You can click 
to change the rotation period. After the period is changed, KMS rotates the key by the new period.
+
Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Choose . The key management page is displayed.
- Click the name of the target custom key to view its details.
- Click Rotation Policy. The dialog box is displayed, as shown in Figure 1.
Figure 1 Key rotation
+ - Click
to enable key rotation. - In the Enable Rotation Policy dialog box, set the rotation period and click OK.
Figure 2 Setting the rotation period
+Set the rotation period (unit: day) to an integer in the range 30 to 365. The default value is 365.
+After the setting takes effect, the new rotation period starts.
+Configure the period based on how often a custom key is used. If it is frequently used, configure a short period; otherwise, set a long one.
+ - After rotation is enabled, the rotation details will be displayed, as shown in Figure 3.
Figure 3 Key rotation details
+After rotation is enabled, the key will be rotated based on your set period.
+ - A disabled custom key is never rotated, even if rotation is enabled for it.
- KMS resumes rotation when this custom key is enabled. If you enable this custom key after one rotation period has passed, KMS will rotate it within 24 hours.
- You can click
to change the rotation period. After the period is changed, KMS rotates the key by the new period.
+
+
\ No newline at end of file
diff --git a/docs/kms/umn/kms_01_0142.html b/docs/kms/umn/kms_01_0142.html
deleted file mode 100644
index 2bc8e7503..000000000
--- a/docs/kms/umn/kms_01_0142.html
+++ /dev/null
@@ -1,19 +0,0 @@
-
-
-
Creating CMKs Using Imported Key Materials
-
-
-
diff --git a/docs/kms/umn/kms_01_0161.html b/docs/kms/umn/kms_01_0161.html
deleted file mode 100644
index 2fcd633cd..000000000
--- a/docs/kms/umn/kms_01_0161.html
+++ /dev/null
@@ -1,68 +0,0 @@
-
-
-
Creating a Custom KMS Policy
-
Custom policies can be created as a supplement to the system policies of KMS. For details about the actions supported by custom policies, see "Permissions Policies and Supported Actions" in Key Management Service API Reference.
-
You can create custom policies in either of the following ways:
-
- Visual editor: You can select policy configurations without the need to know policy syntax.
- JSON: Edit JSON policies from scratch or based on an existing policy. This section describes typical KMS custom policies.
-
Example Custom Policies of KMS
- Example: authorizing users to create and import keys
{
- "Version": "1.1",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "kms:cmk:create",
- "kms:cmk:getMaterial",
- "kms:cmkTag:create",
- "kms:cmkTag:batch",
- "kms:cmk:importMaterial"
- ]
- }
- ]
-}
-
-
-
- Example: authorizing users to use keys
{
- "Version": "1.1",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "kms:dek:crypto",
- "kms:cmk:get",
- "kms:cmk:crypto",
- "kms:cmk:generate",
- "kms:cmk:list"
- ]
- }
- ]
-}
- - Example: multi-action policy
A custom policy can contain actions of multiple services that are all of the global or project-level type. The following is a policy with multiple statements:
-{
- "Version": "1.1",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "rds:task:list"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
- "kms:dek:crypto",
- "kms:cmk:get",
- "kms:cmk:crypto",
- "kms:cmk:generate",
- "kms:cmk:list"
- ]
- }
- ]
-}
-
-
-
-
diff --git a/docs/kms/umn/kms_01_0177.html b/docs/kms/umn/kms_01_0177.html
deleted file mode 100644
index 2efbce5c2..000000000
--- a/docs/kms/umn/kms_01_0177.html
+++ /dev/null
@@ -1,31 +0,0 @@
-
-
-
Key Management Service
-
-
-
diff --git a/docs/kms/umn/kms_01_0178.html b/docs/kms/umn/kms_01_0178.html
deleted file mode 100644
index ccbe470ef..000000000
--- a/docs/kms/umn/kms_01_0178.html
+++ /dev/null
@@ -1,79 +0,0 @@
-
-
-
Creating a Key
-
This section describes how to create a custom key on the KMS console.
-
Custom keys can be categorized into symmetric keys and asymmetric keys.
-
Constraints
- You can create up to 100 custom keys, excluding default keys.
- A custom key is created using the AES-256 algorithm and is 256 bit long.
- Asymmetric keys are created using RSA or ECC algorithms. RSA keys can be used for encryption, decryption, digital signature, and signature verification. ECC keys can be used only for digital signature and signature verification.
- Aliases of default keys end with /default. When choosing aliases for your custom keys, do not use aliases ending with /default.
- KMS does not limit the number of times that a key can be called.
-
-
Scenarios
- Encrypt data in OBS
- Encrypt data in EVS
- Encrypt data in IMS
- Use custom keys to directly encrypt and decrypt small volumes of data.
- DEK encryption and decryption for user applications
-
-
Creating a Key
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
. Choose . The Key Management Service page is displayed. - Click Create Bucket in the upper right corner.
- Configure parameters in the Create Key dialog box.
Figure 1 Creating a key
-- Alias is the alias of the key to be created.
