forked from docs/doc-exports
Reviewed-by: Rogal, Marcel <mrogal@noreply.gitea.eco.tsi-dev.otc-service.com> Co-authored-by: qinweiwei <qinweiwei@huawei.com> Co-committed-by: qinweiwei <qinweiwei@huawei.com>
<a name="dew_01_0001"></a>
<h1 class="topictitle1">Functions</h1>
<div id="body1481514797769"><p id="dew_01_0001__p186877312337">KMS is a secure, reliable, and easy-to-use cloud service that helps users create, manage, and protect keys in a centralized manner.</p>
<p id="dew_01_0001__p590191262515">It uses Hardware Security Modules (HSMs) to protect keys. All keys are protected by root keys held in the HSMs to prevent key leakage. The HSMs meet the FIPS 140-2 Level 3 security requirements.</p>
<p id="dew_01_0001__p12564163653415">It also controls access to keys and records every key operation in traceable logs, so the usage history of each key is available to meet your audit and regulatory compliance requirements.</p>
<div class="section" id="dew_01_0001__section16718183017471"><h4 class="sectiontitle">Functions</h4><ul id="dew_01_0001__ul62201146124710"><li id="dew_01_0001__li199561059204912">On the KMS console, you can:<ul id="dew_01_0001__ul46709216504"><li id="dew_01_0001__li12220174624711">Create, query, enable, and disable CMKs, as well as schedule and cancel CMK deletion.</li><li id="dew_01_0001__li122115461470">Modify the alias and description of CMKs.</li><li id="dew_01_0001__li822210463477">Use the online tool to encrypt and decrypt small amounts of data.</li><li id="dew_01_0001__li1370881311485">Import keys and delete key material.</li><li id="dew_01_0001__li19194121715109">Add, search for, edit, and delete tags.</li><li id="dew_01_0001__li16811214151115">Create, cancel, and query grants.</li></ul>
</li><li id="dew_01_0001__li441618476327">You can use the API to perform the following operations:<ul id="dew_01_0001__ul10132344157"><li id="dew_01_0001__li1366493118153">Create, encrypt, or decrypt DEKs.</li><li id="dew_01_0001__li14256837191511">Retire grants.</li></ul>
<p id="dew_01_0001__p965196173318">For details, see <em id="dew_01_0001__i175341166258">Key Management Service (KMS) API Reference</em>.</p>
</li><li id="dew_01_0001__li12420174720328">Generate hardware true random numbers.<p id="dew_01_0001__p31461682338"><a name="dew_01_0001__li12420174720328"></a><a name="li12420174720328"></a>You can generate 512-bit hardware true random numbers using a KMS API. The numbers can be used as a basis for key material or as encryption parameters. For details, see <em id="dew_01_0001__i783314211616">Key Management Service (KMS) API Reference</em>.</p>
</li></ul>
</div>
<div class="section" id="dew_01_0001__section11249191211316"><h4 class="sectiontitle">Key Algorithms Supported by KMS</h4><p id="dew_01_0001__p490604711261">Symmetric keys created on the KMS console use AES algorithms. Asymmetric keys created by KMS support the RSA and ECC algorithms.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="dew_01_0001__table0624027274" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Key algorithms supported by KMS</caption><thead align="left"><tr id="dew_01_0001__row1062492152718"><th align="left" class="cellrowborder" valign="top" width="19.79%" id="mcps1.3.5.3.2.6.1.1"><p id="dew_01_0001__p6624525278">Key Type</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="17.84%" id="mcps1.3.5.3.2.6.1.2"><p id="dew_01_0001__p126241216278">Algorithm Type</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="22.27%" id="mcps1.3.5.3.2.6.1.3"><p id="dew_01_0001__p1262442102713">Key Specifications</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="20.1%" id="mcps1.3.5.3.2.6.1.4"><p id="dew_01_0001__p062416292712">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="20%" id="mcps1.3.5.3.2.6.1.5"><p id="dew_01_0001__p12624827271">Application Scenario</p>
</th>
</tr>
</thead>
<tbody><tr id="dew_01_0001__row1762412272713"><td class="cellrowborder" valign="top" width="19.79%" headers="mcps1.3.5.3.2.6.1.1 "><p id="dew_01_0001__p13624162172711">Symmetric key</p>
</td>
<td class="cellrowborder" valign="top" width="17.84%" headers="mcps1.3.5.3.2.6.1.2 "><p id="dew_01_0001__p462412152717">AES</p>
</td>
<td class="cellrowborder" valign="top" width="22.27%" headers="mcps1.3.5.3.2.6.1.3 "><p id="dew_01_0001__p146244272717">AES_256</p>
</td>
<td class="cellrowborder" valign="top" width="20.1%" headers="mcps1.3.5.3.2.6.1.4 "><p id="dew_01_0001__p86241925279">AES symmetric key</p>
</td>
<td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.5.3.2.6.1.5 "><ul id="dew_01_0001__ul15153158575"><li id="dew_01_0001__li115388577">Data encryption and decryption</li><li id="dew_01_0001__li13153181270">DEK encryption and decryption<div class="note" id="dew_01_0001__note1372720189158"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="dew_01_0001__p195293671611">You can encrypt and decrypt a small amount of data using the online tool on the console.</p>
<p id="dew_01_0001__p19728161831512">To encrypt and decrypt a large amount of data, call the APIs.</p>
