is rarely used, therefore, you can store it far from your server. Find out more on how to use Backup Key in the Data Encryption section. | Generated with Virgil CLI |
VSKP Virgil Storage key pair | Used to sign records sent to Virgil Cloud to enssure that the data won't be changed. (*) The VSKP Key is mandatory in case of using Virgil Cloud storage for storing users' private keys. | Derived from NMS |
KMSSK KMS Client Secret key | Used for application authentication at Virgil KMS service. | Derived from SK |
KMSPK KMS Server Public key | A unique public key of Virgil KMS service that is generated for a specific PHE application. Used to verify communication between your application and Virgil KMS service. | Created at Virgil Dashboard |
User keys
The following keys are used at your backend for managing users' data.
Mandatory
| Parameter | Description | Obtained from |
|---|---|---|
PHEK PHE end-user key | PHE symmetric key, derived on backend during sign up/in process for a user with given id. | Derived automatically during user sign up/in |
UKP User key pair | Randomly generated user keypair for a user with given id. Encrypted with UKP. | Created automatically during user sign up/in |
CKP Cell key pair | Key for data encryption. Used to encrypt specific cell (or group of cells) that are intended to have same set of entities that have access to it. CK is encrypted for BU, UKP, UKP of users that you want give access to, and EKP with matching {column} set. | Generated during encryption |
Optional
| Parameter | Description | Obtained from |
|---|---|---|
EKP External key pair | Key pair that belongs to some external systems (services) that can access some columns of users' data. | Obtained from external service |