Before you use the encryption function, EVS must be granted the permission to access KMS. If you have the right to grant the permission, you can grant the permission directly. If you do not have the permission, contact a user with the security administrator permissions to add the security administrator permission for you. Then, you can grant the permission. For more information about EVS, see the Elastic Volume Service User Guide.
-
-
\ No newline at end of file
diff --git a/docs/kms/umn/dew_01_0009.html b/docs/kms/umn/dew_01_0009.html
index 8cdfbdbdc..55ccf85c9 100644
--- a/docs/kms/umn/dew_01_0009.html
+++ b/docs/kms/umn/dew_01_0009.html
@@ -1,21 +1,14 @@
+
-
-
\ No newline at end of file
diff --git a/docs/kms/umn/dew_01_0016.html b/docs/kms/umn/dew_01_0016.html
new file mode 100644
index 000000000..599e30113
--- /dev/null
+++ b/docs/kms/umn/dew_01_0016.html
@@ -0,0 +1,80 @@
+
+
+
Using KMS for Encryption
+
Interacting with Cloud Services
Cloud services use the envelope encryption technology and call KMS APIs to encrypt service resources. Your CMKs are under your own management. With your grant, cloud services use a specific custom key of yours to encrypt data.
+
The encryption process is as follows:
- Create a custom key on KMS.
- Cloud services call the create-datakey API of the KMS to create a DEK. Then you get a plaintext DEK and a ciphertext DEK.
Ciphertext DEKs are generated when you use a CMK to encrypt the plaintext DEKs.
+
- Cloud services use the plaintext DEK to encrypt a plaintext file, generating a ciphertext file.
- Cloud services store the ciphertext DEK and ciphertext file in a persistent storage device or a storage service.
+
+
When users download the data from a cloud service, the service uses the custom key specified by KMS to decrypt the ciphertext DEK, uses the decrypted DEK to decrypt data, and then provides the decrypted data for users to download.
+
+
+
Table 1 Cloud services supported by KMSService
+ |
+How to Use
+ |
+Reference
+ |
+
|---|
+
+Object Storage Service (OBS)
+ |
+You can upload objects to and download them from OBS in common mode or server-side encryption mode. When you upload objects in encryption mode, data is encrypted at the server side and then securely stored on OBS in ciphertext. When you download encrypted objects, the data in ciphertext is decrypted at the server side and then provided to you in plaintext. OBS supports the server-side encryption with KMS-managed keys (SSE-KMS). In this mode, OBS uses the keys provided by KMS for server-side encryption.
+ |
+Object Storage Service Console Operation Guide
+ |
+
+Elastic Volume Service (EVS)
+ |
+If you enable the encryption function when creating an EVS disk, the disk will be encrypted with the DEK generated by using your CMK. Data stored in the EVS disk will be automatically encrypted.
+ |
+Elastic Volume Service User Guide
+ |
+
+Image Management Service (IMS)
+ |
+When creating a private image using an external image file, you can enable the private image encryption function and select a CMK provided by KMS to encrypt the image.
+ |
+Image Management Service User Guide
+ |
+
+Scalable File Service (SFS)
+ |
+When creating a file system on SFS, the CMK provided by KMS can be selected to encrypt the file system, so that files stored in the file system are automatically encrypted.
+ |
+Scalable File Service User Guide
+ |
+
+Relational Database Service (RDS)
+ |
+When purchasing a database instance, you can enable the disk encryption function of the database instance and select a CMK created on KMS to encrypt the disk of the database instance. Enabling the disk encryption function will enhance data security.
+ |
+Relational Database Service User Guide
+ |
+
+Document Database Service (DDS)
+ |
+When purchasing a DDS instance, you can enable the disk encryption function of the instance and select a CMK created on KMS to encrypt the disk of the instance. Enabling the disk encryption function will enhance data security.
+ |
+Document Database Service User Guide
+ |
+
+
+
+
+
+
Working with User Applications
To encrypt plaintext data, a user application can call the necessary KMS API to create a DEK. The DEK can then be used to encrypt the plaintext data. Then the application can store the encrypted data. In addition, the user application can call the KMS API to create CMKs. DEKs can be stored in ciphertext after being encrypted with the CMKs.
+
Envelope encryption is implemented, with CMKs stored in KMS and ciphertext DEKs in user applications. KMS is called to decrypt a ciphertext DEK only when necessary.
+
The encryption process is as follows:
- The application calls the create-key API of KMS to create a custom key.
- The application calls the create-datakey API of KMS to create a DEK. A plaintext DEK and a ciphertext DEK are generated.
Ciphertext DEKs are generated when you use a CMK to encrypt the plaintext DEKs in 1.
+
+ - The application uses the plaintext DEK to encrypt a plaintext file. A ciphertext file is generated.
- The application saves the ciphertext DEK and the ciphertext file together in a persistent storage device or a storage service.
+
+
For details, see the Key Management Service API Usage Guidelines.
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0017.html b/docs/kms/umn/dew_01_0017.html
new file mode 100644
index 000000000..bc78b3d4f
--- /dev/null
+++ b/docs/kms/umn/dew_01_0017.html
@@ -0,0 +1,74 @@
+
+
+
Related Services
+
Related Services
KMS provides CMK management and encryption capabilities for cloud services. The following table lists the cloud services that can use KMS for encryption.
+
+
Table 1 Cloud services supported by KMSService
+ |
+How to Use
+ |
+Reference
+ |
+
|---|
+
+Object Storage Service (OBS)
+ |
+You can upload objects to and download them from OBS in common mode or server-side encryption mode. When you upload objects in encryption mode, data is encrypted at the server side and then securely stored on OBS in ciphertext. When you download encrypted objects, the data in ciphertext is decrypted at the server side and then provided to you in plaintext. OBS supports the server-side encryption with KMS-managed keys (SSE-KMS). In this mode, OBS uses the keys provided by KMS for server-side encryption.
+ |
+Object Storage Service Console Operation Guide
+ |
+
+Elastic Volume Service (EVS)
+ |
+If you enable the encryption function when creating an EVS disk, the disk will be encrypted with the DEK generated by using your CMK. Data stored in the EVS disk will be automatically encrypted.
+ |
+Elastic Volume Service User Guide
+ |
+
+Image Management Service (IMS)
+ |
+When creating a private image using an external image file, you can enable the private image encryption function and select a CMK provided by KMS to encrypt the image.
+ |
+Image Management Service User Guide
+ |
+
+Scalable File Service (SFS)
+ |
+When creating a file system on SFS, the CMK provided by KMS can be selected to encrypt the file system, so that files stored in the file system are automatically encrypted.
+ |
+Scalable File Service User Guide
+ |
+
+Relational Database Service (RDS)
+ |
+When purchasing a database instance, you can enable the disk encryption function of the database instance and select a CMK created on KMS to encrypt the disk of the database instance. Enabling the disk encryption function will enhance data security.
+ |
+Relational Database Service User Guide
+ |
+
+Document Database Service (DDS)
+ |
+When purchasing a DDS instance, you can enable the disk encryption function of the instance and select a CMK created on KMS to encrypt the disk of the instance. Enabling the disk encryption function will enhance data security.
+ |
+Document Database Service User Guide
+ |
+
+
+
+
+
+
CTS
CTS provides you with a history of KMS operations. After the CTS service is enabled, you can view all generated traces to review and audit performed KMS operations. For details, see the Cloud Trace Service User Guide.
+
+
IAM
IAM provides permission management for KMS.
+
Only users who have KMS Administrator permissions can use KMS.
+
To apply for permissions, contact a user with Security Administrator permissions. For details, see Identity and Access Management User Guide.
+
+
SMN
Simple Message Notification (SMN) provides the notification function. When a selected event is triggered for the target secret, CSMS sends a notification through SMN.
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0018.html b/docs/kms/umn/dew_01_0018.html
new file mode 100644
index 000000000..f6764252e
--- /dev/null
+++ b/docs/kms/umn/dew_01_0018.html
@@ -0,0 +1,358 @@
+
+
+
Permissions Management
+
If you want to assign different access permissions to employees in an enterprise for the DEW resources purchased on the cloud platform, you can use Identity and Access Management (IAM) to perform refined permission management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your resources.
+
With IAM, you can use your account to create IAM users for your employees, and grant permissions to control their access to specific resource types. For example, some software developers in your enterprise need to use DEW resources but must not delete them or perform any high-risk operations. To achieve this result, you can create IAM users for the software developers and grant them only the permissions required for using DEW resources.
+
If the system account has met your requirements and you do not need to create an independent IAM user for permission control, then you can skip this section. This will not affect other functions of DEW.
+
Permissions
By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from their groups and can perform specified operations on cloud services based on the permissions.
+
DEW is a project-level service deployed and accessed in specific physical regions. To assign permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. Users need to switch to the authorized region when accessing KMS.
+
You can grant users permissions by using roles and policies.
+
- Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you must also assign other roles that the permissions depend on to take effect. However, roles are not an ideal choice for fine-grained authorization and secure access control.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, you can grant KMS users only the permissions for managing a certain type of cloud servers. Most policies contain permissions for specific APIs, and permissions are defined using API actions.
+
For details, see Table 1.
+
+
Table 1 DEW permissionsRole/Policy
+ |
+Description
+ |
+Type
+ |
+
|---|
+
+KMS Administrator
+ |
+Administrator permissions for the encryption key
+ |
+Role
+ |
+
+KMS CMKFullAccess
+ |
+All permissions for the encryption keys
+ |
+Policy
+ |
+
+KMS CMK Admin
+ |
+All permissions for the encryption keys
+ |
+Policy
+ |
+
+KMS CMKReadOnlyAccess
+ |
+Read-only permission for encryption keys
+ |
+Policy
+ |
+
+
+
+
+
+
Table 2 CSMS system policiesRole/Policy
+ |
+Description
+ |
+Type
+ |
+Dependency
+ |
+
|---|
+
+CSMS FullAccess
+ |
+All permissions of CSMS in DEW. Users with these permissions can perform all the operations allowed by policies.
+ |
+Policy
+ |
+None
+ |
+
+CSMS ReadOnlyAccess
+ |
+Read-only permissions of CSMS in DEW. Users with these permissions can perform all the operations allowed by policies.
+ |
+Policy
+ |
+None
+ |
+
+
+
+
+
Table 3 lists the common operations supported by each system-defined permission of DEW. Select the permissions as needed.
+
+
Table 3 Common operations supported by each system-defined policy or roleOperation
+ |
+KMS Administrator
+ |
+KMS CMKFullAccess
+ |
+
|---|
+
+Create a key
+ |
+√
+ |
+√
+ |
+
+Enable a key
+ |
+√
+ |
+√
+ |
+
+Disable a key
+ |
+√
+ |
+√
+ |
+
+Schedule key deletion
+ |
+√
+ |
+√
+ |
+
+Cancel scheduled key deletion
+ |
+√
+ |
+√
+ |
+
+Modify a key alias
+ |
+√
+ |
+√
+ |
+
+Modify key description
+ |
+√
+ |
+√
+ |
+
+Generate a random number
+ |
+√
+ |
+√
+ |
+
+Create a DEK
+ |
+√
+ |
+√
+ |
+
+Create a plaintext-free DEK
+ |
+√
+ |
+√
+ |
+
+Encrypt a DEK
+ |
+√
+ |
+√
+ |
+
+Decrypt a DEK
+ |
+√
+ |
+√
+ |
+
+Obtain parameters for importing a key
+ |
+√
+ |
+√
+ |
+
+Import key materials
+ |
+√
+ |
+√
+ |
+
+Delete key materials
+ |
+√
+ |
+√
+ |
+
+Create a grant
+ |
+√
+ |
+√
+ |
+
+Revoke a grant
+ |
+√
+ |
+√
+ |
+
+Retire a grant
+ |
+√
+ |
+√
+ |
+
+Query the grant list
+ |
+√
+ |
+√
+ |
+
+Query retirable grants
+ |
+√
+ |
+√
+ |
+
+Encrypt data
+ |
+√
+ |
+√
+ |
+
+Decrypt data
+ |
+√
+ |
+√
+ |
+
+Enable key rotation
+ |
+√
+ |
+√
+ |
+
+Modify key rotation interval
+ |
+√
+ |
+√
+ |
+
+Disable key rotation
+ |
+√
+ |
+√
+ |
+
+Query key rotation status
+ |
+√
+ |
+√
+ |
+
+Query CMK instances
+ |
+√
+ |
+√
+ |
+
+Query key tags
+ |
+√
+ |
+√
+ |
+
+Query project tags
+ |
+√
+ |
+√
+ |
+
+Batch add or delete key tags
+ |
+√
+ |
+√
+ |
+
+Add tags to a key
+ |
+√
+ |
+√
+ |
+
+Delete key tags
+ |
+√
+ |
+√
+ |
+
+Query the key list
+ |
+√
+ |
+√
+ |
+
+Query key details
+ |
+√
+ |
+√
+ |
+
+Query instance quantity
+ |
+√
+ |
+√
+ |
+
+Query quotas
+ |
+√
+ |
+√
+ |
+
+
+
+
+
+
Related Links
- Two types of permission policies are provided by default: default policies and custom policies. Default policies are pre-defined by IAM and cannot be modified. If default policies do not meet your requirements, you can create custom policies for fine-grained permission control.
- Configure permission policies for a user group and add users to the group so that these users can obtain operation permissions defined in the policies.
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0019.html b/docs/kms/umn/dew_01_0019.html
new file mode 100644
index 000000000..79dd65df1
--- /dev/null
+++ b/docs/kms/umn/dew_01_0019.html
@@ -0,0 +1,13 @@
+
+
+
Auditing Logs
+
+
+
diff --git a/docs/kms/umn/dew_01_0020.html b/docs/kms/umn/dew_01_0020.html
new file mode 100644
index 000000000..81c31c3af
--- /dev/null
+++ b/docs/kms/umn/dew_01_0020.html
@@ -0,0 +1,324 @@
+
+
+
Operations supported by CTS
+
The tables in this section describe the operations supported by CTS.
+
+
Table 1 DEW operations supported by CTSOperation
+ |
+Resource Type
+ |
+Event Name
+ |
+
|---|
+
+Creating a key
+ |
+CMK
+ |
+createKey
+ |
+
+Creating a DEK
+ |
+CMK
+ |
+createDataKey
+ |
+
+Creating a plaintext-free DEK
+ |
+CMK
+ |
+createDataKeyWithoutPlaintext
+ |
+
+Enabling a key
+ |
+CMK
+ |
+enableKey
+ |
+
+Disabling a key
+ |
+CMK
+ |
+disableKey
+ |
+
+Encrypting a DEK
+ |
+CMK
+ |
+encryptDatakey
+ |
+
+Decrypting a DEK
+ |
+CMK
+ |
+decryptDatakey
+ |
+
+Scheduling the deletion of a key
+ |
+CMK
+ |
+scheduleKeyDeletion
+ |
+
+Canceling the scheduled deletion of a key
+ |
+CMK
+ |
+cancelKeyDeletion
+ |
+
+Generating a random number
+ |
+RNG
+ |
+genRandom
+ |
+
+Modifying the key alias
+ |
+CMK
+ |
+updateKeyAlias
+ |
+
+Modifying the key description
+ |
+CMK
+ |
+updateKeyDescription
+ |
+
+Prompting risks about key deletion
+ |
+CMK
+ |
+deleteKeyRiskTips
+ |
+
+Importing key materials
+ |
+CMK
+ |
+importKeyMaterial
+ |
+
+Deleting key materials
+ |
+CMK
+ |
+deleteImportedKeyMaterial
+ |
+
+Creating a grant
+ |
+CMK
+ |
+createGrant
+ |
+
+Retiring a grant
+ |
+CMK
+ |
+retireGrant
+ |
+
+Revoking a grant
+ |
+CMK
+ |
+revokeGrant
+ |
+
+Encrypting data
+ |
+CMK
+ |
+encryptData
+ |
+
+Decrypting data
+ |
+CMK
+ |
+decryptData
+ |
+
+Adding a tag
+ |
+CMK
+ |
+dealUnifiedTags
+ |
+
+Deleting a tag
+ |
+CMK
+ |
+dealUnifiedTags
+ |
+
+Adding tags in batches
+ |
+CMK
+ |
+dealUnifiedTags
+ |
+
+Deleting tags in batches
+ |
+CMK
+ |
+dealUnifiedTags
+ |
+
+Enabling key rotation
+ |
+CMK
+ |
+enableKeyRotation
+ |
+
+Modifying the key rotation interval
+ |
+CMK
+ |
+updateKeyRotationInterval
+ |
+
+Disabling key rotation
+ |
+CMK
+ |
+disableKeyRotation
+ |
+
+Creating a secret
+ |
+CSMS
+ |
+createSecret
+ |
+
+Updating a secret
+ |
+CSMS
+ |
+updateSecret
+ |
+
+Deleting a secret
+ |
+CSMS
+ |
+forceDeleteSecret
+ |
+
+Creating a scheduled deletion for a secret
+ |
+CSMS
+ |
+scheduleDelSecret
+ |
+
+Canceling the scheduled deletion of a secret
+ |
+CSMS
+ |
+restoreSecretFromDeletedStatus
+ |
+
+Creating a secret status
+ |
+CSMS
+ |
+createSecretStage
+ |
+
+Updating a secret status
+ |
+CSMS
+ |
+updateSecretStage
+ |
+
+Deleting a secret status
+ |
+CSMS
+ |
+deleteSecretStage
+ |
+
+Creating a secret version
+ |
+CSMS
+ |
+createSecretVersion
+ |
+
+Downloading a secret backup
+ |
+CSMS
+ |
+backupSecret
+ |
+
+Restoring a secret backup
+ |
+CSMS
+ |
+restoreSecretFromBackupBlob
+ |
+
+Creating a secret event
+ |
+CSMS
+ |
+createSecretEvent
+ |
+
+Updating a secret event
+ |
+CSMS
+ |
+updateSecretEvent
+ |
+
+Deleting a secret event
+ |
+CSMS
+ |
+deleteSecretEvent
+ |
+
+Creating a resource tag
+ |
+CSMS
+ |
+createResourceTag
+ |
+
+Deleting a resource tag
+ |
+CSMS
+ |
+deleteResourceTag
+ |
+
+
+
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0022.html b/docs/kms/umn/dew_01_0022.html
new file mode 100644
index 000000000..08634a861
--- /dev/null
+++ b/docs/kms/umn/dew_01_0022.html
@@ -0,0 +1,28 @@
+
+
+
Using the Online Tool to Encrypt and Decrypt Small-Size Data
+
This section describes how to use the online tool to encrypt or decrypt small-size data (4 KB or smaller) on the KMS console.
+
Prerequisites
The custom key is in Enabled status.
+
+
Constraints
- Default keys cannot be used to encrypt or decrypt such data with the tool.
- Asymmetric keys cannot be used to encrypt or decrypt such data with the tool.
- You can call an API to use a default key to encrypt or decrypt small volumes of data. For details, see the Key Management Service API Reference.
- Use the current CMK to encrypt the data.
- Exercise caution when you delete a CMK. The online tool cannot decrypt data if the CMK used for encryption has been deleted.
- After an API is called to encrypt data, the online tool cannot be used to decrypt the data.
+
+
Encrypting Data
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
on the left and choose . - Click the name of the target custom key to access the key details page. Click the Tool tab.
- Click Encrypt. In the text box on the left, enter the data to be encrypted, as shown in Figure 1.
Figure 1 Encrypting data
+ - Click Execute. Ciphertext of the data is displayed in the text box on the right.
- Use the current CMK to encrypt the data.
- To clear your input, click Clear.
- To copy the encrypted data, click Copy to Clipboard. You can then paste and save it to a local file.
+
+
+
+
Decrypting Data
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click
on the left and choose .
- You can click any non-default key in Enabled status to go to the encryption and decryption page of the online tool.
- Click Decrypt and enter the data to be decrypted in the text box, as shown in Figure 2.
- The tool will identify the original encryption CMK and use it to decrypt the data.
- If the key has been deleted, the decryption will fail.
+
+Figure 2 Decrypting data
+ - Click Execute. Plaintext of the data is displayed in the text box on the right.
+
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0023.html b/docs/kms/umn/dew_01_0023.html
new file mode 100644
index 000000000..bfc36dcd7
--- /dev/null
+++ b/docs/kms/umn/dew_01_0023.html
@@ -0,0 +1,19 @@
+
+
+
Managing Tags
+
+
+
diff --git a/docs/kms/umn/dew_01_0024.html b/docs/kms/umn/dew_01_0024.html
new file mode 100644
index 000000000..2d210987b
--- /dev/null
+++ b/docs/kms/umn/dew_01_0024.html
@@ -0,0 +1,55 @@
+
+
+
Adding a Tag
+
Tags are used to identify keys. You can add tags to custom keys so that you can classify custom keys, trace them, and collect their usage status according to the tags.
+
Constraints
Tags cannot be added to default keys.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click
on the left and choose . - Click the alias of the target custom key to view its details.
- Click Tags to go to the tag management tab.
- Click Add Tag, as shown in Figure 1. In the Add Tag dialog box, enter the tag key and tag value. Table 1 describes the parameters.
Figure 1 Adding a tag
+
+ If you want to delete a tag from the tag list when adding multiple tags, locate the target tag and click Delete on the right.
+
+
+Table 1 Tag parametersParameter
+ |
+Description
+ |
+Value
+ |
+Example Value
+ |
+
|---|
+
+Tag key
+ |
+Name of a tag.
+The same tag (including tag key and tag value) can be used for different custom keys. However, under the same custom key, one tag key can have only one tag value.
+A maximum of 20 tags can be added for one custom key.
+ |
+- Mandatory.
- The tag key must be unique for the same custom key.
- 128 characters limit.
- The value cannot start or end with a space.
- The following character types are allowed:
- English
- Numbers
- Special characters: _-@
+
+ |
+cost
+ |
+
+Tag value
+ |
+Value of the tag
+ |
+- This parameter can be empty.
- 255 characters limit.
- The following character types are allowed:
- English
- Numbers
- Special characters: _-@
+
+ |
+100
+ |
+
+
+
+
- Click OK.
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0026.html b/docs/kms/umn/dew_01_0026.html
new file mode 100644
index 000000000..f11ed8760
--- /dev/null
+++ b/docs/kms/umn/dew_01_0026.html
@@ -0,0 +1,13 @@
+
+
+
Modifying Tag Values
+
This section describes how to modify tag values on the KMS console.
+
Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click
on the left and choose .
- Click the alias of the target custom key to view its details.
- Click Tags to go to the tag management page.
- Click Edit of the target tag, and the Edit Tag dialog box is displayed.
- In the Edit Tag dialog box, enter a tag value, and click OK.
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0027.html b/docs/kms/umn/dew_01_0027.html
new file mode 100644
index 000000000..13405bcbe
--- /dev/null
+++ b/docs/kms/umn/dew_01_0027.html
@@ -0,0 +1,13 @@
+
+
+
Deleting Tags
+
This section describes how to delete tags on the KMS console.
+
Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click
on the left and choose .
- Click the alias of the target custom key to view its details.
- Click Tags to go to the tag management page.
- Click Delete of the target tag, and the Delete Tag dialog box is displayed.
- In the Delete Tag dialog box, click Confirm.
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0028.html b/docs/kms/umn/dew_01_0028.html
new file mode 100644
index 000000000..2b763df0b
--- /dev/null
+++ b/docs/kms/umn/dew_01_0028.html
@@ -0,0 +1,23 @@
+
+
+
Managing CMKs
+
+
+
diff --git a/docs/kms/umn/dew_01_0029.html b/docs/kms/umn/dew_01_0029.html
new file mode 100644
index 000000000..b4c881b40
--- /dev/null
+++ b/docs/kms/umn/dew_01_0029.html
@@ -0,0 +1,17 @@
+
+
+
Enabling a Key
+
This section describes how to use the KMS console to enable one or more custom keys. Only enabled custom keys can be used to encrypt or decrypt data. A new custom key is in the Enabled state by default.
+
Prerequisites
The custom key you want to enable is in Disabled status.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click
on the left and choose .
- Locate the target key in the list and click Enable in the Operation column.
- In the displayed dialog box, click OK to enable the key.
To enable multiple keys at a time, select them and click Enable in the upper left corner of the list.
+
+
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0030.html b/docs/kms/umn/dew_01_0030.html
new file mode 100644
index 000000000..1bf33a6e5
--- /dev/null
+++ b/docs/kms/umn/dew_01_0030.html
@@ -0,0 +1,20 @@
+
+
+
Disabling a Key
+
This section describes how to use the KMS console to disable one or more custom keys, thereby protecting data in urgent cases.
+
After being disabled, a custom key cannot be used to encrypt or decrypt any data. Before using a disabled key to encrypt or decrypt data, you must enable it by following instructions in Enabling a Key.
+
Prerequisites
The key you want to disable is in Enabled status.
+
+
Constraints
- Default keys created by KMS cannot be disabled.
- A disabled key is still billable. It will stop incurring charges if it is deleted.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click
on the left and choose . - Locate the target key in the list and click Disable in the Operation column.
- In the displayed dialog box, select I understand the impact of disabling keys, and click OK.
To disable multiple keys at a time, select them and click Disable in the upper left corner of the list.
+
+
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0031.html b/docs/kms/umn/dew_01_0031.html
new file mode 100644
index 000000000..679573ce7
--- /dev/null
+++ b/docs/kms/umn/dew_01_0031.html
@@ -0,0 +1,24 @@
+
+
+
Deleting a Key
+
Before deleting the key, confirm that it is not in use and will not be used.
+
Prerequisites
The key to be deleted is in Enabled, Disabled, or Pending import status.
+
+
Constraints
- A key will not be deleted until its scheduled deletion period expires. You can set the period to a value within the range 7 to 1096 days.
Before the specified deletion date, you can cancel the deletion if you want to use the CMK. Once the scheduled deletion has taken effect, the CMK will be deleted permanently and you will not be able to decrypt data encrypted by the CMK. Exercise caution when performing this operation.
+ - Default keys created by KMS cannot be scheduled for deletion.
+
+
Procedure
To schedule the deletion of multiple CMKs at a time, select them and click Delete in the upper left corner of the list. The following describes how to delete a single key.
+
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click
on the left and choose . - Locate the target key and click Delete in the Operation column.
- On the key deletion dialog box, enter the deletion delay time.
Figure 1 Setting scheduled deletion
+
+
- A key will not be deleted until its scheduled deletion period expires. You can set the period to a value within the range 7 to 1096 days. Before the specified deletion date, you can cancel the deletion if you want to use the CMK.
+
+
+ - Enter DELETE in the confirmation dialog box and click OK.
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0032.html b/docs/kms/umn/dew_01_0032.html
new file mode 100644
index 000000000..3e9d967ed
--- /dev/null
+++ b/docs/kms/umn/dew_01_0032.html
@@ -0,0 +1,17 @@
+
+
+
Canceling the Scheduled Deletion of One or More CMKs
+
This section describes how to use the KMS console to cancel the scheduled deletion of one or more custom keys prior to deletion execution. After the cancellation, the key is in Disabled status.
+
Prerequisites
The CMK for which you want to cancel the scheduled deletion is in Pending deletion status.
+
+
Procedure
To cancel the deletion of multiple keys at a time, select them and click Cancel Deletion in the upper left corner of the list. The following describes how to cancel the scheduled deletion of a key.
+
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click
on the left and choose . - In the row containing the target CMK, click Cancel Deletion.
- In the dialog box that is displayed, click OK.
- If a key is created on the KMS console, the status of the key changes to Disabled after its scheduled deletion is canceled. For details about how to enable the key, see Enabling a Key.
- If the CMK is created using imported materials, its status becomes Disabled after the cancellation. To enable the CMK, see Enabling a Key.
- If the CMK is created using imported materials and no key materials have been imported for it, its status becomes Pending import after the cancellation. To use the CMK, perform Creating CMKs Using Imported Key Materials.
+
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0044.html b/docs/kms/umn/dew_01_0044.html
new file mode 100644
index 000000000..235790d39
--- /dev/null
+++ b/docs/kms/umn/dew_01_0044.html
@@ -0,0 +1,56 @@
+
+
+
What Is a Customer Master Key?
+
A Customer Master Key (CMK) is a Key Encryption Key (KEK) created by a user on KMS. It is used to encrypt and protect DEKs. One CMK can be used to encrypt one or more DEKs.
+
CMKs are categorized into custom keys and default keys.
- Custom keys
Keys created or imported by users on the KMS console.
+ - Default keys
When a user uses KMS for encryption in a cloud service for the first time, the cloud service automatically creates a key with the alias suffix /default.
+You can use the management console to query but cannot disable or schedule the deletion of Default Master Keys.
+
+Table 1 Default master keysAlias
+ |
+Cloud Service
+ |
+
|---|
+
+obs/default
+ |
+Object Storage Service (OBS)
+ |
+
+evs/default
+ |
+Elastic Volume Service (EVS)
+ |
+
+ims/default
+ |
+Image Management Service (IMS)
+ |
+
+sfs/default
+ |
+Scalable File Service (SFS)
+ |
+
+rds/default
+ |
+Relational Database Service (RDS)
+ |
+
+dds/default
+ |
+Document Database Service (DDS)
+ |
+
+
+
+
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0045.html b/docs/kms/umn/dew_01_0045.html
new file mode 100644
index 000000000..32b926d58
--- /dev/null
+++ b/docs/kms/umn/dew_01_0045.html
@@ -0,0 +1,55 @@
+
+
+
What Is a Default Key?
+
A default key is automatically created by another cloud service using KMS, such as Object Storage Service (OBS). The alias of a default key ends with /default.
+
You can use the management console to query but cannot disable or schedule the deletion of default keys.
+
Default keys are hosted for free, and are charged based on the number of the API requests for them. If API requests exceed the free limit, the excess part will be charged.
+
+
Table 1 Default master keysAlias
+ |
+Cloud Service
+ |
+
|---|
+
+obs/default
+ |
+Object Storage Service (OBS)
+ |
+
+evs/default
+ |
+Elastic Volume Service (EVS)
+ |
+
+ims/default
+ |
+Image Management Service (IMS)
+ |
+
+sfs/default
+ |
+Scalable File Service (SFS)
+ |
+
+rds/default
+ |
+Relational Database Service (RDS)
+ |
+
+dds/default
+ |
+Document Database Service (DDS)
+ |
+
+
+
+
+
A default key is automatically created when a user employs the KMS encryption function for the first time in another cloud service.
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0046.html b/docs/kms/umn/dew_01_0046.html
new file mode 100644
index 000000000..b1689b80c
--- /dev/null
+++ b/docs/kms/umn/dew_01_0046.html
@@ -0,0 +1,12 @@
+
+
+
What Is a Data Encryption Key?
+
A data encryption key (DEK) is used to encrypt data.
+
Using KMS, you can create, encrypt, and decrypt DEKs. The KMS system does not save, manage, or track your DEKs, neither does it use the DEKs to encrypt or decrypt data.
+
+
+
diff --git a/docs/kms/umn/dew_01_0047.html b/docs/kms/umn/dew_01_0047.html
new file mode 100644
index 000000000..3d016cf2a
--- /dev/null
+++ b/docs/kms/umn/dew_01_0047.html
@@ -0,0 +1,13 @@
+
+
+
What Is Key Management Service?
+
KMS is a secure, reliable, and easy-to-use cloud service that helps users create, manage, and protect keys in a centralized manner.
+
It uses Hardware Security Modules (HSMs) to protect keys. All keys are protected by root keys in HSMs to avoid key leakage. The HSMs meet the FIPS 140-2 Level 3 security requirements.
+
It also controls access to keys and records all operations on keys with traceable logs. In addition, it provides use records of all keys, meeting your audit and regulatory compliance requirements.
+
+
+
diff --git a/docs/kms/umn/dew_01_0049.html b/docs/kms/umn/dew_01_0049.html
new file mode 100644
index 000000000..f5cc4e888
--- /dev/null
+++ b/docs/kms/umn/dew_01_0049.html
@@ -0,0 +1,11 @@
+
+
+
Why Can't I Delete a CMK Immediately?
+
The decision to delete a CMK should be considered with great caution. Before deletion, confirm that the CMK's encrypted data has all been migrated. As soon as the CMK is deleted, you will not be able to decrypt data with it. Therefore, KMS offers a user-specified period of 7 to 1096 days for the deletion to finally take effect. On the scheduled day of deletion, the CMK will be permanently deleted. However, prior to the scheduled day, you can still cancel the pending deletion. This is a means of precaution within KMS.
+
+
+
diff --git a/docs/kms/umn/dew_01_0050.html b/docs/kms/umn/dew_01_0050.html
new file mode 100644
index 000000000..0f9263cce
--- /dev/null
+++ b/docs/kms/umn/dew_01_0050.html
@@ -0,0 +1,66 @@
+
+
+
Which Cloud Services Can Use KMS for Encryption?
+
Object Storage Service (OBS), Elastic Volume Service (EVS), and Image Management Service (IMS) can use KMS for encryption.
+
Object Storage Service (OBS), Elastic Volume Service (EVS), Image Management Service (IMS), Scalable File Service (SFS), Document Database Service (DDS), and Relational Database Service (RDS) can use KMS for encryption.
+
+
Table 1 Cloud services supported by KMSService
+ |
+How to Use
+ |
+Reference
+ |
+
|---|
+
+Object Storage Service (OBS)
+ |
+You can upload objects to and download them from OBS in common mode or server-side encryption mode. When you upload objects in encryption mode, data is encrypted at the server side and then securely stored on OBS in ciphertext. When you download encrypted objects, the data in ciphertext is decrypted at the server side and then provided to you in plaintext. OBS supports the server-side encryption with KMS-managed keys (SSE-KMS). In this mode, OBS uses the keys provided by KMS for server-side encryption.
+ |
+Object Storage Service Console Operation Guide
+ |
+
+Elastic Volume Service (EVS)
+ |
+If you enable the encryption function when creating an EVS disk, the disk will be encrypted with the DEK generated by using your CMK. Data stored in the EVS disk will be automatically encrypted.
+ |
+Elastic Volume Service User Guide
+ |
+
+Image Management Service (IMS)
+ |
+When creating a private image using an external image file, you can enable the private image encryption function and select a CMK provided by KMS to encrypt the image.
+ |
+Image Management Service User Guide
+ |
+
+Scalable File Service (SFS)
+ |
+When creating a file system on SFS, the CMK provided by KMS can be selected to encrypt the file system, so that files stored in the file system are automatically encrypted.
+ |
+Scalable File Service User Guide
+ |
+
+Relational Database Service (RDS)
+ |
+When purchasing a database instance, you can enable the disk encryption function of the database instance and select a CMK created on KMS to encrypt the disk of the database instance. Enabling the disk encryption function will enhance data security.
+ |
+Relational Database Service User Guide
+ |
+
+Document Database Service (DDS)
+ |
+When purchasing a DDS instance, you can enable the disk encryption function of the instance and select a CMK created on KMS to encrypt the disk of the instance. Enabling the disk encryption function will enhance data security.
+ |
+Document Database Service User Guide
+ |
+
+
+
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0053.html b/docs/kms/umn/dew_01_0053.html
new file mode 100644
index 000000000..b107f5a8e
--- /dev/null
+++ b/docs/kms/umn/dew_01_0053.html
@@ -0,0 +1,22 @@
+
+
+
How Do Cloud Services Use KMS to Encrypt Data?
+
Services (such as OBS, IMS, EVS, SFS, DDS, and RDS) use the envelope encryption method provided by KMS to protect data.
+
Envelope encryption is the practice of encrypting data with a DEK and then encrypting the DEK with a root key that you can fully manage. In this case, CMKs are not required for encryption or decryption.
+
+
Envelope Encryption and Decryption Principles
- Figure 1 illustrates the process for encrypting a local file.
Figure 1 Encrypting a local file
+The procedure is as follows:
- Create a CMK on KMS.
- Call the create-datakey API of KMS to create a DEK. Then you get a plaintext DEK and a ciphertext DEK. The ciphertext DEK is generated when you use a CMK to encrypt the plaintext DEK.
- Use the plaintext DEK to encrypt the file. A ciphertext file is generated.
- Save the ciphertext DEK and the ciphertext file together in a persistent storage device or a storage service.
+
- Figure 2 illustrates the process for decrypting a local file.
Figure 2 Decrypting a local file
+The procedure is as follows:
- Obtain the ciphertext DEK and file from the persistent storage device or the storage service.
- Call the decrypt-datakey API of KMS and use the corresponding CMK (the one used for encrypting the DEK) to decrypt the ciphertext DEK. Then you get the plaintext DEK.
If the CMK is deleted, the decryption fails. Therefore, properly keep your CMKs.
+ - Use the plaintext DEK to decrypt the ciphertext file.
+
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0054.html b/docs/kms/umn/dew_01_0054.html
new file mode 100644
index 000000000..96644c02c
--- /dev/null
+++ b/docs/kms/umn/dew_01_0054.html
@@ -0,0 +1,23 @@
+
+
+
What Are the Benefits of Envelope Encryption?
+
Envelope encryption is the practice of encrypting data with a DEK and then encrypting the DEK with a root key that you can fully manage. In this case, CMKs are not required for encryption or decryption.
+
Benefits:
+
- Advantages over CMK encryption in KMS
Users can use CMKs to encrypt and decrypt data on the KMS console or by calling KMS APIs.
+A CMK can encrypt and decrypt data no more than 4 KB. An envelope can encrypt and decrypt larger volumes of data.
+Data encrypted using envelopes does not need to be transferred. Only the DEKs need to be transferred to the KMS server.
+ - Advantages over encryption by using cloud services
- Security
Data transferred to the cloud for encryption is exposed to risks such as interception and phishing.
+During envelope encryption, KMS uses Hardware Security Modules (HSMs) to protect keys. All CMKs are protected by root keys in HSMs to avoid key leakage.
+ - Trustworthiness
You will worry about data security on the cloud. It is also difficult for cloud services to prove that they never misuse or disclose such data.
+If you choose envelope encryption, KMS will control access to keys and record all usages of and operations on keys with traceable logs, meeting your audit and regulatory compliance requirements.
+ - Performance and cost
To encrypt or decrypt data using a cloud service, you have to send the data to the encryption server and receive the processed data. This process seriously affects your service performance and incurs high costs.
+Envelope encryption allows you to generate DEKs online by calling KMS cryptographic algorithm APIs, and to encrypt a large amount of local data with the DEKs.
+
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0055.html b/docs/kms/umn/dew_01_0055.html
new file mode 100644
index 000000000..9e99f79b0
--- /dev/null
+++ b/docs/kms/umn/dew_01_0055.html
@@ -0,0 +1,39 @@
+
+
+
What Are the Differences Between a Custom Key and a Default Key?
+
The following table describes the differences between a custom key and a default key.
+
+
Table 1 Differences between a custom key and a default keyItem
+ |
+Definition
+ |
+Difference
+ |
+
|---|
+
+Custom key
+ |
+A Key Encryption Key (KEK) created using KMS. The key is used to encrypt and protect DEKs.
+A custom key can be used to encrypt multiple DEKs.
+ |
+- It can be disabled and scheduled for deletion.
- It is billed per use after the being created or imported.
+ |
+
+Default key
+ |
+Automatically generated by the system when you use KMS to encrypt data in another cloud service for the first time. The suffix of the key is /default.
+Example: evs/default
+ |
+- It cannot be disabled or scheduled for deletion.
+ |
+
+
+
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0056.html b/docs/kms/umn/dew_01_0056.html
new file mode 100644
index 000000000..fd415b743
--- /dev/null
+++ b/docs/kms/umn/dew_01_0056.html
@@ -0,0 +1,12 @@
+
+
+
Is There a Limit on the Number of Custom Keys That I Can Create on KMS?
+
There is a limit on the number of custom keys that can be created on KMS.
+
You can create a maximum of 100 custom keys, including those in enabled, disabled, and pending deletion states. Default keys are not included.
+
+
+
diff --git a/docs/kms/umn/dew_01_0058.html b/docs/kms/umn/dew_01_0058.html
new file mode 100644
index 000000000..0057238ae
--- /dev/null
+++ b/docs/kms/umn/dew_01_0058.html
@@ -0,0 +1,12 @@
+
+
+
Can I Export a CMK from KMS?
+
No.
+
To ensure CMK security, users can only create and use CMKs in KMS.
+
+
+
diff --git a/docs/kms/umn/dew_01_0059.html b/docs/kms/umn/dew_01_0059.html
new file mode 100644
index 000000000..7d1857dcb
--- /dev/null
+++ b/docs/kms/umn/dew_01_0059.html
@@ -0,0 +1,13 @@
+
+
+
Can I Decrypt My Data if I Permanently Delete My Custom Key?
+
No.
+
If you have permanently deleted your custom key, the data encrypted using it cannot be decrypted. Before the scheduled deletion date of the custom key, you can cancel the scheduled deletion.
+
If the custom key is created using imported key material and only the key material is deleted, you can import the local backup of the key material to the custom key and reclaim the user data. If the key material is not backed up locally, user data cannot be reclaimed.
+
+
+
diff --git a/docs/kms/umn/dew_01_0060.html b/docs/kms/umn/dew_01_0060.html
new file mode 100644
index 000000000..8994d1bb1
--- /dev/null
+++ b/docs/kms/umn/dew_01_0060.html
@@ -0,0 +1,27 @@
+
+
+
How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data?
+
You can use the online tool to encrypt or decrypt data in the following procedures:
+
Encrypting Data
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click on the left and choose .
- Click the name of the target custom key to access the key details page. Click the Tool tab.
- Click Encrypt. In the text box on the left, enter the data to be encrypted, as shown in Figure 1.
Figure 1 Encrypting data
+ - Click Execute. Ciphertext of the data is displayed in the text box on the right.
- Use the current CMK to encrypt the data.
- To clear your input, click Clear.
- To copy the encrypted data, click Copy to Clipboard. You can then paste and save it to a local file.
+
+
+
+
Enter the plaintext on the console, the text will be encoded to Base64 format before encryption.
+
The decryption result returned via API will be in Base64 format. Perform Base64 decoding to obtain the plaintext entered on the console.
+
+
Decrypting Data
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click on the left and choose .
- You can click any non-default key in Enabled status to go to the encryption and decryption page of the online tool.
- Click Decrypt and enter the data to be decrypted in the text box, as shown in Figure 2.
- The tool will identify the original encryption CMK and use it to decrypt the data.
- If the key has been deleted, the decryption will fail.
+
+Figure 2 Decrypting data
+ - Click Execute. Plaintext of the data is displayed in the text box on the right.
+
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0062.html b/docs/kms/umn/dew_01_0062.html
new file mode 100644
index 000000000..18afe1130
--- /dev/null
+++ b/docs/kms/umn/dew_01_0062.html
@@ -0,0 +1,12 @@
+
+
+
Can I Update CMKs Created by KMS-Generated Key Materials?
+
No.
+
Keys created using KMS-generated materials cannot be updated. You can only use KMS to create new CMKs to encrypt and decrypt data.
+
+
+
diff --git a/docs/kms/umn/dew_01_0088.html b/docs/kms/umn/dew_01_0088.html
new file mode 100644
index 000000000..54d492e89
--- /dev/null
+++ b/docs/kms/umn/dew_01_0088.html
@@ -0,0 +1,42 @@
+
+
+
Overview
+
A custom key contains key metadata (key ID, key name, description, key status, and creation date) and key materials used for encrypting and decrypting data.
- When a user uses the KMS console to create a custom key, the KMS automatically generates a key material for the custom key.
- If you want to use your own key material, you can use the KMS console to create a custom key whose key material source is external, and import the key material to the custom key.
+
+
Important Notes
- Security
You need to ensure that random sources meet your security requirements when using them to generate key materials. When using the import key materials function, you need to be responsible for the security of your key materials. Save the original backup of the key material so that the backup key material can be imported to the KMS in time when the key material is deleted accidentally.
+ - Availability and durability
Before importing the key material into KMS, you need to ensure the availability and durability of the key material.
+Differences between the imported key material and the key material generated by KMS are shown in Table 1.
+
+Table 1 Differences between the imported key material and the key material generated by KMSKey Material Source
+ |
+Difference
+ |
+
|---|
+
+Imported keys
+ |
+
+ |
+
+Keys created in KMS
+ |
+- The key material cannot be manually deleted.
- Symmetric keys can be rotated.
- You cannot set the expiration time for key material.
+ |
+
+
+
+
- Association
When a key material is imported to a custom key, the custom key is permanently associated with the key material. Other key materials cannot be imported into the custom key.
+ - Uniqueness
If you use the custom key created using the imported key material to encrypt data, the encrypted data can be decrypted only by the custom key that has been used to encrypt the data, because the metadata and key material of the custom key must be consistent.
+
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0089.html b/docs/kms/umn/dew_01_0089.html
new file mode 100644
index 000000000..36819a7f9
--- /dev/null
+++ b/docs/kms/umn/dew_01_0089.html
@@ -0,0 +1,281 @@
+
+
+
Importing Key Materials
+
If you want to use your own key materials instead of the KMS-generated materials, you can use the console to import your key materials to KMS. CMKs created using imported materials and KMS-generated materials are managed together by KMS.
+
This section describes how to import key materials on the KMS console.
+
+
Step 1: Creating a Key Using External Materials
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click
on the left and choose . - Click Create Key in the upper right corner of the page to create an empty key whose Source is External. For details about more parameters, see Step 5.
+
+
Step 2: Downloading the Wrapping Key and Importing Token
The key management function provides two download modes:
- Download the wrapping key and import token by calling the API.
- Download the wrapping key from the KMS console. The import token is automatically passed by the console. Therefore, do not close or exit the Import Key Material dialog box after the key material is downloaded. Otherwise, the imported token will automatically become invalid.
+
+
+
Downloading the Wrapping Key By Calling APIs
- Call the get-parameters-for-import API to obtain the wrapping key and import token.
- public_key: content of the wrapping key (Base-64 encoding) returned after the API call
- import_token: content of the import token (Base-64 encoding) returned after the API call
+The following example describes how to obtain the wrapping key and import token of a CMK (ID:
43f1ffd7-18fb-4568-9575-602e009b7ee8; algorithm:
RSAES_OAEP_SHA_256).
- Example request
{
+ "key_id": "43f1ffd7-18fb-4568-9575-602e009b7ee8",
+ "wrapping_algorithm":"RSAES_OAEP_SHA_256"
+}
+ - Example response
{
+ "key_id": "43f1ffd7-18fb-4568-9575-602e009b7ee8",
+ "public_key":"public key base64 encoded data",
+ "import_token":"import token base64 encoded data",
+ "expiration_time":1501578672
+}
+
+
- Save the wrapping key and convert its format. Only the key material encrypted using the converted wrapping key can be imported to the management console.
- Copy the content of the wrapping key public_key, paste it to a .txt file, and save the file as PublicKey.b64.
- Use OpenSSL to run the following command to perform Base-64 coding on the content of the PublicKey.b64 file to generate binary data, and save the converted file as PublicKey.bin:
openssl enc -d -base64 -A -in PublicKey.b64 -out PublicKey.bin
+
+ - Save the import token, copy the content of the import_token token, paste it to a .txt file, and save the file as ImportToken.b64.
+
+
Downloading the Wrapping Key on the KMS Console
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click
on the left and choose . - In the Custom Keys tab, locate the key created by Step 1: Creating a Key Using External Materials and click Import Key Material in the Operation column.
- In the Download the Import Items area, select a key wrapping algorithm based on Key wrapping algorithm.
Figure 1 Obtaining the wrapping key and import token
+
+
+Table 1 Key wrapping algorithmsAlgorithm
+ |
+Description
+ |
+Configuration
+ |
+
|---|
+
+RSAES_OAEP_SHA_256
+ |
+RSA algorithm that uses OAEP and has the SHA-256 hash function
+ |
+Select an algorithm based on your HSM functions.
+If the HSMs support the RSAES_OAEP_SHA_256 algorithm, use RSAES_OAEP_SHA_256 to encrypt key materials.
+ |
+
+
+
+
- Click Download Key Material to download the wrapping key file, as shown in Figure 2.
Figure 2 Downloading a file
+- wrappingKey_KeyID is the wrapping key. It is encoded in binary format and used to encrypt the wrapping key of the key material.
- Import token: You do not need to download it. The import wizard automatically transfers the import token. If you close the wizard before completing the import, the token will automatically become invalid.
+
The wrapping key expires in 24 hours. If the wrapping key is invalid, download it again.
+
The console automatically passes the import token. Therefore, do not close or exit the Import Key Material dialog box after the key material is downloaded. Otherwise, the imported token will automatically become invalid.
+
After downloading wrapping key, use it to encrypt the key material. Then, import the key material in the Import Key Material dialog box. For details, see Importing Key Materials.
+
+
+
Step 3: Using Wrapping Key to Encrypt Key Materials
Symmetric and asymmetric key encryption modes generate different key materials.
- Symmetric key: The key material is EncryptedKeyMaterial.bin.
- Asymmetric key: EncryptedKeyMaterial.bin (temporary key material) and out_rsa_private_key.der (private key ciphertext)
+
+
+
Symmetric Keys
- Method 1: Use the downloaded wrapping key to encrypt key materials on your HSM. For details, see the operation guide of your HSM.
- Method 2: Use OpenSSL to generate a key material and use the downloaded wrapping key to encrypt the key material.
If you need to run the openssl pkeyutl command, ensure your OpenSSL version is 1.0.2 or later.
+
+- To generate a key material for a 256-bit symmetric key, on the agent where OpenSSL has been installed, run the following command to generate the key material and save it as PlaintextKeyMaterial.bin:
+
- Use the downloaded wrapping key to encrypt the key material and save the encrypted key material as EncryptedKeyMaterial.bin.
If the wrapping key was downloaded from the console, replace PublicKey.bin in the following command with the wrapping key name wrappingKey_keyID.
+
+Table 2 Encrypting the generated key material using the downloaded wrapping keyWrapping Key Algorithm
+ |
+Key Material Encryption
+ |
+
|---|
+
+RSAES_OAEP_SHA_256
+ |
+openssl pkeyutl -in PlaintextKeyMaterial.bin -inkey PublicKey.bin -out EncryptedKeyMaterial.bin -keyform der -pubin -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
+ |
+
+
+
+
+
+
+
Asymmetric Keys
- Method 1: Use the downloaded wrapping key to encrypt key materials on your HSM. For details, see the operation guide of your HSM.
- Method 2: Use OpenSSL to generate a key material and use the downloaded wrapping key to encrypt the key material.
If you need to run the openssl pkeyutl command, ensure your OpenSSL version is 1.0.2 or later.
+
+- To generate a key material for a 256-bit symmetric key, on the agent where OpenSSL has been installed, run the following command to generate the key material and save it as PlaintextKeyMaterial.bin:
- RSA and ECC asymmetric keys
- Generate a hexadecimal AES256 key.
openssl rand -out 0xPlaintextKeyMaterial.bin -hex 32
+ - Convert the hexadecimal AES256 key to the binary format.
cat 0xPlaintextKeyMaterial.bin | xxd -r -ps > PlaintextKeyMaterial.bin
+
+
+ - Use the downloaded wrapping key to encrypt the key material and save the encrypted key material as EncryptedKeyMaterial.bin.
If the wrapping key was downloaded from the console, replace PublicKey.bin in the following command with the wrapping key name wrappingKey_keyID.
+
+Table 3 Encrypting the generated key material using the downloaded wrapping keyWrapping Key Algorithm
+ |
+Key Material Encryption
+ |
+
|---|
+
+RSAES_OAEP_SHA_256
+ |
+openssl pkeyutl -in PlaintextKeyMaterial.bin -inkey PublicKey.bin -out EncryptedKeyMaterial.bin -keyform der -pubin -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
+ |
+
+
+
+
- To import an asymmetric key, generate an asymmetric private key, use the temporary key material (EncryptedKeyMaterial.bin) to encrypt the private key, and import the encrypted file as the private key ciphertext.
- Take the RSA4096 algorithm as an example.
- Generate a private key.
openssl genrsa -out pkcs1_rsa_private_key.pem 4096
+ - Convert the format to PKCS8.
openssl pkcs8 -topk8 -inform PEM -in pkcs1_rsa_private_key.pem -outform pem -nocrypt -out rsa_private_key.pem
+ - Convert the PKCS8 format to the DER format.
openssl pkcs8 -topk8 -inform PEM -outform DER -in rsa_private_key.pem -out rsa_private_key.der -nocrypt
+ - Use a temporary key material to encrypt the private key.
openssl enc -id-aes256-wrap-pad -K $(cat 0xPlaintextKeyMaterial.bin) -iv A65959A6 -in rsa_private_key.der -out out_rsa_private_key.der
+ By default, the -id-aes256-wrap-pad algorithm is not enabled in OpenSSL. To wrap a key, upgrade OpenSSL to the latest version and patch it first. For details, see FAQs.
+
+
+
+
+
+
+
Step 4: Importing Key Materials
The import method varies depending on the key material download method.
+
+
+
Importing Existing Key Materials
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click
on the left and choose . - In the Custom Keys tab, locate the key created by Step 1: Creating a Key Using External Materials and click Import Key Material in the Operation column.
- In the Download the Import Items area, select a key wrapping algorithm based on Key wrapping algorithm.
Figure 3 Obtaining the wrapping key and import token
+
+
+Table 4 Key wrapping algorithmsAlgorithm
+ |
+Description
+ |
+Configuration
+ |
+
|---|
+
+RSAES_OAEP_SHA_256
+ |
+RSA algorithm that uses OAEP and has the SHA-256 hash function
+ |
+Select an algorithm based on your HSM functions.
+If the HSMs support the RSAES_OAEP_SHA_256 algorithm, use RSAES_OAEP_SHA_256 to encrypt key materials.
+ |
+
+
+
+
- Click Use Existing Key Material. In the Import Key Material area, enter Key Material.
Figure 4 Importing key materials
+
+
+Table 5 Key material descriptionScenario
+ |
+Description
+ |
+
|---|
+
+Symmetric key
+ |
+Use the key material encrypted by wrapping key.
+For example, the EncryptedKeyMaterial.bin file in Step 3: Using Wrapping Key to Encrypt Key Materials.
+ |
+
+Asymmetric key
+ |
+Use the temporary key material and private key ciphertext encrypted by wrapping key.
+For example, the temporary key material EncryptedKeyMaterial.bin and private key ciphertext out_rsa_private_key.der in Step 3: Using Wrapping Key to Encrypt Key Materials.
+ |
+
+
+
+
- Click Next. In the Import Key Token area, set parameters based on Table 6.
+
Table 6 Parameters for importing a key tokenParameter
+ |
+Description
+ |
+
|---|
+
+Key ID
+ |
+Random ID of a CMK generated during the CMK creation
+ |
+
+Key import token
+ |
+Enter the import token obtained in Downloading the Wrapping Key By Calling APIs.
+ |
+
+Key material expiration mode
+ |
+
+ |
+
+
+
+
- Click OK. When the Key imported successfully message is displayed in the upper right corner, the materials are imported.
Key materials can be successfully imported when they match the corresponding CMK ID and token.
+
+Your imported materials are displayed in the list of CMKs. The default status of an imported CMK is Enabled.
+
+
+
Importing Key Materials
- In the Import Key Material dialog box (Step 6) on the management console, add the Key Material file in the Import Key Material configuration item.
Figure 5 Importing key materials
+
+
+Table 7 Key material descriptionScenario
+ |
+Description
+ |
+
|---|
+
+Symmetric key
+ |
+Use the key material encrypted by wrapping key.
+For example, the EncryptedKeyMaterial.bin file in Step 3: Using Wrapping Key to Encrypt Key Materials.
+ |
+
+Asymmetric key
+ |
+Use the temporary key material and private key ciphertext encrypted by wrapping key.
+For example, the temporary key material EncryptedKeyMaterial.bin and private key ciphertext out_rsa_private_key.der in Step 3: Using Wrapping Key to Encrypt Key Materials.
+ |
+
+
+
+
- Click Next to go to the Import Key Token step. Configure the parameters as described in Table 8.
+
Table 8 Parameters for importing a key tokenParameter
+ |
+Description
+ |
+
|---|
+
+Key ID
+ |
+Random ID of a CMK generated during the CMK creation
+ |
+
+Key material expiration mode
+ |
+
+ |
+
+
+
+
- Click OK. When the Key imported successfully message is displayed in the upper right corner, the materials are imported.
Key material can be successfully imported when it matches the corresponding key ID.
+
+Your imported materials are displayed in the list of CMKs. The default status of an imported CMK is Enabled.
+
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0090.html b/docs/kms/umn/dew_01_0090.html
new file mode 100644
index 000000000..cd6ab22a0
--- /dev/null
+++ b/docs/kms/umn/dew_01_0090.html
@@ -0,0 +1,21 @@
+
+
+
Deleting Key Materials
+
When importing key materials, you can specify their expiration time. After the key material expires, KMS deletes it, and the status of the custom key changes to Pending import. You can manually delete the key materials as needed. The effect of expiration of the key material is the same as that of manual deletion of the key material.
+
This section describes how to delete imported key materials on the KMS console.
+
- To re-import a deleted key material, ensure the imported material is the same as the deleted one.
- Data encrypted using a CMK cannot be decrypted if the key material of the custom key was deleted. To decrypt the data, re-import the key material.
+
+
Prerequisites
- You have imported key materials for a CMK.
- The material source of the CMK is External.
- The CMK status is Enabled or Disabled.
+
+
Constraints
- To re-import a deleted key material, ensure the imported material is the same as the deleted one.
- Data encrypted using a CMK cannot be decrypted if the key material of the custom key was deleted. To decrypt the data, re-import the key material.
- After the deletion, the CMK will become unavailable and its status will change to Pending import.
- The key materials of asymmetric keys cannot be directly deleted. To delete them, perform the instructions in Deleting a Key.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click
on the left and choose . - Locate the target key material and click Delete Key Material.
- In the displayed dialog box, enter DELETE, and click OK. When Key material deleted successfully is displayed in the upper right corner, the key materials are deleted.
After the deletion, the key will become unavailable and its status changes to Pending import.
+
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0091.html b/docs/kms/umn/dew_01_0091.html
new file mode 100644
index 000000000..87014ef9d
--- /dev/null
+++ b/docs/kms/umn/dew_01_0091.html
@@ -0,0 +1,19 @@
+
+
+
Service Overview
+
+
+
diff --git a/docs/kms/umn/dew_01_0092.html b/docs/kms/umn/dew_01_0092.html
new file mode 100644
index 000000000..785967034
--- /dev/null
+++ b/docs/kms/umn/dew_01_0092.html
@@ -0,0 +1,55 @@
+
+
+
FAQs
+
+
+
diff --git a/docs/kms/umn/dew_01_0094.html b/docs/kms/umn/dew_01_0094.html
new file mode 100644
index 000000000..50e2efe45
--- /dev/null
+++ b/docs/kms/umn/dew_01_0094.html
@@ -0,0 +1,68 @@
+
+
+
About Key Rotation
+
Purpose of Key Rotation
Keys that are widely or repeatedly used are insecure. To enhance the security of encryption keys, you are advised to periodically rotate keys and change their key materials.
+
The purposes of key rotation are:
+
- To reduce the amount of data encrypted by each key.
A key will be insecure if it is used to encrypt a huge number of data. The amount of data encrypted a key refers to the total number of bytes or messages encrypted using the key.
+ - To enhance the capability of responding to security events.
In your initial system security design, you shall design the key rotation function and use it for routine O&M, so that it will be at hand when an emergency occurs.
+ - To enhance the data isolation capability.
The ciphertext data generated before and after key rotation will be isolated. You can identify the impact scope of a security event based on the key involved and take actions accordingly.
+
+
+
Key Rotation Methods
You can use either of the following key rotation methods:
+
- Manual key rotation
Method 1: Create a key B to replace the currently used key A.
+Method 2: Modify the key A and use it.
+Example:
+Take OBS as an example. To manually rotate a key, create a custom key on the KMS console. Replace the old custom key with the new one on the OBS console.
+Figure 1 Manual key rotation
+ - Automatic key rotation
KMS automatically rotates keys based on the configured rotation period (365 days by default). The system automatically generates a new key to replace the key in use. Automatic key rotation only changes the key material of a CMK. The logical attributes of the key will not change, including its key ID, alias, description, and permissions.
+Automatic key rotation has the following characteristics:
+- Enable rotation for an existing custom key. KMS will automatically generate new key materials for the custom key.
- Data is not re-encrypted in an automatic key rotation. The DEK generated using the CMK is not automatically rotated, and data that has been encrypted using the CMK will not be encrypted again. If a DEK has been leaked, automatic rotation cannot contain the impact of the leakage.
+Figure 2 Key rotation
+
+
KMS retains all versions of a custom key, so that you can decrypt any ciphertext encrypted using the custom key.
- KMS uses the latest version of the custom key to encrypt data.
- When decrypting data, KMS uses the custom key version that was used to encrypt the data.
+
+
+
+
Rotation Modes
+
Table 1 Key rotation modesKey Type
+ |
+Rotation Mode
+ |
+
|---|
+
+Default key
+ |
+Cannot be rotated.
+ |
+
+Custom key
+ |
+Keys can be rotated automatically or manually, depending on the key algorithm type.
+- Symmetric key: Can be automatically or manually rotated.
- Asymmetric key: Can only be manually rotated.
+ |
+
+Disabled CMK
+ |
+Disabled CMKs are not rotated. KMS keeps their rotation status unchanged. After a custom key is enabled, if it has been used for longer than the rotation period, KMS will immediately rotate keys. If the custom key has been used for shorter than the rotation period, KMS will implement the original rotation plan.
+For more information, see Disabling One or More CMKs.
+ |
+
+CMKs in pending deletion state
+ |
+KMS does not rotate CMKs in pending deletion status. After you cancel the deletion of a CMK, the previous key rotation status will be restored. If the custom key has been used for longer than the rotation period, KMS will immediately rotate keys. If the CMK has been used for shorter than the rotation period, KMS will implement the original rotation plan.
+For more information, see Scheduling the Deletion of One or More Keys.
+ |
+
+
+
+
+
You can check the rotation details on the Rotation Policy page, including the last rotation time and number of rotations.
+
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0095.html b/docs/kms/umn/dew_01_0095.html
new file mode 100644
index 000000000..aa5d71e96
--- /dev/null
+++ b/docs/kms/umn/dew_01_0095.html
@@ -0,0 +1,19 @@
+
+
+
Managing a Grant
+
+
+
diff --git a/docs/kms/umn/dew_01_0096.html b/docs/kms/umn/dew_01_0096.html
new file mode 100644
index 000000000..42a1a6ac3
--- /dev/null
+++ b/docs/kms/umn/dew_01_0096.html
@@ -0,0 +1,65 @@
+
+
+
Creating a Grant
+
You can create grants for other users or accounts to use the custom key. You can create a maximum of 100 grants on a custom key.
