A Default Master Key is automatically created by another cloud service using KMS, such as Object Storage Service (OBS). The alias of a Default Master Key ends with /default.
-You can use the management console to query the status of Default Master Keys, but cannot disable or schedule the deletion of Default Master Keys.
- -Alias - |
-Cloud Service - |
-
|---|---|
obs/default - |
-OBS - |
-
evs/default - |
-Elastic Volume Service (EVS) - |
-
ims/default - |
-Image Management Service (IMS) - |
-
sfs/default - |
-Scalable File Service (SFS) - |
-
rds/default - |
-Relational Database Service (RDS) - |
-
Application Scenarios
+Small Data Encryption and Decryption
You can use the online tool on the KMS console or call KMS APIs to directly encrypt or decrypt a small amount of data, such as passwords, certificates, or phone numbers. Currently, a maximum of 4 KB of data can be encrypted or decrypted in this way.
+Figure 1 shows an example about how to call the APIs to encrypt and decrypt an HTTPS certificate.
+ +
- Create a CMK on KMS.
- Call the encrypt-data API of KMS and use the CMK to encrypt the plaintext certificate.
- Deploy the certificate onto a server.
- The server calls the decrypt-data API of KMS to decrypt the ciphertext certificate.
Large Data Encryption and Decryption
If you want to encrypt or decrypt large volumes of data, such as pictures, videos, and database files, you can use the envelope encryption method, where the data does not need to be transferred over the network.
+- Figure 2 illustrates the process for encrypting a local file.
+The procedure is as follows:+
- Create a CMK on KMS.
- Call the create-datakey API of KMS to create a DEK. Then you get a plaintext DEK and a ciphertext DEK. The ciphertext DEK was generated by using a custom key to encrypt the plaintext DEK.
- Use the plaintext DEK to encrypt the file. A ciphertext file is generated.
- Save the ciphertext DEK and the ciphertext file together in a persistent storage device or a storage service.
- Figure 3 illustrates the process for decrypting a local file.
+The procedure is as follows:+
- Obtain the ciphertext DEK and file from the persistent storage device or the storage service.
- Call the decrypt-datakey API of KMS and use the corresponding CMK (the one used for encrypting the DEK) to decrypt the ciphertext DEK. Then you get the plaintext DEK.
If the CMK is deleted, the decryption fails. Therefore, properly keep your CMKs.
+ - Use the plaintext DEK to decrypt the ciphertext file.
A Default Master Key is automatically created when a user employs the KMS encryption function for the first time in another cloud service.
-DEK
-Data Encryption Keys (DEKs) are used by users to encrypt data.
+Encrypting Data in OBS
+- When using Object Storage Service (OBS) to upload data with server-side encryption, you can select KMS encryption and use the key provided by KMS to encrypt the files to be uploaded. For details, see Figure 1. For more information, see Object Storage Service User Guide.
+
There are two types of CMKs that can be used:
+- The default key obs/default created by KMS
- Custom keys that you created on the KMS console
- Alternatively, you can call OBS APIs to upload a file with server-side encryption using KMS-managed keys (SSE-KMS). For details, see the .
HSM
-A Hardware Security Module (HSM) securely produces, stores, manages, and uses keys and provides encryption services.
+Encrypting Data in EVS
+- When purchasing a disk, you can choose Advanced Settings > Encryption to encrypt the disk using the key provided by KMS. For details, see Figure 1. For more information about EVS, see the Elastic Volume Service User Guide.+ +
Before you use the encryption function, EVS must be granted the permission to access KMS. If you have the right to grant the permission, you can grant the permission directly. If you do not have the permission, contact a user with the security administrator permissions to add the security administrator permission for you. Then, you can grant the permission. For more information about EVS, see the Elastic Volume Service User Guide.
+There are two types of CMKs that can be used:
+- The default key evs/default created by KMS
- Custom keys that you create on the KMS console using KMS-generated key materials
- You can also call EVS APIs to create encrypted EVS disks. For details, see the Elastic Volume Service API Reference.
Envelope Encryption
-Envelope encryption is an encryption method that enables DEKs to be stored, transmitted, and used in "envelopes." As a result, CMKs are not used to directly encrypt and decrypt data.
+Encrypting Data in IMS
+- When uploading an image file to Image Management Service (IMS), you can choose to encrypt the image file using a key provided by KMS to protect the file. Figure 1 describes details. For details, see the Image Management Service User Guide.
+
There are two types of CMKs that can be used:
+- The default key ims/default created by KMS
- Custom keys that you create on the KMS console using KMS-generated key materials
- You can also call IMS APIs to create encrypted image files. For details, see Image Management Service API Reference.
TRNG
-A true random number generator (TRNG) is a device that generates unpredictable random numbers by physical procedures instead of computer programs.
-Project
-A project is used to group and isolate OpenStack resources, including computing, storage, and network resources. A project can be a department or a project team.
-Multiple projects can be created for one account.
-Accessing and Using KMS
- --
-
- How to Access KMS
-
- - How to Use KMS
-
-
How to Access KMS
-The cloud service provides a web-based service management platform. You can access KMS using HTTPS-compliant APIs or the management console.
- -How to Use KMS
-Working with OBS
Users can upload objects to and download them from Object Storage Service (OBS) in common mode or server-side encryption mode. When users upload objects in encryption mode, data is encrypted at the server side and then securely stored on OBS in ciphertext. When users download encrypted objects, the data in ciphertext is decrypted at the server side and then provided to users in plaintext. OBS supports the server-side encryption with KMS-managed keys (SSE-KMS) mode. In SSE-KMS mode, OBS uses the keys provided by KMS for server-side encryption.
-For details about how to upload objects to OBS in SSE-KMS mode, see the Object Storage Service User Guide.
-Working with EVS
If you enable the encryption function when creating an EVS disk and select a CMK provided by KMS to encrypt the EVS disk, data stored to the EVS disk is automatically encrypted.
-For details about how to use the encryption function of EVS, see the Elastic Volume Service User Guide.
-Working with IMS
When creating a private image using an external image file, you can enable the private image encryption function and select a CMK provided by KMS to encrypt the image.
-For details about how to use the private image encryption function of Image Management Service (IMS), see the Image Management Service User Guide.
-Working with SFS
When creating a file system on SFS, the CMK provided by KMS can be selected to encrypt the file system, so that files stored in the file system are automatically encrypted.
-For details about how to use the encryption function of SFS, see the Scalable File Service User Guide.
-Working with RDS
When creating a database instance, you can enable the disk encryption function of the database instance and select a CMK created on KMS to encrypt the disk of the database instance. The enablement of disk encryption will enhance data security.
-For details about how to use the disk encryption function of RDS, see the Relational Database Service User Guide.
-Working with User Applications
To encrypt plaintext data, a user application can call the necessary KMS APIs to generate a DEK. The DEK can then be used to encrypt the plaintext data. Then the application can store the encrypted data. In addition, the user application can call the necessary KMS APIs to create CMKs. DEKs can be stored in ciphertext after being encrypted with the CMKs. For details, see the Key Management Service API Reference.
-How to Access
+The cloud service provides a web-based service management platform. You can access KMS using HTTPS-compliant APIs or the management console.
+
Related Services
-OBS
Object Storage Service (OBS) is a scalable service that provides secure, reliable, and cost-effective cloud storage for massive amounts of data. KMS provides central management and control capabilities of CMKs for OBS. It is used for server-side encryption with KMS-managed keys (SSE-KMS) on OBS.
+Using KMS
+Interacting with Cloud Services
Cloud services use the envelope encryption technology and call KMS APIs to encrypt service resources. Your CMKs are under your own management. With your grant, cloud services use a specific custom key of yours to encrypt data.
+- Create a custom key on KMS.
- Cloud services call the create-datakey API of the KMS to create a DEK. Then you get a plaintext DEK and a ciphertext DEK.+
Ciphertext DEKs are generated when you use a CMK to encrypt the plaintext DEKs.
+ - Cloud services use the plaintext DEK to encrypt a plaintext file, generating a ciphertext file.
- Cloud services store the ciphertext DEK and ciphertext file in a persistent storage device or a storage service.
EVS
Elastic Volume Service (EVS) offers scalable block storage for cloud servers. With high reliability, high performance, and rich specifications, EVS disks can be used for distributed file systems, development and test environments, data warehouse applications, and high-performance computing (HPC) scenarios to meet diverse service requirements. KMS provides central management and control capabilities of CMKs for EVS. It is used for encryption in EVS.
+ When users download the data from a cloud service, the service uses the custom key specified by KMS to decrypt the ciphertext DEK, uses the decrypted DEK to decrypt data, and then provides the decrypted data for users to download.
+Service Name + |
+Description + |
+
|---|---|
Object Storage Service (OBS) + |
+You can upload objects to and download them from Object Storage Service (OBS) in common mode or server-side encryption mode. When you upload objects in encryption mode, data is encrypted at the server side and then securely stored on OBS in ciphertext. When you download encrypted objects, the data in ciphertext is decrypted at the server side and then provided to you in plaintext. OBS supports the server-side encryption with KMS-managed keys (SSE-KMS) mode. In SSE-KMS mode, OBS uses the keys provided by KMS for server-side encryption. +For details about how to upload objects to OBS in SSE-KMS mode, see the Object Storage Service Console Operation Guide. + |
+
Elastic Volume Service (EVS) + |
+If you enable the encryption function when creating an EVS disk, the disk will be encrypted with the DEK generated by using your CMK. Data stored in the EVS disk will be automatically encrypted. +For details about how to use the encryption function of EVS, see Elastic Volume Service User Guide. + |
+
Image Management Service (IMS) + |
+When creating a private image using an external image file, you can enable the private image encryption function and select a CMK provided by KMS to encrypt the image. +For details about how to use the private image encryption function of Image Management Service (IMS), see Image Management Service User Guide. + |
+
Scalable File Service (SFS) + |
+When creating a file system on SFS, the CMK provided by KMS can be selected to encrypt the file system, so that files stored in the file system are automatically encrypted. +For details about how to use the file system encryption function of SFS, see Scalable File Service User Guide. + |
+
Relational Database Service (RDS) + |
+When purchasing a database instance, you can enable the disk encryption function of the database instance and select a CMK created on KMS to encrypt the disk of the database instance. Enabling the disk encryption function will enhance data security. +For details about how to use the disk encryption function of RDS, see Relational Database Service User Guide. + |
+
Document Database Service (DDS) + |
+When purchasing a DDS instance, you can enable the disk encryption function of the instance and select a CMK created on KMS to encrypt the disk of the instance. Enabling the disk encryption function will enhance data security. +For details about how to use the disk encryption function of DDS, see Document Database Service User Guide. + |
+
IMS
Image Management Service (IMS) allows you to manage the entire lifecycle of your images. KMS provides central management and control capabilities of CMKs for Image Management Service (IMS). It is used for private image encryption in IMS.
SFS
Scalable File Service (SFS) provides high-performance file storage (NAS) that can be expanded on demand. KMS provides central management and control capabilities of CMKs for SFS. It is used for file system encryption in SFS.
+Working with User Applications
To encrypt plaintext data, a user application can call the necessary KMS API to create a DEK. The DEK can then be used to encrypt the plaintext data. Then the application can store the encrypted data. In addition, the user application can call the KMS API to create CMKs. DEKs can be stored in ciphertext after being encrypted with the CMKs.
+Envelope encryption is implemented, with CMKs stored in KMS and ciphertext DEKs in user applications. KMS is called to decrypt a ciphertext DEK only when necessary.
+- The application calls the create-key API of KMS to create a custom key.
- The application calls the create-datakey API of KMS to create a DEK. A plaintext DEK and a ciphertext DEK are generated. +
- The application uses the plaintext DEK to encrypt a plaintext file. A ciphertext file is generated.
- The application saves the ciphertext DEK and the ciphertext file together in a persistent storage device or a storage service.
RDS
Relational Database Service (RDS) is a relational database that is reliable, scalable, easy to manage, and immediately ready for use. KMS provides central management and control capabilities of CMKs for RDS. It is used for disk encryption in relational databases.
-ECS
An ECS is a basic computing component that consists of CPUs, memory, OS, and elastic volume service (EVS). After creating an ECS, you can use it like your local computer or physical server.
-Dedicated HSM can encrypt sensitive data in the service systems on your ECS. You can control the generation, storage, and access authorization of keys to ensure the integrity and confidentiality of data during transmission and storage.
-IAM
Identity and Access Management (IAM) provides the permission management function for .
-Only users who have KMS Administrator permissions can use .
-To apply for permissions, contact a user with Security Administrator permissions. For details, see the .
+For details, see the Key Management Service API Reference.
User Permissions
-The system provides two types of permissions by default: user management and resource management. User management refers to the management of users, user groups, and user groups' rights. Resource management refers to the control of operations that can be performed by users on cloud service resources.
-For further details, see Permissions.
+Related Services
+OBS
Object Storage Service (OBS) is a scalable service that provides secure, reliable, and cost-effective cloud storage for massive amounts of data. KMS provides central management and control capabilities of CMKs for OBS. It is used for server-side encryption with KMS-managed keys (SSE-KMS) on OBS.
+EVS
Elastic Volume Service (EVS) offers scalable block storage for cloud servers. With high reliability, high performance, and rich specifications, EVS disks can be used for distributed file systems, development and test environments, data warehouse applications, and high-performance computing (HPC) scenarios to meet diverse service requirements. KMS provides central management and control capabilities of CMKs for EVS. It is used for encryption in EVS.
+IMS
Image Management Service (IMS) allows you to manage the entire lifecycle of your images. KMS provides central management and control capabilities of CMKs for Image Management Service (IMS). It is used for private image encryption in IMS.
+SFS
Scalable File Service (SFS) provides high-performance file storage (NAS) that can be expanded on demand. KMS provides central management and control capabilities of CMKs for SFS. It is used for file system encryption in SFS.
+RDS
Relational Database Service (RDS) is a relational database that is reliable, scalable, easy to manage, and immediately ready for use. KMS provides central management and control capabilities of CMKs for RDS. It is used for disk encryption in relational databases.
+CTS
Cloud Trace Service (CTS) provides you with a history of KMS operations. After the CTS service is enabled, you can view all generated traces to review and audit performed KMS operations. For details, see the Cloud Trace Service User Guide.
+ +Operation + |
+Resource Type + |
+Trace Name + |
+
|---|---|---|
Create a key + |
+cmk + |
+createKey + |
+
Create a DEK + |
+cmk + |
+createDataKey + |
+
Create a plaintext-free DEK + |
+cmk + |
+createDataKeyWithoutPlaintext + |
+
Enable a key + |
+cmk + |
+enableKey + |
+
Disable a key + |
+cmk + |
+disableKey + |
+
Encrypt a DEK + |
+cmk + |
+encryptDatakey + |
+
Decrypt a DEK + |
+cmk + |
+decryptDatakey + |
+
Schedule key deletion + |
+cmk + |
+scheduleKeyDeletion + |
+
Cancel scheduled key deletion + |
+cmk + |
+cancelKeyDeletion + |
+
Generate random numbers + |
+rng + |
+genRandom + |
+
Modify a key alias + |
+cmk + |
+updateKeyAlias + |
+
Modify key description + |
+cmk + |
+updateKeyDescription + |
+
Prompt risks about CMK deletion + |
+cmk + |
+deleteKeyRiskTips + |
+
Import key materials + |
+cmk + |
+importKeyMaterial + |
+
Delete key materials + |
+cmk + |
+deleteImportedKeyMaterial + |
+
Create a grant + |
+cmk + |
+createGrant + |
+
Retire a grant + |
+cmk + |
+retireGrant + |
+
Revoke a grant + |
+cmk + |
+revokeGrant + |
+
Encrypt data + |
+cmk + |
+encryptData + |
+
Decrypt data + |
+cmk + |
+decryptData + |
+
Add a tag + |
+cmk + |
+dealUnifiedTags + |
+
Delete a tag + |
+cmk + |
+dealUnifiedTags + |
+
Add tags in batches + |
+cmk + |
+dealUnifiedTags + |
+
Delete tags in batches + |
+cmk + |
+dealUnifiedTags + |
+
Enable key rotation + |
+cmk + |
+enableKeyRotation + |
+
Modify key rotation interval + |
+cmk + |
+updateKeyRotationInterval + |
+
Disable key rotation + |
+cmk + |
+disableKeyRotation + |
+
IAM
Identity and Access Management (IAM) provides the permission management function for KMS.
+Only users who have KMS Administrator permissions can use KMS.
+To apply for permissions, contact a user with Security Administrator permissions. For details, see the Identity and Access Management User Guide.
+Key Management
- +KMS Permission Management
+If you want to assign different access permissions to employees in an enterprise for the KMS resources purchased on the cloud platform, you can use Identity and Access Management (IAM) to perform refined permission management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your resources.
+With IAM, you can use your account to create IAM users for your employees, and grant permissions to control their access to specific resource types. For example, if you have software developers and you want to assign them the permission to access KMS but not to delete KMS or its resources, then you can create an IAM policy to assign the developers the permission to access KMS but prevent them from deleting KMS related data.
+If the system account has met your requirements and you do not need to create an independent IAM user for permission control, then you can skip this section. This will not affect other functions of KMS.
+KMS Permissions
By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from their groups and can perform specified operations on cloud services based on the permissions.
+KMS is a project-level service deployed and accessed in specific physical regions. To assign permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. Users need to switch to the authorized region when accessing KMS.
+You can grant users permissions by using roles and policies.
+- Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you must also assign other roles that the permissions depend on to take effect. However, roles are not an ideal choice for fine-grained authorization and secure access control.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, you can grant KMS users only the permissions for managing a certain type of cloud servers. Most policies contain permissions for specific APIs, and permissions are defined using API actions.
For more information, see Table 1.
+ +Role/Policy + |
+Description + |
+Type + |
+
|---|---|---|
KMS Administrator + |
+Administrator permissions for the encryption key + |
+Role + |
+
KMS CMKFullAccess + |
+All permissions for the encryption keys + |
+Policy + |
+
KMS CMK Admin + |
+All permissions for the encryption keys + |
+Policy + |
+
KMS CMKReadOnlyAccess + |
+Read-only permission for encryption keys + |
+Policy + |
+
Table 2 lists the common operations supported by each system-defined permission of KMS. Select the permissions as needed.
+ +Operation + |
+KMS Administrator + |
+KMS CMKFullAccess + |
+
|---|---|---|
Create a key + |
+√ + |
+√ + |
+
Enable a key + |
+√ + |
+√ + |
+
Disable a key + |
+√ + |
+√ + |
+
Schedule key deletion + |
+√ + |
+√ + |
+
Cancel scheduled key deletion + |
+√ + |
+√ + |
+
Modify a key alias + |
+√ + |
+√ + |
+
Modify key description + |
+√ + |
+√ + |
+
Generate a random number + |
+√ + |
+√ + |
+
Create a DEK + |
+√ + |
+√ + |
+
Create a plaintext-free DEK + |
+√ + |
+√ + |
+
Encrypt a DEK + |
+√ + |
+√ + |
+
Decrypt a DEK + |
+√ + |
+√ + |
+
Obtain parameters for importing a key + |
+√ + |
+√ + |
+
Import key materials + |
+√ + |
+√ + |
+
Delete key materials + |
+√ + |
+√ + |
+
Create a grant + |
+√ + |
+√ + |
+
Revoke a grant + |
+√ + |
+√ + |
+
Retire a grant + |
+√ + |
+√ + |
+
Query the grant list + |
+√ + |
+√ + |
+
Query retirable grants + |
+√ + |
+√ + |
+
Encrypt data + |
+√ + |
+√ + |
+
Decrypt data + |
+√ + |
+√ + |
+
Enable key rotation + |
+√ + |
+√ + |
+
Modify key rotation interval + |
+√ + |
+√ + |
+
Disable key rotation + |
+√ + |
+√ + |
+
Query key rotation status + |
+√ + |
+√ + |
+
Query CMK instances + |
+√ + |
+√ + |
+
Query key tags + |
+√ + |
+√ + |
+
Query project tags + |
+√ + |
+√ + |
+
Batch add or delete key tags + |
+√ + |
+√ + |
+
Add tags to a key + |
+√ + |
+√ + |
+
Delete key tags + |
+√ + |
+√ + |
+
Query the key list + |
+√ + |
+√ + |
+
Query key details + |
+√ + |
+√ + |
+
Query instance quantity + |
+√ + |
+√ + |
+
Query quotas + |
+√ + |
+√ + |
+
Related Links
- Two types of permission policies are provided by default: default policies and custom policies. Default policies are pre-defined by IAM and cannot be modified. If default policies do not meet your requirements, you can create custom policies for fine-grained permission control.
