This topic describes how to use Key Management Service (KMS) to create customer master keys (CMKs). CMKs are used to encrypt data.
Procedure
- Log on to the KMS console.
- In the top navigation bar, select the region where you want to create a CMK.
- In the left-side navigation pane, click Keys.
- Click Create Key.
- In the Create Key dialog box, configure parameters as prompted.
  - Key Spec: Valid values:
    - Symmetric keys:
      - Aliyun_AES_256
      - Aliyun_SM4
    - Asymmetric keys:
      - RSA_2048
      - EC_P256
      - EC_P256K
      - EC_SM2
    Note: Aliyun_SM4 and EC_SM2 types are used only in mainland China regions where Managed HSM is available.
  - Purpose:
    - Encrypt/Decrypt: The purpose of the CMK is to encrypt or decrypt data.
    - Sign/Verify: The purpose of the CMK is to generate or verify a digital signature.
  - Alias Name: The optional identifier of the CMK. For more information, see Overview.
  - Protection Level:
    - Software: Use a software module to protect the CMK.
    - Hsm: Host the CMK in a hardware security module (HSM). Managed HSM uses the HSM as dedicated hardware to safeguard the CMK.
  - Description: The description of the CMK.
  - Rotation Period: The automatic rotation period. Valid values:
    - 30 Days
    - 90 Days
    - 180 Days
    - 365 Days
    - Disable: Rotation is disabled.
    - Customize: Customize a period that ranges from 7 days to 730 days.
    Note: You can specify this parameter only if Key Spec is set to Aliyun_AES_256 or Aliyun_SM4.
- Click Advanced and specify Key Material Source.
  - Alibaba Cloud KMS: Use KMS to generate key material.
  - External: Import key material from an external source. For more information about how to import key material, see Import key material.
  Note: If you select External, you must also select I understand the implications of using the external key materials key.
- Click OK.
After the CMK is created, you can view its detailed information, such as the CMK ID, status, and protection level, on the Keys page.
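The parameter constraints in this procedure can be checked before anyone opens the console, for example when a key request is reviewed as a ticket or a configuration file. The following is an added example, not part of the original documentation or of any Alibaba Cloud SDK; the function name and the field names (`key_spec`, `rotation_days`, `region_has_managed_hsm`, `external_acknowledged`, and so on) are hypothetical.

```python
# Added example: lint a planned CMK configuration against the constraints in
# this procedure. Field names are hypothetical, not a KMS API schema.
SYMMETRIC = {"Aliyun_AES_256", "Aliyun_SM4"}
ASYMMETRIC = {"RSA_2048", "EC_P256", "EC_P256K", "EC_SM2"}
SM_SPECS = {"Aliyun_SM4", "EC_SM2"}
ALLOWED = {
    "purpose": {"Encrypt/Decrypt", "Sign/Verify"},
    "protection_level": {"Software", "Hsm"},
    "key_material_source": {"Alibaba Cloud KMS", "External"},
}


def validate_cmk_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    spec = plan.get("key_spec")
    if spec not in SYMMETRIC | ASYMMETRIC:
        problems.append(f"unknown key_spec: {spec!r}")
    for field, allowed in ALLOWED.items():
        if plan.get(field) not in allowed:
            problems.append(f"unknown {field}: {plan.get(field)!r}")
    # The page does not list the qualifying regions, so the caller states
    # whether the target region is a mainland China region with Managed HSM.
    if spec in SM_SPECS and not plan.get("region_has_managed_hsm", False):
        problems.append(f"{spec} needs a mainland China region with Managed HSM")
    # rotation_days: None means Disable; presets (30/90/180/365) and custom
    # values all fall inside the 7..730 day range.
    days = plan.get("rotation_days")
    if days is not None:
        if spec not in SYMMETRIC:
            problems.append("rotation is only available for symmetric key specs")
        if isinstance(days, bool) or not isinstance(days, int) or not 7 <= days <= 730:
            problems.append("rotation_days must be an integer from 7 to 730")
    if (plan.get("key_material_source") == "External"
            and not plan.get("external_acknowledged", False)):
        problems.append("External key material requires the acknowledgement")
    return problems


# Constructed sample plans, not taken from a real account.
GOOD = {"key_spec": "Aliyun_AES_256", "purpose": "Encrypt/Decrypt",
        "protection_level": "Hsm", "rotation_days": 90,
        "key_material_source": "Alibaba Cloud KMS"}
BAD = {"key_spec": "RSA_2048", "purpose": "Sign/Verify",
       "protection_level": "Software", "rotation_days": 5,
       "key_material_source": "External"}

if __name__ == "__main__":
    for name, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate_cmk_plan(plan) or "ok")
```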