Private key stores help you manage and use keys in hardware security modules (HSMs). This topic describes how to create a private key store.
Prerequisites
- An HSM cluster is created.
- An HSM instance is added to the HSM cluster. We recommend that you add two or more HSM instances to ensure the high availability of the HSM cluster.
- The HSM cluster is initialized. After you initialize the HSM cluster, it enters the initialized state. The ClusterOwnerCertificate that you configure when you initialize the cluster is used as the security domain certificate for Key Management Service (KMS) to access the HSM cluster. For more information, see Initialize the cluster.
- A crypto user named kmsuser is created and a password is set for the kmsuser user. KMS uses this user to access your HSM cluster, create keys, and perform cryptographic operations. For more information, see Create a crypto user.
Procedure
- Log on to the KMS console.
- In the upper-left corner of the page, select the region in which you want to create a private key store. For more information about the regions that support private key stores, see Supported regions.
- In the left-side navigation pane, click KeyStores.
- Click Create KeyStore.
- In the Create KeyStore dialog box, set the following parameters:
  - Name: Enter the name of the private key store.
  - HSM cluster: Select the HSM cluster in Alibaba Cloud Data Encryption Service.
  - Description: Enter the description of the private key store.
  - Password: Enter the password that is set for the kmsuser user in Alibaba Cloud Data Encryption Service.
  - Security domain certificate: Enter the security information or upload the security domain certificate for the HSM cluster in Alibaba Cloud Data Encryption Service.
- Click OK.
What to do next
By default, the private key store enters the disconnected state after it is created. To create a customer master key (CMK) in the private key store, you must connect to the private key store first. For more information, see the following topics: