KMS UMN 20251111 version

Reviewed-by: Rogal, Marcel <mrogal@noreply.gitea.eco.tsi-dev.otc-service.com>
Co-authored-by: qinweiwei <qinweiwei@huawei.com>
Co-committed-by: qinweiwei <qinweiwei@huawei.com>
2026-01-19 09:05:54 +00:00
committed by zuul
parent 04ae6632a7
commit 3e4721c813
238 changed files with 4477 additions and 3698 deletions

File diff suppressed because it is too large Load Diff

@ -0,0 +1,26 @@
<a name="dew_01_0006"></a><a name="dew_01_0006"></a>
<h1 class="topictitle1">Application Scenarios</h1>
<div id="body1556591517287"><div class="section" id="dew_01_0006__section1467212190348"><h4 class="sectiontitle">Small Data Encryption and Decryption</h4><p id="dew_01_0006__p6668104818103">You can use the online tool on the KMS console or call KMS APIs to directly encrypt or decrypt a small amount of data, such as passwords, certificates, or phone numbers. Currently, a maximum of 4 KB of data can be encrypted or decrypted in this way.</p>
<p id="dew_01_0006__p126681748131013"><a href="#dew_01_0006__fig392517461568">Figure 1</a> shows an example about how to call the APIs to encrypt and decrypt an HTTPS certificate.</p>
<div class="fignone" id="dew_01_0006__fig392517461568"><a name="dew_01_0006__fig392517461568"></a><a name="fig392517461568"></a><span class="figcap"><b>Figure 1 </b>Encrypting and decrypting an HTTPS certificate</span><br><span><img id="dew_01_0006__image5926154614620" src="en-us_image_0232856156.png"></span></div>
<div class="p" id="dew_01_0006__p13651172210545">The procedure is as follows:<ol id="dew_01_0006__ol13350843171120"><li id="dew_01_0006__li466854815108">Create a CMK on KMS.</li><li id="dew_01_0006__li96687482103">Call the <span class="parmvalue" id="dew_01_0006__parmvalue8668154817107"><b>encrypt-data</b></span> API of KMS and use the CMK to encrypt the plaintext certificate.</li><li id="dew_01_0006__li186684482106">Deploy the certificate onto a server.</li><li id="dew_01_0006__li10355843131113">The server calls the <span class="parmvalue" id="dew_01_0006__parmvalue1435617431119"><b>decrypt-data</b></span> API of KMS to decrypt the ciphertext certificate.</li></ol>
</div>
</div>
<div class="section" id="dew_01_0006__section179202519344"><h4 class="sectiontitle">Large Data Encryption and Decryption</h4><p id="dew_01_0006__p8143185161117">If you want to encrypt or decrypt large volumes of data, such as pictures, videos, and database files, you can use the envelope encryption method, where the data does not need to be transferred over the network.</p>
<ul id="dew_01_0006__ul1143183433611"><li id="dew_01_0006__li1543123412361"><a href="#dew_01_0006__fig1265115271176">Figure 2</a> illustrates the process for encrypting a local file.<div class="fignone" id="dew_01_0006__fig1265115271176"><a name="dew_01_0006__fig1265115271176"></a><a name="fig1265115271176"></a><span class="figcap"><b>Figure 2 </b>Encrypting a local file</span><br><span><img id="dew_01_0006__image3652527476" src="en-us_image_0232858228.png"></span></div>
<div class="p" id="dew_01_0006__p1733533725610">The procedure is as follows:<ol id="dew_01_0006__ol183351137175613"><li id="dew_01_0006__li1914417517112">Create a CMK on KMS.</li><li id="dew_01_0006__li19144251151115">Call the <span class="parmvalue" id="dew_01_0006__parmvalue19444152575212"><b>create-datakey</b></span> API of KMS to create a DEK. Then you get a plaintext DEK and a ciphertext DEK. The ciphertext DEK is generated when you use a CMK to encrypt the plaintext DEK.</li><li id="dew_01_0006__li1614465171118">Use the plaintext DEK to encrypt the file. A ciphertext file is generated.</li><li id="dew_01_0006__li17337203795613">Save the ciphertext DEK and the ciphertext file together in a persistent storage device or a storage service.</li></ol>
</div>
</li><li id="dew_01_0006__li35556366373"><a href="#dew_01_0006__fig133981165810">Figure 3</a> illustrates the process for decrypting a local file.<div class="fignone" id="dew_01_0006__fig133981165810"><a name="dew_01_0006__fig133981165810"></a><a name="fig133981165810"></a><span class="figcap"><b>Figure 3 </b>Decrypting a local file</span><br><span><img id="dew_01_0006__image173981416786" src="en-us_image_0232858842.png"></span></div>
<div class="p" id="dew_01_0006__p466631785715">The procedure is as follows:<ol id="dew_01_0006__ol17666171735711"><li id="dew_01_0006__li1145951121111">Obtain the ciphertext DEK and file from the persistent storage device or the storage service.</li><li id="dew_01_0006__li17145205111112">Call the <span class="parmvalue" id="dew_01_0006__parmvalue1051755216529"><b>decrypt-datakey</b></span> API of KMS and use the corresponding CMK (the one used for encrypting the DEK) to decrypt the ciphertext DEK. Then you get the plaintext DEK.<p id="dew_01_0006__p1145115112118">If the CMK is deleted, the decryption fails. Therefore, properly keep your CMKs.</p>
</li><li id="dew_01_0006__li3669191785714">Use the plaintext DEK to decrypt the ciphertext file.</li></ol>
</div>
</li></ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0121.html">KMS</a></div>
</div>
</div>
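
Review bot: The "Encrypting a local file" procedure (the list under Figure 2) ends with storing the ciphertext DEK and the ciphertext file, but no step tells the reader what to do with the plaintext DEK once step 3 is finished. Add a step or sentence stating that the plaintext DEK is removed from memory after use and is never written to storage, since keeping it next to the ciphertext DEK defeats the envelope scheme. In the small-data procedure, step 3 "Deploy the certificate onto a server" should say that it is the ciphertext certificate being deployed, because step 4 decrypts it on that server. The sentence "Therefore, properly keep your CMKs." under the decrypt-datakey step would be clearer if it named the concrete action, for example not deleting a CMK while ciphertext DEKs encrypted under it are still in use.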

@ -1,21 +1,14 @@
<a name="dew_01_0007"></a><a name="dew_01_0007"></a>
<h1 class="topictitle1">Encrypting Data in OBS</h1>
<div id="body8662426"><ul id="dew_01_0007__en-us_topic_0112947554_ul12677105311212"><li id="dew_01_0007__en-us_topic_0112947554_li5146105118114">When using Object Storage Service (OBS) to upload data with server-side encryption, you can select <span class="parmname" id="dew_01_0007__en-us_topic_0112947554_parmname147834433345"><b>SEE-KMS encryption</b></span> and use the key provided by KMS to encrypt the files to be uploaded. For details, see <a href="#dew_01_0007__en-us_topic_0112947554_fig1096125520374">Figure 1</a>. For details, see <i><cite id="dew_01_0007__en-us_topic_0112947554_cite16391161013811">Object Storage Service Console Operation Guide</cite></i>.<div class="fignone" id="dew_01_0007__en-us_topic_0112947554_fig1096125520374"><a name="dew_01_0007__en-us_topic_0112947554_fig1096125520374"></a><a name="en-us_topic_0112947554_fig1096125520374"></a><span class="figcap"><b>Figure 1 </b>Encrypting Data in OBS</span><br><span><img id="dew_01_0007__en-us_topic_0112947554_image9429037162115" src="en-us_image_0000002207465277.png" title="Click to enlarge" class="imgResize"></span></div>
<p id="dew_01_0007__en-us_topic_0112947554_p86061313182911">There are two types of CMKs that can be used:</p>
<ul id="dew_01_0007__en-us_topic_0112947554_ul1160681317292"><li id="dew_01_0007__en-us_topic_0112947554_li15606101342920">The default key <strong id="dew_01_0007__en-us_topic_0112947554_b842352706151922_1">obs/default</strong> created by KMS</li><li id="dew_01_0007__en-us_topic_0112947554_li136061613112914">Custom keys that you created on the KMS console</li></ul>
</li><li id="dew_01_0007__en-us_topic_0112947554_li5684145313124">Alternatively, you can call OBS APIs to upload a file with server-side encryption using KMS-managed keys (SSE-KMS). For details, see .</li></ul>
<div id="body8662426"><ul id="dew_01_0007__en-us_topic_0000002247328838_ul12677105311212"><li id="dew_01_0007__en-us_topic_0000002247328838_li5146105118114">When using OBS to upload data with server-side encryption, you can select <span class="parmname" id="dew_01_0007__en-us_topic_0000002247328838_parmname147834433345"><b>SEE-KMS encryption</b></span> and use the key provided by KMS to encrypt the files to be uploaded, as shown in <a href="#dew_01_0007__en-us_topic_0000002247328838_fig1096125520374">Figure 1</a>. For details, see <i><cite id="dew_01_0007__cite172631928152510">Object Storage Service Console Operation Guide</cite></i>.<div class="fignone" id="dew_01_0007__en-us_topic_0000002247328838_fig1096125520374"><a name="dew_01_0007__en-us_topic_0000002247328838_fig1096125520374"></a><a name="en-us_topic_0000002247328838_fig1096125520374"></a><span class="figcap"><b>Figure 1 </b>Encrypting data in OBS</span><br><span><img id="dew_01_0007__en-us_topic_0000002247328838_image9429037162115" src="en-us_image_0000002248488504.png"></span></div>
<p id="dew_01_0007__en-us_topic_0000002247328838_p86061313182911">There are two types of CMKs that can be used:</p>
<ul id="dew_01_0007__en-us_topic_0000002247328838_ul1160681317292"><li id="dew_01_0007__en-us_topic_0000002247328838_li15606101342920">The default key <strong id="dew_01_0007__en-us_topic_0000002247328838_b842352706151922_1">obs/default</strong> created by KMS</li><li id="dew_01_0007__en-us_topic_0000002247328838_li136061613112914">Custom keys that you created on the KMS console</li></ul>
</li><li id="dew_01_0007__en-us_topic_0000002247328838_li5684145313124">Alternatively, you can call OBS APIs to upload a file with server-side encryption using KMS-managed keys (SSE-KMS). For details, see <i><cite id="dew_01_0007__cite4436532202518">Object Storage Service API Reference</cite></i>.</li></ul>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0106.html">Cloud Services with KMS Integrated</a></div>
<div class="parentlink"><strong>Parent topic:</strong> <a href="en-us_topic_0000002248485012.html">Cloud Services with KMS Integrated</a></div>
</div>
</div>
<script language="JavaScript">
<!--
image_size('.imgResize');
var msg_imageMax = "view original image";
var msg_imageClose = "close";
//--></script>
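
Review bot: The rewritten first bullet still labels the console option "SEE-KMS encryption", while the second bullet of the same list spells the mode "SSE-KMS". One of the two is a typo; if the console label is SSE-KMS, correct the parmname text in this pass rather than carrying it over. The Parent topic link also changes from dew_01_0106.html to en-us_topic_0000002248485012.html, whereas the topics added in this commit link to dew_01_0121.html style file names, so confirm that the new target exists in the published output.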

@ -1,23 +1,16 @@
<a name="dew_01_0008"></a><a name="dew_01_0008"></a>
<h1 class="topictitle1">Encrypting Data in EVS</h1>
<div id="body8662426"><ul id="dew_01_0008__en-us_topic_0112947603_ul292114191134"><li id="dew_01_0008__en-us_topic_0112947603_li014885111115">When purchasing a disk, you can choose <strong id="dew_01_0008__en-us_topic_0112947603_b34906822211">Advanced Settings</strong> &gt; <strong id="dew_01_0008__en-us_topic_0112947603_b1949110842211">Encryption</strong> to encrypt the disk using the key provided by KMS. For details, see <a href="#dew_01_0008__en-us_topic_0112947603_fig1372118163416">Figure 1</a>. For more information about EVS, see the <i><cite id="dew_01_0008__en-us_topic_0112947603_cite1614894043314">Elastic Volume Service User Guide</cite></i>.<div class="note" id="dew_01_0008__en-us_topic_0112947603_note11471051201111"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="dew_01_0008__en-us_topic_0112947603_p1514735111113">Before you use the encryption function, EVS must be granted the permission to access KMS. If you have the right to grant the permission, you can grant the permission directly. If you do not have the permission, contact a user with the security administrator permissions to add the security administrator permission for you. Then, you can grant the permission. For more information about EVS, see the <i><cite id="dew_01_0008__en-us_topic_0112947603_cite1079810500332">Elastic Volume Service User Guide</cite></i>.</p>
<div id="body8662426"><ul id="dew_01_0008__en-us_topic_0000002247169038_ul292114191134"><li id="dew_01_0008__en-us_topic_0000002247169038_li014885111115">When purchasing a disk, you can choose <strong id="dew_01_0008__en-us_topic_0000002247169038_b34906822211">Advanced Settings</strong> &gt; <strong id="dew_01_0008__en-us_topic_0000002247169038_b1949110842211">Encryption</strong> to encrypt the disk using the key provided by KMS. For details, see <a href="#dew_01_0008__en-us_topic_0000002247169038_fig1372118163416">Figure 1</a>. For more information about EVS, see <i><cite id="dew_01_0008__en-us_topic_0000002247169038_cite8146115161119">Elastic Volume Service User Guide</cite></i>.<div class="note" id="dew_01_0008__en-us_topic_0000002247169038_note11471051201111"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="dew_01_0008__en-us_topic_0000002247169038_p1514735111113">Before you use the encryption function, EVS must be granted the permission to access KMS. If you have the right to grant the permission, you can grant the permission directly. If you do not have the permission, contact a user with the security administrator permissions to add the security administrator permission for you. Then, you can grant the permission. For more information about EVS, see <i><cite id="dew_01_0008__en-us_topic_0000002247169038_cite59931115216">Elastic Volume Service User Guide</cite></i>.</p>
</div></div>
<div class="fignone" id="dew_01_0008__en-us_topic_0112947603_fig1372118163416"><a name="dew_01_0008__en-us_topic_0112947603_fig1372118163416"></a><a name="en-us_topic_0112947603_fig1372118163416"></a><span class="figcap"><b>Figure 1 </b>Encrypting data in EVS</span><br><span><img id="dew_01_0008__en-us_topic_0112947603_image19824105814162" src="en-us_image_0000001677397941.png" title="Click to enlarge" class="imgResize"></span></div>
<p id="dew_01_0008__en-us_topic_0112947603_p12147125171117">There are two types of CMKs that can be used:</p>
<ul id="dew_01_0008__en-us_topic_0112947603_ul51471451181110"><li id="dew_01_0008__en-us_topic_0112947603_li314745151117">The default key <strong id="dew_01_0008__en-us_topic_0112947603_b842352706151922_3">evs/default</strong> created by KMS</li><li id="dew_01_0008__en-us_topic_0112947603_li191471851171115">Custom keys that you create on the KMS console using KMS-generated key materials</li></ul>
</li><li id="dew_01_0008__en-us_topic_0112947603_li8934161920130">You can also call EVS APIs to create encrypted EVS disks. For details, see the <i><cite id="dew_01_0008__en-us_topic_0112947603_cite11509822112010">Elastic Volume Service API Reference</cite></i>.</li></ul>
<div class="fignone" id="dew_01_0008__en-us_topic_0000002247169038_fig1372118163416"><a name="dew_01_0008__en-us_topic_0000002247169038_fig1372118163416"></a><a name="en-us_topic_0000002247169038_fig1372118163416"></a><span class="figcap"><b>Figure 1 </b>Encrypting data in EVS</span><br><span><img id="dew_01_0008__en-us_topic_0000002247169038_image19824105814162" src="en-us_image_0000002283527325.png"></span></div>
<p id="dew_01_0008__en-us_topic_0000002247169038_p12147125171117">There are two types of CMKs that can be used:</p>
<ul id="dew_01_0008__en-us_topic_0000002247169038_ul51471451181110"><li id="dew_01_0008__en-us_topic_0000002247169038_li314745151117">The default key <strong id="dew_01_0008__en-us_topic_0000002247169038_b842352706151922_3">evs/default</strong> created by KMS</li><li id="dew_01_0008__en-us_topic_0000002247169038_li191471851171115">Custom keys that you create on the KMS console using KMS-generated key materials</li></ul>
</li><li id="dew_01_0008__en-us_topic_0000002247169038_li8934161920130">You can also call EVS APIs to create encrypted EVS disks. For details, see <i><cite id="dew_01_0008__cite1131824772514">Elastic Volume Service API Reference</cite></i>.</li></ul>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0106.html">Cloud Services with KMS Integrated</a></div>
<div class="parentlink"><strong>Parent topic:</strong> <a href="en-us_topic_0000002248485012.html">Cloud Services with KMS Integrated</a></div>
</div>
</div>
<script language="JavaScript">
<!--
image_size('.imgResize');
var msg_imageMax = "view original image";
var msg_imageClose = "close";
//--></script>
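
Review bot: The note paragraph inside the first bullet is carried over with only its ids changed and still reads circularly: "If you do not have the permission, contact a user with the security administrator permissions to add the security administrator permission for you." State which permission EVS needs on KMS and who is allowed to grant it, and check whether handing out the security administrator permission is really intended for a user who only needs to enable disk encryption. The same note repeats "For more information about EVS, see Elastic Volume Service User Guide", which already ends the bullet just above it, so one of the two sentences can be dropped.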

@ -1,21 +1,14 @@
<a name="dew_01_0009"></a><a name="dew_01_0009"></a>
<h1 class="topictitle1">Encrypting Data in IMS</h1>
<div id="body8662426"><ul id="dew_01_0009__en-us_topic_0112947622_ul569985051312"><li id="dew_01_0009__en-us_topic_0112947622_li1714975110115">When uploading an image file to Image Management Service (IMS), you can choose to encrypt the image file using a key provided by KMS to protect the file. <a href="#dew_01_0009__en-us_topic_0112947622_fig144761027111615">Figure 1</a> describes details. For details, see the <i><cite id="dew_01_0009__en-us_topic_0112947622_cite1629483683413">Image Management Service User Guide</cite></i>.<div class="fignone" id="dew_01_0009__en-us_topic_0112947622_fig144761027111615"><a name="dew_01_0009__en-us_topic_0112947622_fig144761027111615"></a><a name="en-us_topic_0112947622_fig144761027111615"></a><span class="figcap"><b>Figure 1 </b>Encrypting data in IMS</span><br><span><img id="dew_01_0009__en-us_topic_0112947622_image17114220207" src="en-us_image_0000001628879300.png" title="Click to enlarge" class="imgResize"></span></div>
<p id="dew_01_0009__en-us_topic_0112947622_p1411316243717">There are two types of CMKs that can be used:</p>
<ul id="dew_01_0009__en-us_topic_0112947622_ul14114724778"><li id="dew_01_0009__en-us_topic_0112947622_li1111316241711">The default key <strong id="dew_01_0009__en-us_topic_0112947622_b1150188133010">ims/default</strong> created by KMS</li><li id="dew_01_0009__en-us_topic_0112947622_li911492415713">Custom keys that you create on the KMS console using KMS-generated key materials</li></ul>
</li><li id="dew_01_0009__en-us_topic_0112947622_li6707550161319">You can also call IMS APIs to create encrypted image files. For details, see <i><cite id="dew_01_0009__en-us_topic_0112947622_cite27821158152019">Image Management Service API Reference</cite></i>.</li></ul>
<div id="body8662426"><ul id="dew_01_0009__en-us_topic_0000002282207753_ul569985051312"><li id="dew_01_0009__en-us_topic_0000002282207753_li1714975110115">When uploading an image file to Image Management Service (IMS), you can choose to encrypt the image file using a key provided by KMS to protect the file, as shown in <a href="#dew_01_0009__en-us_topic_0000002282207753_fig144761027111615">Figure 1</a>. For details, see the <i><cite id="dew_01_0009__en-us_topic_0000002282207753_cite18148651161110">Image Management Service User Guide</cite></i>.<div class="fignone" id="dew_01_0009__en-us_topic_0000002282207753_fig144761027111615"><a name="dew_01_0009__en-us_topic_0000002282207753_fig144761027111615"></a><a name="en-us_topic_0000002282207753_fig144761027111615"></a><span class="figcap"><b>Figure 1 </b>Encrypting data in IMS</span><br><span><img id="dew_01_0009__en-us_topic_0000002282207753_image17114220207" src="en-us_image_0000002248488512.png"></span></div>
<p id="dew_01_0009__en-us_topic_0000002282207753_p1411316243717">There are two types of CMKs that can be used:</p>
<ul id="dew_01_0009__en-us_topic_0000002282207753_ul14114724778"><li id="dew_01_0009__en-us_topic_0000002282207753_li1111316241711">The default key <strong id="dew_01_0009__en-us_topic_0000002282207753_b1150188133010">ims/default</strong> created by KMS</li><li id="dew_01_0009__en-us_topic_0000002282207753_li911492415713">Custom keys that you create on the KMS console using KMS-generated key materials</li></ul>
</li><li id="dew_01_0009__en-us_topic_0000002282207753_li6707550161319">You can also call IMS APIs to create encrypted image files. For details, see <i><cite id="dew_01_0009__cite11261127192617">Image Management Service API Reference</cite></i>.</li></ul>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0106.html">Cloud Services with KMS Integrated</a></div>
<div class="parentlink"><strong>Parent topic:</strong> <a href="en-us_topic_0000002248485012.html">Cloud Services with KMS Integrated</a></div>
</div>
</div>
<script language="JavaScript">
<!--
image_size('.imgResize');
var msg_imageMax = "view original image";
var msg_imageClose = "close";
//--></script>
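
Review bot: The first bullet keeps "see the Image Management Service User Guide", while the second bullet of this topic and the EVS topic changed in the same commit now use "see" without the article; pick one form and apply it throughout. In the same bullet, "encrypt the image file using a key provided by KMS to protect the file" says the purpose twice and can end after "provided by KMS". The Parent topic href now points to en-us_topic_0000002248485012.html instead of dew_01_0106.html, so verify that this file name is what the build publishes.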

@ -0,0 +1,80 @@
<a name="dew_01_0016"></a><a name="dew_01_0016"></a>
<h1 class="topictitle1">Using KMS for Encryption</h1>
<div id="body1558598748162"><div class="section" id="dew_01_0016__section552718133618"><h4 class="sectiontitle">Interacting with Cloud Services</h4><p id="dew_01_0016__p1843818518258">Cloud services use the envelope encryption technology and call KMS APIs to encrypt service resources. Your CMKs are under your own management. With your grant, cloud services use a specific custom key of yours to encrypt data.</p>
<div class="p" id="dew_01_0016__p1733533725610">The encryption process is as follows:<ol id="dew_01_0016__ol183351137175613"><li id="dew_01_0016__li1914417517112">Create a custom key on KMS.</li><li id="dew_01_0016__li19144251151115">Cloud services call the <span class="parmvalue" id="dew_01_0016__parmvalue175261311613"><b>create-datakey</b></span> API of the KMS to create a DEK. Then you get a plaintext DEK and a ciphertext DEK.<div class="note" id="dew_01_0016__note7119521125711"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="dew_01_0016__p273792210576">Ciphertext DEKs are generated when you use a CMK to encrypt the plaintext DEKs.</p>
</div></div>
</li><li id="dew_01_0016__li554111015386">Cloud services use the plaintext DEK to encrypt a plaintext file, generating a ciphertext file.</li><li id="dew_01_0016__li663714348386">Cloud services store the ciphertext DEK and ciphertext file in a persistent storage device or a storage service.</li></ol>
</div>
<div class="note" id="dew_01_0016__note162711444143610"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="dew_01_0016__p187908597468">When users download the data from a cloud service, the service uses the custom key specified by KMS to decrypt the ciphertext DEK, uses the decrypted DEK to decrypt data, and then provides the decrypted data for users to download.</p>
</div></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="dew_01_0016__table724313364617" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Cloud services supported by KMS</caption><thead align="left"><tr id="dew_01_0016__row6245203615610"><th align="left" class="cellrowborder" valign="top" width="19.93%" id="mcps1.3.1.5.2.4.1.1"><p id="dew_01_0016__p122453366612">Service</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="58.199999999999996%" id="mcps1.3.1.5.2.4.1.2"><p id="dew_01_0016__p32456364612">How to Use</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="21.87%" id="mcps1.3.1.5.2.4.1.3"><p id="dew_01_0016__p5883151918180">Reference</p>
</th>
</tr>
</thead>
<tbody><tr id="dew_01_0016__row624517361619"><td class="cellrowborder" valign="top" width="19.93%" headers="mcps1.3.1.5.2.4.1.1 "><p id="dew_01_0016__p92457362614">Object Storage Service (OBS)</p>
</td>
<td class="cellrowborder" valign="top" width="58.199999999999996%" headers="mcps1.3.1.5.2.4.1.2 "><p id="dew_01_0016__p57692822165925">You can upload objects to and download them from OBS in common mode or server-side encryption mode. When you upload objects in encryption mode, data is encrypted at the server side and then securely stored on OBS in ciphertext. When you download encrypted objects, the data in ciphertext is decrypted at the server side and then provided to you in plaintext. OBS supports the server-side encryption with KMS-managed keys (SSE-KMS). In this mode, OBS uses the keys provided by KMS for server-side encryption.</p>
</td>
<td class="cellrowborder" valign="top" width="21.87%" headers="mcps1.3.1.5.2.4.1.3 "><p id="dew_01_0016__p621125372111"><i><cite id="dew_01_0016__cite1988611011197">Object Storage Service Console Operation Guide</cite></i></p>
</td>
</tr>
<tr id="dew_01_0016__row1124517361262"><td class="cellrowborder" valign="top" width="19.93%" headers="mcps1.3.1.5.2.4.1.1 "><p id="dew_01_0016__p224553614611">Elastic Volume Service (EVS)</p>
</td>
<td class="cellrowborder" valign="top" width="58.199999999999996%" headers="mcps1.3.1.5.2.4.1.2 "><p id="dew_01_0016__p5195880517016">If you enable the encryption function when creating an EVS disk, the disk will be encrypted with the DEK generated by using your CMK. Data stored in the EVS disk will be automatically encrypted.</p>
</td>
<td class="cellrowborder" valign="top" width="21.87%" headers="mcps1.3.1.5.2.4.1.3 "><p id="dew_01_0016__p10587155122318"><i><cite id="dew_01_0016__cite12788565239">Elastic Volume Service User Guide</cite></i></p>
</td>
</tr>
<tr id="dew_01_0016__row924520361862"><td class="cellrowborder" valign="top" width="19.93%" headers="mcps1.3.1.5.2.4.1.1 "><p id="dew_01_0016__p17246136469">Image Management Service (IMS)</p>
</td>
<td class="cellrowborder" valign="top" width="58.199999999999996%" headers="mcps1.3.1.5.2.4.1.2 "><p id="dew_01_0016__p2031176417022">When creating a private image using an external image file, you can enable the private image encryption function and select a CMK provided by KMS to encrypt the image.</p>
</td>
<td class="cellrowborder" valign="top" width="21.87%" headers="mcps1.3.1.5.2.4.1.3 "><p id="dew_01_0016__p1514225482715"><i><cite id="dew_01_0016__cite19478185415278">Image Management Service User Guide</cite></i></p>
</td>
</tr>
<tr id="dew_01_0016__row02465361618"><td class="cellrowborder" valign="top" width="19.93%" headers="mcps1.3.1.5.2.4.1.1 "><p id="dew_01_0016__p9246133619613">Scalable File Service (SFS)</p>
</td>
<td class="cellrowborder" valign="top" width="58.199999999999996%" headers="mcps1.3.1.5.2.4.1.2 "><p id="dew_01_0016__p102319261638">When creating a file system on SFS, the CMK provided by KMS can be selected to encrypt the file system, so that files stored in the file system are automatically encrypted.</p>
</td>
<td class="cellrowborder" valign="top" width="21.87%" headers="mcps1.3.1.5.2.4.1.3 "><p id="dew_01_0016__p13206114443015"><i><cite id="dew_01_0016__cite8697450163018">Scalable File Service User Guide</cite></i></p>
</td>
</tr>
<tr id="dew_01_0016__row32461936262"><td class="cellrowborder" valign="top" width="19.93%" headers="mcps1.3.1.5.2.4.1.1 "><p id="dew_01_0016__p2246936568">Relational Database Service (RDS)</p>
</td>
<td class="cellrowborder" valign="top" width="58.199999999999996%" headers="mcps1.3.1.5.2.4.1.2 "><p id="dew_01_0016__p833055014464">When purchasing a database instance, you can enable the disk encryption function of the database instance and select a CMK created on KMS to encrypt the disk of the database instance. Enabling the disk encryption function will enhance data security.</p>
</td>
<td class="cellrowborder" valign="top" width="21.87%" headers="mcps1.3.1.5.2.4.1.3 "><p id="dew_01_0016__p474318343316"><i><cite id="dew_01_0016__cite9874118193317">Relational Database Service User Guide</cite></i></p>
</td>
</tr>
<tr id="dew_01_0016__row13851202164517"><td class="cellrowborder" valign="top" width="19.93%" headers="mcps1.3.1.5.2.4.1.1 "><p id="dew_01_0016__p685252112459">Document Database Service (DDS)</p>
</td>
<td class="cellrowborder" valign="top" width="58.199999999999996%" headers="mcps1.3.1.5.2.4.1.2 "><p id="dew_01_0016__p2037916913468">When purchasing a DDS instance, you can enable the disk encryption function of the instance and select a CMK created on KMS to encrypt the disk of the instance. Enabling the disk encryption function will enhance data security.</p>
</td>
<td class="cellrowborder" valign="top" width="21.87%" headers="mcps1.3.1.5.2.4.1.3 "><p id="dew_01_0016__p1285664023518"><i><cite id="dew_01_0016__cite3332114710353">Document Database Service User Guide</cite></i></p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section" id="dew_01_0016__section1959717181163"><h4 class="sectiontitle">Working with User Applications</h4><p id="dew_01_0016__p8376171184214">To encrypt plaintext data, a user application can call the necessary KMS API to create a DEK. The DEK can then be used to encrypt the plaintext data. Then the application can store the encrypted data. In addition, the user application can call the KMS API to create CMKs. DEKs can be stored in ciphertext after being encrypted with the CMKs.</p>
<p id="dew_01_0016__p2704191711812">Envelope encryption is implemented, with CMKs stored in KMS and ciphertext DEKs in user applications. KMS is called to decrypt a ciphertext DEK only when necessary.</p>
<div class="p" id="dew_01_0016__p9558114515476">The encryption process is as follows:<ol id="dew_01_0016__ol2558114544718"><li id="dew_01_0016__li12558154594712"><a name="dew_01_0016__li12558154594712"></a><a name="li12558154594712"></a>The application calls the <span class="parmvalue" id="dew_01_0016__parmvalue3443135765110"><b>create-key</b></span> API of KMS to create a custom key.</li><li id="dew_01_0016__li4558104504710">The application calls the <span class="parmvalue" id="dew_01_0016__parmvalue9442115015452"><b>create-datakey</b></span> API of KMS to create a DEK. A plaintext DEK and a ciphertext DEK are generated.<div class="note" id="dew_01_0016__note141636573"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="dew_01_0016__p1336319412578">Ciphertext DEKs are generated when you use a CMK to encrypt the plaintext DEKs in <a href="#dew_01_0016__li12558154594712">1</a>.</p>
</div></div>
</li><li id="dew_01_0016__li115596458477">The application uses the plaintext DEK to encrypt a plaintext file. A ciphertext file is generated.</li><li id="dew_01_0016__li555934504716">The application saves the ciphertext DEK and the ciphertext file together in a persistent storage device or a storage service.</li></ol>
</div>
<p id="dew_01_0016__p929410810153">For details, see the <i><cite id="dew_01_0016__cite542720913155">Key Management Service API Usage Guidelines</cite></i>.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0121.html">KMS</a></div>
</div>
</div>
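
Review bot: The note after the cloud-services procedure says the service "uses the custom key specified by KMS to decrypt the ciphertext DEK", which contradicts the section's opening paragraph ("With your grant, cloud services use a specific custom key of yours"). The key is chosen by the user, so reword it to something like "the custom key you specified". Step 2 of that procedure also switches subject ("Cloud services call ... Then you get a plaintext DEK"); keep the cloud service as the actor. Under "Working with User Applications", the first paragraph describes creating the DEK before the CMK, the reverse of the numbered steps, and the section has no decryption procedure and no statement on discarding the plaintext DEK after encryption. The table cells carry width="58.199999999999996%", a floating-point artifact that should be rounded to 58.2%.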

@ -0,0 +1,74 @@
<a name="dew_01_0017"></a><a name="dew_01_0017"></a>
<h1 class="topictitle1">Related Services</h1>
<div id="body1481523501205"><div class="section" id="dew_01_0017__section144016137361"><h4 class="sectiontitle">Related Services</h4><p id="dew_01_0017__p146745235357">KMS provides CMK management and encryption capabilities for cloud services. The following table lists the cloud services that can use KMS for encryption.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="dew_01_0017__table20444146124420" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Cloud services supported by KMS</caption><thead align="left"><tr id="dew_01_0017__dew_01_0016_row6245203615610"><th align="left" class="cellrowborder" valign="top" width="19.93%" id="mcps1.3.1.3.2.4.1.1"><p id="dew_01_0017__dew_01_0016_p122453366612">Service</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="58.199999999999996%" id="mcps1.3.1.3.2.4.1.2"><p id="dew_01_0017__dew_01_0016_p32456364612">How to Use</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="21.87%" id="mcps1.3.1.3.2.4.1.3"><p id="dew_01_0017__dew_01_0016_p5883151918180">Reference</p>
</th>
</tr>
</thead>
<tbody><tr id="dew_01_0017__dew_01_0016_row624517361619"><td class="cellrowborder" valign="top" width="19.93%" headers="mcps1.3.1.3.2.4.1.1 "><p id="dew_01_0017__dew_01_0016_p92457362614">Object Storage Service (OBS)</p>
</td>
<td class="cellrowborder" valign="top" width="58.199999999999996%" headers="mcps1.3.1.3.2.4.1.2 "><p id="dew_01_0017__dew_01_0016_p57692822165925">You can upload objects to and download them from OBS in common mode or server-side encryption mode. When you upload objects in encryption mode, data is encrypted at the server side and then securely stored on OBS in ciphertext. When you download encrypted objects, the data in ciphertext is decrypted at the server side and then provided to you in plaintext. OBS supports the server-side encryption with KMS-managed keys (SSE-KMS). In this mode, OBS uses the keys provided by KMS for server-side encryption.</p>
</td>
<td class="cellrowborder" valign="top" width="21.87%" headers="mcps1.3.1.3.2.4.1.3 "><p id="dew_01_0017__dew_01_0016_p621125372111"><i><cite id="dew_01_0017__dew_01_0016_cite1988611011197">Object Storage Service Console Operation Guide</cite></i></p>
</td>
</tr>
<tr id="dew_01_0017__dew_01_0016_row1124517361262"><td class="cellrowborder" valign="top" width="19.93%" headers="mcps1.3.1.3.2.4.1.1 "><p id="dew_01_0017__dew_01_0016_p224553614611">Elastic Volume Service (EVS)</p>
</td>
<td class="cellrowborder" valign="top" width="58.199999999999996%" headers="mcps1.3.1.3.2.4.1.2 "><p id="dew_01_0017__dew_01_0016_p5195880517016">If you enable the encryption function when creating an EVS disk, the disk will be encrypted with the DEK generated by using your CMK. Data stored in the EVS disk will be automatically encrypted.</p>
</td>
<td class="cellrowborder" valign="top" width="21.87%" headers="mcps1.3.1.3.2.4.1.3 "><p id="dew_01_0017__dew_01_0016_p10587155122318"><i><cite id="dew_01_0017__dew_01_0016_cite12788565239">Elastic Volume Service User Guide</cite></i></p>
</td>
</tr>
<tr id="dew_01_0017__dew_01_0016_row924520361862"><td class="cellrowborder" valign="top" width="19.93%" headers="mcps1.3.1.3.2.4.1.1 "><p id="dew_01_0017__dew_01_0016_p17246136469">Image Management Service (IMS)</p>
</td>
<td class="cellrowborder" valign="top" width="58.199999999999996%" headers="mcps1.3.1.3.2.4.1.2 "><p id="dew_01_0017__dew_01_0016_p2031176417022">When creating a private image using an external image file, you can enable the private image encryption function and select a CMK provided by KMS to encrypt the image.</p>
</td>
<td class="cellrowborder" valign="top" width="21.87%" headers="mcps1.3.1.3.2.4.1.3 "><p id="dew_01_0017__dew_01_0016_p1514225482715"><i><cite id="dew_01_0017__dew_01_0016_cite19478185415278">Image Management Service User Guide</cite></i></p>
</td>
</tr>
<tr id="dew_01_0017__dew_01_0016_row02465361618"><td class="cellrowborder" valign="top" width="19.93%" headers="mcps1.3.1.3.2.4.1.1 "><p id="dew_01_0017__dew_01_0016_p9246133619613">Scalable File Service (SFS)</p>
</td>
<td class="cellrowborder" valign="top" width="58.199999999999996%" headers="mcps1.3.1.3.2.4.1.2 "><p id="dew_01_0017__dew_01_0016_p102319261638">When creating a file system on SFS, the CMK provided by KMS can be selected to encrypt the file system, so that files stored in the file system are automatically encrypted.</p>
</td>
<td class="cellrowborder" valign="top" width="21.87%" headers="mcps1.3.1.3.2.4.1.3 "><p id="dew_01_0017__dew_01_0016_p13206114443015"><i><cite id="dew_01_0017__dew_01_0016_cite8697450163018">Scalable File Service User Guide</cite></i></p>
</td>
</tr>
<tr id="dew_01_0017__dew_01_0016_row32461936262"><td class="cellrowborder" valign="top" width="19.93%" headers="mcps1.3.1.3.2.4.1.1 "><p id="dew_01_0017__dew_01_0016_p2246936568">Relational Database Service (RDS)</p>
</td>
<td class="cellrowborder" valign="top" width="58.199999999999996%" headers="mcps1.3.1.3.2.4.1.2 "><p id="dew_01_0017__dew_01_0016_p833055014464">When purchasing a database instance, you can enable the disk encryption function of the database instance and select a CMK created on KMS to encrypt the disk of the database instance. Enabling the disk encryption function will enhance data security.</p>
</td>
<td class="cellrowborder" valign="top" width="21.87%" headers="mcps1.3.1.3.2.4.1.3 "><p id="dew_01_0017__dew_01_0016_p474318343316"><i><cite id="dew_01_0017__dew_01_0016_cite9874118193317">Relational Database Service User Guide</cite></i></p>
</td>
</tr>
<tr id="dew_01_0017__dew_01_0016_row13851202164517"><td class="cellrowborder" valign="top" width="19.93%" headers="mcps1.3.1.3.2.4.1.1 "><p id="dew_01_0017__dew_01_0016_p685252112459">Document Database Service (DDS)</p>
</td>
<td class="cellrowborder" valign="top" width="58.199999999999996%" headers="mcps1.3.1.3.2.4.1.2 "><p id="dew_01_0017__dew_01_0016_p2037916913468">When purchasing a DDS instance, you can enable the disk encryption function of the instance and select a CMK created on KMS to encrypt the disk of the instance. Enabling the disk encryption function will enhance data security.</p>
</td>
<td class="cellrowborder" valign="top" width="21.87%" headers="mcps1.3.1.3.2.4.1.3 "><p id="dew_01_0017__dew_01_0016_p1285664023518"><i><cite id="dew_01_0017__dew_01_0016_cite3332114710353">Document Database Service User Guide</cite></i></p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section" id="dew_01_0017__section167594619305"><h4 class="sectiontitle">CTS</h4><p id="dew_01_0017__p52125173103447">CTS provides you with a history of KMS operations. After the CTS service is enabled, you can view all generated traces to review and audit performed KMS operations. For details, see the <i><cite id="dew_01_0017__cite82961142239">Cloud Trace Service User Guide</cite></i>.</p>
</div>
<div class="section" id="dew_01_0017__section4573770192847"><h4 class="sectiontitle">IAM</h4><p id="dew_01_0017__p123907173191">IAM provides permission management for KMS.</p>
<p id="dew_01_0017__p0867319181911">Only users who have KMS Administrator permissions can use KMS.</p>
<p id="dew_01_0017__p1054201119298">To apply for permissions, contact a user with Security Administrator permissions. For details, see <i><cite id="dew_01_0017__cite2953164116374">Identity and Access Management User Guide</cite></i>.</p>
</div>
<div class="section" id="dew_01_0017__section13683170172541"><h4 class="sectiontitle">SMN</h4><p id="dew_01_0017__p7930422172534">Simple Message Notification (SMN) provides the notification function. When a selected event is triggered for the target secret, CSMS sends a notification through SMN.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0091.html">Service Overview</a></div>
</div>
</div>
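Review bot: The SMN section at the end of this topic describes a different service from the one the page covers. It says "When a selected event is triggered for the target secret, CSMS sends a notification through SMN", but neither CSMS nor "secret" is introduced anywhere in the topic, which is otherwise about how KMS relates to other services. Either state what KMS itself sends through SMN, or introduce CSMS and say that the notification applies to secrets rather than keys. In the IAM section, "Only users who have KMS Administrator permissions can use KMS" should also say whether a user who only enables encryption in one of the services in Table 1 needs that permission.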

File diff suppressed because it is too large

View File

@ -0,0 +1,13 @@
<a name="dew_01_0019"></a><a name="dew_01_0019"></a>
<h1 class="topictitle1">Auditing Logs</h1>
<div id="body1524558435786"></div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="dew_01_0020.html">Operations supported by CTS</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0331.html">Viewing CTS Traces in the Trace List</a></strong><br>
</li>
</ul>
</div>

File diff suppressed because it is too large

View File

@ -0,0 +1,28 @@
<a name="dew_01_0022"></a><a name="dew_01_0022"></a>
<h1 class="topictitle1">Using the Online Tool to Encrypt and Decrypt Small-Size Data</h1>
<div id="body1511507276995"><p id="dew_01_0022__p430347211597">This section describes how to use the online tool to encrypt or decrypt small-size data (4 KB or smaller) on the KMS console.</p>
<div class="section" id="dew_01_0022__section2108995215120"><h4 class="sectiontitle">Prerequisites</h4><p id="dew_01_0022__p169881058132818">The custom key is in <span class="parmname" id="dew_01_0022__parmname124131141161112"><b>Enabled</b></span> status.</p>
</div>
<div class="section" id="dew_01_0022__section1895018118274"><h4 class="sectiontitle">Constraints</h4><ul id="dew_01_0022__ul1719311159272"><li id="dew_01_0022__li1419310151277">Default keys cannot be used to encrypt or decrypt such data with the tool.</li><li id="dew_01_0022__li158581831131112">Asymmetric keys cannot be used to encrypt or decrypt such data with the tool.</li><li id="dew_01_0022__li1719321514274">You can call an API to use a default key to encrypt or decrypt small volumes of data. For details, see the <em id="dew_01_0022__i1334716328148">Key Management Service API Reference</em>.</li><li id="dew_01_0022__li9672143820328">Use the current CMK to encrypt the data.</li><li id="dew_01_0022__li1294176103319">Exercise caution when you delete a CMK. The online tool cannot decrypt data if the CMK used for encryption has been deleted.</li><li id="dew_01_0022__li579415973318">After an API is called to encrypt data, the online tool cannot be used to decrypt the data.</li></ul>
</div>
<div class="section" id="dew_01_0022__section45724709151226"><h4 class="sectiontitle">Encrypting Data</h4><ol id="dew_01_0022__ol17677259151342"><li id="dew_01_0022__li20878132444910"><span>Log in to the management console.</span></li><li id="dew_01_0022__li11878172474919"><span>Click <span><img id="dew_01_0022__dew_01_0178_image10325154918393" src="en-us_image_0000001284811084.png"></span> in the upper left corner of the management console and select a region or project.</span></li><li id="dew_01_0022__li1279512297175"><span>Click <span><img id="dew_01_0022__image1124575085517" src="en-us_image_0000002511598247.png"></span> on the left and choose <span class="menucascade" id="dew_01_0022__menucascade42460501558"><b><span class="uicontrol" id="dew_01_0022__uicontrol7245175010555">Security</span></b> &gt; <b><span class="uicontrol" id="dew_01_0022__uicontrol02461850205516">Key Management Service</span></b></span>.</span></li><li id="dew_01_0022__li49600184597"><span>Click the name of the target custom key to access the key details page. Click the <strong id="dew_01_0022__b145035013559">Tool</strong> tab.</span></li><li id="dew_01_0022__li8513572061"><span>Click <strong id="dew_01_0022__b177715251418">Encrypt</strong>. In the text box on the left, enter the data to be encrypted, as shown in <a href="#dew_01_0022__fig61927028183617">Figure 1</a>.</span><p><div class="fignone" id="dew_01_0022__fig61927028183617"><a name="dew_01_0022__fig61927028183617"></a><a name="fig61927028183617"></a><span class="figcap"><b>Figure 1 </b>Encrypting data</span><br><span><img id="dew_01_0022__image2707364481" src="en-us_image_0000001629601212.png"></span></div>
</p></li><li id="dew_01_0022__li145581622484"><span>Click <strong id="dew_01_0022__b10106172520422">Execute</strong>. Ciphertext of the data is displayed in the text box on the right.</span><p><div class="note" id="dew_01_0022__note1652557269"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="dew_01_0022__ul13212113916814"><li id="dew_01_0022__li8211914111510">Use the current CMK to encrypt the data.</li><li id="dew_01_0022__li4212153919814">To clear your input, click <strong id="dew_01_0022__b429844654214">Clear</strong>.</li><li id="dew_01_0022__li152125391984">To copy the encrypted data, click <strong id="dew_01_0022__b02094587429">Copy to Clipboard</strong>. You can then paste and save it to a local file.</li></ul>
</div></div>
</p></li></ol>
</div>
<div class="section" id="dew_01_0022__section251382416917"><h4 class="sectiontitle">Decrypting Data</h4><ol id="dew_01_0022__ol2839154719318"><li id="dew_01_0022__li5490143683618"><span>Log in to the management console.</span></li><li id="dew_01_0022__li1383954718318"><span>Click <span><img id="dew_01_0022__dew_01_0178_image10325154918393_1" src="en-us_image_0000001284811084.png"></span> in the upper left corner of the management console and select a region or project.</span></li><li id="dew_01_0022__li9748814203513"><span>Click <span><img id="dew_01_0022__image5564195211553" src="en-us_image_0000002511605033.png"></span> on the left and choose <span class="menucascade" id="dew_01_0022__menucascade956535216555"><b><span class="uicontrol" id="dew_01_0022__uicontrol1656412526559">Security</span></b> &gt; <b><span class="uicontrol" id="dew_01_0022__uicontrol5565155213551">Key Management Service</span></b></span>.</span></li></ol><ol start="4" id="dew_01_0022__ol12988161919918"><li id="dew_01_0022__li1486413121014"><span>You can click any non-default key in <strong id="dew_01_0022__b842352706112914">Enabled</strong> status to go to the encryption and decryption page of the online tool.</span></li><li id="dew_01_0022__li11865163131014"><span>Click <strong id="dew_01_0022__b12255116194310">Decrypt</strong> and enter the data to be decrypted in the text box, as shown in <a href="#dew_01_0022__fig1586514341014">Figure 2</a>.</span><p><div class="note" id="dew_01_0022__note3864113161017"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="dew_01_0022__ul1812317431410"><li id="dew_01_0022__li312313481420">The tool will identify the original encryption CMK and use it to decrypt the data.</li><li id="dew_01_0022__li41234411143">If the key has been deleted, the decryption will fail.</li></ul>
</div></div>
<div class="fignone" id="dew_01_0022__fig1586514341014"><a name="dew_01_0022__fig1586514341014"></a><a name="fig1586514341014"></a><span class="figcap"><b>Figure 2 </b>Decrypting data</span><br><span><img id="dew_01_0022__image694415194517" src="en-us_image_0000001629122164.png"></span></div>
</p></li><li id="dew_01_0022__li78650312108"><span>Click <strong id="dew_01_0022__b842352706163142">Execute</strong>. Plaintext of the data is displayed in the text box on the right.</span><p><div class="note" id="dew_01_0022__note15120629191411"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="dew_01_0022__ul135993613337"><li id="dew_01_0022__li11600065339">You can click <strong id="dew_01_0022__b842352706164331">Copy to Clipboard</strong> to copy the plaintext and save it in a local file.</li><li id="dew_01_0022__li1628081119238">Enter the plaintext on the console, the text will be encoded to Base64 format before encryption.<p id="dew_01_0022__p19341104193711"><a name="dew_01_0022__li1628081119238"></a><a name="li1628081119238"></a>The decryption result returned via API will be in Base64 format. Perform Base64 decoding to obtain the plaintext entered on the console.</p>
</li></ul>
</div></div>
</p></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0177.html">Key Management Service</a></div>
</div>
</div>
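Review bot: Step 4 under Decrypting Data contradicts the Constraints list and the encryption procedure. It says "You can click any non-default key in Enabled status", but the constraints state that asymmetric keys cannot be used with the tool, and encryption step 4 also requires clicking the Tool tab. Suggest reusing the wording of encryption step 4 and keeping the decryption steps in one ordered list rather than a second list that restarts at 4. Two smaller points in the same hunk: "Use the current CMK to encrypt the data." appears both as a constraint and in the note under encryption step 6, and reads as an instruction rather than a constraint; and the Base64 note under decryption step 6 concerns data entered on the console and later decrypted through the API, so it belongs next to the constraint about API-encrypted data rather than under a console step.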

View File

@ -0,0 +1,19 @@
<a name="dew_01_0023"></a><a name="dew_01_0023"></a>
<h1 class="topictitle1">Managing Tags</h1>
<div id="body1520304335388"></div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="dew_01_0024.html">Adding a Tag</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0026.html">Modifying Tag Values</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0027.html">Deleting Tags</a></strong><br>
</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0177.html">Key Management Service</a></div>
</div>
</div>

View File

@ -0,0 +1,55 @@
<a name="dew_01_0024"></a><a name="dew_01_0024"></a>
<h1 class="topictitle1">Adding a Tag</h1>
<div id="body1520304335388"><p id="dew_01_0024__a88da10c7d5a942fc8f313ad95a0f5e02">Tags are used to identify keys. You can add tags to custom keys so that you can classify custom keys, trace them, and collect their usage status according to the tags.</p>
<div class="section" id="dew_01_0024__section7622144917348"><h4 class="sectiontitle">Constraints</h4><p id="dew_01_0024__p178087013352">Tags cannot be added to default keys.</p>
</div>
<div class="section" id="dew_01_0024__s4df85e58e3fb4718968ef3a4ac208ba4"><h4 class="sectiontitle">Procedure</h4><ol id="dew_01_0024__o0f208618b4b44ea0b569a0f86947e77f"><li id="dew_01_0024__li1296564718544"><span>Log in to the management console.</span></li><li id="dew_01_0024__li880294292648"><span>Click <span><img id="dew_01_0024__dew_01_0178_image10325154918393" src="en-us_image_0000001284811084.png"></span> in the upper left corner of the management console and select a region or project.</span></li><li id="dew_01_0024__li1279512297175"><span>Click <span><img id="dew_01_0024__image2084331518566" src="en-us_image_0000002479639400.png"></span> on the left and choose <span class="menucascade" id="dew_01_0024__menucascade2843121518568"><b><span class="uicontrol" id="dew_01_0024__uicontrol20843181525619">Security</span></b> &gt; <b><span class="uicontrol" id="dew_01_0024__uicontrol13843161516562">Key Management Service</span></b></span>.</span></li><li id="dew_01_0024__l56f9d4be109b4fe5943518373436010e"><span>Click the alias of the target custom key to view its details.</span></li><li id="dew_01_0024__l4d2ad01f63c84c92af887f3171d1963b"><span>Click <strong id="dew_01_0024__b1657519304419">Tags</strong> to go to the tag management tab.</span></li><li id="dew_01_0024__l0cd7195cd62540ad88a5f73f8169d964"><span>Click <strong id="dew_01_0024__b276391034218">Add Tag</strong>, as shown in <a href="#dew_01_0024__ff809bb6d608c464aa1430d54c02b19be">Figure 1</a>. In the <strong id="dew_01_0024__b14763610164212">Add Tag</strong> dialog box, enter the tag key and tag value. <a href="#dew_01_0024__t2276fe27aa3d4e03a154c9332ff563f6">Table 1</a> describes the parameters.</span><p><div class="fignone" id="dew_01_0024__ff809bb6d608c464aa1430d54c02b19be"><a name="dew_01_0024__ff809bb6d608c464aa1430d54c02b19be"></a><a name="ff809bb6d608c464aa1430d54c02b19be"></a><span class="figcap"><b>Figure 1 </b>Adding a tag</span><p id="dew_01_0024__p7662164033613"></p>
<br><span><img id="dew_01_0024__image7640122555412" src="en-us_image_0000001677882901.png"></span></div>
<div class="note" id="dew_01_0024__note148911525189"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="dew_01_0024__p19893122181819">If you want to delete a tag from the tag list when adding multiple tags, locate the target tag and click <strong id="dew_01_0024__b777815289165">Delete</strong> on the right.</p>
</div></div>
<div class="tablenoborder"><a name="dew_01_0024__t2276fe27aa3d4e03a154c9332ff563f6"></a><a name="t2276fe27aa3d4e03a154c9332ff563f6"></a><table cellpadding="4" cellspacing="0" summary="" id="dew_01_0024__t2276fe27aa3d4e03a154c9332ff563f6" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Tag parameters</caption><thead align="left"><tr id="dew_01_0024__r89466a68d27d4826982e0c32f41ba194"><th align="left" class="cellrowborder" valign="top" width="18%" id="mcps1.3.3.2.6.2.3.2.5.1.1"><p id="dew_01_0024__a7a55ed2421f740eab7751daf0827450a"><strong id="dew_01_0024__b28570466083531">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="32%" id="mcps1.3.3.2.6.2.3.2.5.1.2"><p id="dew_01_0024__a01724755823747d19ea3b4586620671d"><strong id="dew_01_0024__en-us_topic_0101843928_b842352706193336">Description</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="34%" id="mcps1.3.3.2.6.2.3.2.5.1.3"><p id="dew_01_0024__a17657384322d4476bbbac798b4e5186c"><strong id="dew_01_0024__en-us_topic_0101843928_b84235270613118">Value</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="16%" id="mcps1.3.3.2.6.2.3.2.5.1.4"><p id="dew_01_0024__a29bf5c4875a046dbac9c1538a7ab038c"><strong id="dew_01_0024__en-us_topic_0101843928_b84235270610336">Example Value</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="dew_01_0024__r038b16919f2749e1a79c9146dcd61ecb"><td class="cellrowborder" valign="top" width="18%" headers="mcps1.3.3.2.6.2.3.2.5.1.1 "><p id="dew_01_0024__aa0a0f3f6da274c59b2acc8453c62b1a8">Tag key</p>
</td>
<td class="cellrowborder" valign="top" width="32%" headers="mcps1.3.3.2.6.2.3.2.5.1.2 "><p id="dew_01_0024__en-us_topic_0101843928_p91159390107">Name of a tag.</p>
<p id="dew_01_0024__abaa562f9f16d4811ad7215e61a04db01">The same tag (including tag key and tag value) can be used for different custom keys. However, under the same custom key, one tag key can have only one tag value.</p>
<p id="dew_01_0024__a97a5da675a064289abeb8dfa32624604">A maximum of 20 tags can be added for one custom key.</p>
</td>
<td class="cellrowborder" valign="top" width="34%" headers="mcps1.3.3.2.6.2.3.2.5.1.3 "><ul id="dew_01_0024__u6541ee1746d64f3e80b05bdbba1010f5"><li id="dew_01_0024__l7a07a3450d7f45ccbb60481f6995d731">Mandatory.</li><li id="dew_01_0024__lddf8b91566d74819a757fb08c87e5512">The tag key must be unique for the same custom key.</li><li id="dew_01_0024__lce3ee6bd91654592b94c8363329e13b4">128 characters limit.</li><li id="dew_01_0024__li342616914125">The value cannot start or end with a space.</li><li id="dew_01_0024__l2e45f3b27fb4457aa13fe0d125f2d503">The following character types are allowed:<ul id="dew_01_0024__ul126881015191010"><li id="dew_01_0024__li13347210131017">English</li><li id="dew_01_0024__li16620102811011">Numbers</li><li id="dew_01_0024__li1345724561016">Special characters: _-@</li></ul>
</li></ul>
</td>
<td class="cellrowborder" valign="top" width="16%" headers="mcps1.3.3.2.6.2.3.2.5.1.4 "><p id="dew_01_0024__af0e27aa36fa74e34a627f4cfcf4ee4e6">cost</p>
</td>
</tr>
<tr id="dew_01_0024__r7132d5376e104100a78e4f668f6eae34"><td class="cellrowborder" valign="top" width="18%" headers="mcps1.3.3.2.6.2.3.2.5.1.1 "><p id="dew_01_0024__a845cc3aea7cb4cdb9192ecef1088ab05">Tag value</p>
</td>
<td class="cellrowborder" valign="top" width="32%" headers="mcps1.3.3.2.6.2.3.2.5.1.2 "><p id="dew_01_0024__a814337fa15034faeb7cd22e064f633f9">Value of the tag</p>
</td>
<td class="cellrowborder" valign="top" width="34%" headers="mcps1.3.3.2.6.2.3.2.5.1.3 "><ul id="dew_01_0024__ue18a9cb3059e43c78ec77f2492539753"><li id="dew_01_0024__lffe13ea786c44a66a41ff175ebc633eb">This parameter can be empty.</li><li id="dew_01_0024__lb1865c5077bf494ba861d61b4436fed1">255 characters limit.</li><li id="dew_01_0024__l6ac8cac57b99437d8e0d0e6e273e99f2">The following character types are allowed:<ul id="dew_01_0024__ul17891151414169"><li id="dew_01_0024__li4660142910374">English</li><li id="dew_01_0024__li3891114151619">Numbers</li><li id="dew_01_0024__li18891814141618">Special characters: _-@</li></ul>
</li></ul>
</td>
<td class="cellrowborder" valign="top" width="16%" headers="mcps1.3.3.2.6.2.3.2.5.1.4 "><p id="dew_01_0024__af026f1550c374b3481d7e5c004f816d4">100</p>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="dew_01_0024__l77231ee2706d4578b0fc083792d439dc"><span>Click <strong id="dew_01_0024__b1920713716718">OK</strong>.</span></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0023.html">Managing Tags</a></div>
</div>
</div>
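Review bot: The Value column for the tag key in Table 1 is ambiguous about spaces. It lists the allowed character types as English, Numbers and the special characters _-@, yet also says "The value cannot start or end with a space", which implies spaces are accepted inside a key; the tag value row has no corresponding rule. State explicitly whether a space is allowed in each field, write "English letters" rather than "English", and say "the tag key" instead of "the value" in the key row so it is not read as the tag value. The sentence "A maximum of 20 tags can be added for one custom key" is a quota on the key rather than a property of the tag key and would sit better under Constraints.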

View File

@ -0,0 +1,13 @@
<a name="dew_01_0026"></a><a name="dew_01_0026"></a>
<h1 class="topictitle1">Modifying Tag Values</h1>
<div id="body1520304335388"><p id="dew_01_0026__a40c46f842ede4d6d88ac952701ead3ec">This section describes how to modify tag values on the KMS console.</p>
<div class="section" id="dew_01_0026__sd1817bef210540b2b4062385985a85df"><h4 class="sectiontitle">Procedure</h4><ol id="dew_01_0026__ol1330219161110"><li id="dew_01_0026__li1296564718544"><span>Log in to the management console.</span></li><li id="dew_01_0026__li880294292648"><span>Click <span><img id="dew_01_0026__dew_01_0178_image10325154918393" src="en-us_image_0000001284811084.png"></span> in the upper left corner of the management console and select a region or project.</span></li><li id="dew_01_0026__li1279512297175"><span>Click <span><img id="dew_01_0026__image529192395620" src="en-us_image_0000002479480574.png"></span> on the left and choose <span class="menucascade" id="dew_01_0026__menucascade173082318561"><b><span class="uicontrol" id="dew_01_0026__uicontrol22952325619">Security</span></b> &gt; <b><span class="uicontrol" id="dew_01_0026__uicontrol9295239563">Key Management Service</span></b></span>.</span></li></ol><ol start="4" id="dew_01_0026__o6cf21ab3e7cb46398f21b049534dd900"><li id="dew_01_0026__l1918659274744a7485b71ed7901204bd"><span>Click the alias of the target custom key to view its details.</span></li><li id="dew_01_0026__li18977621173610"><span>Click <strong id="dew_01_0026__b2033011447221">Tags</strong> to go to the tag management page.</span></li><li id="dew_01_0026__l75c5998563df43ea9fab937f38d05514"><span>Click <strong id="dew_01_0026__b817712492222">Edit</strong> of the target tag, and the <strong id="dew_01_0026__b818234911222">Edit Tag</strong> dialog box is displayed.</span></li><li id="dew_01_0026__lce7bfdf40ffb42aea0a577bd899e4978"><span>In the <strong id="dew_01_0026__b187373413442">Edit Tag</strong> dialog box, enter a tag value, and click <strong id="dew_01_0026__b157581134351">OK</strong>.</span></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0023.html">Managing Tags</a></div>
</div>
</div>
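Review bot: Step 5 sends the user to the "tag management page", while the same step in Adding a Tag calls it the "tag management tab"; use one term across the three tag topics. The procedure is also split into two ordered lists with the second restarting at 4, and "Click Edit of the target tag" would read better as "Click Edit in the row of the target tag". Adding a Tag states that tags cannot be added to default keys; a matching Constraints section here would tell the reader that this procedure applies to custom keys only.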

View File

@ -0,0 +1,13 @@
<a name="dew_01_0027"></a><a name="dew_01_0027"></a>
<h1 class="topictitle1">Deleting Tags</h1>
<div id="body1520304335388"><p id="dew_01_0027__a015c023f841745e4afaea950e66455dd">This section describes how to delete tags on the KMS console.</p>
<div class="section" id="dew_01_0027__sac1f739fd8fb4d93be1fcd3bc29bb9c1"><h4 class="sectiontitle">Procedure</h4><ol id="dew_01_0027__ol1330219161110"><li id="dew_01_0027__li1296564718544"><span>Log in to the management console.</span></li><li id="dew_01_0027__li880294292648"><span>Click <span><img id="dew_01_0027__dew_01_0178_image10325154918393" src="en-us_image_0000001284811084.png"></span> in the upper left corner of the management console and select a region or project.</span></li><li id="dew_01_0027__li1279512297175"><span>Click <span><img id="dew_01_0027__image2084132819562" src="en-us_image_0000002511600539.png"></span> on the left and choose <span class="menucascade" id="dew_01_0027__menucascade158421628145612"><b><span class="uicontrol" id="dew_01_0027__uicontrol78416287566">Security</span></b> &gt; <b><span class="uicontrol" id="dew_01_0027__uicontrol1984282865618">Key Management Service</span></b></span>.</span></li></ol><ol start="4" id="dew_01_0027__ob8fb7228b54d41afab7ba325f51e2f03"><li id="dew_01_0027__l3d5ff16dc1bd49ccaf5c63641b05c57c"><span>Click the alias of the target custom key to view its details.</span></li><li id="dew_01_0027__li14905224277"><span>Click <strong id="dew_01_0027__b9417193642313">Tags</strong> to go to the tag management page.</span></li><li id="dew_01_0027__lf7b0d0595ce64065afa4a0dc7c44c037"><span>Click <strong id="dew_01_0027__a1a6f987039a445f9b4f3a6d647131ea2">Delete</strong> of the target tag, and the <strong id="dew_01_0027__aed7ad36a6c274792b4cd8ff491f9067e">Delete Tag</strong> dialog box is displayed.</span></li><li id="dew_01_0027__l76bdaa8c507f4063bd7e7253f236b67c"><span>In the <strong id="dew_01_0027__b425952643313">Delete Tag</strong> dialog box, click <strong id="dew_01_0027__b1259826103319">Confirm</strong>.</span></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0023.html">Managing Tags</a></div>
</div>
</div>

View File

@ -0,0 +1,23 @@
<a name="dew_01_0028"></a><a name="dew_01_0028"></a>
<h1 class="topictitle1">Managing CMKs</h1>
<div id="body1520304335388"></div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="dew_01_0179.html">Viewing a Key</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0029.html">Enabling a Key</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0030.html">Disabling a Key</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0031.html">Deleting a Key</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0032.html">Canceling the Scheduled Deletion of One or More CMKs</a></strong><br>
</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0177.html">Key Management Service</a></div>
</div>
</div>

View File

@ -0,0 +1,17 @@
<a name="dew_01_0029"></a><a name="dew_01_0029"></a>
<h1 class="topictitle1">Enabling a Key</h1>
<div id="body1469675083219"><p id="dew_01_0029__p43011468103517">This section describes how to use the KMS console to enable one or more custom keys. Only enabled custom keys can be used to encrypt or decrypt data. A new custom key is in the <span class="parmname" id="dew_01_0029__parmname1893194896114022"><b>Enabled</b></span> state by default.</p>
<div class="section" id="dew_01_0029__section2256777914731"><h4 class="sectiontitle">Prerequisites</h4><p id="dew_01_0029__p13781734162715">The custom key you want to enable is in <span class="parmname" id="dew_01_0029__parmname1310216223117"><b>Disabled</b></span> status.</p>
</div>
<div class="section" id="dew_01_0029__section57181635141413"><h4 class="sectiontitle">Procedure</h4><ol id="dew_01_0029__ol1330219161110"><li id="dew_01_0029__li1296564718544"><span>Log in to the management console.</span></li><li id="dew_01_0029__li880294292648"><span>Click <span><img id="dew_01_0029__dew_01_0178_image10325154918393" src="en-us_image_0000001284811084.png"></span> in the upper left corner of the management console and select a region or project.</span></li><li id="dew_01_0029__li1279512297175"><span>Click <span><img id="dew_01_0029__image1181054417546" src="en-us_image_0000002511517555.png"></span> on the left and choose <span class="menucascade" id="dew_01_0029__menucascade1781215447546"><b><span class="uicontrol" id="dew_01_0029__uicontrol98111744125419">Security</span></b> &gt; <b><span class="uicontrol" id="dew_01_0029__uicontrol9811174455417">Key Management Service</span></b></span>.</span></li></ol><ol start="4" id="dew_01_0029__ol8728435111418"><li id="dew_01_0029__li172823521418"><span>Locate the target key in the list and click <strong id="dew_01_0029__b81071230230">Enable</strong> in the <strong id="dew_01_0029__b12351491233">Operation</strong> column.</span></li><li id="dew_01_0029__li1972893501413"><span>In the displayed dialog box, click <span class="uicontrol" id="dew_01_0029__uicontrol1919317474405"><b>OK</b></span> to enable the key.</span><p><div class="note" id="dew_01_0029__note597452812513"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="dew_01_0029__p79906280256">To enable multiple keys at a time, select them and click <strong id="dew_01_0029__b10643138105910">Enable</strong> in the upper left corner of the list.</p>
</div></div>
</p></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0028.html">Managing CMKs</a></div>
</div>
</div>
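Review bot: The intro and the Prerequisites section use different terms for the same attribute: "A new custom key is in the Enabled state by default" versus "is in Disabled status". Pick "status" or "state" and use it consistently here and in Disabling a Key and Deleting a Key. The note about enabling multiple keys sits under step 5, after the single-key flow has finished; moving it ahead of step 4, as Deleting a Key does with its batch sentence, would let the reader choose the path before starting.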

View File

@ -0,0 +1,20 @@
<a name="dew_01_0030"></a><a name="dew_01_0030"></a>
<h1 class="topictitle1">Disabling a Key</h1>
<div id="body1469675083219"><p id="dew_01_0030__p1424802418529">This section describes how to use the KMS console to disable one or more custom keys, thereby protecting data in urgent cases.</p>
<p id="dew_01_0030__p129527114341">After being disabled, a custom key cannot be used to encrypt or decrypt any data. Before using a disabled key to encrypt or decrypt data, you must enable it by following instructions in <a href="dew_01_0029.html">Enabling a Key</a>.</p>
<div class="section" id="dew_01_0030__section2256777914731"><h4 class="sectiontitle">Prerequisites</h4><p id="dew_01_0030__p578834114273">The key you want to disable is in <span class="parmname" id="dew_01_0030__parmname155591327181113"><b>Enabled</b></span> status.</p>
</div>
<div class="section" id="dew_01_0030__section8605811101811"><h4 class="sectiontitle">Constraints</h4><ul id="dew_01_0030__ul1692418200189"><li id="dew_01_0030__li129242020181820">Default keys created by KMS cannot be disabled.</li><li id="dew_01_0030__li17924192021811">A disabled key is still billable. It will stop incurring charges if it is deleted.</li></ul>
</div>
<div class="section" id="dew_01_0030__section2756238314925"><h4 class="sectiontitle">Procedure</h4><ol id="dew_01_0030__ol562648314939"><li id="dew_01_0030__li1296564718544"><span>Log in to the management console.</span></li><li id="dew_01_0030__li880294292648"><span>Click <span><img id="dew_01_0030__dew_01_0178_image10325154918393" src="en-us_image_0000001284811084.png"></span> in the upper left corner of the management console and select a region or project.</span></li><li id="dew_01_0030__li1279512297175"><span>Click <span><img id="dew_01_0030__image54175410544" src="en-us_image_0000002511517795.png"></span> on the left and choose <span class="menucascade" id="dew_01_0030__menucascade155155414547"><b><span class="uicontrol" id="dew_01_0030__uicontrol1445425413">Security</span></b> &gt; <b><span class="uicontrol" id="dew_01_0030__uicontrol1575413541">Key Management Service</span></b></span>.</span></li><li id="dew_01_0030__li49567148141429"><span>Locate the target key in the list and click <strong id="dew_01_0030__b18676182412216">Disable</strong> in the <strong id="dew_01_0030__b865153117222">Operation</strong> column.</span></li><li id="dew_01_0030__li59129560141649"><span>In the displayed dialog box, select <strong id="dew_01_0030__b8967073411">I understand the impact of disabling keys</strong>, and click <span class="uicontrol" id="dew_01_0030__uicontrol1919317474405"><b>OK</b></span>.</span><p><div class="note" id="dew_01_0030__note83771858132712"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="dew_01_0030__p79906280256">To disable multiple keys at a time, select them and click <strong id="dew_01_0030__b175921638181912">Disable</strong> in the upper left corner of the list.</p>
</div></div>
</p></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0028.html">Managing CMKs</a></div>
</div>
</div>
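Review bot: The second constraint ("A disabled key is still billable. It will stop incurring charges if it is deleted.") does not say when charging stops, and dew_01_0031 in this same commit says a key is only deleted after a scheduled period of 7 to 1096 days. State whether billing ends when deletion is scheduled or when the period expires. Separately, the bulk-disable note sits inside step 5 after the OK click, while dew_01_0031 and dew_01_0032 put the equivalent sentence before the numbered steps; moving it up would keep the three procedures consistent.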

View File

@ -0,0 +1,24 @@
<a name="dew_01_0031"></a><a name="dew_01_0031"></a>
<h1 class="topictitle1">Deleting a Key</h1>
<div id="body1469675083219"><p id="dew_01_0031__p1821214004217">Before deleting the key, confirm that it is not in use and will not be used. </p>
<div class="section" id="dew_01_0031__section2256777914731"><h4 class="sectiontitle">Prerequisites</h4><p id="dew_01_0031__p13557141019212">The key to be deleted is in <strong id="dew_01_0031__b74711157135314">Enabled</strong>, <strong id="dew_01_0031__b1547165785312">Disabled</strong>, or <strong id="dew_01_0031__b14471145745317">Pending import</strong> status.</p>
</div>
<div class="section" id="dew_01_0031__section1716645918216"><h4 class="sectiontitle">Constraints</h4><ul id="dew_01_0031__ul3218201172210"><li id="dew_01_0031__li2888123512355">A key will not be deleted until its scheduled deletion period expires. You can set the period to a value within the range 7 to 1096 days.<p id="dew_01_0031__p1240175333517"><a name="dew_01_0031__li2888123512355"></a><a name="li2888123512355"></a>Before the specified deletion date, you can cancel the deletion if you want to use the CMK. Once the scheduled deletion has taken effect, the CMK will be deleted permanently and you will not be able to decrypt data encrypted by the CMK. Exercise caution when performing this operation.</p>
</li><li id="dew_01_0031__li142181811152216">Default keys created by KMS cannot be scheduled for deletion.</li></ul>
</div>
<div class="section" id="dew_01_0031__section2756238314925"><h4 class="sectiontitle">Procedure</h4><p id="dew_01_0031__p72406121154">To schedule the deletion of multiple CMKs at a time, select them and click <strong id="dew_01_0031__b9992100185420">Delete</strong> in the upper left corner of the list. The following describes how to delete a single key.</p>
<ol id="dew_01_0031__ol562648314939"><li id="dew_01_0031__li1296564718544"><span>Log in to the management console.</span></li><li id="dew_01_0031__li880294292648"><span>Click <span><img id="dew_01_0031__dew_01_0178_image10325154918393" src="en-us_image_0000001284811084.png"></span> in the upper left corner of the management console and select a region or project.</span></li><li id="dew_01_0031__li1279512297175"><span>Click <span><img id="dew_01_0031__image1732113618554" src="en-us_image_0000002479637892.png"></span> on the left and choose <span class="menucascade" id="dew_01_0031__menucascade163235614553"><b><span class="uicontrol" id="dew_01_0031__uicontrol193221665512">Security</span></b> &gt; <b><span class="uicontrol" id="dew_01_0031__uicontrol133221066554">Key Management Service</span></b></span>.</span></li><li id="dew_01_0031__li49567148141429"><span>Locate the target key and click <span class="uicontrol" id="dew_01_0031__uicontrol4728182714356"><b>Delete</b></span> in the <strong id="dew_01_0031__b10729162717353">Operation</strong> column.</span></li><li id="dew_01_0031__li23509077163436"><span>On the key deletion dialog box, enter the deletion delay time.</span><p><div class="fignone" id="dew_01_0031__fig1174078175555"><span class="figcap"><b>Figure 1 </b>Setting scheduled deletion</span><p id="dew_01_0031__p15815192501413"><span><img id="dew_01_0031__image154929273145" src="en-us_image_0000002278274229.png"></span></p>
<p id="dew_01_0031__p1572674715720"></p>
<div class="note" id="dew_01_0031__note14588256893"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="dew_01_0031__ul1558820561490"><li id="dew_01_0031__li85881561997">A key will not be deleted until its scheduled deletion period expires. You can set the period to a value within the range 7 to 1096 days. Before the specified deletion date, you can cancel the deletion if you want to use the CMK.</li></ul>
</div></div>
</div>
</p></li><li id="dew_01_0031__li12531352191011"><span>Enter <strong id="dew_01_0031__b18934226185415">DELETE</strong> in the confirmation dialog box and click <strong id="dew_01_0031__b9934142625420">OK</strong>.</span></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0028.html">Managing CMKs</a></div>
</div>
</div>
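Review bot: The opening sentence tells the reader to confirm the key "is not in use and will not be used", but the topic gives no way to check that and never names the state the key enters after step 6; only dew_01_0032 mentions Pending deletion. Add the resulting status and say whether the key can still encrypt or decrypt during the waiting period, since that is what an operator needs to know before scheduling. The 7 to 1096 day sentence also appears twice (under Constraints and in the note under Figure 1), that note wraps a single item in a list, p1572674715720 is an empty paragraph, the text alternates between "key" and "CMK", and "On the key deletion dialog box" should read "In".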

View File

@ -0,0 +1,17 @@
<a name="dew_01_0032"></a><a name="dew_01_0032"></a>
<h1 class="topictitle1">Canceling the Scheduled Deletion of One or More CMKs</h1>
<div id="body1469675083219"><p id="dew_01_0032__p38532660154140">This section describes how to use the KMS console to cancel the scheduled deletion of one or more custom keys prior to deletion execution. After the cancellation, the key is in <strong id="dew_01_0032__b842352706174534">Disabled</strong> status.</p>
<div class="section" id="dew_01_0032__section2256777914731"><h4 class="sectiontitle">Prerequisites</h4><p id="dew_01_0032__p1374155519276">The CMK for which you want to cancel the scheduled deletion is in <span class="parmname" id="dew_01_0032__parmname91431319110"><b>Pending deletion</b></span> status.</p>
</div>
<div class="section" id="dew_01_0032__section10862719153923"><h4 class="sectiontitle">Procedure</h4><p id="dew_01_0032__p95121454111612">To cancel the deletion of multiple keys at a time, select them and click <strong id="dew_01_0032__b1636312514544">Cancel Deletion</strong> in the upper left corner of the list. The following describes how to cancel the scheduled deletion of a key.</p>
<ol id="dew_01_0032__ol30655611153923"><li id="dew_01_0032__li1296564718544"><span>Log in to the management console.</span></li><li id="dew_01_0032__li880294292648"><span>Click <span><img id="dew_01_0032__dew_01_0178_image10325154918393" src="en-us_image_0000001284811084.png"></span> in the upper left corner of the management console and select a region or project.</span></li><li id="dew_01_0032__li1279512297175"><span>Click <span><img id="dew_01_0032__image3230102655516" src="en-us_image_0000002511597849.png"></span> on the left and choose <span class="menucascade" id="dew_01_0032__menucascade1623117264559"><b><span class="uicontrol" id="dew_01_0032__uicontrol1923072665511">Security</span></b> &gt; <b><span class="uicontrol" id="dew_01_0032__uicontrol9230152611553">Key Management Service</span></b></span>.</span></li><li id="dew_01_0032__li49567148141429"><span>In the row containing the target CMK, click <span class="uicontrol" id="dew_01_0032__uicontrol59469908102821"><b>Cancel Deletion</b></span>.</span></li><li id="dew_01_0032__li3809957712347"><span>In the dialog box that is displayed, click <span class="uicontrol" id="dew_01_0032__uicontrol220613717552"><b>OK</b></span>.</span><p><ul id="dew_01_0032__ul177541251838"><li id="dew_01_0032__li16753651333">If a key is created on the KMS console, the status of the key changes to <strong id="dew_01_0032__b9422105995019">Disabled</strong> after its scheduled deletion is canceled. For details about how to enable the key, see <a href="dew_01_0029.html">Enabling a Key</a>.</li><li id="dew_01_0032__li875415511319">If the CMK is created using imported materials, its status becomes <strong id="dew_01_0032__b842352706105810">Disabled</strong> after the cancellation. 
To enable the CMK, see <a href="dew_01_0029.html">Enabling a Key</a>.</li><li id="dew_01_0032__li197548511314">If the CMK is created using imported materials and no key materials have been imported for it, its status becomes <strong id="dew_01_0032__b842352706145336">Pending import</strong> after the cancellation. To use the CMK, perform <a href="dew_01_0142.html">Creating CMKs Using Imported Key Materials</a>.</li></ul>
</p></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0028.html">Managing CMKs</a></div>
</div>
</div>
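Review bot: The intro states that after cancellation "the key is in Disabled status", but the third bullet under step 5 says a CMK with no imported key material returns to Pending import, so the intro is wrong for that case; qualify it or drop the status from the intro. The first two bullets give the same outcome (Disabled, see Enabling a Key) for console-created keys and imported-material keys and can be merged into one. The second bullet also has a stray line break inside the list item before "To enable the CMK".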

View File

@ -0,0 +1,56 @@
<a name="dew_01_0044"></a><a name="dew_01_0044"></a>
<h1 class="topictitle1">What Is a Customer Master Key?</h1>
<div id="body8662426"><p id="dew_01_0044__en-us_topic_0035099206_p8060118">A Customer Master Key (CMK) is a Key Encryption Key (KEK) created by a user on KMS. It is used to encrypt and protect DEKs. One CMK can be used to encrypt one or more DEKs.</p>
<div class="p" id="dew_01_0044__p127610196502">CMKs are categorized into custom keys and default keys.<ul id="dew_01_0044__ul1875994575019"><li id="dew_01_0044__li147591145115017">Custom keys<p id="dew_01_0044__p988775013500"><a name="dew_01_0044__li147591145115017"></a><a name="li147591145115017"></a>Keys created or imported by users on the KMS console.</p>
</li><li id="dew_01_0044__li1875934520501">Default keys<p id="dew_01_0044__p20959752125018"><a name="dew_01_0044__li1875934520501"></a><a name="li1875934520501"></a>When a user uses KMS for encryption in a cloud service for the first time, the cloud service automatically creates a key with the alias suffix <strong id="dew_01_0044__b195113158392">/default</strong>.</p>
<p id="dew_01_0044__p37369926114355">You can use the management console to query but cannot disable or schedule the deletion of Default Master Keys.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="dew_01_0044__table42686454104828" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Default master keys</caption><thead align="left"><tr id="dew_01_0044__dew_01_0045_row59355676104828"><th align="left" class="cellrowborder" valign="top" width="26.5%" id="mcps1.3.2.1.2.3.2.3.1.1"><p id="dew_01_0044__dew_01_0045_p58543282104828"><strong id="dew_01_0044__dew_01_0045_b842352706114440_1">Alias</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="73.5%" id="mcps1.3.2.1.2.3.2.3.1.2"><p id="dew_01_0044__dew_01_0045_p66197698104828"><strong id="dew_01_0044__dew_01_0045_b842352706114445_1">Cloud Service</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="dew_01_0044__dew_01_0045_row53124038104828"><td class="cellrowborder" valign="top" width="26.5%" headers="mcps1.3.2.1.2.3.2.3.1.1 "><p id="dew_01_0044__dew_01_0045_p22934402104828">obs/default</p>
</td>
<td class="cellrowborder" valign="top" width="73.5%" headers="mcps1.3.2.1.2.3.2.3.1.2 "><p id="dew_01_0044__dew_01_0045_p66818200104828">Object Storage Service (OBS)</p>
</td>
</tr>
<tr id="dew_01_0044__dew_01_0045_row41239781104828"><td class="cellrowborder" valign="top" width="26.5%" headers="mcps1.3.2.1.2.3.2.3.1.1 "><p id="dew_01_0044__dew_01_0045_p41471516104828">evs/default</p>
</td>
<td class="cellrowborder" valign="top" width="73.5%" headers="mcps1.3.2.1.2.3.2.3.1.2 "><p id="dew_01_0044__dew_01_0045_p65102400104828">Elastic Volume Service (EVS)</p>
</td>
</tr>
<tr id="dew_01_0044__dew_01_0045_row2311958917544"><td class="cellrowborder" valign="top" width="26.5%" headers="mcps1.3.2.1.2.3.2.3.1.1 "><p id="dew_01_0044__dew_01_0045_p6074740317544">ims/default</p>
</td>
<td class="cellrowborder" valign="top" width="73.5%" headers="mcps1.3.2.1.2.3.2.3.1.2 "><p id="dew_01_0044__dew_01_0045_p2159264717544">Image Management Service (IMS)</p>
</td>
</tr>
<tr id="dew_01_0044__dew_01_0045_row20537184217141"><td class="cellrowborder" valign="top" width="26.5%" headers="mcps1.3.2.1.2.3.2.3.1.1 "><p id="dew_01_0044__dew_01_0045_p165084781416">sfs/default</p>
</td>
<td class="cellrowborder" valign="top" width="73.5%" headers="mcps1.3.2.1.2.3.2.3.1.2 "><p id="dew_01_0044__dew_01_0045_p106501847101420">Scalable File Service (SFS)</p>
</td>
</tr>
<tr id="dew_01_0044__dew_01_0045_row161641750103819"><td class="cellrowborder" valign="top" width="26.5%" headers="mcps1.3.2.1.2.3.2.3.1.1 "><p id="dew_01_0044__dew_01_0045_p11644505385">rds/default</p>
</td>
<td class="cellrowborder" valign="top" width="73.5%" headers="mcps1.3.2.1.2.3.2.3.1.2 "><p id="dew_01_0044__dew_01_0045_p316415507387">Relational Database Service (RDS)</p>
</td>
</tr>
<tr id="dew_01_0044__dew_01_0045_row84561753914"><td class="cellrowborder" valign="top" width="26.5%" headers="mcps1.3.2.1.2.3.2.3.1.1 "><p id="dew_01_0044__dew_01_0045_p845647193918">dds/default</p>
</td>
<td class="cellrowborder" valign="top" width="73.5%" headers="mcps1.3.2.1.2.3.2.3.1.2 "><p id="dew_01_0044__dew_01_0045_p1445710793910">Document Database Service (DDS)</p>
</td>
</tr>
</tbody>
</table>
</div>
</li></ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0092.html">FAQs</a></div>
</div>
</div>
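Review bot: The first paragraph defines a CMK as a KEK "created by a user on KMS", yet the list below classes default keys as CMKs and says a cloud service creates them automatically, so the definition excludes half of what the topic goes on to describe. Reword the definition to cover both kinds. The sentence after the default-key description says "Default Master Keys" while the rest of the commit says "default keys", and Table 1 is a copy of the table in dew_01_0045 (its row and cell ids still carry the dew_01_0045 prefix); linking to that topic would avoid maintaining the alias list in two places.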

View File

@ -0,0 +1,55 @@
<a name="dew_01_0045"></a><a name="dew_01_0045"></a>
<h1 class="topictitle1">What Is a Default Key?</h1>
<div id="body1481541166618"><p id="dew_01_0045__p5585871212112">A default key is automatically created by another cloud service using KMS, such as Object Storage Service (OBS). The alias of a default key ends with <strong id="dew_01_0045__b517360581161640">/default</strong>.</p>
<p id="dew_01_0045__p37369926114355">You can use the management console to query but cannot disable or schedule the deletion of default keys.</p>
<p id="dew_01_0045__p12438142874">Default keys are hosted for free, and are charged based on the number of the API requests for them. If API requests exceed the free limit, the excess part will be charged.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="dew_01_0045__table42686454104828" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Default master keys</caption><thead align="left"><tr id="dew_01_0045__row59355676104828"><th align="left" class="cellrowborder" valign="top" width="26.5%" id="mcps1.3.4.2.3.1.1"><p id="dew_01_0045__p58543282104828"><strong id="dew_01_0045__b842352706114440_1">Alias</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="73.5%" id="mcps1.3.4.2.3.1.2"><p id="dew_01_0045__p66197698104828"><strong id="dew_01_0045__b842352706114445_1">Cloud Service</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="dew_01_0045__row53124038104828"><td class="cellrowborder" valign="top" width="26.5%" headers="mcps1.3.4.2.3.1.1 "><p id="dew_01_0045__p22934402104828">obs/default</p>
</td>
<td class="cellrowborder" valign="top" width="73.5%" headers="mcps1.3.4.2.3.1.2 "><p id="dew_01_0045__p66818200104828">Object Storage Service (OBS)</p>
</td>
</tr>
<tr id="dew_01_0045__row41239781104828"><td class="cellrowborder" valign="top" width="26.5%" headers="mcps1.3.4.2.3.1.1 "><p id="dew_01_0045__p41471516104828">evs/default</p>
</td>
<td class="cellrowborder" valign="top" width="73.5%" headers="mcps1.3.4.2.3.1.2 "><p id="dew_01_0045__p65102400104828">Elastic Volume Service (EVS)</p>
</td>
</tr>
<tr id="dew_01_0045__row2311958917544"><td class="cellrowborder" valign="top" width="26.5%" headers="mcps1.3.4.2.3.1.1 "><p id="dew_01_0045__p6074740317544">ims/default</p>
</td>
<td class="cellrowborder" valign="top" width="73.5%" headers="mcps1.3.4.2.3.1.2 "><p id="dew_01_0045__p2159264717544">Image Management Service (IMS)</p>
</td>
</tr>
<tr id="dew_01_0045__row20537184217141"><td class="cellrowborder" valign="top" width="26.5%" headers="mcps1.3.4.2.3.1.1 "><p id="dew_01_0045__p165084781416">sfs/default</p>
</td>
<td class="cellrowborder" valign="top" width="73.5%" headers="mcps1.3.4.2.3.1.2 "><p id="dew_01_0045__p106501847101420">Scalable File Service (SFS)</p>
</td>
</tr>
<tr id="dew_01_0045__row161641750103819"><td class="cellrowborder" valign="top" width="26.5%" headers="mcps1.3.4.2.3.1.1 "><p id="dew_01_0045__p11644505385">rds/default</p>
</td>
<td class="cellrowborder" valign="top" width="73.5%" headers="mcps1.3.4.2.3.1.2 "><p id="dew_01_0045__p316415507387">Relational Database Service (RDS)</p>
</td>
</tr>
<tr id="dew_01_0045__row84561753914"><td class="cellrowborder" valign="top" width="26.5%" headers="mcps1.3.4.2.3.1.1 "><p id="dew_01_0045__p845647193918">dds/default</p>
</td>
<td class="cellrowborder" valign="top" width="73.5%" headers="mcps1.3.4.2.3.1.2 "><p id="dew_01_0045__p1445710793910">Document Database Service (DDS)</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="note" id="dew_01_0045__note18522179121116"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="dew_01_0045__p32481891121116">A default key is automatically created when a user employs the KMS encryption function for the first time in another cloud service.</p>
</div></div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0092.html">FAQs</a></div>
</div>
</div>
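Review bot: The billing paragraph says requests beyond "the free limit" are charged, but the topic never states the limit or links to where it is defined, so a reader cannot tell when a default key starts costing money. "Hosted for free, and are charged based on the number of the API requests" also reads as self-contradictory in one sentence; separate hosting from request charges. The closing note repeats the first paragraph, and the table caption says "Default master keys" where the title says "Default Key".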

View File

@ -0,0 +1,12 @@
<a name="dew_01_0046"></a><a name="dew_01_0046"></a>
<h1 class="topictitle1">What Is a Data Encryption Key?</h1>
<div id="body8662426"><p id="dew_01_0046__p0982132210331">A data encryption key (DEK) is used to encrypt data.</p>
<p id="dew_01_0046__p2174163144716">Using KMS, you can create, encrypt, and decrypt DEKs. The KMS system does not save, manage, or track your DEKs, neither does it use the DEKs to encrypt or decrypt data.</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0092.html">FAQs</a></div>
</div>
</div>
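Review bot: The second paragraph says KMS "does not save, manage, or track your DEKs" but stops short of the consequence: the caller has to store the ciphertext DEK itself, as step 4 of the encryption procedure in dew_01_0053 describes. Add that sentence or a link to it, otherwise the FAQ leaves it unclear who is responsible for DEK persistence. The ", neither does it use" clause is a comma splice; "and does not use" reads cleaner.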

View File

@ -0,0 +1,13 @@
<a name="dew_01_0047"></a><a name="dew_01_0047"></a>
<h1 class="topictitle1">What Is Key Management Service?</h1>
<div id="body1490606245657"><p id="dew_01_0047__p16791194916154">KMS is a secure, reliable, and easy-to-use cloud service that helps users create, manage, and protect keys in a centralized manner.</p>
<p id="dew_01_0047__p1497412175167">It uses Hardware Security Modules (HSMs) to protect keys. All keys are protected by root keys in HSMs to avoid key leakage. The HSMs meet the FIPS 140-2 Level 3 security requirements.</p>
<p id="dew_01_0047__p43971522135910">It also controls access to keys and records all operations on keys with traceable logs. In addition, it provides use records of all keys, meeting your audit and regulatory compliance requirements.</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0092.html">FAQs</a></div>
</div>
</div>

View File

@ -0,0 +1,11 @@
<a name="dew_01_0049"></a><a name="dew_01_0049"></a>
<h1 class="topictitle1">Why Can't I Delete a CMK Immediately?</h1>
<div id="body8662426"><p id="dew_01_0049__af0c8e77c32fa400296a812f327f13b7d">The decision to delete a CMK should be considered with great caution. Before deletion, confirm that the CMK's encrypted data has all been migrated. As soon as the CMK is deleted, you will not be able to decrypt data with it. Therefore, KMS offers a user-specified period of 7 to 1096 days for the deletion to finally take effect. On the scheduled day of deletion, the CMK will be permanently deleted. However, prior to the scheduled day, you can still cancel the pending deletion. This is a means of precaution within KMS.</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0092.html">FAQs</a></div>
</div>
</div>
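Review bot: The paragraph says the pending deletion can be cancelled before the scheduled day but does not link to dew_01_0032, which is the procedure a reader in that situation needs; add the cross-reference. The paragraph id af0c8e77c32fa400296a812f327f13b7d also breaks the p-plus-digits pattern used by every other topic in this commit.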

View File

@ -0,0 +1,66 @@
<a name="dew_01_0050"></a><a name="dew_01_0050"></a>
<h1 class="topictitle1">Which Cloud Services Can Use KMS for Encryption?</h1>
<div id="body1481688989687"><p id="dew_01_0050__p4305205314594">Object Storage Service (OBS), Elastic Volume Service (EVS), and Image Management Service (IMS) can use KMS for encryption.</p>
<p id="dew_01_0050__p9202586588">Object Storage Service (OBS), Elastic Volume Service (EVS), Image Management Service (IMS), Scalable File Service (SFS), Document Database Service (DDS), and Relational Database Service (RDS) can use KMS for encryption.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="dew_01_0050__table54491421173414" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Cloud services supported by KMS</caption><thead align="left"><tr id="dew_01_0050__dew_01_0016_row6245203615610"><th align="left" class="cellrowborder" valign="top" width="19.93%" id="mcps1.3.3.2.4.1.1"><p id="dew_01_0050__dew_01_0016_p122453366612">Service</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="58.199999999999996%" id="mcps1.3.3.2.4.1.2"><p id="dew_01_0050__dew_01_0016_p32456364612">How to Use</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="21.87%" id="mcps1.3.3.2.4.1.3"><p id="dew_01_0050__dew_01_0016_p5883151918180">Reference</p>
</th>
</tr>
</thead>
<tbody><tr id="dew_01_0050__dew_01_0016_row624517361619"><td class="cellrowborder" valign="top" width="19.93%" headers="mcps1.3.3.2.4.1.1 "><p id="dew_01_0050__dew_01_0016_p92457362614">Object Storage Service (OBS)</p>
</td>
<td class="cellrowborder" valign="top" width="58.199999999999996%" headers="mcps1.3.3.2.4.1.2 "><p id="dew_01_0050__dew_01_0016_p57692822165925">You can upload objects to and download them from OBS in common mode or server-side encryption mode. When you upload objects in encryption mode, data is encrypted at the server side and then securely stored on OBS in ciphertext. When you download encrypted objects, the data in ciphertext is decrypted at the server side and then provided to you in plaintext. OBS supports the server-side encryption with KMS-managed keys (SSE-KMS). In this mode, OBS uses the keys provided by KMS for server-side encryption.</p>
</td>
<td class="cellrowborder" valign="top" width="21.87%" headers="mcps1.3.3.2.4.1.3 "><p id="dew_01_0050__dew_01_0016_p621125372111"><i><cite id="dew_01_0050__dew_01_0016_cite1988611011197">Object Storage Service Console Operation Guide</cite></i></p>
</td>
</tr>
<tr id="dew_01_0050__dew_01_0016_row1124517361262"><td class="cellrowborder" valign="top" width="19.93%" headers="mcps1.3.3.2.4.1.1 "><p id="dew_01_0050__dew_01_0016_p224553614611">Elastic Volume Service (EVS)</p>
</td>
<td class="cellrowborder" valign="top" width="58.199999999999996%" headers="mcps1.3.3.2.4.1.2 "><p id="dew_01_0050__dew_01_0016_p5195880517016">If you enable the encryption function when creating an EVS disk, the disk will be encrypted with the DEK generated by using your CMK. Data stored in the EVS disk will be automatically encrypted.</p>
</td>
<td class="cellrowborder" valign="top" width="21.87%" headers="mcps1.3.3.2.4.1.3 "><p id="dew_01_0050__dew_01_0016_p10587155122318"><i><cite id="dew_01_0050__dew_01_0016_cite12788565239">Elastic Volume Service User Guide</cite></i></p>
</td>
</tr>
<tr id="dew_01_0050__dew_01_0016_row924520361862"><td class="cellrowborder" valign="top" width="19.93%" headers="mcps1.3.3.2.4.1.1 "><p id="dew_01_0050__dew_01_0016_p17246136469">Image Management Service (IMS)</p>
</td>
<td class="cellrowborder" valign="top" width="58.199999999999996%" headers="mcps1.3.3.2.4.1.2 "><p id="dew_01_0050__dew_01_0016_p2031176417022">When creating a private image using an external image file, you can enable the private image encryption function and select a CMK provided by KMS to encrypt the image.</p>
</td>
<td class="cellrowborder" valign="top" width="21.87%" headers="mcps1.3.3.2.4.1.3 "><p id="dew_01_0050__dew_01_0016_p1514225482715"><i><cite id="dew_01_0050__dew_01_0016_cite19478185415278">Image Management Service User Guide</cite></i></p>
</td>
</tr>
<tr id="dew_01_0050__dew_01_0016_row02465361618"><td class="cellrowborder" valign="top" width="19.93%" headers="mcps1.3.3.2.4.1.1 "><p id="dew_01_0050__dew_01_0016_p9246133619613">Scalable File Service (SFS)</p>
</td>
<td class="cellrowborder" valign="top" width="58.199999999999996%" headers="mcps1.3.3.2.4.1.2 "><p id="dew_01_0050__dew_01_0016_p102319261638">When creating a file system on SFS, the CMK provided by KMS can be selected to encrypt the file system, so that files stored in the file system are automatically encrypted.</p>
</td>
<td class="cellrowborder" valign="top" width="21.87%" headers="mcps1.3.3.2.4.1.3 "><p id="dew_01_0050__dew_01_0016_p13206114443015"><i><cite id="dew_01_0050__dew_01_0016_cite8697450163018">Scalable File Service User Guide</cite></i></p>
</td>
</tr>
<tr id="dew_01_0050__dew_01_0016_row32461936262"><td class="cellrowborder" valign="top" width="19.93%" headers="mcps1.3.3.2.4.1.1 "><p id="dew_01_0050__dew_01_0016_p2246936568">Relational Database Service (RDS)</p>
</td>
<td class="cellrowborder" valign="top" width="58.199999999999996%" headers="mcps1.3.3.2.4.1.2 "><p id="dew_01_0050__dew_01_0016_p833055014464">When purchasing a database instance, you can enable the disk encryption function of the database instance and select a CMK created on KMS to encrypt the disk of the database instance. Enabling the disk encryption function will enhance data security.</p>
</td>
<td class="cellrowborder" valign="top" width="21.87%" headers="mcps1.3.3.2.4.1.3 "><p id="dew_01_0050__dew_01_0016_p474318343316"><i><cite id="dew_01_0050__dew_01_0016_cite9874118193317">Relational Database Service User Guide</cite></i></p>
</td>
</tr>
<tr id="dew_01_0050__dew_01_0016_row13851202164517"><td class="cellrowborder" valign="top" width="19.93%" headers="mcps1.3.3.2.4.1.1 "><p id="dew_01_0050__dew_01_0016_p685252112459">Document Database Service (DDS)</p>
</td>
<td class="cellrowborder" valign="top" width="58.199999999999996%" headers="mcps1.3.3.2.4.1.2 "><p id="dew_01_0050__dew_01_0016_p2037916913468">When purchasing a DDS instance, you can enable the disk encryption function of the instance and select a CMK created on KMS to encrypt the disk of the instance. Enabling the disk encryption function will enhance data security.</p>
</td>
<td class="cellrowborder" valign="top" width="21.87%" headers="mcps1.3.3.2.4.1.3 "><p id="dew_01_0050__dew_01_0016_p1285664023518"><i><cite id="dew_01_0050__dew_01_0016_cite3332114710353">Document Database Service User Guide</cite></i></p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0092.html">FAQs</a></div>
</div>
</div>
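Review bot: The first two paragraphs contradict each other: p4305205314594 lists only OBS, EVS and IMS, while p9202586588 and Table 1 list six services including SFS, DDS and RDS. Drop the first paragraph. The "How to Use" column width is emitted as 58.199999999999996%, which looks like an unrounded float from the generator and should be rounded.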

View File

@ -0,0 +1,22 @@
<a name="dew_01_0053"></a><a name="dew_01_0053"></a>
<h1 class="topictitle1">How Do Cloud Services Use KMS to Encrypt Data?</h1>
<div id="body1508302911825"><p id="dew_01_0053__p1563974216204">Services (such as OBS, IMS, EVS, SFS, DDS, and RDS) use the envelope encryption method provided by KMS to protect data.</p>
<div class="note" id="dew_01_0053__note1632913553230"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="dew_01_0053__p1432985522310">Envelope encryption is the practice of encrypting data with a DEK and then encrypting the DEK with a root key that you can fully manage. In this case, CMKs are not required for encryption or decryption.</p>
</div></div>
<div class="section" id="dew_01_0053__section124407010813"><h4 class="sectiontitle">Envelope Encryption and Decryption Principles</h4><ul id="dew_01_0053__ul14474192915915"><li id="dew_01_0053__dew_01_0006_li1543123412361"><a href="#dew_01_0053__dew_01_0006_fig1265115271176">Figure 1</a> illustrates the process for encrypting a local file.<div class="fignone" id="dew_01_0053__dew_01_0006_fig1265115271176"><a name="dew_01_0053__dew_01_0006_fig1265115271176"></a><a name="dew_01_0006_fig1265115271176"></a><span class="figcap"><b>Figure 1 </b>Encrypting a local file</span><br><span><img id="dew_01_0053__dew_01_0006_image3652527476" src="en-us_image_0232858228.png"></span></div>
<div class="p" id="dew_01_0053__dew_01_0006_p1733533725610">The procedure is as follows:<ol id="dew_01_0053__dew_01_0006_ol183351137175613"><li id="dew_01_0053__dew_01_0006_li1914417517112">Create a CMK on KMS.</li><li id="dew_01_0053__dew_01_0006_li19144251151115">Call the <span class="parmvalue" id="dew_01_0053__dew_01_0006_parmvalue19444152575212"><b>create-datakey</b></span> API of KMS to create a DEK. Then you get a plaintext DEK and a ciphertext DEK. The ciphertext DEK is generated when you use a CMK to encrypt the plaintext DEK.</li><li id="dew_01_0053__dew_01_0006_li1614465171118">Use the plaintext DEK to encrypt the file. A ciphertext file is generated.</li><li id="dew_01_0053__dew_01_0006_li17337203795613">Save the ciphertext DEK and the ciphertext file together in a persistent storage device or a storage service.</li></ol>
</div>
</li><li id="dew_01_0053__dew_01_0006_li35556366373"><a href="#dew_01_0053__dew_01_0006_fig133981165810">Figure 2</a> illustrates the process for decrypting a local file.<div class="fignone" id="dew_01_0053__dew_01_0006_fig133981165810"><a name="dew_01_0053__dew_01_0006_fig133981165810"></a><a name="dew_01_0006_fig133981165810"></a><span class="figcap"><b>Figure 2 </b>Decrypting a local file</span><br><span><img id="dew_01_0053__dew_01_0006_image173981416786" src="en-us_image_0232858842.png"></span></div>
<div class="p" id="dew_01_0053__dew_01_0006_p466631785715">The procedure is as follows:<ol id="dew_01_0053__dew_01_0006_ol17666171735711"><li id="dew_01_0053__dew_01_0006_li1145951121111">Obtain the ciphertext DEK and file from the persistent storage device or the storage service.</li><li id="dew_01_0053__dew_01_0006_li17145205111112">Call the <span class="parmvalue" id="dew_01_0053__dew_01_0006_parmvalue1051755216529"><b>decrypt-datakey</b></span> API of KMS and use the corresponding CMK (the one used for encrypting the DEK) to decrypt the ciphertext DEK. Then you get the plaintext DEK.<p id="dew_01_0053__dew_01_0006_p1145115112118">If the CMK is deleted, the decryption fails. Therefore, properly keep your CMKs.</p>
</li><li id="dew_01_0053__dew_01_0006_li3669191785714">Use the plaintext DEK to decrypt the ciphertext file.</li></ol>
</div>
</li></ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0092.html">FAQs</a></div>
</div>
</div>
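Review bot: The note says that in envelope encryption "CMKs are not required for encryption or decryption", but the procedures beneath it start with "Create a CMK on KMS", encrypt the DEK with that CMK, and warn that decryption fails if the CMK is deleted. Reword the note to say the CMK is not applied to the data itself, only to the DEK. The encryption steps should also tell the reader to discard the plaintext DEK once the file is encrypted, since step 4 only mentions storing the ciphertext DEK.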

View File

@ -0,0 +1,23 @@
<a name="dew_01_0054"></a><a name="dew_01_0054"></a>
<h1 class="topictitle1">What Are the Benefits of Envelope Encryption?</h1>
<div id="body1508302911825"><p id="dew_01_0054__p636231572315">Envelope encryption is the practice of encrypting data with a DEK and then encrypting the DEK with a root key that you can fully manage. In this case, CMKs are not required for encryption or decryption.</p>
<p id="dew_01_0054__p55067918252">Benefits:</p>
<ul id="dew_01_0054__ul1012722115254"><li id="dew_01_0054__li41556328254">Advantages over CMK encryption in KMS<p id="dew_01_0054__p45141745104214"><a name="dew_01_0054__li41556328254"></a><a name="li41556328254"></a>Users can use CMKs to encrypt and decrypt data on the KMS console or by calling KMS APIs.</p>
<p id="dew_01_0054__p8134841102518">A CMK can encrypt and decrypt data no more than 4 KB. An envelope can encrypt and decrypt larger volumes of data.</p>
<p id="dew_01_0054__p141341741202516">Data encrypted using envelopes does not need to be transferred. Only the DEKs need to be transferred to the KMS server.</p>
</li><li id="dew_01_0054__li7912184511252">Advantages over encryption by using cloud services<ul id="dew_01_0054__ul11965201322615"><li id="dew_01_0054__li1396561372611">Security<p id="dew_01_0054__p139651713172617"><a name="dew_01_0054__li1396561372611"></a><a name="li1396561372611"></a>Data transferred to the cloud for encryption is exposed to risks such as interception and phishing.</p>
<p id="dew_01_0054__p10166195318269">During envelope encryption, KMS uses Hardware Security Modules (HSMs) to protect keys. All CMKs are protected by root keys in HSMs to avoid key leakage.</p>
</li><li id="dew_01_0054__li4965213132610">Trustworthiness<p id="dew_01_0054__p117009372817"><a name="dew_01_0054__li4965213132610"></a><a name="li4965213132610"></a>You will worry about data security on the cloud. It is also difficult for cloud services to prove that they never misuse or disclose such data.</p>
<p id="dew_01_0054__p1054826152813">If you choose envelope encryption, KMS will control access to keys and record all usages of and operations on keys with traceable logs, meeting your audit and regulatory compliance requirements.</p>
</li><li id="dew_01_0054__li396514138265">Performance and cost<p id="dew_01_0054__p199651713152614"><a name="dew_01_0054__li396514138265"></a><a name="li396514138265"></a>To encrypt or decrypt data using a cloud service, you have to send the data to the encryption server and receive the processed data. This process seriously affects your service performance and incurs high costs.</p>
<p id="dew_01_0054__p28241193288">Envelope encryption allows you to generate DEKs online by calling KMS cryptographic algorithm APIs, and to encrypt a large amount of local data with the DEKs.</p>
</li></ul>
</li></ul>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0092.html">FAQs</a></div>
</div>
</div>
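Review bot: In the first bullet, "Only the DEKs need to be transferred to the KMS server" (dew_01_0054__p141341741202516) does not say whether the plaintext or the ciphertext DEK is sent, and that is the detail a reader needs to judge the exposure. Suggest naming the form of the DEK that leaves the client. Two wording points in the same hunk: "A CMK can encrypt and decrypt data no more than 4 KB" reads better as "A CMK can directly encrypt or decrypt at most 4 KB of data", and "You will worry about data security on the cloud" under Trustworthiness asserts something about the reader; "You may be concerned about" is closer to the intent.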

@ -0,0 +1,39 @@
<a name="dew_01_0055"></a><a name="dew_01_0055"></a>
<h1 class="topictitle1">What Are the Differences Between a Custom Key and a Default Key?</h1>
<div id="body1508302911825"><p id="dew_01_0055__p5076864893027">The following table describes the differences between a custom key and a default key.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="dew_01_0055__table3710455493120" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Differences between a custom key and a default key</caption><thead align="left"><tr id="dew_01_0055__row689534593120"><th align="left" class="cellrowborder" valign="top" width="20.11%" id="mcps1.3.2.2.4.1.1"><p id="dew_01_0055__p6065075293120">Item</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="35.15%" id="mcps1.3.2.2.4.1.2"><p id="dew_01_0055__p1915223993559">Definition</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="44.74%" id="mcps1.3.2.2.4.1.3"><p id="dew_01_0055__p4113363693120">Difference</p>
</th>
</tr>
</thead>
<tbody><tr id="dew_01_0055__row1311937993120"><td class="cellrowborder" valign="top" width="20.11%" headers="mcps1.3.2.2.4.1.1 "><p id="dew_01_0055__p5603678893120">Custom key</p>
</td>
<td class="cellrowborder" valign="top" width="35.15%" headers="mcps1.3.2.2.4.1.2 "><p id="dew_01_0055__p3004822193559"><span id="dew_01_0055__ph387329699401">A Key Encryption Key (KEK) created using KMS. The key is used to encrypt and protect DEKs.</span></p>
<p id="dew_01_0055__p531672849402">A custom key can be used to encrypt multiple DEKs.</p>
</td>
<td class="cellrowborder" valign="top" width="44.74%" headers="mcps1.3.2.2.4.1.3 "><ul id="dew_01_0055__ul1891314016577"><li id="dew_01_0055__li109131840185712">It can be disabled and scheduled for deletion.</li><li id="dew_01_0055__li176598420574">It is billed per use after the being created or imported.</li></ul>
</td>
</tr>
<tr id="dew_01_0055__row4667679093120"><td class="cellrowborder" valign="top" width="20.11%" headers="mcps1.3.2.2.4.1.1 "><p id="dew_01_0055__p2272364493120">Default key</p>
</td>
<td class="cellrowborder" valign="top" width="35.15%" headers="mcps1.3.2.2.4.1.2 "><p id="dew_01_0055__p1798684193559">Automatically generated by the system when you use KMS to encrypt data in another cloud service for the first time. The suffix of the key is <strong id="dew_01_0055__b842352706143025">/default</strong>.</p>
<p id="dew_01_0055__p6175177194218">Example: <strong id="dew_01_0055__b842352706235235">evs/default</strong></p>
</td>
<td class="cellrowborder" valign="top" width="44.74%" headers="mcps1.3.2.2.4.1.3 "><ul id="dew_01_0055__ul852523085817"><li id="dew_01_0055__li15251430115818">It cannot be disabled or scheduled for deletion.</li></ul>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0092.html">FAQs</a></div>
</div>
</div>
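Review bot: Typo in the custom key row, item dew_01_0055__li176598420574: "It is billed per use after the being created or imported" should read "after being created or imported". The Difference column is also asymmetric: the custom key row states billing, while the default key row only says it cannot be disabled or scheduled for deletion. Suggest adding the billing behaviour of default keys so the two rows can be compared item by item.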

@ -0,0 +1,12 @@
<a name="dew_01_0056"></a><a name="dew_01_0056"></a>
<h1 class="topictitle1">Is There a Limit on the Number of Custom Keys That I Can Create on KMS?</h1>
<div id="body1508302911826"><p id="dew_01_0056__p5244925519463">There is a limit on the number of custom keys that can be created on KMS.</p>
<p id="dew_01_0056__p569208164616">You can create a maximum of 100 custom keys, including those in enabled, disabled, and pending deletion states. Default keys are not included.</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0092.html">FAQs</a></div>
</div>
</div>
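Review bot: The limit in dew_01_0056__p569208164616 ("a maximum of 100 custom keys") has no stated scope. The console procedures in this commit have the user "select a region or project", so say whether the 100 keys are counted per account, per region or per project. The first paragraph only restates the title as a sentence and can be dropped, or replaced by a plain "Yes."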

@ -0,0 +1,12 @@
<a name="dew_01_0058"></a><a name="dew_01_0058"></a>
<h1 class="topictitle1">Can I Export a CMK from KMS?</h1>
<div id="body1508302911826"><p id="dew_01_0058__p9810320162141">No.</p>
<p id="dew_01_0058__p16624289112057">To ensure CMK security, users can only create and use CMKs in KMS.</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0092.html">FAQs</a></div>
</div>
</div>
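Review bot: "users can only create and use CMKs in KMS" (dew_01_0058__p16624289112057) is too absolute next to the import topics in this same commit, which describe custom keys whose key material source is external and advise keeping a local backup of that material. Suggest wording the answer as: key material held in KMS cannot be exported, and for imported key material the only copy outside KMS is the one the user kept before import.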

@ -0,0 +1,13 @@
<a name="dew_01_0059"></a><a name="dew_01_0059"></a>
<h1 class="topictitle1">Can I Decrypt My Data if I Permanently Delete My Custom Key?</h1>
<div id="body1516696854978"><p id="dew_01_0059__p267614064610">No.</p>
<p id="dew_01_0059__p797611519422">If you have permanently deleted your custom key, the data encrypted using it cannot be decrypted. Before the scheduled deletion date of the custom key, you can cancel the scheduled deletion.</p>
<p id="dew_01_0059__p593061534118">If the custom key is created using imported key material and only the key material is deleted, you can import the local backup of the key material to the custom key and reclaim the user data. If the key material is not backed up locally, user data cannot be reclaimed.</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0092.html">FAQs</a></div>
</div>
</div>
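Review bot: The third paragraph (dew_01_0059__p593061534118) says the local backup can be imported again but omits the condition stated in Deleting Key Materials, that the re-imported material must be the same as the deleted one. Add that condition here, since this FAQ is where a user recovering from a deletion will land. "reclaim the user data" would also be clearer as "decrypt the data again", matching the wording of the question.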

@ -0,0 +1,27 @@
<a name="dew_01_0060"></a><a name="dew_01_0060"></a>
<h1 class="topictitle1">How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data?</h1>
<div id="body1513824148963"><p id="dew_01_0060__p1041034202">You can use the online tool to encrypt or decrypt data in the following procedures:</p>
<div class="section" id="dew_01_0060__section1128520338576"><h4 class="sectiontitle">Encrypting Data</h4><ol id="dew_01_0060__dew_01_0022_ol17677259151342"><li id="dew_01_0060__dew_01_0022_li20878132444910"><span>Log in to the management console.</span></li><li id="dew_01_0060__dew_01_0022_li11878172474919"><span>Click <span><img id="dew_01_0060__dew_01_0022_dew_01_0178_image10325154918393" src="en-us_image_0000001284811084.png"></span> in the upper left corner of the management console and select a region or project.</span></li><li id="dew_01_0060__dew_01_0022_li1279512297175"><span>Click <span><img id="dew_01_0060__dew_01_0022_image1124575085517" src="en-us_image_0000002511598247.png"></span> on the left and choose <span class="menucascade" id="dew_01_0060__dew_01_0022_menucascade42460501558"><b><span class="uicontrol" id="dew_01_0060__dew_01_0022_uicontrol7245175010555">Security</span></b> &gt; <b><span class="uicontrol" id="dew_01_0060__dew_01_0022_uicontrol02461850205516">Key Management Service</span></b></span>.</span></li><li id="dew_01_0060__dew_01_0022_li49600184597"><span>Click the name of the target custom key to access the key details page. Click the <strong id="dew_01_0060__dew_01_0022_b145035013559">Tool</strong> tab.</span></li><li id="dew_01_0060__dew_01_0022_li8513572061"><span>Click <strong id="dew_01_0060__dew_01_0022_b177715251418">Encrypt</strong>. In the text box on the left, enter the data to be encrypted, as shown in <a href="#dew_01_0060__dew_01_0022_fig61927028183617">Figure 1</a>.</span><p><div class="fignone" id="dew_01_0060__dew_01_0022_fig61927028183617"><a name="dew_01_0060__dew_01_0022_fig61927028183617"></a><a name="dew_01_0022_fig61927028183617"></a><span class="figcap"><b>Figure 1 </b>Encrypting data</span><br><span><img id="dew_01_0060__dew_01_0022_image2707364481" src="en-us_image_0000001629601212.png"></span></div>
</p></li><li id="dew_01_0060__dew_01_0022_li145581622484"><span>Click <strong id="dew_01_0060__dew_01_0022_b10106172520422">Execute</strong>. Ciphertext of the data is displayed in the text box on the right.</span><p><div class="note" id="dew_01_0060__dew_01_0022_note1652557269"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="dew_01_0060__dew_01_0022_ul13212113916814"><li id="dew_01_0060__dew_01_0022_li8211914111510">Use the current CMK to encrypt the data.</li><li id="dew_01_0060__dew_01_0022_li4212153919814">To clear your input, click <strong id="dew_01_0060__dew_01_0022_b429844654214">Clear</strong>.</li><li id="dew_01_0060__dew_01_0022_li152125391984">To copy the encrypted data, click <strong id="dew_01_0060__dew_01_0022_b02094587429">Copy to Clipboard</strong>. You can then paste and save it to a local file.</li></ul>
</div></div>
</p></li></ol>
</div>
<div class="note" id="dew_01_0060__note434094173719"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="dew_01_0060__p1726155024013">Enter the plaintext on the console, the text will be encoded to Base64 format before encryption.</p>
<p id="dew_01_0060__p19341104193711">The decryption result returned via API will be in Base64 format. Perform Base64 decoding to obtain the plaintext entered on the console.</p>
</div></div>
<div class="section" id="dew_01_0060__section861815517577"><h4 class="sectiontitle">Decrypting Data</h4><ol id="dew_01_0060__dew_01_0022_ol2839154719318"><li id="dew_01_0060__dew_01_0022_li5490143683618"><span>Log in to the management console.</span></li><li id="dew_01_0060__dew_01_0022_li1383954718318"><span>Click <span><img id="dew_01_0060__dew_01_0022_dew_01_0178_image10325154918393_1" src="en-us_image_0000001284811084.png"></span> in the upper left corner of the management console and select a region or project.</span></li><li id="dew_01_0060__dew_01_0022_li9748814203513"><span>Click <span><img id="dew_01_0060__dew_01_0022_image5564195211553" src="en-us_image_0000002511605033.png"></span> on the left and choose <span class="menucascade" id="dew_01_0060__dew_01_0022_menucascade956535216555"><b><span class="uicontrol" id="dew_01_0060__dew_01_0022_uicontrol1656412526559">Security</span></b> &gt; <b><span class="uicontrol" id="dew_01_0060__dew_01_0022_uicontrol5565155213551">Key Management Service</span></b></span>.</span></li></ol><ol start="4" id="dew_01_0060__dew_01_0022_ol12988161919918"><li id="dew_01_0060__dew_01_0022_li1486413121014"><span>You can click any non-default key in <strong id="dew_01_0060__dew_01_0022_b842352706112914">Enabled</strong> status to go to the encryption and decryption page of the online tool.</span></li><li id="dew_01_0060__dew_01_0022_li11865163131014"><span>Click <strong id="dew_01_0060__dew_01_0022_b12255116194310">Decrypt</strong> and enter the data to be decrypted in the text box, as shown in <a href="#dew_01_0060__dew_01_0022_fig1586514341014">Figure 2</a>.</span><p><div class="note" id="dew_01_0060__dew_01_0022_note3864113161017"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="dew_01_0060__dew_01_0022_ul1812317431410"><li id="dew_01_0060__dew_01_0022_li312313481420">The tool will identify the original encryption CMK and use it to decrypt the data.</li><li 
id="dew_01_0060__dew_01_0022_li41234411143">If the key has been deleted, the decryption will fail.</li></ul>
</div></div>
<div class="fignone" id="dew_01_0060__dew_01_0022_fig1586514341014"><a name="dew_01_0060__dew_01_0022_fig1586514341014"></a><a name="dew_01_0022_fig1586514341014"></a><span class="figcap"><b>Figure 2 </b>Decrypting data</span><br><span><img id="dew_01_0060__dew_01_0022_image694415194517" src="en-us_image_0000001629122164.png"></span></div>
</p></li><li id="dew_01_0060__dew_01_0022_li78650312108"><span>Click <strong id="dew_01_0060__dew_01_0022_b842352706163142">Execute</strong>. Plaintext of the data is displayed in the text box on the right.</span><p><div class="note" id="dew_01_0060__dew_01_0022_note15120629191411"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="dew_01_0060__dew_01_0022_ul135993613337"><li id="dew_01_0060__dew_01_0022_li11600065339">You can click <strong id="dew_01_0060__dew_01_0022_b842352706164331">Copy to Clipboard</strong> to copy the plaintext and save it in a local file.</li><li id="dew_01_0060__dew_01_0022_li1628081119238">Enter the plaintext on the console, the text will be encoded to Base64 format before encryption.<p id="dew_01_0060__dew_01_0022_p19341104193711"><a name="dew_01_0060__dew_01_0022_li1628081119238"></a><a name="dew_01_0022_li1628081119238"></a>The decryption result returned via API will be in Base64 format. Perform Base64 decoding to obtain the plaintext entered on the console.</p>
</li></ul>
</div></div>
</p></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0092.html">FAQs</a></div>
</div>
</div>
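Review bot: The Base64 note appears twice, once as the standalone note dew_01_0060__note434094173719 between the two sections and again inside the note under step 6 of Decrypting Data (dew_01_0060__dew_01_0022_li1628081119238), where it describes what happens before encryption. Keep one copy, place it with the Encrypting Data steps, and fix the comma splice: "The plaintext you enter on the console is Base64-encoded before encryption." Step 4 also differs between the two procedures ("Click the name of the target custom key ... Click the Tool tab" versus "click any non-default key in Enabled status"); use the same navigation text in both. The notes that recommend Copy to Clipboard and saving the decrypted plaintext to a local file would benefit from a reminder that the plaintext is no longer protected by KMS once it is copied.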

@ -0,0 +1,12 @@
<a name="dew_01_0062"></a><a name="dew_01_0062"></a>
<h1 class="topictitle1">Can I Update CMKs Created by KMS-Generated Key Materials?</h1>
<div id="body1521596102531"><p id="dew_01_0062__p8060118">No.</p>
<p id="dew_01_0062__p1632081914388">Keys created using KMS-generated materials cannot be updated. You can only use KMS to create new CMKs to encrypt and decrypt data.</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0092.html">FAQs</a></div>
</div>
</div>
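Review bot: The answer in dew_01_0062__p1632081914388, "Keys created using KMS-generated materials cannot be updated", needs to be reconciled with the rotation topics in this commit, which say that symmetric keys created in KMS can be rotated and that automatic rotation changes the key material of a CMK. Define what "update" means here (for example, replacing the material with user-supplied material) and link to About Key Rotation, otherwise the two pages read as contradictory.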

@ -0,0 +1,42 @@
<a name="dew_01_0088"></a><a name="dew_01_0088"></a>
<h1 class="topictitle1">Overview</h1>
<div id="body1525421554097"><div class="p" id="dew_01_0088__a3bf9ffe5da1149078cea14a21c0a8369">A custom key contains key metadata (key ID, key name, description, key status, and creation date) and key materials used for encrypting and decrypting data.<ul id="dew_01_0088__ud577747dd3f642008cae98c326cfb97d"><li id="dew_01_0088__l0aff38ddb542410a9f2a4416f32169e7">When a user uses the KMS console to create a custom key, the KMS automatically generates a key material for the custom key.</li><li id="dew_01_0088__l325fefd364fa4fcb896ba0e6cb426793">If you want to use your own key material, you can use the KMS console to create a custom key whose key material source is external, and import the key material to the custom key.</li></ul>
</div>
<div class="section" id="dew_01_0088__s3f753595a83247f2893dd5dd1ddc46e5"><h4 class="sectiontitle">Important Notes</h4><ul id="dew_01_0088__ud3274b20df7b4eabaf205162782ca8d6"><li id="dew_01_0088__en-us_topic_0101786406_li13253317211">Security<p id="dew_01_0088__en-us_topic_0101786406_p132521740923"><a name="dew_01_0088__en-us_topic_0101786406_li13253317211"></a><a name="en-us_topic_0101786406_li13253317211"></a>You need to ensure that random sources meet your security requirements when using them to generate key materials. When using the import key materials function, you need to be responsible for the security of your key materials. Save the original backup of the key material so that the backup key material can be imported to the KMS in time when the key material is deleted accidentally.</p>
</li><li id="dew_01_0088__l674baad78a804a0982db57d1f2aa53ba">Availability and durability<p id="dew_01_0088__a6d391f1d7a3842b0b4013ff63d429458"><a name="dew_01_0088__l674baad78a804a0982db57d1f2aa53ba"></a><a name="l674baad78a804a0982db57d1f2aa53ba"></a>Before importing the key material into KMS, you need to ensure the availability and durability of the key material.</p>
<p id="dew_01_0088__a2fa51adf5ba84201875e17e287a4d1b9">Differences between the imported key material and the key material generated by KMS are shown in <a href="#dew_01_0088__t487a5cf584df41c0ae6cb48067f92643">Table 1</a>.</p>
<div class="tablenoborder"><a name="dew_01_0088__t487a5cf584df41c0ae6cb48067f92643"></a><a name="t487a5cf584df41c0ae6cb48067f92643"></a><table cellpadding="4" cellspacing="0" summary="" id="dew_01_0088__t487a5cf584df41c0ae6cb48067f92643" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Differences between the imported key material and the key material generated by KMS</caption><thead align="left"><tr id="dew_01_0088__r90c9721328be4eeab210f7fb6240a32e"><th align="left" class="cellrowborder" valign="top" width="14.000000000000002%" id="mcps1.3.2.2.2.3.2.3.1.1"><p id="dew_01_0088__en-us_topic_0101786406_p433534731217">Key Material Source</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="86%" id="mcps1.3.2.2.2.3.2.3.1.2"><p id="dew_01_0088__a989d845859b1494da679ecdc4bc54116">Difference</p>
</th>
</tr>
</thead>
<tbody><tr id="dew_01_0088__r1872f0be6bc04a2f8d94d6c533da36d7"><td class="cellrowborder" valign="top" width="14.000000000000002%" headers="mcps1.3.2.2.2.3.2.3.1.1 "><p id="dew_01_0088__ab761a560838a44c0b3140ad1796a87cf">Imported keys</p>
</td>
<td class="cellrowborder" valign="top" width="86%" headers="mcps1.3.2.2.2.3.2.3.1.2 "><ul id="dew_01_0088__u6dd1140bd0294c38afc239874611f83f"><li id="dew_01_0088__la57f71ffd3d94cadba25791f9f02e414">You can delete the key material, but cannot delete the custom key and its metadata.</li><li id="dew_01_0088__li1535315448478">Such keys cannot be rotated.</li><li id="dew_01_0088__l85dd12b5d0bd47448c8266543bee9868">When importing the key material, you can set the expiration time of the key material. After the key material expires, the KMS automatically deletes the key material within 24 hours, but does not delete the custom key and its metadata.<p id="dew_01_0088__a1e5fe1dc513b490a959e81a5d97dda34"><a name="dew_01_0088__l85dd12b5d0bd47448c8266543bee9868"></a><a name="l85dd12b5d0bd47448c8266543bee9868"></a>It is recommended that you save a copy of the material on your local device because it may be used for re-import in cases of invalid key materials or key material mis-deletion.</p>
<div class="note" id="dew_01_0088__note139562554719"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="dew_01_0088__p1339520253477">Keys using RSA_2048, RSA_3072, RSA_4096, EC_P256, and EC_P384 algorithms are permanently valid. Their key materials cannot be manually deleted, and their expiration time cannot be configured.</p>
</div></div>
</li></ul>
</td>
</tr>
<tr id="dew_01_0088__r580413ae2f4149f18e7aaab8074b298d"><td class="cellrowborder" valign="top" width="14.000000000000002%" headers="mcps1.3.2.2.2.3.2.3.1.1 "><p id="dew_01_0088__a55f2428af3404bb89e9549a7825204f6">Keys created in KMS</p>
</td>
<td class="cellrowborder" valign="top" width="86%" headers="mcps1.3.2.2.2.3.2.3.1.2 "><ul id="dew_01_0088__uab11f372242646fdb6d9fb6f30e9901d"><li id="dew_01_0088__en-us_topic_0101786406_li79056018521">The key material cannot be manually deleted.</li><li id="dew_01_0088__li751664617557">Symmetric keys can be rotated.</li><li id="dew_01_0088__l80438789b1cb4d9d9dd755e506d31990">You cannot set the expiration time for key material.</li></ul>
</td>
</tr>
</tbody>
</table>
</div>
</li><li id="dew_01_0088__l2d3f4af160f54d55a869aa125a3ba7be">Association<p id="dew_01_0088__a30ade659a392407480bee44e6dc0bf17"><a name="dew_01_0088__l2d3f4af160f54d55a869aa125a3ba7be"></a><a name="l2d3f4af160f54d55a869aa125a3ba7be"></a>When a key material is imported to a custom key, the custom key is permanently associated with the key material. Other key materials cannot be imported into the custom key.</p>
</li><li id="dew_01_0088__en-us_topic_0101786406_li08709523619">Uniqueness<p id="dew_01_0088__a4fdfcb6e78de4a8ba91bed09b69594be"><a name="dew_01_0088__en-us_topic_0101786406_li08709523619"></a><a name="en-us_topic_0101786406_li08709523619"></a>If you use the custom key created using the imported key material to encrypt data, the encrypted data can be decrypted only by the custom key that has been used to encrypt the data, because the metadata and key material of the custom key must be consistent.</p>
</li></ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0142.html">Creating CMKs Using Imported Key Materials</a></div>
</div>
</div>
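Review bot: In Table 1, the Imported keys row contradicts itself: the first bullet (dew_01_0088__la57f71ffd3d94cadba25791f9f02e414) says "You can delete the key material" and the third says an expiration time can be set, while the nested note (dew_01_0088__note139562554719) says that for RSA_2048, RSA_3072, RSA_4096, EC_P256 and EC_P384 keys the material cannot be manually deleted and no expiration can be configured. Scope the first and third bullets to symmetric keys, or split the row by key type. The nested note also uses a text "NOTE:" title without the note icon used by the other notes in this commit. In the Security item, "the backup key material can be imported to the KMS in time" would be clearer as "can be re-imported promptly".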

File diff suppressed because it is too large

@ -0,0 +1,21 @@
<a name="dew_01_0090"></a><a name="dew_01_0090"></a>
<h1 class="topictitle1">Deleting Key Materials</h1>
<div id="body1525421554097"><p id="dew_01_0090__a3a2f59c0605e465bb18be43d390a67cb">When importing key materials, you can specify their expiration time. After the key material expires, KMS deletes it, and the status of the custom key changes to <strong id="dew_01_0090__b842352706195336">Pending import</strong>. You can manually delete the key materials as needed. The effect of expiration of the key material is the same as that of manual deletion of the key material.</p>
<p id="dew_01_0090__en-us_topic_0101786408_p09617577515">This section describes how to delete imported key materials on the KMS console.</p>
<div class="note" id="dew_01_0090__note48554101985"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="dew_01_0090__ul174851720185113"><li id="dew_01_0090__li194861120175111">To re-import a deleted key material, ensure the imported material is the same as the deleted one.</li><li id="dew_01_0090__li348732085116">Data encrypted using a CMK cannot be decrypted if the key material of the custom key was deleted. To decrypt the data, re-import the key material.</li></ul>
</div></div>
<div class="section" id="dew_01_0090__s4ef841f72ac94d9d8b8b670dc55b019b"><h4 class="sectiontitle">Prerequisites</h4><ul id="dew_01_0090__u5a81f1e6732e4f7f833861cc9c592236"><li id="dew_01_0090__lff757368db72463f8f4ef818852e5da2">You have imported key materials for a CMK.</li><li id="dew_01_0090__l02b69c6e720744adafda2b2d84ad2317">The material source of the CMK is <strong id="dew_01_0090__b84235270614210">External</strong>.</li><li id="dew_01_0090__ld579632d367944ae872a6b22fce73d17">The CMK status is <strong id="dew_01_0090__b84235270614228">Enabled</strong> or <strong id="dew_01_0090__b84235270614233">Disabled</strong>.</li></ul>
</div>
<div class="section" id="dew_01_0090__section1510155014127"><h4 class="sectiontitle">Constraints</h4><ul id="dew_01_0090__ul161871968139"><li id="dew_01_0090__li71871612134">To re-import a deleted key material, ensure the imported material is the same as the deleted one.</li><li id="dew_01_0090__li1018815616139">Data encrypted using a CMK cannot be decrypted if the key material of the custom key was deleted. To decrypt the data, re-import the key material.</li><li id="dew_01_0090__li13328181361414">After the deletion, the CMK will become unavailable and its status will change to <strong id="dew_01_0090__b491365101417">Pending import</strong>.</li><li id="dew_01_0090__li88126466158">The key materials of asymmetric keys cannot be directly deleted. To delete them, perform the instructions in <a href="dew_01_0031.html">Deleting a Key</a>.</li></ul>
</div>
<div class="section" id="dew_01_0090__s962264092c274a87a1f7a03f04405d58"><h4 class="sectiontitle">Procedure</h4><ol id="dew_01_0090__oe6baf0c9fd2f4376a48ba993eaf3b77c"><li id="dew_01_0090__li1296564718544"><span>Log in to the management console.</span></li><li id="dew_01_0090__li880294292648"><span>Click <span><img id="dew_01_0090__dew_01_0178_image10325154918393" src="en-us_image_0000001284811084.png"></span> in the upper left corner of the management console and select a region or project.</span></li><li id="dew_01_0090__li1279512297175"><span>Click <span><img id="dew_01_0090__image1362222355418" src="en-us_image_0000002479477326.png"></span> on the left and choose <span class="menucascade" id="dew_01_0090__menucascade12623182345414"><b><span class="uicontrol" id="dew_01_0090__uicontrol66223235542">Security</span></b> &gt; <b><span class="uicontrol" id="dew_01_0090__uicontrol06235230543">Key Management Service</span></b></span>.</span></li><li id="dew_01_0090__le35c9acc50734cfaa662f0a9152a3c94"><span>Locate the target key material and click <span class="uicontrol" id="dew_01_0090__uicontrol59469908102821"><b>Delete Key Material</b></span>.</span></li><li id="dew_01_0090__lfda946222c43444b9bd6720efb37ed10"><span>In the displayed dialog box, enter <strong id="dew_01_0090__b7870112035316">DELETE</strong>, and click <span class="uicontrol" id="dew_01_0090__u3b0ee7729ce345fa924cde5180b568a4"><b>OK</b></span>. When <strong id="dew_01_0090__b1842111625312">Key material deleted successfully</strong> is displayed in the upper right corner, the key materials are deleted.</span><p><p id="dew_01_0090__a1ca0ed43e95947f59e893aed4fe3817f">After the deletion, the key will become unavailable and its status changes to <strong id="dew_01_0090__b84235270614054">Pending import</strong>.</p>
</p></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0142.html">Creating CMKs Using Imported Key Materials</a></div>
</div>
</div>
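Review bot: The note dew_01_0090__note48554101985 repeats the first two Constraints bullets (dew_01_0090__ul161871968139) word for word, and the "Pending import" status change is stated three times (opening paragraph, Constraints, and after step 5). Drop the note and keep the Constraints list as the single place for these conditions. Step 4, "Locate the target key material and click Delete Key Material", does not say on which page or list the key is found; name the page or tab as the other procedures do. The fourth constraint says asymmetric key materials "cannot be directly deleted", so the Prerequisites should state that the procedure applies to symmetric CMKs only.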

@ -0,0 +1,19 @@
<a name="dew_01_0091"></a><a name="dew_01_0091"></a>
<h1 class="topictitle1">Service Overview</h1>
<div id="body39451090"></div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="dew_01_0121.html">KMS</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0222.html">Personal Data Protection Mechanism</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0018.html">Permissions Management</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0017.html">Related Services</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0321.html">Basic Concepts</a></strong><br>
</li>
</ul>
</div>

@ -0,0 +1,55 @@
<a name="dew_01_0092"></a><a name="dew_01_0092"></a>
<h1 class="topictitle1">FAQs</h1>
<div id="body8662426"></div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="dew_01_0047.html">What Is Key Management Service?</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0044.html">What Is a Customer Master Key?</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0045.html">What Is a Default Key?</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0055.html">What Are the Differences Between a Custom Key and a Default Key?</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0046.html">What Is a Data Encryption Key?</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0049.html">Why Can't I Delete a CMK Immediately?</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0050.html">Which Cloud Services Can Use KMS for Encryption?</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0053.html">How Do Cloud Services Use KMS to Encrypt Data?</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0054.html">What Are the Benefits of Envelope Encryption?</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0056.html">Is There a Limit on the Number of Custom Keys That I Can Create on KMS?</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0058.html">Can I Export a CMK from KMS?</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0059.html">Can I Decrypt My Data if I Permanently Delete My Custom Key?</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0060.html">How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data?</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0062.html">Can I Update CMKs Created by KMS-Generated Key Materials?</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0102.html">When Should I Use a CMK Created with Imported Key Materials?</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0103.html">What Types of Keys Can I Import?</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0104.html">What Should I Do When I Accidentally Delete Key Materials?</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0182.html">What Should I Do If I Do Not Have the Permissions to Perform Operations on KMS?</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0186.html">Why Can't I Wrap Asymmetric Keys by Using -id-aes256-wrap-pad in OpenSSL?</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0189.html">Key Algorithms Supported by KMS</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0215.html">What Is the Relationship Between the Ciphertext and Plaintext Returned by the encrypt-data API?</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0227.html">How Does KMS Protect My Keys?</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0472.html">How Do I Convert an Original EC Private Key into a Private Key in PKCS8 Format?</a></strong><br>
</li>
</ul>
</div>

@ -0,0 +1,68 @@
<a name="dew_01_0094"></a><a name="dew_01_0094"></a>
<h1 class="topictitle1">About Key Rotation</h1>
<div id="body1526437072739"><div class="section" id="dew_01_0094__section142633107512"><h4 class="sectiontitle">Purpose of Key Rotation</h4><p id="dew_01_0094__p74131058201912">Keys that are widely or repeatedly used are insecure. To enhance the security of encryption keys, you are advised to periodically rotate keys and change their key materials.</p>
<p id="dew_01_0094__aa5af4eb2641b4f43aba31e9ac960ec9a">The purposes of key rotation are:</p>
<ul id="dew_01_0094__ul1363191145212"><li id="dew_01_0094__li1963118116524">To reduce the amount of data encrypted by each key.<p id="dew_01_0094__p46311212524"><a name="dew_01_0094__li1963118116524"></a><a name="li1963118116524"></a>A key will be insecure if it is used to encrypt a huge number of data. The amount of data encrypted a key refers to the total number of bytes or messages encrypted using the key.</p>
</li><li id="dew_01_0094__li146012113521">To enhance the capability of responding to security events.<p id="dew_01_0094__p76011711185214"><a name="dew_01_0094__li146012113521"></a><a name="li146012113521"></a>In your initial system security design, you shall design the key rotation function and use it for routine O&amp;M, so that it will be at hand when an emergency occurs.</p>
</li><li id="dew_01_0094__li129501749125219">To enhance the data isolation capability.<p id="dew_01_0094__p29501049165217"><a name="dew_01_0094__li129501749125219"></a><a name="li129501749125219"></a>The ciphertext data generated before and after key rotation will be isolated. You can identify the impact scope of a security event based on the key involved and take actions accordingly.</p>
</li></ul>
</div>
<div class="section" id="dew_01_0094__section114103111537"><h4 class="sectiontitle">Key Rotation Methods</h4><p id="dew_01_0094__p123016407532">You can use either of the following key rotation methods:</p>
<ul id="dew_01_0094__ul481722117543"><li id="dew_01_0094__li1081716213548">Manual key rotation<p id="dew_01_0094__p54010316334"><a name="dew_01_0094__li1081716213548"></a><a name="li1081716213548"></a>Method 1: Create a key B to replace the currently used key A.</p>
<p id="dew_01_0094__p55804713407">Method 2: Modify the key A and use it.</p>
<p id="dew_01_0094__p144549472114">Example:</p>
<p id="dew_01_0094__p7545164920110">Take OBS as an example. To manually rotate a key, create a custom key on the KMS console. Replace the old custom key with the new one on the OBS console.</p>
<div class="fignone" id="dew_01_0094__fig1662802305113"><span class="figcap"><b>Figure 1 </b>Manual key rotation</span><br><span><img id="dew_01_0094__image383919234016" src="en-us_image_0000001357411985.png"></span></div>
</li><li id="dew_01_0094__li3617223205410">Automatic key rotation<p id="dew_01_0094__p173411527220"><a name="dew_01_0094__li3617223205410"></a><a name="li3617223205410"></a>KMS automatically rotates keys based on the configured rotation period (365 days by default). The system automatically generates a new key to replace the key in use. Automatic key rotation only changes the key material of a CMK. The logical attributes of the key will not change, including its key ID, alias, description, and permissions.</p>
<p id="dew_01_0094__p1848719451329">Automatic key rotation has the following characteristics:</p>
<ol id="dew_01_0094__ol12487945626"><li id="dew_01_0094__li84876451023">Enable rotation for an existing custom key. KMS will automatically generate new key materials for the custom key.</li><li id="dew_01_0094__li948754513220">Data is not re-encrypted in an automatic key rotation. The DEK generated using the CMK is not automatically rotated, and data that has been encrypted using the CMK will not be encrypted again. If a DEK has been leaked, automatic rotation cannot contain the impact of the leakage.</li></ol>
<div class="fignone" id="dew_01_0094__fig948719451727"><span class="figcap"><b>Figure 2 </b>Key rotation</span><br><span><img id="dew_01_0094__image24879452213" src="en-us_image_0000001357372181.png"></span></div>
</li></ul>
<div class="note" id="dew_01_0094__note17375937205315"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><div class="p" id="dew_01_0094__p6440172812544">KMS retains all versions of a custom key, so that you can decrypt any ciphertext encrypted using the custom key.<ul id="dew_01_0094__ul19464718165411"><li id="dew_01_0094__li64641718185415">KMS uses the latest version of the custom key to encrypt data.</li><li id="dew_01_0094__li15464171810541">When decrypting data, KMS uses the custom key version that was used to encrypt the data.</li></ul>
</div>
</div></div>
</div>
<div class="section" id="dew_01_0094__section12184145083117"><h4 class="sectiontitle">Rotation Modes</h4>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="dew_01_0094__table88396113212" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Key rotation modes</caption><thead align="left"><tr id="dew_01_0094__row283919111323"><th align="left" class="cellrowborder" valign="top" width="24.08%" id="mcps1.3.3.2.2.3.1.1"><p id="dew_01_0094__p118397113213">Key Type</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="75.92%" id="mcps1.3.3.2.2.3.1.2"><p id="dew_01_0094__p1683981113218">Rotation Mode</p>
</th>
</tr>
</thead>
<tbody><tr id="dew_01_0094__row15839191143217"><td class="cellrowborder" valign="top" width="24.08%" headers="mcps1.3.3.2.2.3.1.1 "><p id="dew_01_0094__p2083916113326">Default key</p>
</td>
<td class="cellrowborder" valign="top" width="75.92%" headers="mcps1.3.3.2.2.3.1.2 "><p id="dew_01_0094__p283991143217">Cannot be rotated.</p>
</td>
</tr>
<tr id="dew_01_0094__row185231129480"><td class="cellrowborder" valign="top" width="24.08%" headers="mcps1.3.3.2.2.3.1.1 "><p id="dew_01_0094__p127211653330">Custom key</p>
</td>
<td class="cellrowborder" valign="top" width="75.92%" headers="mcps1.3.3.2.2.3.1.2 "><p id="dew_01_0094__p28401719326">Keys can be rotated automatically or manually, depending on the key algorithm type.</p>
<ul id="dew_01_0094__ul16557203418104"><li id="dew_01_0094__li85571434121013">Symmetric key: Can be automatically or manually rotated.</li><li id="dew_01_0094__li8784174651012">Asymmetric key: Can only be manually rotated.</li></ul>
</td>
</tr>
<tr id="dew_01_0094__row98391912326"><td class="cellrowborder" valign="top" width="24.08%" headers="mcps1.3.3.2.2.3.1.1 "><p id="dew_01_0094__p23141535759">Disabled CMK</p>
</td>
<td class="cellrowborder" valign="top" width="75.92%" headers="mcps1.3.3.2.2.3.1.2 "><p id="dew_01_0094__p1476214306111">Disabled CMKs are not rotated. KMS keeps their rotation status unchanged. After a custom key is enabled, if it has been used for longer than the rotation period, KMS will immediately rotate keys. If the custom key has been used for shorter than the rotation period, KMS will implement the original rotation plan.</p>
<p id="dew_01_0094__p163831618181210">For more information, see <a href="dew_01_0030.html">Disabling One or More CMKs</a>.</p>
</td>
</tr>
<tr id="dew_01_0094__row1840716322"><td class="cellrowborder" valign="top" width="24.08%" headers="mcps1.3.3.2.2.3.1.1 "><p id="dew_01_0094__p67521227151211">CMKs in pending deletion state</p>
</td>
<td class="cellrowborder" valign="top" width="75.92%" headers="mcps1.3.3.2.2.3.1.2 "><p id="dew_01_0094__p18211114115">KMS does not rotate CMKs in pending deletion status. After you cancel the deletion of a CMK, the previous key rotation status will be restored. If the custom key has been used for longer than the rotation period, KMS will immediately rotate keys. If the CMK has been used for shorter than the rotation period, KMS will implement the original rotation plan.</p>
<p id="dew_01_0094__p47749153143">For more information, see <a href="dew_01_0031.html">Scheduling the Deletion of One or More Keys</a>.</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="note" id="dew_01_0094__note1813217202442"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="dew_01_0094__p17373458133911">You can check the rotation details on the <strong id="dew_01_0094__b169251178207">Rotation Policy</strong> page, including the last rotation time and number of rotations.</p>
</div></div>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0138.html">Rotating CMKs</a></div>
</div>
</div>
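Review bot: Under "Manual key rotation", the line "Method 2: Modify the key A and use it." does not say what is modified or how that amounts to a rotation, and the OBS example that follows only illustrates Method 1 (create a new custom key and swap it in). Either describe what Method 2 changes or drop it. In the "Rotation Modes" table, terminology shifts inside single cells: the "Disabled CMK" row continues with "After a custom key is enabled", the pending-deletion row alternates "If the custom key ..." and "If the CMK ...", and "pending deletion state" becomes "pending deletion status". Pick one term for each. The statement that automatic rotation cannot contain the impact of a leaked DEK would also be more useful with a pointer to the procedure the reader should follow in that case.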

View File

@ -0,0 +1,19 @@
<a name="dew_01_0095"></a><a name="dew_01_0095"></a>
<h1 class="topictitle1">Managing a Grant</h1>
<div id="body1526441148777"></div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="dew_01_0096.html">Creating a Grant</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0097.html">Querying a Grant</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="dew_01_0098.html">Revoking a Grant</a></strong><br>
</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0177.html">Key Management Service</a></div>
</div>
</div>

View File

@ -0,0 +1,65 @@
<a name="dew_01_0096"></a><a name="dew_01_0096"></a>
<h1 class="topictitle1">Creating a Grant</h1>
<div id="body1526441148777"><p id="dew_01_0096__abd93f6bca64047dab7c1821937d2176a">You can create grants for other users or accounts to use the custom key. You can create a maximum of 100 grants on a custom key.</p>
<div class="section" id="dew_01_0096__sf313f71716e4464a818c0f21fadd47c2"><h4 class="sectiontitle">Prerequisites</h4><ul id="dew_01_0096__ue1a5c744c07e4da2901b21160b118b07"><li id="dew_01_0096__l9f30a172d7b64c169a5502a41ff91d42">You have obtained the ID of the grantee (user to whom permissions are to be authorized).</li><li id="dew_01_0096__lb764e9f8bf2a4c79bde4e1a4e650a69c">The target custom key is in <span class="parmname" id="dew_01_0096__parmname77021054865"><b>Enabled</b></span> status.</li></ul>
</div>
<div class="section" id="dew_01_0096__section57951920104714"><h4 class="sectiontitle">Constraints</h4><ul id="dew_01_0096__ul187081017201420"><li id="dew_01_0096__li2708191751418">The owner of a custom key can create a grant for the custom key on the KMS console or by calling APIs. The users or accounts who have the grant creation permission assigned by the owner of the custom key can create grants for the custom key only by calling APIs.</li><li id="dew_01_0096__li169641820131418">A maximum of 100 grants can be created for a custom key.</li></ul>
</div>
<div class="section" id="dew_01_0096__sb242aca4faed47a3a2cda38b7e2aea4f"><h4 class="sectiontitle">Procedure</h4><ol id="dew_01_0096__oe8646e78119040b19b16e75a4dee0fb6"><li id="dew_01_0096__li1181420455820"><span>Log in to the management console.</span></li><li id="dew_01_0096__li880294292648"><span>Click <span><img id="dew_01_0096__dew_01_0178_image10325154918393" src="en-us_image_0000001284811084.png"></span> in the upper left corner of the management console and select a region or project.</span></li><li id="dew_01_0096__li1279512297175"><span>Click <span><img id="dew_01_0096__image1568784805614" src="en-us_image_0000002479480874.png"></span> on the left and choose <span class="menucascade" id="dew_01_0096__menucascade2687144845613"><b><span class="uicontrol" id="dew_01_0096__uicontrol2068719489569">Security</span></b> &gt; <b><span class="uicontrol" id="dew_01_0096__uicontrol568774814561">Key Management Service</span></b></span>.</span></li><li id="dew_01_0096__l3ebfdf7f9d2641be8e268c2c354518b1"><span>Click the name of the target custom key to go to its details page and create a grant on it.</span></li><li id="dew_01_0096__li1655114975915"><span>Click the <strong id="dew_01_0096__b126234401162">Grants</strong> tab.</span></li><li id="dew_01_0096__la8bfd43456334e258880cf1d53df3da3"><span>Click <strong id="dew_01_0096__b84235270614570">Create Grant</strong>. The <strong id="dew_01_0096__b84235270614574">Create Grant</strong> dialog box is displayed.</span><p><div class="fignone" id="dew_01_0096__fig17834205715471"><span class="figcap"><b>Figure 1 </b>Creating a grant</span><br><span><img id="dew_01_0096__image1634124813475" src="en-us_image_0000002278357089.png"></span></div>
</p></li><li id="dew_01_0096__ld1e659d79a734647b0df2c3f23f21d22"><span>In the dialog box that is displayed, enter the ID of the user to be authorized and select permissions to be granted. For details, see <a href="#dew_01_0096__t4212c2dc877a41ba8f1db3dfa2ed7575">Table 1</a>.</span><p><div class="notice" id="dew_01_0096__ne46aa03a7d3d4db5a86df92e23c3569c"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p id="dew_01_0096__a5aa6962a74b54c09a792d321908160cd">A grantee can perform the authorized operations only by calling the necessary APIs. For details, see the <i><cite id="dew_01_0096__cite1046431183">Key Management Service API Reference</cite></i>.</p>
</div></div>
<div class="tablenoborder"><a name="dew_01_0096__t4212c2dc877a41ba8f1db3dfa2ed7575"></a><a name="t4212c2dc877a41ba8f1db3dfa2ed7575"></a><table cellpadding="4" cellspacing="0" summary="" id="dew_01_0096__t4212c2dc877a41ba8f1db3dfa2ed7575" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a grant</caption><thead align="left"><tr id="dew_01_0096__r5262aa06f29a4aeeb12b8c7ea5c1d163"><th align="left" class="cellrowborder" valign="top" width="20.75%" id="mcps1.3.4.2.7.2.2.2.4.1.1"><p id="dew_01_0096__ab97745e4ff174dd29475988b7daf3922"><strong id="dew_01_0096__b58977733783214">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="57.809999999999995%" id="mcps1.3.4.2.7.2.2.2.4.1.2"><p id="dew_01_0096__ab176e626317848caaa985a1979e5db60"><strong id="dew_01_0096__b842352706193336">Description</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="21.44%" id="mcps1.3.4.2.7.2.2.2.4.1.3"><p id="dew_01_0096__a72df5ce3d23d45a8999ab453fe800b59"><strong id="dew_01_0096__b842352706191839">Example Value</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="dew_01_0096__row1147532142318"><td class="cellrowborder" valign="top" width="20.75%" headers="mcps1.3.4.2.7.2.2.2.4.1.1 "><p id="dew_01_0096__p91486323235">User or Tenant</p>
</td>
<td class="cellrowborder" valign="top" width="57.809999999999995%" headers="mcps1.3.4.2.7.2.2.2.4.1.2 "><p id="dew_01_0096__p314863216235">Whether a user or an account is authorized.</p>
<ul id="dew_01_0096__ul106451354289"><li id="dew_01_0096__li0646535152816">User<p id="dew_01_0096__p1298684352820"><a name="dew_01_0096__li0646535152816"></a><a name="li0646535152816"></a>User ID: Enter the IAM user ID. To obtain the ID, click the username in the upper right corner of the page, choose <strong id="dew_01_0096__b221472716233">My Credentials</strong>. Choose <strong id="dew_01_0096__b9214192762319">API Credentials</strong> from the navigation pane, and copy the value of <strong id="dew_01_0096__b202154271235">IAM User ID</strong>.</p>
<p id="dew_01_0096__p474111712302">After the authorization is complete, the IAM user can use the specified keys.</p>
</li><li id="dew_01_0096__li181891609297">Account<p id="dew_01_0096__p11103195017278"><a name="dew_01_0096__li181891609297"></a><a name="li181891609297"></a>Account ID: Enter the IAM user ID. To obtain the ID, click the username in the upper right corner of the page, choose <strong id="dew_01_0096__b1931116910221">My Credentials</strong>. Choose <strong id="dew_01_0096__b19316395228">API Credentials</strong> from the navigation pane and copy the value of <strong id="dew_01_0096__b73161696222">Account ID</strong>.</p>
<p id="dew_01_0096__p4506656173118">After the authorization is complete, all IAM users under the account can use the specified keys.</p>
</li></ul>
</td>
<td class="cellrowborder" valign="top" width="21.44%" headers="mcps1.3.4.2.7.2.2.2.4.1.3 "><p id="dew_01_0096__p1148153211231">d9a6b2bdaedd4ba586cabe6372d1b312</p>
</td>
</tr>
<tr id="dew_01_0096__row11886545173017"><td class="cellrowborder" valign="top" width="20.75%" headers="mcps1.3.4.2.7.2.2.2.4.1.1 "><p id="dew_01_0096__p1288724543017">Grant Name</p>
</td>
<td class="cellrowborder" valign="top" width="57.809999999999995%" headers="mcps1.3.4.2.7.2.2.2.4.1.2 "><p id="dew_01_0096__p4887104511302">You can name the grant.</p>
<div class="note" id="dew_01_0096__note188411220113012"><span class="notetitle"> NOTE: </span><div class="notebody"><ul id="dew_01_0096__ul196311438133018"><li id="dew_01_0096__li1690185203018">You can enter digits, letters, underscores (_), hyphens (-), colons (:), and slashes (/).</li></ul>
</div></div>
</td>
<td class="cellrowborder" valign="top" width="21.44%" headers="mcps1.3.4.2.7.2.2.2.4.1.3 "><p id="dew_01_0096__p1288716457304">test</p>
</td>
</tr>
<tr id="dew_01_0096__r1326823b950b4491a67e426a2680c6bf"><td class="cellrowborder" valign="top" width="20.75%" headers="mcps1.3.4.2.7.2.2.2.4.1.1 "><p id="dew_01_0096__a1546b8eed079445ea3b1868f818806e6">Operations</p>
</td>
<td class="cellrowborder" valign="top" width="57.809999999999995%" headers="mcps1.3.4.2.7.2.2.2.4.1.2 "><p id="dew_01_0096__a28343bfa69dc45eb9089ecb601d9c343">The following permissions can be authorized:</p>
<div class="note" id="dew_01_0096__n3bc68b5a19d8473894309fdf6b6316b9"><span class="notetitle"> NOTE: </span><div class="notebody"><ul id="dew_01_0096__u8eb0a85047d0421398ecdd1e941d4a0a"><li id="dew_01_0096__l19724b1186d14cdea00fc64466881db3">You can create multiple grants on a custom key to provide different permissions to the same user. The user's permissions on the custom key are the combination of all the grants.</li><li id="dew_01_0096__l1040294800ce45c5a3bf121c75c81868">This parameter cannot be left blank.</li><li id="dew_01_0096__lf1dcdb78a73c481d919293387429bfd4">Selecting only <strong id="dew_01_0096__b842352706111632">Create Grant</strong> is not allowed.</li></ul>
</div></div>
<ul id="dew_01_0096__u679e0ae81b6b4c78ba3d1dcf99d6ba76"><li id="dew_01_0096__l74c9847b46474022b98f95300f72c8a2"><strong id="dew_01_0096__b842352706154510">Create Data Key Without Plaintext</strong></li><li id="dew_01_0096__l6f42bff6862348879bfd804512b3429f"><strong id="dew_01_0096__b84235270615163">Create Data Key</strong></li><li id="dew_01_0096__l8f3e0cb70890457bb414b84bbe3bd165"><strong id="dew_01_0096__b842352706151612">Encrypt Data Key</strong></li><li id="dew_01_0096__l36318d4a790f4358a61315493a60d54f"><strong id="dew_01_0096__b842352706151616">Decrypt Data Key</strong></li><li id="dew_01_0096__l74d6d395b9e948babf994c33639e1aca"><strong id="dew_01_0096__b842352706151627">Query Key Information</strong></li><li id="dew_01_0096__l640a497b858e429e9827cd2ad0cc1df7"><strong id="dew_01_0096__b842352706151632">Create Grant</strong></li><li id="dew_01_0096__l4cdf3af1496b4a7fb669f956d8dc9c7e"><strong id="dew_01_0096__b842352706151544">Retire Grant</strong><ul id="dew_01_0096__ub6297e776ce6471580561e39830e3fc0"><li id="dew_01_0096__l02a306e9962c4ca0a47e47e8587e81b3">A grantee can retire a grant if the grantee does not need that permission.</li><li id="dew_01_0096__lac1577f4802f471bb6de6f3c320b0d6a">If, before retiring a grant, the grantee has granted the permission to another user, that user's permission will not be affected by the grant retirement.</li></ul>
</li><li id="dew_01_0096__li1771485722215"><strong id="dew_01_0096__b470814294240">Encrypt Data</strong></li><li id="dew_01_0096__li134379632312"><strong id="dew_01_0096__b967316407240">Decrypt Data</strong></li></ul>
</td>
<td class="cellrowborder" valign="top" width="21.44%" headers="mcps1.3.4.2.7.2.2.2.4.1.3 "><p id="dew_01_0096__a9eeada0fea5a47b181fd7672519a87f0">-</p>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="dew_01_0096__lb57e06fa0f9948cb89ad869a8830b368"><span>Click <strong id="dew_01_0096__b886156753153714">OK</strong>. When message "Grant created successfully" is displayed in the upper right corner, the grant has been created.</span><p><p id="dew_01_0096__a4e18b09ddba142629a35200d37557a86">In the list of grants, you can view the grant name, grant type, grantee ID, granted operation, and creation time of the grant.</p>
</p></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0095.html">Managing a Grant</a></div>
</div>
</div>
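Review bot: In Table 1, the Account bullet reads "Account ID: Enter the IAM user ID." and then tells the reader to copy the value of Account ID. The first sentence looks copied from the User bullet and should say to enter the account ID. This matters because the same cell states that an account grant lets all IAM users under the account use the key, so entering the wrong kind of ID changes who receives access. The parameter is also labelled "User or Tenant" while its two options are User and Account; use one term. Smaller points: the 100-grant limit is stated both in the intro and under Constraints, and step 4 ends with "and create a grant on it", which anticipates the steps that follow.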

View File

@ -0,0 +1,50 @@
<a name="dew_01_0097"></a><a name="dew_01_0097"></a>
<h1 class="topictitle1">Querying a Grant</h1>
<div id="body1526441148777"><p id="dew_01_0097__ab52fa3653b9846448005d5883de6ac0f">You can view the details about a custom key grant on the KMS console, such as the grant ID, grantee user ID, granted operation, and creation time.</p>
<div class="section" id="dew_01_0097__sfc3e337af5ea42f48565144f6312777a"><h4 class="sectiontitle">Prerequisites</h4><p id="dew_01_0097__p1846612372309">You have created a grant.</p>
</div>
<div class="section" id="dew_01_0097__sb584661a07504477b0d4b6ca4bff3298"><h4 class="sectiontitle">Procedure</h4><ol id="dew_01_0097__o78edb7d3042a499fb73fd2c218fd7dee"><li id="dew_01_0097__li1181420455820"><span>Log in to the management console.</span></li><li id="dew_01_0097__li880294292648"><span>Click <span><img id="dew_01_0097__dew_01_0178_image10325154918393" src="en-us_image_0000001284811084.png"></span> in the upper left corner of the management console and select a region or project.</span></li><li id="dew_01_0097__li1279512297175"><span>Click <span><img id="dew_01_0097__image18167175819568" src="en-us_image_0000002511520841.png"></span> on the left and choose <span class="menucascade" id="dew_01_0097__menucascade111671558115613"><b><span class="uicontrol" id="dew_01_0097__uicontrol121671758145612">Security</span></b> &gt; <b><span class="uicontrol" id="dew_01_0097__uicontrol8167105875611">Key Management Service</span></b></span>.</span></li><li id="dew_01_0097__lc922abd902804b449674c23ea41dc328"><span>Click the alias of the target custom key to view its details.</span></li><li id="dew_01_0097__l6d22a37cb3814938a1d3c130a9562f1c"><span>Click <strong id="dew_01_0097__b43221224102419">Grant</strong> to view the created grant of the current custom key. <a href="#dew_01_0097__t0484dc5b4d9e4d86a61df05bffcaecf3">Table 1</a> describes the parameters.</span><p>
<div class="tablenoborder"><a name="dew_01_0097__t0484dc5b4d9e4d86a61df05bffcaecf3"></a><a name="t0484dc5b4d9e4d86a61df05bffcaecf3"></a><table cellpadding="4" cellspacing="0" summary="" id="dew_01_0097__t0484dc5b4d9e4d86a61df05bffcaecf3" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters</caption><thead align="left"><tr id="dew_01_0097__r344dbb44a66149b3a750942f4f90153d"><th align="left" class="cellrowborder" valign="top" width="21.4%" id="mcps1.3.3.2.5.2.1.2.3.1.1"><p id="dew_01_0097__ae308334c00944e9393de7146a9ee74d6"><strong id="dew_01_0097__b68989770183235">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="78.60000000000001%" id="mcps1.3.3.2.5.2.1.2.3.1.2"><p id="dew_01_0097__a03bf848c84974ba8825ba3bd04fec056"><strong id="dew_01_0097__b842352706193336">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="dew_01_0097__row152631141414"><td class="cellrowborder" valign="top" width="21.4%" headers="mcps1.3.3.2.5.2.1.2.3.1.1 "><p id="dew_01_0097__p426434011">Grant Name</p>
</td>
<td class="cellrowborder" valign="top" width="78.60000000000001%" headers="mcps1.3.3.2.5.2.1.2.3.1.2 "><p id="dew_01_0097__p19264746120">Name of the grant when created</p>
</td>
</tr>
<tr id="dew_01_0097__row327415519177"><td class="cellrowborder" valign="top" width="21.4%" headers="mcps1.3.3.2.5.2.1.2.3.1.1 "><p id="dew_01_0097__p11233175971712">Grantee ID</p>
</td>
<td class="cellrowborder" valign="top" width="78.60000000000001%" headers="mcps1.3.3.2.5.2.1.2.3.1.2 "><p id="dew_01_0097__p1523375916172">ID of the authorized user or account.</p>
</td>
</tr>
<tr id="dew_01_0097__row59171317172"><td class="cellrowborder" valign="top" width="21.4%" headers="mcps1.3.3.2.5.2.1.2.3.1.1 "><p id="dew_01_0097__p17917831161713">Granted To</p>
</td>
<td class="cellrowborder" valign="top" width="78.60000000000001%" headers="mcps1.3.3.2.5.2.1.2.3.1.2 "><p id="dew_01_0097__p1691713315179">Whether permissions are granted to a user or account.</p>
</td>
</tr>
<tr id="dew_01_0097__r7b0ddb2c41d7426db24e4abeff60fb95"><td class="cellrowborder" valign="top" width="21.4%" headers="mcps1.3.3.2.5.2.1.2.3.1.1 "><p id="dew_01_0097__a5a9b8d3cdaa743cca2d4e03dd5a68cbf">Granted Operations</p>
</td>
<td class="cellrowborder" valign="top" width="78.60000000000001%" headers="mcps1.3.3.2.5.2.1.2.3.1.2 "><p id="dew_01_0097__a26fd14a682c0437592aa7762c0aeb65e">Authorized operations (such as <strong id="dew_01_0097__b842352706112139">Create Data Key</strong>) on the custom key</p>
</td>
</tr>
<tr id="dew_01_0097__r46593d24fa0440b394527c8b5a2c3806"><td class="cellrowborder" valign="top" width="21.4%" headers="mcps1.3.3.2.5.2.1.2.3.1.1 "><p id="dew_01_0097__ac575af1df0eb46b4ad9ce125d51213f9">Created</p>
</td>
<td class="cellrowborder" valign="top" width="78.60000000000001%" headers="mcps1.3.3.2.5.2.1.2.3.1.2 "><p id="dew_01_0097__a3820c20dd9664a529d80dadd6caf5fe8">Time when the grant is created</p>
</td>
</tr>
</tbody>
</table>
</div>
</p></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0095.html">Managing a Grant</a></div>
</div>
</div>
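Review bot: The intro says the console shows "the grant ID", but Table 1 lists only Grant Name, Grantee ID, Granted To, Granted Operations and Created, with no grant ID row. Align the intro with the table, or add the row if the console does show it; the success message in Revoking a Grant refers to a grant ID, so readers will look for it here. Step 5 says "Click Grant", while Creating a Grant and Revoking a Grant both call the tab "Grants".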

View File

@ -0,0 +1,21 @@
<a name="dew_01_0098"></a><a name="dew_01_0098"></a>
<h1 class="topictitle1">Revoking a Grant</h1>
<div id="body1526441148777"><p id="dew_01_0098__abe21e609c7ae4377821f7899527f5722">You can revoke a grant on the KMS console in either of the following scenarios:</p>
<ul id="dew_01_0098__u66ca32ebe2f24d25b2c261ef49208a9d"><li id="dew_01_0098__l4a6b2f090aa441c39c2f75b504aefd38">A grantee does not need the custom key grant. (The grantee can either tell the user who has created the grant to revoke the grant or call the necessary API to revoke the grant directly.)</li><li id="dew_01_0098__l45830697ea0f42639f371fd284177fb8">You do not want the grantee to have the grant.</li></ul>
<p id="dew_01_0098__a7e3fc403154744d1a7cffa97969b0b74">When a grant is revoked, the grantee does not have the corresponding permission anymore. However, if the grantee has created the same grant to another user, permission of that user will not be affected.</p>
<p id="dew_01_0098__ad9234830a7174ce4b163a57a6962aedc">This section describes how to revoke a grant on the KMS console.</p>
<div class="section" id="dew_01_0098__sbd5737a535764a35aae4e93549e26106"><h4 class="sectiontitle">Prerequisites</h4><p id="dew_01_0098__p133017444304">You have created a grant.</p>
</div>
<div class="section" id="dew_01_0098__s4433344876b448e88f99d65e76f0cb65"><h4 class="sectiontitle">Procedure</h4><ol id="dew_01_0098__o970cda3a4441400eb18a188bf85b22bb"><li id="dew_01_0098__li1181420455820"><span>Log in to the management console.</span></li><li id="dew_01_0098__li880294292648"><span>Click <span><img id="dew_01_0098__dew_01_0178_image10325154918393" src="en-us_image_0000001284811084.png"></span> in the upper left corner of the management console and select a region or project.</span></li><li id="dew_01_0098__li1279512297175"><span>Click <span><img id="dew_01_0098__image14904192145712" src="en-us_image_0000002479481472.png"></span> on the left and choose <span class="menucascade" id="dew_01_0098__menucascade12904192145711"><b><span class="uicontrol" id="dew_01_0098__uicontrol12904122155710">Security</span></b> &gt; <b><span class="uicontrol" id="dew_01_0098__uicontrol19041827572">Key Management Service</span></b></span>.</span></li><li id="dew_01_0098__l17d2068cc74943f4903c3ac3e81ca4c7"><span>Click the alias of the target custom key to view its details.</span></li><li id="dew_01_0098__li13261468285"><span>In the <strong id="dew_01_0098__b14324037115115">Grants</strong> tab, locate the target grant and click <strong id="dew_01_0098__b16409022527">Revoke Grant</strong> in the <strong id="dew_01_0098__b5169856155118">Operation</strong> column.</span></li><li id="dew_01_0098__li12531352191011"><span>Enter <strong id="dew_01_0098__b11754164882817">DELETE</strong> in the confirmation dialog box and click <span class="parmvalue" id="dew_01_0098__parmvalue1575418480286"><b>OK</b></span>.</span><p><div class="p" id="dew_01_0098__p75641648114111">In the displayed dialog box, click <strong id="dew_01_0098__b3661641141713">OK</strong>. 
If <strong id="dew_01_0098__b96621741161716">Grant <em id="dew_01_0098__i10661184110178">grant ID</em> revoked successfully</strong> is displayed in the upper right corner, the grant has been revoked.<div class="note" id="dew_01_0098__note1267183035218"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="dew_01_0098__p22671630155218">You can call the API to verify that the key grant has been revoked. For example, if the grant to create a data key is revoked for a user, an error will be reported when the user calls the API to create a data key.</p>
</div></div>
</div>
</p></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0095.html">Managing a Grant</a></div>
</div>
</div>
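Review bot: Step 6 gives two confirmation actions back to back: "Enter DELETE in the confirmation dialog box and click OK." followed by "In the displayed dialog box, click OK." If there is only one dialog, delete the second sentence; if there are two, say what the second one asks. In the first scenario, the grantee is said to "call the necessary API to revoke the grant directly", whereas Creating a Grant names the grantee-side operation Retire Grant; use that name so the reader knows which permission is required. The sentence stating that a grant the grantee created for another user is not affected by revocation would be better placed in a notice box, since it means revoking here does not remove access derived from the grant.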

View File

@ -1,20 +1,13 @@
<a name="dew_01_0101"></a><a name="dew_01_0101"></a>
<h1 class="topictitle1">Encrypting Data in RDS</h1>
<div id="body8662426"><ul id="dew_01_0101__en-us_topic_0113544733_ul569985051312"><li id="dew_01_0101__en-us_topic_0113544733_li1714975110115">When a user creates a database instance from Relational Database Service (RDS), the user can select <strong id="dew_01_0101__en-us_topic_0113544733_b207781583250">Disk encryption</strong> and use the key provided by KMS to encrypt the disk of the database instance. For more information, see the <em id="dew_01_0101__en-us_topic_0113544733_i97781989251">Relational Database Service User Guide</em>.<div class="fignone" id="dew_01_0101__en-us_topic_0113544733_fig73511236193618"><span class="figcap"><b>Figure 1 </b>Encrypting Data in RDS</span><br><span><img id="dew_01_0101__en-us_topic_0113544733_image8909931143511" src="en-us_image_0000002207563973.png" title="Click to enlarge" class="imgResize"></span></div>
<p id="dew_01_0101__en-us_topic_0113544733_p85308818163">You can use a custom key created on the KMS console for encryption.</p>
</li><li id="dew_01_0101__en-us_topic_0113544733_li6707550161319">You can also call the RDS APIs to purchase encrypted database instances. For details, see the <em id="dew_01_0101__en-us_topic_0113544733_i12470976364">Relational Database Service User Guide</em>.</li></ul>
<div id="body8662426"><ul id="dew_01_0101__en-us_topic_0000002247328738_ul569985051312"><li id="dew_01_0101__en-us_topic_0000002247328738_li1714975110115">When a user creates a database instance from Relational Database Service (RDS), the user can select <strong id="dew_01_0101__en-us_topic_0000002247328738_b207781583250">Disk encryption</strong> and use the key provided by KMS to encrypt the disk of the database instance. For more information, see the <em id="dew_01_0101__en-us_topic_0000002247328738_i97781989251">Relational Database Service User Guide</em>.<div class="fignone" id="dew_01_0101__en-us_topic_0000002247328738_fig73511236193618"><span class="figcap"><b>Figure 1 </b>Encrypting data in RDS</span><br><span><img id="dew_01_0101__en-us_topic_0000002247328738_image8909931143511" src="en-us_image_0000002248648336.png"></span></div>
<p id="dew_01_0101__en-us_topic_0000002247328738_p85308818163">You can use a custom key created on the KMS console for encryption.</p>
</li><li id="dew_01_0101__en-us_topic_0000002247328738_li6707550161319">You can also call the RDS APIs to purchase encrypted database instances. For details, see the <em id="dew_01_0101__en-us_topic_0000002247328738_i12470976364">Relational Database Service User Guide</em>.</li></ul>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0106.html">Cloud Services with KMS Integrated</a></div>
<div class="parentlink"><strong>Parent topic:</strong> <a href="en-us_topic_0000002248485012.html">Cloud Services with KMS Integrated</a></div>
</div>
</div>
<script language="JavaScript">
<!--
image_size('.imgResize');
var msg_imageMax = "view original image";
var msg_imageClose = "close";
//--></script>
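Review bot: The parent-topic link pointing to en-us_topic_0000002248485012.html does not follow the dew_01_xxxx.html naming used by every other parentlink in the files shown (dew_01_0138.html, dew_01_0177.html, dew_01_0095.html, dew_01_0092.html), and it sits next to a line pointing to dew_01_0106.html for the same "Cloud Services with KMS Integrated" title. Confirm that the en-us_topic target is actually published with this guide, otherwise the link will be dead. The figure caption also differs between the two versions ("Encrypting Data in RDS" and "Encrypting data in RDS"); the sentence-case form matches the other captions in this commit.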

View File

@ -0,0 +1,11 @@
<a name="dew_01_0102"></a><a name="dew_01_0102"></a>
<h1 class="topictitle1">When Should I Use a CMK Created with Imported Key Materials?</h1>
<div id="body1528788931519"><ul id="dew_01_0102__en-us_topic_0112948406_ul42483106194437"><li id="dew_01_0102__en-us_topic_0112948406_li3529163010530">If you do not want to use KMS-generated key materials, you can import your own key materials to create a CMK. Such a CMK allows deletion of only the key materials when you do not need it. In addition, when you find that the key materials are mis-deleted, you can import the same materials to the CMK.</li><li id="dew_01_0102__en-us_topic_0112948406_li48045514104241">You can also import local key materials to KMS when you want to use the same keys on cloud and on-premises. This practice has proved useful when user migrate local encrypted data to the cloud.</li></ul>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0092.html">FAQs</a></div>
</div>
</div>
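Review bot: In the first bullet, "Such a CMK allows deletion of only the key materials when you do not need it" is ambiguous about what "it" refers to and what remains after deletion. State that the key material can be deleted while the CMK itself is kept, which is what the next sentence about re-importing relies on. That next sentence should also make clear that re-import is only possible if you have kept your own copy of the material, since "import the same materials" assumes that. Grammar in the second bullet: "when user migrate" should be "when users migrate".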

View File

@ -0,0 +1,74 @@
<a name="dew_01_0103"></a><a name="dew_01_0103"></a>
<h1 class="topictitle1">What Types of Keys Can I Import?</h1>
<div id="body1528788931519"><p id="dew_01_0103__en-us_topic_0112948473_p50795214194446">The following table lists the types of keys that can be imported.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="dew_01_0103__table1582191414427" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Key algorithms supported by KMS</caption><thead align="left"><tr id="dew_01_0103__dew_01_7775_dew_01_0001_row1062492152718"><th align="left" class="cellrowborder" valign="top" width="19.79%" id="mcps1.3.2.2.6.1.1"><p id="dew_01_0103__dew_01_7775_dew_01_0001_p6624525278">Key Type</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="17.84%" id="mcps1.3.2.2.6.1.2"><p id="dew_01_0103__dew_01_7775_dew_01_0001_p126241216278">Algorithm Type</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="22.27%" id="mcps1.3.2.2.6.1.3"><p id="dew_01_0103__dew_01_7775_dew_01_0001_p1262442102713">Key Specifications</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="20.1%" id="mcps1.3.2.2.6.1.4"><p id="dew_01_0103__dew_01_7775_dew_01_0001_p062416292712">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="20%" id="mcps1.3.2.2.6.1.5"><p id="dew_01_0103__dew_01_7775_dew_01_0001_p12624827271">Application Scenario</p>
</th>
</tr>
</thead>
<tbody><tr id="dew_01_0103__dew_01_7775_dew_01_0001_row1762412272713"><td class="cellrowborder" valign="top" width="19.79%" headers="mcps1.3.2.2.6.1.1 "><p id="dew_01_0103__dew_01_7775_dew_01_0001_p13624162172711">Symmetric key</p>
</td>
<td class="cellrowborder" valign="top" width="17.84%" headers="mcps1.3.2.2.6.1.2 "><p id="dew_01_0103__dew_01_7775_dew_01_0001_p462412152717">AES</p>
</td>
<td class="cellrowborder" valign="top" width="22.27%" headers="mcps1.3.2.2.6.1.3 "><p id="dew_01_0103__dew_01_7775_dew_01_0001_p146244272717">AES_256</p>
</td>
<td class="cellrowborder" valign="top" width="20.1%" headers="mcps1.3.2.2.6.1.4 "><p id="dew_01_0103__dew_01_7775_dew_01_0001_p86241925279">AES symmetric key</p>
</td>
<td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.2.2.6.1.5 "><ul id="dew_01_0103__dew_01_7775_dew_01_0001_ul15153158575"><li id="dew_01_0103__dew_01_7775_dew_01_0001_li115388577">Data encryption and decryption</li><li id="dew_01_0103__dew_01_7775_dew_01_0001_li13153181270">DEKs encryption and decryption<div class="note" id="dew_01_0103__dew_01_7775_dew_01_0001_note1372720189158"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="dew_01_0103__dew_01_7775_dew_01_0001_p195293671611">You can encrypt and decrypt a small amount of data using the online tool on the console.</p>
<p id="dew_01_0103__dew_01_7775_dew_01_0001_p19728161831512">You need to call APIs to encrypt and decrypt a large amount of data.</p>
</div></div>
</li></ul>
</td>
</tr>
<tr id="dew_01_0103__dew_01_7775_dew_01_0001_row25853341815"><td class="cellrowborder" valign="top" width="19.79%" headers="mcps1.3.2.2.6.1.1 "><p id="dew_01_0103__dew_01_7775_dew_01_0001_p1759103319185">Digest key</p>
</td>
<td class="cellrowborder" valign="top" width="17.84%" headers="mcps1.3.2.2.6.1.2 "><p id="dew_01_0103__dew_01_7775_dew_01_0001_p185973320186">SHA</p>
</td>
<td class="cellrowborder" valign="top" width="22.27%" headers="mcps1.3.2.2.6.1.3 "><ul id="dew_01_0103__dew_01_7775_dew_01_0001_ul12847123214192"><li id="dew_01_0103__dew_01_7775_dew_01_0001_li0847432101920">HMAC_256</li><li id="dew_01_0103__dew_01_7775_dew_01_0001_li873494210199">HMAC_384</li><li id="dew_01_0103__dew_01_7775_dew_01_0001_li199611657141910">HMAC_512</li></ul>
</td>
<td class="cellrowborder" valign="top" width="20.1%" headers="mcps1.3.2.2.6.1.4 "><p id="dew_01_0103__dew_01_7775_dew_01_0001_p459143361817">Digest key</p>
</td>
<td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.2.2.6.1.5 "><ul id="dew_01_0103__dew_01_7775_dew_01_0001_ul173801592042"><li id="dew_01_0103__dew_01_7775_dew_01_0001_li738013599414">Data tampering prevention</li><li id="dew_01_0103__dew_01_7775_dew_01_0001_li53921875519">Data integrity verification</li></ul>
</td>
</tr>
<tr id="dew_01_0103__dew_01_7775_dew_01_0001_row51341950153118"><td class="cellrowborder" rowspan="2" valign="top" width="19.79%" headers="mcps1.3.2.2.6.1.1 "><p id="dew_01_0103__dew_01_7775_dew_01_0001_p17135145013312">Asymmetric key</p>
</td>
<td class="cellrowborder" valign="top" width="17.84%" headers="mcps1.3.2.2.6.1.2 "><p id="dew_01_0103__dew_01_7775_dew_01_0001_p121351050163112">RSA</p>
</td>
<td class="cellrowborder" valign="top" width="22.27%" headers="mcps1.3.2.2.6.1.3 "><ul id="dew_01_0103__dew_01_7775_dew_01_0001_ul858832973417"><li id="dew_01_0103__dew_01_7775_dew_01_0001_li11588429113412">RSA_2048</li><li id="dew_01_0103__dew_01_7775_dew_01_0001_li5589132917341">RSA_3072</li><li id="dew_01_0103__dew_01_7775_dew_01_0001_li340620263353">RSA_4096</li></ul>
</td>
<td class="cellrowborder" valign="top" width="20.1%" headers="mcps1.3.2.2.6.1.4 "><p id="dew_01_0103__dew_01_7775_dew_01_0001_p1613595015317">RSA asymmetric password</p>
</td>
<td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.2.2.6.1.5 "><ul id="dew_01_0103__dew_01_7775_dew_01_0001_ul9805101045314"><li id="dew_01_0103__dew_01_7775_dew_01_0001_li16805510135314">Digital signature and signature verification</li><li id="dew_01_0103__dew_01_7775_dew_01_0001_li38051110145311">Data encryption and decryption<div class="note" id="dew_01_0103__dew_01_7775_dew_01_0001_note11881237111318"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="dew_01_0103__dew_01_7775_dew_01_0001_p178819371135">Asymmetric keys are applicable to signature and signature verification scenarios. Asymmetric keys are not efficient enough for data encryption. Symmetric keys are suitable for encrypting and decrypting data.</p>
</div></div>
</li></ul>
</td>
</tr>
<tr id="dew_01_0103__dew_01_7775_dew_01_0001_row037145343118"><td class="cellrowborder" valign="top" headers="mcps1.3.2.2.6.1.1 "><p id="dew_01_0103__dew_01_7775_dew_01_0001_p14371539318">ECC</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.2.2.6.1.2 "><ul id="dew_01_0103__dew_01_7775_dew_01_0001_ul384511534343"><li id="dew_01_0103__dew_01_7775_dew_01_0001_li8845053133410">EC_P256</li><li id="dew_01_0103__dew_01_7775_dew_01_0001_li38451531342">EC_P384</li></ul>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.2.2.6.1.3 "><p id="dew_01_0103__dew_01_7775_dew_01_0001_p43795363116">Elliptic curve recommended by NIST</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.2.2.6.1.4 "><p id="dew_01_0103__dew_01_7775_dew_01_0001_p1537145343114">Digital signature and signature verification</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0092.html">FAQs</a></div>
</div>
</div>
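Review bot: In the RSA row the Description cell reads "RSA asymmetric password"; it should be "RSA asymmetric key", in line with "AES symmetric key" and "Digest key" in the rows above. In the ECC row the headers attributes are shifted by one column because of the rowspan="2" on "Asymmetric key": "ECC" is tagged mcps1.3.2.2.6.1.1 (Key Type) and the last cell stops at mcps1.3.2.2.6.1.4, where the four cells should carry .2 through .5. The topic asks which keys can be imported, yet the caption is "Key algorithms supported by KMS" and the text does not say whether every listed specification is importable; state that explicitly. The NOTE in the AES row contrasts "a small amount" and "a large amount" of data without giving the size threshold, so a reader cannot tell which path applies.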


@ -0,0 +1,13 @@
<a name="dew_01_0104"></a><a name="dew_01_0104"></a>
<h1 class="topictitle1">What Should I Do When I Accidentally Delete Key Materials?</h1>
<div id="body1528788931519"><p id="dew_01_0104__en-us_topic_0112948465_p5076910220224">You can import the backup key materials from your local device again.</p>
<div class="notice" id="dew_01_0104__en-us_topic_0112948465_note1695202694810"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p id="dew_01_0104__en-us_topic_0112948465_p1835050794810">Before importing key materials, you are advised to back up the materials. The materials to be re-imported must be consistent with the mis-deleted materials.</p>
</div></div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0092.html">FAQs</a></div>
</div>
</div>
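Review bot: The answer "You can import the backup key materials from your local device again" assumes a backup exists, while the notice only advises making one; the page should say what the user can or cannot do when no backup was kept. The notice wording "mis-deleted materials" should match the title ("accidentally deleted"), and the notice img element has no alt attribute.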

Some files were not shown because too many files have changed in this diff