We enforce TLS on all communication to our API. In addition, all endpoints whose path starts with ‘/Generic’ are secured by a second, application-level layer: requests must be signed and responses are encrypted, as described below.
First, log into the LastPass Admin Portal and open the “Advanced Options” tab in the left-hand menu. Select “Keys” from the submenu and find the “Generic API” key. Click the refresh icon to generate an RSA key pair and download it to your local computer. If you lose your private key, refresh the key again and update your code base with the new key accordingly.
You will need that private key to sign the requests you send to the server. You will also need it to decrypt the AES key, which is the encryption key used to encrypt the server response.
How to use encryption for /Generic endpoints?
The request is sent in plain text, but it must carry a signature made with your private key:
The response has an attribute called ‘Payload’ that is encrypted with AES, and the AES key itself is encrypted with the public key you generated in the Admin Portal:
Therefore, when you receive the response from the server, use the RSA private key to decrypt ‘Response.Value.EncKey’ and recover the AES key and IV. Then use those to decrypt ‘Response.Payload’.
Here is the sample Request and Response:

Sample Request:
{
  "Payload": "...",        // JSON encoded as a base64 string
  "Timestamp": "2018-05-28 03:43:09Z",
  "Signature": "...",      // RSA signature on the challenge; challenge is Timestamp + Payload
  "Key": "<YOUR GENERIC API KEY HERE>"
}

Sample Response:
{
  "EncKey": "...",         // RSA-encrypted AES key and IV
  "Payload": "..."         // AES-encrypted payload
}
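The following is an added example, not LastPass code, that models both sides of the exchange described above with the Python cryptography library: the client base64-encodes its JSON payload, signs Timestamp + Payload with the RSA private key, and the server checks that signature, encrypts its reply with a fresh AES key and IV, and wraps key and IV with the client's public key. Everything the page does not specify is an assumption here: RSA PKCS#1 v1.5 with SHA-256 for the signature, RSA-OAEP for EncKey, AES-256-CBC with PKCS7 padding for Payload, EncKey laid out as key followed by IV, base64 for the binary fields, and a locally generated key pair standing in for the one downloaded from the Admin Portal. The response is modelled as the flat {EncKey, Payload} object shown in the sample.

```python
"""Added example: client/server model of the /Generic signing and encryption scheme.
Padding schemes, hash, AES mode and the EncKey layout are assumptions, not LastPass specifics."""
import base64
import json
import os
from datetime import datetime, timezone

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.padding import PKCS7

# Placeholder; the real value comes from the Admin Portal "Keys" page.
GENERIC_API_KEY = "<YOUR GENERIC API KEY HERE>"

# Assumed RSA-OAEP parameters for wrapping the AES key and IV.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def generate_key_pair():
    """Stand-in for the RSA key pair generated and downloaded from the Admin Portal."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def build_request(private_key, payload_obj, api_key=GENERIC_API_KEY, timestamp=None):
    """Client side: base64-encode the JSON payload and sign Timestamp + Payload."""
    payload_b64 = base64.b64encode(json.dumps(payload_obj).encode()).decode()
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")
    challenge = (timestamp + payload_b64).encode()
    # Assumed signature scheme: PKCS#1 v1.5 over SHA-256.
    signature = private_key.sign(challenge, padding.PKCS1v15(), hashes.SHA256())
    return {
        "Payload": payload_b64,
        "Timestamp": timestamp,
        "Signature": base64.b64encode(signature).decode(),
        "Key": api_key,
    }


def verify_request(public_key, request):
    """Server side: the signature must cover both Timestamp and Payload,
    so changing either field invalidates the request."""
    challenge = (request["Timestamp"] + request["Payload"]).encode()
    try:
        public_key.verify(base64.b64decode(request["Signature"]), challenge,
                          padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def build_response(public_key, response_obj):
    """Server side: AES-256-CBC encrypt the JSON reply under a fresh key/IV,
    then RSA-OAEP encrypt key||IV so only the client's private key can open it."""
    aes_key, iv = os.urandom(32), os.urandom(16)
    padder = PKCS7(128).padder()
    padded = padder.update(json.dumps(response_obj).encode()) + padder.finalize()
    enc = Cipher(algorithms.AES(aes_key), modes.CBC(iv)).encryptor()
    ciphertext = enc.update(padded) + enc.finalize()
    enc_key = public_key.encrypt(aes_key + iv, OAEP)  # assumed layout: 32-byte key then 16-byte IV
    return {
        "EncKey": base64.b64encode(enc_key).decode(),
        "Payload": base64.b64encode(ciphertext).decode(),
    }


def decrypt_response(private_key, response):
    """Client side: unwrap key and IV with the RSA private key, then decrypt Payload."""
    key_iv = private_key.decrypt(base64.b64decode(response["EncKey"]), OAEP)
    aes_key, iv = key_iv[:32], key_iv[32:]
    dec = Cipher(algorithms.AES(aes_key), modes.CBC(iv)).decryptor()
    padded = dec.update(base64.b64decode(response["Payload"])) + dec.finalize()
    unpadder = PKCS7(128).unpadder()
    return json.loads(unpadder.update(padded) + unpadder.finalize())


def round_trip(payload_obj, response_obj):
    """Full exchange with a throwaway key pair; returns the decrypted reply."""
    private_key = generate_key_pair()
    request = build_request(private_key, payload_obj)
    if not verify_request(private_key.public_key(), request):
        raise ValueError("signature check failed")
    return decrypt_response(private_key, build_response(private_key.public_key(), response_obj))


if __name__ == "__main__":
    print(round_trip({"cmd": "example"}, {"status": "ok"}))
```

Because the challenge is Timestamp + Payload, the server can reject a request whose timestamp falls outside an acceptance window as well as one whose fields were altered in transit; treat the downloaded private key like a password, since anyone holding it can both sign requests and read the encrypted responses.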