Diese Seite ist in Ihrer lokalen Sprache noch nicht verfügbar. Wir arbeiten daran, weitere Sprachversionen hinzuzufügen. Vielen Dank für Ihre Unterstützung.
- What's New
- Function Overview
- Service Overview
- Getting Started
-
User Guide
- Key Management Service
- Cloud Secret Management Service
- Key Pair Service
- Dedicated HSM
- Auditing Logs
- Permission Control
- Best Practices
-
API Reference
- Before You Start
- Calling APIs
- API Overview
- APIs
- Application Examples
- Permissions Policies and Supported Actions
- Appendix
- Change History
- SDK Reference
-
FAQs
-
KMS Related
- What Is Key Management Service?
- What Is a Customer Master Key?
- What Is a Default Key?
- What Are the Differences Between a Custom Key and a Default Key?
- What Is a Data Encryption Key?
- Why Cannot I Delete a CMK Immediately?
- Which Cloud Services Can Use KMS for Encryption?
- How Do Huawei Cloud Services Use KMS to Encrypt Data?
- What Are the Benefits of Envelope Encryption?
- Is There a Limit on the Number of Custom Keys That I Can Create on KMS?
- Can I Export a CMK from KMS?
- Can I Decrypt My Data if I Permanently Delete My Custom Key?
- How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data?
- Can I Update CMKs Created by KMS-Generated Key Materials?
- How Are Default Keys Generated?
- What Should I Do If I Do Not Have the Permissions to Perform Operations on KMS?
- Why Can't I Wrap Asymmetric Keys by Using -id-aes256-wrap-pad in OpenSSL?
- Key Algorithms Supported by KMS
- What Should I Do If KMS Failed to Be Requested and Error Code 401 Is Displayed?
- CSMS Related
-
KPS Related
- How Do I Create a Key Pair?
- What Are a Private Key Pair and an Account Key Pair?
- How Do I Handle an Import Failure of a Key Pair Created Using PuTTYgen?
- What Should I Do When I Fail to Import a Key Pair Using Internet Explorer 9?
- How Do I Log In to a Linux ECS with a Private Key?
- How Do I Use a Private Key to Obtain the Password to Log In to a Windows ECS?
- How Do I Handle the Failure in Binding a Key Pair?
- How Do I Handle the Failure in Replacing a Key Pair?
- How Do I Handle the Failure in Resetting a Key Pair?
- How Do I Handle the Failure in Unbinding a Key Pair?
- Do I Need to Restart Servers After Replacing Its Key Pair?
- How Do I Enable the Password Login Mode for an ECS?
- How Do I Handle the Failure in Logging In to ECS After Unbinding the Key Pair?
- What Should I Do If My Private Key Is Lost?
- How Do I Convert the Format of a Private Key File?
- Can I Change the Key Pair of a Server?
- Can a Key Pair Be Shared by Multiple Users?
- How Do I Obtain the Public or Private Key File of a Key Pair?
-
Dedicated HSM Related
- What Is Dedicated HSM?
- How Does Dedicated HSM Ensure the Security for Key Generation?
- Do Equipment Room Personnel Has the Super Administrator Role to Steal Information by Using a Privileged UKey?
- What HSMs Are Used for Dedicated HSM?
- What APIs Does Dedicated HSM Support?
- How Do I Enable Public Access to a Dedicated HSM Instance?
- Pricing
- General
- Change History
-
KMS Related
- Videos
Functions
KMS is a secure, reliable, and easy-to-use cloud service that helps users create, manage, and protect keys in a centralized manner.
It uses Hardware Security Modules (HSMs) to protect keys. All CMKs are protected by root keys in HSMs to avoid key leakage.
It also controls access to keys and records all operations on keys with traceable logs. In addition, it provides use records of all keys, meeting your audit and regulatory compliance requirements.
Functions
- On the KMS console, you can perform the following operations on CMKs:
- Creating, querying, enabling, disabling, scheduling the deletion of, and canceling the deletion of CMKs
- Modifying the alias and description of CMKs
- Using the online tool to encrypt and decrypt small volumes of data
- Adding, searching for, editing, and deleting tags
- Creating, canceling, and querying grants
- You can use the API to perform the following operations:
- Creating, encrypting, or decrypting data encryption keys (DEKs)
- Retiring grants
- Signing or verifying the signature of messages or message digests
For details, see the Data Encryption Workshop API Reference.
- Generate hardware true random number.
You can generate 512-bit random numbers using the KMS API. The 512-bit hardware true random numbers can be used as or serve as basis for key materials and encryption parameters. For details, see the Data Encryption Workshop API Reference.
Key Algorithms Supported by KMS
Symmetric keys created on the KMS console use the AES-256 algorithm. Asymmetric keys created by KMS support the RSA and ECC algorithms.
Key Type |
Algorithm Type |
Key Specifications |
Description |
Usage |
---|---|---|---|---|
Symmetric key |
AES |
AES_256 |
AES symmetric key |
Encrypts and decrypts a small amount of data or data keys. |
Asymmetric keys |
RSA |
|
RSA asymmetric password |
Encrypts and decrypts a small amount of data or creates digital signatures. |
ECC |
|
Elliptic curve recommended by NIST |
Digital signature |
Table 2 describes the key wrapping encryption and decryption algorithms supported by imported keys.
Algorithm |
Description |
Configuration |
---|---|---|
RSAES_OAEP_SHA_256 |
RSA algorithm that uses OAEP and has the SHA-256 hash function |
Select an algorithm based on your HSM functions. If the HSMs support the RSAES_OAEP_SHA_256 algorithm, use RSAES_OAEP_SHA_256 to encrypt key materials.
NOTICE:
The RSAES_OAEP_SHA_1 algorithm is no longer secure. Exercise caution when performing this operation. |
RSAES_OAEP_SHA_1 |
RSA algorithm that uses Optimal Asymmetric Encryption Padding (OAEP) and has the SHA-1 hash function |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.