2022-09-30
|
This issue is the eighteenth official release.
Optimized the content in section "Creating a Custom KMS Policy".
diff --git a/docs/kms/umn/kms_01_0045.html b/docs/kms/umn/kms_01_0045.html
index 50744973..95788eb9 100644
--- a/docs/kms/umn/kms_01_0045.html
+++ b/docs/kms/umn/kms_01_0045.html
@@ -1,17 +1,23 @@
-About KMS
+Key Management
diff --git a/docs/kms/umn/kms_01_0046.html b/docs/kms/umn/kms_01_0046.html
index 46b34740..9642d908 100644
--- a/docs/kms/umn/kms_01_0046.html
+++ b/docs/kms/umn/kms_01_0046.html
@@ -4,11 +4,11 @@
KMS can manage CMKs used for data encryption and decryption in Object Storage Service (OBS), Elastic Volume Service (EVS), Image Management Service (IMS), Scalable File Service (SFS), Relational Database Service (RDS), and user applications.
- For OBS, KMS applies to object encryption on OBS.
 OBS is an object-based storage service that provides customers with massive, secure, reliable, and cost-effective data storage capabilities, including but not limited to bucket creation, modification, deletion, and management, as well as object upload, download, deletion, and general management. OBS can store all file types, and is suitable for individual subscribers, websites, enterprises, and developers. For more information about OBS, see Object Storage Service User Guide.
- For EVS, KMS applies to data encryption in EVS disks.
Based on a distributed architecture, an EVS disk is a virtual block storage device that can be elastically scaled up and down. EVS disks can be operated online. Using them is the same as using common server hard disks. Compared with traditional hard disks, EVS disks have higher data reliability and I/O throughput and are easier to use. EVS disks can be used in file systems, databases, and system software applications that require block storage devices. For more information about EVS, see the Elastic Volume Service User Guide.
+ - For EVS, KMS applies to data encryption in EVS disks.
Based on a distributed architecture, an EVS disk is a virtual block storage device that can be elastically scaled up and down. EVS disks can be operated online. Using them is the same as using common server hard disks. Compared with traditional hard disks, EVS disks have higher data reliability and I/O throughput and are easier to use. EVS disks can be used in file systems, databases, and system software applications that require block storage devices. For more information about EVS, see the Elastic Volume Service User Guide.
- - For IMS, KMS applies to the creation of encrypted private images.
IMS provides easy-to-use self-service image management functions. You can apply for a cloud server using either a private image or a public image. You can also create a private image using an existing ECS or an external image file. For more information about IMS, see the Image Management Service User Guide.
+ - For IMS, KMS applies to the creation of encrypted private images.
IMS provides easy-to-use self-service image management functions. You can apply for a cloud server using either a private image or a public image. You can also create a private image using an existing ECS or an external image file. For more information about IMS, see the Image Management Service User Guide.
- - For SFS, KMS applies to data encryption for files in SFS.
SFS provides high-performance file storage that is scalable on demand. It can be shared with multiple cloud servers. For more information, see the Scalable File Service User Guide.
+ - For SFS, KMS applies to data encryption for files in SFS.
SFS provides high-performance file storage that is scalable on demand. It can be shared with multiple cloud servers. For more information, see the Scalable File Service User Guide.
- For RDS, KMS applies to disk encryption in RDS database instances.
RDS is an online relational database service based on the cloud computing platform. RDS is out-of-box, reliable, scalable, and easy to manage. For more information about RDS, see the Relational Database Service User Guide.
@@ -19,7 +19,7 @@
diff --git a/docs/kms/umn/kms_01_0047.html b/docs/kms/umn/kms_01_0047.html
index 1d41a589..f1a0eb44 100644
--- a/docs/kms/umn/kms_01_0047.html
+++ b/docs/kms/umn/kms_01_0047.html
@@ -2,16 +2,16 @@
Functions
KMS provides the following functions:
- - Manages CMKs.
Using the KMS console or APIs, you can perform the following operations on CMKs: - Creating, querying, enabling, disabling, scheduling the deletion of, and canceling the deletion of CMKs
- Importing CMKs and deleting CMK material
- Modifying the aliases and description of CMKs
- Creating, querying, and revoking a grant
- Adding, searching for, editing, and deleting tags
- Enabling key rotation
+ - Manages CMKs.
Using the KMS console or APIs, you can perform the following operations on CMKs: - Creating, querying, enabling, disabling, scheduling the deletion of, and canceling the deletion of CMKs
- Importing CMKs and deleting CMK material
- Modifying the aliases and description of CMKs
- Creates, encrypts, and decrypts DEKs, and retires a grant on a CMK.
By calling APIs, you can create, encrypt, and decrypt DEKs, and retire a grant on a CMK. For details, see the Key Management Service API Reference.
- - Generates hardware true random numbers.
You can generate 512-bit hardware true random numbers using a KMS API. The 512-bit hardware true random numbers can be used as or serve as basis for keys and encryption parameters. For details, see the Key Management Service API Reference.
+ - Generates hardware true random numbers.
You can generate 512-bit hardware true random numbers using a KMS API. The 512-bit hardware true random numbers can be used as or serve as basis for keys and encryption parameters. For details, see the .
Overview
-A CMK contains key metadata (key ID, key alias, description, key status, and creation date) and the key material used for encrypting and decrypting data.
- - When a user uses the KMS Console to create a CMK, the KMS automatically generates a key material for the CMK.
- If you want to use your own key material, you can use the key import function on KMS Console to create a CMK whose key material is empty, and import the key material to the CMK.
- Important Notes- Security
You need to ensure that random sources meet your security requirements when using them to generate key material. When using the import key function, you need to be responsible for the security of your key material. Save the original backup of the key material so that the backup key material can be imported to the KMS in time when the key material is deleted accidentally.
- - Availability and Durability
Before importing the key material into KMS, you need to ensure the availability and durability of the key material.