- Configure permission policies for a user group and add users to the group so that these users can obtain operation permissions defined in the policies.
-
-
- Creating a Key
-
- - Creating CMKs Using Imported Key Material
-
- - Managing CMKs
-
- - Configuring SMN
-
- - Managing Tags
-
- - Rotating CMKs
-
- - Managing a Grant
-
- - Permissions Management
-
-
Creating CMKs Using Imported Key Material
- -Deleting a Key Material
-Scenario
When importing key material, you can specify the expiration time. After the key material expires, KMS deletes it, and the status of the CMK changes to Pending import. You can manually delete the key material as needed. The effect of expiration of the key material is the same as that of manual deletion of the key material.
-This section describes how to delete imported key material on the management console.
- - After the key material is deleted, if you need to re-import the key material, the key material to be imported must be the same as that has been deleted.
- After the same key material is re-imported, you can use the CMK to decrypt all data encrypted using this key before deletion.
- After the deletion, the CMK will become unavailable and its status will change to Pending import.
Prerequisites
- You have imported the key material for a CMK.
- The material source of the CMK is External.
- The CMK status is Enabled or Disabled.
Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Choose . The key management page is displayed.
- In the row containing the desired CMK, click Delete Key Material.
- In the dialog box that is displayed, click OK.
After the deletion, the CMK will become unavailable and its status changes to Pending import.
-
Configuring SMN
-Scenario
This section describes how to configure the Simple Message Notification (SMN) function on the Cloud Trace Service (CTS) console.
-Decryption will fail if the CMK used has been scheduled for deletion. You will receive messages about the decryption failure on terminals (SMS, email, HTTP, or HTTPS) if the SMN function has been configured in CTS.
+Scenario
This section describes how to configure the Simple Message Notification (SMN) function on the Cloud Trace Service (CTS) console.
+Decryption will fail if the key used for encryption has been scheduled for deletion. You will receive messages about the decryption failure on terminals (SMS, email, HTTP, or HTTPS) if the SMN function has been configured in CTS.
Prerequisites
- CTS has been enabled.
- You have subscribed to SMN.
Prerequisites
- CTS has been enabled.
- You have subscribed to SMN.
Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose Management & Deployment > Cloud Trace Service to go to the CTS console.
- In the navigation tree on the left, click Tracker.
- If the desired tracker is not enabled, click Enable. In the dialog box that is displayed, click OK to enable the tracker. If the tracker is already enabled, skip this step.
- In the navigation tree on the left, click Key Event Notifications. The Key Event Notifications page is displayed.
- Click Create Key Event Notification at the upper right corner of the page. The creation page is displayed.
- In the Basic Information area, enter a notification name. See Figure 1 for details. -
- Select operation types in the Operation area. See Figure 2 for details.
-
+
Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose Management & Deployment > Cloud Trace Service to go to the CTS console.
- In the navigation pane on the left, click Tracker List.
- If the desired tracker is not enabled, click Enable. In the dialog box that is displayed, click OK to enable the tracker. If the tracker is already enabled, skip this step.
- In the navigation pane on the left, click Key Event Notifications.
- Click Create Key Event Notification at the upper right corner of the page. The creation page is displayed.
- In the Basic Information area, enter a notification name. See Figure 1 for details. +
- Select operation types in the Operation area. See Figure 2 for details.
+
-
Table 1 Parameters for operation types Parameter
+-Table 1 Parameters for operation types Parameter
Description
+Description
Example Value
+Example Value
Operation Type
+Operation Type
SMN sends messages to users when deletion, creation, or login operations are performed on CMKs.
+SMN sends messages to users when deletion, creation, or login operations are performed on keys.
Delete
+Delete
- In the User area, specify the user who performs the specified operations. See Figure 3 for details.
- You can select All users so that SMN notifications are sent when specified operations are performed by any user.
- You can also select Specified users and add users to the User List. Then SMN notifications are sent when the specified operations are performed by specified users.
- In the User area, specify the user who performs the specified operations. See Figure 3 for details.
- - - You can select All users so that SMN notifications are sent when specified operations are performed by any user.
- You can also select Specified users and add users to the User List. Then SMN notifications are sent when the specified operations are performed by specified users.
- In the Topic area, configure whether to send notifications. See Figure 4 for details. + +
- In the Topic area, configure whether to send notifications. See Figure 4 for details. -
Table 2 Parameters for configuring the SMN notification Parameter
+-Table 2 Parameters for configuring the SMN notification Parameter
Description
+Description
Configuration
+Configuration
Send Notification
+Send Notification
Specifies whether notifications will be sent.
-- Select Yes to activate notification.
- Select No to deactivate notification.
Specifies whether notifications will be sent.
+- Select Yes to activate notification.
- Select No to deactivate notification.
Yes
+Yes
SMN Topic
+SMN Topic
You can select an existing topic or click Topic to create a topic.
-For details about topics, see the Simple Message Notification User Guide.
+You can select an existing topic or click Topic to create a topic.
+For details about topics, see the Simple Message Notification User Guide.
KMS
+KMS
- Click OK. The SMN notification is configured.
+- Click OK. The SMN notification is configured.
- - \ No newline at end of file diff --git a/docs/kms/umn/kms_01_0022.html b/docs/kms/umn/kms_01_0022.html new file mode 100644 index 00000000..54e1ce6c --- /dev/null +++ b/docs/kms/umn/kms_01_0022.html @@ -0,0 +1,28 @@ + + +-Parent topic: Key Management+Parent topic: Key Management ServiceUsing the Online Tool to Encrypt and Decrypt Small-Size Data
++This section describes how to use the online tool to encrypt or decrypt small-size data (4 KB or smaller) on the KMS console.
++Prerequisites
The custom key is in Enabled status.
++Constraints
- Default keys cannot be used to encrypt or decrypt such data with the tool.
- Asymmetric keys cannot be used to encrypt or decrypt such data with the tool.
- You can call an API to use a default key to encrypt or decrypt small volumes of data. For details, see the Key Management Service API Reference.
- Use the current CMK to encrypt the data.
- Exercise caution when you delete a CMK. The online tool cannot decrypt data if the CMK used for encryption has been deleted.
+Encrypting Data
- Log in to the management console.
- Click
. Choose . The Key Management Service page is displayed.
- Click Encrypt. In the text box on the left, enter the data to be encrypted, as shown in Figure 1. +
- Click Execute. Ciphertext of the data is displayed in the text box on the right.+
- Use the current CMK to encrypt the data.
- You can click Clear to clear the entered data.
- You can click Copy to Clipboard to copy the ciphertext and save it in a local file.
+Decrypting Data
- Log in to the management console.
- You can click any non-default key in Enabled status to go to the encryption and decryption page of the online tool.
- Click Decrypt. In the text box on the left, enter the data to be decrypted. For details, see Figure 2.+ +
- The tool will identify the original encryption CMK and use it to decrypt the data.
- If the key has been deleted, the decryption will fail.
- Click Execute. Plaintext of the data is displayed in the text box on the right.+
- You can click Copy to Clipboard to copy the plaintext and save it in a local file.
- Enter the plaintext on the console, the text will be encoded to Base64 format before encryption.
The decryption result returned via API will be in Base64 format. Perform Base64 decoding to obtain the plaintext entered on the console.
+
++ diff --git a/docs/kms/umn/kms_01_0023.html b/docs/kms/umn/kms_01_0023.html index b9b1e508..ff38bb45 100644 --- a/docs/kms/umn/kms_01_0023.html +++ b/docs/kms/umn/kms_01_0023.html @@ -1,13 +1,11 @@++Parent topic: Key Management Service+Managing Tags
- +diff --git a/docs/kms/umn/kms_01_0024.html b/docs/kms/umn/kms_01_0024.html index e5dc4b32..95f62c84 100644 --- a/docs/kms/umn/kms_01_0024.html +++ b/docs/kms/umn/kms_01_0024.html @@ -1,49 +1,49 @@- Adding a Tag
- - Searching for a CMK by Tag
- - Modifying Tag Values
- Deleting Tags
@@ -15,7 +13,7 @@
-Parent topic: Key Management+Parent topic: Key Management ServiceAdding a Tag
-Scenario
Tags are used to identify CMKs. You can add tags to CMKs so that you can classify CMKs, trace them, and collect their usage status according to the tags.
+Tags are used to identify keys. You can add tags to custom keys so that you can classify custom keys, trace them, and collect their usage status according to the tags.
+-Constraints
Tags cannot be added to default keys.
-Constraints
Tags cannot be added to default keys.
-Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the alias of the desired CMK to view its details.
- Click Tags to go to the tag management page.Figure 1 Managing tags-
- Click Add Tag. In the Add Tag dialog box, enter the tag key and tag value. Table 1 describes the parameters.Figure 2 Adding a tag+
Procedure
- Log in to the management console.
- Click . Choose . The Key Management Service page is displayed.
- Click the alias of the target custom key to view its details.
- Click Tags to go to the tag management page.
- Click Add Tag. In the Add Tag dialog box, enter the tag key and tag value. Table 1 describes the parameters.Figure 1 Adding a tag
- If you want to delete a tag to be added when adding multiple tags, you can click Delete in the row where the tag to be added is located to delete the tag.
Table 1 Tag parameters Parameter
+-Table 1 Tag parameters Parameter
Description
+Description
Value
+Value
Example Value
+Example Value
Tag key
+Tag key
Name of a tag.
-The same tag (including tag key and tag value) can be used for different CMKs. However, under the same CMK, one tag key can have only one tag value.
-A maximum of 20 tags can be added for one CMK.
+Name of a tag.
+The same tag (including tag key and tag value) can be used for different custom keys. However, under the same custom key, one tag key can have only one tag value.
+A maximum of 20 tags can be added for one custom key.
- Mandatory.
- Each tag key must be unique under the same CMK.
- Contains a maximum of 36 characters.
- Only digits, letters, underscores (_), and hyphens (-) are allowed.
- Mandatory.
- The tag key must be unique for the same custom key.
- 128 characters limit.
- The value cannot start or end with a space.
- The following character types are allowed:
- English
- Numbers
- Special characters: _-@
cost
+cost
Tag value
+Tag value
Value of the tag
+Value of the tag
- This parameter can be empty.
- Can contain a maximum of 43 characters.
- Only digits, letters, underscores (_), and hyphens (-) are allowed.
- This parameter can be empty.
- 255 characters limit.
- The following character types are allowed:
- English
- Numbers
- Special characters: _-@
100
+100
- Click OK to complete.
+- Click OK to complete.
@@ -52,10 +52,3 @@- - \ No newline at end of file diff --git a/docs/kms/umn/kms_01_0025.html b/docs/kms/umn/kms_01_0025.html deleted file mode 100644 index 6c35b88f..00000000 --- a/docs/kms/umn/kms_01_0025.html +++ /dev/null @@ -1,27 +0,0 @@ - - -Searching for a CMK by Tag
---Scenario
This section describes how to search for tags through KMS. You can search for tags of all CMKs that meet the search criteria in the current project.
--Prerequisites
Tags have been added.
--Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click Search by Tag to show the search box.Figure 1 Searching for tags-
- In the search box, enter the tag key and tag value.
- Click
to add the input to the search criteria, and click Search. The list displays the CMKs that meet the search criteria.Figure 2 Search results-
- - Multiple tags can be added at one search. A maximum of 20 tags can be added for one search. If multiple tags are searched for at one time, only CMKs meet the combined search criteria will be displayed in the search result.
- If you want to delete an added tag from the search criteria, click
next to the tag. - You can click Reset to reset the search criteria.
-- - - \ No newline at end of file diff --git a/docs/kms/umn/kms_01_0026.html b/docs/kms/umn/kms_01_0026.html index 1ec47985..b1bb94de 100644 --- a/docs/kms/umn/kms_01_0026.html +++ b/docs/kms/umn/kms_01_0026.html @@ -1,11 +1,8 @@--Parent topic: Managing Tags-Modifying Tag Values
--Scenario
This section describes how to modify tag values on the KMS management console.
-- - \ No newline at end of file diff --git a/docs/kms/umn/kms_01_0027.html b/docs/kms/umn/kms_01_0027.html index 9f648fdd..6c772fee 100644 --- a/docs/kms/umn/kms_01_0027.html +++ b/docs/kms/umn/kms_01_0027.html @@ -1,10 +1,8 @@Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the alias of the desired CMK to view its details.
- Click Tags to go to the tag management page.Figure 1 Managing tags-
- Click Edit of the target tag, and the Edit Tag dialog box is displayed.Figure 2 Editing a tag-
- In the Edit Tag dialog box, enter a tag value, and click OK to complete the editing.
This section describes how to modify tag values on the KMS console.
+Procedure
- Log in to the management console.
- Click . Choose . The Key Management Service page is displayed.
- Click the alias of the target custom key to view its details.
- Click Tags to go to the tag management page.
- Click Edit of the target tag, and the Edit Tag dialog box is displayed.
- In the Edit Tag dialog box, enter a tag value, and click OK to complete the editing.
@@ -14,10 +11,3 @@Deleting Tags
--Scenario
This section describes how to delete tags on the KMS management console.
-- - \ No newline at end of file diff --git a/docs/kms/umn/kms_01_0028.html b/docs/kms/umn/kms_01_0028.html index 76851bbe..c27e1477 100644 --- a/docs/kms/umn/kms_01_0028.html +++ b/docs/kms/umn/kms_01_0028.html @@ -1,19 +1,23 @@ -Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the alias of the desired CMK to view its details.
- Click Tags to go to the tag management page.Figure 1 Managing tags-
- Click Delete of the target tag, and the Delete Tag dialog box is displayed.
- In the Delete Tag dialog box, click Yes to complete the deletion.
This section describes how to delete tags on the KMS console.
+Procedure
- Log in to the management console.
- Click . Choose . The Key Management Service page is displayed.
- Click the alias of the target custom key to view its details.
- Click Tags to go to the tag management page.
- Click Delete of the target tag, and the Delete Tag dialog box is displayed.
- In the Delete Tag dialog box, click Confirm.
@@ -13,10 +11,3 @@Managing a Grant
- +Managing CMKs
+diff --git a/docs/kms/umn/kms_01_0029.html b/docs/kms/umn/kms_01_0029.html index 7166f638..b590aa93 100644 --- a/docs/kms/umn/kms_01_0029.html +++ b/docs/kms/umn/kms_01_0029.html @@ -1,68 +1,17 @@ --
-
- Creating a Grant
+ - Viewing a CMK
- - Querying a Grant
+ - Enabling One or More CMKs
- - Revoking a Grant
+ - Disabling One or More CMKs
+
+ - Deleting One or More CMKs
+
+ - Canceling the Scheduled Deletion of One or More CMKs
-Parent topic: Key Management+Parent topic: Key Management ServiceCreating a Grant
-Scenario
You can create grants for other users to use the CMK. You can create a maximum of 100 grants for a CMK.
-The owner of a CMK can create a grant for the CMK on the KMS management console or by making the API calls. A user, who has been granted with the grant creation permission by the owner of the CMK, can create grants for the CMK only by making the API calls.
+Enabling One or More CMKs
+This section describes how to use the KMS console to enable one or more custom keys. Only enabled custom keys can be used to encrypt or decrypt data. A new custom key is in the Enabled state by default.
+-Prerequisites
The custom key you want to enable is in Disabled status.
-Prerequisites
- You have obtained the user ID of the grantee (user to whom permissions are to be authorized).
- The desired CMK is in Enabled status.
Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the alias of the desired CMK to go to the page displaying its details. You can create grants on the Grants tab page.Figure 1 Grants tab-
- Click Create Grant. The Create Grant dialog box is displayed.Figure 2 Creating a grant-
- In the dialog box that is displayed, enter the ID of the user to be authorized and select permissions to be granted.
A grantee can perform the authorized operations only by calling the necessary API. For details, see the Key Management Service API Reference.
+Procedure
- Log in to the management console.
- Click . Choose . The Key Management Service page is displayed.
- In the row containing the target custom key, click Enable.
- In the displayed dialog box, click OK to enable the key.- -
To enable multiple CMKs at a time, select them and click Enable in the upper left corner of the list.
-
-Table 1 Parameter description Parameter
-Description
-Example Value
-Key ID
-ID of a CMK (automatically read by the system)
--
-Grantee
-The user ID of the grantee is required.
-NOTE:-The user IDs are provided by grantees who can obtain their IDs by clicking their portraits and choosing My Credential > User ID.
-d9a6b2bdaedd4ba586cabe6372d1b312
-Granted Operations
-The following permissions can be authorized:
-NOTE:-- You can create multiple grants on a CMK to provide different permissions to the same user. The user's permissions on the CMK are the combination of all the grants.
- This parameter cannot be left blank.
- Create Grant cannot be selected exclusively.
- Create Data Key Without Plaintext
- Create Data Key
- Encrypt Data Key
- Decrypt Data Key
- Query Key Information
- Create Grant
- Retire Grant
- A grantee can retire a grant if the grantee does not need that permission.
- If, before retiring a grant, the grantee has granted the permission to another user, that user's permission will not be affected by the grant retirement.
-
- - Click OK. When message Grant of key alias created successfully is displayed in the upper right corner, the grant has been created.
In the list of grants, you can view the grant ID, grantee ID, granted operation, and creation time of the grant.
- - \ No newline at end of file diff --git a/docs/kms/umn/kms_01_0030.html b/docs/kms/umn/kms_01_0030.html index 9e6039f9..ca0a7961 100644 --- a/docs/kms/umn/kms_01_0030.html +++ b/docs/kms/umn/kms_01_0030.html @@ -1,61 +1,20 @@ --Parent topic: Managing a Grant+Parent topic: Managing CMKsQuerying a Grant
-Scenario
This section describes how to view the details about a grant, such as the grant ID, grantee user ID, granted operation, and creation time.
+Disabling One or More CMKs
+This section describes how to use the KMS console to disable one or more custom keys, thereby protecting data in urgent cases.
+After being disabled, a custom key cannot be used to encrypt or decrypt any data. Before using a disabled CMK to encrypt or decrypt data, you must enable it by following instructions in Enabling One or More CMKs.
+-Prerequisites
The CMK you want to disable is in Enabled status.
Prerequisites
You have created a grant.
+-Constraints
- Default keys created by KMS cannot be disabled.
- A disabled CMK is still billable. It will stop incurring charges if it is deleted.
Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the alias of the desired CMK to view its details.
- Information about the CMK and grants created on it are displayed, Figure 1 shows example grant information.
-
Table 1 provides more details.
- --
-Table 1 Parameter description Parameter
-Description
-Grant ID
-Randomly generated unique identification of a grant
-Grantee
-ID of an authorized user.
-Granted Operations
-Authorized operations (such as Create Data Key) on the CMK
-Creation Time
-Creation time of the grant
-Operation
-Operations that can be performed on a grant. For example, you can revoke a grant.
- - Click a grant ID to view the grant details, Figure 2 shows example grant information.
+
Procedure
- Log in to the management console.
- Click . Choose . The Key Management Service page is displayed.
- In the row containing the target CMK, click Disable.
- In the displayed dialog box, select I understand the impact of disabling keys, and click OK.
To disable multiple CMKs at a time, select them and click Disable in the upper left corner of the list.
+
- - \ No newline at end of file diff --git a/docs/kms/umn/kms_01_0031.html b/docs/kms/umn/kms_01_0031.html index 9c5528e5..8bac7757 100644 --- a/docs/kms/umn/kms_01_0031.html +++ b/docs/kms/umn/kms_01_0031.html @@ -1,19 +1,22 @@ --Parent topic: Managing a Grant+Parent topic: Managing CMKsRevoking a Grant
-Scenario
You can revoke a grant in either of the following scenarios:
-- A grantee does not need the grant. (The grantee can either tell the user who has created the grant to revoke the grant or call the necessary API to revoke the grant directly.)