- You can enter digits, letters, underscores (_), hyphens (-), colons (:), and slashes (/).
- You can enter up to 255 characters.
-
- - Key Algorithm: Select a key algorithm. For more information, see Table 1.
-
Table 1 Key algorithms supported by KMSKey Type
- |
-Algorithm Type
- |
-Key Specifications
- |
-Description
- |
-Usage
- |
-
|---|
-
-Symmetric key
- |
-AES
- |
-
- |
-AES symmetric key
- |
-Encrypts and decrypts a small amount of data or data keys.
- |
-
-Asymmetric key
- |
-RSA
- |
-
- |
-RSA asymmetric password
- |
-Encrypts and decrypts a small amount of data or creates digital signatures.
- |
-
-ECC
- |
-
- |
-Elliptic curve recommended by NIST
- |
-Digital signature
- |
-
-
-
-
- Usage: Select SIGN_VERIFY or ENCRYPT_DECRYPT.
- For an AES_256 symmetric key, the default value is ENCRYPT_DECRYPT.
- For RSA asymmetric keys, select ENCRYPT_DECRYPT or SIGN_VERIFY. The default value is SIGN_VERIFY.
- For an ECC asymmetric key, the default value is SIGN_VERIFY.
- The key usage can only be configured during key creation and cannot be modified afterwards.
-
- - (Optional) Description is the description of the custom key.
You can enter up to 255 characters.
-
-
- - (Optional) Add tags to the custom key as needed, and enter the tag key and tag value.
- After creating a CMK, you can click the alias of the CMK to go to the CMK details page and add a tag to the CMK.
- The same tag (including tag key and tag value) can be used for different custom keys. However, under the same custom key, one tag key can have only one tag value.
- A maximum of 20 tags can be added for one custom key.
- To delete a tag, click Delete next to it.
-
- - Click OK. A message is displayed in the upper right corner of the page, indicating that the key is created successfully.
In the key list, you can view the created keys. The default status of a key is Enabled.
-
-
-
Related Operations
- For details about how to upload objects with server-side encryption, see section "Uploading a File with Server-Side Encryption" in Object Storage Service User Guide.
- For details about how to encrypt data on EVS disks, see section "Creating an EVS Disk" in Elastic Volume Service User Guide.
- For details about how to encrypt private images, see section "Encrypting an Image" in Image Management Service User Guide.
- For details about how to encrypt disks for a database instance in RDS, see section "Purchasing an Instance" in the Relational Database Service User Guide.
-
-
-
-
diff --git a/docs/kms/umn/kms_01_0179.html b/docs/kms/umn/kms_01_0179.html
deleted file mode 100644
index 9f56720d8..000000000
--- a/docs/kms/umn/kms_01_0179.html
+++ /dev/null
@@ -1,59 +0,0 @@
-
-
-
Viewing a CMK
-
This section describes how to view the information about the custom key on the KMS console, including the key alias, status, ID, and creation time. The status of a key can be Enabled, Disabled, Scheduled deletion, or Pending import.
-
Procedure
- Log in to the management console.
- Click . Choose . The Key Management Service page is displayed.
- Check the key list.
-
Table 1 Key list parametersParameter
- |
-Description
- |
-
|---|
-
-Alias/ID
- |
-Alias of a key and the random ID of a key generated during its creation.
- |
-
-Status
- |
-Status of a CMK, which can be one of the following:
-- Enabled
The CMK is enabled.
- - Disabled
The CMK is disabled.
- - Pending deletion
The CMK is scheduled for deletion.
- - Pending import
If your CMK does not have materials, its status is Pending import.
-
- |
-
-Key Algorithm and Usage
- |
-Key algorithm selected during key creation and its usage
- |
-
-Origin
- |
-Source of key material, which can be one of the following:
-
- |
-
-Operation
- |
-Operations you can perform on the key, such as disable, delete, import key material, or cancel deletion. You can also assign keys to projects.
- |
-
-
-
-
- You can click the alias of a key to view its details.
To change the alias or description of the CMK, click next to the value of Alias or Description.
-
- A default key (the alias suffix of which is /default) does not allow alias and description changes.
- The alias and description of a CMK cannot be changed if the CMK is in Pending deletion status.
-
-
-
-
-
-
diff --git a/docs/kms/umn/kms_01_0182.html b/docs/kms/umn/kms_01_0182.html
deleted file mode 100644
index 08667bada..000000000
--- a/docs/kms/umn/kms_01_0182.html
+++ /dev/null
@@ -1,19 +0,0 @@
-
-
-
What Should I Do If I Do Not Have the Permissions to Perform Operations on KMS?
-
Symptom
A message indicating lack of permissions is displayed when you attempt to perform operations on keys, such as view, create, or import keys.
-
-
Possible Causes
Your account is not associated with the required KMS system policies.
-
-
Solution
- Check whether your account has been associated with KMS Administrator and KMS CMKFullAccess policies.
For details about how to check your user groups and permissions, see the "User Groups and Authorization" section.
-If your account has been associated with required KMS system policies, go to 2.
- - Associate your account with required system policies.