-Differences between the imported key material and the key material generated by KMS are shown in Table 1.
+A custom key contains key metadata (key ID, key alias, description, key status, and creation date) and key materials used for encrypting and decrypting data. - When a user uses the KMS console to create a custom key, the KMS automatically generates a key material for the custom key.
- If you want to use your own key material, you can use the key import function on the KMS console to create a custom key whose key material is empty, and import the key material to the custom key.
+
+ Important Notes- Security
You need to ensure that random sources meet your security requirements when using them to generate key materials. When using the import key function, you need to be responsible for the security of your key materials. Save the original backup of the key material so that the backup key material can be imported to the KMS in time when the key material is deleted accidentally.
+ - Availability and Durability
Before importing the key material into KMS, you need to ensure the availability and durability of the key material.
+Differences between the imported key material and the key material generated by KMS are shown in Table 1.
-Table 1 Differences between the imported key material and the key material generated by KMSKey Material Source
+Table 1 Differences between the imported key material and the key material generated by KMSKey Material Source
|
-Difference
+ | Difference
|
|---|
-CMKs using the imported key material
+ | Imported keys
|
-- You can delete the key material, but cannot delete the CMK and its metadata.
- When importing the key material, you can set the expiration time of the key material. After the key material expires, the KMS automatically deletes the key material within 24 hours, but does not delete the CMK and its metadata.
It is recommended that you save a copy of the material on your local device because it may be used for re-import in cases of invalid key material or unintended deletion of key material.
+
|
|
-CMKs using KMS generated key material
+ | Keys created in KMS
|
-- The key material cannot be manually deleted.
- You cannot set the expiration time for key material.
+ | - The key material cannot be manually deleted.
- Symmetric keys can be rotated.
- You cannot set the expiration time for key material.
|
- Association
When a key material is imported to a CMK, the CMK is permanently associated with the key material. Other key material cannot be imported into the CMK.
- - Uniqueness
If you use the CMK created using the imported key material to encrypt data, the encrypted data can be decrypted only by the CMK that has been used to encrypt the data, because the metadata and key material of the CMK must be consistent.
+ - Association
When a key material is imported to a custom key, the custom key is permanently associated with the key material. Other key materials cannot be imported into the custom key.
+ - Uniqueness
If you use the custom key created using the imported key material to encrypt data, the encrypted data can be decrypted only by the custom key that has been used to encrypt the data, because the metadata and key material of the custom key must be consistent.
diff --git a/docs/kms/umn/kms_01_0055.html b/docs/kms/umn/kms_01_0055.html
index b5f89c2e..425a8e8a 100644
--- a/docs/kms/umn/kms_01_0055.html
+++ b/docs/kms/umn/kms_01_0055.html
@@ -1,50 +1,55 @@
-Importing Key Material
+Importing a Key Material
ScenarioIf you want to use your own key material instead of the KMS-generated material, you can use the console to import your key material to KMS. CMKs created using imported material and KMS-generated material are managed together by KMS.
This section describes how to import key material through KMS Console.
- A CMK with imported material works in the same way as one using KMS-generated material, that is, you enable and disable them as well as schedule their deletion and cancel their scheduled deletion in the same way.
- You can only import 256-bit symmetric keys.
- Prerequisites- You have obtained an account and its password for logging in to the management console.
- You have prepared the key material to be imported.
+ Prerequisites- You have prepared the key material to be imported.
- Procedure- Log in to the management console.
- Click
 in the upper left corner of the management console and select a region or project. - Choose . The Key Management Service page is displayed.
- In the upper right corner, click Import Key.
- In the Import Key dialog box, set the alias and description of the key.
Figure 1 Creating a CMK
- - (Optional) Add tags as needed, and enter the tag key and tag value.
- When a CMK has been created without any tag, you can add a tag to the CMK later as necessary. Click the alias of the CMK. The page with key details is displayed. Then you can add tags to the CMK.
- The same tag (including tag key and tag value) can be used for different CMKs. However, under the same CMK, one tag key can have only one tag value.
- A maximum of 10 tags can be added for one CMK.
- If you want to delete a tag to be added when adding multiple tags, you can click Delete in the row where the tag to be added is located to delete the tag.
+ Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- In the upper right corner, click Import Key.
- In the Import Key dialog box, set the alias and description of the key.
Figure 1 Creating a CMK
+- Alias is the alias of the key to be created.
- You can enter digits, letters, underscores (_), hyphens (-), colons (:), and slashes (/).
- You can enter up to 255 characters.
+ - (Optional) Description is the description of the custom key.
- (Optional) Add tags as needed, and enter the tag key and tag value.
- When a CMK has been created without any tag, you can add a tag to the CMK later as necessary. Click the alias of the CMK. The page with key details is displayed. Then you can add tags to the CMK.
- The same tag (including tag key and tag value) can be used for different CMKs. However, under the same CMK, one tag key can have only one tag value.
- A maximum of 10 tags can be added for one CMK.
- If you want to delete a tag to be added when adding multiple tags, you can click Delete in the row where the tag to be added is located to delete the tag.
+
+
- Click security and durability to read and confirm information regarding the security and durability of the imported key.
- Select I understand the security and durability of using an imported key, and create a CMK whose key material is empty.
- Click Next to go to the Download the Import Items step. Select a key-wrapping algorithm according to Table 1.
Figure 2 Obtaining the wrapping key and import token
-Table 1 Key wrapping algorithmsAlgorithm
+Table 1 Key wrapping algorithmsAlgorithm
|
-Description
+ | Description
|
-Configuration
+ | Configuration
|
|---|
-RSAES_OAEP_SHA_256
+ | RSAES_OAEP_SHA_256
|
-RSA encryption algorithm that uses OAEP and has the SHA-256 hash function
+ | RSA encryption algorithm that uses OAEP and has the SHA-256 hash function
|
-Choose an algorithm from the drop-down list box.