- You do not want the grantee to have the grant.
When a grant is revoked, the grantee does not have the corresponding permission anymore. However, if the grantee has created the same grant to another user, permission of that user will not be affected.
-This section describes how to revoke a grant.
+Deleting One or More CMKs
+Before deleting the CMK, confirm that it is not in use and will not be used.
+-Prerequisites
- The key to be deleted is in Enabled, Disabled, or Pending import status.
Prerequisites
You have created a grant.
+-Constraints
- A key will not be deleted until its scheduled deletion period expires. You can set the period to a value within the range 7 to 1096 days.
Before the specified deletion date, you can cancel the deletion if you want to use the CMK. Once the scheduled deletion has taken effect, the CMK will be deleted permanently and you will not be able to decrypt data encrypted by the CMK. Exercise caution when performing this operation.
+ - Default keys created by KMS cannot be scheduled for deletion.
Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the alias of the desired CMK to view its details.
- In the row containing the desired grantee, click Revoke Grant in the Operation column.
- In the dialog box that is displayed, click Yes. When Grant grant_ID revoked successfully is displayed in the upper right corner, the grant has been revoked.
Procedure
- Log in to the management console.
- Click . Choose . The Key Management Service page is displayed.
- In the row containing the target CMK, click Delete in the Operation column.
- On the key deletion dialog box, enter the deletion delay time.+
- A key will not be deleted until its scheduled deletion period expires. You can set the period to a value within the range 7 to 1096 days. Before the specified deletion date, you can cancel the deletion if you want to use the CMK.
To schedule the deletion of multiple CMKs at a time, select them and click Delete in the upper left corner of the list.
+diff --git a/docs/kms/umn/kms_01_0032.html b/docs/kms/umn/kms_01_0032.html index 5d8fafc9..06a1ac70 100644 --- a/docs/kms/umn/kms_01_0032.html +++ b/docs/kms/umn/kms_01_0032.html @@ -1,25 +1,18 @@ --Parent topic: Managing a Grant+Parent topic: Managing CMKsManaging CMKs
- +Canceling the Scheduled Deletion of One or More CMKs
+This section describes how to use the KMS console to cancel the scheduled deletion of one or more custom keys prior to deletion execution. After the cancellation, the key is in Disabled status.
++Prerequisites
The CMK for which you want to cancel the scheduled deletion is in Pending deletion status.
++Procedure
- Log in to the management console.
- Click . Choose . The Key Management Service page is displayed.
- In the row containing the target CMK, click Cancel Deletion.
- In the displayed dialog box, click OK to cancel the scheduled deletion.
- If a key is created on the KMS console, the status of the key changes to Disabled after its scheduled deletion is canceled. For details about how to enable the key, see Enabling One or More CMKs.
- If the CMK is created using imported materials, its status becomes Disabled after the cancellation. To enable the CMK, see Enabling One or More CMKs.
- If the CMK is created using imported materials and no key materials have been imported for it, its status becomes Pending import after the cancellation. To use the CMK, perform Creating CMKs Using Imported Key Materials.
+ To cancel the deletion of multiple CMKs at a time, select them and click Cancel Deletion in the upper left corner of the list.
+
-diff --git a/docs/kms/umn/kms_01_0033.html b/docs/kms/umn/kms_01_0033.html deleted file mode 100644 index 3aa65df1..00000000 --- a/docs/kms/umn/kms_01_0033.html +++ /dev/null @@ -1,22 +0,0 @@ - - --
-
- Querying a CMK
-
- - Changing the Alias and Description of a CMK
-
- - Enabling One or Multiple CMKs
-
- - Disabling One or Multiple CMKs
-
- - Deleting One or More CMKs
-
- - Canceling the Scheduled Deletion of One or Multiple CMKs
-
-
-Parent topic: Key Management+Parent topic: Managing CMKsChanging the Alias and Description of a CMK
---Scenario
The alias of a CMK is a user-friendly name designed to help you locate the CMK easier.
-This section describes how to change the alias and description of a CMK on the KMS management console.
-- - A Default Master Key (the alias suffix of which is /default) does not allow alias and description changes.
- The alias and description of a CMK cannot be changed if the CMK is in Pending deletion status.
-Prerequisites
- The CMK is in Enabled, Disabled, or Pending import status.
-Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the alias of the desired CMK. Details about the CMK are displayed.
- To change the alias or description of the CMK, click
next to the value of Alias or Description.Figure 1 CMK details-
- - The alias must be 1 to 255 characters in length. Only digits, letters, underscores (_), hyphens (-), colons (:), and forward slashes (/) are allowed.
- Length of the description cannot exceed 255 characters.
- Click
to save the changes.
-- diff --git a/docs/kms/umn/kms_01_0034.html b/docs/kms/umn/kms_01_0034.html deleted file mode 100644 index ece3b756..00000000 --- a/docs/kms/umn/kms_01_0034.html +++ /dev/null @@ -1,26 +0,0 @@ - - ---Parent topic: Managing CMKs-Enabling One or Multiple CMKs
---Scenario
This section describes how to use the management console to enable one or multiple CMKs. Only enabled CMKs can be used to encrypt/decrypt data. A new CMK is in the Enabled state by default.
--Prerequisites
The CMK you want to enable is in Disabled status.
--Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- In the row containing the desired CMK, click Enable.Figure 1 Enabling one CMK-
- In the dialog box that is displayed, click Yes to enable the CMK.-
To enable multiple CMKs at a time, select them and click Enable in the upper left corner of the list.
-
-- - - \ No newline at end of file diff --git a/docs/kms/umn/kms_01_0035.html b/docs/kms/umn/kms_01_0035.html deleted file mode 100644 index 6a31b302..00000000 --- a/docs/kms/umn/kms_01_0035.html +++ /dev/null @@ -1,27 +0,0 @@ - - ---Parent topic: Managing CMKs-Disabling One or Multiple CMKs
---Scenario
This section describes how to use the management console to disable one or multiple CMKs, thereby protecting data in urgent cases.
-After being disabled, a CMK cannot be used to encrypt or decrypt any data. Before using a disabled CMK to encrypt or decrypt data, you must enable it by following instructions in Enabling One or Multiple CMKs.
-- Default Master Keys created by KMS cannot be disabled.
--Prerequisites
The CMK you want to disable is in Enabled status.
--Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- In the row containing the desired CMK, click Disable.Figure 1 Disabling one CMK-
-- - - \ No newline at end of file diff --git a/docs/kms/umn/kms_01_0036.html b/docs/kms/umn/kms_01_0036.html deleted file mode 100644 index b5f9a8da..00000000 --- a/docs/kms/umn/kms_01_0036.html +++ /dev/null @@ -1,28 +0,0 @@ - - ---Parent topic: Managing CMKs-Canceling the Scheduled Deletion of One or Multiple CMKs
---Scenario
This section describes how to use the management console to cancel the scheduled deletion of one or multiple CMKs prior to deletion execution.
--Prerequisites
The CMK for which you want to cancel the scheduled deletion is in Pending deletion status.
--Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- In the row containing the desired CMK, click Cancel Deletion.Figure 1 Canceling the scheduled deletion of one CMK-
- In the displayed dialog box, click Yes to cancel the scheduled deletion for the CMK.-
- If the CMK is created using KMS generated material, its status becomes Disabled after the cancelation. To enable the CMK, see Enabling One or Multiple CMKs.
- If the CMK is created using imported material, its status becomes Disabled after the cancelation. To enable the CMK, see Enabling One or Multiple CMKs.
- If the CMK is created using imported material and no key material has been imported for it, its status becomes Pending import after the cancelation. To use the CMK, perform Creating CMKs Using Imported Key Material.
- To cancel the deletion of multiple CMKs at a time, select them and click Cancel Deletion in the upper left corner of the list.
-
-- - - \ No newline at end of file diff --git a/docs/kms/umn/kms_01_0037.html b/docs/kms/umn/kms_01_0037.html deleted file mode 100644 index 673e1744..00000000 --- a/docs/kms/umn/kms_01_0037.html +++ /dev/null @@ -1,35 +0,0 @@ - - ---Parent topic: Managing CMKs-FAQs
- --- diff --git a/docs/kms/umn/kms_01_0038.html b/docs/kms/umn/kms_01_0038.html deleted file mode 100644 index 060e978a..00000000 --- a/docs/kms/umn/kms_01_0038.html +++ /dev/null @@ -1,11 +0,0 @@ - - --
-
- What Is Key Management Service?
-
- - What Is a Customer Master Key?
-
- - What Are the Differences Between a Custom Key and a Default Key?
-
- - What Is a Data Encryption Key?
-
- - Which Cloud Services Can Use KMS for Encryption?
-
- - Will a CMK Be Charged After It Is Scheduled to Delete?
-
- - Why Can't I Delete a CMK Immediately?
-
- - Is There a Limit on the Number of CMKs That I Can Create on KMS?
-
- - What Are the Benefits of Envelope Encryption?
-
- - Can I Export a CMK from KMS?
-
- - How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data?
-
- - Can I Update CMKs Created by KMS-Generated Key Materials?
-
- - How Does KMS Protect My Keys?
-
-
What Is a Data Encryption Key?
--A data encryption key (DEK) is used to encrypt data.
--- diff --git a/docs/kms/umn/kms_01_0039.html b/docs/kms/umn/kms_01_0039.html deleted file mode 100644 index 9c0082cf..00000000 --- a/docs/kms/umn/kms_01_0039.html +++ /dev/null @@ -1,11 +0,0 @@ - - ---Parent topic: FAQs-Why Can't I Delete a CMK Immediately?
--The decision to delete a CMK should be taken with caution. Before deletion, confirm that the CMK's encrypted data has all been migrated. Once the CMK is deleted, you will not be able to decrypt data with it. Therefore, KMS offers a waiting period of 7 to 1096 days for the deletion to finally take effect. On the scheduled day of deletion, the CMK will be permanently deleted. However, prior to the scheduled day, you can still cancel the deletion.
--- diff --git a/docs/kms/umn/kms_01_0040.html b/docs/kms/umn/kms_01_0040.html deleted file mode 100644 index 53c48e16..00000000 --- a/docs/kms/umn/kms_01_0040.html +++ /dev/null @@ -1,11 +0,0 @@ - - ---Parent topic: FAQs-Which Cloud Services Can Use KMS for Encryption?
--Object Storage Service (OBS), Elastic Volume Service (EVS), Image Management Service (IMS), Scalable File Service (SFS), and Relational Database Service (RDS) can use KMS for encryption.
--- diff --git a/docs/kms/umn/kms_01_0043.html b/docs/kms/umn/kms_01_0043.html deleted file mode 100644 index 4156184a..00000000 --- a/docs/kms/umn/kms_01_0043.html +++ /dev/null @@ -1,128 +0,0 @@ - - ---Parent topic: FAQs-Change History
--- diff --git a/docs/kms/umn/kms_01_0044.html b/docs/kms/umn/kms_01_0044.html index 0622546d..f32c8a4f 100644 --- a/docs/kms/umn/kms_01_0044.html +++ b/docs/kms/umn/kms_01_0044.html @@ -1,7 +1,46 @@ --
-Released On
-Description
-2023-06-15
-This is the nineteenth official release.
-Added section "How Does KMS Protect My Keys?"
-2022-09-30
-This issue is the eighteenth official release.
-Optimized the content in section "Creating a Custom KMS Policy".
-2021-11-30
-This issue is the seventeenth official release.
-- Deleted description about DSS in "Application Scenarios" and "Accessing and Using KMS".
- Added examples for creating a key and using a custom key policy in "Creating a Custom KMS Policy".
2021-10-20
-This issue is the sixteenth official release.
-- Added description about DSS in "Application Scenarios" and "Accessing and Using KMS".
- Added description about fine-grained authorization in "Permissions Management".
2021-09-22
-This is the fifteenth official release.
-- Updated screenshots in "Managing Tags".
- Updated screenshots in "Managing a Grant".
2020-08-18
-This is the fourteenth official release.
-- Modified the operation name of batchCreateKeyTags in section "Related Services".
- Updated the description in section "Creating a Key".
2020-06-29
-This is the thirteenth official release.
-- Modified operations and information displayed on the rotation setting page in section "Enabling Key Rotation".
- Added the section "Disabling Key Rotation".
2019-12-10
-This is the twelfth official release.
-- Added section "Enabling Key Rotation".
- Added the description about enabling key rotation to section "Functions".
- Added the description of enabling key rotation, changing the key rotation period, and disabling key rotation to section "Related Services".
- Updated screenshots.
2018-09-05
-This is the eleventh official release.
-Updated screenshots.
-2018-07-30
-This is the tenth official release.
-- Added section "Adding a Tag".
- Added section "Searching for Tags".
- Added section "Modifying Tag Values".
- Added section "Deleting Tags".
- Modified contents in section "Functions": added description about adding, editing, and deleting tags.
- Modified section "Related Services": added descriptions about the operations of adding tags, deleting tags, adding tags in batches, and deleting tags in batches.
- Modified section "Creating a Key": added the procedure for adding a tag.
- Modified section "Importing Key Material": added the procedure for adding a tag.
- Accepted in OTC 3.1.
- Added description about RSAES_OAEP_SHA_256 and RSAES_OAEP_SHA_1 algorithms.
- Added the description about using KMS encryption for RDS.
- Added description about the relationship between KMS and RDS, as well as how to use RDS together with KMS.
2018-06-15
-This is the ninth official release.
-- Added the description about using KMS encryption for SFS.
- Added description about relationships between KMS and SFS, as well as how to use these services together with KMS.
- Updated screenshots.
- Modified section "Importing Key material": updated the screenshots.
- Modified section "Deleting Key material": added related descriptions.
- Modified section "Configuring SMN-Enabled Event Notification": updated screenshots.
- Modified section "Importing Key Material": added the description about how to obtain the wrapping key and import token calling the API.
- Updated screenshots.
2018-03-30
-This is the eighth official release.
-- Updated screenshots.
- Added section "Importing a CMK".
- Added section "Overview".
- Added section "Importing Key Material".
- Added section "Deleting Key Material".
- Added the description of importing and deleting keys to section "Related Services".
- Updated screenshots.
2017-11-30
-This is the seventh official release.
-Updated a screenshot in section "Scheduling the Deletion of One or Multiple CMKs."
-2017-10-30
-This is the sixth official release.
-- Added operations creating a grant, retiring a grant, and revoking a grant to the table of supported KMS operations in section "Related Services."
- Added section "Configuring SMN."
- Added section "Creating a Grant."
- Added section "Querying a Grant."
- Added section "Revoking a Grant."
2017-08-30
-This is the fifth official release.
-- Added section "Project."
- Added the step of selecting a project.
- Updated some screenshots.
2017-06-30
-This is the fourth official release.
-- Added operations changing the alias of a CMK, changing the description of a CMK, and prompting risks about CMK deletion to table "KMS operations that CTS supports" in section "Related Services."
- Added section "Changing the Alias and Description of a CMK."
2017-03-31
-This is the third official release.
-- Added section "Glossary".
- Added section "User Permissions."
2017-01-20
-This is the second official release.
-- Added definitions of OBS, EVS, and IMS and optimized description about application scenarios.
- Optimized description about SSE-KMS and description about KMS operations that CTS supports.
- Added description about how to create a DEK and a plaintext-free DEK.
- Added description about relationships between KMS, EVS and IMS as well as how to use these services together with KMS.
- Added description about how to encrypt data on EVS disks.
- Added description about how to encrypt private images.
2016-12-30
-This is the first official release.
-Glossary
-- +For details about the glossaries in this document, see Glossary.
-What Is a Customer Master Key?
++A Customer Master Key (CMK) is a Key Encryption Key (KEK) created by a user on KMS. It is used to encrypt and protect DEKs. One CMK can be used to encrypt one or more DEKs.
+CMKs are categorized into custom keys and default keys.+- Custom keys +
- Default keys
When a user uses KMS for encryption in a cloud service for the first time, the cloud service automatically creates a key with the alias suffix /default.
+You can use the management console to query but cannot disable or schedule the deletion of Default Master Keys.
+ ++
+Table 1 Default Master Keys Alias
+Cloud Service
+obs/default
+Object Storage Service (OBS)
+evs/default
+Elastic Volume Service (EVS)
+ims/default
+Image Management Service (IMS)
+sfs/default
+Scalable File Service (SFS)
+
+diff --git a/docs/kms/umn/kms_01_0045.html b/docs/kms/umn/kms_01_0045.html index 95788eb9..2e14a5a7 100644 --- a/docs/kms/umn/kms_01_0045.html +++ b/docs/kms/umn/kms_01_0045.html @@ -1,23 +1,45 @@ -++Parent topic: KMS Related+Key Management
- +What Is a Default Key?
+A default key is automatically created by another cloud service using KMS, such as Object Storage Service (OBS). The alias of a default key ends with /default.
+You can use the management console to query but cannot disable or schedule the deletion of default keys.
+Default keys are hosted for free, and are charged based on the number of the API requests for them. If API requests exceed the free limit, the excess part will be charged.
+ ++
+Table 1 Default Master Keys Alias
+Cloud Service
+obs/default
+Object Storage Service (OBS)
+evs/default
+Elastic Volume Service (EVS)
+ims/default
+Image Management Service (IMS)
+sfs/default
+Scalable File Service (SFS)
++ A default key is automatically created when a user employs the KMS encryption function for the first time in another cloud service.
+-diff --git a/docs/kms/umn/kms_01_0046.html b/docs/kms/umn/kms_01_0046.html index 9642d908..f507a0b8 100644 --- a/docs/kms/umn/kms_01_0046.html +++ b/docs/kms/umn/kms_01_0046.html @@ -1,32 +1,11 @@ --
-
- Concepts
-
- - Functions
-
- - Product Advantages
-
- - Application Scenarios
-
- - Accessing and Using KMS
-
-
-Parent topic: Service Overview+Parent topic: KMS RelatedApplication Scenarios
-KMS can manage CMKs used for data encryption and decryption in Object Storage Service (OBS), Elastic Volume Service (EVS), Image Management Service (IMS), Scalable File Service (SFS), Relational Database Service (RDS), and user applications.
-- For OBS, KMS applies to object encryption on OBS.-
OBS is an object-based storage service that provides customers with massive, secure, reliable, and cost-effective data storage capabilities, including but not limited to bucket creation, modification, deletion, and management, as well as object upload, download, deletion, and general management. OBS can store all file types, and is suitable for individual subscribers, websites, enterprises, and developers. For more information about OBS, see Object Storage Service User Guide.
- - For EVS, KMS applies to data encryption in EVS disks.-
Based on a distributed architecture, an EVS disk is a virtual block storage device that can be elastically scaled up and down. EVS disks can be operated online. Using them is the same as using common server hard disks. Compared with traditional hard disks, EVS disks have higher data reliability and I/O throughput and are easier to use. EVS disks can be used in file systems, databases, and system software applications that require block storage devices. For more information about EVS, see the Elastic Volume Service User Guide.
- - For IMS, KMS applies to the creation of encrypted private images.-
IMS provides easy-to-use self-service image management functions. You can apply for a cloud server using either a private image or a public image. You can also create a private image using an existing ECS or an external image file. For more information about IMS, see the Image Management Service User Guide.
- - For SFS, KMS applies to data encryption for files in SFS.-
SFS provides high-performance file storage that is scalable on demand. It can be shared with multiple cloud servers. For more information, see the Scalable File Service User Guide.
- - For RDS, KMS applies to disk encryption in RDS database instances.-
RDS is an online relational database service based on the cloud computing platform. RDS is out-of-box, reliable, scalable, and easy to manage. For more information about RDS, see the Relational Database Service User Guide.
- - For user applications
To encrypt plaintext data, a user application can call the necessary KMS API to generate a DEK, which can then be used to encrypt the plaintext data. Then the application can store the encrypted data. In addition, the user application can call the necessary KMS APIs to create CMKs. DEKs can be stored in ciphertext after being encrypted with the CMKs. Figure 1 shows envelope encryption working principles.