- For details about how to add administrator permissions, see the "User Groups and Authorization" section.
- For details about how to add a custom policy, see the "Creating a Custom KMS Policy" section.
-
-
-
-
-
diff --git a/docs/kms/umn/kms_01_0186.html b/docs/kms/umn/kms_01_0186.html
deleted file mode 100644
index 07f9d81af..000000000
--- a/docs/kms/umn/kms_01_0186.html
+++ /dev/null
@@ -1,34 +0,0 @@
-
-
-
Why Can't I Wrap Asymmetric Keys by Using -id-aes256-wrap-pad in OpenSSL?
-
Symptom
By default, the -id-aes256-wrap-pad algorithm is not enabled in OpenSSL. To wrap a key, upgrade OpenSSL to the latest version and patch it first.
-
-
Solution
Use bash commands to create a local copy of the existing OpenSSL. You do not need to delete or modify the default OpenSSL client installation configurations.
-
- Switch to the root user.
sudo su -
- - Run the following command and record the OpenSSL version:
openssl version
- - Run the following commands to create the /root/build directory. This directory will be used to store the latest OpenSSL binary file.
mkdir $HOME/build
-mkdir -p $HOME/local/ssl
-cd $HOME/build
- - Download the latest OpenSSL version from https://www.openssl.org/source/.
- Download and decompress the binary file.
- Replace openssl-1.1.1d.tar.gz with the latest OpenSSL version downloaded in step 4.
curl -O https://www.openssl.org/source/openssl-1.1.1d.tar.gz
-tar -zxf openssl-1.1.1d.tar.gz
- - Use the gcc tool to patch the version, and compile the downloaded binary file.
yum install patch make gcc -y If you are using a version other than OpenSSL-1.1.1d, you may need to change the directory and commands used, or this patch may not work properly.
-
-
- - Run the following commands:
sed -i "/BIO_get_cipher_ctx(benc, &ctx);/a\ EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);" $HOME/build/openssl-1.1.1d/apps/enc.c
- - Run the following commands to compile the OpenSSL enc.c file:
cd $HOME/build/openssl-1.1.1d/
-./config --prefix=$HOME/local --openssldir=$HOME/local/ssl
-make -j$(grep -c ^processor /proc/cpuinfo)
-make install
- - Configure the environment variable LD_LIBRARY_PATH to ensure that required libraries are available for OpenSSL. The latest version of OpenSSL has been dynamically linked to the binary file in the $HOME/local/ssl/lib/ directory, and cannot be directly executed in shell.
- Create a script named openssl.sh to load the $HOME/local/ssl/lib/ path before running the binary file.
cd $HOME/local/bin/
-echo -e '#!/bin/bash \nenv LD_LIBRARY_PATH=$HOME/local/lib/ $HOME/local/bin/openssl "$@"' > ./openssl.sh
- - Run the following command to configure an execute bit on the script:
chmod 755 ./openssl.sh
- - Run the following command to start the patched OpenSSL version:
$HOME/local/bin/openssl.sh
-
-
-
-
-
diff --git a/docs/kms/umn/kms_01_0189.html b/docs/kms/umn/kms_01_0189.html
deleted file mode 100644
index c277abb4c..000000000
--- a/docs/kms/umn/kms_01_0189.html
+++ /dev/null
@@ -1,57 +0,0 @@
-
-
-
Key Algorithms Supported by KMS
-
-
Table 1 Key algorithms supported by KMSKey Type
- |
-Algorithm Type
- |
-Key Specifications
- |
-Description
- |
-Usage
- |
-
|---|
-
-Symmetric key
- |
-AES
- |
-
- |
-AES symmetric key
- |
-Encrypts and decrypts a small amount of data or data keys.
- |
-
-Asymmetric key
- |
-RSA
- |
-
- |
-RSA asymmetric password
- |
-Encrypts and decrypts a small amount of data or creates digital signatures.
- |
-
-ECC
- |
-
- |
-Elliptic curve recommended by NIST
- |
-Digital signature
- |
-
-
-
-
-
-
-
diff --git a/docs/kms/umn/kms_01_0193.html b/docs/kms/umn/kms_01_0193.html
new file mode 100644
index 000000000..f20ab6ccb
--- /dev/null
+++ b/docs/kms/umn/kms_01_0193.html
@@ -0,0 +1,11 @@
+
+
+
How Does KMS Protect My Keys?
+
The mechanism of KMS prevents anyone from accessing your keys in plaintext. KMS relies on hardware security modules (HSMs) that safeguard the confidentiality and integrity of your keys. Plaintext KMS keys are always encrypted by HSMs and are never stored on any disk. These keys are only utilized within the volatile memory of the HSMs for as long as necessary to perform the cryptographic operation you have requested.
+
+
+
diff --git a/docs/kms/umn/kms_01_0194.html b/docs/kms/umn/kms_01_0194.html
new file mode 100644
index 000000000..75c0a25b9
--- /dev/null
+++ b/docs/kms/umn/kms_01_0194.html
@@ -0,0 +1,98 @@
+
+
+
Creating a Key
+
Scenario
This section describes how to create a custom key on the KMS management console. You can create up to 100 custom keys, excluding default keys.