+ | Choose an algorithm from the drop-down list box.
- If the HSMs support the RSAES_OAEP_SHA_256 algorithm, use RSAES_OAEP_SHA_256 to encrypt the key material.
- If the HSMs do not support OAEP, use RSAES_PKCS1_V1_5 to encrypt the key material.
NOTICE: The RSAES_OAEP_SHA_1 encryption algorithm is no longer secure. Exercise caution when performing this operation.
|
-RSAES_PKCS1_V1_5
+ | RSAES_PKCS1_V1_5
|
-RSA encryption algorithm (v1.5) of Public-Key Cryptography Standards number 1 (PKCS #1)
+ | RSA encryption algorithm (v1.5) of Public-Key Cryptography Standards number 1 (PKCS #1)
|
-RSAES_OAEP_SHA_1
+ | RSAES_OAEP_SHA_1
|
-RSA encryption algorithm that uses Optimal Asymmetric Encryption Padding (OAEP) and has the SHA-1 hash function
+ | RSA encryption algorithm that uses Optimal Asymmetric Encryption Padding (OAEP) and has the SHA-1 hash function
|
- Click Download. The following files are downloaded: wrappingKey, importToken, and README. These are displayed in Figure 3.
Figure 3 Downloaded files
+ If you stop a key material import process and want to try again, click Import Key Material in the row of the required CMK, and import key material in the dialog box that is displayed.
+
+ - Click Download. The following files are downloaded: wrappingKey, importToken, and README. These are displayed in Figure 3.
Figure 3 Downloaded files
- wrappingKey_CMK ID_download time is a wrapping key used to encrypt the key material.
- importToken_CMK ID_download time is an import token used to import key material to KMS.
- README_CMK ID_download time is a description file recording information such as a CMK's serial number, wrapping algorithm, wrapping key name, token file name, and the expiration time of the token file and wrapping key.
 The wrapping key and import token expire within 24 hours of creation. If they have expired, download them again.
@@ -66,20 +71,20 @@
- Save the import token, copy the content of the import_token token, paste it to a .txt file, and save the file as ImportToken.b64.
-- You use the downloaded wrappingKey file to encrypt the key material to be imported.
- Method 1: Use the downloaded wrapping key to encrypt the key material on your HSM. For details, see the operation guide of your HSM.
- Method 2: Use OpenSSL to encrypt the key material.
If you need to run the openssl pkeyutl command, the OpenSSL version must be 1.0.2 or later.
+ - You use the downloaded wrappingKey file to encrypt the key material to be imported.
- Method 1: Use the downloaded wrapping key to encrypt the key material on your HSM. For details, see the operation guide of your HSM.
- Method 2: Use OpenSSL to encrypt a key material and use the downloaded wrapping key to encrypt the key material.
If you need to run the openssl pkeyutl command, the OpenSSL version must be 1.0.2 or later.
The following example describes how to use the downloaded wrapping key to encrypt the generated key material (256-bit symmetric key). The procedure is as follows: - Run the following command to generate the key material (256-bit symmetric key) and save the generated key material as PlaintextKeyMaterial.bin:
openssl rand -out PlaintextKeyMaterial.bin 32
- - Use the downloaded wrapping key to encrypt the key material and save the encrypted key material as EncryptedKeyMaterial.bin.
Replace PublicKey.bin in the command with the name of the wrapping key wrappingKey_key ID_download time downloaded in 10.
+ - Use the downloaded wrapping key to encrypt the key material and save the encrypted key material as EncryptedKeyMaterial.bin.
Replace PublicKey.bin in the command with the name of the wrapping key wrappingKey_key ID_download time downloaded in 9.
-Table 2 Encrypting the generated key material using the downloaded wrapping keyWrapping Key Algorithm
+Table 2 Encrypting the generated key material using the downloaded wrapping keyWrapping Key Algorithm
|
-Key Materials Encryption
+ | Key Materials Encryption
|
|---|
-RSAES_OAEP_SHA_256
+ | RSAES_OAEP_SHA_256
|
-openssl pkeyutl
+ | openssl pkeyutl
-in PlaintextKeyMaterial.bin
-inkey PublicKey.bin
-out EncryptedKeyMaterial.bin
@@ -88,9 +93,9 @@
-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
|
-RSAES_PKCS1_V1_5
+ | RSAES_PKCS1_V1_5
|
-openssl rsautl -encrypt
+ | openssl rsautl -encrypt
-in PlaintextKeyMaterial.bin
-pkcs
-inkey PublicKey.bin
@@ -99,9 +104,9 @@
-out EncryptedKeyMaterial.bin
|
-RSAES_OAEP_SHA_1
+ | RSAES_OAEP_SHA_1
|
-openssl pkeyutl
+ | openssl pkeyutl
-in PlaintextKeyMaterial.bin
-inkey PublicKey.bin
-out EncryptedKeyMaterial.bin
@@ -116,48 +121,48 @@
-- Click Next to go to the Import Key Material step. Configure the parameters as described in Table 3.
Figure 4 Importing key material
+ - Click Next. Go to the Import Key Material step. Configure the parameters as described in Table 3.
Figure 4 Importing key material
-Table 3 Parameters for importing key materialParameter
+Table 3 Parameters for importing key materialParameter
|
-Description
+ | Description
|
|---|
-Key ID
+ | Key ID
|
-Random ID of a CMK generated during the CMK creation
+ | Random ID of a CMK generated during the CMK creation
|
-Key material
+ | Key material
|
-- Use the key material encrypted by the wrappingKey file downloaded in 10.
- Click Import to import the key material.
+ | - Use the key material encrypted by the wrappingKey file downloaded in 9.
- Click Import to import the key material.
|
- Click Next to go to the Import Key Token step. Configure the parameters as described in Table 4.
Figure 5 Importing a key token
+ - Click Next to go to the Import Key Token step. Configure the parameters as described in Table 4.