-To ensure the security of the user's encrypted data, KMS does not save DEKs in plaintext or ciphertext. Instead, it manages the CMKs of users to enable users to obtain and use DEKs securely.
- -
What Is a Data Encryption Key?
+A data encryption key (DEK) is used to encrypt data.
- - \ No newline at end of file diff --git a/docs/kms/umn/kms_01_0047.html b/docs/kms/umn/kms_01_0047.html index f1a0eb44..3a2c6441 100644 --- a/docs/kms/umn/kms_01_0047.html +++ b/docs/kms/umn/kms_01_0047.html @@ -1,17 +1,13 @@ --Parent topic: Key Management+Parent topic: KMS RelatedFunctions
-KMS provides the following functions:
-- Manages CMKs. -
- Creates, encrypts, and decrypts DEKs, and retires a grant on a CMK.
By calling APIs, you can create, encrypt, and decrypt DEKs, and retire a grant on a CMK. For details, see the Key Management Service API Reference.
- - Generates hardware true random numbers.
You can generate 512-bit hardware true random numbers using a KMS API. The 512-bit hardware true random numbers can be used as or serve as basis for keys and encryption parameters. For details, see the .
-
What Is Key Management Service?
+KMS is a secure, reliable, and easy-to-use cloud service that helps users create, manage, and protect keys in a centralized manner.
+It uses Hardware Security Modules (HSMs) to protect keys. All keys are protected by root keys in HSMs to avoid key leakage. The HSM module meets the FIPS 140-2 Level 3 security requirements.
+It also controls access to keys and records all operations on keys with traceable logs. In addition, it provides use records of all keys, meeting your audit and regulatory compliance requirements.
diff --git a/docs/kms/umn/kms_01_0048.html b/docs/kms/umn/kms_01_0048.html new file mode 100644 index 00000000..c76ae83d --- /dev/null +++ b/docs/kms/umn/kms_01_0048.html @@ -0,0 +1,59 @@ + + +-Parent topic: Key Management+Parent topic: KMS RelatedKMS Related
+ +++ diff --git a/docs/kms/umn/kms_01_0049.html b/docs/kms/umn/kms_01_0049.html new file mode 100644 index 00000000..039eb765 --- /dev/null +++ b/docs/kms/umn/kms_01_0049.html @@ -0,0 +1,11 @@ + + +-
+
- What Is Key Management Service?
+
+ - What Is a Customer Master Key?
+
+ - What Is a Default Key?
+
+ - What Are the Differences Between a Custom Key and a Default Key?
+
+ - What Is a Data Encryption Key?
+
+ - Why Cannot I Delete a CMK Immediately?
+
+ - Which Cloud Services Can Use KMS for Encryption?
+
+ - How Do Cloud Services Use KMS to Encrypt Data?
+
+ - What Are the Benefits of Envelope Encryption?
+
+ - Is There a Limit on the Number of Custom Keys That I Can Create on KMS?
+
+ - Can I Export a CMK from KMS?
+
+ - Can I Decrypt My Data if I Permanently Delete My Custom Key?
+
+ - How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data?
+
+ - Can I Update CMKs Created by KMS-Generated Key Materials?
+
+ - When Should I Use a CMK Created with Imported Key Materials?
+
+ - What Types of Keys Can I Import?
+
+ - What Should I Do When I Accidentally Delete Key Materials?
+
+ - What Should I Do If I Do Not Have the Permissions to Perform Operations on KMS?
+
+ - Why Can't I Wrap Asymmetric Keys by Using -id-aes256-wrap-pad in OpenSSL?
+
+ - Key Algorithms Supported by KMS
+
+ - What Is the Relationship Between the Ciphertext and Plaintext Returned by the encrypt-data API?
+
+ - How Does KMS Protect My Keys?
+
+ - Does an Imported Key Support Rotation?
+
+
++Parent topic: FAQs+Why Cannot I Delete a CMK Immediately?
++The decision to delete a CMK should be considered with great caution. Before deletion, confirm that the CMK's encrypted data has all been migrated. As soon as the CMK is deleted, you will not be able to decrypt data with it. Therefore, KMS offers a user-specified period of 7 to 1096 days for the deletion to finally take effect. On the scheduled day of deletion, the CMK will be permanently deleted. However, prior to the scheduled day, you can still cancel the pending deletion. This is a means of precaution within KMS.
+++ diff --git a/docs/kms/umn/kms_01_0050.html b/docs/kms/umn/kms_01_0050.html new file mode 100644 index 00000000..99d1f21d --- /dev/null +++ b/docs/kms/umn/kms_01_0050.html @@ -0,0 +1,57 @@ + + +++Parent topic: KMS Related+Which Cloud Services Can Use KMS for Encryption?
++Object Storage Service (OBS), Elastic Volume Service (EVS), Image Management Service (IMS), Scalable File Service (SFS), Document Database Service (DDS), and Relational Database Service (RDS) can use KMS for encryption.
+ ++
+Table 1 List of cloud services that use KMS encryption Service Name
+Description
+Object Storage Service (OBS)
+You can upload objects to and download them from Object Storage Service (OBS) in common mode or server-side encryption mode. When you upload objects in encryption mode, data is encrypted at the server side and then securely stored on OBS in ciphertext. When you download encrypted objects, the data in ciphertext is decrypted at the server side and then provided to you in plaintext. OBS supports the server-side encryption with KMS-managed keys (SSE-KMS) mode. In SSE-KMS mode, OBS uses the keys provided by KMS for server-side encryption.
+For details about how to upload objects to OBS in SSE-KMS mode, see the Object Storage Service Console Operation Guide.
+Elastic Volume Service (EVS)
+If you enable the encryption function when creating an EVS disk, the disk will be encrypted with the DEK generated by using your CMK. Data stored in the EVS disk will be automatically encrypted.
+For details about how to use the encryption function of EVS, see Elastic Volume Service User Guide.
+Image Management Service (IMS)
+When creating a private image using an external image file, you can enable the private image encryption function and select a CMK provided by KMS to encrypt the image.
+For details about how to use the private image encryption function of Image Management Service (IMS), see Image Management Service User Guide.
+Scalable File Service (SFS)
+When creating a file system on SFS, the CMK provided by KMS can be selected to encrypt the file system, so that files stored in the file system are automatically encrypted.
+For details about how to use the file system encryption function of SFS, see Scalable File Service User Guide.
+Relational Database Service (RDS)
+When purchasing a database instance, you can enable the disk encryption function of the database instance and select a CMK created on KMS to encrypt the disk of the database instance. Enabling the disk encryption function will enhance data security.
+For details about how to use the disk encryption function of RDS, see Relational Database Service User Guide.
+Document Database Service (DDS)
+When purchasing a DDS instance, you can enable the disk encryption function of the instance and select a CMK created on KMS to encrypt the disk of the instance. Enabling the disk encryption function will enhance data security.
+For details about how to use the disk encryption function of DDS, see Document Database Service User Guide.
+++ diff --git a/docs/kms/umn/kms_01_0053.html b/docs/kms/umn/kms_01_0053.html new file mode 100644 index 00000000..025e6158 --- /dev/null +++ b/docs/kms/umn/kms_01_0053.html @@ -0,0 +1,15 @@ + + +++Parent topic: KMS Related+How Do Cloud Services Use KMS to Encrypt Data?
++Services (such as OBS, IMS, EVS, SFS, DDS, and RDS) use the envelope encryption method provided by KMS to protect data.
++ + Envelope encryption is an encryption method that enables DEKs to be stored, transmitted, and used in "envelopes" of CMKs. As a result, CMKs do not directly encrypt and decrypt data.
+When users download the data from the cloud, the cloud service uses the CMK specified by KMS to decrypt the ciphertext DEK, use the decrypted DEK to decrypt data, and then provide the decrypted data for users to download.
+++ diff --git a/docs/kms/umn/kms_01_0054.html b/docs/kms/umn/kms_01_0054.html index 3242040c..f3f681b3 100644 --- a/docs/kms/umn/kms_01_0054.html +++ b/docs/kms/umn/kms_01_0054.html @@ -1,40 +1,23 @@ -++Parent topic: KMS Related+Overview
-A custom key contains key metadata (key ID, key alias, description, key status, and creation date) and key materials used for encrypting and decrypting data.-- When a user uses the KMS console to create a custom key, the KMS automatically generates a key material for the custom key.
- If you want to use your own key material, you can use the key import function on the KMS console to create a custom key whose key material is empty, and import the key material to the custom key.
-Important Notes
- Security
You need to ensure that random sources meet your security requirements when using them to generate key materials. When using the import key function, you need to be responsible for the security of your key materials. Save the original backup of the key material so that the backup key material can be imported to the KMS in time when the key material is deleted accidentally.
- - Availability and Durability
Before importing the key material into KMS, you need to ensure the availability and durability of the key material.
-Differences between the imported key material and the key material generated by KMS are shown in Table 1.
- -- - Association
When a key material is imported to a custom key, the custom key is permanently associated with the key material. Other key materials cannot be imported into the custom key.
- - Uniqueness
If you use the custom key created using the imported key material to encrypt data, the encrypted data can be decrypted only by the custom key that has been used to encrypt the data, because the metadata and key material of the custom key must be consistent.
diff --git a/docs/kms/umn/kms_01_0055.html b/docs/kms/umn/kms_01_0055.html index 425a8e8a..db03d04e 100644 --- a/docs/kms/umn/kms_01_0055.html +++ b/docs/kms/umn/kms_01_0055.html @@ -1,190 +1,39 @@ --Parent topic: Creating CMKs Using Imported Key Material+Parent topic: KMS RelatedImporting a Key Material
--Scenario
If you want to use your own key material instead of the KMS-generated material, you can use the console to import your key material to KMS. CMKs created using imported material and KMS-generated material are managed together by KMS.
-This section describes how to import key material through KMS Console.
-- - A CMK with imported material works in the same way as one using KMS-generated material, that is, you enable and disable them as well as schedule their deletion and cancel their scheduled deletion in the same way.
- You can only import 256-bit symmetric keys.
-Prerequisites
- You have prepared the key material to be imported.
Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- In the upper right corner, click Import Key.
- In the Import Key dialog box, set the alias and description of the key.Figure 1 Creating a CMK-
- Alias is the alias of the key to be created.-
- You can enter digits, letters, underscores (_), hyphens (-), colons (:), and slashes (/).
- You can enter up to 255 characters.
- (Optional) Description is the description of the custom key.
- (Optional) Add tags as needed, and enter the tag key and tag value.-
- When a CMK has been created without any tag, you can add a tag to the CMK later as necessary. Click the alias of the CMK. The page with key details is displayed. Then you can add tags to the CMK.
- The same tag (including tag key and tag value) can be used for different CMKs. However, under the same CMK, one tag key can have only one tag value.
- A maximum of 10 tags can be added for one CMK.
- If you want to delete a tag to be added when adding multiple tags, you can click Delete in the row where the tag to be added is located to delete the tag.
- Alias is the alias of the key to be created.
- Click security and durability to read and confirm information regarding the security and durability of the imported key.
- Select I understand the security and durability of using an imported key, and create a CMK whose key material is empty.
- Click Next to go to the Download the Import Items step. Select a key-wrapping algorithm according to Table 1.Figure 2 Obtaining the wrapping key and import token+
What Are the Differences Between a Custom Key and a Default Key?
+The following table describes the differences between a custom key and a default key.
-Table 1 Key wrapping algorithms Algorithm
+-Table 1 Differences between a custom key and a default key Item
Description
+Definition
Configuration
+Difference
RSAES_OAEP_SHA_256
+Custom key
RSA encryption algorithm that uses OAEP and has the SHA-256 hash function
+A Key Encryption Key (KEK) created using KMS. The key is used to encrypt and protect DEKs.
+A custom key can be used to encrypt multiple DEKs.
Choose an algorithm from the drop-down list box.
-- If the HSMs support the RSAES_OAEP_SHA_256 algorithm, use RSAES_OAEP_SHA_256 to encrypt the key material.
- If the HSMs do not support OAEP, use RSAES_PKCS1_V1_5 to encrypt the key material.
NOTICE:+The RSAES_OAEP_SHA_1 encryption algorithm is no longer secure. Exercise caution when performing this operation.
-- It can be disabled and scheduled for deletion.
- It is billed per use after the being created or imported.
RSAES_PKCS1_V1_5
+Default key
RSA encryption algorithm (v1.5) of Public-Key Cryptography Standards number 1 (PKCS #1)
+Automatically generated by the system when you use KMS to encrypt data in another cloud service for the first time. The suffix of the key is /default.
+Example: evs/default
RSAES_OAEP_SHA_1
-RSA encryption algorithm that uses Optimal Asymmetric Encryption Padding (OAEP) and has the SHA-1 hash function
+- It cannot be disabled or scheduled for deletion.
- If you stop a key material import process and want to try again, click Import Key Material in the row of the required CMK, and import key material in the dialog box that is displayed.
-- Click Download. The following files are downloaded: wrappingKey, importToken, and README. These are displayed in Figure 3. -
- wrappingKey_CMK ID_download time is a wrapping key used to encrypt the key material.
- importToken_CMK ID_download time is an import token used to import key material to KMS.
- README_CMK ID_download time is a description file recording information such as a CMK's serial number, wrapping algorithm, wrapping key name, token file name, and the expiration time of the token file and wrapping key.-
The wrapping key and import token expire within 24 hours of creation. If they have expired, download them again.
-
Alternatively, you can obtain the wrapping key and import token by calling the API.-- Call the get-parameters-for-import API to obtain the wrapping key and import token.
The following example describes how to obtain the wrapping key and import token of a CMK (ID: 43f1ffd7-18fb-4568-9575-602e009b7ee8; encryption algorithm: RSAES_PKCS1_V1_5).
-public_key: The content of the wrapping key (Base-64 encoding) returned after calling the API
-import_token: Content of the import token (Base-64 encoding) returned after calling the API
-- Request example
{ - "key_id": "43f1ffd7-18fb-4568-9575-602e009b7ee8", - "wrapping_algorithm":"RSAES_PKCS1_V1_5" -}- - Response example:
{ - "key_id": "43f1ffd7-18fb-4568-9575-602e009b7ee8", - "public_key":"public key base64 encoded data", - "import_token":"import token base64 encoded data", - "expiration_time":1501578672 -}-
- Request example
- Save the wrapping key, and convert its format according to the following procedure. Only the key material that is encrypted using the converted wrapping key can be imported to the management console.
- Copy the content of the wrapping key public_key, save it to the .txt file as PublicKey.b64.
- Run the following command to convert the Base-64 coding of the PublicKey.b64 file to binary data, and save the converted file as PublicKey.bin:
openssl enc -d -base64 -A -in PublicKey.b64 -out PublicKey.bin
-
- Save the import token, copy the content of the import_token token, paste it to a .txt file, and save the file as ImportToken.b64.
- You use the downloaded wrappingKey file to encrypt the key material to be imported.
- Method 1: Use the downloaded wrapping key to encrypt the key material on your HSM. For details, see the operation guide of your HSM.
- Method 2: Use OpenSSL to encrypt a key material and use the downloaded wrapping key to encrypt the key material.-
If you need to run the openssl pkeyutl command, the OpenSSL version must be 1.0.2 or later.
-The following example describes how to use the downloaded wrapping key to encrypt the generated key material (256-bit symmetric key). The procedure is as follows:-- Run the following command to generate the key material (256-bit symmetric key) and save the generated key material as PlaintextKeyMaterial.bin:
openssl rand -out PlaintextKeyMaterial.bin 32
- - Use the downloaded wrapping key to encrypt the key material and save the encrypted key material as EncryptedKeyMaterial.bin.
Replace PublicKey.bin in the command with the name of the wrapping key wrappingKey_key ID_download time downloaded in 9.
- --
-Table 2 Encrypting the generated key material using the downloaded wrapping key Wrapping Key Algorithm
-Key Materials Encryption
-RSAES_OAEP_SHA_256
-openssl pkeyutl
--in PlaintextKeyMaterial.bin
--inkey PublicKey.bin
--out EncryptedKeyMaterial.bin
--keyform der
--pubin -encrypt
--pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
-RSAES_PKCS1_V1_5
-openssl rsautl -encrypt
--in PlaintextKeyMaterial.bin
--pkcs
--inkey PublicKey.bin
--keyform der
--pubin
--out EncryptedKeyMaterial.bin
-RSAES_OAEP_SHA_1
-openssl pkeyutl
--in PlaintextKeyMaterial.bin
--inkey PublicKey.bin
--out EncryptedKeyMaterial.bin
--keyform der
--pubin -encrypt
--pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1
-
- Run the following command to generate the key material (256-bit symmetric key) and save the generated key material as PlaintextKeyMaterial.bin:
- Click Next. Go to the Import Key Material step. Configure the parameters as described in Table 3.
Figure 4 Importing key material- -
-
-Table 3 Parameters for importing key material Parameter
-Description
-Key ID
-Random ID of a CMK generated during the CMK creation
-Key material
-- Use the key material encrypted by the wrappingKey file downloaded in 9.
- Click Import to import the key material.
- Click Next to go to the Import Key Token step. Configure the parameters as described in Table 4.
Figure 5 Importing a key token- -
-
-Table 4 Parameters for importing a key token Parameter
-Description
-Key ID
-Random ID of a CMK generated during the CMK creation
-Token
-Select the importToken downloaded in 9.
-Key material expiration mode
-- Key material will never expire: This option specifies that key material will not expire after import.
- Key material expires on: This option specifies the expiration time of the key material. By default, the key material expires in 24 hours after import.
When the key material expires, KMS will delete them in 24 hours, making the CMK unusable and the CMK status Pending import.
-
- Click OK.
-- Key material can be successfully imported when it matches the corresponding CMK ID and token.
-Your imported material is displayed in the list of CMKs. The default status of an imported CMK is Enabled.
-- - \ No newline at end of file diff --git a/docs/kms/umn/kms_01_0056.html b/docs/kms/umn/kms_01_0056.html new file mode 100644 index 00000000..c910a1e3 --- /dev/null +++ b/docs/kms/umn/kms_01_0056.html @@ -0,0 +1,12 @@ + + +-Parent topic: Creating CMKs Using Imported Key Material+Parent topic: KMS RelatedIs There a Limit on the Number of Custom Keys That I Can Create on KMS?
++Yes.
+You can create a maximum of 100 custom keys, including those in enabled, disabled, and pending deletion states. Default keys are not included.
+++ diff --git a/docs/kms/umn/kms_01_0058.html b/docs/kms/umn/kms_01_0058.html new file mode 100644 index 00000000..f8c98255 --- /dev/null +++ b/docs/kms/umn/kms_01_0058.html @@ -0,0 +1,12 @@ + + +++Parent topic: KMS Related+Can I Export a CMK from KMS?
++No.
+To ensure CMK security, users can only create and use CMKs in KMS.
+++ diff --git a/docs/kms/umn/kms_01_0059.html b/docs/kms/umn/kms_01_0059.html new file mode 100644 index 00000000..fb7255c6 --- /dev/null +++ b/docs/kms/umn/kms_01_0059.html @@ -0,0 +1,13 @@ + + +++Parent topic: KMS Related+Can I Decrypt My Data if I Permanently Delete My Custom Key?
++No.
+If you have permanently deleted your custom key, the data encrypted using it cannot be decrypted. Before the scheduled deletion date of the custom key, you can cancel the scheduled deletion.
+If the custom key is created using imported key material and only the key material is deleted, you can import the local backup of the key material to the custom key and reclaim the user data. If the key material is not backed up locally, user data cannot be reclaimed.
+++ diff --git a/docs/kms/umn/kms_01_0060.html b/docs/kms/umn/kms_01_0060.html new file mode 100644 index 00000000..0cafd98e --- /dev/null +++ b/docs/kms/umn/kms_01_0060.html @@ -0,0 +1,27 @@ + + +++Parent topic: KMS Related+How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data?
++You can use the online tool to encrypt or decrypt data in the following procedures:
++Encrypting Data
- Log in to the management console.
