doc-exports/docs/kms/umn/dew_01_0089.html
qinweiwei 3e4721c813 KMS UMN 20251111 version
Reviewed-by: Rogal, Marcel <mrogal@noreply.gitea.eco.tsi-dev.otc-service.com>
Co-authored-by: qinweiwei <qinweiwei@huawei.com>
Co-committed-by: qinweiwei <qinweiwei@huawei.com>
2026-01-19 09:05:54 +00:00

<a name="dew_01_0089"></a><a name="dew_01_0089"></a>
<h1 class="topictitle1">Importing Key Materials</h1>
<div id="body0000002000085620"><p id="dew_01_0089__a516fa69a92a4491ba67ad54587d59b26">If you want to use your own key materials instead of the KMS-generated materials, you can use the console to import your key materials to KMS. CMKs created using imported materials and KMS-generated materials are managed together by KMS.</p>
<p id="dew_01_0089__a04cb1bda13814c87af1743675362e312">This section describes how to import key materials on the KMS console.</p>
<div class="section" id="dew_01_0089__section148317438319"><h4 class="sectiontitle">Operation Process</h4>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="dew_01_0089__table42393316534" frame="border" border="1" rules="all"><thead align="left"><tr id="dew_01_0089__row1424093118532"><th align="left" class="cellrowborder" valign="top" width="22.49%" id="mcps1.3.3.2.1.3.1.1"><p id="dew_01_0089__p1224043125312">Scenario</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="77.51%" id="mcps1.3.3.2.1.3.1.2"><p id="dew_01_0089__p18240143175316">Procedure</p>
</th>
</tr>
</thead>
<tbody><tr id="dew_01_0089__row182401231205319"><td class="cellrowborder" valign="top" width="22.49%" headers="mcps1.3.3.2.1.3.1.1 "><p id="dew_01_0089__p824010318531">Using existing key materials</p>
</td>
<td class="cellrowborder" valign="top" width="77.51%" headers="mcps1.3.3.2.1.3.1.2 "><ol id="dew_01_0089__ol17855250151111"><li id="dew_01_0089__li14855125061113"><a href="#dew_01_0089__section1232061165711">Creating a key whose material source is external</a>: Create an empty key whose material source is external.</li><li id="dew_01_0089__li1385565041119"><a href="#dew_01_0089__section8215105213617">Importing key material (existing key material)</a>: Import key material and token to the created empty key.</li></ol>
</td>
</tr>
<tr id="dew_01_0089__row15240103115310"><td class="cellrowborder" valign="top" width="22.49%" headers="mcps1.3.3.2.1.3.1.1 "><p id="dew_01_0089__p424083118535">Downloading key materials by calling APIs</p>
</td>
<td class="cellrowborder" valign="top" width="77.51%" headers="mcps1.3.3.2.1.3.1.2 "><ol id="dew_01_0089__ol122801192128"><li id="dew_01_0089__li142811795125"><a href="#dew_01_0089__section1232061165711">Creating a key whose material source is external</a>: Create an empty key whose material source is external.</li><li id="dew_01_0089__li177819106124"><a href="#dew_01_0089__scfd68ea997e74909a825386e20128afc">Downloading wrapping key and importing a token (by calling the API)</a>: Download the wrapping key and the import token by calling the API.</li><li id="dew_01_0089__li1245424141213"><a href="#dew_01_0089__section167823289366">Using wrapping key to encrypt key material</a>: Use an HSM or OpenSSL to encrypt the key material with the wrapping key.</li><li id="dew_01_0089__li321383613121"><a href="#dew_01_0089__section19218511587">Importing key material (existing key material)</a>: Import key material and token to the created empty key.</li></ol>
</td>
</tr>
<tr id="dew_01_0089__row1682573120544"><td class="cellrowborder" valign="top" width="22.49%" headers="mcps1.3.3.2.1.3.1.1 "><p id="dew_01_0089__p0826113117547">Downloading key materials on the KMS console</p>
</td>
<td class="cellrowborder" valign="top" width="77.51%" headers="mcps1.3.3.2.1.3.1.2 "><ol id="dew_01_0089__ol154581349101310"><li id="dew_01_0089__li345894911316"><a href="#dew_01_0089__section1232061165711">Creating a key whose material source is external</a>: Create an empty key whose material source is external.</li><li id="dew_01_0089__li79591050141314"><a href="#dew_01_0089__section197084131607">Downloading wrapping key and importing the token (from the KMS console)</a>: Download the wrapping key from the KMS console. The import token is passed automatically by the console.<div class="notice" id="dew_01_0089__note1184530105914"><span class="noticetitle"> NOTICE: </span><div class="noticebody"><p id="dew_01_0089__p43128515016">After downloading the wrapping key, do not close or exit the <span class="parmname" id="dew_01_0089__parmname154583114115"><b>Import Key Material</b></span> dialog box. After the key material is encrypted, continue with <a href="#dew_01_0089__section1421715592815">Import Key Material (Continue to Import Key Material)</a> in this dialog box.</p>
</div></div>
</li><li id="dew_01_0089__li1215172614145"><a href="#dew_01_0089__section167823289366">Using wrapping key to encrypt key material</a>: Use an HSM or OpenSSL to encrypt the key material with the wrapping key.</li><li id="dew_01_0089__li18451172712143"><a href="#dew_01_0089__section1421715592815">Importing Key Material (Continue Importing Key Material)</a>: Import the key material to the created empty key.</li></ol>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section" id="dew_01_0089__section1232061165711"><a name="dew_01_0089__section1232061165711"></a><a name="section1232061165711"></a><h4 class="sectiontitle">Step 1: Creating a Key Using External Materials</h4><ol id="dew_01_0089__ol16614162723712"><li id="dew_01_0089__li161519279372"><span>Log in to the management console.</span></li><li id="dew_01_0089__li680214213713"><span>Click <span><img id="dew_01_0089__dew_01_0178_image10325154918393" src="en-us_image_0000001284811084.png"></span> in the upper left corner of the management console and select a region or project.</span></li><li id="dew_01_0089__li1279512297175"><span>Click <span><img id="dew_01_0089__image2028218125542" src="en-us_image_0000002511514115.png"></span> on the left and choose <span class="menucascade" id="dew_01_0089__menucascade1428218125541"><b><span class="uicontrol" id="dew_01_0089__uicontrol15282191210543">Security</span></b> &gt; <b><span class="uicontrol" id="dew_01_0089__uicontrol128231275416">Key Management Service</span></b></span>.</span></li><li id="dew_01_0089__li18542658173812"><span>Click <span class="uicontrol" id="dew_01_0089__dew_01_0178_uicontrol64412134714"><b>Create Key</b></span> in the upper right corner of the page to create an empty key whose <span class="parmname" id="dew_01_0089__parmname35991233124011"><b>Source</b></span> is <span class="parmvalue" id="dew_01_0089__parmvalue99489350402"><b>External</b></span>. For details about more parameters, see <a href="dew_01_0178.html#dew_01_0178__li19889912558">Step 5</a>.</span></li></ol>
</div>
<div class="section" id="dew_01_0089__section1410714716346"><h4 class="sectiontitle">Step 2: Downloading the Wrapping Key and Importing Token</h4><div class="p" id="dew_01_0089__p18899295507">The key management function provides two download modes:<ul id="dew_01_0089__ul729810392535"><li id="dew_01_0089__li14298239135312">Download the wrapping key and import token by calling the API.</li><li id="dew_01_0089__li188499477532">Download the wrapping key from the KMS console. The import token is automatically passed by the console. Therefore, do not close or exit the <span class="parmname" id="dew_01_0089__parmname17785125565318"><b>Import Key Material</b></span> dialog box after the wrapping key is downloaded. Otherwise, the import token will automatically become invalid.</li></ul>
</div>
</div>
<div class="section" id="dew_01_0089__scfd68ea997e74909a825386e20128afc"><a name="dew_01_0089__scfd68ea997e74909a825386e20128afc"></a><a name="scfd68ea997e74909a825386e20128afc"></a><h4 class="sectiontitle">Downloading the Wrapping Key By Calling APIs</h4><ol id="dew_01_0089__ol1541410161834"><li id="dew_01_0089__li154158161035"><span>Call the <strong id="dew_01_0089__b1874913583017">get-parameters-for-import</strong> API to obtain the wrapping key and import token.</span><p><ul id="dew_01_0089__ul640239194815"><li id="dew_01_0089__li44018391482"><span class="parmname" id="dew_01_0089__parmname12511151381513"><b>public_key</b></span>: content of the wrapping key (Base-64 encoding) returned after the API call</li><li id="dew_01_0089__li18923851184818"><span class="parmname" id="dew_01_0089__parmname339919151153"><b>import_token</b></span>: content of the import token (Base-64 encoding) returned after the API call</li></ul>
<div class="p" id="dew_01_0089__p032814361292">The following example describes how to obtain the wrapping key and import token of a CMK (ID: <span class="parmvalue" id="dew_01_0089__parmvalue33751615171613"><b>43f1ffd7-18fb-4568-9575-602e009b7ee8</b></span>; algorithm: <span class="parmvalue" id="dew_01_0089__parmvalue13375101551612"><b>RSAES_OAEP_SHA_256</b></span>).<ul id="dew_01_0089__ul133291136697"><li id="dew_01_0089__li43291536197">Example request<pre class="screen" id="dew_01_0089__screen63291361391">{
"key_id": "43f1ffd7-18fb-4568-9575-602e009b7ee8",
"wrapping_algorithm":"RSAES_OAEP_SHA_256"
}</pre>
</li><li id="dew_01_0089__li10329736494">Example response<pre class="screen" id="dew_01_0089__screen103295361593">{
"key_id": "43f1ffd7-18fb-4568-9575-602e009b7ee8",
"public_key":"<em id="dew_01_0089__i1733015364911">public key base64 encoded data</em>",
"import_token":"<em id="dew_01_0089__i433020361690">import token base64 encoded data</em>",
"expiration_time":1501578672
}</pre>
</li></ul>
</div>
</p></li><li id="dew_01_0089__li512773015315"><span>Save the wrapping key and convert its format. Only the key material encrypted using the converted wrapping key can be imported to the management console.</span><p><ol type="a" id="dew_01_0089__ol2330163615917"><li id="dew_01_0089__li163307361395">Copy the content of the wrapping key <strong id="dew_01_0089__b1232212916217">public_key</strong>, paste it into a .txt file, and save the file as <strong id="dew_01_0089__b132320290218">PublicKey.b64</strong>.</li><li id="dew_01_0089__li1933053615918">Use OpenSSL to run the following command to Base64-decode the content of the <strong id="dew_01_0089__b11409331122116">PublicKey.b64</strong> file into binary data, and save the converted file as <strong id="dew_01_0089__b341012310215">PublicKey.bin</strong>:<p id="dew_01_0089__p033019364913"><strong id="dew_01_0089__b1133063616914">openssl</strong> <strong id="dew_01_0089__b143307364913">enc</strong> <strong id="dew_01_0089__b1533014368912">-d</strong> <strong id="dew_01_0089__b533014365913">-base64</strong> <strong id="dew_01_0089__b233013617910">-A</strong> <strong id="dew_01_0089__b133012365919">-in</strong> <strong id="dew_01_0089__b133016361294">PublicKey.b64</strong> <strong id="dew_01_0089__b11330036892">-out</strong> <strong id="dew_01_0089__b833033616914">PublicKey.bin</strong></p>
</li></ol>
</p></li><li id="dew_01_0089__li0423534736"><span>Save the import token: copy the content of <strong id="dew_01_0089__b15236138173014">import_token</strong>, paste it into a .txt file, and save the file as <strong id="dew_01_0089__b18236153810307">ImportToken.b64</strong>.</span></li></ol>
</div>
<div class="section" id="dew_01_0089__section197084131607"><a name="dew_01_0089__section197084131607"></a><a name="section197084131607"></a><h4 class="sectiontitle">Downloading the Wrapping Key on the KMS Console</h4><ol id="dew_01_0089__ol14581124801"><li id="dew_01_0089__li258224700"><span>Log in to the management console.</span></li><li id="dew_01_0089__li05819247013"><span>Click <span><img id="dew_01_0089__dew_01_0178_image10325154918393_1" src="en-us_image_0000001284811084.png"></span> in the upper left corner of the management console and select a region or project.</span></li><li id="dew_01_0089__li7762532246"><span>Click <span><img id="dew_01_0089__image99507144549" src="en-us_image_0000002479477424.png"></span> on the left and choose <span class="menucascade" id="dew_01_0089__menucascade12951114195419"><b><span class="uicontrol" id="dew_01_0089__uicontrol695181455412">Security</span></b> &gt; <b><span class="uicontrol" id="dew_01_0089__uicontrol169519146540">Key Management Service</span></b></span>.</span></li><li id="dew_01_0089__li13246734201012"><span>In the <span class="parmname" id="dew_01_0089__parmname024673441014"><b>Custom Keys</b></span> tab, locate the key created by <a href="#dew_01_0089__section1232061165711">Step 1: Creating a Key Using External Materials</a> and click <span class="uicontrol" id="dew_01_0089__uicontrol1824603481010"><b>Import Key Material</b></span> in the <span class="parmname" id="dew_01_0089__parmname1024673419104"><b>Operation</b></span> column.</span></li><li id="dew_01_0089__li195915241106"><span>In the <span class="uicontrol" id="dew_01_0089__uicontrol1059152417019"><b>Download the Import Items</b></span> area, select a key wrapping algorithm based on <a href="#dew_01_0089__table25919249015">Key wrapping algorithm</a>.</span><p><div class="fignone" id="dew_01_0089__fig1959172416011"><span class="figcap"><b>Figure 1 </b>Obtaining the wrapping key and import token</span><p id="dew_01_0089__p1227419913814"><span><img 
id="dew_01_0089__image932553619448" src="en-us_image_0000002277965541.png"></span></p>
</div>
<div class="tablenoborder"><a name="dew_01_0089__table25919249015"></a><a name="table25919249015"></a><table cellpadding="4" cellspacing="0" summary="" id="dew_01_0089__table25919249015" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Key wrapping algorithms</caption><thead align="left"><tr id="dew_01_0089__row26015242004"><th align="left" class="cellrowborder" valign="top" width="23.332333233323332%" id="mcps1.3.7.2.5.2.2.2.4.1.1"><p id="dew_01_0089__p260182416014">Algorithm</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="35.08350835083508%" id="mcps1.3.7.2.5.2.2.2.4.1.2"><p id="dew_01_0089__p860102417018">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="41.584158415841586%" id="mcps1.3.7.2.5.2.2.2.4.1.3"><p id="dew_01_0089__p9604241505">Configuration</p>
</th>
</tr>
</thead>
<tbody><tr id="dew_01_0089__row116011247013"><td class="cellrowborder" valign="top" width="23.332333233323332%" headers="mcps1.3.7.2.5.2.2.2.4.1.1 "><p id="dew_01_0089__p2060182412010">RSAES_OAEP_SHA_256</p>
</td>
<td class="cellrowborder" valign="top" width="35.08350835083508%" headers="mcps1.3.7.2.5.2.2.2.4.1.2 "><p id="dew_01_0089__p86013244020">RSA algorithm that uses OAEP and has the <strong id="dew_01_0089__b228920441317">SHA-256</strong> hash function</p>
</td>
<td class="cellrowborder" valign="top" width="41.584158415841586%" headers="mcps1.3.7.2.5.2.2.2.4.1.3 "><p id="dew_01_0089__p3609243017">Select an algorithm based on your HSM functions.</p>
<p id="dew_01_0089__p160172413013">If the HSMs support the <strong id="dew_01_0089__b5560207111311">RSAES_OAEP_SHA_256</strong> algorithm, use <strong id="dew_01_0089__b13561107101310">RSAES_OAEP_SHA_256</strong> to encrypt key materials.</p>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="dew_01_0089__li142446213516"><a name="dew_01_0089__li142446213516"></a><a name="li142446213516"></a><span>Click <span class="uicontrol" id="dew_01_0089__uicontrol176671141481"><b>Download Key Material</b></span> to download the wrapping key file, as shown in <a href="#dew_01_0089__fig6615246013">Figure 2</a>.</span><p><div class="fignone" id="dew_01_0089__fig6615246013"><a name="dew_01_0089__fig6615246013"></a><a name="fig6615246013"></a><span class="figcap"><b>Figure 2 </b>Downloading a file</span><br><span><img id="dew_01_0089__image20613246014" src="en-us_image_0000002141499297.png"></span></div>
<ul id="dew_01_0089__ul9616242006"><li id="dew_01_0089__li96114241005"><strong id="dew_01_0089__b1052192817137">wrappingKey_</strong><em id="dew_01_0089__i19521192831318">KeyID</em> is the wrapping key. It is encoded in binary format and is used to encrypt the key material.</li><li id="dew_01_0089__li176122417018">Import token: You do not need to download it. The import wizard automatically transfers the import token. If you close the wizard before completing the import, the token will automatically become invalid.</li></ul>
<div class="notice" id="dew_01_0089__note156215241601"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p id="dew_01_0089__p20629246015">The wrapping key expires in 24 hours. If the wrapping key is invalid, download it again.</p>
<p id="dew_01_0089__p4429102814585">The console automatically passes the import token. Therefore, do not close or exit the <span class="parmname" id="dew_01_0089__parmname542917285583"><b>Import Key Material</b></span> dialog box after the wrapping key is downloaded. Otherwise, the import token will automatically become invalid.</p>
<p id="dew_01_0089__p17561813175512">After downloading the wrapping key, <a href="#dew_01_0089__section167823289366">use it to encrypt the key material</a>. Then, import the key material in the <span class="parmname" id="dew_01_0089__parmname7346321173216"><b>Import Key Material</b></span> dialog box. For details, see <a href="#dew_01_0089__section1421715592815">Importing Key Materials</a>.</p>
</div></div>
</p></li></ol>
</div>
<div class="section" id="dew_01_0089__section167823289366"><a name="dew_01_0089__section167823289366"></a><a name="section167823289366"></a><h4 class="sectiontitle">Step 3: Using Wrapping Key to Encrypt Key Materials</h4><div class="p" id="dew_01_0089__p276234010569">Symmetric and asymmetric key encryption modes generate different key materials.<ul id="dew_01_0089__ul18525122613478"><li id="dew_01_0089__li10525826104715">Symmetric key: The key material is <span class="parmname" id="dew_01_0089__parmname16668533164717"><b>EncryptedKeyMaterial.bin</b></span>.</li><li id="dew_01_0089__li853573811478">Asymmetric key: <strong id="dew_01_0089__b13168935141617">EncryptedKeyMaterial.bin</strong> (temporary key material) and <strong id="dew_01_0089__b19169193511164">out_rsa_private_key.der</strong> (private key ciphertext)</li></ul>
</div>
</div>
<div class="section" id="dew_01_0089__section1250155684817"><h4 class="sectiontitle">Symmetric Keys</h4><ul id="dew_01_0089__ul184111957135219"><li id="dew_01_0089__li5411757155218">Method 1: Use the downloaded wrapping key to encrypt key materials on your HSM. For details, see the operation guide of your HSM.</li><li id="dew_01_0089__li17613175925212">Method 2: Use OpenSSL to generate a key material and use the downloaded wrapping key to encrypt the key material.<div class="note" id="dew_01_0089__note315145319521"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="dew_01_0089__p215175305216">If you need to run the <strong id="dew_01_0089__b185621719395">openssl pkeyutl</strong> command, ensure your OpenSSL version is 1.0.2 or later.</p>
</div></div>
<ol id="dew_01_0089__ol19151125313520"><li id="dew_01_0089__li2151205365212">To generate a key material for a 256-bit symmetric key, on the agent where OpenSSL has been installed, run the following command to generate the key material and save it as <strong id="dew_01_0089__b15680112010399">PlaintextKeyMaterial.bin</strong>:<ul id="dew_01_0089__ul4293107134316"><li id="dew_01_0089__li20293371438">AES256 symmetric key<p id="dew_01_0089__p1492412165432"><a name="dew_01_0089__li20293371438"></a><a name="li20293371438"></a><strong id="dew_01_0089__b873592944313">openssl</strong> <strong id="dew_01_0089__b1273632915437">rand</strong> <strong id="dew_01_0089__b5736102912439">-out</strong> <em id="dew_01_0089__i9736112917431"><strong id="dew_01_0089__b14736162911439">PlaintextKeyMaterial.bin</strong></em> <strong id="dew_01_0089__b16736122964315">32</strong></p>
</li></ul>
</li><li id="dew_01_0089__li1615275385220">Use the downloaded wrapping key to encrypt the key material and save the encrypted key material as <strong id="dew_01_0089__b1098531710417">EncryptedKeyMaterial.bin</strong>.<p id="dew_01_0089__p1015285355212">If the wrapping key was downloaded from the console, replace <strong id="dew_01_0089__b3384182113309"><em id="dew_01_0089__i73841218307">PublicKey.bin</em></strong> in the following command with the wrapping key name <i><span class="varname" id="dew_01_0089__varname0384221153019">wrappingKey_keyID</span></i>.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="dew_01_0089__table31532537527" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Encrypting the generated key material using the downloaded wrapping key</caption><thead align="left"><tr id="dew_01_0089__row415325315216"><th align="left" class="cellrowborder" valign="top" width="27.97%" id="mcps1.3.9.2.2.2.2.3.2.3.1.1"><p id="dew_01_0089__p1815316530529">Wrapping Key Algorithm</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="72.03%" id="mcps1.3.9.2.2.2.2.3.2.3.1.2"><p id="dew_01_0089__p315345320526">Key Material Encryption</p>
</th>
</tr>
</thead>
<tbody><tr id="dew_01_0089__row171531553175216"><td class="cellrowborder" valign="top" width="27.97%" headers="mcps1.3.9.2.2.2.2.3.2.3.1.1 "><p id="dew_01_0089__p915315532524">RSAES_OAEP_SHA_256</p>
</td>
<td class="cellrowborder" valign="top" width="72.03%" headers="mcps1.3.9.2.2.2.2.3.2.3.1.2 "><p id="dew_01_0089__p106122335510"><strong id="dew_01_0089__b2881416569">openssl pkeyutl -in <em id="dew_01_0089__i1434874114552">PlaintextKeyMaterial.bin</em> -inkey <em id="dew_01_0089__i11791650105518">PublicKey.bin</em> -out <em id="dew_01_0089__i61651754195517">EncryptedKeyMaterial.bin</em> -keyform der -pubin -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256</strong></p>
</td>
</tr>
</tbody>
</table>
</div>
</li></ol>
</li></ul>
</div>
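<p>Added example (not part of the original KMS documentation): a local dry run of the symmetric-key steps above that wraps a 32-byte key material with RSAES_OAEP_SHA_256 and confirms it unwraps to the same bytes. A throwaway 2048-bit RSA key pair stands in for the KMS wrapping key (an assumption; the page does not state the wrapping key size), and the function names <b>token_is_valid</b> and <b>wrap_dry_run</b> are hypothetical helpers.</p>

```shell
#!/bin/sh
# Added example: local dry run of the documented wrapping commands.
# Assumption: the wrapping key is an RSA public key in DER
# SubjectPublicKeyInfo form, which is what "-keyform der -pubin" expects.

# Succeeds only while the wrapping key / import token is still usable.
# $1 = expiration_time from the API response (epoch seconds)
# $2 = current time in epoch seconds (optional, defaults to now)
token_is_valid() (
  exp=$1
  now=${2:-$(date +%s)}
  [ "$now" -lt "$exp" ]
)

# Runs the page's commands in a private temp directory, then unwraps the
# result with the test private key. Prints the ciphertext size in bytes
# on success and returns non-zero on any failure.
wrap_dry_run() (
  umask 077                      # key files readable by the owner only
  dir=$(mktemp -d) || exit 1
  trap 'rm -rf "$dir"' EXIT      # never leave plaintext key material behind
  cd "$dir" || exit 1

  # Constructed stand-in for the Base64 "public_key" field of the response.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out test_private.pem 2>/dev/null || exit 1
  openssl pkey -in test_private.pem -pubout -outform DER |
    openssl enc -base64 -A > PublicKey.b64 || exit 1

  # Page step: Base64-decode the wrapping key into binary form.
  openssl enc -d -base64 -A -in PublicKey.b64 -out PublicKey.bin || exit 1
  # Extra check: the decoded file must parse as a public key before use.
  openssl pkey -pubin -inform DER -in PublicKey.bin -noout || exit 1

  # Page step: generate 256-bit key material.
  openssl rand -out PlaintextKeyMaterial.bin 32 || exit 1
  [ "$(( $(wc -c < PlaintextKeyMaterial.bin) ))" -eq 32 ] || exit 1

  # Page step: wrap the key material with RSAES_OAEP_SHA_256.
  openssl pkeyutl -in PlaintextKeyMaterial.bin -inkey PublicKey.bin \
    -out EncryptedKeyMaterial.bin -keyform der -pubin -encrypt \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 || exit 1

  # Round trip: only possible here because the test private key is local.
  openssl pkeyutl -decrypt -inkey test_private.pem \
    -in EncryptedKeyMaterial.bin -out Recovered.bin \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 || exit 1
  cmp -s PlaintextKeyMaterial.bin Recovered.bin || exit 1

  echo "$(( $(wc -c < EncryptedKeyMaterial.bin) ))"
)

echo "ciphertext bytes: $(wrap_dry_run)"
```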
<div class="section" id="dew_01_0089__section143328414499"><h4 class="sectiontitle">Asymmetric Keys</h4><ul id="dew_01_0089__ul102411338155715"><li id="dew_01_0089__li16241133810577">Method 1: Use the downloaded wrapping key to encrypt key materials on your HSM. For details, see the operation guide of your HSM.</li><li id="dew_01_0089__li624119387573">Method 2: Use OpenSSL to generate a key material and use the downloaded wrapping key to encrypt the key material.<div class="note" id="dew_01_0089__note38089198141"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="dew_01_0089__p16808319201417">If you need to run the <strong id="dew_01_0089__b6783114619217">openssl pkeyutl</strong> command, ensure your OpenSSL version is 1.0.2 or later.</p>
</div></div>
<ol id="dew_01_0089__ol1433714243514"><li id="dew_01_0089__li34959578345">To generate a key material for a 256-bit symmetric key, on the agent where OpenSSL has been installed, run the following command to generate the key material and save it as <strong id="dew_01_0089__b2351102716414">PlaintextKeyMaterial.bin</strong>:<ul id="dew_01_0089__ul3336172113581"><li id="dew_01_0089__li1033618212586">RSA and ECC asymmetric keys<ol type="a" id="dew_01_0089__ol1578235619439"><li id="dew_01_0089__li8782156184314">Generate a hexadecimal AES256 key.<p id="dew_01_0089__p4511953912"><a name="dew_01_0089__li8782156184314"></a><a name="li8782156184314"></a><strong id="dew_01_0089__b7875639125819">openssl rand -out 0xPlaintextKeyMaterial.bin -hex 32</strong></p>
</li><li id="dew_01_0089__li147611929442">Convert the hexadecimal AES256 key to the binary format.<p id="dew_01_0089__p6518190395"><a name="dew_01_0089__li147611929442"></a><a name="li147611929442"></a><strong id="dew_01_0089__b15875939155814">cat 0xPlaintextKeyMaterial.bin | xxd -r -ps &gt; PlaintextKeyMaterial.bin</strong></p>
</li></ol>
</li></ul>
</li><li id="dew_01_0089__li12585410398">Use the downloaded wrapping key to encrypt the key material and save the encrypted key material as <strong id="dew_01_0089__dew_01_0089_b1098531710417">EncryptedKeyMaterial.bin</strong>.<p id="dew_01_0089__dew_01_0089_p1015285355212">If the wrapping key was downloaded from the console, replace <strong id="dew_01_0089__dew_01_0089_b3384182113309"><em id="dew_01_0089__dew_01_0089_i73841218307">PublicKey.bin</em></strong> in the following command with the wrapping key name <i><span class="varname" id="dew_01_0089__dew_01_0089_varname0384221153019">wrappingKey_keyID</span></i>.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="dew_01_0089__dew_01_0089_table31532537527" frame="border" border="1" rules="all"><caption><b>Table 3 </b>Encrypting the generated key material using the downloaded wrapping key</caption><thead align="left"><tr id="dew_01_0089__dew_01_0089_row415325315216"><th align="left" class="cellrowborder" valign="top" width="27.97%" id="mcps1.3.10.2.2.2.2.3.2.3.1.1"><p id="dew_01_0089__dew_01_0089_p1815316530529">Wrapping Key Algorithm</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="72.03%" id="mcps1.3.10.2.2.2.2.3.2.3.1.2"><p id="dew_01_0089__dew_01_0089_p315345320526">Key Material Encryption</p>
</th>
</tr>
</thead>
<tbody><tr id="dew_01_0089__dew_01_0089_row171531553175216"><td class="cellrowborder" valign="top" width="27.97%" headers="mcps1.3.10.2.2.2.2.3.2.3.1.1 "><p id="dew_01_0089__dew_01_0089_p915315532524">RSAES_OAEP_SHA_256</p>
</td>
<td class="cellrowborder" valign="top" width="72.03%" headers="mcps1.3.10.2.2.2.2.3.2.3.1.2 "><p id="dew_01_0089__dew_01_0089_p106122335510"><strong id="dew_01_0089__dew_01_0089_b2881416569">openssl pkeyutl -in <em id="dew_01_0089__dew_01_0089_i1434874114552">PlaintextKeyMaterial.bin</em> -inkey <em id="dew_01_0089__dew_01_0089_i11791650105518">PublicKey.bin</em> -out <em id="dew_01_0089__dew_01_0089_i61651754195517">EncryptedKeyMaterial.bin</em> -keyform der -pubin -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256</strong></p>
</td>
</tr>
</tbody>
</table>
</div>
</li><li id="dew_01_0089__li287144863910">To import an asymmetric key, generate an asymmetric private key, use the temporary key material (<span class="filepath" id="dew_01_0089__filepath434335034111"><b>EncryptedKeyMaterial.bin</b></span>) to encrypt the private key, and import the encrypted file as the private key ciphertext.<ul id="dew_01_0089__ul1487910398582"><li id="dew_01_0089__li8879193916587">Take the <strong id="dew_01_0089__b1460512911437">RSA4096 algorithm</strong> as an example.<ol type="a" id="dew_01_0089__ol1879639125817"><li id="dew_01_0089__li18791239185813">Generate a private key.<p id="dew_01_0089__p156960812421"><a name="dew_01_0089__li18791239185813"></a><a name="li18791239185813"></a><strong id="dew_01_0089__b111171437185711">openssl genrsa -out pkcs1_rsa_private_key.pem 4096</strong></p>
</li><li id="dew_01_0089__li3239193421717">Convert the format to PKCS8.<p id="dew_01_0089__p1700164904213"><a name="dew_01_0089__li3239193421717"></a><a name="li3239193421717"></a><strong id="dew_01_0089__b5223185844216">openssl pkcs8 -topk8 -inform PEM -in pkcs1_rsa_private_key.pem -outform pem -nocrypt -out rsa_private_key.pem</strong></p>
</li><li id="dew_01_0089__li2879193920580">Convert the PKCS8 format to the DER format.<p id="dew_01_0089__p14879123916586"><a name="dew_01_0089__li2879193920580"></a><a name="li2879193920580"></a><strong id="dew_01_0089__b10879839165815">openssl pkcs8 -topk8 -inform PEM -outform DER -in rsa_private_key.pem -out rsa_private_key.der -nocrypt</strong></p>
</li><li id="dew_01_0089__li9879163965814">Use a temporary key material to encrypt the private key.<p id="dew_01_0089__p7879193975817"><a name="dew_01_0089__li9879163965814"></a><a name="li9879163965814"></a><strong id="dew_01_0089__b1987933916584">openssl enc -id-aes256-wrap-pad -K $(cat 0xPlaintextKeyMaterial.bin) -iv A65959A6 -in rsa_private_key.der -out out_rsa_private_key.der</strong></p>
<div class="note" id="dew_01_0089__note16879133915584"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="dew_01_0089__p128792392583">By default, the -id-aes256-wrap-pad algorithm is not enabled in OpenSSL. To wrap a key, upgrade OpenSSL to the latest version and patch it first. For details, see FAQs.</p>
</div></div>
</li></ol>
</li></ul>
</li></ol>
</li></ul>
</div>
<div class="section" id="dew_01_0089__section8215105213617"><a name="dew_01_0089__section8215105213617"></a><a name="section8215105213617"></a><h4 class="sectiontitle">Step 4: Importing Key Materials</h4><p id="dew_01_0089__p1769391875416">The import method varies depending on the key material download method.</p>
<ul id="dew_01_0089__ul931013217136"><li id="dew_01_0089__li1476713167401">If the wrapping key was downloaded by calling the API, or the key material already exists, follow <a href="#dew_01_0089__section19218511587">Importing Existing Key Materials</a>.</li><li id="dew_01_0089__li113101822136">If the wrapping key was downloaded using the KMS console, follow <a href="#dew_01_0089__section1421715592815">Importing Key Materials</a>.</li></ul>
</div>
<div class="section" id="dew_01_0089__section19218511587"><a name="dew_01_0089__section19218511587"></a><a name="section19218511587"></a><h4 class="sectiontitle">Importing Existing Key Materials</h4><ol id="dew_01_0089__ol12444142317019"><li id="dew_01_0089__li124291322163816"><span>Log in to the management console.</span></li><li id="dew_01_0089__li3429122163812"><span>Click <span><img id="dew_01_0089__dew_01_0178_image10325154918393_2" src="en-us_image_0000001284811084.png"></span> in the upper left corner of the management console and select a region or project.</span></li><li id="dew_01_0089__li1116111229247"><span>Click <span><img id="dew_01_0089__image1593021718546" src="en-us_image_0000002479637434.png"></span> on the left and choose <span class="menucascade" id="dew_01_0089__menucascade2931151717543"><b><span class="uicontrol" id="dew_01_0089__uicontrol1593061714547">Security</span></b> &gt; <b><span class="uicontrol" id="dew_01_0089__uicontrol9931817165416">Key Management Service</span></b></span>.</span></li><li id="dew_01_0089__li1720913014117"><span>In the <span class="parmname" id="dew_01_0089__dew_01_0089_parmname024673441014"><b>Custom Keys</b></span> tab, locate the key created by <a href="dew_01_0089.html#dew_01_0089__section1232061165711">Step 1: Creating a Key Using External Materials</a> and click <span class="uicontrol" id="dew_01_0089__dew_01_0089_uicontrol1824603481010"><b>Import Key Material</b></span> in the <span class="parmname" id="dew_01_0089__dew_01_0089_parmname1024673419104"><b>Operation</b></span> column.</span></li><li id="dew_01_0089__l18e8bc6afbd442f1b509b34a92341a64"><span>In the <span class="uicontrol" id="dew_01_0089__dew_01_0089_uicontrol1059152417019"><b>Download the Import Items</b></span> area, select a key wrapping algorithm based on <a href="#dew_01_0089__dew_01_0089_table25919249015">Key wrapping algorithm</a>.</span><p><div class="fignone" id="dew_01_0089__dew_01_0089_fig1959172416011"><span class="figcap"><b>Figure 3 
</b>Obtaining the wrapping key and import token</span><p id="dew_01_0089__dew_01_0089_p1227419913814"><span><img id="dew_01_0089__dew_01_0089_image932553619448" src="en-us_image_0000002277965541.png"></span></p>
</div>
<div class="tablenoborder"><a name="dew_01_0089__dew_01_0089_table25919249015"></a><a name="dew_01_0089_table25919249015"></a><table cellpadding="4" cellspacing="0" summary="" id="dew_01_0089__dew_01_0089_table25919249015" frame="border" border="1" rules="all"><caption><b>Table 4 </b>Key wrapping algorithms</caption><thead align="left"><tr id="dew_01_0089__dew_01_0089_row26015242004"><th align="left" class="cellrowborder" valign="top" width="23.332333233323332%" id="mcps1.3.12.2.5.2.2.2.4.1.1"><p id="dew_01_0089__dew_01_0089_p260182416014">Algorithm</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="35.08350835083508%" id="mcps1.3.12.2.5.2.2.2.4.1.2"><p id="dew_01_0089__dew_01_0089_p860102417018">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="41.584158415841586%" id="mcps1.3.12.2.5.2.2.2.4.1.3"><p id="dew_01_0089__dew_01_0089_p9604241505">Configuration</p>
</th>
</tr>
</thead>
<tbody><tr id="dew_01_0089__dew_01_0089_row116011247013"><td class="cellrowborder" valign="top" width="23.332333233323332%" headers="mcps1.3.12.2.5.2.2.2.4.1.1 "><p id="dew_01_0089__dew_01_0089_p2060182412010">RSAES_OAEP_SHA_256</p>
</td>
<td class="cellrowborder" valign="top" width="35.08350835083508%" headers="mcps1.3.12.2.5.2.2.2.4.1.2 "><p id="dew_01_0089__dew_01_0089_p86013244020">RSA encryption algorithm that uses OAEP padding with the <strong id="dew_01_0089__dew_01_0089_b228920441317">SHA-256</strong> hash function</p>
</td>
<td class="cellrowborder" valign="top" width="41.584158415841586%" headers="mcps1.3.12.2.5.2.2.2.4.1.3 "><p id="dew_01_0089__dew_01_0089_p3609243017">Select an algorithm based on your HSM functions.</p>
<p id="dew_01_0089__dew_01_0089_p160172413013">If the HSMs support the <strong id="dew_01_0089__dew_01_0089_b5560207111311">RSAES_OAEP_SHA_256</strong> algorithm, use <strong id="dew_01_0089__dew_01_0089_b13561107101310">RSAES_OAEP_SHA_256</strong> to encrypt key materials.</p>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="dew_01_0089__li420693110123"><span>Click <span class="uicontrol" id="dew_01_0089__uicontrol17412185416206"><b>Use Existing Key Material</b></span>. In the <span class="parmname" id="dew_01_0089__parmname0412654192016"><b>Import Key Material</b></span> area, enter <span class="parmname" id="dew_01_0089__parmname14121454192013"><b>Key Material</b></span>.</span><p><div class="fignone" id="dew_01_0089__fb3b7e892e3ab492683050d9df66a22b2"><span class="figcap"><b>Figure 4 </b>Importing key materials</span><p id="dew_01_0089__p5485145045415"><span><img id="dew_01_0089__image17641752145415" src="en-us_image_0000002243177908.png"></span></p>
</div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="dew_01_0089__ta53da73a8072468e9b86d7fa3a6fd53e" frame="border" border="1" rules="all"><caption><b>Table 5 </b>Key material description</caption><thead align="left"><tr id="dew_01_0089__r989bb16df63d4b9ca9f10e4a4a44cb2c"><th align="left" class="cellrowborder" valign="top" width="22.31%" id="mcps1.3.12.2.6.2.2.2.3.1.1"><p id="dew_01_0089__a7eac1e350af74ef59e09d9063252796b">Scenario</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="77.69%" id="mcps1.3.12.2.6.2.2.2.3.1.2"><p id="dew_01_0089__aebcfd684c8734c71a7132dbd7cc5465e">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="dew_01_0089__rc65d9ddff5b44d41ad16b3c562ab4beb"><td class="cellrowborder" valign="top" width="22.31%" headers="mcps1.3.12.2.6.2.2.2.3.1.1 "><p id="dew_01_0089__a0f3fbf51160745f4a7aad88f02074b9e">Symmetric key</p>
</td>
<td class="cellrowborder" valign="top" width="77.69%" headers="mcps1.3.12.2.6.2.2.2.3.1.2 "><p id="dew_01_0089__p831014018019">Use the key material encrypted with the wrapping key.</p>
<p id="dew_01_0089__p114712710505">For example, the <span class="parmname" id="dew_01_0089__parmname788812485319"><b>EncryptedKeyMaterial.bin</b></span> file in <a href="#dew_01_0089__section167823289366">Step 3: Using Wrapping Key to Encrypt Key Materials</a>.</p>
</td>
</tr>
<tr id="dew_01_0089__r6e823183e2854549ba6adc1e56e15752"><td class="cellrowborder" valign="top" width="22.31%" headers="mcps1.3.12.2.6.2.2.2.3.1.1 "><p id="dew_01_0089__a58d27bac09a740ed8918e8f353d04946">Asymmetric key</p>
</td>
<td class="cellrowborder" valign="top" width="77.69%" headers="mcps1.3.12.2.6.2.2.2.3.1.2 "><p id="dew_01_0089__p1747014239018">Use the temporary key material and the private key ciphertext, both encrypted with the wrapping key.</p>
<p id="dew_01_0089__p121881818115017">For example, the temporary key material <span class="parmname" id="dew_01_0089__parmname1788520518170"><b>EncryptedKeyMaterial.bin</b></span> and private key ciphertext <span class="parmname" id="dew_01_0089__parmname688513514170"><b>out_rsa_private_key.der</b></span> in <a href="#dew_01_0089__section167823289366">Step 3: Using Wrapping Key to Encrypt Key Materials</a>.</p>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="dew_01_0089__l02d0a3b879404256aaeb7881687dac70"><span>Click <span class="uicontrol" id="dew_01_0089__uc08501e1961c49ebb48ccfc8e767a915"><b>Next</b></span>. In the <span class="uicontrol" id="dew_01_0089__u55d74ecec22d4cdcaaa2d6443baaa2ac"><b>Import Key Token</b></span> area, set parameters based on <a href="#dew_01_0089__tf00e7c9f3be04375a6ceb8b65a9b1697">Table 6</a>.</span><p>
<div class="tablenoborder"><a name="dew_01_0089__tf00e7c9f3be04375a6ceb8b65a9b1697"></a><a name="tf00e7c9f3be04375a6ceb8b65a9b1697"></a><table cellpadding="4" cellspacing="0" summary="" id="dew_01_0089__tf00e7c9f3be04375a6ceb8b65a9b1697" frame="border" border="1" rules="all"><caption><b>Table 6 </b>Parameters for importing a key token</caption><thead align="left"><tr id="dew_01_0089__rf59951b771844ecca3dbe56fb80fdb29"><th align="left" class="cellrowborder" valign="top" width="21.37%" id="mcps1.3.12.2.7.2.1.2.3.1.1"><p id="dew_01_0089__a552017a60d544972abdc5c4ea8f8ce62">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="78.63%" id="mcps1.3.12.2.7.2.1.2.3.1.2"><p id="dew_01_0089__aa6cf08d8bf344b4e83c5a7e77b967087">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="dew_01_0089__rfcb26ba6947e47f4bec8caf271d98201"><td class="cellrowborder" valign="top" width="21.37%" headers="mcps1.3.12.2.7.2.1.2.3.1.1 "><p id="dew_01_0089__a71d222757dd945d08cec1e16c8c52b43">Key ID</p>
</td>
<td class="cellrowborder" valign="top" width="78.63%" headers="mcps1.3.12.2.7.2.1.2.3.1.2 "><p id="dew_01_0089__a4ecc1783cf204a349812d00a527e60a7">Random ID of the CMK, generated when the CMK was created</p>
</td>
</tr>
<tr id="dew_01_0089__r2011af42808a4f37b275cfd2690351cd"><td class="cellrowborder" valign="top" width="21.37%" headers="mcps1.3.12.2.7.2.1.2.3.1.1 "><p id="dew_01_0089__a931e8dab4c22458db6d054d2831511f3">Key import token</p>
</td>
<td class="cellrowborder" valign="top" width="78.63%" headers="mcps1.3.12.2.7.2.1.2.3.1.2 "><p id="dew_01_0089__aef9f37060e4040c6be5d6fea9b0edca3">Enter the import token obtained in <a href="#dew_01_0089__scfd68ea997e74909a825386e20128afc">Downloading the Wrapping Key By Calling APIs</a>.</p>
</td>
</tr>
<tr id="dew_01_0089__r3d8b4931db9c43b1b6af2c1388762c5c"><td class="cellrowborder" valign="top" width="21.37%" headers="mcps1.3.12.2.7.2.1.2.3.1.1 "><p id="dew_01_0089__ae3deeda9b6d148219900add0ddac60c4">Key material expiration mode</p>
</td>
<td class="cellrowborder" valign="top" width="78.63%" headers="mcps1.3.12.2.7.2.1.2.3.1.2 "><ul id="dew_01_0089__uecc055812f1d4fc898eec34955de39f6"><li id="dew_01_0089__l6bfe3f691ff840de99c0b8590cd9afc2"><strong id="dew_01_0089__b121618254328">Key material will never expire</strong>: Select this option to specify that the key materials will not expire after import.</li><li id="dew_01_0089__l4485721c75664e75bb006621766f9c75"><strong id="dew_01_0089__b1464427193215">Key material will expire</strong>: Select this option to specify the expiration time of the key materials. By default, key materials expire 24 hours after import.<p id="dew_01_0089__af9defe111c8645aca783d36a31e249d5">After the key material expires, the system automatically deletes the key material within 24 hours. Once the key material is deleted, the key cannot be used and its status changes to <strong id="dew_01_0089__b41829103210">Pending import</strong>.</p>
</li></ul>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="dew_01_0089__l1dba31a562614e3ba323e4f59a0ac92d"><span>Click <strong id="dew_01_0089__b2076717304322">OK</strong>. When the <strong id="dew_01_0089__b16767163016327">Key imported successfully</strong> message is displayed in the upper right corner, the materials are imported.</span><p><div class="notice" id="dew_01_0089__nd33fd4bacb634c5bb0431504dbe152a5"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p id="dew_01_0089__a31f410343d64442c82be0fe8da31c8a1">Key materials can be successfully imported when they match the corresponding CMK ID and token.</p>
</div></div>
<p id="dew_01_0089__acfb0368ddd9b462ea53d0a7c39511995">Your imported materials are displayed in the list of CMKs. The default status of an imported CMK is <strong id="dew_01_0089__b45071934103218">Enabled</strong>.</p>
</p></li></ol>
</div>
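<p>The wrapped file entered as <b>Key Material</b> can be rehearsed and checked locally before it is uploaded. The following is an added example, not part of the original KMS guide: it wraps 32 constructed random bytes with RSA-OAEP (SHA-256) under a locally generated test key that stands in for the KMS wrapping key, confirms that the ciphertext is exactly one RSA block, and unwraps it again. The function names, the <b>plain.bin</b> file name and the 2048-bit test key size are assumptions.</p>

```shell
#!/bin/sh
# Added example: local dry run of RSAES_OAEP_SHA_256 wrapping.
# The RSA key pair generated here is a constructed stand-in for the KMS
# wrapping key; no real key material or KMS endpoint is involved.

# Assumption: RSAES_OAEP_SHA_256 means SHA-256 for both the OAEP hash and MGF1.
OAEP_OPTS="-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256"

# modulus_bytes PUB_DER: print the RSA modulus size in bytes.
modulus_bytes() {
    m=$(openssl rsa -pubin -inform DER -in "$1" -noout -modulus) || return 1
    m=${m#Modulus=}
    echo $(( ${#m} / 2 ))
}

# check_wrapped PUB_DER BLOB: succeed only if BLOB is exactly one RSA block.
# A file of any other length was truncated, re-encoded (Base64, PEM) or
# wrapped for a different key size, so it is not a ciphertext for this key.
check_wrapped() {
    want=$(modulus_bytes "$1") || return 1
    have=$(wc -c "$2" | awk '{print $1}')
    [ "$have" -eq "$want" ] || { echo "blob is $have bytes, expected $want"; return 1; }
}

# wrap_material PUB_DER PLAINTEXT OUT: encrypt PLAINTEXT under the public key.
wrap_material() {
    openssl pkeyutl -encrypt -pubin -keyform DER -inkey "$1" -in "$2" -out "$3" $OAEP_OPTS
}

# run_steps DIR: generate test inputs, wrap, check the length, unwrap, compare.
run_steps() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/test_priv.pem" || return 1
    openssl pkey -in "$1/test_priv.pem" -pubout -outform DER -out "$1/test_pub.der" || return 1
    openssl rand -out "$1/plain.bin" 32 || return 1
    wrap_material "$1/test_pub.der" "$1/plain.bin" "$1/EncryptedKeyMaterial.bin" || return 1
    check_wrapped "$1/test_pub.der" "$1/EncryptedKeyMaterial.bin" || return 1
    openssl pkeyutl -decrypt -inkey "$1/test_priv.pem" -in "$1/EncryptedKeyMaterial.bin" \
        -out "$1/unwrapped.bin" $OAEP_OPTS || return 1
    cmp -s "$1/plain.bin" "$1/unwrapped.bin"
}

# dry_run: run the steps in a private temporary directory and clean up after.
dry_run() {
    d=$(mktemp -d) || return 1
    rc=0
    run_steps "$d" || rc=1
    rm -rf "$d"
    return $rc
}

dry_run || echo "dry run failed: check the OpenSSL version and options"
```

<p><b>check_wrapped</b> can also be pointed at the real downloaded wrapping key (in DER form) and the real <b>EncryptedKeyMaterial.bin</b>; the unwrap step is only possible with the test key, because the private half of the KMS wrapping key never leaves KMS.</p>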
<div class="section" id="dew_01_0089__section1421715592815"><a name="dew_01_0089__section1421715592815"></a><a name="section1421715592815"></a><h4 class="sectiontitle">Importing Key Materials</h4><ol id="dew_01_0089__ol10546101510365"><li id="dew_01_0089__li18546815143613"><span>In the <span class="parmname" id="dew_01_0089__parmname8546131513613"><b>Import Key Material</b></span> dialog box (<a href="#dew_01_0089__li142446213516">Step 6</a>) on the management console, add the <span class="parmname" id="dew_01_0089__parmname76932816378"><b>Key Material</b></span> file in the <span class="parmname" id="dew_01_0089__parmname29091453164011"><b>Import Key Material</b></span> configuration item.</span><p><div class="fignone" id="dew_01_0089__fig127332440338"><span class="figcap"><b>Figure 5 </b>Importing key materials</span><p id="dew_01_0089__dew_01_0089_p5485145045415"><span><img id="dew_01_0089__dew_01_0089_image17641752145415" src="en-us_image_0000002243177908.png"></span></p>
</div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="dew_01_0089__table9547131583618" frame="border" border="1" rules="all"><caption><b>Table 7 </b>Key material description</caption><thead align="left"><tr id="dew_01_0089__dew_01_0089_r989bb16df63d4b9ca9f10e4a4a44cb2c"><th align="left" class="cellrowborder" valign="top" width="22.31%" id="mcps1.3.13.2.1.2.2.2.3.1.1"><p id="dew_01_0089__dew_01_0089_a7eac1e350af74ef59e09d9063252796b">Scenario</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="77.69%" id="mcps1.3.13.2.1.2.2.2.3.1.2"><p id="dew_01_0089__dew_01_0089_aebcfd684c8734c71a7132dbd7cc5465e">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="dew_01_0089__dew_01_0089_rc65d9ddff5b44d41ad16b3c562ab4beb"><td class="cellrowborder" valign="top" width="22.31%" headers="mcps1.3.13.2.1.2.2.2.3.1.1 "><p id="dew_01_0089__dew_01_0089_a0f3fbf51160745f4a7aad88f02074b9e">Symmetric key</p>
</td>
<td class="cellrowborder" valign="top" width="77.69%" headers="mcps1.3.13.2.1.2.2.2.3.1.2 "><p id="dew_01_0089__dew_01_0089_p831014018019">Use the key material encrypted with the wrapping key.</p>
<p id="dew_01_0089__dew_01_0089_p114712710505">For example, the <span class="parmname" id="dew_01_0089__dew_01_0089_parmname788812485319"><b>EncryptedKeyMaterial.bin</b></span> file in <a href="dew_01_0089.html#dew_01_0089__section167823289366">Step 3: Using Wrapping Key to Encrypt Key Materials</a>.</p>
</td>
</tr>
<tr id="dew_01_0089__dew_01_0089_r6e823183e2854549ba6adc1e56e15752"><td class="cellrowborder" valign="top" width="22.31%" headers="mcps1.3.13.2.1.2.2.2.3.1.1 "><p id="dew_01_0089__dew_01_0089_a58d27bac09a740ed8918e8f353d04946">Asymmetric key</p>
</td>
<td class="cellrowborder" valign="top" width="77.69%" headers="mcps1.3.13.2.1.2.2.2.3.1.2 "><p id="dew_01_0089__dew_01_0089_p1747014239018">Use the temporary key material and the private key ciphertext, both encrypted with the wrapping key.</p>
<p id="dew_01_0089__dew_01_0089_p121881818115017">For example, the temporary key material <span class="parmname" id="dew_01_0089__dew_01_0089_parmname1788520518170"><b>EncryptedKeyMaterial.bin</b></span> and private key ciphertext <span class="parmname" id="dew_01_0089__dew_01_0089_parmname688513514170"><b>out_rsa_private_key.der</b></span> in <a href="dew_01_0089.html#dew_01_0089__section167823289366">Step 3: Using Wrapping Key to Encrypt Key Materials</a>.</p>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="dew_01_0089__li654861519362"><span>Click <span class="uicontrol" id="dew_01_0089__uicontrol17795217433"><b>Next</b></span> to go to the <span class="uicontrol" id="dew_01_0089__uicontrol147252174311"><b>Import Key Token</b></span> step. Configure the parameters as described in <a href="#dew_01_0089__table254971517361">Table 8</a>.</span><p>
<div class="tablenoborder"><a name="dew_01_0089__table254971517361"></a><a name="table254971517361"></a><table cellpadding="4" cellspacing="0" summary="" id="dew_01_0089__table254971517361" frame="border" border="1" rules="all"><caption><b>Table 8 </b>Parameters for importing a key token</caption><thead align="left"><tr id="dew_01_0089__row95493155364"><th align="left" class="cellrowborder" valign="top" width="21.37%" id="mcps1.3.13.2.2.2.1.2.3.1.1"><p id="dew_01_0089__p14549131519363">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="78.63%" id="mcps1.3.13.2.2.2.1.2.3.1.2"><p id="dew_01_0089__p25491515123619">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="dew_01_0089__row35492151366"><td class="cellrowborder" valign="top" width="21.37%" headers="mcps1.3.13.2.2.2.1.2.3.1.1 "><p id="dew_01_0089__p854971563616">Key ID</p>
</td>
<td class="cellrowborder" valign="top" width="78.63%" headers="mcps1.3.13.2.2.2.1.2.3.1.2 "><p id="dew_01_0089__p1454916159367">Random ID of the CMK, generated when the CMK was created</p>
</td>
</tr>
<tr id="dew_01_0089__row55502151369"><td class="cellrowborder" valign="top" width="21.37%" headers="mcps1.3.13.2.2.2.1.2.3.1.1 "><p id="dew_01_0089__p13550131533614">Key material expiration mode</p>
</td>
<td class="cellrowborder" valign="top" width="78.63%" headers="mcps1.3.13.2.2.2.1.2.3.1.2 "><ul id="dew_01_0089__ul195501153368"><li id="dew_01_0089__li1355018154365"><strong id="dew_01_0089__b1566910280">Key material will never expire</strong>: Select this option to specify that the key materials will not expire after import.</li><li id="dew_01_0089__li125506152363"><strong id="dew_01_0089__b443178719">Key material will expire</strong>: Select this option to specify the expiration time of the key materials. By default, key materials expire 24 hours after import.<p id="dew_01_0089__p1955010155366">After the key material expires, the system automatically deletes the key material within 24 hours. Once the key material is deleted, the key cannot be used and its status changes to <strong id="dew_01_0089__b147101659">Pending import</strong>.</p>
</li></ul>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="dew_01_0089__li355081510369"><span>Click <strong id="dew_01_0089__b1640949199">OK</strong>. When the <strong id="dew_01_0089__b1145360488">Key imported successfully</strong> message is displayed in the upper right corner, the materials are imported.</span><p><div class="notice" id="dew_01_0089__note185501615193618"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p id="dew_01_0089__p20551815133618">Key material can be successfully imported when it matches the corresponding key ID.</p>
</div></div>
<p id="dew_01_0089__p20551131516365">Your imported materials are displayed in the list of CMKs. The default status of an imported CMK is <strong id="dew_01_0089__b617240006">Enabled</strong>.</p>
</p></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0142.html">Creating CMKs Using Imported Key Materials</a></div>
</div>
</div>