Figure 5 Importing a key token
-Table 4 Parameters for importing a key tokenParameter
+Table 4 Parameters for importing a key tokenParameter
|
-Description
+ | Description
|
|---|
-Key ID
+ | Key ID
|
-Random ID of a CMK generated during the CMK creation
+ | Random ID of a CMK generated during the CMK creation
|
-Token
+ | Token
|
-Select the importToken downloaded in 10.
+ | Select the importToken downloaded in 9.
|
-Key material expiration mode
+ | Key material expiration mode
|
-- Key material will never expire: This option specifies that key material will not expire after import.
- Key material expires on: This option specifies the expiration time of the key material. By default, the key material expires in 24 hours after import.
When the key material expires, KMS will delete them in 24 hours, making the CMK unusable and the CMK status Pending import.
+
|
|
diff --git a/docs/kms/umn/kms_01_0072.html b/docs/kms/umn/kms_01_0072.html
index 8d52f043..0657b83c 100644
--- a/docs/kms/umn/kms_01_0072.html
+++ b/docs/kms/umn/kms_01_0072.html
@@ -1,25 +1,25 @@
-Scheduling the Deletion of One or Multiple CMKs
+Deleting One or More CMKs
ScenarioThis section describes how to use the management console to schedule the deletion of one or multiple unwanted CMKs.
If deletion is scheduled for a CMK, the deletion will not take effect immediately. Instead, it will take effect after a waiting period of 7 to 1096 days. Before the specified deletion date, you can cancel the deletion if you want to use the CMK. Once the scheduled deletion has taken effect, the CMK will be deleted permanently and you will not be able to decrypt data encrypted by it. Therefore, you are advised to exercise caution when performing this operation.
Before deleting the CMK, confirm that it is not in use and will not be used.
- - You can configure the SMN notification function to receive notifications when OBS fails to use the CMK to decrypt data before the deletion date. If you want to use the CMK again, cancel its deletion on the console. For SMN configuration instructions, see Configuring SMN.
- You can choose to go to the EVS page. In the search bar, select KMS key ID and enter the CMK ID to check whether the CMK to be deleted is being used by EVS.
- You can choose Computing > Image Management Service to go to the IMS page. Select the Private Image tab. In the search bar, select KMS key ID and enter the CMK ID to check whether the CMK to be deleted is being used by IMS.
- You can choose to go to the SFS page. In the search bar, select KMS key ID and enter the CMK ID to check whether the CMK to be deleted is being used by SFS.
- You can choose Database > Relational Database Service to view the database instance list, and click the name of the target database instance. On the details page of the database instance, check whether the key to be deleted is in use.
+ - You can configure the SMN notification function to receive notifications when OBS fails to use the CMK to decrypt data before the deletion date. If you want to use the CMK again, cancel its deletion on the console. For SMN configuration instructions, see Configuring SMN.
- You can choose to go to the EVS page. In the search bar, select KMS key ID and enter the CMK ID to check whether the CMK to be deleted is being used by EVS.
- You can choose Computing > Image Management Service to go to the IMS page. Select the Private Image tab. In the search bar, select KMS key ID and enter the CMK ID to check whether the CMK to be deleted is being used by IMS.
- You can choose to go to the SFS page. In the search bar, select KMS key ID and enter the CMK ID to check whether the CMK to be deleted is being used by SFS.
- You can choose Database > Relational Database Service to view the database instance list, and click the name of the target database instance. On the details page of the database instance, check whether the key to be deleted is in use.
Default Master Keys created by KMS cannot be scheduled for deletion.
- Prerequisites- You have obtained an account and its password for logging in to the management console.
- The CMK to be deleted is in Enabled, Disabled, or Pending Import status.
+ Prerequisites- The CMK to be deleted is in Enabled, Disabled, or Pending Import status.
- Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The Key Management Service page is displayed.
- In the row containing the desired CMK, click Delete.
Figure 1 Scheduling the deletion for one CMK
+Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- In the row containing the desired CMK, click Delete.
Figure 1 Scheduling the deletion for one CMK
- In the dialog box that is displayed, enter the number of days after which you want the deletion to take effect.
Figure 2 Scheduling a deletion time
- - Click Yes to schedule the deletion.
To delete multiple CMKs at a time, select them and click Delete in the upper left corner of the list.
+ - Click Yes to schedule the deletion.
To delete multiple CMKs at a time, select them and click Delete in the upper left corner of the list.
diff --git a/docs/kms/umn/kms_01_0074.html b/docs/kms/umn/kms_01_0074.html
index 4f61f6e4..2e83146c 100644
--- a/docs/kms/umn/kms_01_0074.html
+++ b/docs/kms/umn/kms_01_0074.html
@@ -2,6 +2,41 @@
What Is a Customer Master Key?
A Customer Master Key (CMK) is a Key Encryption Key (KEK) created by a user using KMS. It is used to encrypt and protect Data Encryption Keys (DEKs). One CMK can be used to encrypt one or multiple DEKs.
+ CMKs are categorized into custom keys and default keys. - Custom keys
Keys created or imported by users on the KMS console.
+ - Default keys
When a user uses KMS for encryption in a cloud service for the first time, the cloud service automatically creates a key with the alias suffix /default.
+On the KMS console, you can query Default Master Keys, but can neither disable them nor schedule their deletion.
+
+Table 1 Default Master KeysAlias
+ |
+Cloud Service
+ |
+
|---|
+
+obs/default
+ |
+Object Storage Service (OBS)
+ |
+
+evs/default
+ |
+Elastic Volume Service (EVS)
+ |
+
+ims/default
+ |
+Image Management Service (IMS)
+ |
+
+sfs/default
+ |
+Scalable File Service (SFS)
+ |
+
+
+
+
+
diff --git a/docs/kms/umn/kms_01_0094.html b/docs/kms/umn/kms_01_0094.html
index b81e4b0f..cf93d351 100644
--- a/docs/kms/umn/kms_01_0094.html
+++ b/docs/kms/umn/kms_01_0094.html
@@ -1,48 +1,68 @@
- Context
- Security risks exist when a DEK is extensively and repeatedly used. For security purposes, you can configure KMS to create new key materials for the CMK.