+
CMKs can be used for:
- Server-side encryption on OBS
- Encryption of data on EVS disks
- Encryption of private images on IMS
- File system encryption on SFS
- Disk encryption for database instances in RDS
- DEK encryption and decryption for user applications
+
+
+
Constraints
- You can create up to 100 custom keys, excluding default keys.
- Names of default keys end with /default. When configuring names for your custom keys, the value cannot end with /default.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Choose . The key management page is displayed.
- Click Create Key in the upper right corner. In the displayed dialog box, enter the alias, names, tags, and description of the key.
Figure 1 Creating a Key
+- Name: Name of the key to be created
- Key Algorithm: Key algorithm supported by KMS. See the following table for details.
+
Table 1 Key algorithms supported by KMSKey Type
+ |
+Algorithm Type
+ |
+Key Specifications
+ |
+Description
+ |
+Application Scenario
+ |
+
|---|
+
+Symmetric key
+ |
+AES
+ |
+AES_256
+ |
+AES symmetric key
+ |
+- Data encryption and decryption
- DEKs encryption and decryption
NOTE: You can encrypt and decrypt a small amount of data using the the online tool on the console.
+ You need to call APIs to encrypt and decrypt a large amount of data.
+
+
+ |
+
+Digest key
+ |
+SHA
+ |
+
+ |
+Digest key
+ |
+- Data tampering prevention
- Data integrity verification
+ |
+
+Asymmetric key
+ |
+RSA
+ |
+
+ |
+RSA asymmetric password
+ |
+- Digital signature and signature verification
- Data encryption and decryption
NOTE: Asymmetric keys are applicable to signature and signature verification scenarios. Asymmetric keys are not efficient enough for data encryption. Symmetric keys are suitable for encrypting and decrypting data.
+
+
+ |
+
+ECC
+ |
+
+ |
+Elliptic curve recommended by NIST
+ |
+Digital signature and signature verification
+ |
+
+
+
+
- Usage: Select SIGN_VERIFY, GENERATE_VERIFY_MAC, or ENCRYPT_DECRYPT.
- For an AES_256 symmetric key, the default value is ENCRYPT_DECRYPT.
- For an HMAC symmetric key, the default value is GENERATE_VERIFY_MAC.
- For RSA asymmetric keys, select ENCRYPT_DECRYPT or SIGN_VERIFY. The default value is SIGN_VERIFY.
- For an ECC asymmetric key, the default value is SIGN_VERIFY.
+ The key usage can only be configured during key creation and cannot be modified afterwards.
+
+ - (Optional) Description is the description of the custom key.
- (Optional) Tags: Add tags to the custom key as needed, and enter the tag key and tag value.
- If a custom key has been created without any tag, you can add a tag to the custom key later as necessary. Click the name of the custom key. The page with key details is displayed. Then you can add tags to the custom key.
- The same tag (including tag key and tag value) can be used for different custom keys. However, under the same custom key, one tag key can have only one tag value.
- A maximum of 20 tags can be added for one custom key.
- If you want to delete a tag to be added when adding multiple tags, you can click Delete in the row where the tag to be added is located to delete the tag.
+
+
+ - Click OK.
In the custom key list, you can view created custom keys. The default status of a custom key is Enabled.
+
+
+
Related Operations
- For details about how to upload objects with server-side encryption, see section Uploading a File with Server-Side Encryption in the Object Storage Service User Guide.
- For details about how to encrypt data on EVS disks, see section Creating an EVS Disk in the Elastic Volume Service User Guide.
- For details about how to encrypt private images, see section Encrypting an Image in the Image Management Service User Guide.
- For details about how to encrypt the file system on SFS, see section Creating a File System in the Scalable File Service User Guide.
- For details about how to encrypt disks for a database instance in RDS, see section Creating an RDS MySQL DB Instance in the Relational Database Service User Guide.
- For details about how to create a DEK and a plaintext-free DEK, see sections "Creating a DEK" and "Creating a Plaintext-Free DEK" in .
- For details about how to encrypt and decrypt a DEK for a user application, see sections "Encrypting a DEK" and "Decrypting a DEK" in .
+
+
+
+
+
+
\ No newline at end of file
diff --git a/docs/kms/umn/kms_01_0198.html b/docs/kms/umn/kms_01_0198.html
new file mode 100644
index 000000000..dee44c410
--- /dev/null
+++ b/docs/kms/umn/kms_01_0198.html
@@ -0,0 +1,12 @@
+
+
+
Is There a Limit on the Number of Custom Keys That I Can Create on KMS?
+
There is a limit on the number of custom keys that can be created on KMS.
+
You can create a maximum of 100 custom keys, including those in enabled, disabled, and pending deletion states. Default keys are not included.
+
+
+
diff --git a/docs/kms/umn/kms_01_0199.html b/docs/kms/umn/kms_01_0199.html
deleted file mode 100644
index 4b36849ee..000000000
--- a/docs/kms/umn/kms_01_0199.html
+++ /dev/null
@@ -1,14 +0,0 @@
-
-
-
Encrypting Data in DDS
-
-
- You can also call the required API of DDS to purchase encrypted DB instances. For details, see Document Database Service API Reference.
