Export Keys
The data store export key is used to identify the data store and encrypt the resilient package. It is also used by the Node Administrator, who runs the DevOps API, to export the encrypted package. The export key is the public part of an asymmetric public-private key pair. A Key Management System (KMS) administrator, who is responsible for managing the cryptographic keys in your system, creates this public-private key pair in a Key Store. The KMS administrator then shares the public key with the user who has the Security Officer permission in the ESA. The Security Officer adds the public key to the data store. This step is required only if you are distributing the resilient package to Immutable Resilient protectors.
For more information and an example of using the DevOps process with Immutable Resilient protectors, refer to the section DevOps Approach for Application Protector.
The Security Officer shares the fingerprint of the public key with the Node Administrator.
Adding Export Key
Use the following instructions to add a Public Key to a Data Store.
To add a Public Key to a Data Store:
On the ESA Web UI, navigate to Policy Management > Data Stores.
The list of all the data stores appears.
From the Export Keys tab for the data store, click Add.
The Add Export Key screen appears.
In the Algorithm drop-down list, specify one of the following options:
- RSA-OAEP-256
- RSA-OAEP-512
In case of AWS, the algorithm must be the same one that was selected by the KMS Administrator while creating the asymmetric key pair in the Key Store. Currently, AWS only supports RSA-OAEP-256.
In the Description field, add a description to reference the key pair. For example, specify the key name or the key ID.
In the Public key drop-down list, choose the PEM file that you have downloaded from the Key Store. The contents of the PEM file appear in the text box below. Alternatively, you can paste the contents of the PEM file in the text box.
Click Add.
The public key is added to the list of keys. A public key can be assigned to only one data store. However, a data store can contain multiple public keys. Click the Copy Fingerprint icon to copy the fingerprint of the public key without the colon separators.
The user exporting the resilient package uses this fingerprint in the DevOps API that is used to download the resilient package. Note that the DevOps API works even when the fingerprint contains colon separators.
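To make the key flow above concrete, the following Go program is an added example; it is not part of this documentation or of the ESA product. It stands in for the KMS administrator by generating an RSA key pair, emits the public half as the PEM file the Security Officer uploads, computes a colon-separated fingerprint together with the colon-free form that Copy Fingerprint produces, and wraps a sample package key with RSA-OAEP so that only the holder of the KMS private key can unwrap it. The fingerprint scheme (SHA-256 over the DER-encoded public key), the 2048-bit key size and the 32-byte package key are assumptions made for the example, not the product's documented formats; the function names are the example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"hash"
	"strings"
)

// GenerateExportKeyPair stands in for the KMS administrator creating the
// asymmetric pair in the Key Store. Only the public half leaves the KMS.
// Key size is an assumption for the example.
func GenerateExportKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// PublicKeyPEM renders the public key as the PEM file the Security Officer
// downloads from the Key Store and uploads on the Add Export Key screen.
func PublicKeyPEM(pub *rsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// ParsePublicKeyPEM validates an uploaded PEM file and rejects anything that
// is not an RSA public key, which is what an RSA-OAEP export key requires.
func ParsePublicKeyPEM(pemBytes []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("not a PEM-encoded public key")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	rsaKey, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("export keys must be RSA public keys")
	}
	return rsaKey, nil
}

// Fingerprint returns a colon-separated SHA-256 fingerprint of the DER-encoded
// public key. ASSUMPTION: the product's fingerprint format is not specified
// on this page; this scheme is chosen for the example only.
func Fingerprint(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	parts := make([]string, len(sum))
	for i, b := range sum {
		parts[i] = fmt.Sprintf("%02x", b)
	}
	return strings.Join(parts, ":"), nil
}

// StripColons mirrors the Copy Fingerprint action, which copies the
// fingerprint without its colon separators for use with the DevOps API.
func StripColons(fp string) string {
	return strings.ReplaceAll(fp, ":", "")
}

// oaepHash maps the Algorithm drop-down choice to the OAEP hash function.
// Both sides must use the same choice, which is why the page insists that the
// ESA setting matches what the KMS administrator selected.
func oaepHash(alg string) (hash.Hash, error) {
	switch alg {
	case "RSA-OAEP-256":
		return sha256.New(), nil
	case "RSA-OAEP-512":
		return sha512.New(), nil
	}
	return nil, fmt.Errorf("unsupported export key algorithm %q", alg)
}

// WrapPackageKey encrypts the symmetric key protecting the resilient package
// under the export key, so the package can only be opened with KMS help.
func WrapPackageKey(alg string, pub *rsa.PublicKey, packageKey []byte) ([]byte, error) {
	h, err := oaepHash(alg)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(h, rand.Reader, pub, packageKey, nil)
}

// UnwrapPackageKey is the KMS-side operation: it needs the private key and
// the same OAEP hash that was used for wrapping.
func UnwrapPackageKey(alg string, priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	h, err := oaepHash(alg)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(h, rand.Reader, priv, wrapped, nil)
}

func main() {
	priv, err := GenerateExportKeyPair()
	if err != nil {
		panic(err)
	}
	pemBytes, _ := PublicKeyPEM(&priv.PublicKey)
	pub, _ := ParsePublicKeyPEM(pemBytes)
	fp, _ := Fingerprint(pub)
	fmt.Println("fingerprint shown in the ESA UI:", fp)
	fmt.Println("fingerprint as copied for the DevOps API:", StripColons(fp))

	packageKey := make([]byte, 32) // constructed sample: a symmetric key for the package
	if _, err := rand.Read(packageKey); err != nil {
		panic(err)
	}
	wrapped, _ := WrapPackageKey("RSA-OAEP-256", pub, packageKey)
	if _, err := UnwrapPackageKey("RSA-OAEP-512", priv, wrapped); err != nil {
		fmt.Println("unwrap with a mismatched algorithm fails:", err)
	}
	got, _ := UnwrapPackageKey("RSA-OAEP-256", priv, wrapped)
	fmt.Println("unwrap with the matching algorithm succeeds:", string(got) == string(packageKey))
}
```

The deliberate mismatch in `main` (wrapping with RSA-OAEP-256, unwrapping with RSA-OAEP-512) is the failure the AWS note guards against: the ciphertext is simply undecryptable, so the algorithm chosen in the ESA must match the one selected in the Key Store.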
Managing Export Key
After an export key is added, the key material itself cannot be modified. You can, however, update the RSA algorithm used with the key and the description of the key. Only a user with Security Officer permissions can modify an export key.
To modify an export key:
On the ESA Web UI, navigate to Policy Management > Data Stores.
The list of all the data stores appears.
From the Export Keys tab for the data store, click the Edit Export Key icon for the specified key.
The Edit Export Key screen appears.
In the Algorithm drop-down list, modify the RSA algorithm to be used with the export key.
Note: In case of AWS, the algorithm must be the same one that was selected by the KMS Administrator while creating the asymmetric key pair in the Key Store. Currently, AWS only supports RSA-OAEP-256.
In the Description field, update the description as required.
Click Save to save the changes.
Deleting Export Key
Only a user with Security Officer permissions can delete an export key.
To remove an export key:
On the ESA Web UI, navigate to Policy Management > Data Stores.
The list of all the data stores appears.
From the Export Keys tab for the data store, click the Delete Export Key icon for the specified key.
A confirmation dialog appears.
Click OK.
The message "Export Key has been removed from the Data Store successfully" appears.