Help Center/Data Encryption Workshop/API Reference/APIs/Key Management APIs/DEK Management/Creating a DEK

Updated on 2025-09-15 GMT+08:00

Creating a DEK

Function

This API is used to create a DEK. The returned result contains both plaintext and ciphertext.

Calling Method

For details, see Calling APIs.

URI

POST /v1.0/{project_id}/kms/create-datakey

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Project ID

Request Parameters

**Table 2** Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is the user token.

**Table 3** Request body parameters
Parameter	Mandatory	Type	Description
key_id	Yes	String	A 36-byte key ID which matches the regular expression ^[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}$, for example, 0d0466b0-e727-4d9c-b35d-f84bb474a37f.
key_spec	No	String	Bit length of the generated key. The value can be AES_256, AES_128, SM4, HMAC_256, HMAC_384, HMAC_512, or HMAC_SM3. AES_256: A 256-bit symmetric key AES_128: A 128-bit symmetric key SM4: An SM4 key HMAC_256: An HMAC_256 key HMAC_384: An HMAC_384 key HMAC_512: An HMAC_512 key HMAC_SM3: An HMAC_SM3 key If neither of them is specified, a 256-bit key is generated by default. If both of them are specified, only datakey_length takes effect. Notes: Set either datakey_length or key_spec.
datakey_length	No	String	Key length by bit. The value ranges from 8 to 8,192 and must be a multiple of 8. Note: You must configure either datakey_length or key_spec. If both are empty, a 256-bit key is generated by default. If both are specified, only datakey_length takes effect.
additional_authenticated_data	No	String	Non-sensitive extra data used for authentication. The value is a random string with at most 128 bytes.
pin	No	String	PIN code, which is used to authenticate the data key. This parameter is valid only in the level-4 cryptography testing scenario.
pin_type	No	String	PIN code type. The default value is CipherText. The value can be: PlainText: plaintext PIN CipherText: ciphertext PIN
sequence	No	String	A 36-byte serial number of a request message, for example, 919c82d4-8046-4722-9094-35c3c6524cff

Response Parameters

Status code: 200

**Table 4** Response body parameters
Parameter	Type	Description
key_id	String	Key ID.
plain_text	String	Plaintext DEK in hexadecimal format. Two characters represent 1 byte.
cipher_text	String	Ciphertext DEK in hexadecimal format. Two characters represent 1 byte.

Status code: 400

**Table 5** Response body parameters
Parameter	Type	Description
error	Object	Error message

**Table 6** ErrorDetail
Parameter	Type	Description
error_code	String	Error code returned by the error request
error_msg	String	Error information returned by the error request

Status code: 401

**Table 7** Response body parameters
Parameter	Type	Description
error	Object	Error message

**Table 8** ErrorDetail
Parameter	Type	Description
error_code	String	Error code returned by the error request
error_msg	String	Error information returned by the error request

Status code: 403

**Table 9** Response body parameters
Parameter	Type	Description
error	Object	Error message

**Table 10** ErrorDetail
Parameter	Type	Description
error_code	String	Error code returned by the error request
error_msg	String	Error information returned by the error request

Status code: 404

**Table 11** Response body parameters
Parameter	Type	Description
error	Object	Error message

**Table 12** ErrorDetail
Parameter	Type	Description
error_code	String	Error code returned by the error request
error_msg	String	Error information returned by the error request

Status code: 500

**Table 13** Response body parameters
Parameter	Type	Description
error	Object	Error message

**Table 14** ErrorDetail
Parameter	Type	Description
error_code	String	Error code returned by the error request
error_msg	String	Error information returned by the error request

Status code: 502

**Table 15** Response body parameters
Parameter	Type	Description
error	Object	Error message

**Table 16** ErrorDetail
Parameter	Type	Description
error_code	String	Error code returned by the error request
error_msg	String	Error information returned by the error request

Status code: 504

**Table 17** Response body parameters
Parameter	Type	Description
error	Object	Error message

**Table 18** ErrorDetail
Parameter	Type	Description
error_code	String	Error code returned by the error request
error_msg	String	Error information returned by the error request

Example Requests

Create a 512-bit plaintext DEK and encrypt it using the key whose ID is 0d0466b0-e727-4d9c-b35d-f84bb474a37f. Return the plaintext key and add 123add as the associated data.

{
  "key_id" : "0d0466b0-e727-4d9c-b35d-f84bb474a37f",
  "datakey_length" : "512",
  "additional_authenticated_data" : "123aad"
}

Example Responses

Status code: 200

Request succeeded.

{
  "key_id" : "0d0466b0-e727-4d9c-b35d-f84bb474a37f",
  "plain_text" : "8151014275E426C72EE7D44267XXXXX...",
  "cipher_text" : "020098009EEAFCE122CAA5927D2XXX..."
}

Status Codes

Status Code	Description
200	Request succeeded.
400	Invalid request parameters.
401	Username and password are required for the requested page.
403	Authentication failed.
404	The resource does not exist.
500	Internal service error.
502	Failed to complete the request. The server receives an invalid response from the upstream server.
504	Gateway timed out.

Error Codes

See Error Codes.

Parent Topic: DEK Management

Previous topic: Generating a Random Number

Next topic: Creating a Plaintext-free DEK

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.

The system is busy. Please try again later.