- Click . Choose . The Key Management Service page is displayed.
- Click Encrypt. In the text box on the left, enter the data to be encrypted, as shown in Figure 1. +
- Click Execute. Ciphertext of the data is displayed in the text box on the right.+
- Use the current CMK to encrypt the data.
- You can click Clear to clear the entered data.
- You can click Copy to Clipboard to copy the ciphertext and save it in a local file.
+ Enter the plaintext on the console, the text will be encoded to Base64 format before encryption.
+The decryption result returned via API will be in Base64 format. Perform Base64 decoding to obtain the plaintext entered on the console.
++Decrypting Data
- Log in to the management console.
- You can click any non-default key in Enabled status to go to the encryption and decryption page of the online tool.
- Click Decrypt. In the text box on the left, enter the data to be decrypted. For details, see Figure 2.+ +
- The tool will identify the original encryption CMK and use it to decrypt the data.
- If the key has been deleted, the decryption will fail.
- Click Execute. Plaintext of the data is displayed in the text box on the right.+
- You can click Copy to Clipboard to copy the plaintext and save it in a local file.
- Enter the plaintext on the console, the text will be encoded to Base64 format before encryption.
The decryption result returned via API will be in Base64 format. Perform Base64 decoding to obtain the plaintext entered on the console.
+
++ diff --git a/docs/kms/umn/kms_01_0062.html b/docs/kms/umn/kms_01_0062.html new file mode 100644 index 00000000..2a09d66f --- /dev/null +++ b/docs/kms/umn/kms_01_0062.html @@ -0,0 +1,12 @@ + + +++Parent topic: KMS Related+Can I Update CMKs Created by KMS-Generated Key Materials?
++No.
+Keys created using KMS-generated materials cannot be updated. You can only use KMS to create new CMKs to encrypt and decrypt data.
+++ diff --git a/docs/kms/umn/kms_01_0072.html b/docs/kms/umn/kms_01_0072.html deleted file mode 100644 index 0657b83c..00000000 --- a/docs/kms/umn/kms_01_0072.html +++ /dev/null @@ -1,32 +0,0 @@ - - -++Parent topic: KMS Related+Deleting One or More CMKs
---Scenario
This section describes how to use the management console to schedule the deletion of one or multiple unwanted CMKs.
-If deletion is scheduled for a CMK, the deletion will not take effect immediately. Instead, it will take effect after a waiting period of 7 to 1096 days. Before the specified deletion date, you can cancel the deletion if you want to use the CMK. Once the scheduled deletion has taken effect, the CMK will be deleted permanently and you will not be able to decrypt data encrypted by it. Therefore, you are advised to exercise caution when performing this operation.
-Before deleting the CMK, confirm that it is not in use and will not be used.
-- You can configure the SMN notification function to receive notifications when OBS fails to use the CMK to decrypt data before the deletion date. If you want to use the CMK again, cancel its deletion on the console. For SMN configuration instructions, see Configuring SMN.
- You can choose to go to the EVS page. In the search bar, select KMS key ID and enter the CMK ID to check whether the CMK to be deleted is being used by EVS.
- You can choose Computing > Image Management Service to go to the IMS page. Select the Private Image tab. In the search bar, select KMS key ID and enter the CMK ID to check whether the CMK to be deleted is being used by IMS.
- You can choose to go to the SFS page. In the search bar, select KMS key ID and enter the CMK ID to check whether the CMK to be deleted is being used by SFS.
- You can choose Database > Relational Database Service to view the database instance list, and click the name of the target database instance. On the details page of the database instance, check whether the key to be deleted is in use.
- Default Master Keys created by KMS cannot be scheduled for deletion.
--Prerequisites
- The CMK to be deleted is in Enabled, Disabled, or Pending Import status.
-Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- In the row containing the desired CMK, click Delete.Figure 1 Scheduling the deletion for one CMK-
- In the dialog box that is displayed, enter the number of days after which you want the deletion to take effect.Figure 2 Scheduling a deletion time-
- Click Yes to schedule the deletion.-
To delete multiple CMKs at a time, select them and click Delete in the upper left corner of the list.
-
-- - - \ No newline at end of file diff --git a/docs/kms/umn/kms_01_0073.html b/docs/kms/umn/kms_01_0073.html deleted file mode 100644 index 495274c9..00000000 --- a/docs/kms/umn/kms_01_0073.html +++ /dev/null @@ -1,12 +0,0 @@ - - ---Parent topic: Managing CMKs-What Is Key Management Service?
--Key Management Service (KMS) is a secure, reliable, and easy-to-use service that helps users centrally manage and safeguard their Customer Master Keys (CMKs).
-This service uses hardware security modules (HSMs) to protect CMKs. HSMs help you create and control CMKs with ease. All CMKs are protected by root keys in HSMs to avoid leakage caused by human error. KMS implements access control and log-based tracking on all operations involving CMKs. Additionally, it provides CMK operation records, meeting your audit and regulatory compliance requirements.
--- diff --git a/docs/kms/umn/kms_01_0074.html b/docs/kms/umn/kms_01_0074.html deleted file mode 100644 index 2e83146c..00000000 --- a/docs/kms/umn/kms_01_0074.html +++ /dev/null @@ -1,46 +0,0 @@ - - ---Parent topic: FAQs-What Is a Customer Master Key?
--A Customer Master Key (CMK) is a Key Encryption Key (KEK) created by a user using KMS. It is used to encrypt and protect Data Encryption Keys (DEKs). One CMK can be used to encrypt one or multiple DEKs.
-CMKs are categorized into custom keys and default keys.-- Custom keys -
- Default keys
When a user uses KMS for encryption in a cloud service for the first time, the cloud service automatically creates a key with the alias suffix /default.
-On the KMS console, you can query Default Master Keys, but can neither disable them nor schedule their deletion.
- --
-Table 1 Default Master Keys Alias
-Cloud Service
-obs/default
-Object Storage Service (OBS)
-evs/default
-Elastic Volume Service (EVS)
-ims/default
-Image Management Service (IMS)
-sfs/default
-Scalable File Service (SFS)
-
-- diff --git a/docs/kms/umn/kms_01_0088.html b/docs/kms/umn/kms_01_0088.html new file mode 100644 index 00000000..7ead0de4 --- /dev/null +++ b/docs/kms/umn/kms_01_0088.html @@ -0,0 +1,40 @@ + + +--Parent topic: FAQs-Overview
++A custom key contains key metadata (key ID, key alias, description, key status, and creation date) and key materials used for encrypting and decrypting data.+- When a user uses the KMS console to create a custom key, the KMS automatically generates a key material for the custom key.
- If you want to use your own key material, you can use the key import function on the KMS console to create a custom key whose key material is empty, and import the key material to the custom key.
+Important Notes
- Security
You need to ensure that random sources meet your security requirements when using them to generate key materials. When using the import key function, you need to be responsible for the security of your key materials. Save the original backup of the key material so that the backup key material can be imported to the KMS in time when the key material is deleted accidentally.
+ - Availability and Durability
Before importing the key material into KMS, you need to ensure the availability and durability of the key material.
+Differences between the imported key material and the key material generated by KMS are shown in Table 1.
+ ++ - Association
When a key material is imported to a custom key, the custom key is permanently associated with the key material. Other key materials cannot be imported into the custom key.
+ - Uniqueness
If you use the custom key created using the imported key material to encrypt data, the encrypted data can be decrypted only by the custom key that has been used to encrypt the data, because the metadata and key material of the custom key must be consistent.
+
++ diff --git a/docs/kms/umn/kms_01_0089.html b/docs/kms/umn/kms_01_0089.html new file mode 100644 index 00000000..63b6dafa --- /dev/null +++ b/docs/kms/umn/kms_01_0089.html @@ -0,0 +1,191 @@ + + +++Parent topic: Creating CMKs Using Imported Key Materials+Importing Key Materials
++If you want to use your own key materials instead of the KMS-generated materials, you can use the console to import your key materials to KMS. CMKs created using imported materials and KMS-generated materials are managed together by KMS.
+This section describes how to import key materials on the KMS console.
++Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click . Choose . The Key Management Service page is displayed.
- Click Import Key. The Import Key dialog box is displayed.
- Configure key parameters.Figure 1 Creating an empty key+
- Alias is the alias of the key to be created.+
- You can enter digits, letters, underscores (_), hyphens (-), colons (:), and slashes (/).
- You can enter up to 255 characters.
- (Optional) Description is the description of the custom key.+
You can enter up to 255 characters.
+
- Alias is the alias of the key to be created.
- (Optional) Add tags to the custom key as needed, and enter the tag key and tag value.+
- If a custom key has been created without any tag, you can add a tag to the custom key later if needed. Click the alias of the custom key, choose the Tags tab, and click Add Tag.
- The same tag (including tag key and tag value) can be used for different custom keys. However, under the same custom key, one tag key can have only one tag value.
- A maximum of 20 tags can be added for one custom key.
- If you want to delete a tag from the tag list when adding multiple tags, you can click Delete in the row where the tag to be added is located to delete the tag.
- Click security and durability to understand the security and durability of the imported key.
- Select I understand the security and durability of using an imported key, and create a custom key whose key material is empty.
- Click Next to go to the Download the Import Items step. Select a key wrapping algorithm based on Table 1.Figure 2 Obtaining the wrapping key and import token+ +
+
+Table 1 Key wrapping algorithms Algorithm
+Description
+Configuration
+RSAES_OAEP_SHA_256
+RSA algorithm that uses OAEP and has the SHA-256 hash function
+Select an algorithm based on your HSM functions.
+If the HSMs support the RSAES_OAEP_SHA_256 algorithm, use RSAES_OAEP_SHA_256 to encrypt key materials.
++ If you stop a key material import process and want to try again, click Import Key Material in the row of the required custom key, and import key material in the displayed dialog box.
+ - Obtain the wrapping key and import token. If you already have a key material, skip this step.
- Obtain the wrapping key and import token.
- Method 1: Click Download and Continue to download the wrapping key file, as shown in Figure 3.
+
- wrappingKey_KeyID is the wrapping key. It is encoded in binary format and used to encrypt the wrapping key of the key material.
- Import token: You do not need to download it. The import wizard automatically transfers the import token. If you close the wizard before completing the import, the token will automatically become invalid.
+ The wrapping key expires in 24 hours. If the wrapping key is invalid, download it again.
+The import wizard automatically transfers the import token. If you close the wizard before completing the import, the token will automatically become invalid. To retry import, open the import wizard again.
+
- Method 2: Obtain the wrapping key and import token by calling APIs.
- Call the get-parameters-for-import API to obtain the wrapping key and import token.
- public_key: content of the wrapping key (Base-64 encoding) returned after the API call
- import_token: content of the import token (Base-64 encoding) returned after the API call
The following example describes how to obtain the wrapping key and import token of a CMK (ID: 43f1ffd7-18fb-4568-9575-602e009b7ee8; algorithm: RSAES_OAEP_SHA_256).+- Example request
{ + "key_id": "43f1ffd7-18fb-4568-9575-602e009b7ee8", + "wrapping_algorithm":"RSAES_OAEP_SHA_256" +}+ - Example response
{ + "key_id": "43f1ffd7-18fb-4568-9575-602e009b7ee8", + "public_key":"public key base64 encoded data", + "import_token":"import token base64 encoded data", + "expiration_time":1501578672 +}+
- Save the wrapping key and convert its format. Only the key material encrypted using the converted wrapping key can be imported to the management console.
- Copy the content of the wrapping key public_key, paste it to a .txt file, and save the file as PublicKey.b64.
- Use OpenSSL to run the following command to perform Base-64 coding on the content of the PublicKey.b64 file to generate binary data, and save the converted file as PublicKey.bin:
openssl enc -d -base64 -A -in PublicKey.b64 -out PublicKey.bin
+
- Save the import token, copy the content of the import_token token, paste it to a .txt file, and save the file as ImportToken.b64.
- Call the get-parameters-for-import API to obtain the wrapping key and import token.
- Method 1: Click Download and Continue to download the wrapping key file, as shown in Figure 3.
+
- Use the wrapping key to encrypt the key material.+
After performing this step, you will obtain either of the following files:
+Symmetric key scenario: EncryptedKeyMaterial.bin (key material)
+Asymmetric key scenario: EncryptedKeyMaterial.bin (temporary key material) and out_rsa_private_key.der (private key ciphertext)
+Method 1: Use the downloaded wrapping key to encrypt key materials on your HSM. For details, see the operation guide of your HSM.
+Method 2: Use OpenSSL to generate a key material and use the downloaded wrapping key to encrypt the key material.++ If you need to run the openssl pkeyutl command, ensure your OpenSSL version is 1.0.2 or later.
+- Generate a key material (256-bit symmetric key) and save it as PlaintextKeyMaterial.bin.
- If the AES256 symmetric key algorithm is used, run the following command on the client where the OpenSSL tool has been installed: +
- If the RSA and ECC asymmetric key algorithms are used, run the following command on the client where the OpenSSL tool has been installed: +
- Use the downloaded wrapping key to encrypt the key material and save the encrypted key material as EncryptedKeyMaterial.bin.
If the wrapping key was downloaded from the console, replace PublicKey.bin in the following command with the wrapping key name wrappingKey_keyID.
+ ++
+Table 2 Encrypting the generated key material using the downloaded wrapping key Wrapping Key Algorithm
+Key Material Encryption
+RSAES_OAEP_SHA_256
+openssl pkeyutl
+-in PlaintextKeyMaterial.bin
+-inkey PublicKey.bin
+-out EncryptedKeyMaterial.bin
+-keyform der
+-pubin -encrypt
+-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
+ - (Optional) To import an asymmetric key, generate an asymmetric private key, use the temporary key material (EncryptedKeyMaterial.bin) to encrypt the private key, and import the encrypted file as the private key ciphertext.
- Take the RSA4096 algorithm as an example. Perform the following operations:
- Generate a private key. +
- Convert the format to PKCS8.
openssl pkcs8 -topk8 -inform PEM -in pkcs1_rsa_private_key.pem -outform pem -nocrypt -out rsa_private_key.pem
+ - Convert the PKCS8 format to the DER format.
openssl pkcs8 -topk8 -inform PEM -outform DER -in rsa_private_key.pem -out rsa_private_key.der -nocrypt
+ - Use a temporary key material to encrypt the private key.
openssl enc -id-aes256-wrap-pad -K $(cat 0xPlaintextKeyMaterial.bin) -iv A65959A6 -in rsa_private_key.der -out out_rsa_private_key.der
++ By default, the -id-aes256-wrap-pad algorithm is not enabled in OpenSSL. To wrap a key, upgrade OpenSSL to the latest version and patch it first. For details, see FAQs.
+
- Take the RSA4096 algorithm as an example. Perform the following operations:
- Generate a key material (256-bit symmetric key) and save it as PlaintextKeyMaterial.bin.
- Obtain the wrapping key and import token.
- The Import Key Material page is displayed.
+
+ +
+Table 3 Parameters for importing key materials (for symmetric keys) Parameter
+Description
+Key ID
+Random ID of a CMK generated during the CMK creation
+Key material
+Import a key material.
+For example, use the EncryptedKeyMaterial.bin file in 10.b.ii.
++
+Table 4 Parameters for importing key materials (for asymmetric keys) Parameter
+Description
+Key ID
+Random ID of a CMK generated during the CMK creation
+Temporary key material
+Import a temporary key material.
+For example, select the EncryptedKeyMaterial.bin file in 10.b.ii.
+Private key ciphertext
+Select private key ciphertext.
+For example, select the out_rsa_private_key.der file in 10.b.iii.
+ - Click Next to go to the Import Key Token step. Configure the parameters as described in Table 5.
+
+
+Table 5 Parameters for importing a key token Parameter
+Description
+Key ID
+Random ID of a CMK generated during the CMK creation
+Key import token
+Select the import token obtained via API in 12.b.
+Key material expiration mode
+- Key material will never expire: You use this option to specify that key materials will not expire after import.
- Key material will expire: You use this option to specify the expiration time of the key materials. By default, key materials expire in 24 hours after import.
After the key material expires, the system automatically deletes the key material within 24 hours. Once the key material is deleted, the key cannot be used and its status changes to Pending import.
+
- Click OK. When the Key imported successfully message is displayed in the upper right corner, the materials are imported.+
Key materials can be successfully imported when they match the corresponding CMK ID and token.
+Your imported materials are displayed in the list of CMKs. The default status of an imported CMK is Enabled.
+
++ diff --git a/docs/kms/umn/kms_01_0090.html b/docs/kms/umn/kms_01_0090.html new file mode 100644 index 00000000..144a9c14 --- /dev/null +++ b/docs/kms/umn/kms_01_0090.html @@ -0,0 +1,21 @@ + + +++Parent topic: Creating CMKs Using Imported Key Materials+Deleting Key Materials
++When importing key materials, you can specify their expiration time. After the key material expires, KMS deletes it, and the status of the custom key changes to Pending import. You can manually delete the key materials as needed. The effect of expiration of the key material is the same as that of manual deletion of the key material.
+This section describes how to delete imported key materials on the KMS console.
++ - To re-import a deleted key material, ensure the imported material is the same as the deleted one.
- Data encrypted using a CMK cannot be decrypted if the key material of the custom key was deleted. To decrypt the data, re-import the key material.
+Prerequisites
- You have imported key materials for a CMK.
- The material source of the CMK is External.
- The CMK status is Enabled or Disabled.
+Constraints
- To re-import a deleted key material, ensure the imported material is the same as the deleted one.
- Data encrypted using a CMK cannot be decrypted if the key material of the custom key was deleted. To decrypt the data, re-import the key material.
- After the deletion, the CMK will become unavailable and its status will change to Pending import.
- The key materials of asymmetric keys cannot be directly deleted. To delete them, perform the instructions in Deleting One or More CMKs.
+Procedure
- Log in to the management console.
- Click . Choose . The Key Management Service page is displayed.
- In the row containing the target CMK, click Delete Key Material.
- In the displayed dialog box, click OK. When Key material deleted successfully is displayed in the upper right corner, the key materials are successfully deleted.
After the deletion, the CMK will become unavailable and its status changes to Pending import.
+
++ diff --git a/docs/kms/umn/kms_01_0091.html b/docs/kms/umn/kms_01_0091.html new file mode 100644 index 00000000..0eea13f4 --- /dev/null +++ b/docs/kms/umn/kms_01_0091.html @@ -0,0 +1,21 @@ + + +++Parent topic: Creating CMKs Using Imported Key Materials+Service Overview
+ ++ ++ diff --git a/docs/kms/umn/kms_01_0092.html b/docs/kms/umn/kms_01_0092.html new file mode 100644 index 00000000..e82368c0 --- /dev/null +++ b/docs/kms/umn/kms_01_0092.html @@ -0,0 +1,11 @@ + + +FAQs
+ +++ diff --git a/docs/kms/umn/kms_01_0093.html b/docs/kms/umn/kms_01_0093.html deleted file mode 100644 index 4ff13513..00000000 --- a/docs/kms/umn/kms_01_0093.html +++ /dev/null @@ -1,13 +0,0 @@ - - --
+
- KMS Related
+
+
Will a CMK Be Charged After It Is Scheduled to Delete?
--No.
-The pending period of a CMK from its scheduling till its deletion is not charged.
-However, if you cancel the scheduled deletion, the charging resumes from the time when the CMK is scheduled to be deleted.
--- diff --git a/docs/kms/umn/kms_01_0094.html b/docs/kms/umn/kms_01_0094.html index cf93d351..6bdcd9c3 100644 --- a/docs/kms/umn/kms_01_0094.html +++ b/docs/kms/umn/kms_01_0094.html @@ -1,66 +1,62 @@ ---Parent topic: FAQs-Key Rotation Overview
-Purpose of Key Rotation
Keys that are widely or repeatedly used are insecure. To enhance the security of encryption keys, you are advised to periodically rotate keys and change their key materials.
-The purposes of key rotation are:
-- To reduce the amount of data encrypted by each key.
A key will be insecure if it is used to encrypt a huge number of data. The amount of data encrypted a key refers to the total number of bytes or messages encrypted using the key.