+
Prerequisites
- You have obtained the ID of the grantee (user to whom permissions are to be authorized).
- The target custom key is in Enabled status.
+
+
Constraints
- The owner of a custom key can create a grant for the custom key on the KMS console or by calling APIs. The users or accounts who have the grant creation permission assigned by the owner of the custom key can create grants for the custom key only by calling APIs.
- A maximum of 100 grants can be created for a custom key.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click
on the left and choose . - Click the name of the target custom key to go to its details page and create a grant on it.
- Click the Grants tab.
- Click Create Grant. The Create Grant dialog box is displayed.
Figure 1 Creating a grant
+ - In the dialog box that is displayed, enter the ID of the user to be authorized and select permissions to be granted. For details, see Table 1.
A grantee can perform the authorized operations only by calling the necessary APIs. For details, see the Key Management Service API Reference.
+
+
+Table 1 Parameters for creating a grantParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+User or Tenant
+ |
+Whether a user or an account is authorized.
+- User
User ID: Enter the IAM user ID. To obtain the ID, click the username in the upper right corner of the page, choose My Credentials. Choose API Credentials from the navigation pane, and copy the value of IAM User ID.
+After the authorization is complete, the IAM user can use the specified keys.
+ - Account
Account ID: Enter the IAM user ID. To obtain the ID, click the username in the upper right corner of the page, choose My Credentials. Choose API Credentials from the navigation pane and copy the value of Account ID.
+After the authorization is complete, all IAM users under the account can use the specified keys.
+
+ |
+d9a6b2bdaedd4ba586cabe6372d1b312
+ |
+
+Grant Name
+ |
+You can name the grant.
+ NOTE: - You can enter digits, letters, underscores (_), hyphens (-), colons (:), and slashes (/).
+
+ |
+test
+ |
+
+Operations
+ |
+The following permissions can be authorized:
+ NOTE: - You can create multiple grants on a custom key to provide different permissions to the same user. The user's permissions on the custom key are the combination of all the grants.
- This parameter cannot be left blank.
- Selecting only Create Grant is not allowed.
+
+- Create Data Key Without Plaintext
- Create Data Key
- Encrypt Data Key
- Decrypt Data Key
- Query Key Information
- Create Grant
- Retire Grant
- A grantee can retire a grant if the grantee does not need that permission.
- If, before retiring a grant, the grantee has granted the permission to another user, that user's permission will not be affected by the grant retirement.
+ - Encrypt Data
- Decrypt Data
+ |
+-
+ |
+
+
+
+
- Click OK. When message "Grant created successfully" is displayed in the upper right corner, the grant has been created.
In the list of grants, you can view the grant name, grant type, grantee ID, granted operation, and creation time of the grant.
+
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0097.html b/docs/kms/umn/dew_01_0097.html
new file mode 100644
index 000000000..40270e211
--- /dev/null
+++ b/docs/kms/umn/dew_01_0097.html
@@ -0,0 +1,50 @@
+
+
+
Querying a Grant
+
You can view the details about a custom key grant on the KMS console, such as the grant ID, grantee user ID, granted operation, and creation time.
+
Prerequisites
You have created a grant.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click
on the left and choose . - Click the alias of the target custom key to view its details.
- Click Grant to view the created grant of the current custom key. Table 1 describes the parameters.
+
Table 1 ParametersParameter
+ |
+Description
+ |
+
|---|
+
+Grant Name
+ |
+Name of the grant when created
+ |
+
+Grantee ID
+ |
+ID of the authorized user or account.
+ |
+
+Granted To
+ |
+Whether permissions are granted to a user or account.
+ |
+
+Granted Operations
+ |
+Authorized operations (such as Create Data Key) on the custom key
+ |
+
+Created
+ |
+Time when the grant is created
+ |
+
+
+
+
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0098.html b/docs/kms/umn/dew_01_0098.html
new file mode 100644
index 000000000..f82a85259
--- /dev/null
+++ b/docs/kms/umn/dew_01_0098.html
@@ -0,0 +1,21 @@
+
+
+
Revoking a Grant
+
You can revoke a grant on the KMS console in either of the following scenarios:
+
- A grantee does not need the custom key grant. (The grantee can either tell the user who has created the grant to revoke the grant or call the necessary API to revoke the grant directly.)
- You do not want the grantee to have the grant.
+
When a grant is revoked, the grantee does not have the corresponding permission anymore. However, if the grantee has created the same grant to another user, permission of that user will not be affected.
+
This section describes how to revoke a grant on the KMS console.
+
Prerequisites
You have created a grant.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click
on the left and choose . - Click the alias of the target custom key to view its details.
- In the Grants tab, locate the target grant and click Revoke Grant in the Operation column.
- Enter DELETE in the confirmation dialog box and click OK.
In the displayed dialog box, click
OK. If
Grant grant ID revoked successfully is displayed in the upper right corner, the grant has been revoked.
You can call the API to verify that the key grant has been revoked. For example, if the grant to create a data key is revoked for a user, an error will be reported when the user calls the API to create a data key.
+
+
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0101.html b/docs/kms/umn/dew_01_0101.html
index 7982199c9..41885c9e6 100644
--- a/docs/kms/umn/dew_01_0101.html
+++ b/docs/kms/umn/dew_01_0101.html
@@ -1,20 +1,13 @@
Encrypting Data in RDS
-
+
-
-
\ No newline at end of file
diff --git a/docs/kms/umn/dew_01_0102.html b/docs/kms/umn/dew_01_0102.html
new file mode 100644
index 000000000..63b748cb3
--- /dev/null
+++ b/docs/kms/umn/dew_01_0102.html
@@ -0,0 +1,11 @@
+
+
+
When Should I Use a CMK Created with Imported Key Materials?
+
- If you do not want to use KMS-generated key materials, you can import your own key materials to create a CMK. Such a CMK allows deletion of only the key materials when you do not need it. In addition, when you find that the key materials are mis-deleted, you can import the same materials to the CMK.
- You can also import local key materials to KMS when you want to use the same keys on cloud and on-premises. This practice has proved useful when user migrate local encrypted data to the cloud.
+
+
+
diff --git a/docs/kms/umn/dew_01_0103.html b/docs/kms/umn/dew_01_0103.html
new file mode 100644
index 000000000..1c0f224ed
--- /dev/null
+++ b/docs/kms/umn/dew_01_0103.html
@@ -0,0 +1,74 @@
+
+
+
What Types of Keys Can I Import?
+
The following table lists the types of keys that can be imported.
+
+
Table 1 Key algorithms supported by KMSKey Type
+ |
+Algorithm Type
+ |
+Key Specifications
+ |
+Description
+ |
+Application Scenario
+ |
+
|---|
+
+Symmetric key
+ |
+AES
+ |
+AES_256
+ |
+AES symmetric key
+ |
+- Data encryption and decryption
- DEKs encryption and decryption
NOTE: You can encrypt and decrypt a small amount of data using the online tool on the console.
+ You need to call APIs to encrypt and decrypt a large amount of data.
+
+
+ |
+
+Digest key
+ |
+SHA
+ |
+
+ |
+Digest key
+ |
+- Data tampering prevention
- Data integrity verification
+ |
+
+Asymmetric key
+ |
+RSA
+ |
+
+ |
+RSA asymmetric password
+ |
+- Digital signature and signature verification
- Data encryption and decryption
NOTE: Asymmetric keys are applicable to signature and signature verification scenarios. Asymmetric keys are not efficient enough for data encryption. Symmetric keys are suitable for encrypting and decrypting data.
+
+
+ |
+
+ECC
+ |
+
+ |
+Elliptic curve recommended by NIST
+ |
+Digital signature and signature verification
+ |
+
+
+
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0104.html b/docs/kms/umn/dew_01_0104.html
new file mode 100644
index 000000000..ad39dbc02
--- /dev/null
+++ b/docs/kms/umn/dew_01_0104.html
@@ -0,0 +1,13 @@
+
+
+
What Should I Do When I Accidentally Delete Key Materials?
+
You can import the backup key materials from your local device again.
+
Before importing key materials, you are advised to back up the materials. The materials to be re-imported must be consistent with the mis-deleted materials.
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0115.html b/docs/kms/umn/dew_01_0115.html
new file mode 100644
index 000000000..4dbe34469
--- /dev/null
+++ b/docs/kms/umn/dew_01_0115.html
@@ -0,0 +1,16 @@
+
+
+
Advantages
+
Extensive Service Integration
- By integrating with OBS, EVS, and IMS, you can use KMS to manage the keys of the services or use KMS APIs to encrypt and decrypt local data.
- By integrating with Cloud Trace Service (CTS), you can use CTS to view recent KMS operation records.
+
+
Regulatory Compliance
Keys are generated by third-party validated HSMs. Access to keys is controlled and key operations involving keys are traceable by logs, compliant with international laws and regulations.
+
+
Easy to Use
You can use and manage keys easily using the console or APIs, needless to purchase hardware encryption devices.
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0116.html b/docs/kms/umn/dew_01_0116.html
index 07b0d78c3..a369489b5 100644
--- a/docs/kms/umn/dew_01_0116.html
+++ b/docs/kms/umn/dew_01_0116.html
@@ -1,20 +1,13 @@
Encrypting Data in SFS
-
+
-
-
\ No newline at end of file
diff --git a/docs/kms/umn/dew_01_0121.html b/docs/kms/umn/dew_01_0121.html
new file mode 100644
index 000000000..7ac4677f3
--- /dev/null
+++ b/docs/kms/umn/dew_01_0121.html
@@ -0,0 +1,23 @@
+
+
+
KMS
+
+
+
diff --git a/docs/kms/umn/dew_01_0133.html b/docs/kms/umn/dew_01_0133.html
new file mode 100644
index 000000000..b781bac2a
--- /dev/null
+++ b/docs/kms/umn/dew_01_0133.html
@@ -0,0 +1,13 @@
+
+
+
Permission Control
+
+
+
diff --git a/docs/kms/umn/dew_01_0135.html b/docs/kms/umn/dew_01_0135.html
new file mode 100644
index 000000000..c0009ce19
--- /dev/null
+++ b/docs/kms/umn/dew_01_0135.html
@@ -0,0 +1,66 @@
+
+
+
Creating a User and Authorizing the User the Permission to Access DEW
+
This section describes IAM's fine-grained permissions management for your DEW resources. With IAM, you can:
+
- Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has its own security credentials to access DEW resources.
- Grant users only the permissions required to perform a task.
- Entrust an account or cloud service to perform efficient O&M on your KMS resources.
+
If your account does not need individual IAM users, skip this chapter.
+
This section describes the procedure for granting permissions (see Figure 1).
+
Prerequisites
Before granting permissions to a user group, you need to understand the available DEW permissions, and grant permissions based on the real-life scenario. The following tables describe the permissions supported in DEW.
+
+
Table 1 DEW permissionsRole/Policy
+ |
+Description
+ |
+Type
+ |
+
|---|
+
+KMS Administrator
+ |
+Administrator permissions for the encryption key
+ |
+Role
+ |
+
+KMS CMKFullAccess
+ |
+All permissions for the encryption keys
+ |
+Policy
+ |
+
+KMS CMK Admin
+ |
+All permissions for the encryption keys
+ |
+Policy
+ |
+
+KMS CMKReadOnlyAccess
+ |
+Read-only permission for encryption keys
+ |
+Policy
+ |
+
+
+
+
+
+
+
Tenant Guest Roles
If you have configured Tenant Guest permissions for the IAM account, apart from the read-only permissions for all cloud services except Identity and Access Management (IAM), you also have the following KMS permissions:
+
- kms:cmk:create: Create a key.
- kms:cmk:createDataKey: Create a DEK.
- kms:cmk:createDataKeyWithoutPlaintext: Create a plaintext-free DEK.
- kms:cmk:encryptDataKey: Encrypt the DEK.
- kms:cmk:decryptDataKey: Decrypt a DEK.
- kms:cmk:retireGrant: Retire a grant.
- kms:cmk:decryptData: Decrypt data.
- kms:cmk:encryptData: Encrypt data.
- kms::generateRandom: Generate a random number.
+
If you want to configure the Tenant Guest role for an IAM user but do not want to have the preceding permissions, you need to configure a custom deny policy for the IAM user. For details about how to configure a custom policy, see Creating a Custom KMS Policy.
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0138.html b/docs/kms/umn/dew_01_0138.html
new file mode 100644
index 000000000..e969178ca
--- /dev/null
+++ b/docs/kms/umn/dew_01_0138.html
@@ -0,0 +1,19 @@
+
+
+
Rotating CMKs
+
+
+
diff --git a/docs/kms/umn/dew_01_0139.html b/docs/kms/umn/dew_01_0139.html
new file mode 100644
index 000000000..aacecd877
--- /dev/null
+++ b/docs/kms/umn/dew_01_0139.html
@@ -0,0 +1,25 @@
+
+
+
Enabling Key Rotation
+
This section describes how to enable rotation for a key on the KMS console.
+
By default, automatic key rotation is disabled for a custom key. Every time you enable key rotation, KMS automatically rotates custom keys based on the rotation period you set.
+
Prerequisites
- The key is enabled.
- The Origin of the key is KMS.
- Only symmetric keys can be rotated.
+
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click
on the left and choose .
- Click the custom key name to access it details page.
- Click the Rotation Policy tab. The rotation switch is displayed.
- Click
to enable key rotation. - In the displayed Enable Rotation Policy dialog box, set the rotation period and click OK.
- Set the rotation period (unit: day) to an integer in the range 30 to 365. The default value is 365.
- After the setting takes effect, the new rotation period starts.
- Configure the period based on how often a custom key is used. If it is frequently used, configure a short period. Otherwise, set a long one.
- A disabled custom key is never rotated, even if rotation is enabled for it.
- KMS resumes rotation when this custom key is enabled. If you enable this custom key after one rotation period has passed, KMS will rotate it within 24 hours.
- You can click
to change the rotation period. After the period is changed, KMS rotates the key by the new period.
+
+
+ - Enable key rotation. The key rotation details are displayed.
Figure 1 Key rotation details
+ You can click 
to change the rotation period. After the period is changed, KMS rotates the key by the new period.
+
+
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0142.html b/docs/kms/umn/dew_01_0142.html
new file mode 100644
index 000000000..ded63be56
--- /dev/null
+++ b/docs/kms/umn/dew_01_0142.html
@@ -0,0 +1,19 @@
+
+
+
Creating CMKs Using Imported Key Materials
+
+
+
diff --git a/docs/kms/umn/dew_01_0161.html b/docs/kms/umn/dew_01_0161.html
new file mode 100644
index 000000000..4944e21ab
--- /dev/null
+++ b/docs/kms/umn/dew_01_0161.html
@@ -0,0 +1,68 @@
+
+
+
Creating a Custom KMS Policy
+
Custom policies can be created as a supplement to the system policies of DEW. For details about the actions supported by custom policies, see "Permissions Policies and Supported Actions" in Key Management Service API Reference.
+
You can create custom policies in either of the following ways:
+
- Visual editor: You can select policy configurations without the need to know policy syntax.
- JSON: Edit JSON policies from scratch or based on an existing policy. This section describes typical DEW custom policies.
+
Example Custom Policies of DEW
- Example: authorizing users to create and import keys
{
+ "Version": "1.1",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "kms:cmk:create",
+ "kms:cmk:getMaterial",
+ "kms:cmkTag:create",
+ "kms:cmkTag:batch",
+ "kms:cmk:importMaterial"
+ ]
+ }
+ ]
+}
+
+
+
- Example: authorizing users to use keys
{
+ "Version": "1.1",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "kms:dek:crypto",
+ "kms:cmk:get",
+ "kms:cmk:crypto",
+ "kms:cmk:generate",
+ "kms:cmk:list"
+ ]
+ }
+ ]
+}
+ - Example: multi-action policy
A custom policy can contain actions of multiple services that are all of the global or project-level type. The following is a policy with multiple statements:
+{
+ "Version": "1.1",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "rds:task:list"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "kms:dek:crypto",
+ "kms:cmk:get",
+ "kms:cmk:crypto",
+ "kms:cmk:generate",
+ "kms:cmk:list"
+ ]
+ }
+ ]
+}
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0177.html b/docs/kms/umn/dew_01_0177.html
new file mode 100644
index 000000000..92fc84e05
--- /dev/null
+++ b/docs/kms/umn/dew_01_0177.html
@@ -0,0 +1,29 @@
+
+
+
Key Management Service
+
+
+
diff --git a/docs/kms/umn/dew_01_0178.html b/docs/kms/umn/dew_01_0178.html
new file mode 100644
index 000000000..5aaed4aab
--- /dev/null
+++ b/docs/kms/umn/dew_01_0178.html
@@ -0,0 +1,64 @@
+
+
+
Creating a Key
+
This section describes how to create a custom key on the KMS console.
+
Custom keys can be categorized into symmetric keys and asymmetric keys.
+
Constraints
- You can create up to 100 custom keys, excluding default keys.
- A custom key is created using the AES-256 algorithm and is 256 bit long.
- Asymmetric keys are created using RSA or ECC algorithms. RSA keys can be used for encryption, decryption, digital signature, and signature verification. ECC keys can be used only for digital signature and signature verification.
- Aliases of default keys end with /default. When choosing aliases for your custom keys, do not use aliases ending with /default.
- KMS does not limit the number of times that a key can be called.
+
+
Scenarios
- Encrypt data in OBS.
- Encrypt data in EVS.
- Encrypt data in IMS.
- Use custom keys to directly encrypt and decrypt small volumes of data.
- DEK encryption and decryption for user applications
- Message authentication code generation and verification
+
+
Creating a Key
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click
on the left and choose . - Click Create Key in the upper right corner.
- Configure the parameters as follows:
Figure 1 Creating a key
+
+Table 1 Key parameter configurationParameter
+ |
+Description
+ |
+
|---|
+
+Name
+ |
+Name of the key you are creating.
+ NOTE: - You can enter digits, letters, underscores (_), hyphens (-), colons (:), and slashes (/).
- You can enter up to 255 characters.
+
+ |
+
+Key Algorithm
+ |
+Select a key algorithm.
+ |
+
+Usage
+ |
+Key usage. The value cannot be changed after the key is created. The value can be SIGN_VERIFY, ENCRYPT_DECRYPT, or GENERATE_VERIFY_MAC.
+- For an AES_256 symmetric key, the default value is ENCRYPT_DECRYPT.
- For an HMAC symmetric key, the default value is GENERATE_VERIFY_MAC.
- For RSA asymmetric keys, select ENCRYPT_DECRYPT or SIGN_VERIFY. The default value is SIGN_VERIFY.
- For an ECC asymmetric key, the default value is SIGN_VERIFY.
+ |
+
+Key Material Source
+ |
+
+ |
+
+Advanced settings
+ |
+
+ |
+
+
+
+
- Click OK.
+
+
Related Operations
- For details about how to upload objects with server-side encryption, see section "Uploading a File with Server-Side Encryption" in Object Storage Service (OBS) User Guide.
- For details about how to encrypt data on EVS disks, see section "Creating an EVS Disk" in Elastic Volume Service (EVS) User Guide.
- For details about how to encrypt private images, see section "Encrypting an Image" in Image Management Service (IMS) User Guide.
- For details about how to encrypt disks for a database instance in RDS, see section "Purchasing an Instance" in the Relational Database Service User Guide.
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0179.html b/docs/kms/umn/dew_01_0179.html
new file mode 100644
index 000000000..4a868dc6d
--- /dev/null
+++ b/docs/kms/umn/dew_01_0179.html
@@ -0,0 +1,59 @@
+
+
+
Viewing a Key
+
This section describes how to view the information about the custom key on the KMS console, including thekey name/ID and the creation time. The status of a key can be Enabled, Disabled, Scheduled deletion, or Pending import.
+
Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click
on the left and choose .
- Check the key list.
+
Table 1 Key list parametersParameter
+ |
+Description
+ |
+
|---|
+
+Name/ID
+ |
+Name of a key and the random ID of a key generated during its creation.
+ |
+
+Status
+ |
+Status of a CMK, which can be one of the following:
+- Enabled
The CMK is enabled.
+ - Disabled
The CMK is disabled.
+ - Pending deletion
The CMK is scheduled for deletion.
+ - Pending import
If your CMK does not have materials, its status is Pending import.
+
+ |
+
+Created
+ |
+Creation time of the CMK
+ |
+
+Key Algorithm and Usage
+ |
+Key algorithm selected during key creation and its usage
+ |
+
+Origin
+ |
+Source of key material, which can be one of the following:
+
+ |
+
+
+
+
- You can click the key alias to view its details.
To change the alias or description of the CMK, click 
next to the value of Name or Description.
+
- A default key (the alias suffix of which is /default) does not allow name and description changes.
- The name and description of a CMK cannot be changed if the CMK is in Pending deletion status.
+
+
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0182.html b/docs/kms/umn/dew_01_0182.html
new file mode 100644
index 000000000..8cf307d82
--- /dev/null
+++ b/docs/kms/umn/dew_01_0182.html
@@ -0,0 +1,19 @@
+
+
+
What Should I Do If I Do Not Have the Permissions to Perform Operations on KMS?