-
-
-
diff --git a/docs/kms/umn/kms_01_0215.html b/docs/kms/umn/kms_01_0215.html
deleted file mode 100644
index d54d86db6..000000000
--- a/docs/kms/umn/kms_01_0215.html
+++ /dev/null
@@ -1,15 +0,0 @@
-
-
-
What Is the Relationship Between the Ciphertext and Plaintext Returned by the encrypt-data API?
-
The basic length of the ciphertext returned by the encrypt-data API is 124 bytes. The ciphertext consists of multiple fields, including the key ID, encryption algorithm, key version, and ciphertext digest.
-
The plaintext has 16 bytes in each block. A block with fewer than 16 bytes will be padded. Ciphertext length = 124 + Ceil(plaintext length/16) x 16. The conversion result is encoded using Base64.
-
Take 4-byte plaintext input as an example. The calculation result is 124 + Ceil(4/16) x 16 = 140. The 140 bytes are converted into 188 bytes after Base64 encoding.
-
Ceil is a round-up function. Ceil(a) = 1. The value range of a is (0,1].
-
-
-
-
diff --git a/docs/kms/umn/kms_01_0222.html b/docs/kms/umn/kms_01_0222.html
deleted file mode 100644
index a78d9f973..000000000
--- a/docs/kms/umn/kms_01_0222.html
+++ /dev/null
@@ -1,42 +0,0 @@
-
-
-
Personal Data Protection Mechanism
-
To ensure that your personal data, such as the username, password, and mobile phone number, will not be leaked or obtained by unauthorized or unauthenticated entities or people, KMS controls access to the data and records logs for operations performed on the data.
-
Personal Data to Be Collected
Table 1 lists the personal data generated or collected by KMS.
-
-
Table 1 Personal dataType
- |
-Source
- |
-Can Be Modified
- |
-Mandatory
- |
-
|---|
-
-Tenant ID
- |
-- Tenant ID in the token when an operation is performed on the console.
- Tenant ID in the token when an API is invoked.
- |
-No
- |
-Yes
- |
-
-
-
-
-
-
Storage Mode
Tenant IDs are not sensitive data and are stored in plaintext.
-
-
Access Permission Control
Users can view only logs related to their own services.
-
-
Log Records
KMS records logs for all operations, such as editing, querying, and deleting, performed on personal data. The logs are uploaded to Cloud Trace Service (CTS). You can view only the logs generated for operations you performed.
-
-
-
-
diff --git a/docs/kms/umn/kms_01_0227.html b/docs/kms/umn/kms_01_0227.html
deleted file mode 100644
index b09a30600..000000000
--- a/docs/kms/umn/kms_01_0227.html
+++ /dev/null
@@ -1,11 +0,0 @@
-
-
-
How Does KMS Protect My Keys?
-
The mechanism of KMS prevents anyone from accessing your keys in plaintext. KMS relies on hardware security modules (HSMs) that safeguard the confidentiality and integrity of your keys. Plaintext KMS keys are always encrypted by HSMs and are never stored on any disk. These keys are only utilized within the volatile memory of the HSMs for as long as necessary to perform the cryptographic operation you have requested.
-
-
-
diff --git a/docs/kms/umn/kms_01_0299.html b/docs/kms/umn/kms_01_0299.html
deleted file mode 100644
index 00ee5b6e3..000000000
--- a/docs/kms/umn/kms_01_0299.html
+++ /dev/null
@@ -1,85 +0,0 @@
-
-
-
Key Management Service
-
Key Management Service (KMS) is a secure, reliable, and easy-to-use service that helps users centrally manage and safeguard their Customer Master Keys (CMKs).
-
KMS uses hardware security modules (HSMs) to protect CMKs. HSMs help you create and control CMKs with ease. All CMKs are protected by root keys in HSMs to avoid leakage.
-
It also controls access to keys and records all operations on keys with traceable logs. In addition, it provides use records of all keys, meeting your audit and regulatory compliance requirements.
-
-
Table 1 Basic conceptsItem
- |
-Definition
- |
-
|---|
-
-Customer Master Key
-(CMK)
- |
-A CMK is a main encryption key created by a user using KMS. It is used to encrypt and protect data encryption keys (DEKs). One CMK can be used to encrypt one or more DEKs.
- |
-
-Default Key
-
- |
-A default key is automatically created by another cloud service using KMS, such as Object Storage Service (OBS). The alias of a default key ends with /default. For details about the corresponding cloud services, see Default Master Keys.
-You can use the management console to query the status of Default Master Keys, but cannot disable or schedule the deletion of default keys.
- |
-
-Data Encryption Key
-(DEK)
- |
-A data encryption key (DEK) is a key used for encrypting data.
- |
-
-Hardware Security Module (HSM)
- |
-A hardware device that securely produces, stores, manages, and uses keys and provides encryption services.
