Overview
A CMK contains key metadata (key ID, key alias, description, key status, and creation date) and the key material used for encrypting and decrypting data.
- When a user creates a CMK on the KMS Console, KMS automatically generates the key material for the CMK.
- If you want to use your own key material, you can use the key import function on the KMS Console to create a CMK whose key material is empty, and then import your key material into the CMK.
Important Notes
- Security
You must ensure that the random sources you use to generate key material meet your security requirements. When you use the key import function, you are responsible for the security of your key material. Keep a backup of the original key material so that it can be re-imported into KMS promptly if the key material is accidentally deleted.
- Availability and Durability
Before importing the key material into KMS, you need to ensure the availability and durability of the key material.
Differences between the imported key material and the key material generated by KMS are shown in Table 1.
- Association
Once key material is imported into a CMK, the CMK is permanently associated with that key material. No other key material can be imported into the CMK.
- Uniqueness
If you use a CMK created with imported key material to encrypt data, the encrypted data can be decrypted only by the same CMK that encrypted it, because the metadata and key material of the CMK must be consistent.
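The Security and Uniqueness notes above imply that a backup is only useful if it holds exactly the bytes that were imported. The following sketch is an added example, not code from this documentation or from KMS: it draws key material from the operating system CSPRNG, writes an owner-only backup, and uses a keyed check value to confirm the backup is intact before any re-import. The 32-byte length, the label, the file name and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

KEY_BYTES = 32  # assumption: 256-bit key material; the page states no length
KCV_LABEL = b"kms-import-backup-check"  # hypothetical label for the check value


def generate_key_material(length: int = KEY_BYTES) -> bytes:
    """Draw key material from the operating system CSPRNG."""
    return secrets.token_bytes(length)


def check_value(key_material: bytes) -> str:
    """Fingerprint that identifies the key material without revealing it."""
    return hmac.new(key_material, KCV_LABEL, hashlib.sha256).hexdigest()[:16]


def write_backup(path: str, key_material: bytes) -> None:
    """Create the backup owner-readable only; refuse to overwrite a file."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    with os.fdopen(os.open(path, flags, 0o600), "wb") as fh:
        fh.write(key_material)


def verify_backup(path: str, expected_check_value: str) -> bool:
    """True only if the backup still holds exactly the original key material."""
    with open(path, "rb") as fh:
        data = fh.read()
    matches = hmac.compare_digest(check_value(data), expected_check_value)
    return len(data) == KEY_BYTES and matches


def demo() -> tuple:
    """Back up fresh key material, then show a corrupted copy is rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cmk-key-material.bin")  # constructed path
        key = generate_key_material()
        kcv = check_value(key)  # record this alongside the CMK's key ID
        write_backup(path, key)
        intact = verify_backup(path, kcv)
        with open(path, "r+b") as fh:  # simulate one flipped bit in storage
            fh.write(bytes([key[0] ^ 0x01]))
        corrupted = verify_backup(path, kcv)
    return intact, corrupted


if __name__ == "__main__":
    print(demo())
```

Run the verification on a schedule as well as before a re-import, so that a damaged backup is discovered while the key material in KMS still exists.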