- New key materials can be created in two methods:
- - Manual key rotation
Create a CMK on the KMS management console to replace the original CMK. If cloud services (such as OBS) use a CMK to encrypt and decrypt data, you need to create a new CMK on the KMS management console and replace the original one used for KMS encryption on OBS Console.
+ Key Rotation Overview
+ Purpose of Key RotationKeys that are widely or repeatedly used are insecure. To enhance the security of encryption keys, you are advised to periodically rotate keys and change their key materials.
+ The purposes of key rotation are:
+ - To reduce the amount of data encrypted by each key.
A key will be insecure if it is used to encrypt a huge number of data. The amount of data encrypted a key refers to the total number of bytes or messages encrypted using the key.
+ - To enhance the capability of responding to security events.
In your initial system security design, you shall design the key rotation function and use it for routine O&M, so that it will be at hand when an emergency occurs.
+ - To enhance the data isolation capability.
The ciphertext data generated before and after key rotation will be isolated. You can identify the impact scope of a security event based on the key involved and take actions accordingly.
+
+
+ Key Rotation MethodsYou can use either of the following key rotation methods:
+ - Manual key rotation
Replace the key in use with a new key. For example, if key A is in use, you can create key B using a new encryption material, and replace key A with key B. This achieves the same outcome as changing the key material of key A.
+
+Take OBS as an example. To manually rotate a key, create a new custom key on the KMS console. Replace the old custom key with the new one on the OBS console.
+Figure 1 Manual key rotation
+ - Automatic key rotation
KMS automatically rotates keys based on the configured rotation period (365 days by default). The system automatically generates a new key to replace the key in use. Automatic key rotation only changes the key material of a CMK. The logical attributes of the key will not change, including its key ID, alias, description, and permissions.
+Automatic key rotation has the following characteristics:
+- Enable rotation for an existing custom key. KMS will automatically generate new key materials for the custom key.
- Data is not re-encrypted in an automatic key rotation. The DEK generated using the CMK is not automatically rotated, and data that has been encrypted using the CMK will not be encrypted again. If a DEK has been leaked, automatic rotation cannot contain the impact of the leakage.
+Figure 2 Key rotation
+
+ KMS retains all versions of a custom key, so that you can decrypt any ciphertext encrypted using the custom key. - KMS uses the latest version of the custom key to encrypt data.
- When decrypting data, KMS uses the custom key version that was used to encrypt the data.
+
- - Automatic key rotation
Enable rotation for an existing CMK so that KMS automatically generates new key material for the CMK.
-Key rotation only changes the key material of a CMK. The CMK's attributes (such as ID, alias, description, and permissions settings) remain unchanged.
-The key rotation function enables KMS to automatically rotate CMKs according to the specified rotation interval (365 days by default). For a CMK with the key rotation function enabled, a new version is generated upon each rotation. See Figure 1 for details.
-Figure 1 Working principle of key rotation
-KMS retains all versions associated of the CMK, so that you can decrypt any ciphertext encrypted using the CMK.
-- KMS uses the latest version of the CMK to encrypt data.
- KMS uses the same version of the CMK to decrypt data as that used to encrypt the data.
-
-Table 1 Key rotation modesKey Type
+Rotation Modes
+ Table 1 Key rotation modesKey Type
|
-Support for Key Rotation
+ | Rotation Mode
|
|---|
-Default Master Key
+ | Default master key
|
-Keys cannot be rotated.
+ | Cannot be rotated.
|
-Imported CMK
+ | User-defined key (imported CMK)
|
-Keys can only be rotated manually.
+ | Can only be manually rotated.
+For more information about user-defined keys, see CMK Overview.
|
-Disabled CMK
+ | Symmetric key
|
-KMS does not rotate disabled CMKs and keeps their rotation status unchanged. After a CMK is enabled, if the backup CMK has been used for longer than the rotation period, KMS will immediately rotate keys. If the backup CMK has been used for shorter than the rotation period, KMS will implement the original rotation plan.
+ | Can be automatically or manually rotated.
|
-CMK in pending deletion status
+ | Disabled CMK
|
-KMS does not rotate CMKs in pending deletion status. After you cancel the deletion of a CMK, the previous key rotation status will be restored. If the backup CMK has been used for longer than the rotation period, KMS will immediately rotate keys. If the backup CMK has been used for shorter than the rotation period, KMS will implement the original rotation plan.
+ | Disabled CMKs are not rotated. KMS keeps their rotation status unchanged. After a CMK is enabled, if it has been used for longer than the rotation period, KMS will immediately rotate keys. If the CMK has been used for shorter than the rotation period, KMS will implement the original rotation plan.
+For more information, see Disabling One or More CMKs.
+ |
+
+CMKs in pending deletion state
+ |
+Disabled CMKs are not rotated. KMS keeps their rotation status unchanged. After a CMK is enabled, if it has been used for longer than the rotation period, KMS will immediately rotate keys. If the CMK has been used for shorter than the rotation period, KMS will implement the original rotation plan.
+For more information, see Scheduling the Deletion of One or More Keys.
|
-
+ You can check the rotation details on the Rotation Policy page, including the last rotation time and number of rotations.
+
+
diff --git a/docs/kms/umn/kms_01_0095.html b/docs/kms/umn/kms_01_0095.html
index 04a58b4d..d05e2252 100644
--- a/docs/kms/umn/kms_01_0095.html
+++ b/docs/kms/umn/kms_01_0095.html
@@ -3,9 +3,9 @@
Disabling Key Rotation
ScenarioThis section describes how to disable rotation for a key on the KMS console.