- - To enhance the capability of responding to security events.
In your initial system security design, you shall design the key rotation function and use it for routine O&M, so that it will be at hand when an emergency occurs.
- - To enhance the data isolation capability.
The ciphertext data generated before and after key rotation will be isolated. You can identify the impact scope of a security event based on the key involved and take actions accordingly.
+About Key Rotation
+-Purpose of Key Rotation
Keys that are widely or repeatedly used are insecure. To enhance the security of encryption keys, you are advised to periodically rotate keys and change their key materials.
+The purposes of key rotation are:
+- To reduce the amount of data encrypted by each key.
A key will be insecure if it is used to encrypt a huge number of data. The amount of data encrypted a key refers to the total number of bytes or messages encrypted using the key.
+ - To enhance the capability of responding to security events.
In your initial system security design, you shall design the key rotation function and use it for routine O&M, so that it will be at hand when an emergency occurs.
+ - To enhance the data isolation capability.
The ciphertext data generated before and after key rotation will be isolated. You can identify the impact scope of a security event based on the key involved and take actions accordingly.
Key Rotation Methods
You can use either of the following key rotation methods:
-- Manual key rotation
Replace the key in use with a new key. For example, if key A is in use, you can create key B using a new encryption material, and replace key A with key B. This achieves the same outcome as changing the key material of key A.
-
-Take OBS as an example. To manually rotate a key, create a new custom key on the KMS console. Replace the old custom key with the new one on the OBS console.
-Figure 1 Manual key rotation-
- Automatic key rotation
KMS automatically rotates keys based on the configured rotation period (365 days by default). The system automatically generates a new key to replace the key in use. Automatic key rotation only changes the key material of a CMK. The logical attributes of the key will not change, including its key ID, alias, description, and permissions.
-Automatic key rotation has the following characteristics:
-- Enable rotation for an existing custom key. KMS will automatically generate new key materials for the custom key.
- Data is not re-encrypted in an automatic key rotation. The DEK generated using the CMK is not automatically rotated, and data that has been encrypted using the CMK will not be encrypted again. If a DEK has been leaked, automatic rotation cannot contain the impact of the leakage.
Figure 2 Key rotation+
Key Rotation Methods
You can use either of the following key rotation methods:
+- Manual key rotation
Method 1: Create a key B to replace the currently used key A.
+Method 2: Modify the key A and use it.
+
+Take OBS as an example. To manually rotate a key, create a new custom key on the KMS console. Replace the old custom key with the new one on the OBS console.
+Figure 1 Manual key rotation+ - Automatic key rotation
KMS automatically rotates keys based on the configured rotation period (365 days by default). The system automatically generates a new key to replace the key in use. Automatic key rotation only changes the key material of a CMK. The logical attributes of the key will not change, including its key ID, alias, description, and permissions.
+Automatic key rotation has the following characteristics:
+- Enable rotation for an existing custom key. KMS will automatically generate new key materials for the custom key.
- Data is not re-encrypted in an automatic key rotation. The DEK generated using the CMK is not automatically rotated, and data that has been encrypted using the CMK will not be encrypted again. If a DEK has been leaked, automatic rotation cannot contain the impact of the leakage.
Figure 2 Key rotation
KMS retains all versions of a custom key, so that you can decrypt any ciphertext encrypted using the custom key.- KMS uses the latest version of the custom key to encrypt data.
- When decrypting data, KMS uses the custom key version that was used to encrypt the data.
KMS retains all versions of a custom key, so that you can decrypt any ciphertext encrypted using the custom key.- KMS uses the latest version of the custom key to encrypt data.
- When decrypting data, KMS uses the custom key version that was used to encrypt the data.
Rotation Modes
-Table 1 Key rotation modes Key Type
+-Table 1 Key rotation modes Key Type
Rotation Mode
+Rotation Mode
Default master key
+Default key
Cannot be rotated.
+Cannot be rotated.
User-defined key (imported CMK)
+Custom key
Can only be manually rotated.
-For more information about user-defined keys, see CMK Overview.
+Keys can be rotated automatically or manually, depending on the key algorithm type.
+- Symmetric key: Can be automatically or manually rotated.
- Asymmetric key: Can only be manually rotated.
Symmetric key
+Disabled CMK
Can be automatically or manually rotated.
+Disabled CMKs are not rotated. KMS keeps their rotation status unchanged. After a custom key is enabled, if it has been used for longer than the rotation period, KMS will immediately rotate keys. If the custom key has been used for shorter than the rotation period, KMS will implement the original rotation plan.
+For more information, see Disabling One or More CMKs.
Disabled CMK
+CMKs in pending deletion state
Disabled CMKs are not rotated. KMS keeps their rotation status unchanged. After a CMK is enabled, if it has been used for longer than the rotation period, KMS will immediately rotate keys. If the CMK has been used for shorter than the rotation period, KMS will implement the original rotation plan.
-For more information, see Disabling One or More CMKs.
-CMKs in pending deletion state
-Disabled CMKs are not rotated. KMS keeps their rotation status unchanged. After a CMK is enabled, if it has been used for longer than the rotation period, KMS will immediately rotate keys. If the CMK has been used for shorter than the rotation period, KMS will implement the original rotation plan.
-For more information, see Scheduling the Deletion of One or More Keys.
+KMS does not rotate CMKs in pending deletion status. After you cancel the deletion of a CMK, the previous key rotation status will be restored. If the custom key has been used for longer than the rotation period, KMS will immediately rotate keys. If the CMK has been used for shorter than the rotation period, KMS will implement the original rotation plan.
+For more information, see Scheduling the Deletion of One or More Keys.
@@ -70,10 +66,3 @@ - - \ No newline at end of file diff --git a/docs/kms/umn/kms_01_0095.html b/docs/kms/umn/kms_01_0095.html index d05e2252..f1502bf2 100644 --- a/docs/kms/umn/kms_01_0095.html +++ b/docs/kms/umn/kms_01_0095.html @@ -1,26 +1,19 @@ - You can check the rotation details on the Rotation Policy page, including the last rotation time and number of rotations.
+ You can check the rotation details on the Rotation Policy page, including the last rotation time and number of rotations.
Disabling Key Rotation
-+-Scenario
This section describes how to disable rotation for a key on the KMS console.
--Prerequisites
- The CMK is in Enabled status.
- The Origin of the CMK is KMS.
- Key rotation has been enabled.
-Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the alias of the desired CMK to view its details.
- Click Rotation Policy. The dialog box is displayed, as shown in Figure 1. -
- Click
to disable key rotation. - In the displayed Disable Rotation Policy dialog box, click Yes.Figure 2 Disabling key rotation-
- Check the rotation status, as shown in Figure 3. -
Managing a Grant
++- - \ No newline at end of file diff --git a/docs/kms/umn/kms_01_0096.html b/docs/kms/umn/kms_01_0096.html index da14f566..f55a2b18 100644 --- a/docs/kms/umn/kms_01_0096.html +++ b/docs/kms/umn/kms_01_0096.html @@ -1,74 +1,55 @@ --
+
- Creating a Grant
+
+ - Querying a Grant
+
+ - Revoking a Grant
+
+
-Parent topic: Rotating CMKs+Parent topic: Key Management ServiceQuerying a CMK
-Scenario
This section describes how to use the management console to view the information about a CMK, such as its alias, status, ID, and creation time. The status of a CMK can be Enabled, Disabled, Pending deletion, or Pending import.
+Creating a Grant
+You can create grants for other users or accounts to use the custom key. You can create a maximum of 100 grants on a custom key.
+-Prerequisites
- You have obtained the ID of the grantee (user to whom permissions are to be authorized).
- The target custom key is in Enabled status.
Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- In the CMK list you can view details about the CMKs.Figure 1 CMK list-
- Select the CMK status from the drop-down list of All statuses. Then the CMK list displays only the CMKs in the corresponding state.
- Enter the alias of a CMK in the search box on top of the CMK list. Click
or press Enter to search for the specified CMK. - You can click Search Tag to search for the CMK that meets the search criteria.
- You can click
at the upper right corner on top of the CMK list to show or hide columns of the CMK list.
+Constraints
- The owner of a custom key can create a grant for the custom key on the KMS console or by calling APIs. The users or accounts who have the grant creation permission assigned by the owner of the custom key can create grants for the custom key only by calling APIs.
- A maximum of 100 grants can be created for a custom key.
- Only users and accounts can be authorized. Agency authorization is not supported.
Procedure
- Log in to the management console.
- Click . Choose . The Key Management Service page is displayed.
- Click the alias of the target custom key to go to its details page and create a grant on it.
- Click the Grants tab.
- Click Create Grant. The Create Grant dialog box is displayed.
- In the dialog box that is displayed, enter the ID of the user to be authorized and select permissions to be granted. For more information, see Table 1.-
A grantee can perform the authorized operations only by calling the necessary APIs. For details, see the .
Table 1 describes the parameters of a CMK list.
-Table 1 CMK list parameters Parameter
+-- You can click the alias of a CMK to view its details.
Figure 2 Viewing CMK details+
- Click OK. When message Grant created successfully is displayed in the upper right corner, the grant has been created.
In the list of grants, you can view the grant name, grant type, grantee ID, granted operation, and creation time of the grant.
- - \ No newline at end of file diff --git a/docs/kms/umn/kms_01_0097.html b/docs/kms/umn/kms_01_0097.html new file mode 100644 index 00000000..0da52285 --- /dev/null +++ b/docs/kms/umn/kms_01_0097.html @@ -0,0 +1,55 @@ + + +-Parent topic: Managing CMKs+Parent topic: Managing a GrantQuerying a Grant
++You can view the details about a custom key grant on the KMS console, such as the grant ID, grantee user ID, granted operation, and creation time.
++Prerequisites
You have created a grant.
++Procedure
- Log in to the management console.
- Click . Choose . The Key Management Service page is displayed.
- Click the alias of the target custom key to view its details.
- Click Grant to view the grant information of the current custom key. Table 1 describes the parameters.
+
+
+Table 1 Parameter description Parameter
+Description
+Grant ID
+Randomly generated unique identification of a grant
+Granted To
+Whether permissions are granted to a user or account.
+Grantee ID
+ID of the authorized user or account.
+Granted Operations
+Authorized operations (such as Create Data Key) on the custom key
+Created
+Time when the grant is created
+Operation
+Operations that can be performed on a grant. For example, you can revoke a grant.
+
++ diff --git a/docs/kms/umn/kms_01_0098.html b/docs/kms/umn/kms_01_0098.html new file mode 100644 index 00000000..922cce6c --- /dev/null +++ b/docs/kms/umn/kms_01_0098.html @@ -0,0 +1,21 @@ + + +++Parent topic: Managing a Grant+Revoking a Grant
++You can revoke a grant on the KMS console in either of the following scenarios:
+- A grantee does not need the custom key grant. (The grantee can either tell the user who has created the grant to revoke the grant or call the necessary API to revoke the grant directly.)
- You do not want the grantee to have the grant.
When a grant is revoked, the grantee does not have the corresponding permission anymore. However, if the grantee has created the same grant to another user, permission of that user will not be affected.
+This section describes how to revoke a grant on the KMS console.
++Prerequisites
You have created a grant.
++Procedure
- Log in to the management console.
- Click . Choose . The Key Management Service page is displayed.
- Click the alias of the target custom key to view its details.
- In the row of a grantee, click Revoke Grant.
- In the dialog box that is displayed, click OK. If Grant grant ID revoked successfully is displayed in the upper right corner, the grant has been revoked.+
You can call the API to verify that the key grant has been revoked. For details about how to use APIs, see Key Management Service API Reference.
+For example, if the grant to create a data key is revoked for a user, an error will be reported when the user calls the API to create a data key.
+
++ diff --git a/docs/kms/umn/kms_01_0100.html b/docs/kms/umn/kms_01_0100.html deleted file mode 100644 index 51105985..00000000 --- a/docs/kms/umn/kms_01_0100.html +++ /dev/null @@ -1,12 +0,0 @@ - - -++Parent topic: Managing a Grant+Product Advantages
----- diff --git a/docs/kms/umn/kms_01_0101.html b/docs/kms/umn/kms_01_0101.html index 7d5221c7..3aef2dc4 100644 --- a/docs/kms/umn/kms_01_0101.html +++ b/docs/kms/umn/kms_01_0101.html @@ -1,39 +1,13 @@ ---Parent topic: Key Management-What Are the Differences Between a Custom Key and a Default Key?
-The following table describes the differences between a custom key and a default key.
- -+
-Table 1 Differences between a custom key and a default key Item
-Definition
-Difference
-Custom key
-A Key Encryption Key (KEK) created using KMS. The key is used to encrypt and protect DEKs.
-A custom key can be used to encrypt multiple DEKs.
-- It can be disabled and scheduled for deletion.
- It is billed per use after the being created or imported.
Default key
-Automatically generated by the system when you use KMS to encrypt data in another cloud service for the first time. The suffix of the key is /default.
-Example: evs/default
-- It cannot be disabled or scheduled for deletion.
- You are not charged when you use the cloud service automatically generated by the system. If the number of API requests exceeds 20,000, you will be billed.
Encrypting Data in RDS
+- When a user creates a database instance from Relational Database Service (RDS), the user can select Disk encryption and use the key provided by KMS to encrypt the disk of the database instance. For more information, see the Relational Database Service User Guide.Figure 1 Encrypting data in RDS+
You can use a custom key created on the KMS console for encryption.
+ - You can also call the RDS APIs to purchase encrypted database instances. For details, see the Relational Database Service User Guide.
diff --git a/docs/kms/umn/kms_01_0102.html b/docs/kms/umn/kms_01_0102.html index 8727239a..bd7b8315 100644 --- a/docs/kms/umn/kms_01_0102.html +++ b/docs/kms/umn/kms_01_0102.html @@ -1,12 +1,11 @@ --Parent topic: FAQs+Parent topic: Cloud Services with KMS IntegratedCan I Export a CMK from KMS?
-No.
-To ensure CMK security, users can only create and use CMKs in KMS.
+When Should I Use a CMK Created with Imported Key Materials?
+- If you do not want to use KMS-generated key materials, you can import your own key materials to create a CMK. Such a CMK allows deletion of only the key materials when you do not need it. In addition, when you find that the key materials are mis-deleted, you can import the same materials to the CMK.
- You can also import off-cloud key materials to KMS when you want to use the same keys on and off the cloud. This practice has proved useful when users migrate local encrypted data onto cloud.
diff --git a/docs/kms/umn/kms_01_0103.html b/docs/kms/umn/kms_01_0103.html new file mode 100644 index 00000000..588fd663 --- /dev/null +++ b/docs/kms/umn/kms_01_0103.html @@ -0,0 +1,11 @@ + + +-Parent topic: FAQs+Parent topic: KMS RelatedWhat Types of Keys Can I Import?
++You can import 256-bit symmetric keys.
+++ diff --git a/docs/kms/umn/kms_01_0104.html b/docs/kms/umn/kms_01_0104.html new file mode 100644 index 00000000..313dad6a --- /dev/null +++ b/docs/kms/umn/kms_01_0104.html @@ -0,0 +1,13 @@ + + +++Parent topic: KMS Related+What Should I Do When I Accidentally Delete Key Materials?
++You can import the backup key materials from your local device again.
++ Before importing key materials, you are advised to back up the materials. The materials to be re-imported must be consistent with the mis-deleted materials.
+++ diff --git a/docs/kms/umn/kms_01_0105.html b/docs/kms/umn/kms_01_0105.html new file mode 100644 index 00000000..e12de5d4 --- /dev/null +++ b/docs/kms/umn/kms_01_0105.html @@ -0,0 +1,13 @@ + + +++Parent topic: KMS Related+User Guide
+ ++ ++ diff --git a/docs/kms/umn/kms_01_0106.html b/docs/kms/umn/kms_01_0106.html index 32a95500..aee4e2dc 100644 --- a/docs/kms/umn/kms_01_0106.html +++ b/docs/kms/umn/kms_01_0106.html @@ -1,23 +1,25 @@ -What Are the Benefits of Envelope Encryption?
-+Envelope encryption is the practice of encrypting data with a DEK and then encrypting the DEK with a root key that you can fully manage. In this case, CMKs are not required for encryption or decryption.
-Benefits:
-- Advantages over CMK encryption in KMS
Users can use CMKs to encrypt and decrypt data on the KMS console or by calling KMS APIs.
-A CMK can encrypt and decrypt data no more than 4 KB. An envelope can encrypt and decrypt larger volumes of data.
-Data encrypted using envelopes does not need to be transferred. Only the DEKs need to be transferred to the KMS server.
- - Advantages over encryption by using cloud services
- Security
Data transferred to the cloud for encryption is exposed to risks such as interception and phishing.
-During envelope encryption, KMS uses Hardware Security Modules (HSMs) to protect keys. All CMKs are protected by root keys in HSMs to avoid key leakage.
- - Trustworthiness
You will worry about data security on the cloud. It is also difficult for cloud services to prove that they never misuse or disclose such data.
-If you choose envelope encryption, KMS will control access to keys and record all usages of and operations on keys with traceable logs, meeting your audit and regulatory compliance requirements.
- - Performance and cost
To encrypt or decrypt data using a cloud service, you have to send the data to the encryption server and receive the processed data. This process seriously affects your service performance and incurs high costs.
-Envelope encryption allows you to generate DEKs online by calling KMS cryptographic algorithm APIs, and to encrypt a large amount of local data with the DEKs.
-
- Security
Cloud Services with KMS Integrated
++ +diff --git a/docs/kms/umn/kms_01_0107.html b/docs/kms/umn/kms_01_0107.html deleted file mode 100644 index 6e8931ee..00000000 --- a/docs/kms/umn/kms_01_0107.html +++ /dev/null @@ -1,21 +0,0 @@ - - -How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data?
--You can use the online tool to encrypt or decrypt data in the following procedures:
--Encrypting Data
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the alias of the desired CMK to view its details on the online data encryption page.
- Click Encrypt. In the text box on the left, enter the data to be encrypted.
- Click Execute. The data encryption result is displayed in the text box on the right.-
- The key you clicked is used for encryption.
- To clear your input, click Clear.
- To copy the encrypted data, click Copy to Clipboard. You can then paste and save it to a local file.
-Decrypting Data
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the alias of an enabled key (excepting Default Master Keys) to open the online tool page.
- Click Decrypt. In the text box on the left, enter the data to be decrypted.-
- The online tool automatically identifies the key used for data encryption, and uses it to decrypt data.
- If the key has been deleted, the decryption will fail.
- Click Execute. The data decryption result is displayed in plaintext in the text box on the right.-
To copy the decrypted data, click Copy to Clipboard. You can then paste and save it to a local file.
-
-- diff --git a/docs/kms/umn/kms_01_0109.html b/docs/kms/umn/kms_01_0109.html deleted file mode 100644 index 17d9aac5..00000000 --- a/docs/kms/umn/kms_01_0109.html +++ /dev/null @@ -1,17 +0,0 @@ - - ---Parent topic: FAQs-Service Overview
- --- diff --git a/docs/kms/umn/kms_01_0114.html b/docs/kms/umn/kms_01_0114.html deleted file mode 100644 index b6766e4d..00000000 --- a/docs/kms/umn/kms_01_0114.html +++ /dev/null @@ -1,12 +0,0 @@ - - --
-
- Key Management
-
- - User Permissions
-
- - Permissions Management
-
- - Related Services
-
-
Can I Update CMKs Created by KMS-Generated Key Materials?
--No.
-Keys created using KMS-generated materials cannot be updated. You can only use KMS to create new CMKs to encrypt and decrypt data.
--- diff --git a/docs/kms/umn/kms_01_0115.html b/docs/kms/umn/kms_01_0115.html new file mode 100644 index 00000000..c9113439 --- /dev/null +++ b/docs/kms/umn/kms_01_0115.html @@ -0,0 +1,16 @@ + + +--Parent topic: FAQs-Advantages
+++Extensive Service Integration
- By integrating with OBS, EVS, and IMS, you can use KMS to manage the keys of the services or use KMS APIs to encrypt and decrypt local data.
