Functions
KMS is a secure, reliable, and easy-to-use cloud service that helps users create, manage, and protect keys in a centralized manner.
It uses Hardware Security Modules (HSMs) to protect keys. All CMKs are protected by root keys in HSMs to prevent key leakage. The HSMs meet the FIPS 140-2 Level 3 security requirements.
It also controls access to keys and records every key operation in traceable logs. In addition, it provides usage records for all keys, meeting your audit and regulatory compliance requirements.
Functions
| Function | Description |
|---|---|
| Key lifecycle management | |
| User-imported key | Import CMKs and delete CMK material |
| Small-size data encryption and decryption | Use the online tool to encrypt and decrypt small-size data |
| Signature and verification | Sign messages or message digests, or verify their signatures. NOTE: This function can be called only through an API. |
| Key tag | Add, search for, edit, and delete tags |
| Key rotation | Enable, modify, and disable key rotation |
| Key grant | Create, cancel, and query grants; retire grants. NOTE: Retiring grants can be done only through an API. |
| Cloud service encryption | Data encryption for OBS, EVS, IMS, SFS (SFS file system and SFS Turbo file system), RDS (MySQL, PostgreSQL, and SQL Server engines), DDS, and DWS |
| Data encryption key (DEK) management | Create, encrypt, and decrypt DEKs. NOTE: This function can be called only through an API. |
| Hardware true random number generation | Generate 512-bit hardware true random numbers, which can be used as a basis for key material or as encryption parameters. NOTE: This function can be called only through an API. |
| Message authentication code | Generate and verify message authentication codes. NOTE: This function can be called only through an API. |
| Keystore management | Create, disable, and delete a keystore |
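The DEK management row above is the envelope-encryption pattern: the CMK never leaves the HSM, and a caller receives a DEK both in plaintext (to encrypt data right away) and wrapped under the CMK (to store beside the ciphertext). The Go program below is an added example and not KMS SDK code. It stands in for the service with an in-process root key (an assumption; the real CMK stays inside the HSM), models the "create DEK" and "decrypt DEK" operations, binds an encryption context into the wrapped DEK as AES-GCM associated data so that unwrapping under a different context fails, and wipes the plaintext DEK as soon as the data is sealed. The names `SimulatedKMS`, `CreateDataKey`, `DecryptDataKey` and `RoundTrip` are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// randomBytes returns n bytes from the system CSPRNG; failure is treated as fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead returns an AES-256-GCM AEAD for a 32-byte key.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh nonce prepended; aad (the encryption context) is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; the tag check fails if the ciphertext or aad was altered.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// SimulatedKMS stands in for the service. Assumption: the CMK is held in
// process here, whereas the real CMK never leaves the HSM.
type SimulatedKMS struct{ cmk []byte }

func NewSimulatedKMS() *SimulatedKMS { return &SimulatedKMS{cmk: randomBytes(32)} }

// CreateDataKey models "create DEK": the plaintext DEK for immediate use, plus the same DEK wrapped under the CMK.
func (k *SimulatedKMS) CreateDataKey(ctx []byte) (plain, wrapped []byte, err error) {
	plain = randomBytes(32)
	wrapped, err = seal(k.cmk, plain, ctx)
	return plain, wrapped, err
}

// DecryptDataKey models "decrypt DEK"; a different ctx fails the tag check.
func (k *SimulatedKMS) DecryptDataKey(wrapped, ctx []byte) ([]byte, error) {
	return open(k.cmk, wrapped, ctx)
}

// RoundTrip runs the envelope flow on data and reports whether it is restored
// and whether a different encryption context is rejected at the unwrap step.
func RoundTrip(data []byte) (restored, wrongCtxRejected bool, err error) {
	kms := NewSimulatedKMS()
	ctx := []byte("service=obs;bucket=example") // constructed encryption context
	// Application side: obtain a DEK, seal the data, wipe the plaintext DEK.
	dek, wrappedDEK, err := kms.CreateDataKey(ctx)
	if err != nil {
		return false, false, err
	}
	ct, err := seal(dek, data, ctx)
	for i := range dek {
		dek[i] = 0
	}
	if err != nil {
		return false, false, err
	}
	// Later: only (wrappedDEK, ct) were persisted; unwrap via KMS, then open.
	dek, err = kms.DecryptDataKey(wrappedDEK, ctx)
	if err != nil {
		return false, false, err
	}
	got, err := open(dek, ct, ctx)
	if err != nil {
		return false, false, err
	}
	_, bad := kms.DecryptDataKey(wrappedDEK, []byte("service=obs;bucket=other"))
	return bytes.Equal(got, data), bad != nil, nil
}
```

The design point is that the application only ever persists the wrapped DEK and the ciphertext; to read the data again it must go back to KMS, which is where access control and the traceable operation logs mentioned above apply. A tampered wrapped DEK or a mismatched context fails the GCM tag check before any data is decrypted.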
Key Algorithms Supported by KMS
Symmetric keys created on the KMS console use the AES algorithm. Asymmetric keys created by KMS support the RSA and ECC algorithms.
| Key Type | Algorithm Type | Key Specifications | Description | Application Scenario |
|---|---|---|---|---|
| Symmetric key | AES | AES_256 | AES symmetric key | |
| Symmetric key | SM4 | SM4 | SM4 symmetric key | |
| Symmetric key | AES | | HMAC symmetric key | Generates and verifies a message authentication code |
| Symmetric key | SM3 | HMAC_SM3 | SM3 symmetric key | Generates and verifies a message authentication code |
| Asymmetric key | RSA | | RSA asymmetric key | |
| Asymmetric key | ECC | | Elliptic curve recommended by NIST | Digital signature and signature verification |
| Asymmetric key | SM2 | SM2 | SM2 asymmetric key | |
Table 3 describes the encryption and decryption algorithms supported for user-imported keys.
| Algorithm | Description | Configuration |
|---|---|---|
| RSAES_OAEP_SHA_256 | RSA algorithm that uses Optimal Asymmetric Encryption Padding (OAEP) with the SHA-256 hash function | Select an algorithm based on the capabilities of your HSMs. If your HSMs support RSAES_OAEP_SHA_256, use it to encrypt the key material. NOTICE: The RSAES_OAEP_SHA_1 algorithm is no longer secure. Exercise caution when performing this operation. |
| RSAES_OAEP_SHA_1 | RSA algorithm that uses OAEP with the SHA-1 hash function | See RSAES_OAEP_SHA_256 |
| SM2_ENCRYPT | SM2 elliptic curve cryptography (ECC) recommended by the State Cryptography Administration | Use the SM2 algorithm at sites that support algorithms approved by the State Cryptography Administration. |
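Importing key material works by encrypting it on the customer side under a public wrapping key published by the service, so that only the HSM holding the private half can recover it. The Go program below is an added example, not the product's API or SDK. It models both sides with a locally generated RSA key pair (an assumption; the real public wrapping key is obtained from the service), maps the RSAES_OAEP_SHA_256 and RSAES_OAEP_SHA_1 names from the table to their OAEP hash functions, and shows two checks a practitioner wants: the hash declared at import must match the one used at wrap time, and an import policy can refuse the SHA-1 variant the NOTICE warns about. `ImportPolicy`, `WrapKeyMaterial`, `UnwrapKeyMaterial` and `ImportRoundTrip` are this example's own names. SM2_ENCRYPT is not covered because Go's standard library does not implement SM2.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
	"fmt"
	"hash"
)

// WrappingAlgorithm holds the algorithm name selected for an import; the names match the table, the hash mapping is this example's.
type WrappingAlgorithm string

const (
	RSAESOAEPSHA256 WrappingAlgorithm = "RSAES_OAEP_SHA_256"
	RSAESOAEPSHA1   WrappingAlgorithm = "RSAES_OAEP_SHA_1" // flagged in the table as no longer secure
)

// hashFor maps an algorithm name to the OAEP hash function it uses.
func hashFor(alg WrappingAlgorithm) (func() hash.Hash, error) {
	switch alg {
	case RSAESOAEPSHA256:
		return sha256.New, nil
	case RSAESOAEPSHA1:
		return sha1.New, nil
	default:
		return nil, fmt.Errorf("unsupported wrapping algorithm %q", alg)
	}
}

// WrapKeyMaterial is the customer side: encrypt 256-bit AES key material
// under the service's public wrapping key so only the HSM can recover it.
func WrapKeyMaterial(pub *rsa.PublicKey, alg WrappingAlgorithm, material []byte) ([]byte, error) {
	if len(material) != 32 {
		return nil, errors.New("key material must be 32 bytes for AES_256")
	}
	h, err := hashFor(alg)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(h(), rand.Reader, pub, material, nil)
}

// ImportPolicy is the service-side stand-in (an assumption, not the product's API): it holds the private wrapping key and may refuse SHA-1.
type ImportPolicy struct {
	priv      *rsa.PrivateKey
	AllowSHA1 bool
}

// UnwrapKeyMaterial recovers the material; it fails if the algorithm declared
// here differs from the one used at wrap time, or if policy rejects it.
func (p *ImportPolicy) UnwrapKeyMaterial(alg WrappingAlgorithm, wrapped []byte) ([]byte, error) {
	if alg == RSAESOAEPSHA1 && !p.AllowSHA1 {
		return nil, errors.New("RSAES_OAEP_SHA_1 rejected by import policy")
	}
	h, err := hashFor(alg)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(h(), rand.Reader, p.priv, wrapped, nil)
}

// NewImportPolicy generates the wrapping key pair locally (assumption: the real public key is downloaded from the service).
func NewImportPolicy(allowSHA1 bool) (*ImportPolicy, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &ImportPolicy{priv: priv, AllowSHA1: allowSHA1}, nil
}

// ImportRoundTrip wraps constructed key material with wrapAlg, declares declareAlg on import, and reports whether the bytes match.
func ImportRoundTrip(wrapAlg, declareAlg WrappingAlgorithm, allowSHA1 bool) (bool, error) {
	p, err := NewImportPolicy(allowSHA1)
	if err != nil {
		return false, err
	}
	material := make([]byte, 32) // constructed; in practice produced by the customer's HSM
	if _, err := rand.Read(material); err != nil {
		return false, err
	}
	wrapped, err := WrapKeyMaterial(&p.priv.PublicKey, wrapAlg, material)
	if err != nil {
		return false, err
	}
	got, err := p.UnwrapKeyMaterial(declareAlg, wrapped)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, material), nil
}

func main() {
	ok, err := ImportRoundTrip(RSAESOAEPSHA256, RSAESOAEPSHA256, false)
	fmt.Println(ok, err)
}
```

Because OAEP binds the hash function into the padding, wrapping with RSAES_OAEP_SHA_256 and then declaring RSAES_OAEP_SHA_1 (or the reverse) fails at decryption rather than silently importing wrong bytes, which is why the algorithm chosen at export from the HSM must be the one selected in the import step.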
Dedicated Keystore
KMS uses a dedicated keystore to support the Hold Your Own Key (HYOK) function, which lets users control their own master keys. Customer master keys never leave the HSMs, and all cryptographic operations are completed inside the HSMs. Unlike the default keystore, a dedicated keystore lets you use a Dedicated HSM cluster to manage keys at any time.
Both the basic edition and the platinum edition (Chinese Mainland) support the HYOK function.
Hold Your Own Key (HYOK) means that users have full control over their keys, and the keys are always owned by the users.
For details about how to use the dedicated keystore, see Activating a Cluster and Creating a Keystore. Table 4 lists the algorithms supported by the dedicated keystore.
| Key Type | Algorithm Type | Key Specifications | Description | Application Scenario |
|---|---|---|---|---|
| Symmetric key | AES | AES_256 | AES symmetric key | |
| Symmetric key | SM4 | SM4 | SM4 symmetric key | |
| Asymmetric key | RSA | | RSA asymmetric key | |
| Asymmetric key | ECC | | Elliptic curve recommended by NIST | Digital signature and signature verification |
| Asymmetric key | SM2 | SM2 | SM2 asymmetric key | |