This topic describes how to use the Managed HSM feature to create and use keys.
Prerequisites
An Alibaba Cloud account is created. To create an Alibaba Cloud account, visit the account registration page.
Background information
Create a key in the KMS console
Use Alibaba Cloud CLI to create a key
Import external keys to a managed HSM
You can import a key from your own key infrastructure into an HSM managed by Alibaba Cloud (referred to as a managed HSM). The prerequisite is that you set Protection Level to HSM when you create the external key. For more information about how to create an external key, see Import key material. The import takes two steps:
- Call the GetParametersForImport operation. During this step, KMS generates a key pair inside a managed HSM, in accordance with the HSM protection level, for wrapping the external key material, and returns the public key of that key pair.
- Call the ImportKeyMaterial operation. During this step, KMS passes the key material, which you encrypted with the returned public key, to the managed HSM, which recovers the plaintext by using its own key-unwrapping mechanism. The plaintext key material never leaves the HSM and cannot be exported afterwards.
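To make the two-step exchange concrete, the following Go program is an added example that is not part of this topic or of the Alibaba Cloud SDK. It models both sides offline: a constructed ManagedHSM type plays the HSM (generating the one-time wrapping key pair in GetParametersForImport, unwrapping in ImportKeyMaterial, and then using the material for AES-GCM without ever returning it), and WrapKeyMaterial plays the caller who encrypts the key material with the returned public key. The wrapping algorithm (RSA-2048 with OAEP/SHA-256), the DER encoding of the public key, and the AES-256 material size are assumptions for the example; the real service's parameters are documented under Import key material.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// ManagedHSM is a constructed stand-in for the state KMS keeps inside the HSM.
// The private wrapping key and the imported material never leave this struct.
type ManagedHSM struct {
	wrappingKey *rsa.PrivateKey
	material    []byte
}

// GetParametersForImport models step 1: generate a wrapping key pair in the HSM
// and hand back only the public half, DER encoded (assumed format).
func (h *ManagedHSM) GetParametersForImport() ([]byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	h.wrappingKey = priv
	return x509.MarshalPKIXPublicKey(&priv.PublicKey)
}

// WrapKeyMaterial is the caller's side: encrypt externally generated key material
// with the HSM public key (RSA-OAEP/SHA-256 assumed) so only the HSM can unwrap it.
func WrapKeyMaterial(pubDER, material []byte) ([]byte, error) {
	pubAny, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil {
		return nil, err
	}
	pub, ok := pubAny.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("wrapping key is not an RSA key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, material, nil)
}

// ImportKeyMaterial models step 2: unwrap with the HSM private key, keep the
// plaintext internally, and discard the one-time wrapping key.
func (h *ManagedHSM) ImportKeyMaterial(wrapped []byte) error {
	if h.wrappingKey == nil {
		return errors.New("GetParametersForImport must be called before ImportKeyMaterial")
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, h.wrappingKey, wrapped, nil)
	if err != nil {
		return err
	}
	h.material = plain
	h.wrappingKey = nil
	return nil
}

// gcm builds an AES-GCM instance over the imported material (32 bytes => AES-256).
func (h *ManagedHSM) gcm() (cipher.AEAD, error) {
	if h.material == nil {
		return nil, errors.New("no key material imported")
	}
	block, err := aes.NewCipher(h.material)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is a cryptographic API operation performed with the imported key;
// the caller gets ciphertext (nonce || sealed data), never the key itself.
func (h *ManagedHSM) Encrypt(plaintext []byte) ([]byte, error) {
	gcm, err := h.gcm()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt using the same in-HSM key.
func (h *ManagedHSM) Decrypt(ct []byte) ([]byte, error) {
	gcm, err := h.gcm()
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(ct) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:ns], ct[ns:], nil)
}

func main() {
	hsm := &ManagedHSM{}
	pub, _ := hsm.GetParametersForImport()
	material := make([]byte, 32) // constructed caller-side key material
	rand.Read(material)
	wrapped, _ := WrapKeyMaterial(pub, material)
	if err := hsm.ImportKeyMaterial(wrapped); err != nil {
		panic(err)
	}
	ct, _ := hsm.Encrypt([]byte("protected by an imported key"))
	pt, _ := hsm.Decrypt(ct)
	fmt.Printf("wrapped blob %d bytes, round trip: %s\n", len(wrapped), pt)
}
```

The point the model makes is the one the text states: the wrapping key pair exists only for the import, the material is encrypted before it reaches KMS, and after ImportKeyMaterial the only thing a caller can do with it is invoke cryptographic operations.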
Manage and use keys
- Enable and disable keys.
- Manage the lifecycle of keys.
- Manage the aliases of keys.
- Manage the tags of keys.
- Call cryptographic API operations.
Integration with other Alibaba Cloud services
Keys in managed HSMs can be used to protect data natively stored in other Alibaba Cloud services, such as Elastic Compute Service (ECS), ApsaraDB for RDS, and Object Storage Service (OSS), through the standard KMS API. The prerequisite is that the Alibaba Cloud service supports server-side encryption with user-managed keys. To use this feature, you only need to configure a customer master key (CMK) that is hosted in a managed HSM as the key the service uses for server-side encryption.