Key Management Service (KMS) lets you create keys and use them to encrypt and decrypt data, which helps protect your data. This topic describes how to create and use a key.
Overview
KMS provides software-protected keys, hardware-protected keys, and default keys to meet your business, security, and compliance requirements. For more information, see Overview of Key Management and Key types and specifications.
Default key
Default keys are either service keys, which are created and managed by Alibaba Cloud services, or customer master keys (CMKs), which you create and manage yourself. This example creates and uses a CMK.
Step 1: Create a CMK
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.
On the Keys page, click the Default Key tab.
Find the required key, click Enable in the Actions column, configure the parameters, and then click OK.
Key Alias: The alias of the key. The alias can contain letters, digits, underscores (_), hyphens (-), and forward slashes (/).
Description: The description of the key.
Advanced Settings: Key Material Source. Valid values:
Key Management Service: KMS generates the key material.
External: KMS does not generate the key material; you must import it. For more information, see Import key material into a symmetric key.
Note: If you select External, you must read and select I understand the implications of using the external key materials.
Step 2: Use the CMK
You can use default keys in Alibaba Cloud services that are integrated with KMS. For more information about how to integrate Alibaba Cloud services with KMS, see Integration with KMS and Alibaba Cloud services that can be integrated with KMS.
For more information about the key types that each Alibaba Cloud service supports for server-side encryption, see the documentation of that service.
Software-protected key
Prerequisites
A KMS instance of the software key management type is purchased and enabled. For more information, see Purchase and enable a KMS instance.
Step 1: Create a software-protected key
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.
On the Keys page, click the Keys tab, select a KMS instance of the software key management type from the Instance ID drop-down list, and then click Create Key.
In the Create Key panel, configure the parameters and click OK.
Key Type: The type of the key that you want to create. Valid values: Symmetric Key and Asymmetric Key.
Important: If you want to create a key to encrypt secret values, select Symmetric Key.
Key Specifications: The specification of the key.
Symmetric key specifications: Aliyun_AES_256
Asymmetric key specifications: RSA_2048, RSA_3072, EC_P256, and EC_P256K
Key Usage: The usage of the key. Valid values:
ENCRYPT/DECRYPT: encrypts or decrypts data.
SIGN/VERIFY: signs data or verifies a digital signature.
Key Alias: The alias of the key. The alias can contain letters, digits, underscores (_), hyphens (-), and forward slashes (/).
Tag: The tag that you want to add to the key. You can use tags to classify and manage keys. A tag consists of a key-value pair.
Note: A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal signs (=), colons (:), and at signs (@). A tag key cannot start with aliyun or acs:. You can configure up to 20 key-value pairs for each key.
Automatic Rotation: Specifies whether to enable automatic key rotation. Automatic key rotation is supported only for symmetric keys and is enabled by default. For more information, see Configure key rotation.
Rotation Period: The rotation period. Valid values: 7 to 365. Unit: days.
Description: The description of the key.
Advanced Settings: The policy settings of the key.
Default Policy: Select Default Policy if the key is used only by the current Alibaba Cloud account or by the Alibaba Cloud accounts in a resource share.
If the KMS instance is not shared with other accounts, only the current Alibaba Cloud account can manage and use the key.
If the KMS instance is shared with other accounts, the supported operations vary. For example, Alibaba Cloud Account 1 shares an instance named KMS Instance A with Alibaba Cloud Account 2:
Keys created by Alibaba Cloud Account 1: Only Alibaba Cloud Account 1 can manage and use the keys.
Keys created by Alibaba Cloud Account 2: Both Alibaba Cloud Account 1 and Alibaba Cloud Account 2 can manage and use the keys.
Custom Policy: Select Custom Policy if you want to grant a Resource Access Management (RAM) user, a RAM role, or another Alibaba Cloud account permission to use the key.
Important: Administrators and users do not consume Access Management Quota. Cross-account users consume Access Management Quota of the KMS instance; the consumed quota is calculated from the number of distinct Alibaba Cloud accounts, not from the number of RAM identities. After you revoke the permissions, the consumed quota is released; wait approximately 5 minutes before you query the quota.
Administrator: can manage the key but cannot perform cryptographic operations with it. You can select RAM users and RAM roles within the current Alibaba Cloud account.
User: can use the key to perform cryptographic operations. You can select RAM users and RAM roles within the current Alibaba Cloud account.
Cross-account user: can use the key for encryption and decryption. You can select RAM users and RAM roles within other Alibaba Cloud accounts.
RAM user: specified in the acs:ram::<userId>:user/<ramuser> format. Example: acs:ram::119285303511****:user/testpolicyuser
RAM role: specified in the acs:ram::<userId>:role/<ramrole> format. Example: acs:ram::119285303511****:role/testpolicyrole
Note: Granting permissions in the key policy is not sufficient on its own. The Alibaba Cloud account that owns the RAM user or RAM role must also authorize that RAM user or RAM role to use the key in RAM. Only then can the RAM user or RAM role use the key.
For more information, see Use RAM to manage access to KMS resources, Grant permissions to a RAM user, and Grant permissions to a RAM role.
Step 2: Use the software-protected key
You can integrate software-protected keys into cloud services for server-side encryption or into your applications for building application-layer cryptography solutions.
Integrate a software-protected key into an Alibaba Cloud service for server-side encryption
For more information, see Integration with KMS and Alibaba Cloud services that can be integrated with KMS. For more information about the key types that each Alibaba Cloud service supports for server-side encryption, see the documentation of that service.
Integrate a software-protected key into an application for data encryption and decryption
KMS provides the KMS Instance SDK for performing cryptographic operations with your keys: encrypting and decrypting data, signing data, and verifying signatures. For more information, see KMS Instance SDK.
KMS also provides scenario-specific user guides to help you use keys. For more information about how to use KMS keys to encrypt and decrypt data, see Use a KMS CMK to encrypt and decrypt data online. For more information about how to use KMS keys for envelope encryption, see Use envelope encryption.
Hardware-protected key
Prerequisites
A KMS instance of the hardware key management type is purchased and enabled. For more information, see Purchase and enable a KMS instance.
Step 1: Create a hardware-protected key
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.
On the Keys page, click the Keys tab, select a KMS instance of the hardware key management type from the Instance ID drop-down list, and then click Create Key.
In the Create Key panel, configure the parameters and click OK.
Key Type: The type of the key that you want to create. Valid values: Symmetric Key and Asymmetric Key.
Important: If you want to create a key to encrypt secret values, select Symmetric Key.
Key Specifications: The specification of the key.
Symmetric key specifications: Aliyun_AES_256, Aliyun_AES_192, and Aliyun_AES_128
Asymmetric key specifications: RSA_2048, RSA_3072, RSA_4096, EC_P256, and EC_P256K
Key Usage: The usage of the key. Valid values:
ENCRYPT/DECRYPT: encrypts or decrypts data.
SIGN/VERIFY: signs data or verifies a digital signature.
Key Alias: The alias of the key. The alias can contain letters, digits, underscores (_), hyphens (-), and forward slashes (/).
Tag: The tag that you want to add to the key. You can use tags to classify and manage keys. A tag consists of a key-value pair.
Note: A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal signs (=), colons (:), and at signs (@). A tag key cannot start with aliyun or acs:. You can configure up to 20 key-value pairs for each key.
Description: The description of the key.
Advanced Settings: Policy Settings and Key Material Source.
Policy Settings:
Default Policy: Select Default Policy if the key is used only by the current Alibaba Cloud account or by the Alibaba Cloud accounts in a resource share.
If the KMS instance is not shared with other accounts, only the current Alibaba Cloud account can manage and use the key.
If the KMS instance is shared with other accounts, the supported operations vary. For example, Alibaba Cloud Account 1 shares an instance named KMS Instance A with Alibaba Cloud Account 2:
Keys created by Alibaba Cloud Account 1: Only Alibaba Cloud Account 1 can manage and use the keys.
Keys created by Alibaba Cloud Account 2: Both Alibaba Cloud Account 1 and Alibaba Cloud Account 2 can manage and use the keys.
Custom Policy: Select Custom Policy if you want to grant a Resource Access Management (RAM) user, a RAM role, or another Alibaba Cloud account permission to use the key.
Important: Administrators and users do not consume Access Management Quota. Cross-account users consume Access Management Quota of the KMS instance; the consumed quota is calculated from the number of distinct Alibaba Cloud accounts, not from the number of RAM identities. After you revoke the permissions, the consumed quota is released; wait approximately 5 minutes before you query the quota.
Administrator: can manage the key but cannot perform cryptographic operations with it. You can select RAM users and RAM roles within the current Alibaba Cloud account.
User: can use the key to perform cryptographic operations. You can select RAM users and RAM roles within the current Alibaba Cloud account.
Cross-account user: can use the key for encryption and decryption. You can select RAM users and RAM roles within other Alibaba Cloud accounts.
RAM user: specified in the acs:ram::<userId>:user/<ramuser> format. Example: acs:ram::119285303511****:user/testpolicyuser
RAM role: specified in the acs:ram::<userId>:role/<ramrole> format. Example: acs:ram::119285303511****:role/testpolicyrole
Note: Granting permissions in the key policy is not sufficient on its own. The Alibaba Cloud account that owns the RAM user or RAM role must also authorize that RAM user or RAM role to use the key in RAM. Only then can the RAM user or RAM role use the key.
For more information, see Use RAM to manage access to KMS resources, Grant permissions to a RAM user, and Grant permissions to a RAM role.
Key Material Source:
Key Management Service: KMS generates the key material.
External: KMS does not generate the key material; you must import it. For more information, see Import key material into a symmetric key and Import key material into an asymmetric key.
Note: If you select External, you must read and select I understand the implications of using the external key materials.
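The alias, tag, and principal formats in the parameter tables above (the same rules apply to software-protected and hardware-protected keys) are easy to get wrong when keys are created from automation rather than from the console, and a rejected principal ARN or a reserved tag key only surfaces at creation time. The following Go program is an added example, not code from this page or from Alibaba Cloud. It validates an alias and a tag set against the rules stated above, parses RAM principals in the acs:ram::<userId>:user/<ramuser> and acs:ram::<userId>:role/<ramrole> formats so that anything else (for example a group ARN or a typo) is rejected before it reaches a policy, and counts how much Access Management Quota a custom policy would consume, which the page says is charged per cross-account Alibaba Cloud account rather than per RAM identity. Assumptions that are not taken from the page: account IDs are 16 characters (the masked 119285303511**** form from the examples is accepted as well), RAM user and role names are limited to letters, digits and . _ @ -, and the reserved aliyun and acs: prefixes are compared case-insensitively. The ARNs in main are the page's two masked examples plus two constructed principals in a hypothetical second account.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Principal is a RAM identity as it appears in a custom key policy:
//   acs:ram::<accountId>:user/<name>  or  acs:ram::<accountId>:role/<name>
type Principal struct {
	AccountID string // 16 characters; the documentation masks the last four as ****
	Kind      string // "user" or "role"
	Name      string
}

// Account IDs are 16 digits; the masked "****" tail is accepted so that the
// examples from the page parse. The name character set is an assumption.
var principalRe = regexp.MustCompile(
	`^acs:ram::([0-9]{12}(?:[0-9]{4}|\*{4})):(user|role)/([A-Za-z0-9._@-]{1,64})$`)

// Alias: letters, digits, underscores, hyphens and forward slashes (from the page).
var aliasRe = regexp.MustCompile(`^[A-Za-z0-9_/-]+$`)

// Tag key or value: letters, digits, / \ _ - . + = : @, at most 128 characters (from the page).
var tagRe = regexp.MustCompile(`^[A-Za-z0-9/\\_.+=:@-]{0,128}$`)

// ParsePrincipal accepts only RAM user and role ARNs, so a group ARN or a typo
// cannot silently end up in a key policy.
func ParsePrincipal(arn string) (Principal, error) {
	m := principalRe.FindStringSubmatch(arn)
	if m == nil {
		return Principal{}, fmt.Errorf("principal %q is not acs:ram::<accountId>:user|role/<name>", arn)
	}
	return Principal{AccountID: m[1], Kind: m[2], Name: m[3]}, nil
}

func ValidateAlias(alias string) error {
	if !aliasRe.MatchString(alias) {
		return fmt.Errorf("alias %q: only letters, digits, _ - / are allowed", alias)
	}
	return nil
}

func ValidateTags(tags map[string]string) error {
	if len(tags) > 20 {
		return fmt.Errorf("%d tags: at most 20 key-value pairs per key", len(tags))
	}
	for k, v := range tags {
		if k == "" || !tagRe.MatchString(k) || !tagRe.MatchString(v) {
			return fmt.Errorf("tag %q=%q: 1-128 characters from letters, digits, / \\ _ - . + = : @", k, v)
		}
		// Reserved prefixes; compared case-insensitively here (assumption).
		lk := strings.ToLower(k)
		if strings.HasPrefix(lk, "aliyun") || strings.HasPrefix(lk, "acs:") {
			return fmt.Errorf("tag key %q: keys starting with aliyun or acs: are reserved", k)
		}
	}
	return nil
}

// CrossAccountQuota returns the number of distinct Alibaba Cloud accounts other
// than the instance owner among the principals. That is the unit in which the
// page says Access Management Quota is consumed; same-account administrators
// and users cost nothing.
func CrossAccountQuota(ownerAccount string, arns []string) (int, error) {
	seen := map[string]bool{}
	for _, arn := range arns {
		p, err := ParsePrincipal(arn)
		if err != nil {
			return 0, err
		}
		if p.AccountID != ownerAccount {
			seen[p.AccountID] = true
		}
	}
	return len(seen), nil
}

func main() {
	// Constructed input: the page's two masked ARNs plus two principals in a
	// hypothetical second account. Two identities in one other account: quota 1.
	owner := "119285303511****"
	arns := []string{
		"acs:ram::119285303511****:user/testpolicyuser",
		"acs:ram::119285303511****:role/testpolicyrole",
		"acs:ram::123456789012****:user/partner-app",
		"acs:ram::123456789012****:role/partner-batch",
	}
	n, err := CrossAccountQuota(owner, arns)
	fmt.Println("cross-account quota consumed:", n, err)
	fmt.Println(ValidateAlias("payments/orders-db"), ValidateAlias("payments:orders"))
	fmt.Println(ValidateTags(map[string]string{"acs:env": "prod"}))
}
```

Run these checks before calling the key-creation API from a pipeline; the quota count is also a cheap way to see, before granting anything, how many cross-account principals a shared instance can still absorb.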
Step 2: Use the hardware-protected key
You can integrate hardware-protected keys into cloud services for server-side encryption or into your applications for building application-layer cryptography solutions.
Integrate a hardware-protected key into an Alibaba Cloud service for server-side encryption
For more information, see Integration with KMS and Alibaba Cloud services that can be integrated with KMS. For more information about the key types that each Alibaba Cloud service supports for server-side encryption, see the documentation of that service.
Integrate a hardware-protected key into an application for data encryption and decryption
KMS provides the KMS Instance SDK for performing cryptographic operations with your keys: encrypting and decrypting data, signing data, and verifying signatures. For more information, see KMS Instance SDK.
KMS also provides scenario-specific user guides to help you use keys. For more information about how to use KMS keys to encrypt and decrypt data, see Use a KMS CMK to encrypt and decrypt data online. For more information about how to use KMS keys for envelope encryption, see Use envelope encryption.
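The envelope encryption that the linked guide (Use envelope encryption) describes, for software-protected and hardware-protected keys alike, is worth seeing end to end, because its security properties depend on details a console walkthrough never shows: the plaintext data key must never be persisted, and the stored record must bind the key ID and the wrapped data key to the ciphertext so that neither can be swapped for another record's. The Go program below is an added example; it is not the KMS Instance SDK and not code from this page. FakeKMS is a constructed stand-in that wraps data keys under an in-memory master key so the program runs offline; in a real deployment the KeyService interface would be implemented by the KMS Instance SDK client calling GenerateDataKey and Decrypt on the symmetric key created above, and only the wrapped data key would ever leave the instance. The envelope layout, the key ID key-1234, and the sample record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyService is the part of KMS that envelope encryption needs. In production
// it is the KMS Instance SDK client; FakeKMS stands in so the example runs offline.
type KeyService interface {
	GenerateDataKey(keyID string) (plaintextDEK, wrappedDEK []byte, err error)
	Decrypt(keyID string, wrappedDEK []byte) ([]byte, error)
}

// FakeKMS wraps data keys with AES-256-GCM under an in-memory master key that
// stands in for the symmetric key in the instance. It is a test double, not KMS.
type FakeKMS struct{ master []byte }

func (f *FakeKMS) GenerateDataKey(keyID string) ([]byte, []byte, error) {
	dek := mustRandom(32) // fresh 256-bit data key per record
	return dek, seal(f.master, dek, []byte(keyID)), nil // key ID bound as AAD
}

func (f *FakeKMS) Decrypt(keyID string, wrapped []byte) ([]byte, error) {
	return open(f.master, wrapped, []byte(keyID))
}

// Envelope = u16 len(keyID) | keyID | u16 len(wrappedDEK) | wrappedDEK | nonce | ct+tag.
// The header is GCM additional data, so a key ID or wrapped key spliced in from
// another record fails authentication instead of decrypting to garbage.
func EnvelopeEncrypt(kms KeyService, keyID string, plaintext []byte) ([]byte, error) {
	dek, wrapped, err := kms.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	defer zero(dek) // the plaintext data key is never stored or returned
	hdr := lenPrefixed(lenPrefixed(nil, []byte(keyID)), wrapped)
	return append(hdr, seal(dek, plaintext, hdr)...), nil
}

func EnvelopeDecrypt(kms KeyService, blob []byte) ([]byte, error) {
	keyID, off, err := field(blob, 0)
	if err != nil {
		return nil, err
	}
	wrapped, off, err := field(blob, off)
	if err != nil {
		return nil, err
	}
	dek, err := kms.Decrypt(string(keyID), wrapped) // the only KMS call on read
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	return open(dek, blob[off:], blob[:off])
}

func lenPrefixed(dst, v []byte) []byte { // big-endian u16 length, then v
	return append(append(dst, byte(len(v)>>8), byte(len(v))), v...)
}

func field(blob []byte, off int) ([]byte, int, error) { // inverse of lenPrefixed
	if len(blob) >= off+2 {
		if n := int(blob[off])<<8 | int(blob[off+1]); len(blob) >= off+2+n {
			return blob[off+2 : off+2+n], off + 2 + n, nil
		}
	}
	return nil, 0, fmt.Errorf("envelope truncated at offset %d", off)
}

func seal(key, plaintext, aad []byte) []byte { // nonce || ciphertext || tag
	g := gcm(key)
	nonce := mustRandom(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys here are always 32 bytes
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	kms := &FakeKMS{master: mustRandom(32)}
	blob, _ := EnvelopeEncrypt(kms, "key-1234", []byte("constructed secret record"))
	pt, err := EnvelopeDecrypt(kms, blob)
	fmt.Printf("decrypted %q, err=%v\n", pt, err)
	blob[len(blob)-1] ^= 1 // flip one bit of the GCM tag: decryption must fail
	_, err = EnvelopeDecrypt(kms, blob)
	fmt.Println("tampered:", err)
}
```

Each encrypt costs one GenerateDataKey call and each decrypt one Decrypt call against KMS, regardless of record size, because the bulk data is encrypted locally under the data key. Zeroing the data key after use is best effort in a garbage-collected language, but it keeps the key out of later heap dumps; what matters more is that only the wrapped form is ever written to storage, so the record is useless without a principal that the key policy allows to call Decrypt.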