KMS Search Filters and Examples

    Posted Apr 08, 2011 05:50 AM

    PGP Key Management Server introduces a new search language for finding KMS objects such as symmetric keys, asymmetric keys, secure
    data, consumers and other objects.

    The search language is described in detail in the attached document (you can find it at the end of this article).

    Quotation

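    When quoting the search filter for PGP Command Line, there are some differences between running PGP Command Line on Windows and
    running it on Linux operating systems.

    On Windows, a quoted string inside the filter must be quoted with two double quotation marks ("") on each side, while the whole
    search filter is enclosed in a single double quotation mark (") on each side. On Linux / Unix, the whole search filter is enclosed
    in single quotation marks (') and the quoted string inside it keeps its ordinary double quotation marks.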

    Example for Windows:

     "EQ(NAME,""MekSeries1"")"
    

    Example for Linux / Unix:

     'EQ(NAME,"MekSeries1")'
    


    Search Filter Examples

    Search for a MAK (Managed Asymmetric Key) by name, using a regular expression:

     Windows:
    pgp --usp-server keys.senderdomain.com --search-mak "RE(NAME,""mekseries.+application1"")"
    Linux:
    pgp --usp-server keys.senderdomain.com --search-mak 'RE(NAME,"mekseries.+application1")'
    

    Search for a MAK by UUID:

     Windows:
    pgp --usp-server keys.senderdomain.com --search-mak "EQ(UUID,""f056de57-b569-4c0a-8960-18808f04af95"")"
    Linux:
    pgp --usp-server keys.senderdomain.com --search-mak 'EQ(UUID,"f056de57-b569-4c0a-8960-18808f04af95")'
    

    Search for a MAK by PGP Key-ID:

     Windows:
    pgp --usp-server keys.senderdomain.com --search-mak "EQ(KEY_ID,0x5D2B4461)"
    Linux:
    pgp --usp-server keys.senderdomain.com --search-mak 'EQ(KEY_ID,0x5D2B4461)'
    

    Search for all MAKs that match both of the custom attributes and values (version 3.2 or higher).
    The UUIDs of all MAKs that have the custom attribute "APPLICATION" set to "APP1" and the custom attribute "ENABLED" set to "TRUE" are returned:

    Windows:
    pgp --usp-server keys.senderdomain.com --search-mak "AND(EQ(""APPLICATION"",""APP1""),EQ(""ENABLED"",""TRUE""))"
    Linux:
    pgp --usp-server keys.senderdomain.com --search-mak 'AND(EQ("APPLICATION","APP1"),EQ("ENABLED","TRUE"))'
    

    Search for a consumer by name (using regular expression):

     Windows:
    pgp --usp-server keys.senderdomain.com --search-consumer "RE(NAME,""test.*1"")"
    Linux:
    pgp --usp-server keys.senderdomain.com --search-consumer 'RE(NAME,"test.*1")'
    

    Search for a MEK Series by UUID:

     Windows:
    pgp --usp-server keys.senderdomain.com --details --search-mek-series "EQ(UUID,""563fb515-1369-40d6-b23d-1fef0638eecb"")"
    Linux:
    pgp --usp-server keys.senderdomain.com --details --search-mek-series 'EQ(UUID,"563fb515-1369-40d6-b23d-1fef0638eecb")'
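
    The quoting rules and filter shapes above, as an added example that is not part of the original article or of PGP Command Line: it builds a filter from variables and renders the Linux and Windows command-line forms. The helper names are hypothetical, and because the filter language's escape rules are not given here, values containing quotes or control characters are rejected rather than escaped.

```python
import re

# Hypothetical helper names. EQ, RE, AND and the fields NAME, UUID, KEY_ID are
# the ones used in this page's examples; any other field name is treated as a
# custom attribute and quoted, as in the APPLICATION/ENABLED example.
BUILTIN_FIELDS = {"NAME", "UUID", "KEY_ID"}

def _quoted(text):
    # The filter language's escape rules are not given on this page, so a
    # value containing a quote or control character is rejected, not escaped.
    if not text or re.search(r'["\'\x00-\x1f]', text):
        raise ValueError(f"unsafe filter text: {text!r}")
    return f'"{text}"'

def term(op, field, value):
    """Build one EQ(...) or RE(...) term."""
    if op not in ("EQ", "RE"):
        raise ValueError(f"unsupported operator: {op}")
    name = field if field in BUILTIN_FIELDS else _quoted(field)
    if field == "KEY_ID":
        if not re.fullmatch(r"0x[0-9A-Fa-f]+", value):
            raise ValueError(f"not a hex key ID: {value!r}")
        return f"{op}({name},{value})"
    return f"{op}({name},{_quoted(value)})"

def both(a, b):
    """AND of two terms, as in the custom-attribute example."""
    return f"AND({a},{b})"

def for_posix(filt):
    """Linux/Unix form: the whole filter in single quotes."""
    if "'" in filt:
        raise ValueError("single quote would end the shell string")
    return f"'{filt}'"

def for_windows(filt):
    """Windows form: inner quotes doubled, whole filter in double quotes."""
    return '"' + filt.replace('"', '""') + '"'

if __name__ == "__main__":
    f = both(term("EQ", "APPLICATION", "APP1"), term("EQ", "ENABLED", "TRUE"))
    print("Linux:  ", for_posix(f))
    print("Windows:", for_windows(f))
```

    Rejecting quote characters keeps a name taken from a ticket, CSV file or web form from closing the quoted string and appending further filter terms.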
    

    Search operation modifiers:

    All search operations for PGP Command Line can be modified using three different flags:
    --brief : This will only print the UUIDs of the results, one per line
    --details : This will print additional details about each object in the result list
    --xml : This will print all known details, in a parsable XML format, for each object in the result list

    Search operation output examples:

    Searching for a MEK series using default output:

     pgp --usp-server keys.senderdomain.com --search-mek-series 'EQ(NAME,"MekSeries1")'
    output:
    UUID                                    Name          No MEKs
    ------------------------------------    ----------    -------
    563fb515-1369-40d6-b23d-1fef0638eecb    MekSeries1    2 
    

    Searching for a MEK series using --brief output:

     pgp --usp-server keys.senderdomain.com --search-mek-series 'EQ(NAME,"MekSeries1")' --brief
    output:
    563fb515-1369-40d6-b23d-1fef0638eecb 
    

    Searching for a MEK series using --details output:

     pgp --usp-server keys.senderdomain.com --search-mek-series 'EQ(NAME,"MekSeries1")' --details
    output:
    MEK Series Details: MekSeries1
           UUID: 563fb515-1369-40d6-b23d-1fef0638eecb
           Number of MEKs in series: 2
      Creation time: 2010-06-30
        End of life: 2011-09-29
     Validity (sec): 86400 
    

    Searching for a MEK series using --xml output:

     pgp --usp-server keys.senderdomain.com --search-mek-series 'EQ(NAME,"MekSeries1")' --xml
    output:
    <?xml version="1.0"?>
    <MEKSeriesList>
      <MEKSeries>
        <name>MekSeries1</name>
        <UUID>563fb515-1369-40d6-b23d-1fef0638eecb</UUID>
        <NumMEKs>2</NumMEKs>
        <CreationTime>2010-06-30</CreationTime>
        <EndOfLife>2011-09-29</EndOfLife>
        <ValidityDuration>86400</ValidityDuration>
        <attributes/>
      </MEKSeries>
    </MEKSeriesList> 
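
    One way to consume the --xml output, as an added example that is not part of the original article: it parses the MEK series list and reports series that are at or near their end of life. The function names and the 90-day window are assumptions; the element names are those in the output above.

```python
import xml.etree.ElementTree as ET
from datetime import date, timedelta

# Constructed sample: the first series is the --xml output shown on this page;
# the second (name, UUID, dates) is invented so the check has two outcomes.
SAMPLE_XML = """<?xml version="1.0"?>
<MEKSeriesList>
  <MEKSeries>
    <name>MekSeries1</name>
    <UUID>563fb515-1369-40d6-b23d-1fef0638eecb</UUID>
    <NumMEKs>2</NumMEKs>
    <CreationTime>2010-06-30</CreationTime>
    <EndOfLife>2011-09-29</EndOfLife>
    <ValidityDuration>86400</ValidityDuration>
    <attributes/>
  </MEKSeries>
  <MEKSeries>
    <name>ExampleSeries2</name>
    <UUID>00000000-0000-0000-0000-000000000002</UUID>
    <NumMEKs>5</NumMEKs>
    <CreationTime>2011-01-01</CreationTime>
    <EndOfLife>2013-01-01</EndOfLife>
    <ValidityDuration>86400</ValidityDuration>
    <attributes/>
  </MEKSeries>
</MEKSeriesList>"""

def parse_series(xml_text):
    """One dict per <MEKSeries>; a missing or malformed field raises."""
    return [{
        "name": s.findtext("name"),
        "uuid": s.findtext("UUID"),
        "num_meks": int(s.findtext("NumMEKs")),
        "end_of_life": date.fromisoformat(s.findtext("EndOfLife")),
        "validity_sec": int(s.findtext("ValidityDuration")),
    } for s in ET.fromstring(xml_text).iter("MEKSeries")]

def expiring(series, today, within_days=90):
    """Series already past end of life or reaching it within `within_days`."""
    limit = today + timedelta(days=within_days)
    return [s for s in series if s["end_of_life"] <= limit]

if __name__ == "__main__":
    for s in expiring(parse_series(SAMPLE_XML), date(2011, 8, 1)):
        print(s["uuid"], s["name"], s["end_of_life"])
```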
    

    Reference

    The reference documentation for KMS search filters can be found in Appendix D of the PGP Command Line User's Guide.
    The PGP Command Line User's Guide can be downloaded from Support Knowledgebase Article DOC3607.