- Prerequisites- You have obtained an account and its password for logging in to the management console.
- The CMK is in Enabled status.
- The Origin of the CMK is KMS.
- Key rotation has been enabled.
+ Prerequisites- The CMK is in Enabled status.
- The Origin of the CMK is KMS.
- Key rotation has been enabled.
- Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The Key Management Service page is displayed.
- Click the alias of the desired CMK to view its details.
- Click Rotation Policy. The dialog box is displayed, as shown in Figure 1.
Figure 1 CMK rotation details
+Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the alias of the desired CMK to view its details.
- Click Rotation Policy. The dialog box is displayed, as shown in Figure 1.
Figure 1 CMK rotation details
- Click
 to disable key rotation. - In the displayed Disable Rotation Policy dialog box, click Yes.
Figure 2 Disabling key rotation
- Check the rotation status, as shown in Figure 3.
Figure 3 Key rotation
diff --git a/docs/kms/umn/kms_01_0096.html b/docs/kms/umn/kms_01_0096.html
index c492df0c..da14f566 100644
--- a/docs/kms/umn/kms_01_0096.html
+++ b/docs/kms/umn/kms_01_0096.html
@@ -1,29 +1,27 @@
Querying a CMK
- ScenarioThis section describes how to use the management console to view the information about a CMK, such as its alias, status, ID, and creation time. The status of a CMK can be Enabled, Disabled, Pending deletion, or Pending import.
+ ScenarioThis section describes how to use the management console to view the information about a CMK, such as its alias, status, ID, and creation time. The status of a CMK can be Enabled, Disabled, Pending deletion, or Pending import.
- PrerequisitesYou have obtained an account and its password for logging in to the management console.
-
- Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The Key Management Service page is displayed.
- In the CMK list you can view details about the CMKs.
Figure 1 CMK list
+Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- In the CMK list you can view details about the CMKs.
Figure 1 CMK list
- Select the CMK status from the drop-down list of All statuses. Then the CMK list displays only the CMKs in the corresponding state.
- Enter the alias of a CMK in the search box on top of the CMK list. Click
 or press Enter to search for the specified CMK. - You can click Search Tag to search for the CMK that meets the search criteria.
- You can click
 at the upper right corner on top of the CMK list to show or hide columns of the CMK list.
Table 1 describes the parameters of a CMK list.
-Table 1 CMK list parametersParameter
+Table 1 CMK list parametersParameter
|
-Description
+ | Description
|
|---|
-Alias
+ | Alias
|
-Alias of a CMK
+ | Alias of a CMK
|
-Status
+ | Status
|
-Status of a CMK, which can be one of the following:
+ | Status of a CMK, which can be one of the following:
|
-ID
+ | ID
|
-Random ID of a CMK generated during the CMK creation
+ | Random ID of a CMK generated during the CMK creation
|
-Creation Time
+ | Creation Time
|
-Creation time of the CMK
+ | Creation time of the CMK
|
-Expiration Time
+ | Expiration Time
|
-Expiration time of the key material. When the material expires, the CMK becomes an empty CMK.
+ | Expiration time of the key material. When the material expires, the CMK becomes an empty CMK.
|
-Origin
+ | Origin
|
-Source of key material, which can be one of the following:
+ | Source of key material, which can be one of the following:
diff --git a/docs/kms/umn/kms_01_0100.html b/docs/kms/umn/kms_01_0100.html
new file mode 100644
index 00000000..51105985
--- /dev/null
+++ b/docs/kms/umn/kms_01_0100.html
@@ -0,0 +1,12 @@
+
+
+Product Advantages
+- Extensive Service Integration
KMS can be integrated with Object Storage Service (OBS), Elastic Volume Service (EVS), and Image Management Service (IMS), to manage keys of these services on the KMS console, and encrypt and decrypt your local data by making the KMS API calls.
+ - Regulatory Compliance
+ What Are the Differences Between a Custom Key and a Default Key?
+The following table describes the differences between a custom key and a default key.
+
+ Table 1 Differences between a custom key and a default keyItem
+ |
+Definition
+ |
+Difference
+ |
+
|---|
+
+Custom key
+ |
+A Key Encryption Key (KEK) created using KMS. The key is used to encrypt and protect DEKs.
+A custom key can be used to encrypt multiple DEKs.
+ |
+- It can be disabled and scheduled for deletion.
- It is billed per use after the being created or imported.
+ |
+
+Default key
+ |
+Automatically generated by the system when you use KMS to encrypt data in another cloud service for the first time. The suffix of the key is /default.
+Example: evs/default
+ |
+- It cannot be disabled or scheduled for deletion.
- You are not charged when you use the cloud service automatically generated by the system. If the number of API requests exceeds 20,000, you will be billed.
+ |
+
+
+
+
+ Can I Export a CMK from KMS?
+No.
+ To ensure CMK security, users can only create and use CMKs in KMS.
+ What Are the Benefits of Envelope Encryption?
+Envelope encryption is the practice of encrypting data with a DEK and then encrypting the DEK with a root key that you can fully manage. In this case, CMKs are not required for encryption or decryption.
+ Benefits:
+ - Advantages over CMK encryption in KMS
Users can use CMKs to encrypt and decrypt data on the KMS console or by calling KMS APIs.
+A CMK can encrypt and decrypt data no more than 4 KB. An envelope can encrypt and decrypt larger volumes of data.
+Data encrypted using envelopes does not need to be transferred. Only the DEKs need to be transferred to the KMS server.
+ - Advantages over encryption by using cloud services
- Security
Data transferred to the cloud for encryption is exposed to risks such as interception and phishing.
+During envelope encryption, KMS uses Hardware Security Modules (HSMs) to protect keys. All CMKs are protected by root keys in HSMs to avoid key leakage.
+ - Trustworthiness
You will worry about data security on the cloud. It is also difficult for cloud services to prove that they never misuse or disclose such data.