- By integrating with Cloud Trace Service (CTS), you can use CTS to view recent KMS operation records.
+Regulatory Compliance
Keys are generated by third-party validated HSMs. Access to keys is controlled and all operations involving keys are traceable by logs, compliant with international laws and regulations.
++Easy to Use
You can use and manage keys easily using the console or APIs, needless to purchase hardware encryption devices.
+++ diff --git a/docs/kms/umn/kms_01_0116.html b/docs/kms/umn/kms_01_0116.html new file mode 100644 index 00000000..840cbaa5 --- /dev/null +++ b/docs/kms/umn/kms_01_0116.html @@ -0,0 +1,13 @@ + + +++Parent topic: KMS+Encrypting Data in SFS
++- When creating a file system using the Scalable File Service (SFS), you can select KMS encryption and use the key provided by the KMS to encrypt the file system.For details, see Figure 1. For more information, see the Scalable File Service User Guide.
+
You can use a custom key created on the KMS console for encryption.
+ - You can use the SFS API to create an encrypted file system. For details, see the Scalable File Service API Reference.
++ diff --git a/docs/kms/umn/kms_01_0121.html b/docs/kms/umn/kms_01_0121.html new file mode 100644 index 00000000..f67c45aa --- /dev/null +++ b/docs/kms/umn/kms_01_0121.html @@ -0,0 +1,23 @@ + + +++Parent topic: Cloud Services with KMS Integrated+KMS
+ +++ diff --git a/docs/kms/umn/kms_01_0133.html b/docs/kms/umn/kms_01_0133.html new file mode 100644 index 00000000..68da44fd --- /dev/null +++ b/docs/kms/umn/kms_01_0133.html @@ -0,0 +1,17 @@ + + +-
+
- Functions
+
+ - Advantages
+
+ - Application Scenarios
+
+ - Using KMS
+
+ - Cloud Services with KMS Integrated
+
+
++Parent topic: Service Overview+Permission Control
+ +++ diff --git a/docs/kms/umn/kms_01_0135.html b/docs/kms/umn/kms_01_0135.html new file mode 100644 index 00000000..3966d0ec --- /dev/null +++ b/docs/kms/umn/kms_01_0135.html @@ -0,0 +1,62 @@ + + +-
+
- Creating a User and Authorizing the User the Permission to Access KMS
+
+ - Creating a Custom KMS Policy
+
+
++Parent topic: User Guide+Creating a User and Authorizing the User the Permission to Access KMS
++This section describes IAM's fine-grained permissions management for your KMS resources. With IAM, you can:
+- Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has its own security credentials to access KMS resources.
- Grant users only the permissions required to perform a task.
- Entrust an account or cloud service to perform efficient O&M on your KMS resources.
If your account does not need individual IAM users, skip this chapter.
+This section describes the procedure for granting permissions (see Figure 1).
++Prerequisites
Before granting permissions to a user group, you need to understand the available KMS permissions, and grant permissions based on the real-life scenario. The following tables describe the permissions supported in KMS.
+ ++
+Table 1 KMS permissions Role/Policy
+Description
+Type
+KMS Administrator
+Administrator permissions for the encryption key
+Role
+KMS CMKFullAccess
+All permissions for the encryption keys
+Policy
+KMS CMK Admin
+All permissions for the encryption keys
+Policy
+KMS CMKReadOnlyAccess
+Read-only permission for encryption keys
+Policy
++Authorization Process
+Create a user group on the IAM console and grant the user group the permission (indicating full permissions for keys).
+Create a user on the IAM console and add the user to the user group created in 1.
+Log in to the console as newly created user, and verify that the user only has the assigned permissions.
+
++ diff --git a/docs/kms/umn/kms_01_0138.html b/docs/kms/umn/kms_01_0138.html index b32acc6b..21f8ab06 100644 --- a/docs/kms/umn/kms_01_0138.html +++ b/docs/kms/umn/kms_01_0138.html @@ -1,19 +1,19 @@++Parent topic: Permission Control+Rotating CMKs
- +diff --git a/docs/kms/umn/kms_01_0139.html b/docs/kms/umn/kms_01_0139.html index 61039c45..46e17395 100644 --- a/docs/kms/umn/kms_01_0139.html +++ b/docs/kms/umn/kms_01_0139.html @@ -1,19 +1,18 @@-
-
- Key Rotation Overview
+ - About Key Rotation
- Enabling Key Rotation
- - Disabling Key Rotation
+ - Disabling Key Rotation
-Parent topic: Key Management+Parent topic: Key Management ServiceEnabling Key Rotation
-Scenario
This section describes how to enable rotation for a key on the KMS console.
-By default, automatic key rotation is disabled for a CMK. Every time you enable key rotation, KMS automatically rotates CMKs based on the rotation period you set.
+This section describes how to enable rotation for a key on the KMS console.
+By default, automatic key rotation is disabled for a custom key. Every time you enable key rotation, KMS automatically rotates custom keys based on the rotation period you set.
+-Prerequisites
- The key is enabled.
- The Origin of the key is KMS.
- Only symmetric keys can be rotated.
Prerequisites
- The CMK is in Enabled status.
- The Origin of the CMK is KMS.
-Constraints
Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the alias of the desired CMK to view its details.
- Click Rotation Policy.Figure 1 Key rotation-
- Click
to enable key rotation. - In the Enable Rotation Policy dialog box, set the rotation period and click OK.Figure 2 Setting the rotation period-
Set the rotation period (unit: day) to an integer in the range 30 to 365. The default value is 365.
-After the setting takes effect, the new rotation period starts.
-If the CMK is frequently used, you are advised to set a short rotation period for it; otherwise, set a long one.
- - After rotation is enabled, the rotation details will be displayed, as shown in Figure 3.
-
After rotation is enabled, the CMK will be rotated based on your set period.
-- - \ No newline at end of file diff --git a/docs/kms/umn/kms_01_0142.html b/docs/kms/umn/kms_01_0142.html new file mode 100644 index 00000000..2bc8e750 --- /dev/null +++ b/docs/kms/umn/kms_01_0142.html @@ -0,0 +1,19 @@ + + + - KMS does not rotate a disabled CMK for which rotation has been enabled.
- KMS rotates it when it is enabled again. If it has been longer than the rotation period since the CMK was rotated last time, KMS will rotate the CMK within 24 hours.
- You can click
to change the rotation period. After the period is changed, KMS rotates the CMK based on the new period, which starts from the day when the change takes effect.
@@ -24,10 +23,3 @@Procedure
- Log in to the management console.
- Click . Choose . The Key Management Service page is displayed.
- Click the alias of the target custom key to view its details.
- Click the Rotation Policy tab. The rotation switch is displayed.
- Click
to enable key rotation. - In the Enable Rotation Policy dialog box, set the rotation period and click OK.
- Set the rotation period (unit: day) to an integer in the range 30 to 365. The default value is 365.
- After the setting takes effect, the new rotation period starts.
- Configure the period based on how often a custom key is used. If it is frequently used, configure a short period. Otherwise, set a long one.+
- A disabled custom key is never rotated, even if rotation is enabled for it.
- KMS resumes rotation when this custom key is enabled. If you enable this custom key after one rotation period has passed, KMS will rotate it within 24 hours.
- You can click
to change the rotation period. After the period is changed, KMS rotates the key by the new period.
- Check rotation details, as shown in the following figure.Figure 1 Key rotation details+
You can click
to change the rotation period. After the period is changed, KMS rotates the key by the new period.
Creating CMKs Using Imported Key Materials
+ ++ + ++ diff --git a/docs/kms/umn/kms_01_0161.html b/docs/kms/umn/kms_01_0161.html new file mode 100644 index 00000000..2fcd633c --- /dev/null +++ b/docs/kms/umn/kms_01_0161.html @@ -0,0 +1,68 @@ + + +++Parent topic: Key Management Service+Creating a Custom KMS Policy
++Custom policies can be created as a supplement to the system policies of KMS. For details about the actions supported by custom policies, see "Permissions Policies and Supported Actions" in Key Management Service API Reference.
+You can create custom policies in either of the following ways:
+- Visual editor: You can select policy configurations without the need to know policy syntax.
- JSON: Edit JSON policies from scratch or based on an existing policy. This section describes typical KMS custom policies.
+Example Custom Policies of KMS
- Example: authorizing users to create and import keys
{ + "Version": "1.1", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "kms:cmk:create", + "kms:cmk:getMaterial", + "kms:cmkTag:create", + "kms:cmkTag:batch", + "kms:cmk:importMaterial" + ] + } + ] +}+
- Example: authorizing users to use keys
{ + "Version": "1.1", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "kms:dek:crypto", + "kms:cmk:get", + "kms:cmk:crypto", + "kms:cmk:generate", + "kms:cmk:list" + ] + } + ] +}+ - Example: multi-action policy
A custom policy can contain actions of multiple services that are all of the global or project-level type. The following is a policy with multiple statements:
+{ + "Version": "1.1", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "rds:task:list" + ] + }, + { + "Effect": "Allow", + "Action": [ + "kms:dek:crypto", + "kms:cmk:get", + "kms:cmk:crypto", + "kms:cmk:generate", + "kms:cmk:list" + ] + } + ] +}+
++ diff --git a/docs/kms/umn/kms_01_0177.html b/docs/kms/umn/kms_01_0177.html new file mode 100644 index 00000000..2efbce5c --- /dev/null +++ b/docs/kms/umn/kms_01_0177.html @@ -0,0 +1,31 @@ + + +++Parent topic: Permission Control+Key Management Service
+ +++ diff --git a/docs/kms/umn/kms_01_0178.html b/docs/kms/umn/kms_01_0178.html new file mode 100644 index 00000000..ccbe470e --- /dev/null +++ b/docs/kms/umn/kms_01_0178.html @@ -0,0 +1,79 @@ + + +-
+
- Key Types
+
+ - Creating a Key
+
+ - Creating CMKs Using Imported Key Materials
+
+ - Managing CMKs
+
+ - Configuring SMN
+
+ - Using the Online Tool to Encrypt and Decrypt Small-Size Data
+
+ - Managing Tags
+
+ - Rotating CMKs
+
+ - Managing a Grant
+
+
++Parent topic: User Guide+Creating a Key
++This section describes how to create a custom key on the KMS console.
+Custom keys can be categorized into symmetric keys and asymmetric keys.
++Constraints
- You can create up to 100 custom keys, excluding default keys.
- A custom key is created using the AES-256 algorithm and is 256 bit long.
- Asymmetric keys are created using RSA or ECC algorithms. RSA keys can be used for encryption, decryption, digital signature, and signature verification. ECC keys can be used only for digital signature and signature verification.
- Aliases of default keys end with /default. When choosing aliases for your custom keys, do not use aliases ending with /default.
- KMS does not limit the number of times that a key can be called.
+Scenarios
- Encrypt data in OBS
- Encrypt data in EVS
- Encrypt data in IMS
- Use custom keys to directly encrypt and decrypt small volumes of data.
- DEK encryption and decryption for user applications
+Creating a Key
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click . Choose . The Key Management Service page is displayed.
- Click Create Bucket in the upper right corner.
- Configure parameters in the Create Key dialog box.Figure 1 Creating a key+
- Alias is the alias of the key to be created.+
- You can enter digits, letters, underscores (_), hyphens (-), colons (:), and slashes (/).
- You can enter up to 255 characters.
- Key Algorithm: Select a key algorithm. For more information, see Table 1.
++
+Table 1 Key algorithms supported by KMS Key Type
+Algorithm Type
+Key Specifications
+Description
+Usage
+Symmetric key
+AES
+- AES_256
AES symmetric key
+Encrypts and decrypts a small amount of data or data keys.
+Asymmetric key
+RSA
+- RSA_2048
- RSA_3072
- RSA_4096
RSA asymmetric password
+Encrypts and decrypts a small amount of data or creates digital signatures.
+ECC
+- EC_P256
- EC_P384
Elliptic curve recommended by NIST
+Digital signature
+ - Usage: Select SIGN_VERIFY or ENCRYPT_DECRYPT.
- For an AES_256 symmetric key, the default value is ENCRYPT_DECRYPT.
- For RSA asymmetric keys, select ENCRYPT_DECRYPT or SIGN_VERIFY. The default value is SIGN_VERIFY.
- For an ECC asymmetric key, the default value is SIGN_VERIFY.
+ The key usage can only be configured during key creation and cannot be modified afterwards.
+ - (Optional) Description is the description of the custom key.+
You can enter up to 255 characters.
+
- Alias is the alias of the key to be created.
- (Optional) Add tags to the custom key as needed, and enter the tag key and tag value.+
- After creating a CMK, you can click the alias of the CMK to go to the CMK details page and add a tag to the CMK.
- The same tag (including tag key and tag value) can be used for different custom keys. However, under the same custom key, one tag key can have only one tag value.
- A maximum of 20 tags can be added for one custom key.
- To delete a tag, click Delete next to it.
- Click OK. A message is displayed in the upper right corner of the page, indicating that the key is created successfully.
In the key list, you can view the created keys. The default status of a key is Enabled.
+
+Related Operations
- For details about how to upload objects with server-side encryption, see section "Uploading a File with Server-Side Encryption" in Object Storage Service User Guide.
- For details about how to encrypt data on EVS disks, see section "Creating an EVS Disk" in Elastic Volume Service User Guide.
- For details about how to encrypt private images, see section "Encrypting an Image" in Image Management Service User Guide.
- For details about how to encrypt disks for a database instance in RDS, see section "Purchasing an Instance" in the Relational Database Service User Guide.
++ diff --git a/docs/kms/umn/kms_01_0179.html b/docs/kms/umn/kms_01_0179.html new file mode 100644 index 00000000..9f56720d --- /dev/null +++ b/docs/kms/umn/kms_01_0179.html @@ -0,0 +1,59 @@ + + +++Parent topic: Key Management Service+Viewing a CMK
++This section describes how to view the information about the custom key on the KMS console, including the key alias, status, ID, and creation time. The status of a key can be Enabled, Disabled, Scheduled deletion, or Pending import.
++Procedure
- Log in to the management console.
- Click . Choose . The Key Management Service page is displayed.
- Check the key list.
+
+
+Table 1 Key list parameters Parameter
+Description
+Alias/ID
+Alias of a key and the random ID of a key generated during its creation.
+Status
+Status of a CMK, which can be one of the following:
+- Enabled
The CMK is enabled.
+ - Disabled
The CMK is disabled.
+ - Pending deletion
The CMK is scheduled for deletion.
+ - Pending import
If your CMK does not have materials, its status is Pending import.
+
Key Algorithm and Usage
+Key algorithm selected during key creation and its usage
+Origin
+Source of key material, which can be one of the following:
+- External
The key is imported to the KMS from an external system.
+ - Key Management Service
The key is a default key or created in KMS.
+
Operation
+Operations you can perform on the key, such as disable, delete, import key material, or cancel deletion. You can also assign keys to projects.
+ - Enabled
- You can click the alias of a key to view its details.+
To change the alias or description of the CMK, click
+ next to the value of Alias or Description.- A default key (the alias suffix of which is /default) does not allow alias and description changes.
- The alias and description of a CMK cannot be changed if the CMK is in Pending deletion status.
++ diff --git a/docs/kms/umn/kms_01_0182.html b/docs/kms/umn/kms_01_0182.html new file mode 100644 index 00000000..08667bad --- /dev/null +++ b/docs/kms/umn/kms_01_0182.html @@ -0,0 +1,19 @@ + + +++Parent topic: Managing CMKs+What Should I Do If I Do Not Have the Permissions to Perform Operations on KMS?
+++Symptom
A message indicating lack of permissions is displayed when you attempt to perform operations on keys, such as view, create, or import keys.
++Possible Causes
Your account is not associated with the required KMS system policies.
++Solution
- Check whether your account has been associated with KMS Administrator and KMS CMKFullAccess policies.
For details about how to check your user groups and permissions, see the "User Groups and Authorization" section.
+If your account has been associated with required KMS system policies, go to 2.
+ - Associate your account with required system policies.
- For details about how to add administrator permissions, see the "User Groups and Authorization" section.
- For details about how to add a custom policy, see the "Creating a Custom KMS Policy" section.
++ diff --git a/docs/kms/umn/kms_01_0186.html b/docs/kms/umn/kms_01_0186.html new file mode 100644 index 00000000..07f9d81a --- /dev/null +++ b/docs/kms/umn/kms_01_0186.html @@ -0,0 +1,34 @@ + + +++Parent topic: KMS Related+Why Can't I Wrap Asymmetric Keys by Using -id-aes256-wrap-pad in OpenSSL?
+++Symptom
By default, the -id-aes256-wrap-pad algorithm is not enabled in OpenSSL. To wrap a key, upgrade OpenSSL to the latest version and patch it first.
++Solution
Use bash commands to create a local copy of the existing OpenSSL. You do not need to delete or modify the default OpenSSL client installation configurations.
+- Switch to the root user.
sudo su -
+ - Run the following command and record the OpenSSL version:
openssl version
+ - Run the following commands to create the /root/build directory. This directory will be used to store the latest OpenSSL binary file.
mkdir $HOME/build
+mkdir -p $HOME/local/ssl
+cd $HOME/build
+ - Download the latest OpenSSL version from https://www.openssl.org/source/.
- Download and decompress the binary file.
- Replace openssl-1.1.1d.tar.gz with the latest OpenSSL version downloaded in step 4.
curl -O https://www.openssl.org/source/openssl-1.1.1d.tar.gz
+tar -zxf openssl-1.1.1d.tar.gz
+ - Use the gcc tool to patch the version, and compile the downloaded binary file.yum install patch make gcc -y++
If you are using a version other than OpenSSL-1.1.1d, you may need to change the directory and commands used, or this patch may not work properly.
+ - Run the following commands:
sed -i "/BIO_get_cipher_ctx(benc, &ctx);/a\ EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);" $HOME/build/openssl-1.1.1d/apps/enc.c
+ - Run the following commands to compile the OpenSSL enc.c file:
cd $HOME/build/openssl-1.1.1d/
+./config --prefix=$HOME/local --openssldir=$HOME/local/ssl
+make -j$(grep -c ^processor /proc/cpuinfo)
+make install
+ - Configure the environment variable LD_LIBRARY_PATH to ensure that required libraries are available for OpenSSL. The latest version of OpenSSL has been dynamically linked to the binary file in the $HOME/local/ssl/lib/ directory, and cannot be directly executed in shell.
- Create a script named openssl.sh to load the $HOME/local/ssl/lib/ path before running the binary file.
cd $HOME/local/bin/
+echo -e '#!/bin/bash \nenv LD_LIBRARY_PATH=$HOME/local/lib/ $HOME/local/bin/openssl "$@"' > ./openssl.sh
+ - Run the following command to configure an execute bit on the script:
chmod 755 ./openssl.sh
+ - Run the following command to start the patched OpenSSL version:
$HOME/local/bin/openssl.sh
+
++ diff --git a/docs/kms/umn/kms_01_0189.html b/docs/kms/umn/kms_01_0189.html new file mode 100644 index 00000000..c277abb4 --- /dev/null +++ b/docs/kms/umn/kms_01_0189.html @@ -0,0 +1,57 @@ + + +++Parent topic: KMS Related+Key Algorithms Supported by KMS
++++
+Table 1 Key algorithms supported by KMS Key Type
+Algorithm Type
+Key Specifications
+Description
+Usage
+Symmetric key
+AES
+- AES_256
AES symmetric key
+Encrypts and decrypts a small amount of data or data keys.
+Asymmetric key
+RSA
+- RSA_2048
- RSA_3072
- RSA_4096
RSA asymmetric password
+Encrypts and decrypts a small amount of data or creates digital signatures.
+ECC
+- EC_P256
- EC_P384
Elliptic curve recommended by NIST
+Digital signature
+++ diff --git a/docs/kms/umn/kms_01_0193.html b/docs/kms/umn/kms_01_0193.html deleted file mode 100644 index f20ab6cc..00000000 --- a/docs/kms/umn/kms_01_0193.html +++ /dev/null @@ -1,11 +0,0 @@ - - -++Parent topic: KMS Related+How Does KMS Protect My Keys?
