- What's New
- Function Overview
- Service Overview
- Billing
- Getting Started
-
User Guide
- Key Management Service
- Cloud Secret Management Service
- Key Pair Service
- Dedicated HSM
- Tag Management
- Auditing Logs
- Sharing
- Permission Control
-
Best Practices
- Key Management Service
- Cloud Secret Management Service
- General
-
API Reference
- Before You Start
- Calling APIs
- API Overview
-
APIs
-
Key Management APIs
- Key Lifecycle Management
- DEK Management
- Small-Size Data Encryption and Decryption
- Signature and Verification
- Key Tag Management
- Key API Version Query
- Querying Key API Versions
- Key Import Management
- Querying Keys
- Key Grant Management
- Key Rotation Management
- Dedicated Keystore Management
- Signature Verification
- Key Pair Management APIs
- Secret Management APIs
-
Key Management APIs
- Historical APIs
- Application Examples
- Permissions Policies and Supported Actions
- Appendix
- SDK Reference
-
FAQs
-
KMS Related
- What Is Key Management Service?
- What Is a Customer Master Key?
- What Is a Default Key?
- What Are the Differences Between a Custom Key and a Default Key?
- What Is a Data Encryption Key?
- Why Cannot I Delete a CMK Immediately?
- Which Cloud Services Can Use KMS for Encryption?
- How Do Huawei Cloud Services Use KMS to Encrypt Data?
- What Are the Benefits of Envelope Encryption?
- Is There a Limit on the Number of Custom Keys That I Can Create on KMS?
- Can I Export a CMK from KMS?
- Can I Decrypt My Data if I Permanently Delete My Custom Key?
- How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data?
- Can I Update CMKs Created by KMS-Generated Key Materials?
- When Should I Use a CMK Created with Imported Key Materials?
- What Should I Do When I Accidentally Delete Key Materials?
- How Are Default Keys Generated?
- What Should I Do If I Do Not Have the Permissions to Perform Operations on KMS?
- Why Can't I Wrap Asymmetric Keys by Using -id-aes256-wrap-pad in OpenSSL?
- Key Algorithms Supported by KMS
- What Should I Do If KMS Failed to Be Requested and Error Code 401 Is Displayed?
- What Is the Relationship Between the Ciphertext and Plaintext Returned by the encrypt-data API?
- How Does KMS Protect My Keys?
- How Do I Use an Asymmetric Key to Verify the Signature Result of a Public Key Pair?
- Does an Imported Key Support Rotation?
- Does KMS Support Offline Data Encryption and Decryption?
- How Do I Convert an Original EC Private Key into a Private Key in PKCS8 Format?
- CSMS Related
-
KPS Related
- How Do I Create a Key Pair?
- What Are a Private Key Pair and an Account Key Pair?
- How Do I Handle an Import Failure of a Key Pair Created Using PuTTYgen?
- What Should I Do When I Fail to Import a Key Pair Using Internet Explorer 9?
- How Do I Log In to a Linux ECS with a Private Key?
- How Do I Use a Private Key to Obtain the Password to Log In to a Windows ECS?
- How Do I Handle the Failure in Binding a Key Pair?
- How Do I Handle the Failure in Replacing a Key Pair?
- How Do I Handle the Failure in Resetting a Key Pair?
- How Do I Handle the Failure in Unbinding a Key Pair?
- Do I Need to Restart Servers After Replacing Its Key Pair?
- How Do I Enable the Password Login Mode for an ECS?
- How Do I Handle the Failure in Logging In to ECS After Unbinding the Key Pair?
- What Should I Do If My Private Key Is Lost?
- How Do I Convert the Format of a Private Key File?
- Can I Change the Key Pair of a Server?
- Can a Key Pair Be Shared by Multiple Users?
- How Do I Obtain the Public or Private Key File of a Key Pair?
- What Can I Do If an Error Is Reported When an Account Key Is Created or Upgraded for the First Time?
- Will the Account Key Pair Quota Be Occupied After a Private Key Pair Is Upgraded to an Account Key Pair?
- Why Is the Private Key Pair Invisible After It Is Upgraded to an Account Key Pair When Logging in as a Federated User?
-
Dedicated HSM Related
- What Is Dedicated HSM?
- How Does Dedicated HSM Ensure the Security for Key Generation?
- Do Equipment Room Personnel Has the Super Administrator Role to Steal Information by Using a Privileged UKey?
- What HSMs Are Used for Dedicated HSM?
- What APIs Does Dedicated HSM Support?
- How Do I Enable Public Access to a Dedicated HSM Instance?
- Pricing
-
General
- What Functions Does DEW Provide?
- What Cryptography Algorithms Does DEW Use?
- In Which Regions Are DEW Services Available?
- What Is a Quota?
- What Is the Resource Allocation Mechanism of DEW?
