Importing Key Materials

Procedure

1. Log in to the management console.
2. Click in the upper left corner of the management console and select a region or project.
3. Click . Choose Security & Compliance > Data Encryption Workshop.
4. Click Import Key. The Import Key dialog box is displayed.
5. Configure key parameters.
   Figure 1 Creating an empty key
   
   • Alias is the alias of the CMK to be created.
     

     • You can enter digits, letters, underscores (_), hyphens (-), colons (:), and slashes (/).
     • You can enter up to 255 characters.
   • Key Algorithm: Select a key algorithm. For more information, see Table 1.

     Table 1 Key algorithms supported by KMS

     Key Type	Algorithm Type	Key Specifications	Description	Usage
     Symmetric key	AES	AES_256	AES symmetric key	Encrypts and decrypts a small amount of data or data keys.
     Asymmetric key	RSA	RSA_2048 RSA_3072 RSA_4096	RSA asymmetric password	Encrypts and decrypts a small amount of data or creates digital signatures.
     	ECC	EC_P256 EC_P384	Elliptic curve recommended by NIST	Digital signature

   • Usage: Select SIGN_VERIFY or ENCRYPT_DECRYPT.
     • For a symmetric key, the default value is ENCRYPT_DECRYPT.
     • For RSA asymmetric keys, select ENCRYPT_DECRYPT or SIGN_VERIFY. The default value is SIGN_VERIFY.
     • For an ECC asymmetric key, the default value is SIGN_VERIFY.
     

     The key usage can only be configured during key creation and cannot be modified afterwards.

   • (Optional) Description is the description of the CMK.
   • The Enterprise Project parameter needs to be set only for enterprise users.

     If you are an enterprise user and have created an enterprise project, select the required enterprise project from the drop-down list. The default project is default.

     If there are no Enterprise Management options displayed, you do not need to configure it.

     

     https://support.huaweicloud.com/usermanual-em/em_eps_01_0000.html

     • You can use enterprise projects to manage cloud resources and project members. For more information about enterprise projects, see What Is Enterprise Project Management Service?
     • For details about how to enable the enterprise project function, see Enabling the Enterprise Center.

6. (Optional) Add tags to the CMK as needed, and enter the tag key and tag value.
   

   • If a CMK was created without any tag, you can add a tag to the CMK later as necessary. Click the alias of the CMK, click the Tags tab, and click Add Tag.
   • The same tag (including tag key and tag value) can be used for different CMKs. However, under the same CMK, one tag key can have only one tag value.
   • A maximum of 20 tags can be added for each CMK.
   • If you want to delete a tag from the tag list when adding multiple tags, you can click Delete in the row where the tag to be added is located to delete the tag.

7. Click security and durability to understand the security and durability of the imported key.
8. Select I understand the security and durability of using an imported key, and create a CMK whose key material is empty.
9. Click Next to go to the Download the Import Items step. Select a key wrapping algorithm based on Table 2.
   Figure 2 Obtaining the wrapping key and import token
   

   Table 2 Key wrapping algorithms

   Algorithm	Description	Configuration
   RSAES_OAEP_SHA_256	RSA encryption algorithm that uses OAEP and has the SHA-256 hash function	Select an encryption algorithm based on your HSM functions. If the HSMs support the RSAES_OAEP_SHA_256 algorithm, use RSAES_OAEP_SHA_256 to encrypt key materials. If the HSMs do not support OAEP, use RSAES_PKCS1_V1_5 to encrypt key materials. NOTICE: The RSAES_OAEP_SHA_1 encryption algorithm is no longer secure. Exercise caution when performing this operation.
   RSAES_OAEP_SHA_1	RSA encryption algorithm that uses Optimal Asymmetric Encryption Padding (OAEP) and has the SHA-1 hash function

   

   If you stop a key material import process and want to try again, click Import Key Material in the row of the required CMK, and import key material in the dialog box that is displayed.

10. Obtain the wrapping key and import token. If you already have a key material, skip this step.
    1. Obtain the wrapping key and import token.
       • Method 1: Click Download and Continue. The downloaded files include the wrapping key, import token, and description file, as shown below.
         Figure 3 Downloading a file
         
         • wrappingKey_KeyID_DownloadTime is the wrapping key. It is encoded in binary format and used to encrypt the wrapping key of the key material.
         • importToken_KeyID_DownloadTime is a token used to import key materials to KMS.
         • README_KeyID_DownloadTime is a description file recording information such as a CMK's serial number, wrapping algorithm, wrapping key name, token file name, and the expiration time of the token file and wrapping key.
         

         The wrapping key and import token expire in 24 hours. If they have expired, download them again.

       • Method 2: Obtain the wrapping key and import token by calling APIs.
         1. Call the get-parameters-for-import API to obtain the wrapping key and import token.
            • public_key: content of the wrapping key (Base-64 encoding) returned after the API call
            • import_token: content of the import token (Base-64 encoding) returned after the API call
            The following example describes how to obtain the wrapping key and import token of a CMK (ID: 43f1ffd7-18fb-4568-9575-602e009b7ee8; encryption algorithm: RSAES_OAEP_SHA_256).