</div></div>
</li></ul>
</td>
</tr>
<tr id="dew_01_0001__row25853341815"><td class="cellrowborder" valign="top" width="19.79%" headers="mcps1.3.5.3.2.6.1.1 "><p id="dew_01_0001__p1759103319185">Digest key</p>
</td>
<td class="cellrowborder" valign="top" width="17.84%" headers="mcps1.3.5.3.2.6.1.2 "><p id="dew_01_0001__p185973320186">SHA</p>
</td>
<td class="cellrowborder" valign="top" width="22.27%" headers="mcps1.3.5.3.2.6.1.3 "><ul id="dew_01_0001__ul12847123214192"><li id="dew_01_0001__li0847432101920">HMAC_256</li><li id="dew_01_0001__li873494210199">HMAC_384</li><li id="dew_01_0001__li199611657141910">HMAC_512</li></ul>
</td>
<td class="cellrowborder" valign="top" width="20.1%" headers="mcps1.3.5.3.2.6.1.4 "><p id="dew_01_0001__p459143361817">Digest key</p>
</td>
<td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.5.3.2.6.1.5 "><ul id="dew_01_0001__ul173801592042"><li id="dew_01_0001__li738013599414">Data tampering prevention</li><li id="dew_01_0001__li53921875519">Data integrity verification</li></ul>
</td>
</tr>
<tr id="dew_01_0001__row51341950153118"><td class="cellrowborder" rowspan="2" valign="top" width="19.79%" headers="mcps1.3.5.3.2.6.1.1 "><p id="dew_01_0001__p17135145013312">Asymmetric key</p>
</td>
<td class="cellrowborder" valign="top" width="17.84%" headers="mcps1.3.5.3.2.6.1.2 "><p id="dew_01_0001__p121351050163112">RSA</p>
</td>
<td class="cellrowborder" valign="top" width="22.27%" headers="mcps1.3.5.3.2.6.1.3 "><ul id="dew_01_0001__ul858832973417"><li id="dew_01_0001__li11588429113412">RSA_2048</li><li id="dew_01_0001__li5589132917341">RSA_3072</li><li id="dew_01_0001__li340620263353">RSA_4096</li></ul>
</td>
<td class="cellrowborder" valign="top" width="20.1%" headers="mcps1.3.5.3.2.6.1.4 "><p id="dew_01_0001__p1613595015317">RSA asymmetric key</p>
</td>
<td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.5.3.2.6.1.5 "><ul id="dew_01_0001__ul9805101045314"><li id="dew_01_0001__li16805510135314">Digital signature and signature verification</li><li id="dew_01_0001__li38051110145311">Data encryption and decryption<div class="note" id="dew_01_0001__note11881237111318"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="dew_01_0001__p178819371135">Asymmetric keys are intended for signing and signature verification. They are too inefficient for bulk data encryption; use symmetric keys to encrypt and decrypt data.</p>
</div></div>
</li></ul>
</td>
</tr>
<tr id="dew_01_0001__row037145343118"><td class="cellrowborder" valign="top" headers="mcps1.3.5.3.2.6.1.2 "><p id="dew_01_0001__p14371539318">ECC</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.5.3.2.6.1.3 "><ul id="dew_01_0001__ul384511534343"><li id="dew_01_0001__li8845053133410">EC_P256</li><li id="dew_01_0001__li38451531342">EC_P384</li></ul>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.5.3.2.6.1.4 "><p id="dew_01_0001__p43795363116">NIST-recommended elliptic curves</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.5.3.2.6.1.5 "><p id="dew_01_0001__p1537145343114">Digital signature and signature verification</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="dew_01_0001__p1463525511469">The following table lists the key wrapping algorithms supported for encrypting imported key material.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="dew_01_0001__table123192815372" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Key wrapping algorithm</caption><thead align="left"><tr id="dew_01_0001__row14322823712"><th align="left" class="cellrowborder" valign="top" width="23.332333233323332%" id="mcps1.3.5.5.2.4.1.1"><p id="dew_01_0001__p9260153415371">Algorithm</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="35.08350835083508%" id="mcps1.3.5.5.2.4.1.2"><p id="dew_01_0001__p72601534163718">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="41.584158415841586%" id="mcps1.3.5.5.2.4.1.3"><p id="dew_01_0001__p920123983710">Configuration</p>
</th>
</tr>
</thead>
<tbody><tr id="dew_01_0001__row16318285374"><td class="cellrowborder" valign="top" width="23.332333233323332%" headers="mcps1.3.5.5.2.4.1.1 "><p id="dew_01_0001__p22614345378">RSAES_OAEP_SHA_256</p>
</td>
<td class="cellrowborder" valign="top" width="35.08350835083508%" headers="mcps1.3.5.5.2.4.1.2 "><p id="dew_01_0001__p1261634163713">RSA encryption with OAEP padding using the <strong id="dew_01_0001__b382814129">SHA-256</strong> hash function</p>
</td>
<td class="cellrowborder" valign="top" width="41.584158415841586%" headers="mcps1.3.5.5.2.4.1.3 "><p id="dew_01_0001__p17211039183716">Select an algorithm based on the capabilities of your HSM.</p>
<p id="dew_01_0001__p10211539203714">If your HSM supports the <strong id="dew_01_0001__b6388205181914">RSAES_OAEP_SHA_256</strong> algorithm, use <strong id="dew_01_0001__b123883515192">RSAES_OAEP_SHA_256</strong> to encrypt the key material.</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0121.html">KMS</a></div>
</div>
</div>