+If you choose envelope encryption, KMS will control access to keys and record all usages of and operations on keys with traceable logs, meeting your audit and regulatory compliance requirements.
+ - Performance and cost
To encrypt or decrypt data using a cloud service, you have to send the data to the encryption server and receive the processed data. This process seriously affects your service performance and incurs high costs.
+Envelope encryption allows you to generate DEKs online by calling KMS cryptographic algorithm APIs, and to encrypt a large amount of local data with the DEKs.
+
+
+ How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data?
+You can use the online tool to encrypt or decrypt data in the following procedures:
+ Encrypting Data- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the alias of the desired CMK to view its details on the online data encryption page.
- Click Encrypt. In the text box on the left, enter the data to be encrypted.
- Click Execute. The data encryption result is displayed in the text box on the right.
- The key you clicked is used for encryption.
- To clear your input, click Clear.
- To copy the encrypted data, click Copy to Clipboard. You can then paste and save it to a local file.
+
+
+
+ Decrypting Data- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the alias of an enabled key (excepting Default Master Keys) to open the online tool page.
- Click Decrypt. In the text box on the left, enter the data to be decrypted.
- The online tool automatically identifies the key used for data encryption, and uses it to decrypt data.
- If the key has been deleted, the decryption will fail.
+
+ - Click Execute. The data decryption result is displayed in plaintext in the text box on the right.
To copy the decrypted data, click Copy to Clipboard. You can then paste and save it to a local file.
+
+
+
+ Service Overview
+
+
+
diff --git a/docs/kms/umn/kms_01_0114.html b/docs/kms/umn/kms_01_0114.html
new file mode 100644
index 00000000..b6766e4d
--- /dev/null
+++ b/docs/kms/umn/kms_01_0114.html
@@ -0,0 +1,12 @@
+
+
+Can I Update CMKs Created by KMS-Generated Key Materials?
+No.
+ Keys created using KMS-generated materials cannot be updated. You can only use KMS to create new CMKs to encrypt and decrypt data.
+ Rotating CMKs
-
+
diff --git a/docs/kms/umn/kms_01_0139.html b/docs/kms/umn/kms_01_0139.html
index 0d6b9adc..61039c45 100644
--- a/docs/kms/umn/kms_01_0139.html
+++ b/docs/kms/umn/kms_01_0139.html
@@ -4,9 +4,9 @@
ScenarioThis section describes how to enable rotation for a key on the KMS console.
By default, automatic key rotation is disabled for a CMK. Every time you enable key rotation, KMS automatically rotates CMKs based on the rotation period you set.
- Prerequisites- You have obtained an account and its password for logging in to the management console.
- The CMK is in Enabled status.
- The Origin of the CMK is KMS.
+ Prerequisites- The CMK is in Enabled status.
- The Origin of the CMK is KMS.
- Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The Key Management Service page is displayed.
- Click the alias of the desired CMK to view its details.
- Click Rotation Policy.
Figure 1 Key rotation
+Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the alias of the desired CMK to view its details.
- Click Rotation Policy.
Figure 1 Key rotation
- Click
 to enable key rotation. - In the Enable Rotation Policy dialog box, set the rotation period and click OK.
Figure 2 Setting the rotation period
Set the rotation period (unit: day) to an integer in the range 30 to 365. The default value is 365.
After the setting takes effect, the new rotation period starts.
diff --git a/docs/kms/umn/kms_01_0193.html b/docs/kms/umn/kms_01_0193.html
new file mode 100644
index 00000000..f20ab6cc
--- /dev/null
+++ b/docs/kms/umn/kms_01_0193.html
@@ -0,0 +1,11 @@
+
+
+How Does KMS Protect My Keys?
+The mechanism of KMS prevents anyone from accessing your keys in plaintext. KMS relies on hardware security modules (HSMs) that safeguard the confidentiality and integrity of your keys. Plaintext KMS keys are always encrypted by HSMs and are never stored on any disk. These keys are only utilized within the volatile memory of the HSMs for as long as necessary to perform the cryptographic operation you have requested.
+ User Guide
+
+
+
diff --git a/docs/kms/umn/kms_01_0198.html b/docs/kms/umn/kms_01_0198.html
new file mode 100644
index 00000000..ff440fa8
--- /dev/null
+++ b/docs/kms/umn/kms_01_0198.html
@@ -0,0 +1,11 @@
+
+
+Is There a Limit on the Number of CMKs That I Can Create on KMS?
+
+
+
diff --git a/docs/kms/umn/kms_01_194.html b/docs/kms/umn/kms_01_194.html
new file mode 100644
index 00000000..67823b2d
--- /dev/null
+++ b/docs/kms/umn/kms_01_194.html
@@ -0,0 +1,32 @@
+
+
+Creating a Key
+ScenarioThis section describes how to create a CMK on the KMS management console. You can create up to 100 CMKs, excluding Default Master Keys.
+ The CMK is perfectly suited for but not limited to the following scenarios: - Server-side encryption on OBS
- Encryption of data on EVS disks
- Encryption of private images on IMS
- File system encryption on SFS
- Disk encryption for database instances in RDS
- DEK encryption and decryption for user applications
+
+ Aliases of Default Master Keys end with /default. It is not allowed to use aliases ending with /default for your CMKs.
+
+
+ Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click Create Key in the upper right corner of the page. In the dialog box that is displayed, enter the alias and description of the key.
Figure 1 Create Key dialog box
+- Alias is the alias of the CMK to be created.
- (Optional) Description is the description of the CMK.
+ - (Optional) Add tags as needed, and enter the tag key and tag value.
- When a CMK has been created without any tag, you can add a tag to the CMK later as necessary. Click the alias of the CMK. The page with key details is displayed. Then you can add tags to the CMK.
- The same tag (including tag key and tag value) can be used for different CMKs. However, under the same CMK, one tag key can have only one tag value.
- A maximum of 10 tags can be added for one CMK.
