PyKMIP

PyKMIP is a Python implementation of the Key Management Interoperability Protocol (KMIP) specification, supporting version 1.1 of the KMIP standard. The KMIP standard is governed by the Organization for the Advancement of Structured Information Standards (OASIS) and specifies a client/server-based protocol to perform key, certificate, and secret object management, including storage and maintenance operations.

The PyKMIP library currently provides a KMIP client and server supporting the following operations for the KMIP SymmetricKey managed object:

• Create
• Register
• Get
• Destroy

Note that KMIP specifies profiles that tailor the standard to specific use cases. The KMIP Profile Support section includes several profiles that need to be developed for PyKMIP to fully support symmetric key storage and generation capabilities. A list of operations necessary for these profiles is included.

The PyKMIP software-based KMIP server is intended for use only in testing and demonstration environments. Note that the PyKMIP server is NOT intended to be a substitute for secured, hardware-based KMIP appliances. The PyKMIP client should be used for operational purposes only with a hardware-based KMIP server. The development of the PyKMIP client and server should take place in parallel to facilitate testing of each operation as it is developed.

Platforms

PyKMIP has been tested and runs on Ubuntu 12.04 LTS.

KMIP Profile Support

The KMIP standard includes various profiles that tailor the standard for specific use cases (e.g., symmetric key storage with TLS 1.2). These profiles specify conformance to certain operations and attributes. The operations listed below are needed to support symmetric key profiles, which are also provided below. We would appreciate help in the development of these operations, and have listed our recommended order of development prioritization in descending order. Since active development of these features is already underway, please check the code base to assess the status of operations prior to development.

KMIP operations to add to PyKMIP:

• Discover Versions
• List
• Locate
• Check
• Revoke
• Get Attributes
• Get Attribute List
• Add Attribute
• Modify Attribute
• Delete Attribute
• Activate
• Query

Note that the Create, Register, Get, and Destroy operations were completed with the initial version of PyKMIP to allow very basic KMIP symmetric key operations.

Server Profiles

Server profiles that support KMIP symmetric key operations:

• Basic Baseline Server KMIP Profile (includes TLS 1.0+)
  • Client-to-Server operations needed for this (see the Baseline Server Clause) include:
    • Locate
    • Check
    • Get
    • Get Attributes
    • Get Attribute
    • List
    • Add Attribute
    • Modify Attribute
    • Delete Attribute
    • Activate
    • Revoke
    • Destroy
    • Query
    • Discover Versions
• Symmetric Key Store and Server TLS 1.2 Authentication KMIP Profile
  • Client-to-Server operations needed for this (see the Symmetric Key Store and Server Conformance Clause) include all operations from the Basic Baseline Server KMIP Profile and also the Register operation.
• Symmetric Key Foundry and Server TLS 1.2 Authentication KMIP profile
  • Client-to-Server operations needed for this (see the Symmetric Key Foundry and Server Conformance Clause) include all operations from the Basic Baseline Server KMIP Profile and also the Create operation.

Client Profiles

Client profiles that support KMIP symmetric key operations:

• Basic Baseline Client KMIP Profile (includes TLS 1.0+)
  • Client-to-Server operations needed for this (see the Baseline Client Clause) include:
    • Locate
    • Check
    • Get
    • Get Attributes
    • Get Attribute
    • List
    • Add Attribute
    • Modify Attribute
    • Delete Attribute
    • Activate
    • Revoke
    • Destroy
    • Query
    • Discover Versions
• Symmetric Key Store Client TLS 1.2 Authentication KMIP Profile
  • Client-to-Server operations needed for this (see the Symmetric Key Store Client Conformance Clause) include all operations from the Basic Baseline Client KMIP Profile and also the Register operation.
• Symmetric Key Foundry Client TLS 1.2 Authentication KMIP Profile
  • Client-to-Server operations needed for this (see the Symmetric Key Foundry Client Conformance Clause) include all operations from the Basic Baseline Client KMIP Profile and also the Create operation.
• Storage Client TLS 1.2 Authentication KMIP Profile
  • Client-to-Server operations needed for this (see the Storage Client Conformance Clauses) include all operations from the Basic Baseline Client KMIP Profile, the Register operation from the Symmetric Key Store Client TLS 1.2 Authentication KMIP Profile, and the Create operation from the Symmetric Key Foundry Client TLS 1.2 Authentication KMIP Profile.

References

The source code for PyKMIP is hosted on GitHub and the library is available for installation from the Python Package Index (PyPI):

• GitHub
• PyPI

For more information on KMIP version 1.1, see the following documentation:

• Key Management Interoperability Protocol Specification Version 1.1
• Key Management Interoperability Protocol Profiles Version 1.1
• Key Management Interoperability Protocol Test Cases Version 1.1

Contributors

Many thanks to the developers who created PyKMIP:

• Nathan Reller
• Peter Hamilton
• Kaitlin Farr