+
Symptom
A message indicating lack of permissions is displayed when you attempt to perform operations on keys, such as view, create, or import keys.
+
+
Possible Causes
Your account is not associated with the required KMS system policies.
+
+
Solution
- Check whether your account has been associated with KMS Administrator and KMS CMKFullAccess policies.
For details about how to check your user groups and permissions, see the "User Groups and Authorization" section.
+If your account has been associated with required KMS system policies, go to Step 2.
+ - Associate your account with required system policies.
- For details about how to add administrator permissions, see the "User Groups and Authorization" section.
- For details about how to add a custom policy, see the "Creating a Custom KMS Policy" section.
+
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0186.html b/docs/kms/umn/dew_01_0186.html
new file mode 100644
index 000000000..932a574dd
--- /dev/null
+++ b/docs/kms/umn/dew_01_0186.html
@@ -0,0 +1,34 @@
+
+
+
Why Can't I Wrap Asymmetric Keys by Using -id-aes256-wrap-pad in OpenSSL?
+
Symptom
By default, the -id-aes256-wrap-pad algorithm is not enabled in OpenSSL. To wrap a key, upgrade OpenSSL to the latest version and patch it first.
+
+
Solution
Use bash commands to create a local copy of the existing OpenSSL. You do not need to delete or modify the default OpenSSL client installation configurations.
+
- Switch to the root user.
sudo su -
+ - Run the following command and record the OpenSSL version:
openssl version
+ - Run the following commands to create the /root/build directory. This directory will be used to store the latest OpenSSL binary file.
mkdir $HOME/build
+mkdir -p $HOME/local/ssl
+cd $HOME/build
+ - Download the latest OpenSSL version from https://www.openssl.org/source/.
- Download and decompress the binary file.
- Replace openssl-1.1.1d.tar.gz with the latest OpenSSL version downloaded in step 4.
curl -O https://www.openssl.org/source/openssl-1.1.1d.tar.gz
+tar -zxf openssl-1.1.1d.tar.gz
+ - Use the gcc tool to patch the version, and compile the downloaded binary file.
yum install patch make gcc -y If you are using a version other than OpenSSL-1.1.1d, you may need to change the directory and commands used, or this patch may not work properly.
+
+
+ - Run the following commands:
sed -i "/BIO_get_cipher_ctx(benc, &ctx);/a\ EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);" $HOME/build/openssl-1.1.1d/apps/enc.c
+ - Run the following commands to compile the OpenSSL enc.c file:
cd $HOME/build/openssl-1.1.1d/
+./config --prefix=$HOME/local --openssldir=$HOME/local/ssl
+make -j$(grep -c ^processor /proc/cpuinfo)
+make install
+ - Configure the environment variable LD_LIBRARY_PATH to ensure that required libraries are available for OpenSSL. The latest version of OpenSSL has been dynamically linked to the binary file in the $HOME/local/ssl/lib/ directory, and cannot be directly executed in shell.
- Create a script named openssl.sh to load the $HOME/local/ssl/lib/ path before running the binary file.
cd $HOME/local/bin/
+echo -e '#!/bin/bash \nenv LD_LIBRARY_PATH=$HOME/local/lib/ $HOME/local/bin/openssl "$@"' > ./openssl.sh
+ - Run the following command to configure an execute bit on the script:
chmod 755 ./openssl.sh
+ - Run the following command to start the patched OpenSSL version:
$HOME/local/bin/openssl.sh
+
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0189.html b/docs/kms/umn/dew_01_0189.html
new file mode 100644
index 000000000..48ead8f76
--- /dev/null
+++ b/docs/kms/umn/dew_01_0189.html
@@ -0,0 +1,73 @@
+
+
+
Key Algorithms Supported by KMS
+
+
Table 1 Key algorithms supported by KMSKey Type
+ |
+Algorithm Type
+ |
+Key Specifications
+ |
+Description
+ |
+Application Scenario
+ |
+
|---|
+
+Symmetric key
+ |
+AES
+ |
+AES_256
+ |
+AES symmetric key
+ |
+- Data encryption and decryption
- DEKs encryption and decryption
NOTE: You can encrypt and decrypt a small amount of data using the online tool on the console.
+ You need to call APIs to encrypt and decrypt a large amount of data.
+
+
+ |
+
+Digest key
+ |
+SHA
+ |
+
+ |
+Digest key
+ |
+- Data tampering prevention
- Data integrity verification
+ |
+
+Asymmetric key
+ |
+RSA
+ |
+
+ |
+RSA asymmetric password
+ |
+- Digital signature and signature verification
- Data encryption and decryption
NOTE: Asymmetric keys are applicable to signature and signature verification scenarios. Asymmetric keys are not efficient enough for data encryption. Symmetric keys are suitable for encrypting and decrypting data.
+
+
+ |
+
+ECC
+ |
+
+ |
+Elliptic curve recommended by NIST
+ |
+Digital signature and signature verification
+ |
+
+
+
+
+
+
+
diff --git a/docs/kms/umn/dew_01_0199.html b/docs/kms/umn/dew_01_0199.html
index fa288c872..eaafdf7c2 100644
--- a/docs/kms/umn/dew_01_0199.html
+++ b/docs/kms/umn/dew_01_0199.html
@@ -1,21 +1,14 @@
Encrypting Data in DDS
-
diff --git a/docs/kms/umn/kms_01_0003.html b/docs/kms/umn/kms_01_0003.html
deleted file mode 100644
index e19c80739..000000000
--- a/docs/kms/umn/kms_01_0003.html
+++ /dev/null
@@ -1,29 +0,0 @@
-
-
-
Concepts
-
-
-
diff --git a/docs/kms/umn/kms_01_0004.html b/docs/kms/umn/kms_01_0004.html
deleted file mode 100644
index 3b6eedc18..000000000
--- a/docs/kms/umn/kms_01_0004.html
+++ /dev/null
@@ -1,13 +0,0 @@
-
-
-
KMS
-
Key Management Service (KMS) is a secure, reliable, and easy-to-use service that helps users centrally manage and safeguard their Customer Master Keys (CMKs).
-
This service uses hardware security modules (HSMs) to protect CMKs. HSMs help you create and control CMKs with ease. All CMKs are protected by root keys in HSMs to avoid leakage caused by human error.
-
KMS implements access control and log-based tracking on all operations involving CMKs. Additionally, it provides use records of all CMKs, meeting your audit and regulatory compliance requirements.
-
-
-
diff --git a/docs/kms/umn/kms_01_0005.html b/docs/kms/umn/kms_01_0005.html
deleted file mode 100644
index 5448ae427..000000000
--- a/docs/kms/umn/kms_01_0005.html
+++ /dev/null
@@ -1,12 +0,0 @@
-
-
-
CMK
-
A Customer Master Key (CMK) is a Key Encryption Key (KEK) created by a user using KMS. It is used to encrypt and protect Data Encryption Keys (DEKs). One CMK can be used to encrypt one or multiple DEKs.
-
CMKs are categorized into custom keys and default keys.
-
-
-
diff --git a/docs/kms/umn/kms_01_0006.html b/docs/kms/umn/kms_01_0006.html
deleted file mode 100644
index c615c3268..000000000
--- a/docs/kms/umn/kms_01_0006.html
+++ /dev/null
@@ -1,54 +0,0 @@
-
-
-
Default Key
-
A default key is automatically created by another cloud service using KMS, such as Object Storage Service (OBS). The name of a default key ends with /default.
-
You can use the management console to query the status of Default Master Keys, but cannot disable or schedule the deletion of default keys.
-
-
Table 1 Default keysKey Name
- |
-Cloud Service
- |
-
|---|
-
-obs/default
- |
-Object Storage Service (OBS)
- |
-
-evs/default
- |
-Elastic Volume Service (EVS)
- |
-
-ims/default
- |
-Image Management Service (IMS)
- |
-
-sfs/default
- |
-Scalable File Service (SFS)
- |
-
-rds/default
- |
-Relational Database Service (RDS)
- |
-
-kps/default
- |
-Key Pair Service (KPS)
- |
-
-
-
-
-
A Default Master Key is automatically created when a user employs the KMS encryption function for the first time in another cloud service.
-
-
-
-
diff --git a/docs/kms/umn/kms_01_0007.html b/docs/kms/umn/kms_01_0007.html
deleted file mode 100644
index 90a697ae8..000000000
--- a/docs/kms/umn/kms_01_0007.html
+++ /dev/null
@@ -1,11 +0,0 @@
-
-
-
DEK
-
Data Encryption Keys (DEKs) are used by users to encrypt data.
-
-
-
diff --git a/docs/kms/umn/kms_01_0008.html b/docs/kms/umn/kms_01_0008.html
deleted file mode 100644
index 833c416d0..000000000
--- a/docs/kms/umn/kms_01_0008.html
+++ /dev/null
@@ -1,11 +0,0 @@
-
-
-
HSM
-
A Hardware Security Module (HSM) securely produces, stores, manages, and uses keys and provides encryption services.
-
-
-
diff --git a/docs/kms/umn/kms_01_0009.html b/docs/kms/umn/kms_01_0009.html
deleted file mode 100644
index cf5af500d..000000000
--- a/docs/kms/umn/kms_01_0009.html
+++ /dev/null
@@ -1,11 +0,0 @@
-
-
-
Envelope Encryption
-
Envelope encryption is an encryption method that enables DEKs to be stored, transmitted, and used in "envelopes." As a result, CMKs are not used to directly encrypt and decrypt data.
-
-
-
diff --git a/docs/kms/umn/kms_01_0010.html b/docs/kms/umn/kms_01_0010.html
deleted file mode 100644
index 968b05fae..000000000
--- a/docs/kms/umn/kms_01_0010.html
+++ /dev/null
@@ -1,11 +0,0 @@
-
-
-
TRNG
-
A true random number generator (TRNG) is a device that generates unpredictable random numbers by physical procedures instead of computer programs.
-
-
-
diff --git a/docs/kms/umn/kms_01_0012.html b/docs/kms/umn/kms_01_0012.html
deleted file mode 100644
index 23023619a..000000000
--- a/docs/kms/umn/kms_01_0012.html
+++ /dev/null
@@ -1,12 +0,0 @@
-
-
-
Project
-
A project is used to group and isolate OpenStack resources, including computing, storage, and network resources. A project can be a department or a project team.
-
Multiple projects can be created for one account.
-
-
-
diff --git a/docs/kms/umn/kms_01_0013.html b/docs/kms/umn/kms_01_0013.html
deleted file mode 100644
index 9a066da29..000000000
--- a/docs/kms/umn/kms_01_0013.html
+++ /dev/null
@@ -1,17 +0,0 @@
-
-
-
Accessing and Using KMS
-
-
-
diff --git a/docs/kms/umn/kms_01_0014.html b/docs/kms/umn/kms_01_0014.html
deleted file mode 100644
index 0e098aebb..000000000
--- a/docs/kms/umn/kms_01_0014.html
+++ /dev/null
@@ -1,14 +0,0 @@
-
-
-
How to Access KMS
-
The cloud service provides a web-based service management platform. You can access KMS using HTTPS-compliant APIs or the management console.
-
- Management console
If you have registered with the cloud service, you can log in to the management console directly. In the upper left corner of the console, click 
. Select a region or project. Choose .
- - API
You can access KMS using APIs. For details, see Key Management Service (KMS) API Reference.
-
-
-
-
diff --git a/docs/kms/umn/kms_01_0015.html b/docs/kms/umn/kms_01_0015.html
deleted file mode 100644
index 69a1fba72..000000000
--- a/docs/kms/umn/kms_01_0015.html
+++ /dev/null
@@ -1,27 +0,0 @@
-
-
-
How to Use KMS
-
Working with OBS
Users can upload objects to and download them from Object Storage Service (OBS) in common mode or server-side encryption mode. When users upload objects in encryption mode, data is encrypted at the server side and then securely stored on OBS in ciphertext. When users download encrypted objects, the data in ciphertext is decrypted at the server side and then provided to users in plaintext. OBS supports the server-side encryption with KMS-managed keys (SSE-KMS) mode. In SSE-KMS mode, OBS uses the keys provided by KMS for server-side encryption.
-
For details about how to upload objects to OBS in SSE-KMS mode, see the Object Storage Service User Guide.
-
-
Working with EVS
If you enable the encryption function when creating an EVS disk and select a CMK provided by KMS to encrypt the EVS disk, data stored to the EVS disk is automatically encrypted.
-
For details about how to use the encryption function of EVS, see the Elastic Volume Service User Guide.
-
-
Working with IMS
When creating a private image using an external image file, you can enable the private image encryption function and select a CMK provided by KMS to encrypt the image.
-
For details about how to use the private image encryption function of Image Management Service (IMS), see the Image Management Service User Guide.
-
-
Working with SFS
When creating a file system on SFS, the CMK provided by KMS can be selected to encrypt the file system, so that files stored in the file system are automatically encrypted.
-
For details about how to use the encryption function of SFS, see the Scalable File Service User Guide.
-
-
Working with RDS
When creating a database instance, you can enable the disk encryption function of the database instance and select a CMK created on KMS to encrypt the disk of the database instance. The enablement of disk encryption will enhance data security.
-
For details about how to use the disk encryption function of RDS, see the Relational Database Service User Guide.
-
-
Working with User Applications
To encrypt plaintext data, a user application can call the necessary KMS APIs to generate a DEK. The DEK can then be used to encrypt the plaintext data. Then the application can store the encrypted data. In addition, the user application can call the necessary KMS APIs to create CMKs. DEKs can be stored in ciphertext after being encrypted with the CMKs. For details, see the Key Management Service API Reference.
-
-
-
-
diff --git a/docs/kms/umn/kms_01_0016.html b/docs/kms/umn/kms_01_0016.html
deleted file mode 100644
index 366491e23..000000000
--- a/docs/kms/umn/kms_01_0016.html
+++ /dev/null
@@ -1,229 +0,0 @@
-
-
-
Related Services
-
OBS
Object Storage Service (OBS) is a scalable service that provides secure, reliable, and cost-effective cloud storage for massive amounts of data. KMS provides central management and control capabilities of CMKs for OBS. It is used for server-side encryption with KMS-managed keys (SSE-KMS) on OBS.
-
-
EVS
Elastic Volume Service (EVS) offers scalable block storage for cloud servers. With high reliability, high performance, and rich specifications, EVS disks can be used for distributed file systems, development and test environments, data warehouse applications, and high-performance computing (HPC) scenarios to meet diverse service requirements. KMS provides central management and control capabilities of CMKs for EVS. It is used for encryption in EVS.
-
-
IMS
Image Management Service (IMS) allows you to manage the entire lifecycle of your images. KMS provides central management and control capabilities of CMKs for Image Management Service (IMS). It is used for private image encryption in IMS.
-
-
SFS
Scalable File Service (SFS) provides high-performance file storage (NAS) that can be expanded on demand. KMS provides central management and control capabilities of CMKs for SFS. It is used for file system encryption in SFS.
-
-
RDS
Relational Database Service (RDS) is a cloud relational database that is reliable, scalable, easy to manage, and immediately ready for use. KMS provides central management and control capabilities of CMKs for RDS. It is used for disk encryption in RDS.
-
-
DDS
Document Database Service (DDS) is a MongoDB-compatible database service that is secure, highly available, reliable, scalable, and easy to use. It provides DB instance creation, scaling, redundancy, backup, restoration, monitoring, and alarm reporting functions with just a few clicks on the DDS console. KMS provides central management and control capabilities of CMKs for DDS. It is used for disk encryption in DDS.
-
-
CTS
Cloud Trace Service (CTS) provides you with a history of KMS operations. After the CTS service is enabled, you can view all generated traces to review and audit performed KMS operations. For details, see the Cloud Trace Service User Guide.
-
-
Table 1 KMS operations supported by CTSOperation
- |
-Resource Type
- |
-Trace Name
- |
-
|---|
-
-Create a key
- |
-CMK
- |
-createKey
- |
-
-Create a DEK
- |
-CMK
- |
-createDataKey
- |
-
-Create a plaintext-free DEK
- |
-CMK
- |
-createDataKeyWithoutPlaintext
- |
-
-Enable a key
- |
-CMK
- |
-enableKey
- |
-
-Disable a key
- |
-CMK
- |
-disableKey
- |
-
-Encrypt a DEK
- |
-CMK
- |
-encryptDatakey
- |
-
-Decrypt a DEK
- |
-CMK
- |
-decryptDatakey
- |
-
-Schedule key deletion
- |
-CMK
- |
-scheduleKeyDeletion
- |
-
-Cancel scheduled key deletion
- |
-CMK
- |
-cancelKeyDeletion
- |
-
-Generate random numbers
- |
-RNG
- |
-genRandom
- |
-
-Modify a key alias
- |
-CMK
- |
-updateKeyAlias
- |
-
-Modify key description
- |
-CMK
- |
-updateKeyDescription
- |
-
-Prompt risks about CMK deletion
- |
-CMK
- |
-deleteKeyRiskTips
- |
-
-Import key materials
- |
-CMK
- |
-importKeyMaterial
- |
-
-Delete key materials
- |
-CMK
- |
-deleteImportedKeyMaterial
- |
-
-Create a grant
- |
-CMK
- |
-createGrant
- |
-
-Retire a grant
- |
-CMK
- |
-retireGrant
- |
-
-Revoke a grant
- |
-CMK
- |
-revokeGrant
- |
-
-Encrypt data
- |
-CMK
- |
-encryptData
- |
-
-Decrypt data
- |
-CMK
- |
-decryptData
- |
-
-Add a tag
- |
-CMK
- |
-dealUnifiedTags
- |
-
-Delete a tag
- |
-CMK
- |
-dealUnifiedTags
- |
-
-Add tags in batches
- |
-CMK
- |
-dealUnifiedTags
- |
-
-Delete tags in batches
- |
-CMK
- |
-dealUnifiedTags
- |
-
-Enable key rotation
- |
-CMK
- |
-enableKeyRotation
- |
-
-Modify key rotation interval
- |
-CMK
- |
-updateKeyRotationInterval
- |
-
-Disable key rotation
- |
-CMK
- |
-disableKeyRotation
- |
-
-
-
-
-
-
IAM
Identity and Access Management (IAM) provides the permission management function for KMS.
-
Only users who have KMS Administrator permissions can use KMS.
-
To apply for permissions, contact a user with Security Administrator permissions. For details, see the Identity and Access Management User Guide.
-
-
-
-
diff --git a/docs/kms/umn/kms_01_0018.html b/docs/kms/umn/kms_01_0018.html
deleted file mode 100644
index 88d7d1ce8..000000000
--- a/docs/kms/umn/kms_01_0018.html
+++ /dev/null
@@ -1,27 +0,0 @@
-
-
-
Key Management
-
-
-
diff --git a/docs/kms/umn/kms_01_0019.html b/docs/kms/umn/kms_01_0019.html
deleted file mode 100644
index 26b0cdebd..000000000
--- a/docs/kms/umn/kms_01_0019.html
+++ /dev/null
@@ -1,19 +0,0 @@
-
-
-
Creating CMKs Using Imported Key Material
-
-
-
diff --git a/docs/kms/umn/kms_01_0020.html b/docs/kms/umn/kms_01_0020.html
deleted file mode 100644
index 196162036..000000000
--- a/docs/kms/umn/kms_01_0020.html
+++ /dev/null
@@ -1,20 +0,0 @@
-
-
-
Deleting a Key Material
-
Scenario
When importing key material, you can specify the expiration time. After the key material expires, KMS deletes it, and the status of the custom key changes to Pending import. You can manually delete the key material as needed. The effect of expiration of the key material is the same as that of manual deletion of the key material.
-
This section describes how to delete imported key material on the management console.
-
-
Constraints
- To re-import a deleted key material, ensure the imported material is the same as the deleted one.
- Data encrypted using a custom key cannot be decrypted if the key material of the custom key was deleted. To decrypt the data, re-import the key material.
- After the deletion, the key will become unavailable and its status will change to Pending import.
-
-
Prerequisites
- You have imported the key material for a key.
- The material source of the key is External.
- The key status is Enabled or Disabled.
-
-
Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Choose . The key management page is displayed.
- Locate the target key material and choose in the Operation column.
- In the displayed dialog box, click Yes.
After the deletion, the key will become unavailable and its status changes to Pending import.
-
-
-
-
-
diff --git a/docs/kms/umn/kms_01_0021.html b/docs/kms/umn/kms_01_0021.html
index 576a11d01..3813337ea 100644
--- a/docs/kms/umn/kms_01_0021.html
+++ b/docs/kms/umn/kms_01_0021.html
@@ -1,77 +1,70 @@
Configuring SMN
-
Scenario
This section describes how to configure the Simple Message Notification (SMN) function on the Cloud Trace Service (CTS) console.
-
Decryption will fail if the key used for encryption has been scheduled for deletion. You will receive messages about the decryption failure on terminals (SMS, email, HTTP, or HTTPS) if the SMN function has been configured in CTS.
+
Scenario
This section describes how to configure the Simple Message Notification (SMN) function on the Cloud Trace Service (CTS) console.