- What Are Regions and AZs?
- Can DEW Be Shared Across Accounts?
- How Do I Access the Functions of DEW?
- Why Do DEW Pemissions Fail to Take Effect Immediately?
-
KMS Related
- Videos
-
More Documents
- User Guide (ME-Abu Dhabi Region)
- User Guide (Paris and Amsterdam Regions)
-
User Guide (Kuala Lumpur Region)
- Service Overview
-
User Guide
- Key Management Service
- Cloud Secret Management Service
- Auditing Logs
- Permission Control
-
FAQs
-
KMS Related
- What Is Key Management Service?
- What Is a Customer Master Key?
- What Is a Default Key?
- What Are the Differences Between a Custom Key and a Default Key?
- What Is a Data Encryption Key?
- Why Cannot I Delete a CMK Immediately?
- Which Cloud Services Can Use KMS for Encryption?
- How Do Cloud Services Use KMS to Encrypt Data?
- What Are the Benefits of Envelope Encryption?
- Is There a Limit on the Number of Custom Keys That I Can Create on KMS?
- Can I Export a CMK from KMS?
- Can I Decrypt My Data if I Permanently Delete My Custom Key?
- How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data?
- Can I Update CMKs Created by KMS-Generated Key Materials?
- When Should I Use a CMK Created with Imported Key Materials?
- What Types of Keys Can I Import?
- What Should I Do When I Accidentally Delete Key Materials?
- How Are Default Keys Generated?
- What Should I Do If I Do Not Have the Permissions to Perform Operations on KMS?
- Why Can't I Wrap Asymmetric Keys by Using -id-aes256-wrap-pad in OpenSSL?
- Key Algorithms Supported by KMS
- What Should I Do If KMS Failed to Be Requested and Error Code 401 Is Displayed?
- What Is the Relationship Between the Ciphertext and Plaintext Returned by the encrypt-data API?
- How Does KMS Protect My Keys?
- Credential Related
-
KMS Related
- Change History
-
API Reference (ME-Abu Dhabi Region)
- Before You Start
- Calling APIs
- API Overview
-
APIs
- Creating a CMK
- Enabling a CMK
- Disabling a CMK
- Scheduling the Deletion of a CMK
- Canceling the Scheduled Deletion of a CMK
- Querying the List of CMKs
- Querying the Information About a CMK
- Creating a Random Number
- Creating a DEK
- Creating a Plaintext-Free DEK
- Encrypting a DEK
- Decrypting a DEK
- Querying the Number of Instances
- Querying the Quota of a User
- Changing the Alias of a CMK
- Changing the Description of a CMK
- Encrypting Data
- Decrypting Data
- Obtaining CMK Import Parameters
- Importing CMK Material
- Deleting CMK Material
- Querying CMK Instances
- Querying CMK Tags
- Querying Project Tags
- Adding or Deleting CMK Tags in Batches
- Adding a CMK Tag
- Deleting a CMK Tag
- Permissions Policies and Supported Actions
- Appendix
- Change History
-
API Reference (Paris and Amsterdam Regions)
- Before You Start
- Calling APIs
- API Overview
-
APIs
- Creating a CMK
- Enabling a CMK
- Disabling a CMK
- Scheduling the Deletion of a CMK
- Canceling the Scheduled Deletion of a CMK
- Querying the List of CMKs
- Querying the Information About a CMK
- Creating a Random Number
- Creating a DEK
- Creating a Plaintext-Free DEK
- Encrypting a DEK
- Decrypting a DEK
- Querying the Number of Instances
- Querying the Quota of a User
- Changing the Alias of a CMK
- Changing the Description of a CMK
- Creating a Grant
- Revoking a Grant
- Retiring a Grant
- Querying Grants on a CMK
- Querying Grants That Can Be Retired
- Encrypting Data
- Decrypting Data
- Obtaining CMK Import Parameters
- Importing CMK Material
- Deleting CMK Material
- Enabling Rotation for a CMK
- Changing the Rotation Interval for a CMK
- Disabling Rotation for a CMK
- Querying the Rotation Status of a CMK
- Appendix
- Change History
-
API Reference (Kuala Lumpur Region)
- Before You Start
- Calling APIs
- API Overview
-
APIs
- Creating a CMK
- Enabling a CMK
- Disabling a CMK
- Scheduling the Deletion of a CMK
- Canceling the Scheduled Deletion of a CMK
- Querying the List of CMKs
- Querying the Information About a CMK
- Creating a Random Number
- Creating a DEK
- Creating a Plaintext-Free DEK
- Encrypting a DEK
- Decrypting a DEK
- Querying the Number of Instances
- Querying the Quota of a User
- Changing the Alias of a CMK
- Changing the Description of a CMK
- Creating a Grant
- Revoking a Grant
- Retiring a Grant
- Querying Grants on a CMK
- Querying Grants That Can Be Retired
- Encrypting Data
- Decrypting Data
- Obtaining CMK Import Parameters
- Importing CMK Material
- Deleting CMK Material
- Enabling Rotation for a CMK
- Changing the Rotation Interval for a CMK
- Disabling Rotation for a CMK
- Querying the Rotation Status of a CMK
- Appendix
- Change History
- General Reference
Copied.