--The mechanism of KMS prevents anyone from accessing your keys in plaintext. KMS relies on hardware security modules (HSMs) that safeguard the confidentiality and integrity of your keys. Plaintext KMS keys are always encrypted by HSMs and are never stored on any disk. These keys are only utilized within the volatile memory of the HSMs for as long as necessary to perform the cryptographic operation you have requested.
--- diff --git a/docs/kms/umn/kms_01_0196.html b/docs/kms/umn/kms_01_0196.html deleted file mode 100644 index 9cf67c1a..00000000 --- a/docs/kms/umn/kms_01_0196.html +++ /dev/null @@ -1,11 +0,0 @@ - - ---Parent topic: FAQs-User Guide
- --- diff --git a/docs/kms/umn/kms_01_0198.html b/docs/kms/umn/kms_01_0198.html deleted file mode 100644 index ff440fa8..00000000 --- a/docs/kms/umn/kms_01_0198.html +++ /dev/null @@ -1,11 +0,0 @@ - - --
-
- Key Management
-
-
Is There a Limit on the Number of CMKs That I Can Create on KMS?
--Yes.
--- diff --git a/docs/kms/umn/kms_01_0199.html b/docs/kms/umn/kms_01_0199.html new file mode 100644 index 00000000..4b36849e --- /dev/null +++ b/docs/kms/umn/kms_01_0199.html @@ -0,0 +1,14 @@ + + +--Parent topic: FAQs-Encrypting Data in DDS
++- When a user creates a database instance from DDS, the user can select Disk encryption and use the key provided by KMS to encrypt the disk of the database instance. For more information, see the Document Database Service User Guide.Figure 1 Encrypting data in DDS+
You can use a custom key created on the KMS console for encryption.
+
- You can also call the required API of DDS to purchase encrypted DB instances. For details, see Document Database Service API Reference.
++ diff --git a/docs/kms/umn/kms_01_0215.html b/docs/kms/umn/kms_01_0215.html new file mode 100644 index 00000000..d54d86db --- /dev/null +++ b/docs/kms/umn/kms_01_0215.html @@ -0,0 +1,15 @@ + + +++Parent topic: Cloud Services with KMS Integrated+What Is the Relationship Between the Ciphertext and Plaintext Returned by the encrypt-data API?
++The basic length of the ciphertext returned by the encrypt-data API is 124 bytes. The ciphertext consists of multiple fields, including the key ID, encryption algorithm, key version, and ciphertext digest.
+The plaintext has 16 bytes in each block. A block with fewer than 16 bytes will be padded. Ciphertext length = 124 + Ceil(plaintext length/16) x 16. The conversion result is encoded using Base64.
+Take 4-byte plaintext input as an example. The calculation result is 124 + Ceil(4/16) x 16 = 140. The 140 bytes are converted into 188 bytes after Base64 encoding.
++ Ceil is a round-up function. Ceil(a) = 1. The value range of a is (0,1].
+++ diff --git a/docs/kms/umn/kms_01_0222.html b/docs/kms/umn/kms_01_0222.html new file mode 100644 index 00000000..a78d9f97 --- /dev/null +++ b/docs/kms/umn/kms_01_0222.html @@ -0,0 +1,42 @@ + + +++Parent topic: KMS Related+Personal Data Protection Mechanism
++To ensure that your personal data, such as the username, password, and mobile phone number, will not be leaked or obtained by unauthorized or unauthenticated entities or people, KMS controls access to the data and records logs for operations performed on the data.
++Personal Data to Be Collected
Table 1 lists the personal data generated or collected by KMS.
+ + ++Storage Mode
Tenant IDs are not sensitive data and are stored in plaintext.
++Access Permission Control
Users can view only logs related to their own services.
++Log Records
KMS records logs for all operations, such as editing, querying, and deleting, performed on personal data. The logs are uploaded to Cloud Trace Service (CTS). You can view only the logs generated for operations you performed.
+++ diff --git a/docs/kms/umn/kms_01_0227.html b/docs/kms/umn/kms_01_0227.html new file mode 100644 index 00000000..b09a3060 --- /dev/null +++ b/docs/kms/umn/kms_01_0227.html @@ -0,0 +1,11 @@ + + +++Parent topic: Service Overview+How Does KMS Protect My Keys?
++The mechanism of KMS prevents anyone from accessing your keys in plaintext. KMS relies on hardware security modules (HSMs) that safeguard the confidentiality and integrity of your keys. Plaintext KMS keys are always encrypted by HSMs and are never stored on any disk. These keys are only utilized within the volatile memory of the HSMs for as long as necessary to perform the cryptographic operation you have requested.
+++ diff --git a/docs/kms/umn/kms_01_0299.html b/docs/kms/umn/kms_01_0299.html new file mode 100644 index 00000000..00ee5b6e --- /dev/null +++ b/docs/kms/umn/kms_01_0299.html @@ -0,0 +1,85 @@ + + +++Parent topic: KMS Related+Key Management Service
++Key Management Service (KMS) is a secure, reliable, and easy-to-use service that helps users centrally manage and safeguard their Customer Master Keys (CMKs).
+KMS uses hardware security modules (HSMs) to protect CMKs. HSMs help you create and control CMKs with ease. All CMKs are protected by root keys in HSMs to avoid leakage.
+It also controls access to keys and records all operations on keys with traceable logs. In addition, it provides use records of all keys, meeting your audit and regulatory compliance requirements.
+ ++ +
+Table 1 Basic concepts Item
+Definition
+Customer Master Key
+(CMK)
+A CMK is a main encryption key created by a user using KMS. It is used to encrypt and protect data encryption keys (DEKs). One CMK can be used to encrypt one or more DEKs.
+Default Key
+
+A default key is automatically created by another cloud service using KMS, such as Object Storage Service (OBS). The alias of a default key ends with /default. For details about the corresponding cloud services, see Default Master Keys.
+You can use the management console to query the status of Default Master Keys, but cannot disable or schedule the deletion of default keys.
+Data Encryption Key
+(DEK)
+A data encryption key (DEK) is a key used for encrypting data.
+Hardware Security Module (HSM)
+A hardware device that securely produces, stores, manages, and uses keys and provides encryption services.
+True Random Number Generator (TRNG)
+A device that generates random numbers through physical processes instead of computer programs.
+Project
+A project is used to group and isolate OpenStack resources, including computing, storage, and network resources. A project can be a department or a project team.
+Multiple projects can be created for one account.
++
+Table 2 Default keys Alias
+Cloud Service
+obs/default
+Object Storage Service (OBS)
+evs/default
+Elastic Volume Service (EVS)
+ims/default
+Image Management Service (IMS)
++ A default key is automatically created when a user employs the KMS encryption function for the first time in another cloud service.
+++ diff --git a/docs/kms/umn/kms_01_0330.html b/docs/kms/umn/kms_01_0330.html new file mode 100644 index 00000000..1fe92a14 --- /dev/null +++ b/docs/kms/umn/kms_01_0330.html @@ -0,0 +1,11 @@ + + +++Parent topic: Service Overview+Does an Imported Key Support Rotation?
++Imported keys do not support rotation. After the imported key materials are deleted, ensure that the same key materials are imported.
+++ diff --git a/docs/kms/umn/kms_01_194.html b/docs/kms/umn/kms_01_194.html deleted file mode 100644 index 67823b2d..00000000 --- a/docs/kms/umn/kms_01_194.html +++ /dev/null @@ -1,32 +0,0 @@ - - -++Parent topic: KMS Related+Creating a Key
---Scenario
This section describes how to create a CMK on the KMS management console. You can create up to 100 CMKs, excluding Default Master Keys.
-The CMK is perfectly suited for but not limited to the following scenarios:-- Server-side encryption on OBS
- Encryption of data on EVS disks
- Encryption of private images on IMS
- File system encryption on SFS
- Disk encryption for database instances in RDS
- DEK encryption and decryption for user applications
- Aliases of Default Master Keys end with /default. It is not allowed to use aliases ending with /default for your CMKs.
--Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click Create Key in the upper right corner of the page. In the dialog box that is displayed, enter the alias and description of the key.Figure 1 Create Key dialog box-
- Alias is the alias of the CMK to be created.
- (Optional) Description is the description of the CMK.
- (Optional) Add tags as needed, and enter the tag key and tag value.-
- When a CMK has been created without any tag, you can add a tag to the CMK later as necessary. Click the alias of the CMK. The page with key details is displayed. Then you can add tags to the CMK.
- The same tag (including tag key and tag value) can be used for different CMKs. However, under the same CMK, one tag key can have only one tag value.
- A maximum of 10 tags can be added for one CMK.
- If you want to delete a tag to be added when adding multiple tags, you can click Delete in the row where the tag to be added is located to delete the tag.
- Click OK.
In the CMK list, you can view created CMKs. The default status of a CMK is Enabled.
-
-Related Operations
- For details about how to upload objects with server-side encryption, see section Uploading a File with Server-Side Encryption in the Object Storage Service User Guide.
- For details about how to encrypt data on EVS disks, see section Creating an EVS Disk in the Elastic Volume Service User Guide.
- For details about how to encrypt private images, see section Encrypting an Image in the Image Management Service User Guide.
- For details about how to encrypt the file system on SFS, see section Creating a File System in the Scalable File Service User Guide.
- For details about how to encrypt disks for a database instance in RDS, see section Creating an RDS MySQL DB Instance in the Relational Database Service User Guide.
- For details about how to create a DEK and a plaintext-free DEK, see sections Creating a DEK and Creating a Plaintext-Free DEK in .
- For details about how to encrypt and decrypt a DEK for a user application, see sections Encrypting a DEK and Decrypting a DEK in .
-- - - \ No newline at end of file diff --git a/docs/kms/umn/kms_01_7774.html b/docs/kms/umn/kms_01_7774.html new file mode 100644 index 00000000..c355535c --- /dev/null +++ b/docs/kms/umn/kms_01_7774.html @@ -0,0 +1,15 @@ + + +--Parent topic: Key Management-Disabling Key Rotation
++This section describes how to disable rotation for a key on the KMS console.
++Prerequisites
- The key is enabled.
- The Origin of the key is KMS.
- Key rotation has been enabled.
+Procedure
- Log in to the management console.
- Click . Choose . The Key Management Service page is displayed.
- Click the alias of a symmetric key.
- Click Rotation Policy and the dialog box is displayed.
- Click
to disable key rotation. - In the displayed confirmation dialog box, click OK.
- Check the rotation status.
++ diff --git a/docs/kms/umn/kms_01_7775.html b/docs/kms/umn/kms_01_7775.html new file mode 100644 index 00000000..08aa0f88 --- /dev/null +++ b/docs/kms/umn/kms_01_7775.html @@ -0,0 +1,61 @@ + + +++Parent topic: Rotating CMKs+Key Types
++CMKs include custom keys and default keys. This section describes how to create, view, enable, disable, schedule the deletion, and cancel the deletion of custom keys.
+Custom keys can be categorized into symmetric keys and asymmetric keys.
+Symmetric keys are most commonly used for data encryption protection. Asymmetric keys are used for digital signature verification or sensitive information encryption in systems where the trust relationship is not mutual. An asymmetric key consists of a public key and a private key. The public key can be sent to anyone. The private key must be securely stored and only accessible to trusted users.
+An asymmetric key can be used to generate and verify a signature. To securely transfer data, a signer sends the public key to a receiver, uses the private key to sign data, and then sends the data and signature to the receiver. The receiver can use the public key to verify the signature.
+ ++
+Table 1 Key algorithms supported by KMS Key Type
+Algorithm Type
+Key Specifications
+Description
+Usage
+Symmetric key
+AES
+- AES_256
AES symmetric key
+Encrypts and decrypts a small amount of data or data keys.
+Asymmetric key
+RSA
+- RSA_2048
- RSA_3072
- RSA_4096
RSA asymmetric password
+Encrypts and decrypts a small amount of data or creates digital signatures.
+ECC
+- EC_P256
- EC_P384
Elliptic curve recommended by NIST
+Digital signature
+++ diff --git a/docs/kms/umn/kms_01_9996.html b/docs/kms/umn/kms_01_9996.html deleted file mode 100644 index a0f9e0b8..00000000 --- a/docs/kms/umn/kms_01_9996.html +++ /dev/null @@ -1,68 +0,0 @@ - - -++Parent topic: Key Management Service+Creating a Custom KMS Policy
--Custom policies can be created as a supplement to the system policies of KMS. For details about the actions supported by custom policies, see "Permissions Policies and Supported Actions" in Key Management Service API Reference.
-You can create custom policies in either of the following ways:
-- Visual editor: You can select policy configurations without the need to know policy syntax.
- JSON: Edit JSON policies from scratch or based on an existing policy.
-Example Custom Policies
- Example: authorizing users to create and import keys
{ - "Version": "1.1", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "kms:cmk:create", - "kms:cmk:getMaterial", - "kms:cmkTag:create", - "kms:cmkTag:batch", - "kms:cmk:importMaterial" - ] - } - ] -}-
- Example: authorizing users to use keys
{ - "Version": "1.1", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "kms:dek:crypto", - "kms:cmk:get", - "kms:cmk:crypto", - "kms:cmk:generate", - "kms:cmk:list" - ] - } - ] -}- - Example: multi-action policy
A custom policy can contain actions of multiple services that are all of the global or project-level type. The following is a policy with multiple statements:
-{ - "Version": "1.1", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "rds:task:list" - ] - }, - { - "Effect": "Allow", - "Action": [ - "kms:dek:crypto", - "kms:cmk:get", - "kms:cmk:crypto", - "kms:cmk:generate", - "kms:cmk:list" - ] - } - ] -}-
-- diff --git a/docs/kms/umn/kms_01_9997.html b/docs/kms/umn/kms_01_9997.html deleted file mode 100644 index a76acefe..00000000 --- a/docs/kms/umn/kms_01_9997.html +++ /dev/null @@ -1,48 +0,0 @@ - - ---Parent topic: Permissions Management-Creating a User and Authorizing the User the Permission to Access KMS
--This section describes IAM's fine-grained permissions management for your KMS resources. With IAM, you can:
-- Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has its own security credentials to access KMS resources.
- Grant users only the permissions required to perform a task.
- Entrust an account or cloud service to perform efficient O&M on your KMS resources.
If your account does not need individual IAM users, you may skip over this chapter.
-This section describes the procedure for granting permissions (see Figure 1).
--Prerequisites
Before authorizing permissions to a user group, you need to know which KMS permissions can be added to the user group. System-defined roles and policies supported by DEW describes the KMS system policies.
- - --Authorization Process
-Create a user group on the IAM console and grant the user group the KMS CMKFullAccess permission (indicating full permissions for keys).
-Create a user on the IAM console and add the user to the user group created in 1.
-Log in to the console as newly created user, and verify that the user only has read permissions for DEW.
-
-- diff --git a/docs/kms/umn/kms_01_9998.html b/docs/kms/umn/kms_01_9998.html deleted file mode 100644 index 6dec60fa..00000000 --- a/docs/kms/umn/kms_01_9998.html +++ /dev/null @@ -1,17 +0,0 @@ - - ---Parent topic: Permissions Management-Permissions Management
- --- diff --git a/docs/kms/umn/kms_01_9999.html b/docs/kms/umn/kms_01_9999.html deleted file mode 100644 index 1a9c9179..00000000 --- a/docs/kms/umn/kms_01_9999.html +++ /dev/null @@ -1,310 +0,0 @@ - - --
-
- Creating a User and Authorizing the User the Permission to Access KMS
-
- - Creating a Custom KMS Policy
-
-
--Parent topic: Key Management-Permissions Management
--If you want to assign different access permissions to employees in an enterprise for the KMS resources purchased on the cloud platform, you can use Identity and Access Management (IAM) to perform refined permission management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your resources.
-With IAM, you can use your account to create IAM users for your employees, and assign permissions to control their access to specific resource types. For example, if you have software developers and you want to assign them the permission to access KMS but not to delete KMS or its resources, then you can create an IAM policy to assign the developers the permission to access KMS but prevent them from deleting KMS related data.
-If the system account has met your requirements and you do not need to create an independent IAM user for permission control, then you can skip this section. This will not affect other functions of KMS.
--KMS Permissions
By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups they are added to and can perform specified operations on cloud services based on the permissions.
-KMS is a project-level service deployed and accessed in specific physical regions. To assign permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. Users need to switch to the authorized region when accessing KMS.
-You can grant users permissions by using roles and policies.
-- Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you must also assign other roles that the permissions depend on to take effect. However, roles are not an ideal choice for fine-grained authorization and secure access control.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, you can grant KMS users only the permissions for managing a certain type of cloud servers. Most policies contain permissions for specific APIs, and permissions are defined using API actions.
For more information, see Table 1.
- --
-Table 1 KMS permissions Role/Policy Name
-Description
-Type
-KMS Administrator
-Administrator permissions for the encryption key
-System role
-KMS CMKFullAccess
-All permissions for the encryption keys
-System policy
-The following table describes the common operations supported by each system-defined permission of KMS. Select the permissions as needed.
- --
-Table 2 Common operations supported by each system-defined policy or role Operation
-KMS Administrator
-KMS CMKFullAccess
-Create a key
-√
-√
-Enable a key
-√
-√
-Disable a key
-√
-√
-Schedule key deletion
-√
-√
-Cancel scheduled key deletion
-√
-√
-Modify a key alias
-√
-√
-Modify key description
-√
-√
-Generate a random number
-√
-√
-Create a DEK
-√
-√
-Create a plaintext-free DEK
-√
-√
-Encrypt a DEK
-√
-√
-Decrypt a DEK
-√
-√
-Obtain parameters for importing a key
-√
-√
-Import key materials
-√
-√
-Delete key materials
-√
-√
-Create a grant
-√
-√
-Revoking a grant
-√
-√
-Retire a grant
-√
-√
-Query the grant list
-√
-√
-Query retirable grants
-√
-√
-Encrypt data
-√
-√
-Decrypt data
-√
-√
-Enable key rotation
-√
-√
-Modify key rotation interval
-√
-√
-Disable key rotation
-√
-√
-Query key rotation status
-√
-√
-Query CMK instances
-√
-√
-Query key tags
-√
-√
-Query project tags
-√
-√
-Batch add or delete key tags
-√
-√
-Add tags to a key
-√
-√
-Delete key tags
-√
-√
-Query the key list
-√
-√
-Query key details
-√
-√
-Query instance quantity
-√
-√
-Query quotas
-√
-√
--- diff --git a/docs/kms/umn/public_sys-resources/imageclose.gif b/docs/kms/umn/public_sys-resources/imageclose.gif deleted file mode 100644 index 3a3344af..00000000 Binary files a/docs/kms/umn/public_sys-resources/imageclose.gif and /dev/null differ diff --git a/docs/kms/umn/public_sys-resources/imageclosehover.gif b/docs/kms/umn/public_sys-resources/imageclosehover.gif deleted file mode 100644 index 8699d5e3..00000000 Binary files a/docs/kms/umn/public_sys-resources/imageclosehover.gif and /dev/null differ diff --git a/docs/kms/umn/public_sys-resources/imagemax.gif b/docs/kms/umn/public_sys-resources/imagemax.gif deleted file mode 100644 index 99c07dc2..00000000 Binary files a/docs/kms/umn/public_sys-resources/imagemax.gif and /dev/null differ diff --git a/docs/kms/umn/public_sys-resources/imagemaxhover.gif b/docs/kms/umn/public_sys-resources/imagemaxhover.gif deleted file mode 100644 index d01d77d6..00000000 Binary files a/docs/kms/umn/public_sys-resources/imagemaxhover.gif and /dev/null differ diff --git a/docs/kms/umn/public_sys-resources/macFFBgHack.png b/docs/kms/umn/public_sys-resources/macFFBgHack.png deleted file mode 100644 index ec811470..00000000 Binary files a/docs/kms/umn/public_sys-resources/macFFBgHack.png and /dev/null differ--Parent topic: Service Overview-
- You can click the alias of a CMK to view its details.
- To reduce the amount of data encrypted by each key.
- In the User area, specify the user who performs the specified operations. See Figure 3 for details.
