After an application is connected to a dedicated KMS instance of the Standard edition, the instance uses a hardware security module (HSM) to implement resource isolation and cryptographic isolation. This helps provide reliable, secure, and compliant capabilities to encrypt and protect your business data. An HSM cluster is a tenant-specific cryptographic resource pool. This topic describes how to enable a dedicated KMS instance of the Standard edition, how to create a customer master key (CMK), and how to connect applications to the instance.

Prerequisites

  • A dedicated KMS instance of the Standard edition is purchased. For more information, see Purchase a dedicated KMS instance.
  • The dedicated KMS instance of the Standard edition is connected to an HSM cluster in Data Encryption Service within the same Alibaba Cloud account as the dedicated KMS instance. Make sure that the following configurations are complete in Data Encryption Service. For more information, see Getting started with Data Encryption Service.
    • An HSM cluster is created, and HSMs are added to the cluster.
    • The HSM cluster is initialized and activated. The HSM cluster contains two or more HSMs in different zones. The status of the cluster is Activated. The ClusterOwnerCertificate file that you configured when you initialized the cluster is used as the security domain certificate that is required by Dedicated KMS to access the HSM cluster.
    • A crypto user named kmsuser is created, and a password is specified for the user kmsuser. Dedicated KMS uses the user kmsuser to access the HSM cluster, create keys, and perform cryptographic operations.

Step 1: Enable the dedicated KMS instance of the Standard edition

  1. Log on to the KMS console.
  2. On the Dedicated KMS page, find the dedicated KMS instance of the Standard edition and click Enable in the Actions column.
  3. In the Connect to HSM dialog box, specify the HSM cluster.
    Note An HSM cluster can be bound to only one dedicated KMS instance of the Standard edition.
  4. Configure an access credential.
    • Username: the username of the crypto user. In this example, the value is fixed as kmsuser.
    • Password: the password of the user kmsuser. The password is specified when the user kmsuser is created.
    • Security domain certificate: a certificate authority (CA) certificate in the PEM format. You can download the ClusterOwnerCertificate file on the Cluster Details page of the Data Encryption Service console.
  5. Click Connect to HSM.
    Wait a few minutes and refresh the page. If the status of the instance changes to Enabled, the dedicated KMS instance of the Standard edition is enabled.

Step 2: Create a CMK for the dedicated KMS instance of the Standard edition

  1. On the Dedicated KMS page, find the dedicated KMS instance of the Standard edition and click Manage in the Actions column.
  2. On the User master key tab, click Create Key. In the Create Key dialog box, configure the parameters.
    The parameters are described below.
    • Key Spec: The type of the CMK. Valid values:
      • Types of symmetric CMKs:
        • Aliyun_AES_256
        • Aliyun_AES_128
        • Aliyun_AES_192
      • Types of asymmetric CMKs:
        • RSA_2048
        • RSA_3072
        • RSA_4096
        • EC_P256
        • EC_P256K
        • HMAC_SHA256
        • HMAC_SHA512
    • Purpose: The usage of the CMK. Valid values:
      • Encrypt/Decrypt: encrypts or decrypts data.
      • Sign/Verify: generates or verifies a digital signature.
    • Alias Name: The identifier of the CMK. The value can contain letters, digits, underscores (_), hyphens (-), and forward slashes (/).
    • Description: The description of the CMK.
    • Advanced:
      • Key Material Source:
        • Alibaba Cloud KMS: Dedicated KMS generates key material.
        • External: Dedicated KMS does not generate key material. You must import key material from an external source. For more information, see Import symmetric key material.
          Note If you select External, you must read and select I understand the implications of using the external key materials key.
      • Secondary Purpose: If you set Key Spec to an asymmetric CMK type, you can specify the secondary purpose of the CMK.
  3. Click OK.

Step 3: Connect applications to the dedicated KMS instance of the Standard edition

  1. Create an application access point (AAP) to manage access from applications to the dedicated KMS instance of the Standard edition.
    1. On the Dedicated KMS page, find the dedicated KMS instance of the Standard edition and click Details in the Actions column.
    2. In the Applications access Dedicated KMS section, click Create an application access point.
    3. In the Configure Application Access Credential and Permissions panel, configure the parameters and click Create.
      1. Enter a name in Name of Application Access Point.
      2. Configure the parameters below Access Control Policies.
        • Accessible Resources: The default value is Key/*. This value indicates that applications can access all keys of the dedicated KMS instance.
        • Allowed IP Addresses: The network types and IP addresses that are allowed for access to the dedicated KMS instance. You can enter private IP addresses or CIDR blocks. Separate multiple IP addresses or CIDR blocks with commas (,).
    4. In the Application Access Credential dialog box, copy the password and client key from Password and Credential.
      • Password: Click Copy to obtain the password.
      • Credential: Click Download to save the client key.

        The client key is a JSON object with two fields: KeyId and PrivateKeyData. The value of PrivateKeyData is a PKCS12 file that is Base64-encoded. Example:

        {
          "KeyId": "KAAP.71be72c8-73b9-44e0-bb75-81ee51b4****",
          "PrivateKeyData": "MIIJwwIBAz****ICNXX/pOw=="
        }
        Note Dedicated KMS does not save the password or the client key. You can obtain the password and the client key only at the time they are created. You must keep them confidential.
    5. Click Close.
  2. Obtain the CA certificate to verify the dedicated KMS instance.
    In the Applications access Dedicated KMS section, click Download below Configure CA Certificate for Dedicated KMS Instance to download a CA certificate file in the PEM format.
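The following is an added example that is not part of the original topic or of Dedicated KMS SDK: a preflight check, written with the Python standard library only, that an application can run over the downloaded client key file and the Allowed IP Addresses value of an AAP before deployment. It parses the client key JSON described in Step 3 (KeyId and Base64-encoded PKCS12 PrivateKeyData), checks the blob is DER-encoded without using the key, parses the comma-separated allowlist, confirms every entry is a private address or CIDR block as the console requires, and evaluates whether a given client address would be permitted. The sample client key is constructed here and is not a real credential.

```python
import base64
import ipaddress
import json

# Constructed sample in the shape of a downloaded client key file (not a real credential).
SAMPLE_CLIENT_KEY = json.dumps({
    "KeyId": "KAAP.00000000-0000-0000-0000-000000000000",
    "PrivateKeyData": base64.b64encode(b"\x30\x82\x01\x00" + b"\x00" * 256).decode(),
})


def load_client_key(text):
    """Parse a client key file and sanity-check its structure without decrypting the key."""
    data = json.loads(text)
    key_id = data["KeyId"]
    # Application access point key ids carry the KAAP. prefix shown in the console example.
    if not key_id.startswith("KAAP."):
        raise ValueError("KeyId is not an application access point key id")
    blob = base64.b64decode(data["PrivateKeyData"], validate=True)
    # A PKCS#12 (PFX) file is a DER SEQUENCE, so its first byte must be 0x30.
    if not blob or blob[0] != 0x30:
        raise ValueError("PrivateKeyData is not a DER-encoded PKCS#12 file")
    return key_id, blob


def parse_allowed_ips(field):
    """Parse the comma-separated Allowed IP Addresses value of an AAP access control policy."""
    nets = []
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue
        # strict=False lets a bare host address such as 192.168.1.25 become a /32 network.
        net = ipaddress.ip_network(item, strict=False)
        if not net.is_private:
            raise ValueError(f"{item} is not a private IP address or CIDR block")
        nets.append(net)
    if not nets:
        raise ValueError("allowlist is empty")
    return nets


def ip_allowed(client_ip, nets):
    """Return True if client_ip falls inside any allowed address or CIDR block."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)
```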

What to do next

You can use Dedicated KMS SDK to call the API operations of Dedicated KMS. For more information, see Dedicated KMS SDK for Java, Dedicated KMS SDK for PHP, Dedicated KMS SDK for Go, and Dedicated KMS SDK for Python.