Help Center/ Data Encryption Workshop/ Getting Started/ Creating a Key for Cloud Service Encryption
Updated on 2025-07-22 GMT+08:00

Creating a Key for Cloud Service Encryption

A key can be symmetric or asymmetric.

  • For symmetric keys, the same key is used to encrypt and decrypt data, which is fast and efficient, suitable for encrypting a large amount of data.
  • For asymmetric keys, a key pair, that is, a public key and a private key, are used for encryption and decryption. Public keys can be distributed to anyone, while private keys must be kept secure and provided for only trusted users. These keys are used for digital signature verification and encrypted transmission of sensitive information.

Procedure

This section uses the AES-256 symmetric key and RSA-2048 asymmetric key as examples to describe how to create a key and bind it to a cloud service. The following figure shows the process.

Figure 1 Creating a key for cloud service encryption

Procedure

Description

Preparations

Register a Huawei ID, enable Huawei Cloud services, top up the account, and grant KMS permissions to the account.

Step 1: Creating a Key

Create a key and select the key algorithm type.

Step 2: Cloud Service Encryption

After the key is created, bind the key to the instance when you create or use a cloud service instance for encryption.

Preparations

  1. Before creating key, register a Huawei Cloud account and enable Huawei Cloud services. For details, see Signing Up for a HUAWEI ID and Enabling Huawei Cloud Services.

    If you have enabled Huawei Cloud, skip this step.

  2. You have obtained KMS CMKFullAccess or higher permissions. For details, see Creating a User and Authorizing the User the Permission to Access DEW.
    Table 1 KMS system roles

    Role

    Description

    Type

    Dependencies

    KMS administrator

    All permissions of KMS

    System-defined role

    None

    KMS CMKFullAccess

    All permissions for KMS keys. Users with these permissions can perform all the operations allowed by policies.

    System-defined policy

    None

    KMS CMKReadOnlyAccess

    Read-only permissions for KMS keys. Users with these permissions can perform all the operations allowed by policies.

    System-defined policy

    None

Step 1: Creating a Key

This section describes how to create an AES-256 symmetric key and an RSA-2048 asymmetric key.

The created key can be used only in the current region. To use it in other regions, switch to the target region and create a key or use a regional key.

  1. Log in to the DEW console.
  2. On the Key Management Service page, click Create Key in the upper right corner.
  3. On the displayed page, configure the parameter as shown in the following and retain default settings for other parameters. For details about the parameters, see Table 2.
    Figure 2 Creating a key

    Table 2 Mandatory parameters

    Parameter

    Example Value

    Description

    Name

    KMS-335c

    Custom key name, which cannot be empty.

    Key Algorithm

    AES-256

    Supported key algorithm types and description. For details, see Key algorithms supported by KMS.

    Usage

    ENCRYPT_DECRYPT

    The value cannot be changed after the key is created.

    For AES_256 symmetric keys, the default value is ENCRYPT_DECRYPT.

    Source

    Key Management Service

    The following key material sources are supported:

    • Key Management Service: KMS generates key materials.
    • External: Import local key materials to KMS.
  4. Click OK. A message is displayed in the upper right corner of the page, indicating that the key is created. In the key list, you can view the created keys, which are in the Enabled state by default.

The created key can be used only in the current region. To use it in other regions, switch to the target region and create a key or use a regional key.

  1. Log in to the DEW console.
  2. On the displayed Key Management Service page, click Create Key in the upper right corner.
  3. On the displayed page, configure the parameter as shown in the following and retain default settings for other parameters. For details about the parameters, see Table 2.
    Figure 3 Creating a key

    Table 3 Mandatory parameters

    Parameter

    Example Value

    Description

    Name

    KMS-335c

    Custom key name, which cannot be empty.

    Key Algorithm

    RSA-2048

    Supported key algorithm types and description. For details, see Key algorithms supported by KMS.

    Usage

    SIGN_VERIFY

    The value cannot be changed after the key is created.

    For RSA asymmetric keys, the value can be ENCRYPT_DECRYPT or SIGN_VERIFY.

    Source

    Key Management Service

    The following key material sources are supported:

    • Key Management Service: KMS generates key materials.
    • External: Import local key materials to KMS.
  4. Click OK. A message is displayed in the upper right corner of the page, indicating that the key is created. In the key list, you can view the created keys, which are in the Enabled state by default.

Step 2: Cloud Service Encryption

Currently, KMS interconnects with services such as OBS and EVS to implement instance encryption. For details about the principles and operations, see the following.