- |
-
-True Random Number Generator (TRNG)
- |
-A device that generates random numbers through physical processes instead of computer programs.
- |
-
-Project
- |
-A project is used to group and isolate OpenStack resources, including computing, storage, and network resources. A project can be a department or a project team.
-Multiple projects can be created for one account.
- |
-
-
-
-
-
-
Table 2 Default keysAlias
- |
-Cloud Service
- |
-
|---|
-
-obs/default
- |
-Object Storage Service (OBS)
- |
-
-evs/default
- |
-Elastic Volume Service (EVS)
- |
-
-ims/default
- |
-Image Management Service (IMS)
- |
-
-
-
-
-
A default key is automatically created when a user employs the KMS encryption function for the first time in another cloud service.
-
-
-
-
diff --git a/docs/kms/umn/kms_01_0330.html b/docs/kms/umn/kms_01_0330.html
deleted file mode 100644
index 1fe92a147..000000000
--- a/docs/kms/umn/kms_01_0330.html
+++ /dev/null
@@ -1,11 +0,0 @@
-
-
-
Does an Imported Key Support Rotation?
-
Imported keys do not support rotation. After the imported key materials are deleted, ensure that the same key materials are imported.
-
-
-
diff --git a/docs/kms/umn/kms_01_7774.html b/docs/kms/umn/kms_01_7774.html
deleted file mode 100644
index c355535cb..000000000
--- a/docs/kms/umn/kms_01_7774.html
+++ /dev/null
@@ -1,15 +0,0 @@
-
-
-
Disabling Key Rotation
-
This section describes how to disable rotation for a key on the KMS console.
-
Prerequisites
- The key is enabled.
- The Origin of the key is KMS.
- Key rotation has been enabled.
-
-
Procedure
- Log in to the management console.
- Click . Choose . The Key Management Service page is displayed.
- Click the alias of a symmetric key.
- Click Rotation Policy and the dialog box is displayed.
- Click
to disable key rotation. - In the displayed confirmation dialog box, click OK.
- Check the rotation status.
-
-
-
-
diff --git a/docs/kms/umn/kms_01_7775.html b/docs/kms/umn/kms_01_7775.html
deleted file mode 100644
index 08aa0f88f..000000000
--- a/docs/kms/umn/kms_01_7775.html
+++ /dev/null
@@ -1,61 +0,0 @@
-
-
-
Key Types
-
CMKs include custom keys and default keys. This section describes how to create, view, enable, disable, schedule the deletion, and cancel the deletion of custom keys.
-
Custom keys can be categorized into symmetric keys and asymmetric keys.
-
Symmetric keys are most commonly used for data encryption protection. Asymmetric keys are used for digital signature verification or sensitive information encryption in systems where the trust relationship is not mutual. An asymmetric key consists of a public key and a private key. The public key can be sent to anyone. The private key must be securely stored and only accessible to trusted users.
-
An asymmetric key can be used to generate and verify a signature. To securely transfer data, a signer sends the public key to a receiver, uses the private key to sign data, and then sends the data and signature to the receiver. The receiver can use the public key to verify the signature.
-
-
Table 1 Key algorithms supported by KMSKey Type
- |
-Algorithm Type
- |
-Key Specifications
- |
-Description
- |
-Usage
- |
-
|---|
-
-Symmetric key
- |
-AES
- |
-
- |
-AES symmetric key
- |
-Encrypts and decrypts a small amount of data or data keys.
- |
-
-Asymmetric key
- |
-RSA
- |
-
- |
-RSA asymmetric password
- |
-Encrypts and decrypts a small amount of data or creates digital signatures.
- |
-
-ECC
- |
-
- |
-Elliptic curve recommended by NIST
- |
-Digital signature
- |
-
-
-
-
-
-
-
diff --git a/docs/kms/umn/kms_01_9996.html b/docs/kms/umn/kms_01_9996.html
new file mode 100644
index 000000000..1d3cbf3df
--- /dev/null
+++ b/docs/kms/umn/kms_01_9996.html
@@ -0,0 +1,68 @@
+
+
+
Creating a Custom KMS Policy
+
Custom policies can be created as a supplement to the system policies of KMSfilter. For details about the actions supported by custom policies, see "Permissions Policies and Supported Actions" in Key Management Service API Reference.
+
You can create custom policies in either of the following ways:
+
- Visual editor: You can select policy configurations without the need to know policy syntax.
- JSON: Edit JSON policies from scratch or based on an existing policy. This section describes typical KMS custom policies.
