Overview

Important Notes

• Security

  You need to ensure that random sources meet your security requirements when using them to generate key materials. When using the import key function, you need to be responsible for the security of your key materials. Save the original backup of the key material so that the backup key material can be imported to the KMS in time when the key material is deleted accidentally.

• Availability and Durability

  Before importing the key material into KMS, you need to ensure the availability and durability of the key material.

  Differences between the imported key material and the key material generated by KMS are shown in Table 1.

  Table 1 Differences between the imported key material and the key material generated by KMS

  Key Material Source	Difference
  Imported keys	You can delete the key material, but cannot delete the custom key and its metadata. Such keys cannot be rotated. When importing the key material, you can set the expiration time of the key material. After the key material expires, the KMS automatically deletes the key material within 24 hours, but does not delete the custom key and its metadata. It is recommended that you save a copy of the material on your local device because it may be used for re-import in cases of invalid key materials or key material mis-deletion.
  Keys created in KMS	The key material cannot be manually deleted. Symmetric keys can be rotated. You cannot set the expiration time for key material.

• Association

  When a key material is imported to a custom key, the custom key is permanently associated with the key material. Other key materials cannot be imported into the custom key.

• Uniqueness

  If you use the custom key created using the imported key material to encrypt data, the encrypted data can be decrypted only by the custom key that has been used to encrypt the data, because the metadata and key material of the custom key must be consistent.