Key Management Service (KMS) allows you to create keys and use them to encrypt and decrypt data, which helps keep your data secure. This topic describes how to create and use a key.
Overview
KMS provides software-protected keys, hardware-protected keys, and default keys to meet your business, security, and compliance requirements. For more information, see Overview of Key Management and Key types and specifications.
Default key
Service keys are created and managed by Alibaba Cloud services. Customer master keys (CMKs) are created and managed by you. In this example, a CMK is created and used.
Step 1: Create a CMK
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.
On the Keys page, click the Default Key tab.
Find the required key, click Enable in the Actions column, configure the parameters, and then click OK.
Key Alias: The alias of the key. The alias can contain letters, digits, underscores (_), hyphens (-), and forward slashes (/).
Description: The description of the key.
Advanced Settings: Key Material Source. Valid values:
  Key Management Service: KMS generates the key material.
  External: KMS does not generate key material. You must import the key material. For more information, see Import key material into a symmetric key.
  Note: If you select External, you must read and select "I understand the implications of using the external key materials".
Step 2: Use the CMK
You can use default keys in Alibaba Cloud services that are integrated with KMS. For more information about how to integrate Alibaba Cloud services with KMS, see Integration with KMS and Alibaba Cloud services that can be integrated with KMS.
For more information about the key types that are supported by Alibaba Cloud services for server-side encryption, see the documentation of the cloud services.
Software-protected key
Prerequisites
A KMS instance of the software key management type is purchased and enabled. For more information, see Purchase and enable a KMS instance.
Step 1: Create a software-protected key
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.
On the Keys page, click the Keys tab, select a KMS instance of the software key management type from the Instance ID drop-down list, and then click Create Key.
In the Create Key panel, configure the parameters and click OK.
Key Type: The type of the key that you want to create. Valid values: Symmetric Key and Asymmetric Key.
  Important: If you want to create a key to encrypt secrets, select Symmetric Key.
Key Specifications: The specification of the key.
  Symmetric key specifications: Aliyun_AES_256
  Asymmetric key specifications: RSA_2048, RSA_3072, EC_P256, and EC_P256K
Key Purpose: The usage of the key. Valid values:
  ENCRYPT/DECRYPT: encrypts or decrypts data.
  SIGN/VERIFY: signs data or verifies a digital signature.
Key Alias: The alias of the key. The alias can contain letters, digits, underscores (_), hyphens (-), and forward slashes (/).
Tag: The tag that you want to add to the key. You can use tags to classify and manage keys. A tag consists of a key-value pair.
  Note: A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal signs (=), colons (:), and at signs (@). A tag key cannot start with aliyun or acs:. You can configure up to 20 key-value pairs for each key.
Automatic Rotation: Specifies whether to enable automatic key rotation. Automatic key rotation is supported only for symmetric keys and is enabled by default. For more information, see Configure key rotation.
Rotation Period: The rotation period. Valid values: 7 to 365. Unit: days.
Description: The description of the key.
Step 2: Use the software-protected key
You can integrate software-protected keys into cloud services for server-side encryption or into your applications for building application-layer cryptography solutions.
Integrate a software-protected key into an Alibaba Cloud service for server-side encryption
For more information, see Integration with KMS and Alibaba Cloud services that can be integrated with KMS. For more information about the key types that are supported by Alibaba Cloud services for server-side encryption, see the documentation of the cloud services.
Integrate a software-protected key into an application for data encryption and decryption
KMS provides KMS Instance SDK to help you easily perform cryptographic operations to encrypt, decrypt, and sign data and verify signatures by using keys. For more information, see KMS Instance SDK.
KMS also provides scenario-specific user guides to help you use keys. For more information about how to use KMS keys to encrypt and decrypt data, see Use a KMS CMK to encrypt and decrypt data online. For more information about how to use KMS keys for envelope encryption, see Use envelope encryption.
Hardware-protected key
Prerequisites
A KMS instance of the hardware key management type is purchased and enabled. For more information, see Purchase and enable a KMS instance.
Step 1: Create a hardware-protected key
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.
On the Keys page, click the Keys tab, select a KMS instance of the hardware key management type from the Instance ID drop-down list, and then click Create Key.
In the Create Key panel, configure the parameters and click OK.
Key Type: The type of the key that you want to create. Valid values: Symmetric Key and Asymmetric Key.
  Important: If you want to create a key to encrypt secrets, select Symmetric Key.
Key Specifications: The specification of the key.
  Symmetric key specifications: Aliyun_AES_256, Aliyun_AES_192, and Aliyun_AES_128
  Asymmetric key specifications: RSA_2048, RSA_3072, RSA_4096, EC_P256, and EC_P256K
Key Purpose: The usage of the key. Valid values:
  ENCRYPT/DECRYPT: encrypts or decrypts data.
  SIGN/VERIFY: signs data or verifies a digital signature.
Key Alias: The alias of the key. The alias can contain letters, digits, underscores (_), hyphens (-), and forward slashes (/).
Tag: The tag that you want to add to the key. You can use tags to classify and manage keys. A tag consists of a key-value pair.
  Note: A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal signs (=), colons (:), and at signs (@). A tag key cannot start with aliyun or acs:. You can configure up to 20 key-value pairs for each key.
Description: The description of the key.
Advanced Settings: Key Material Source. Valid values:
  Key Management Service: KMS generates the key material.
  External: KMS does not generate key material. You must import the key material. For more information, see Import key material into a symmetric key and Import key material into an asymmetric key.
  Note: If you select External, you must read and select "I understand the implications of using the external key materials".
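The alias and tag rules in the Create Key parameter tables above (for both software-protected and hardware-protected keys) are easy to get wrong when keys are created from automation rather than the console. The following Go program is an added example, not Alibaba Cloud code, that pre-validates an alias and a tag set against the rules stated on this page before a create request is sent. It assumes the reserved prefixes aliyun and acs: should be matched case-insensitively (the stricter reading), that an alias must be non-empty, and that an empty tag value is acceptable; none of these three points is stated on the page.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Limits stated on the Create Key page for tags.
const (
	maxTagLen   = 128
	maxTagPairs = 20
)

// Character sets from the page. Aliases allow letters, digits, _ - /;
// tag keys and values allow letters, digits, / \ _ - . + = : @.
// Both sets are ASCII, so a byte length check equals a character count.
var (
	aliasChars = regexp.MustCompile(`^[A-Za-z0-9_/-]+$`)
	tagChars   = regexp.MustCompile(`^[A-Za-z0-9/\\_.+=:@-]+$`)
)

// ValidateAlias reports whether alias uses only the characters the page permits.
// Rejecting an empty alias is an assumption of this example, not a documented rule.
func ValidateAlias(alias string) error {
	if alias == "" {
		return fmt.Errorf("alias must not be empty")
	}
	if !aliasChars.MatchString(alias) {
		return fmt.Errorf("alias %q: only letters, digits, _, - and / are allowed", alias)
	}
	return nil
}

// ValidateTags returns one error per violated rule: at most 20 pairs, at most 128
// characters per key or value, the documented character set, and no key starting
// with aliyun or acs:. The prefix check is case-insensitive here (assumption).
func ValidateTags(tags map[string]string) []error {
	var errs []error
	if len(tags) > maxTagPairs {
		errs = append(errs, fmt.Errorf("%d tags exceed the limit of %d", len(tags), maxTagPairs))
	}
	for k, v := range tags {
		lk := strings.ToLower(k)
		if strings.HasPrefix(lk, "aliyun") || strings.HasPrefix(lk, "acs:") {
			errs = append(errs, fmt.Errorf("tag key %q uses a reserved prefix", k))
		}
		for _, f := range []struct{ what, s string }{{"key", k}, {"value", v}} {
			if f.s == "" {
				// An empty value is accepted (assumption); an empty key is not.
				if f.what == "key" {
					errs = append(errs, fmt.Errorf("tag key must not be empty"))
				}
				continue
			}
			if len(f.s) > maxTagLen {
				errs = append(errs, fmt.Errorf("tag %s %q exceeds %d characters", f.what, f.s, maxTagLen))
				continue
			}
			if !tagChars.MatchString(f.s) {
				errs = append(errs, fmt.Errorf("tag %s %q contains a disallowed character", f.what, f.s))
			}
		}
	}
	return errs
}

func main() {
	// Constructed sample inputs.
	fmt.Println("alias ok:", ValidateAlias("app/prod-db_key") == nil)
	fmt.Println("alias err:", ValidateAlias("bad alias!"))
	for _, e := range ValidateTags(map[string]string{
		"env":         "prod",
		"aliyun:team": "sec",
		"owner":       "a b",
	}) {
		fmt.Println("tag err:", e)
	}
}
```

Run it ahead of a Create Key call in a provisioning pipeline; a non-empty error list means the request would be rejected (or, worse, silently create a key with a different alias than intended once the offending characters are stripped by a wrapper script).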
Step 2: Use the hardware-protected key
You can integrate hardware-protected keys into cloud services for server-side encryption or into your applications for building application-layer cryptography solutions.
Integrate a hardware-protected key into an Alibaba Cloud service for server-side encryption
For more information, see Integration with KMS and Alibaba Cloud services that can be integrated with KMS. For more information about the key types that are supported by Alibaba Cloud services for server-side encryption, see the documentation of the cloud services.
Integrate a hardware-protected key into an application for data encryption and decryption
KMS provides KMS Instance SDK to help you easily perform cryptographic operations to encrypt, decrypt, and sign data and verify signatures by using keys. For more information, see KMS Instance SDK.
KMS also provides scenario-specific user guides to help you use keys. For more information about how to use KMS keys to encrypt and decrypt data, see Use a KMS CMK to encrypt and decrypt data online. For more information about how to use KMS keys for envelope encryption, see Use envelope encryption.
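The envelope encryption pattern referred to in Step 2 of both the software-protected and hardware-protected key sections is what makes a KMS instance usable for bulk data: the CMK never leaves KMS, the application asks KMS for a data key, encrypts locally, and stores only the wrapped data key next to the ciphertext. The Go program below is an added example that is not part of this page and does not use the KMS Instance SDK; SimKMS is a constructed in-process stand-in for the KMS side (GenerateDataKey and Decrypt), the key ID format is made up, and AES-256-GCM is assumed for both the wrap and the data encryption so that tampering with either the wrapped key or the ciphertext is detected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// randBytes returns n bytes from crypto/rand; a failed read is fatal, not recoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal returns nonce||ciphertext||tag; aad is authenticated but not encrypted.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; any change to the sealed bytes or to aad fails authentication.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("sealed data too short")
}

// SimKMS is a constructed stand-in for a KMS instance holding one Aliyun_AES_256-style
// CMK; it exposes only GenerateDataKey and Decrypt, so the CMK never leaves it.
type SimKMS struct {
	KeyID string // constructed identifier, not a real KMS key ID format
	cmk   []byte
}

func NewSimKMS(keyID string) *SimKMS { return &SimKMS{KeyID: keyID, cmk: randBytes(32)} }

// GenerateDataKey returns a fresh 256-bit data key in plaintext and wrapped under the CMK.
// The key ID is bound as associated data, tying the wrapped key to the CMK that issued it.
func (k *SimKMS) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = randBytes(32)
	wrapped, err = aeadSeal(k.cmk, plain, []byte(k.KeyID))
	return plain, wrapped, err
}

// Decrypt unwraps a data key; this small blob is all that ever crosses the KMS boundary.
func (k *SimKMS) Decrypt(wrapped []byte) ([]byte, error) {
	return aeadOpen(k.cmk, wrapped, []byte(k.KeyID))
}

// zero scrubs a plaintext data key after use (best effort; Go gives no stronger guarantee).
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// EnvelopeEncrypt makes one KMS call for a data key and encrypts the bulk data locally.
// It returns (wrappedDK, ciphertext); the caller persists both, never the plaintext key.
func EnvelopeEncrypt(kms *SimKMS, plaintext []byte) ([]byte, []byte, error) {
	dk, wrappedDK, err := kms.GenerateDataKey()
	if err != nil {
		return nil, nil, err
	}
	defer zero(dk)
	ciphertext, err := aeadSeal(dk, plaintext, []byte(kms.KeyID))
	return wrappedDK, ciphertext, err
}

// EnvelopeDecrypt makes one KMS call to unwrap the data key, then decrypts locally.
func EnvelopeDecrypt(kms *SimKMS, wrappedDK, ciphertext []byte) ([]byte, error) {
	dk, err := kms.Decrypt(wrappedDK)
	if err != nil {
		return nil, err
	}
	defer zero(dk)
	return aeadOpen(dk, ciphertext, []byte(kms.KeyID))
}
```

Two properties worth noting when mapping this onto a real deployment: the volume of data sent to KMS is independent of the payload size (only a 60-byte wrapped key per object here), and rotating the CMK does not require re-encrypting the data, only re-wrapping the stored data keys. Persisting the key ID alongside the wrapped data key, as this example does through the associated data, is what lets the decrypt path pick the right CMK after a rotation.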