- If you want to delete a tag to be added when adding multiple tags, you can click Delete in the row where the tag to be added is located to delete the tag.
+
+ - Click OK.
In the CMK list, you can view created CMKs. The default status of a CMK is Enabled.
+
+
+ Related Operations- For details about how to upload objects with server-side encryption, see section Uploading a File with Server-Side Encryption in the Object Storage Service User Guide.
- For details about how to encrypt data on EVS disks, see section Creating an EVS Disk in the Elastic Volume Service User Guide.
- For details about how to encrypt private images, see section Encrypting an Image in the Image Management Service User Guide.
- For details about how to encrypt the file system on SFS, see section Creating a File System in the Scalable File Service User Guide.
- For details about how to encrypt disks for a database instance in RDS, see section Creating an RDS MySQL DB Instance in the Relational Database Service User Guide.
- For details about how to create a DEK and a plaintext-free DEK, see sections Creating a DEK and Creating a Plaintext-Free DEK in .
- For details about how to encrypt and decrypt a DEK for a user application, see sections Encrypting a DEK and Decrypting a DEK in .
+
+ - Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has its own security credentials to access KMS resources.
- Grant users only the permissions required to perform a task.
- Entrust an account or cloud service to perform efficient O&M on your KMS resources.
If your account does not need individual IAM users, you may skip over this chapter.
This section describes the procedure for granting permissions (see Figure 1).
-PrerequisitesBefore authorizing permissions to a user group, you need to know which KMS permissions can be added to the user group. Table 1 lists the KMS system policies.
+ PrerequisitesBefore authorizing permissions to a user group, you need to know which KMS permissions can be added to the user group. System-defined roles and policies supported by DEW describes the KMS system policies.
- Table 1 KMS permissionsRole/Policy Name
+Table 1 KMS permissionsRole/Policy Name
|
-Description
+ | Description
|
-Type
- |
-Dependency
+ | Type
|
|---|
-KMS Administrator
+ | KMS Administrator
|
-Administrator permissions for the encryption key
+ | Administrator permissions for the encryption key
|
-System role
- |
-None
+ | System role
|
-KMS CMKFullAccess
+ | KMS CMKFullAccess
|
-All permissions for the encryption key
+ | All permissions for the encryption keys
|
-System policy
- |
-None
+ | System policy
|
@@ -42,6 +36,7 @@
Authorization ProcessFigure 1 Authorizing the KMS access permission to a user
Create a user group on the IAM console and grant the user group the KMS CMKFullAccess permission (indicating full permissions for keys).
Create a user on the IAM console and add the user to the user group created in 1.
+Log in to the console as newly created user, and verify that the user only has read permissions for DEW.
KMS Permissions Management
-If you want to assign different access permissions to employees in an enterprise for the KMS resources purchased on the cloud platform, you can use Identity and Access Management (IAM) to perform refined permission management. IAM provides identity authentication, permissions management, and access control, helping you secure the access to your cloud resources.
+ Permissions Management
+ If you want to assign different access permissions to employees in an enterprise for the KMS resources purchased on the cloud platform, you can use Identity and Access Management (IAM) to perform refined permission management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your resources.
With IAM, you can use your account to create IAM users for your employees, and assign permissions to control their access to specific resource types. For example, if you have software developers and you want to assign them the permission to access KMS but not to delete KMS or its resources, then you can create an IAM policy to assign the developers the permission to access KMS but prevent them from deleting KMS related data.
If the system account has met your requirements and you do not need to create an independent IAM user for permission control, then you can skip this section. This will not affect other functions of KMS.
KMS PermissionsBy default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups they are added to and can perform specified operations on cloud services based on the permissions.
@@ -10,40 +10,34 @@
- Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you must also assign other roles that the permissions depend on to take effect. However, roles are not an ideal choice for fine-grained authorization and secure access control.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, you can grant KMS users only the permissions for managing a certain type of cloud servers. Most policies contain permissions for specific APIs, and permissions are defined using API actions.
For more information, see Table 1.
- Table 1 KMS permissionsRole/Policy Name
+Table 1 KMS permissionsRole/Policy Name
|
-Description
+ | Description
|
-Type
- |
-Dependency
+ | Type
|
|---|
-KMS Administrator
+ | KMS Administrator
|
-Administrator permissions for the encryption key
+ | Administrator permissions for the encryption key
|
-System role
- |
-None
+ | System role
|
-KMS CMKFullAccess
+ | KMS CMKFullAccess
|
-All permissions for the encryption key
+ | All permissions for the encryption keys
|
-System policy
- |
-None
+ | System policy
|
Table 2 lists the common operations supported by each system-defined permission of KMS. Select the permissions as needed.
+The following table describes the common operations supported by each system-defined permission of KMS. Select the permissions as needed.
-Table 2 Common operations supported by each system-defined policy or roleOperation
+Table 2 Common operations supported by each system-defined policy or roleOperation
|
KMS Administrator
|
@@ -310,7 +304,7 @@
diff --git a/docs/kms/umn/public_sys-resources/icon-arrowdn.gif b/docs/kms/umn/public_sys-resources/icon-arrowdn.gif
index 84eec9be..37942803 100644
Binary files a/docs/kms/umn/public_sys-resources/icon-arrowdn.gif and b/docs/kms/umn/public_sys-resources/icon-arrowdn.gif differ
diff --git a/docs/kms/umn/public_sys-resources/icon-arrowrt.gif b/docs/kms/umn/public_sys-resources/icon-arrowrt.gif
index 39583d16..6aaaa11c 100644
Binary files a/docs/kms/umn/public_sys-resources/icon-arrowrt.gif and b/docs/kms/umn/public_sys-resources/icon-arrowrt.gif differ
|---|
|
|---|
|
|---|
|
|---|
| |
|---|
|
|---|
|
|---|
|
|---|
| |
|---|
|
|---|
|
|---|
|