+
Example Custom Policies of KMS
- Example: authorizing users to create and import keys
{
+ "Version": "1.1",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "kms:cmk:create",
+ "kms:cmk:getMaterial",
+ "kms:cmkTag:create",
+ "kms:cmkTag:batch",
+ "kms:cmk:importMaterial"
+ ]
+ }
+ ]
+}
+
+
+
- Example: authorizing users to use keys
{
+ "Version": "1.1",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "kms:dek:crypto",
+ "kms:cmk:get",
+ "kms:cmk:crypto",
+ "kms:cmk:generate",
+ "kms:cmk:list"
+ ]
+ }
+ ]
+}
+ - Example: multi-action policy
A custom policy can contain actions of multiple services that are all of the global or project-level type. The following is a policy with multiple statements:
+{
+ "Version": "1.1",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "rds:task:list"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "kms:dek:crypto",
+ "kms:cmk:get",
+ "kms:cmk:crypto",
+ "kms:cmk:generate",
+ "kms:cmk:list"
+ ]
+ }
+ ]
+}
+
+
+
+
diff --git a/docs/kms/umn/kms_01_9997.html b/docs/kms/umn/kms_01_9997.html
new file mode 100644
index 000000000..86e16afa9
--- /dev/null
+++ b/docs/kms/umn/kms_01_9997.html
@@ -0,0 +1,66 @@
+
+
+
Creating a User and Authorizing the User the Permission to Access KMS
+
This section describes IAM's fine-grained permissions management for your KMS resources. With IAM, you can:
+
- Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has its own security credentials to access KMS resources.
- Grant users only the permissions required to perform a task.
- Entrust an account or cloud service to perform efficient O&M on your KMS resources.
+
If your account does not need individual IAM users, skip this chapter.
+
This section describes the procedure for granting permissions (see Figure 1).
+
Prerequisites
Before granting permissions to a user group, you need to understand the available KMS permissions, and grant permissions based on the real-life scenario. The following tables describe the permissions supported in KMS.
+
+
Table 1 KMS permissionsRole/Policy
+ |
+Description
+ |
+Type
+ |
+
|---|
+
+KMS Administrator
+ |
+Administrator permissions for the encryption key
+ |
+Role
+ |
+
+KMS CMKFullAccess
+ |
+All permissions for the encryption keys
+ |
+Policy
+ |
+
+KMS CMK Admin
+ |
+All permissions for the encryption keys
+ |
+Policy
+ |
+
+KMS CMKReadOnlyAccess
+ |
+Read-only permission for encryption keys
+ |
+Policy
+ |
+
+
+
+
+
+
Authorization Process
Figure 1 Authorizing the KMS access permission to a user
+
Create a user group on the IAM console and grant the user group the KMS CMKFullAccess permission (indicating full permissions for keys).
+Create a user on the IAM console and add the user to the user group created in 1.
+- .
Log in to the console as newly created user, and verify that the user only has the assigned permissions.
+
+
+
Tenant Guest Roles
If you have configured Tenant Guest permissions for the IAM account, apart from the read-only permissions for all cloud services except Identity and Access Management (IAM), you also have the following KMS permissions:
+
- kms:cmk:create: Create a key.
- kms:cmk:createDataKey: Create a DEK.
- kms:cmk:createDataKeyWithoutPlaintext: Create a plaintext-free DEK.
- kms:cmk:encryptDataKey: Encrypt the DEK.
- kms:cmk:decryptDataKey: Decrypt a DEK.
- kms:cmk:retireGrant: Retire a grant.
- kms:cmk:decryptData: Decrypt data.
- kms:cmk:encryptData: Encrypt data.
- kms::generateRandom: Generate a random number.
+
If you want to configure the Tenant Guest role for an IAM user but do not want to have the preceding permissions, you need to configure a custom deny policy for the IAM user. For details about how to configure a custom policy, see Creating a Custom KMS Policy.
+
+
+
+
diff --git a/docs/kms/umn/kms_01_9998.html b/docs/kms/umn/kms_01_9998.html
new file mode 100644
index 000000000..aece1ffc9
--- /dev/null
+++ b/docs/kms/umn/kms_01_9998.html
@@ -0,0 +1,13 @@
+
+
+
Permissions Management
+
+
+
diff --git a/docs/kms/umn/kms_01_9999.html b/docs/kms/umn/kms_01_9999.html
new file mode 100644
index 000000000..4a7881c6b
--- /dev/null
+++ b/docs/kms/umn/kms_01_9999.html
@@ -0,0 +1,325 @@
+
+
+
KMS Permission Management
+
If you want to assign different access permissions to employees in an enterprise for the KMS resources purchased on the cloud platform, you can use Identity and Access Management (IAM) to perform refined permission management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your resources.
+
With IAM, you can use your account to create IAM users for your employees, and grant permissions to control their access to specific resource types. For example, some software developers in your enterprise need to use KMS resources but must not delete them or perform any high-risk operations. To achieve this result, you can create IAM users for the software developers and grant them only the permissions required for using KMS resources.
+
If the system account has met your requirements and you do not need to create an independent IAM user for permission control, then you can skip this section. This will not affect other functions of KMS.
+
+
KMS Permissions
By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from their groups and can perform specified operations on cloud services based on the permissions.
+
KMS is a project-level service deployed and accessed in specific physical regions. To assign permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. Users need to switch to the authorized region when accessing KMS.
+
You can grant users permissions by using roles and policies.
+
- Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you must also assign other roles that the permissions depend on to take effect. However, roles are not an ideal choice for fine-grained authorization and secure access control.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, you can grant KMS users only the permissions for managing a certain type of cloud servers. Most policies contain permissions for specific APIs, and permissions are defined using API actions.