+
Decryption will fail if the key used for encryption has been scheduled for deletion. You will receive messages about the decryption failure on terminals (SMS, email, HTTP, or HTTPS) if the SMN function has been configured in CTS.
-
Prerequisites
- CTS has been enabled.
- You have subscribed to SMN.
+
Prerequisites
- CTS has been enabled.
- You have subscribed to SMN.
-
Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose Management & Deployment > Cloud Trace Service to go to the CTS console.
- In the navigation pane on the left, click Tracker List.
- If the desired tracker is not enabled, click Enable. In the dialog box that is displayed, click OK to enable the tracker. If the tracker is already enabled, skip this step.
- In the navigation pane on the left, click Key Event Notifications.
- Click Create Key Event Notification at the upper right corner of the page. The creation page is displayed.
- In the Basic Information area, enter a notification name. See Figure 1 for details.
Figure 1 Configuring basic information
- - Select operation types in the Operation area. See Figure 2 for details.
Figure 2 Selecting operation types
+Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose Management & Deployment > Cloud Trace Service to go to the CTS console.
- In the navigation pane on the left, click Tracker List.
- If the desired tracker is not enabled, click Enable. In the dialog box that is displayed, click OK to enable the tracker. If the tracker is already enabled, skip this step.
- In the navigation pane on the left, click Key Event Notifications.
- Click Create Key Event Notification at the upper right corner of the page. The creation page is displayed.
- In the Basic Information area, enter a notification name. See Figure 1 for details.
Figure 1 Configuring basic information
+ - Select operation types in the Operation area. See Figure 2 for details.
Figure 2 Selecting operation types
-Table 1 Parameters for operation typesParameter
+Table 1 Parameters for operation typesParameter
|
-Description
+ | Description
|
-Example Value
+ | Example Value
|
|---|
-Operation Type
+ | Operation Type
|
-SMN sends messages to users when deletion, creation, or login operations are performed on keys.
+ | SMN sends messages to users when deletion, creation, or login operations are performed on keys.
|
-Delete
+ | Delete
|
- In the User area, specify the user who performs the specified operations. See Figure 3 for details.
- You can select All users so that SMN notifications are sent when specified operations are performed by any user.
- You can also select Specified users and add users to the User List. Then SMN notifications are sent when the specified operations are performed by specified users.
+ - In the User area, specify the user who performs the specified operations. See Figure 3 for details.
- You can select All users so that SMN notifications are sent when specified operations are performed by any user.
- You can also select Specified users and add users to the User List. Then SMN notifications are sent when the specified operations are performed by specified users.
-Figure 3 Specifying users
- - In the Topic area, configure whether to send notifications. See Figure 4 for details.
Figure 4 Configuring SMN
+Figure 3 Specifying users
+ - In the Topic area, configure whether to send notifications. See Figure 4 for details.
Figure 4 Configuring SMN
-Table 2 Parameters for configuring the SMN notificationParameter
+Table 2 Parameters for configuring the SMN notificationParameter
|
-Description
+ | Description
|
-Configuration
+ | Configuration
|
|---|
-Send Notification
+ | Send Notification
|
-Specifies whether notifications will be sent.
-- Select Yes to activate notification.
- Select No to deactivate notification.
+ | Specifies whether notifications will be sent.
+- Select Yes to activate notification.
- Select No to deactivate notification.
|
-Yes
+ | Yes
|
-SMN Topic
+ | SMN Topic
|
-You can select an existing topic or click Topic to create a topic.
-For details about topics, see the Simple Message Notification User Guide.
+ | You can select an existing topic or click Topic to create a topic.
+For details about topics, see the Simple Message Notification User Guide.
|
-KMS
+ | KMS
|
- Click OK. The SMN notification is configured.
+- Click OK. The SMN notification is configured.
-
-
\ No newline at end of file
diff --git a/docs/kms/umn/kms_01_0022.html b/docs/kms/umn/kms_01_0022.html
deleted file mode 100644
index 1be1c3275..000000000
--- a/docs/kms/umn/kms_01_0022.html
+++ /dev/null
@@ -1,36 +0,0 @@
-
-
-Encrypting and Decrypting Small-Size Data Online
-This section describes how to use an online tool to encrypt and decrypt data less than or equal to 4 KB on the KMS console.
- PrerequisitesThe desired custom key is in Enabled status.
-
- Constraints- Default keys cannot be used to encrypt or decrypt such data with the tool.
- Asymmetric keys cannot be used to encrypt or decrypt such data with the tool.
- You can call an API to use a default key to encrypt or decrypt small volumes of data. For details, see the Key Management Service API Reference.
- Use the current CMK to encrypt the data.
- Exercise caution when you delete a CMK. The online tool cannot decrypt data if the CMK used for encryption has been deleted.
- After an API is called to encrypt data, the online tool cannot be used to decrypt the data.
-
- Encrypting Data- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the name of the target custom key to access the key details page. Click the Tool tab.
- Click Encrypt. In the text box on the left, enter the data to be encrypted.
Figure 1 Encrypting data
-
- - Click Execute. The data encryption result is displayed in the text box on the right.
- The key you clicked is used for encryption.
- To clear your input, click Clear.
- To copy the encrypted data, click Copy to Clipboard. You can then paste and save it to a local file.
-
-
-
- Decrypting Data- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the alias of an enabled key (excepting Default Master Keys) to access its details page.
- Click the Tool tab.
- Click Decrypt. In the text box on the left, enter the data to be decrypted.
- The online tool automatically identifies the key used for data encryption, and uses it to decrypt data.
- If the key has been deleted, the decryption will fail.
-
-Figure 2 Decrypting data
-
- - Click Execute. The data decryption result is displayed in plaintext in the text box on the right.
To copy the decrypted data, click Copy to Clipboard. You can then paste and save it to a local file.
-
-
-
- Managing Tags
-
-
-
diff --git a/docs/kms/umn/kms_01_0024.html b/docs/kms/umn/kms_01_0024.html
deleted file mode 100644
index a8dbc8ff6..000000000
--- a/docs/kms/umn/kms_01_0024.html
+++ /dev/null
@@ -1,61 +0,0 @@
-
-
-Adding a Tag
-ScenarioTags are used to identify custom keys. You can add tags to custom keys so that you can classify custom keys, trace them, and collect their usage status according to the tags.
-
- ConstraintsTags cannot be added to default keys.
-
- Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the name of the target custom key to view its details.
- Click Tags to go to the tag management page.
Figure 1 Managing tags
- - Click Add Tag. In the Add Tag dialog box, enter the tag key and tag value. Table 1 describes the parameters.
Figure 2 Adding a Tag
- If you want to delete a tag to be added when adding multiple tags, you can click Delete in the row where the tag to be added is located to delete the tag.
-
-
-Table 1 Tag parametersParameter
- |
-Description
- |
-Value
- |
-Example Value
- |
-
|---|
-
-Tag key
- |
-Name of a tag.
-The same tag (including tag key and tag value) can be used for different keys. However, under the same custom key, one tag key can have only one tag value.
-A maximum of 20 tags can be added for one custom key.
- |
-- Mandatory.
- Each tag key must be unique under the same custom key.
- Contains a maximum of 36 characters.
- Only digits, letters, underscores (_), and hyphens (-) are allowed.
- |
-cost
- |
-
-Tag value
- |
-Value of the tag
- |
-- This parameter can be empty.
- Can contain a maximum of 43 characters.
- Only digits, letters, underscores (_), and hyphens (-) are allowed.
- |
-100
- |
-
-
-
- - Click OK to complete.
-
- Searching for a Custom Key by Tag
-ScenarioThis section describes how to search for tags through KMS. You can search for tags of all custom keys that meet the search criteria in the current project.
-
- PrerequisitesTags have been added.
-
- Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- In the search box, enter the tag key and tag value.
Figure 1 Searching for tags
- - The list displays the custom keys that meet the search criteria.
Figure 2 Search results
- - Multiple tags can be added for one search, 20 at most. If multiple tags are added, only custom keys that meet the combined search criteria are displayed.
- If you want to delete an added tag from the search criteria, click
 next to the tag. - You can click Reset to reset the search criteria.
-
-
-
- Modifying Tag Values
-ScenarioThis section describes how to modify tag values on the KMS management console.
-
- Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the name of the target custom key to view its details.
- Click Tags to go to the tag management page.
Figure 1 Managing tags
- - Click Edit of the target tag, and the Edit Tag dialog box is displayed.
Figure 2 Editing a tag
- - In the Edit Tag dialog box, enter a tag value, and click OK to complete the editing.
-
- Deleting Tags
-ScenarioThis section describes how to delete tags on the KMS management console.
-
- Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the name of the target custom key to view its details.
- Click Tags to go to the tag management page.
Figure 1 Managing tags
- - Click Delete of the target tag, and the Delete Tag dialog box is displayed.
- In the Delete Tag dialog box, click Yes to complete the deletion.
-
- Managing a Grant
-
-
-
diff --git a/docs/kms/umn/kms_01_0029.html b/docs/kms/umn/kms_01_0029.html
deleted file mode 100644
index 3b61c3c5c..000000000
--- a/docs/kms/umn/kms_01_0029.html
+++ /dev/null
@@ -1,70 +0,0 @@
-
-
-Creating a Grant
-ScenarioYou can create grants for other users to use the custom key. You can create a maximum of 100 grants for a custom key.
- The owner of a custom key can create a grant for the custom key on the KMS management console or by making the API calls. A user, who has been granted with the grant creation permission by the owner of the custom key, can create grants for the custom key only by making the API calls.
-
- Prerequisites- You have obtained the user ID of the grantee (user to whom permissions are to be authorized).
- The desired custom key is in Enabled status.
-
- ConstraintsThe owner of a custom key can create a grant for the custom key on the KMS console or by calling APIs. The users or accounts who have the grant creation permission assigned by the owner of the custom key can create grants for the custom key only by calling APIs.
-
- Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the name of the target custom key to view its grant details.
Figure 1 Grants tab
- - Click Create Grant. The Create Grant dialog box is displayed.
Figure 2 Creating a grant
- - In the dialog box that is displayed, enter the ID of the user to be authorized and select permissions to be granted.
A grantee can perform the authorized operations only by calling the necessary API. For details, see the Key Management Service API Reference.
-
-
-Table 1 Parameter descriptionParameter
- |
-Description
- |
-Example Value
- |
-
|---|
-
-Key ID
- |
-ID of a custom key (automatically read by the system)
- |
--
- |
-
-Grantee
- |
-The user ID of the grantee is required.
- NOTE: The user IDs are provided by grantees who can obtain their IDs by clicking their portraits and choosing My Credential > User ID.
-
- |
-d9a6b2bdaedd4ba586cabe6372d1b312
- |
-
-Granted Operations
- |
-The following permissions can be authorized:
- NOTE: - You can create multiple grants on a custom key to provide different permissions to the same user. The user's permissions on the custom key are the combination of all the grants.
- This parameter cannot be left blank.
- Create Grant cannot be selected exclusively.
-
-- Create Data Key Without Plaintext
- Create Data Key
- Encrypt Data Key
- Decrypt Data Key
- Query Key Information
- Create Grant
- Retire Grant
- A grantee can retire a grant if the grantee does not need that permission.
- If, before retiring a grant, the grantee has granted the permission to another user, that user's permission will not be affected by the grant retirement.
-
- |
--
- |
-
-
-
- - Click OK. When message Grant of key alias created successfully is displayed in the upper right corner, the grant has been created.
In the list of grants, you can view the grant ID, grantee ID, granted operation, and creation time of the grant.
-
-
- Querying a Grant
-ScenarioThis section describes how to view the details about a grant, such as the grant ID, grantee user ID, granted operation, and creation time.
-
- PrerequisitesYou have created a grant.
-
- Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the name of the target custom key to view its details.
- Information about the custom key and grants created on it are displayed, as shown in .
Table 1 provides more details.
-
-Table 1 Parameter descriptionParameter
- |
-Description
- |
-
|---|
-
-Grant ID
- |
-Randomly generated unique identification of a grant
- |
-
-Grantee
- |
-ID of an authorized user.
- |
-
-Granted Operations
- |
-Authorized operations (such as Create Data Key) on the custom key
- |
-
-Creation Time
- |
-Creation time of the grant
- |
-
-Operation
- |
-Operations that can be performed on a grant. For example, you can revoke a grant.
- |
-
-
-
- - Click a grant ID to view the grant details. shows an example.
-
- Revoking a Grant
-ScenarioYou can revoke a grant in either of the following scenarios:
- - A grantee does not need the custom key grant. (The grantee can either tell the user who has created the grant to revoke the grant or call the necessary API to revoke the grant directly.)
- You do not want the grantee to have the grant.
- When a grant is revoked, the grantee does not have the corresponding permission anymore. However, if the grantee has created the same grant to another user, permission of that user will not be affected.
- This section describes how to revoke a grant.
-
- PrerequisitesYou have created a grant.
-
- Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the name of the target custom key to view its details.
- In the row containing the desired grantee, click Revoke Grant in the Operation column.
- In the dialog box that is displayed, click Yes. When Grant grant_ID revoked successfully is displayed in the upper right corner, the grant has been revoked.
-
- Managing CMKs
-
-
-
diff --git a/docs/kms/umn/kms_01_0033.html b/docs/kms/umn/kms_01_0033.html
deleted file mode 100644
index e8e80ca11..000000000
--- a/docs/kms/umn/kms_01_0033.html
+++ /dev/null
@@ -1,29 +0,0 @@
-
-
-Changing the Name and Description of a Key
-ScenarioKey names help you find custom keys more easily.
- This section describes how to change the name and description of a custom key on the KMS management console.
- - The name and description of the default master key cannot be modified. The name of the default master key ends with /default.
- The name and description of a key cannot be changed if the key is in Pending deletion status.
-
-
- Prerequisites- The custom key is in Enabled, Disabled, or Pending import status.
-
-
- Enabling a Key
-ScenarioThis section describes how to use the management console to enable one or multiple custom keys. Only enabled keys can be used to encrypt/decrypt data. A new custom key is in the Enabled state by default.
-
- PrerequisitesThe key you want to enable is in Disabled status.
-
- Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- In the row containing the desired key, click Enable.
Figure 1 Enabling a single key
- - In the dialog box that is displayed, click Yes to enable the key.
To enable multiple keys at a time, select them and click Enable in the upper left corner of the list.
-
-
-
- Disabling a Key
-ScenarioThis section describes how to use the management console to disable one or multiple custom keys, thereby protecting data in urgent cases.
- After being disabled, a custom key cannot be used to encrypt or decrypt any data. Before using a disabled key to encrypt or decrypt data, you must enable it by following instructions in Enabling a Key.
- Default keys created by KMS cannot be disabled.
-
-
- PrerequisitesThe key you want to disable is in Enabled status.
-
- Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- In the row containing the desired key, click Disable.
Figure 1 Disabling a single key
- - In the dialog box that is displayed, select I understand the impact of disabling keys and click OK.
To disable multiple keys at a time, select them and click Disable in the upper left corner of the list.
-
-
-
- Canceling the Scheduled Deletion of a Key
-ScenarioThis section describes how to use the management console to cancel the scheduled deletion of a custom key prior to deletion execution.
-
- PrerequisitesThe key for which you want to cancel the scheduled deletion is in Pending deletion status.
-
- Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- In the row containing the desired key, click Cancel Deletion.
Figure 1 Canceling the scheduled deletion of a single key
- - In the displayed dialog box, click Yes to cancel the scheduled deletion for the key.
- If the key is created using KMS generated material, its status becomes Disabled after the cancelation. To enable the key, see Enabling a Key.
- If the key is created using imported material, its status becomes Disabled after the cancelation. To enable the key, see Enabling a Key.
- If the key is created using imported material and no key material has been imported for it, its status becomes Pending import after the cancelation. To use the key, perform Creating CMKs Using Imported Key Material.
- To cancel the deletion of multiple keys at a time, select them and click Cancel Deletion in the upper left corner of the list.
-
-
-
- FAQs
-
-
-
diff --git a/docs/kms/umn/kms_01_0038.html b/docs/kms/umn/kms_01_0038.html
deleted file mode 100644
index 060e978a8..000000000
--- a/docs/kms/umn/kms_01_0038.html
+++ /dev/null
@@ -1,11 +0,0 @@
-
-
-What Is a Data Encryption Key?
-A data encryption key (DEK) is used to encrypt data.
- Why Can't I Delete a CMK Immediately?
-The decision to delete a CMK should be taken with caution. Before deletion, confirm that the CMK's encrypted data has all been migrated. Once the CMK is deleted, you will not be able to decrypt data with it. Therefore, KMS offers a waiting period of 7 to 1096 days for the deletion to finally take effect. On the scheduled day of deletion, the CMK will be permanently deleted. However, prior to the scheduled day, you can still cancel the deletion.
- Which Cloud Services Can Use KMS for Encryption?
-Object Storage Service (OBS), Elastic Volume Service (EVS), Image Management Service (IMS), Scalable File Service (SFS), and Relational Database Service (RDS) can use KMS for encryption.
- Change History
-
- Released On
- |
-Description
- |
-
|---|
-
-2025-03-26
- |
-This is the twenty-second official release.
-- Modified section "How to Access KMS".
- Added section "Encrypting and Decrypting Small-Size Data Online".
- Modified section "How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data?".
- |
-
-2025-03-21
- |
-This is the twenty-first official release.
-Updated section "Importing a Key Material".
- |
-
-2025-02-18
- |
-This is the twentieth official release.
-- Updated some screenshots.
- Modified section "User Permissions".
- Modified section "Importing a Key Material".
- Added section "Key Alias".
- |
-
-2023-06-15
- |
-This is the nineteenth official release.
-Added section "How Does KMS Protect My Keys?"
- |
-
-2022-09-30
- |
-This issue is the eighteenth official release.
-Optimized the content in section "Creating a Custom KMS Policy".
- |
-
-2021-11-30
- |
-This issue is the seventeenth official release.
-- Deleted description about DSS in "Application Scenarios" and "Accessing and Using KMS".
- Added examples for creating a key and using a custom key policy in "Creating a Custom KMS Policy".
- |
-
-2021-10-20
- |
-This issue is the sixteenth official release.
-- Added description about DSS in "Application Scenarios" and "Accessing and Using KMS".
- Added description about fine-grained authorization in "Permissions Management".
- |
-
-2021-09-22
- |
-This is the fifteenth official release.
-- Updated screenshots in "Managing Tags".
- Updated screenshots in "Managing a Grant".
- |
-
-2020-08-18
- |
-This is the fourteenth official release.
-- Modified the operation name of batchCreateKeyTags in section "Related Services".
- Updated the description in section "Creating a Key".
- |
-
-2020-06-29
- |
-This is the thirteenth official release.
-- Modified operations and information displayed on the rotation setting page in section "Enabling Key Rotation".
- Added the section "Disabling Key Rotation".
- |
-
-2019-12-10
- |
-This is the twelfth official release.
-- Added section "Enabling Key Rotation".
- Added the description about enabling key rotation to section "Functions".
- Added the description of enabling key rotation, changing the key rotation period, and disabling key rotation to section "Related Services".
- Updated screenshots.
- |
-
-2018-09-05
- |
-This is the eleventh official release.
-Updated screenshots.
- |
-
-2018-07-30
- |
-This is the tenth official release.
-- Added section "Adding a Tag".
- Added section "Searching for Tags".
- Added section "Modifying Tag Values".
- Added section "Deleting Tags".
- Modified contents in section "Functions": added description about adding, editing, and deleting tags.
- Modified section "Related Services": added descriptions about the operations of adding tags, deleting tags, adding tags in batches, and deleting tags in batches.
- Modified section "Creating a Key": added the procedure for adding a tag.
- Modified section "Importing Key Material": added the procedure for adding a tag.
- Accepted in OTC 3.1.
- Added description about RSAES_OAEP_SHA_256 and RSAES_OAEP_SHA_1 algorithms.
- Added the description about using KMS encryption for RDS.
- Added description about the relationship between KMS and RDS, as well as how to use RDS together with KMS.
- |
-
-2018-06-15
- |
-This is the ninth official release.
-- Added the description about using KMS encryption for SFS.
- Added description about relationships between KMS and SFS, as well as how to use these services together with KMS.
- Updated screenshots.
- Modified section "Importing Key material": updated the screenshots.
- Modified section "Deleting Key material": added related descriptions.
- Modified section "Configuring SMN-Enabled Event Notification": updated screenshots.
- Modified section "Importing Key Material": added the description about how to obtain the wrapping key and import token calling the API.
- Updated screenshots.
- |
-
-2018-03-30
- |
-This is the eighth official release.
-- Updated screenshots.
- Added section "Importing a CMK".
- Added section "Overview".
- Added section "Importing Key Material".
- Added section "Deleting Key Material".
- Added the description of importing and deleting keys to section "Related Services".
- Updated screenshots.
- |
-
-2017-11-30
- |
-This is the seventh official release.
-Updated a screenshot in section "Scheduling the Deletion of One or Multiple CMKs."
- |
-
-2017-10-30
- |
-This is the sixth official release.
-- Added operations creating a grant, retiring a grant, and revoking a grant to the table of supported KMS operations in section "Related Services."
- Added section "Configuring SMN."
