🔑Key Management

Managing keys in enVector is strictly a server-side operation. It involves two primary actions:

  1. Registering keys – store and activate public keys on the server so they can be used for operations.

  2. Deleting keys – deactivate and remove keys on the server when they are no longer needed.

Note: The enVector server does not generate keys or store secret keys. It only handles server-side key activation (register/load) and deactivate (unload/delete). Secret keys are generated and kept on the client side.

On the client side, you can choose where to store and manage those keys:

  • Store key files on the local filesystem (for example, under keys/<key_id>/).

  • Use AWS-backed storage where key material is uploaded to AWS services such as Amazon S3 and AWS Secrets Manager, so long-term key management can be delegated to AWS instead of your application. For details on key generation and storage options, see Key Generation.

To register a new key, the library offers two distinct methods: a simple, automatic setup and a manual setup for advanced users.

Key Registration

Automatic Key Setup (Simple)

The most straightforward way to configure keys is to let the pyenvector SDK handle it for you during index initialization.

By calling ev.init_index_config() and leaving the default setting auto_key_setup=True, the library will automatically perform the following actions. For detailed information on all available parameters for this function, please refer to the Index Configuration documentation page.

  1. Check for an existing key in the specified key path.

  2. If no key is found, it will generate a new one.

  3. It will then automatically register that key with the server.

This is the recommended method for most users.

Example

import pyenvector as ev

ev.init_connect(address="localhost:50050")
# Using the default setting for automatic key generation and registration
ev.init_index_config(
    key_path="keys",
    key_id="example",
    # ... other config parameters
    auto_key_setup=True 
)

Manual Key Management (Advanced)

By default, the SDK handles key generation and registration automatically for ease of use. However, for advanced use cases where you require granular control over the key management lifecycle, you can disable this automatic setup. This allows you to manage which keys are used, when they are registered, loaded, unloaded, and ultimately released.

This guide is intended for advanced users who are familiar with the key generation process. Please refer to Key Generation.

Process Overview

When auto_key_setup is set to False, you are responsible for managing the entire lifecycle of a key. The typical flow is as follows:

  1. Generate a Key: Ensure you have a valid key and its corresponding key_id.

  2. Register the Key: Inform the server about your key so it can be recognized for future use.

  3. Load the Key: Load the registered key into your application's session to make it active.

  4. Unload the Key: Remove the key from the active session when it's no longer immediately needed.

  5. Release the Key: De-register the key from the server when it is permanently decommissioned.

Implementation Steps

Step 1: Generate Key and Disable Automatic Key Setup

First, instruct the library not to handle keys automatically by setting auto_key_setup to False during initialization.

import pyenvector as ev

ev.init_connect(address="localhost:50050")
# Disabling automatic key setup for manual management
from pyenvector import KeyGenerator
keygen = KeyGenerator(key_path="keys/self")
keygen.generate_keys()
ev.init_index_config(
    key_path="keys",
    key_id="example",
    # ... other config parameters
    auto_key_setup=False 
)

Step 2: Register Your Key

Inform the server about your key using ev.register_key(<key_id>). This makes the server aware of the key.

ev.register_key("example")

Step 3: Load the Key

To use a key, you must load it into the current client session using ev.load_key(<key_id>). This command makes the specified key active for all subsequent encryption and decryption operations.

If you already have a different key loaded in the session, you should unload it first before loading a new one to ensure predictable behavior.

ev.load_key("example")

Step 4: Unload the Key (Optional)

When you are finished using a key in your session, it is good practice to unload it. ev.unload_key(<key_id>) removes the key from the active session, preventing it from being used for subsequent operations. The key remains registered on the server and can be loaded again later.

ev.unload_key("example")

Step 5: Delete the Key (Optional)

If a key is no longer needed and should be permanently removed, you can delete it. ev.delete_key(<key_id>) de-registers the key from the server. After being deleted, the key cannot be loaded again unless it is re-registered.

# Permanently remove the key's registration from the server
ev.delete_key("example")
PreviousConnecting to the ServiceNextDisconnecting from the Service

Last updated