            • Example request

              {      
                  "key_id": "43f1ffd7-18fb-4568-9575-602e009b7ee8",
                  "wrapping_algorithm":"RSAES_OAEP_SHA_256"
              }

            • Example response

              {
                  "key_id": "43f1ffd7-18fb-4568-9575-602e009b7ee8",    
                  "public_key":"public key base64 encoded data",
                  "import_token":"import token base64 encoded data",
                  "expiration_time":1501578672
              }

         2. Save the wrapping key and convert its format. Only the key material encrypted using the converted wrapping key can be imported to the management console.
            1. Copy the content of the wrapping key public_key, paste it to a .txt file, and save the file as PublicKey.b64.
            2. Use OpenSSL to run the following command to perform Base-64 coding on the content of the PublicKey.b64 file to generate binary data, and save the converted file as PublicKey.bin:

               openssl enc -d -base64 -A -in PublicKey.b64 -out PublicKey.bin

         3. Save the import token, copy the content of the import_token token, paste it to a .txt file, and save the file as ImportToken.b64.
    2. Use the wrapping key to encrypt the key material.
       

       After performing this step, you will obtain either of the following files:

       Symmetric key scenario: EncryptedKeyMaterial.bin (key material)

       Asymmetric key scenario: EncryptedKeyMaterial.bin (temporary key material) and out_rsa_private_key.der (private key ciphertext)

       Method 1: Use the downloaded wrapping key to encrypt key materials on your HSM. For details, see the operation guide of your HSM.

       Method 2: Use OpenSSL to generate a key material and use the downloaded wrapping key to encrypt the key material.

       

       If you need to run the openssl pkeyutl command, ensure your OpenSSL version is 1.0.2 or later.

       1. Generate a key material (256-bit symmetric key) and save it as PlaintextKeyMaterial.bin.
          • If the AES256 symmetric key algorithm is used, run the following command on the client where the OpenSSL tool has been installed:

            openssl rand -out PlaintextKeyMaterial.bin 32

          • If the SA and ECC asymmetric key algorithms are used, run the following command on the client where the OpenSSL tool has been installed:
            1. Generate a hexadecimal AES256 key.

               openssl rand -out 0xPlaintextKeyMaterial.bin -hex 32

            2. Convert the hexadecimal AES256 key to the binary format.

               cat 0xPlaintextKeyMaterial.bin | xxd -r -ps > PlaintextKeyMaterial.bin

       2. Use the downloaded wrapping key to encrypt the key material and save the encrypted key material as EncryptedKeyMaterial.bin.

          If the wrapping key was downloaded from the console, replace PublicKey.bin in the following command with the wrapping key name wrappingKey_keyID_DownloadTime.

          Table 3 Encrypting the generated key material using the downloaded wrapping key

          Wrapping Key Algorithm	Key Material Encryption
          RSAES_OAEP_SHA_256	openssl pkeyutl -in PlaintextKeyMaterial.bin -inkey PublicKey.bin -out EncryptedKeyMaterial.bin -keyform der -pubin -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
          RSAES_OAEP_SHA_1	openssl pkeyutl -in PlaintextKeyMaterial.bin -inkey PublicKey.bin -out EncryptedKeyMaterial.bin -keyform der -pubin -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1

       3. (Optional) To import an asymmetric key, generate an asymmetric private key, use the temporary key material (EncryptedKeyMaterial.bin) to encrypt the private key, and import the encrypted file as the private key ciphertext.
          • Take the RSA4096 algorithm as an example. Perform the following operations:
            1. Generate a private key.

               openssl genrsa -out rsa_private_key.pem 4096

            2. Convert the key to DER format.

               openssl pkcs8 -topk8 -inform PEM -outform DER -in rsa_private_key.pem -out rsa_private_key.der -nocrypt

            3. Use a temporary key material to encrypt the private key.

               openssl enc -id-aes256-wrap-pad -K $(cat 0xPlaintextKeyMaterial.bin) -iv A65959A6 -in rsa_private_key.der -out out_rsa_private_key.der

               

               By default, the -id-aes256-wrap-pad algorithm is not enabled in OpenSSL. To wrap a key, upgrade OpenSSL to the latest version and patch it first. For details, see .

11. If you already have the key material, click Existing Key Material. The Import Key Material page is displayed.

    Table 4 Parameters for importing key materials (for symmetric keys)

    Parameter	Description
    Key ID	Random ID of a CMK generated during the CMK creation
    Key material	This API allows you to import CMK material. For example, use the EncryptedKeyMaterial.bin file in 10.b.ii.

    Table 5 Parameters for importing key materials (for asymmetric keys)

    Parameter	Description
    Key ID	Random ID of a CMK generated during the CMK creation
    Temporary key material	Import a temporary key material. For example, select the EncryptedKeyMaterial.bin file in 10.b.ii.
    Private key ciphertext	Select private key ciphertext. For example, select the out_rsa_private_key.der file in 10.b.iii.

    Figure 4 Importing key materials
    

12. Click Next to go to the Import Key Token step. Configure the parameters as described in Table 6.
    Figure 5 Importing a key token
    

    Table 6 Parameters for importing a key token

    Parameter	Description
    Key ID	Random ID of a CMK generated during the CMK creation
    Key import token	Select the token downloaded in 10.a.
    Key material expiration mode	Key material will never expire: You use this option to specify that key materials will not expire after import. Key material will expire: You use this option to specify the expiration time of the key materials. By default, key materials expire in 24 hours after import. After the key material expires, the system automatically deletes the key material within 24 hours. Once the key material is deleted, the key cannot be used and its status changes to Pending import.

13. Click OK. When the Key imported successfully message is displayed in the upper right corner, the materials are imported.
    

    Key materials can be successfully imported when they match the corresponding CMK ID and token.

    Your imported materials are displayed in the list of CMKs. The default status of an imported CMK is Enabled.