This topic describes how to create a customer master key (CMK) in the Key Management Service (KMS) console. CMKs are used to encrypt data.

Procedure

  1. Log on to the KMS console.
  2. In the top navigation bar, select the region in which you want to create a CMK.
  3. In the left-side navigation pane, click Keys.
  4. Click Create Key.
  5. In the Create Key dialog box, configure the parameters based on your business requirements.
    Parameter Description
    KMS Instance The KMS instance that you use.
    Key Spec The type of the CMK. Valid values:
    • Types of symmetric keys
      • Aliyun_AES_256
      • Aliyun_SM4
    • Types of asymmetric keys
      • RSA_2048
      • RSA_3072
      • EC_P256
      • EC_P256K
      • EC_SM2
    Note
    • Aliyun_SM4 and EC_SM2 types are supported only for regions in the Chinese mainland in which managed hardware security modules (HSMs) are used.
    • RSA_3072 is supported only by a dedicated KMS instance.
    Purpose The purpose of the CMK. Valid values:
    • Encrypt/Decrypt: encrypts or decrypts data.
    • Sign/Verify: generates or verifies a digital signature.
    Alias Name The alias of the CMK, which helps identify the CMK. Aliases are optional to CMKs.

    For more information, see Overview.

    Protection Level Valid values:
    • Software: The CMK is protected by using a software module.
    • Hsm: The CMK is managed in an HSM, and the HSM safeguards the CMK.
    Description The description of the CMK.
    Rotation Period The interval of automatic rotation of symmetric keys. Valid values:
    • 30 Days.
    • 90 Days.
    • 180 Days.
    • 365 Days.
    • Disable: Automatic rotation is disabled.
    • Customize: You can customize an interval that ranges from 7 days to 730 days.
    Note You can configure this parameter only if you set the Key Spec parameter to Aliyun_AES_256 or Aliyun_SM4.
  6. Click Advanced and configure the Key Material Source parameter.
    Note The Advanced option appears only when you set the Key Spec parameter to Aliyun_AES_256 or Aliyun_SM4.
    • Alibaba Cloud KMS: KMS generates key material.
    • External: You must import key material from an external source. For more information, see Import key material.
      Note If you select External, you must also select I understand the implications of using the external key materials key.
  7. Click OK.
    After the CMK is created, you can view its detailed information, such as the CMK ID, status, and protection level.