- Added section "Creating a Grant."
- Added section "Querying a Grant."
- Added section "Revoking a Grant."
- |
-
-2017-08-30
- |
-This is the fifth official release.
-- Added section "Project."
- Added the step of selecting a project.
- Updated some screenshots.
- |
-
-2017-06-30
- |
-This is the fourth official release.
-- Added operations changing the alias of a CMK, changing the description of a CMK, and prompting risks about CMK deletion to table "KMS operations that CTS supports" in section "Related Services."
- Added section "Changing the Alias and Description of a CMK."
- |
-
-2017-03-31
- |
-This is the third official release.
-- Added section "Glossary".
- Added section "User Permissions."
- |
-
-2017-01-20
- |
-This is the second official release.
-- Added definitions of OBS, EVS, and IMS and optimized description about application scenarios.
- Optimized description about SSE-KMS and description about KMS operations that CTS supports.
- Added description about how to create a DEK and a plaintext-free DEK.
- Added description about relationships between KMS, EVS and IMS as well as how to use these services together with KMS.
- Added description about how to encrypt data on EVS disks.
- Added description about how to encrypt private images.
- |
-
-2016-12-30
- |
-This is the first official release.
- |
-
-
-
-
- Glossary
-For details about the glossaries in this document, see Glossary.
- Key Management
-
-
-
diff --git a/docs/kms/umn/kms_01_0046.html b/docs/kms/umn/kms_01_0046.html
deleted file mode 100644
index e0b4f6a84..000000000
--- a/docs/kms/umn/kms_01_0046.html
+++ /dev/null
@@ -1,32 +0,0 @@
-
-
-Application Scenarios
-KMS can manage CMKs used for data encryption and decryption in Object Storage Service (OBS), Elastic Volume Service (EVS), Image Management Service (IMS), Scalable File Service (SFS), Relational Database Service (RDS), and user applications.
- - For OBS, KMS applies to object encryption on OBS.
OBS is an object-based storage service that provides customers with massive, secure, reliable, and cost-effective data storage capabilities, including but not limited to bucket creation, modification, deletion, and management, as well as object upload, download, deletion, and general management. OBS can store all file types, and is suitable for individual subscribers, websites, enterprises, and developers. For details about OBS, see Object Storage Service (OBS) User Guide.
-
- - For EVS, KMS applies to data encryption in EVS disks.
Based on a distributed architecture, an EVS disk is a virtual block storage device that can be elastically scaled up and down. EVS disks can be operated online. Using them is the same as using common server hard disks. Compared with traditional hard disks, EVS disks have higher data reliability and I/O throughput and are easier to use. EVS disks can be used in file systems, databases, and system software applications that require block storage devices. For more information about EVS, see the Elastic Volume Service User Guide.
-
- - For IMS, KMS applies to the creation of encrypted private images.
IMS provides easy-to-use self-service image management functions. You can apply for a cloud server using either a private image or a public image. You can also create a private image using an existing ECS or an external image file. For more information about IMS, see the Image Management Service User Guide.
-
- - For SFS, KMS applies to data encryption for files in SFS.
SFS provides high-performance file storage that is scalable on demand. It can be shared with multiple cloud servers. For more information, see the Scalable File Service User Guide.
-
- - For RDS, KMS applies to disk encryption in RDS database instances.
RDS is an online relational database service based on the cloud computing platform. RDS is out-of-box, reliable, scalable, and easy to manage. For more information about RDS, see the Relational Database Service User Guide.
-
- - For user applications
To encrypt plaintext data, a user application can call the necessary KMS API to generate a DEK, which can then be used to encrypt the plaintext data. Then the application can store the encrypted data. In addition, the user application can call the necessary KMS APIs to create custom keys. DEKs can be stored in ciphertext after being encrypted with the custom keys. Figure 1 shows envelope encryption working principles.
-To ensure the security of the user's encrypted data, KMS does not save DEKs in plaintext or ciphertext. Instead, it manages users' custom keys so that users can obtain and use DEKs securely.
-Figure 1 Envelope encryption working principles
-
- Functions
-KMS provides the following functions:
- - Manages custom keys.
You can perform the following operations on custom keys on the KMS console or via APIs: - Creating, querying, enabling, disabling, scheduling the deletion of, and canceling the deletion of custom keys
- Importing keys and deleting key material
- Modifying the name and description of a custom key
- Using the online tool to encrypt and decrypt small-size data
- Creating, querying, and revoking a grant
- Adding, searching for, editing, and deleting tags
- Enabling key rotation
-
- - Creates, encrypts, and decrypts DEKs, and retires a grant on a key.
By calling APIs, you can create, encrypt, and decrypt DEKs, and retire a grant on a key. For details, see the Key Management Service API Reference.
- - Generates hardware true random numbers.
You can generate 512-bit hardware true random numbers using a KMS API. The 512-bit hardware true random numbers can be used as or serve as basis for keys and encryption parameters. For details, see .
-
- Key Algorithms Supported by KMSSymmetric keys created on the KMS console use the AES-256 algorithm. Asymmetric keys created by KMS support the RSA and ECC algorithms.
-
- Table 1 Key algorithms supported by KMSKey Type
- |
-Algorithm Type
- |
-Key Specifications
- |
-Description
- |
-Application Scenario
- |
-
|---|
-
-Symmetric key
- |
-AES
- |
-AES_256
- |
-AES symmetric key
- |
-- Data encryption and decryption
- DEKs encryption and decryption
NOTE: You can encrypt and decrypt a small amount of data using the the online tool on the console.
- You need to call APIs to encrypt and decrypt a large amount of data.
-
-
- |
-
-Digest key
- |
-SHA
- |
-
- |
-Digest key
- |
-- Data tampering prevention
- Data integrity verification
- |
-
-Asymmetric key
- |
-RSA
- |
-
- |
-RSA asymmetric password
- |
-- Digital signature and signature verification
- Data encryption and decryption
NOTE: Asymmetric keys are applicable to signature and signature verification scenarios. Asymmetric keys are not efficient enough for data encryption. Symmetric keys are suitable for encrypting and decrypting data.
-
-
- |
-
-ECC
- |
-
- |
-Elliptic curve recommended by NIST
- |
-Digital signature and signature verification
- |
-
-
-
-
- Key wrapping algorithms describes the cryptographic key wrapping algorithms supported by imported keys.
-
- Table 2 Key wrapping algorithmsAlgorithm
- |
-Description
- |
-Example Value
- |
-
|---|
-
-RSAES_OAEP_SHA_256
- |
-RSA cryptographic algorithm that uses OAEP and has the SHA-256 hash function
- |
-The RSAES_OAEP_SHA_256 encryption key is recommended.
- |
-
-
-
-
-
- Overview
-The custom key contains key metadata (key ID, key name, description, key status, and creation date) and key materials used for encrypting and decrypting data. - When a user uses the KMS console to create a custom key, the KMS automatically generates a key material for the custom key.
- If you want to use your own key material, you can use the KMS console to create a custom key whose key material source is external, and import the key material to the custom key.
-
- Important Notes- Security
You need to ensure that random sources meet your security requirements when using them to generate key materials. When using the import key function, you need to be responsible for the security of your key materials. Save the original backup of the key material so that the backup key material can be imported to the KMS in time when the key material is deleted accidentally.
- - Availability and Durability
Before importing the key material into KMS, you need to ensure the availability and durability of the key material.
-Differences between the imported key material and the key material generated by KMS are shown in Table 1.
-
-Table 1 Differences between the imported key material and the key material generated by KMSKey Material Source
- |
-Difference
- |
-
|---|
-
-Imported keys
- |
-
- |
-
-Keys created in KMS
- |
-- The key material cannot be manually deleted.
- Symmetric keys can be rotated.
- You cannot set the expiration time for key material.
- |
-
-
-
- - Association
When a key material is imported to a custom key, the custom key is permanently associated with the key material. Other key materials cannot be imported into the custom key.
- - Uniqueness
If you use the custom key created using the imported key material to encrypt data, the encrypted data can be decrypted only by the custom key that has been used to encrypt the data, because the metadata and key material of the custom key must be consistent.
-
-
- Importing a Key Material
-ScenarioIf you want to use your own key material instead of the KMS-generated material, you can use the console to import your key material to KMS. The keys created using imported material and KMS-generated material are managed together by KMS.
- This section describes how to import key material through KMS Console.
- - A key using imported material works in the same way as one using KMS-generated material, that is, you enable and disable them as well as schedule their deletion and cancel their scheduled deletion in the same way.
- You can only import 256-bit symmetric keys.
-
-
- Prerequisites- You have prepared the key material to be imported.
-
- Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Locate the target key in the list and click Import Key Material in the Operation column.
Figure 1 Importing a Key Material
-
-Table 1 Key wrapping algorithmsAlgorithm
- |
-Description
- |
-Example Value
- |
-
|---|
-
-RSAES_OAEP_SHA_256
- |
-RSA cryptographic algorithm that uses OAEP and has the SHA-256 hash function
- |
-Choose an algorithm from the drop-down list box.
-- If the HSMs support the RSAES_OAEP_SHA_256 algorithm, use RSAES_OAEP_SHA_256 to encrypt the key material.
- If the HSMs do not support OAEP, use RSAES_PKCS1_V1_5 to encrypt the key material.
- The RSAES_OAEP_SHA_1 cryptographic algorithm is no longer secure. Exercise caution when performing this operation.
- |
-
-RSAES_PKCS1_V1_5
- |
-RSA cryptographic algorithm (v1.5) of Public-Key Cryptography Standards number 1 (PKCS #1)
- |
-
-RSAES_OAEP_SHA_1
- |
-RSA cryptographic algorithm that uses Optimal Asymmetric Encryption Padding (OAEP) and has the SHA-1 hash function
- |
-
-
-
- If you stop a key material import process and want to try again, click Import Key Material in the row of the required custom key, and import key material in the dialog box that is displayed.
-
- - Click Download and Continue, download the wrapping key, as shown in Figure 2.
Figure 2 Downloaded files
-- wrappingKey_Key ID: wrapping key used to encrypt the key material
The wrapping key expires in 24 hours. If the wrapping key is invalid, download it again.
-
-
-Alternatively, you can obtain the wrapping key and import token by calling the API. - Call the get-parameters-for-import API to obtain the wrapping key and import token.
- public_key: content of the wrapping key (Base-64 encoding) returned after the API call
- import_token: content of the import token (Base-64 encoding) returned after the API call
-The following example describes how to obtain the wrapping key and import token of a CMK (ID: 43f1ffd7-18fb-4568-9575-602e009b7ee8; algorithm: RSAES_OAEP_SHA_256).
-- Request example
{
- "key_id": "43f1ffd7-18fb-4568-9575-602e009b7ee8",
- "wrapping_algorithm":"RSAES_OAEP_SHA_256"
-}
- - Response example:
{
- "key_id": "43f1ffd7-18fb-4568-9575-602e009b7ee8",
- "public_key":"public key base64 encoded data",
- "import_token":"import token base64 encoded data",
- "expiration_time":1501578672
-}
-
- - Save the wrapping key, and convert its format according to the following procedure. Only the key material that is encrypted using the converted wrapping key can be imported to the management console.
- Copy the content of the wrapping key public_key, save it to the .txt file as PublicKey.b64.
- Run the following command to convert the Base-64 coding of the PublicKey.b64 file to binary data, and save the converted file as PublicKey.bin:
openssl enc -d -base64 -A -in PublicKey.b64 -out PublicKey.bin
-
- - Save the import token, copy the content of the import_token token, paste it to a .txt file, and save the file as ImportToken.b64.
- - You use the downloaded wrappingKey file to encrypt the key material to be imported.
- Method 1: Use the downloaded wrapping key to encrypt the key material on your HSM. For details, see the operation guide of your HSM.
- Method 2: Use OpenSSL to encrypt a key material and use the downloaded wrapping key to encrypt the key material.
If you need to run the openssl pkeyutl command, the OpenSSL version must be 1.0.2 or later.
-
-Generate a key material (256-bit symmetric key) and save it as PlaintextKeyMaterial.bin. - If the AES256 symmetric key algorithm is used, run the following command on the client where the OpenSSL tool has been installed:
openssl rand -out PlaintextKeyMaterial.bin 32
- - Use the downloaded wrapping key to encrypt the key material and save the encrypted key material as EncryptedKeyMaterial.bin.
Replace PublicKey.bin in the command with the name of the wrapping key wrappingKey_key ID_download time downloaded in 5.
-
-Table 2 Encrypting the generated key material using the downloaded wrapping keyWrapping Key Algorithm
- |
-Key Materials Encryption
- |
-
|---|
-
-RSAES_OAEP_SHA_256
- |
-openssl pkeyutl
--in PlaintextKeyMaterial.bin
--inkey PublicKey.bin
--out EncryptedKeyMaterial.bin
--keyform der
--pubin -encrypt
--pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
- |
-
-RSAES_PKCS1_V1_5
- |
-openssl rsautl -encrypt
--in PlaintextKeyMaterial.bin
--pkcs
--inkey PublicKey.bin
--keyform der
--pubin
--out EncryptedKeyMaterial.bin
- |
-
-RSAES_OAEP_SHA_1
- |
-openssl pkeyutl
--in PlaintextKeyMaterial.bin
--inkey PublicKey.bin
--out EncryptedKeyMaterial.bin
--keyform der
--pubin -encrypt
--pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1
- |
-
-
-
-
-
- - Go to the Import Key Material page. Configure the parameters as described in Table 3.
Figure 3 Importing a Key Material
-
-Table 3 Parameters for importing key materialParameter
- |
-Description
- |
-
|---|
-
-Key ID
- |
-Random ID of a key generated during key creation
- |
-
-Key material
- |
-- Use the key material encrypted by the wrappingKey file downloaded in 5.
- |
-
-
-
- - Click Next to go to the Import Key Token step. Configure the parameters as described in Table 4.
Figure 4 Importing a key token
-
-Table 4 Parameters for importing a key tokenParameter
- |
-Description
- |
-
|---|
-
-Key ID
- |
-Random ID of a key generated during key creation
- |
-
-Key material expiration mode
- |
-
- |
-
-
-
- - Click OK.
Key material can be successfully imported when it matches the corresponding key ID and token.
-
-Your imported material is displayed in the list of custom keys. The default status of an imported key is Enabled.
-
-
- Deleting a Key
-ScenarioThis section describes how to use the management console to schedule the deletion of one or multiple unwanted custom keys.
- If deletion is scheduled for a key, the deletion will not take effect immediately. Instead, it will take effect after a waiting period of 7 to 1096 days. Before the specified deletion date, you can cancel the deletion if you want to use the key. Once the scheduled deletion has taken effect, the key will be deleted permanently and you will not be able to decrypt data encrypted by it. Therefore, you are advised to exercise caution when performing this operation.
- Before deleting the key, confirm that it is not in use and will not be used.
- - You can configure the SMN notification function to receive notifications when OBS fails to use the key to decrypt data before the deletion date. If you want to use the key again, cancel its deletion on the console. For SMN configuration instructions, see Configuring SMN.
- You can choose to go to the EVS page. In the search bar, select KMS key ID and enter the key ID to check whether the key is being used by EVS.
- You can choose Computing > Image Management Service to go to the IMS page. Select the Private Image tab. In the search bar, select KMS key ID and enter the key ID to check whether the key is being used by IMS.
- You can choose to go to the SFS page. In the search bar, select KMS key ID and enter the key ID to check whether the key is being used by SFS.
- You can choose Database > Relational Database Service to view the database instance list, and click the name of the target database instance. On the details page of the database instance, check whether the key to be deleted is in use.
- Default Master Keys created by KMS cannot be scheduled for deletion.
-
-
- Prerequisites- The key to be deleted is in Enabled, Disabled, or Pending Import status.
-
- Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- In the row containing the desired key, click Delete.
Figure 1 Scheduling the deletion for a single key
- - On the key deletion dialog box, enter the deletion delay time.
Figure 2 Scheduling a deletion time
- - Click Yes to schedule the deletion.
To delete multiple keys at a time, select them and click Delete in the upper left corner of the list.
-
-
-
- What Is Key Management Service?
-Key Management Service (KMS) is a secure, reliable, and easy-to-use service that helps users centrally manage and safeguard their Customer Master Keys (CMKs).
- This service uses hardware security modules (HSMs) to protect CMKs. HSMs help you create and control CMKs with ease. All CMKs are protected by root keys in HSMs to avoid leakage caused by human error. KMS implements access control and log-based tracking on all operations involving CMKs. Additionally, it provides CMK operation records, meeting your audit and regulatory compliance requirements.
- What Is a Customer Master Key?
-A Customer Master Key (CMK) is a Key Encryption Key (KEK) created by a user using KMS. It is used to encrypt and protect Data Encryption Keys (DEKs). One CMK can be used to encrypt one or multiple DEKs.
- CMKs are categorized into custom keys and default keys. - Custom keys
Keys created or imported by users on the KMS console.
- - Default keys
When a user uses KMS for encryption in a cloud service for the first time, the cloud service automatically creates a key whose name ends with /default.
-On the KMS console, you can query Default Master Keys, but can neither disable them nor schedule their deletion.
-
-Table 1 Default Master KeysKey Name
- |
-Cloud Service
- |
-
|---|
-
-obs/default
- |
-Object Storage Service (OBS)
- |
-
-evs/default
- |
-Elastic Volume Service (EVS)
- |
-
-ims/default
- |
-Image Management Service (IMS)
- |
-
-sfs/default
- |
-Scalable File Service (SFS)
- |
-
-
-
-
-
- Will a Key Be Charged After It Is Scheduled to Delete?
-No.
- The pending period of a key from its scheduling till its deletion is not charged.
- However, if you cancel the scheduled deletion, the charging resumes from the time when the key is scheduled to be deleted.
- Key Rotation Overview
-Purpose of Key RotationKeys that are widely or repeatedly used are insecure. To enhance the security of encryption keys, you are advised to periodically rotate keys and change their key materials.
- The purposes of key rotation are:
- - To reduce the amount of data encrypted by each key.
A key will be insecure if it is used to encrypt a huge number of data. The amount of data encrypted a key refers to the total number of bytes or messages encrypted using the key.
- - To enhance the capability of responding to security events.
In your initial system security design, you shall design the key rotation function and use it for routine O&M, so that it will be at hand when an emergency occurs.
- - To enhance the data isolation capability.
The ciphertext data generated before and after key rotation will be isolated. You can identify the impact scope of a security event based on the key involved and take actions accordingly.
-
-
- Key Rotation MethodsYou can use either of the following key rotation methods:
- - Manual key rotation
Method 1: Create a key B to replace the currently used key A.
-Method 2: Modify the key A and use it.
-Example:
-Take OBS as an example. To manually rotate a key, create a custom key on the KMS console. Replace the old custom key with the new one on the OBS console.
-Figure 1 Manual key rotation
- - Automatic key rotation
KMS automatically rotates keys based on the configured rotation period (365 days by default). The system automatically generates a new key to replace the key in use. Automatic key rotation only changes the key material of a CMK. The logical attributes of the key will not change, including its key ID, alias, description, and permissions.
-Automatic key rotation has the following characteristics:
-- Enable rotation for an existing custom key. KMS will automatically generate new key materials for the custom key.
- Data is not re-encrypted in an automatic key rotation. The DEK generated using the CMK is not automatically rotated, and data that has been encrypted using the CMK will not be encrypted again. If a DEK has been leaked, automatic rotation cannot contain the impact of the leakage.
-Figure 2 Key rotation
-
- KMS retains all versions of a custom key, so that you can decrypt any ciphertext encrypted using the custom key. - KMS uses the latest version of the custom key to encrypt data.
- When decrypting data, KMS uses the custom key version that was used to encrypt the data.
-
-
-
- Rotation Modes
- Table 1 Key rotation modesKey Type
- |
-Rotation Mode
- |
-
|---|
-
-Default master key
- |
-Cannot be rotated.
- |
-
-User-defined key (imported CMK)
- |
-Can only be manually rotated.
-For more information about user-defined keys, see Custom Key Overview.
- |
-
-Symmetric key
- |
-Can be automatically or manually rotated.
- |
-
-Asymmetric key
- |
-Can only be manually rotated.
- |
-
-Disabled CMK
- |
-Disabled CMKs are not rotated. KMS keeps their rotation status unchanged. After a master key is enabled, if it has been used for longer than the rotation period, KMS will immediately rotate keys. If the CMK has been used for shorter than the rotation period, KMS will implement the original rotation plan.
-For more information, see Disabling a Key.
- |
-
-CMK in pending deletion state
- |
-Disabled CMKs are not rotated. KMS keeps their rotation status unchanged. After a CMK is enabled, if it has been used for longer than the rotation period, KMS will immediately rotate keys. If the CMK has been used for shorter than the rotation period, KMS will implement the original rotation plan.
-For more information, see Scheduling the Deletion of One or More Keys.
- |
-
-
-
-
- You can check the rotation details on the Rotation Policy page, including the last rotation time and number of rotations.
-
-
- Disabling Key Rotation
-ScenarioThis section describes how to disable rotation for a key on the KMS console.
-
- Prerequisites- The key is in Enabled status.
