
Key Management Service: Getting started with Key Management

Last Updated: Jan 22, 2024

Key Management Service allows you to create keys and use keys to perform data encryption and decryption. This helps ensure the security of your data. This topic describes how to create and use a key.

Overview

KMS provides software-protected keys, hardware-protected keys, and default keys to meet your business, security, and compliance requirements. For more information, see Overview of Key Management and Key types and specifications.

Default key

Service keys are created and managed by Alibaba Cloud services. Customer master keys (CMKs) are created and managed by you. In this example, a CMK is created and used.

Step 1: Create a CMK

  1. Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.

  2. On the Keys page, click the Default Key tab.

  3. Find the required key, click Enable in the Actions column, configure the parameters, and then click OK.

    Key Alias: The alias of the key. The alias can contain letters, digits, underscores (_), hyphens (-), and forward slashes (/).

    Description: The description of the key.

    Advanced Settings > Key Material Source:

    • Key Management Service: KMS generates key material.

    • External: KMS does not generate key material. You must import key material. For more information, see Import key material into a symmetric key.

      Note: If you select External, you must read and select I understand the implications of using the external key materials.

Step 2: Use the CMK

You can use default keys in Alibaba Cloud services that are integrated with KMS. For more information about how to integrate Alibaba Cloud services with KMS, see Integration with KMS and Alibaba Cloud services that can be integrated with KMS.

For more information about the key types that are supported by Alibaba Cloud services for server-side encryption, see the documentation of the cloud services.

Software-protected key

Prerequisites

A KMS instance of the software key management type is purchased and enabled. For more information, see Purchase and enable a KMS instance.

Step 1: Create a software-protected key

  1. Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.

  2. On the Keys page, click the Keys tab, select a KMS instance of the software key management type from the Instance ID drop-down list, and then click Create Key.

  3. In the Create Key panel, configure the parameters and click OK.

    Key Type: The type of the key that you want to create. Valid values: Symmetric Key and Asymmetric Key.

    Important: If you want to create a key to encrypt secrets, select Symmetric Key.

    Key Specifications: The specification of the key.

      • Symmetric key specifications: Aliyun_AES_256

      • Asymmetric key specifications: RSA_2048, RSA_3072, EC_P256, and EC_P256K

    Key Usage: The usage of the key. Valid values:

    • ENCRYPT/DECRYPT: encrypts or decrypts data.

    • SIGN/VERIFY: signs data or verifies a digital signature.

    Key Alias: The alias of the key. The alias can contain letters, digits, underscores (_), hyphens (-), and forward slashes (/).

    Tag: The tag that you want to add to the key. You can use tags to classify and manage keys. A tag consists of a key-value pair.

    Note

    • A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal signs (=), colons (:), and at signs (@).

    • A tag key cannot start with aliyun or acs:.

    • You can configure up to 20 key-value pairs for each key.

    Automatic Rotation: Specifies whether to enable automatic key rotation. Automatic key rotation is supported only for symmetric keys and is enabled by default. For more information, see Configure key rotation.

    Rotation Period: The rotation period. Valid values: 7 to 365. Unit: days.

    Description: The description of the key.

Step 2: Use the software-protected key

You can integrate software-protected keys into cloud services for server-side encryption or into your applications for building application-layer cryptography solutions.

  • Integrate a software-protected key into an Alibaba Cloud service for server-side encryption

    For more information, see Integration with KMS and Alibaba Cloud services that can be integrated with KMS. For more information about the key types that are supported by Alibaba Cloud services for server-side encryption, see the documentation of the cloud services.

  • Integrate a software-protected key into an application for data encryption and decryption

    KMS provides KMS Instance SDK to help you easily perform cryptographic operations to encrypt, decrypt, and sign data and verify signatures by using keys. For more information, see KMS Instance SDK.

    KMS also provides scenario-specific user guides to help you use keys. For more information about how to use KMS keys to encrypt and decrypt data, see Use a KMS CMK to encrypt and decrypt data online. For more information about how to use KMS keys for envelope encryption, see Use envelope encryption.

Hardware-protected key

Prerequisites

A KMS instance of the hardware key management type is purchased and enabled. For more information, see Purchase and enable a KMS instance.

Step 1: Create a hardware-protected key

  1. Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.

  2. On the Keys page, click the Keys tab, select a KMS instance of the hardware key management type from the Instance ID drop-down list, and then click Create Key.

  3. In the Create Key panel, configure the parameters and click OK.

    Key Type: The type of the key that you want to create. Valid values: Symmetric Key and Asymmetric Key.

    Important: If you want to create a key to encrypt secrets, select Symmetric Key.

    Key Specifications: The specification of the key.

      • Symmetric key specifications: Aliyun_AES_256, Aliyun_AES_192, and Aliyun_AES_128

      • Asymmetric key specifications: RSA_2048, RSA_3072, RSA_4096, EC_P256, and EC_P256K

    Key Usage: The usage of the key. Valid values:

    • ENCRYPT/DECRYPT: encrypts or decrypts data.

    • SIGN/VERIFY: signs data or verifies a digital signature.

    Key Alias: The alias of the key. The alias can contain letters, digits, underscores (_), hyphens (-), and forward slashes (/).

    Tag: The tag that you want to add to the key. You can use tags to classify and manage keys. A tag consists of a key-value pair.

    Note

    • A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal signs (=), colons (:), and at signs (@).

    • A tag key cannot start with aliyun or acs:.

    • You can configure up to 20 key-value pairs for each key.

    Description: The description of the key.

    Advanced Settings
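The Key Alias and Tag constraints listed in the software-protected and hardware-protected key tables above can be enforced on the client before a key is created, so a bad value is rejected locally rather than by the API. The following is an added example, not code from the page or from the KMS SDKs; it assumes ASCII letters and a tag list shaped as `{ key, value }` objects (both assumptions of this example).

```javascript
// Character sets taken from the parameter tables above; ASCII letters are an
// assumption of this example, as the page does not say which scripts count.
const ALIAS_CHARS = /^[A-Za-z0-9_\-\/]+$/;
const TAG_CHARS = /^[A-Za-z0-9\/\\_\-.+=:@]+$/;
const RESERVED_TAG_PREFIXES = ['aliyun', 'acs:'];
const MAX_TAG_LENGTH = 128;
const MAX_TAGS_PER_KEY = 20;

// Returns a list of problems with a key alias; an empty list means it is acceptable.
function validateAlias(alias) {
  const problems = [];
  if (typeof alias !== 'string' || alias.length === 0) {
    problems.push('alias must be a non-empty string');
  } else if (!ALIAS_CHARS.test(alias)) {
    problems.push(`alias "${alias}" may only contain letters, digits, _, - and /`);
  }
  return problems;
}

// Checks one tag key or tag value against the length limit and the allowed set.
function checkTagPart(what, s, problems) {
  if (typeof s !== 'string') {
    problems.push(`tag ${what} must be a string`);
  } else if (s.length > MAX_TAG_LENGTH) {
    problems.push(`tag ${what} exceeds ${MAX_TAG_LENGTH} characters`);
  } else if (s.length > 0 && !TAG_CHARS.test(s)) {
    problems.push(`tag ${what} "${s}" contains characters outside the allowed set`);
  }
}

// tags is an array of { key, value } pairs (assumed shape); returns all problems found.
function validateTags(tags) {
  const problems = [];
  if (tags.length > MAX_TAGS_PER_KEY) {
    problems.push(`${tags.length} tags supplied; at most ${MAX_TAGS_PER_KEY} per key`);
  }
  for (const { key, value } of tags) {
    checkTagPart('key', key, problems);
    checkTagPart('value', value, problems);
    if (typeof key === 'string' && RESERVED_TAG_PREFIXES.some((p) => key.startsWith(p))) {
      problems.push(`tag key "${key}" starts with a reserved prefix (aliyun or acs:)`);
    }
  }
  return problems;
}
```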

Step 2: Use the hardware-protected key

You can integrate hardware-protected keys into cloud services for server-side encryption or into your applications for building application-layer cryptography solutions.

  • Integrate a hardware-protected key into an Alibaba Cloud service for server-side encryption

    For more information, see Integration with KMS and Alibaba Cloud services that can be integrated with KMS. For more information about the key types that are supported by Alibaba Cloud services for server-side encryption, see the documentation of the cloud services.

  • Integrate a hardware-protected key into an application for data encryption and decryption

    KMS provides KMS Instance SDK to help you easily perform cryptographic operations to encrypt, decrypt, and sign data and verify signatures by using keys. For more information, see KMS Instance SDK.

    KMS also provides scenario-specific user guides to help you use keys. For more information about how to use KMS keys to encrypt and decrypt data, see Use a KMS CMK to encrypt and decrypt data online. For more information about how to use KMS keys for envelope encryption, see Use envelope encryption.