+
For details, see Table 1.
+
+
Table 1 KMS permissionsRole/Policy
+ |
+Description
+ |
+Type
+ |
+
|---|
+
+KMS Administrator
+ |
+Administrator permissions for the encryption key
+ |
+Role
+ |
+
+KMS CMKFullAccess
+ |
+All permissions for the encryption keys
+ |
+Policy
+ |
+
+KMS CMK Admin
+ |
+All permissions for the encryption keys
+ |
+Policy
+ |
+
+KMS CMKReadOnlyAccess
+ |
+Read-only permission for encryption keys
+ |
+Policy
+ |
+
+
+
+
+
Table 2 lists the common operations supported by each system-defined permission of KMS. Select the permissions as needed.
+
+
Table 2 Common operations supported by each system-defined policy or roleOperation
+ |
+KMS Administrator
+ |
+KMS CMKFullAccess
+ |
+
|---|
+
+Create a key
+ |
+√
+ |
+√
+ |
+
+Enable a key
+ |
+√
+ |
+√
+ |
+
+Disable a key
+ |
+√
+ |
+√
+ |
+
+Schedule key deletion
+ |
+√
+ |
+√
+ |
+
+Cancel scheduled key deletion
+ |
+√
+ |
+√
+ |
+
+Modify a key alias
+ |
+√
+ |
+√
+ |
+
+Modify key description
+ |
+√
+ |
+√
+ |
+
+Generate a random number
+ |
+√
+ |
+√
+ |
+
+Create a DEK
+ |
+√
+ |
+√
+ |
+
+Create a plaintext-free DEK
+ |
+√
+ |
+√
+ |
+
+Encrypt a DEK
+ |
+√
+ |
+√
+ |
+
+Decrypt a DEK
+ |
+√
+ |
+√
+ |
+
+Obtain parameters for importing a key
+ |
+√
+ |
+√
+ |
+
+Import key materials
+ |
+√
+ |
+√
+ |
+
+Delete key materials
+ |
+√
+ |
+√
+ |
+
+Create a grant
+ |
+√
+ |
+√
+ |
+
+Revoke a grant
+ |
+√
+ |
+√
+ |
+
+Retire a grant
+ |
+√
+ |
+√
+ |
+
+Query the grant list
+ |
+√
+ |
+√
+ |
+
+Query retirable grants
+ |
+√
+ |
+√
+ |
+
+Encrypt data
+ |
+√
+ |
+√
+ |
+
+Decrypt data
+ |
+√
+ |
+√
+ |
+
+Enable key rotation
+ |
+√
+ |
+√
+ |
+
+Modify key rotation interval
+ |
+√
+ |
+√
+ |
+
+Disable key rotation
+ |
+√
+ |
+√
+ |
+
+Query key rotation status
+ |
+√
+ |
+√
+ |
+
+Query CMK instances
+ |
+√
+ |
+√
+ |
+
+Query key tags
+ |
+√
+ |
+√
+ |
+
+Query project tags
+ |
+√
+ |
+√
+ |
+
+Batch add or delete key tags
+ |
+√
+ |
+√
+ |
+
+Add tags to a key
+ |
+√
+ |
+√
+ |
+
+Delete key tags
+ |
+√
+ |
+√
+ |
+
+Query the key list
+ |
+√
+ |
+√
+ |
+
+Query key details
+ |
+√
+ |
+√
+ |
+
+Query instance quantity
+ |
+√
+ |
+√
+ |
+
+Query quotas
+ |
+√
+ |
+√
+ |
+
+
+
+
+
+
+
+
diff --git a/docs/kms/umn/public_sys-resources/imageclose.gif b/docs/kms/umn/public_sys-resources/imageclose.gif
new file mode 100644
index 000000000..3a3344af4
Binary files /dev/null and b/docs/kms/umn/public_sys-resources/imageclose.gif differ
diff --git a/docs/kms/umn/public_sys-resources/imageclosehover.gif b/docs/kms/umn/public_sys-resources/imageclosehover.gif
new file mode 100644
index 000000000..8699d5e36
Binary files /dev/null and b/docs/kms/umn/public_sys-resources/imageclosehover.gif differ
diff --git a/docs/kms/umn/public_sys-resources/imagemax.gif b/docs/kms/umn/public_sys-resources/imagemax.gif
new file mode 100644
index 000000000..99c07dc25
Binary files /dev/null and b/docs/kms/umn/public_sys-resources/imagemax.gif differ
diff --git a/docs/kms/umn/public_sys-resources/imagemaxhover.gif b/docs/kms/umn/public_sys-resources/imagemaxhover.gif
new file mode 100644
index 000000000..d01d77d6e
Binary files /dev/null and b/docs/kms/umn/public_sys-resources/imagemaxhover.gif differ
diff --git a/docs/kms/umn/public_sys-resources/macFFBgHack.png b/docs/kms/umn/public_sys-resources/macFFBgHack.png
new file mode 100644
index 000000000..ec811470c
Binary files /dev/null and b/docs/kms/umn/public_sys-resources/macFFBgHack.png differ