- The Origin of the key is KMS.
- Key rotation has been enabled.
-
- Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the name of the target custom key to view its details.
- Click
 to disable key rotation. - In the displayed Disable Rotation Policy dialog box, click Yes.
Figure 1 Disabling Key Rotation
- - Check the rotation status, as shown in Figure 2.
Figure 2 Key rotation
-
-
- Querying a Key
-ScenarioThis section describes how to use the management console to view the information about a custom key, such as its name, status, ID, and creation time. The status of a key can be Enabled, Disabled, Pending deletion, or Pending import.
-
- Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- View key details in the key list.
Figure 1 Key list
- - Enter the key name in the search box above the key list. Press Enter.
- You can click
 at the upper right corner on top of the key list to show or hide columns of the list.
-
-Table 1 describes the parameters of a key list.
-
-Table 1 Key list parametersParameter
- |
-Description
- |
-
|---|
-
-Name/ID
- |
-Name of a key and the random ID of a key generated during its creation
- |
-
-Status
- |
-Status of a key, which can be one of the following:
-- Enabled
The key is enabled.
- - Disabled
The key is disabled.
- - Pending deletion
The key is scheduled for deletion.
- - Pending import
If a key does not have any key material, its status is Pending import.
-
- |
-
-Creation Time
- |
-Creation time of the key
- |
-
-Key Algorithm and Usage
- |
-Key algorithm selected during key creation and its usage
- |
-
-Expiration Time
- |
-Expiration time of the key material. When the material expires, the custom key becomes an empty key.
- |
-
-Origin
- |
-Source of key material, which can be one of the following:
-
- |
-
-Operation
- |
-Operations you can perform on the CMK, such as disable, delete, import key material, or cancel deletion. You can also assign keys to projects.
- |
-
-
-
- - Click the key name to view its details.
Figure 2 Viewing key details
- To change the alias or description of the CMK, click  next to Name or Description.
- - The name and description of the default key cannot be modified. The name of the default key ends with /default.
- The name and description of a key cannot be changed if the key is in Pending deletion status.
-
-
-
- Advantages
-Extensive Service Integration- By integrating with OBS, EVS, and IMS, you can use KMS to manage the keys of the services or use KMS APIs to encrypt and decrypt local data.
- By integrating with Cloud Trace Service (CTS), you can use CTS to view recent KMS operation records.
-
- Regulatory ComplianceKeys are generated by third-party validated HSMs. Access to keys is controlled and key operations involving keys are traceable by logs, compliant with international laws and regulations.
-
- Easy to UseYou can use and manage keys easily using the console or APIs, needless to purchase hardware encryption devices.
-
- What Are the Differences Between a Custom Key and a Default Key?
-The following table describes the differences between a custom key and a default key.
-
- Table 1 Differences between a custom key and a default keyItem
- |
-Definition
- |
-Difference
- |
-
|---|
-
-Custom key
- |
-A Key Encryption Key (KEK) created using KMS. The key is used to encrypt and protect DEKs.
-A custom key can be used to encrypt multiple DEKs.
- |
-- It can be disabled and scheduled for deletion.
- It is billed per use after the being created or imported.
- |
-
-Default key
- |
-Automatically generated by the system when you use KMS to encrypt data in another cloud service for the first time. The suffix of the key is /default.
-Example: evs/default
- |
-- It cannot be disabled or scheduled for deletion.
- |
-
-
-
-
- Can I Export a CMK from KMS?
-No.
- To ensure CMK security, users can only create and use CMKs in KMS.
- What Are the Benefits of Envelope Encryption?
-Envelope encryption is the practice of encrypting data with a DEK and then encrypting the DEK with a root key that you can fully manage. In this case, CMKs are not required for encryption or decryption.
- Benefits:
- - Advantages over CMK encryption in KMS
Users can use CMKs to encrypt and decrypt data on the KMS console or by calling KMS APIs.
-A CMK can encrypt and decrypt data no more than 4 KB. An envelope can encrypt and decrypt larger volumes of data.
-Data encrypted using envelopes does not need to be transferred. Only the DEKs need to be transferred to the KMS server.
- - Advantages over encryption by using cloud services
- Security
Data transferred to the cloud for encryption is exposed to risks such as interception and phishing.
-During envelope encryption, KMS uses Hardware Security Modules (HSMs) to protect keys. All CMKs are protected by root keys in HSMs to avoid key leakage.
- - Trustworthiness
You will worry about data security on the cloud. It is also difficult for cloud services to prove that they never misuse or disclose such data.
-If you choose envelope encryption, KMS will control access to keys and record all usages of and operations on keys with traceable logs, meeting your audit and regulatory compliance requirements.
- - Performance and cost
To encrypt or decrypt data using a cloud service, you have to send the data to the encryption server and receive the processed data. This process seriously affects your service performance and incurs high costs.
-Envelope encryption allows you to generate DEKs online by calling KMS cryptographic algorithm APIs, and to encrypt a large amount of local data with the DEKs.
-
-
- How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data?
-You can use the online tool to encrypt or decrypt data in the following procedures:
- Encrypting Data- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the name of the target custom key to access the key details page. Click the Tool tab.
- Click Encrypt. In the text box on the left, enter the data to be encrypted.
Figure 1 Encrypting data
-
- - Click Execute. The data encryption result is displayed in the text box on the right.
- The key you clicked is used for encryption.
- To clear your input, click Clear.
- To copy the encrypted data, click Copy to Clipboard. You can then paste and save it to a local file.
-
-
-
- Decrypting Data- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the alias of an enabled key (excepting Default Master Keys) to access its details page.
- Click the Tool tab.
- Click Decrypt. In the text box on the left, enter the data to be decrypted.
- The online tool automatically identifies the key used for data encryption, and uses it to decrypt data.
- If the key has been deleted, the decryption will fail.
-
-Figure 2 Decrypting data
-
- - Click Execute. The data decryption result is displayed in plaintext in the text box on the right.
To copy the decrypted data, click Copy to Clipboard. You can then paste and save it to a local file.
-
-
-
- Service Overview
-
-
-
diff --git a/docs/kms/umn/kms_01_0114.html b/docs/kms/umn/kms_01_0114.html
deleted file mode 100644
index 6a2206351..000000000
--- a/docs/kms/umn/kms_01_0114.html
+++ /dev/null
@@ -1,12 +0,0 @@
-
-
-Can I Update CMKs Created by KMS-Generated Key Materials?
-No.
- Keys created using KMS-generated materials cannot be updated. You can only use KMS to create new CMKs to encrypt and decrypt data.
- Rotating Keys
-
-
-
diff --git a/docs/kms/umn/kms_01_0139.html b/docs/kms/umn/kms_01_0139.html
deleted file mode 100644
index 192ab0e90..000000000
--- a/docs/kms/umn/kms_01_0139.html
+++ /dev/null
@@ -1,33 +0,0 @@
-
-
-Enabling Key Rotation
-ScenarioThis section describes how to enable rotation for a key on the KMS console.
- By default, automatic key rotation is disabled for a CMK. Every time you enable key rotation, KMS automatically rotates CMKs based on the rotation period you set.
-
- Prerequisites- The key is enabled.
- The Origin of the key is KMS.
-
- Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click the name of the target custom key to view its details.
- Click Rotation Policy. The dialog box is displayed, as shown in Figure 1.
Figure 1 Key rotation
- - Click
 to enable key rotation. - In the Enable Rotation Policy dialog box, set the rotation period and click OK.
Figure 2 Setting the rotation period
-Set the rotation period (unit: day) to an integer in the range 30 to 365. The default value is 365.
-After the setting takes effect, the new rotation period starts.
-Configure the period based on how often a custom key is used. If it is frequently used, configure a short period; otherwise, set a long one.
- - After rotation is enabled, the rotation details will be displayed, as shown in Figure 3.
Figure 3 Key rotation details
-After rotation is enabled, the key will be rotated based on your set period.
- - A disabled custom key is never rotated, even if rotation is enabled for it.
- KMS resumes rotation when this custom key is enabled. If you enable this custom key after one rotation period has passed, KMS will rotate it within 24 hours.
- You can click
 to change the rotation period. After the period is changed, KMS rotates the key by the new period.
-
-
-
- How Does KMS Protect My Keys?
-The mechanism of KMS prevents anyone from accessing your keys in plaintext. KMS relies on hardware security modules (HSMs) that safeguard the confidentiality and integrity of your keys. Plaintext KMS keys are always encrypted by HSMs and are never stored on any disk. These keys are only utilized within the volatile memory of the HSMs for as long as necessary to perform the cryptographic operation you have requested.
- Creating a Key
-ScenarioThis section describes how to create a custom key on the KMS management console. You can create up to 100 custom keys, excluding default keys.
- CMKs can be used for: - Server-side encryption on OBS
- Encryption of data on EVS disks
- Encryption of private images on IMS
- File system encryption on SFS
- Disk encryption for database instances in RDS
- DEK encryption and decryption for user applications
-
-
- Constraints- You can create up to 100 custom keys, excluding default keys.
- Names of default keys end with /default. When configuring names for your custom keys, the value cannot end with /default.
-
- Procedure- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click Create Key in the upper right corner. In the displayed dialog box, enter the alias, names, tags, and description of the key.
Figure 1 Creating a Key
-- Name: Name of the key to be created
- Key Algorithm: Key algorithm supported by KMS. See the following table for details.
-
Table 1 Key algorithms supported by KMSKey Type
- |
-Algorithm Type
- |
-Key Specifications
- |
-Description
- |
-Application Scenario
- |
-
|---|
-
-Symmetric key
- |
-AES
- |
-AES_256
- |
-AES symmetric key
- |
-- Data encryption and decryption
- DEKs encryption and decryption
NOTE: You can encrypt and decrypt a small amount of data using the the online tool on the console.
- You need to call APIs to encrypt and decrypt a large amount of data.
-
-
- |
-
-Digest key
- |
-SHA
- |
-
- |
-Digest key
- |
-- Data tampering prevention
- Data integrity verification
- |
-
-Asymmetric key
- |
-RSA
- |
-
- |
-RSA asymmetric password
- |
-- Digital signature and signature verification
- Data encryption and decryption
NOTE: Asymmetric keys are applicable to signature and signature verification scenarios. Asymmetric keys are not efficient enough for data encryption. Symmetric keys are suitable for encrypting and decrypting data.
-
-
- |
-
-ECC
- |
-
- |
-Elliptic curve recommended by NIST
- |
-Digital signature and signature verification
- |
-
-
-
- - Usage: Select SIGN_VERIFY, GENERATE_VERIFY_MAC, or ENCRYPT_DECRYPT.
- For an AES_256 symmetric key, the default value is ENCRYPT_DECRYPT.
- For an HMAC symmetric key, the default value is GENERATE_VERIFY_MAC.
- For RSA asymmetric keys, select ENCRYPT_DECRYPT or SIGN_VERIFY. The default value is SIGN_VERIFY.
- For an ECC asymmetric key, the default value is SIGN_VERIFY.
- The key usage can only be configured during key creation and cannot be modified afterwards.
-
- - (Optional) Description is the description of the custom key.
- (Optional) Tags: Add tags to the custom key as needed, and enter the tag key and tag value.
- If a custom key has been created without any tag, you can add a tag to the custom key later as necessary. Click the name of the custom key. The page with key details is displayed. Then you can add tags to the custom key.
- The same tag (including tag key and tag value) can be used for different custom keys. However, under the same custom key, one tag key can have only one tag value.
- A maximum of 20 tags can be added for one custom key.
- If you want to delete a tag to be added when adding multiple tags, you can click Delete in the row where the tag to be added is located to delete the tag.
-
-
- - Click OK.
In the custom key list, you can view created custom keys. The default status of a custom key is Enabled.
-
-
- Related Operations- For details about how to upload objects with server-side encryption, see section Uploading a File with Server-Side Encryption in the Object Storage Service User Guide.
- For details about how to encrypt data on EVS disks, see section Creating an EVS Disk in the Elastic Volume Service User Guide.
- For details about how to encrypt private images, see section Encrypting an Image in the Image Management Service User Guide.
- For details about how to encrypt the file system on SFS, see section Creating a File System in the Scalable File Service User Guide.
- For details about how to encrypt disks for a database instance in RDS, see section Creating an RDS MySQL DB Instance in the Relational Database Service User Guide.
- For details about how to create a DEK and a plaintext-free DEK, see sections "Creating a DEK" and "Creating a Plaintext-Free DEK" in .
- For details about how to encrypt and decrypt a DEK for a user application, see sections "Encrypting a DEK" and "Decrypting a DEK" in .
-
- Is There a Limit on the Number of Custom Keys That I Can Create on KMS?
-There is a limit on the number of custom keys that can be created on KMS.
- You can create a maximum of 100 custom keys, including those in enabled, disabled, and pending deletion states. Default keys are not included.
- Creating a Custom KMS Policy
-Custom policies can be created as a supplement to the system policies of KMSfilter. For details about the actions supported by custom policies, see "Permissions Policies and Supported Actions" in Key Management Service API Reference.
- You can create custom policies in either of the following ways:
- - Visual editor: You can select policy configurations without the need to know policy syntax.
- JSON: Edit JSON policies from scratch or based on an existing policy. This section describes typical KMS custom policies.
- Example Custom Policies of KMS- Example: authorizing users to create and import keys
{
- "Version": "1.1",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "kms:cmk:create",
- "kms:cmk:getMaterial",
- "kms:cmkTag:create",
- "kms:cmkTag:batch",
- "kms:cmk:importMaterial"
- ]
- }
- ]
-}
-
-
- - Example: authorizing users to use keys
{
- "Version": "1.1",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "kms:dek:crypto",
- "kms:cmk:get",
- "kms:cmk:crypto",
- "kms:cmk:generate",
- "kms:cmk:list"
- ]
- }
- ]
-}
- - Example: multi-action policy
A custom policy can contain actions of multiple services that are all of the global or project-level type. The following is a policy with multiple statements:
-{
- "Version": "1.1",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "rds:task:list"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
- "kms:dek:crypto",
- "kms:cmk:get",
- "kms:cmk:crypto",
- "kms:cmk:generate",
- "kms:cmk:list"
- ]
- }
- ]
-}
-
- Creating a User and Authorizing the User the Permission to Access KMS
-This section describes IAM's fine-grained permissions management for your KMS resources. With IAM, you can:
- - Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has its own security credentials to access KMS resources.
- Grant users only the permissions required to perform a task.
- Entrust an account or cloud service to perform efficient O&M on your KMS resources.
- If your account does not need individual IAM users, skip this chapter.
- This section describes the procedure for granting permissions (see Figure 1).
- PrerequisitesBefore granting permissions to a user group, you need to understand the available KMS permissions, and grant permissions based on the real-life scenario. The following tables describe the permissions supported in KMS.
-
- Table 1 KMS permissionsRole/Policy
- |
-Description
- |
-Type
- |
-
|---|
-
-KMS Administrator
- |
-Administrator permissions for the encryption key
- |
-Role
- |
-
-KMS CMKFullAccess
- |
-All permissions for the encryption keys
- |
-Policy
- |
-
-KMS CMK Admin
- |
-All permissions for the encryption keys
- |
-Policy
- |
-
-KMS CMKReadOnlyAccess
- |
-Read-only permission for encryption keys
- |
-Policy
- |
-
-
-
-
-
- Authorization ProcessFigure 1 Authorizing the KMS access permission to a user
- Create a user group on the IAM console and grant the user group the KMS CMKFullAccess permission (indicating full permissions for keys).
-Create a user on the IAM console and add the user to the user group created in 1.
-- .
Log in to the console as newly created user, and verify that the user only has the assigned permissions.
-
-
- Tenant Guest RolesIf you have configured Tenant Guest permissions for the IAM account, apart from the read-only permissions for all cloud services except Identity and Access Management (IAM), you also have the following KMS permissions:
- - kms:cmk:create: Create a key.
- kms:cmk:createDataKey: Create a DEK.
- kms:cmk:createDataKeyWithoutPlaintext: Create a plaintext-free DEK.
- kms:cmk:encryptDataKey: Encrypt the DEK.
- kms:cmk:decryptDataKey: Decrypt a DEK.
- kms:cmk:retireGrant: Retire a grant.
- kms:cmk:decryptData: Decrypt data.
- kms:cmk:encryptData: Encrypt data.
- kms::generateRandom: Generate a random number.
- If you want to configure the Tenant Guest role for an IAM user but do not want to have the preceding permissions, you need to configure a custom deny policy for the IAM user. For details about how to configure a custom policy, see Creating a Custom KMS Policy.
-
- Permissions Management
-
-
-
diff --git a/docs/kms/umn/kms_01_9999.html b/docs/kms/umn/kms_01_9999.html
deleted file mode 100644
index 4a7881c6b..000000000
--- a/docs/kms/umn/kms_01_9999.html
+++ /dev/null
@@ -1,325 +0,0 @@
-
-
-KMS Permission Management
-If you want to assign different access permissions to employees in an enterprise for the KMS resources purchased on the cloud platform, you can use Identity and Access Management (IAM) to perform refined permission management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your resources.
- With IAM, you can use your account to create IAM users for your employees, and grant permissions to control their access to specific resource types. For example, some software developers in your enterprise need to use KMS resources but must not delete them or perform any high-risk operations. To achieve this result, you can create IAM users for the software developers and grant them only the permissions required for using KMS resources.
- If the system account has met your requirements and you do not need to create an independent IAM user for permission control, then you can skip this section. This will not affect other functions of KMS.
-
- KMS PermissionsBy default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from their groups and can perform specified operations on cloud services based on the permissions.
- KMS is a project-level service deployed and accessed in specific physical regions. To assign permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. Users need to switch to the authorized region when accessing KMS.
- You can grant users permissions by using roles and policies.
- - Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you must also assign other roles that the permissions depend on to take effect. However, roles are not an ideal choice for fine-grained authorization and secure access control.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, you can grant KMS users only the permissions for managing a certain type of cloud servers. Most policies contain permissions for specific APIs, and permissions are defined using API actions.
- For details, see Table 1.
-
- Table 1 KMS permissionsRole/Policy
- |
-Description
- |
-Type
- |
-
|---|
-
-KMS Administrator
- |
-Administrator permissions for the encryption key
- |
-Role
- |
-
-KMS CMKFullAccess
- |
-All permissions for the encryption keys
- |
-Policy
- |
-
-KMS CMK Admin
- |
-All permissions for the encryption keys
- |
-Policy
- |
-
-KMS CMKReadOnlyAccess
- |
-Read-only permission for encryption keys
- |
-Policy
- |
-
-
-
-
- Table 2 lists the common operations supported by each system-defined permission of KMS. Select the permissions as needed.
-
- Table 2 Common operations supported by each system-defined policy or roleOperation
- |
-KMS Administrator
- |
-KMS CMKFullAccess
- |
-
|---|
-
-Create a key
- |
-√
- |
-√
- |
-
-Enable a key
- |
-√
- |
-√
- |
-
-Disable a key
- |
-√
- |
-√
- |
-
-Schedule key deletion
- |
-√
- |
-√
- |
-
-Cancel scheduled key deletion
- |
-√
- |
-√
- |
-
-Modify a key alias
- |
-√
- |
-√
- |
-
-Modify key description
- |
-√
- |
-√
- |
-
-Generate a random number
- |
-√
- |
-√
- |
-
-Create a DEK
- |
-√
- |
-√
- |
-
-Create a plaintext-free DEK
- |
-√
- |
-√
- |
-
-Encrypt a DEK
- |
-√
- |
-√
- |
-
-Decrypt a DEK
- |
-√
- |
-√
- |
-
-Obtain parameters for importing a key
- |
-√
- |
-√
- |
-
-Import key materials
- |
-√
- |
-√
- |
-
-Delete key materials
- |
-√
- |
-√
- |
-
-Create a grant
- |
-√
- |
-√
- |
-
-Revoke a grant
- |
-√
- |
-√
- |
-
-Retire a grant
- |
-√
- |
-√
- |
-
-Query the grant list
- |
-√
- |
-√
- |
-
-Query retirable grants
- |
-√
- |
-√
- |
-
-Encrypt data
- |
-√
- |
-√
- |
-
-Decrypt data
- |
-√
- |
-√
- |
-
-Enable key rotation
- |
-√
- |
-√
- |
-
-Modify key rotation interval
- |
-√
- |
-√
- |
-
-Disable key rotation
- |
-√
- |
-√
- |
-
-Query key rotation status
- |
-√
- |
-√
- |
-
-Query CMK instances
- |
-√
- |
-√
- |
-
-Query key tags
- |
-√
- |
-√
- |
-
-Query project tags
- |
-√
- |
-√
- |
-
-Batch add or delete key tags
- |
-√
- |
-√
- |
-
-Add tags to a key
- |
-√
- |
-√
- |
-
-Delete key tags
- |
-√
- |
-√
- |
-
-Query the key list
- |
-√
- |
-√
- |
-
-Query key details
- |
-√
- |
-√
- |
-
-Query instance quantity
- |
-√
- |
-√
- |
-
-Query quotas
- |
-√
- |
-√
- |
-
-
-
-
-
- |
|---|
|
|---|