Creating a Key
This section describes how to create a custom key on the KMS console.
Custom keys can be categorized into symmetric keys and asymmetric keys.
Prerequisites
The account has KMS CMKFullAccess or higher permissions.
Constraints
- You can create up to 100 custom keys, excluding default keys.
- Symmetric keys are created using the AES key. The AES-256 key can be used to encrypt and decrypt a small amount of data or data keys. The HMAC key is used to verify data integrity.
- Asymmetric keys are created using RSA or ECC algorithms. RSA keys can be used for encryption, decryption, digital signature, and signature verification. ECC keys can be used only for digital signature and signature verification.
- Aliases of default keys end with /default. When choosing aliases for your custom keys, do not use aliases ending with /default.
- KMS keys can be called through APIs for 20,000 times free of charge per month.
Scenarios
- Encrypt data in OBS
- Encrypt data in EVS
- Encrypt data in IMS
- Encrypt an RDS DB instance
- Use custom keys to directly encrypt and decrypt small volumes of data.
- DEK encryption and decryption for user applications
- Message authentication code generation and verification
- Asymmetric keys can be used for digital signatures and signature verification.
Creating a Key
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project.
- In the navigation on the left, choose
> Security & Compliance > Data Encryption Workshop.
- Click Create Key in the upper right corner.
- Go to the Create Secret page. Set the parameters.
Figure 1 Creating a key
Table 1 Key parameter configuration Parameter
Description
Name
Name of the key you are creating.
NOTE:
- You can enter digits, letters, underscores (_), hyphens (-), colons (:), and slashes (/).
- You can enter up to 255 characters.
Key Algorithm
Select a key algorithm. For details about the key algorithms supported by KMS, see Table 2.
Usage
Key usage. The value cannot be changed after the key is created. The value can be SIGN_VERIFY, ENCRYPT_DECRYPT, or GENERATE_VERIFY_MAC.
- For an AES_256 symmetric key, the default value is ENCRYPT_DECRYPT.
- For an HMAC symmetric key, the default value is GENERATE_VERIFY_MAC.
- For RSA asymmetric keys, select ENCRYPT_DECRYPT or SIGN_VERIFY. The default value is SIGN_VERIFY.
- For an ECC asymmetric key, the default value is SIGN_VERIFY.
Enterprise Project
This parameter is provided for enterprise users.
If you are an enterprise user and have created an enterprise project, select the required enterprise project from the drop-down list. The default project is default.
If there are no Enterprise Management options displayed, you do not need to configure it.
NOTE:
- You can use enterprise projects to manage cloud resources and project members. For more information about enterprise projects, see What Is Enterprise Project Management Service?
- For details about how to enable the enterprise project function, see Enabling the Enterprise Center.
Key Material Source
- Key management
- External
Advanced settings
- Description
- Tag
You can add tags to a secret as you need. For details about operations on tags, see Tag Management.
NOTE:
You can add at most 20 tags to a secret.
- Key Algorithm: Select a key algorithm. For more information, see Table 2.
Table 2 Key algorithms supported by KMS Key Type
Algorithm Type
Key Specifications
Description
Usage
Symmetric key
AES
- AES_256
AES symmetric key
Encrypts and decrypts a small amount of data or data keys.
Digest key
SHA
- HMAC_256
- HMAC_384
- HMAC_512
SHA digest key
- Data tampering prevention
- Data integrity verification
Digest key
SM3
- HMAC_SM3
SM3 digest key
- Data tampering prevention
- Data integrity verification
Asymmetric key
RSA
- RSA_2048
- RSA_3072
- RSA_4096
RSA asymmetric password
Encrypts and decrypts a small amount of data or creates digital signatures.
ECC
- EC_P256
- EC_P384
Elliptic curve recommended by NIST
Digital signature
- Click OK. In the CMK list, you can view created CMKs. The default status of a CMK is Enabled. The default status is Pending import whose material source is External.
Related Operations
- For details about how to upload objects with server-side encryption, see section "Uploading a File with Server-Side Encryption" in Object Storage Service User Guide.
- For details about how to encrypt data on EVS disks, see section Purchasing an EVS Disk in the Elastic Volume Service User Guide.
- For details about how to encrypt private images, see section "Encrypting an Image" in Image Management Service User Guide.
- For details about how to encrypt disks for a database instance in RDS, see section "Purchasing an Instance" in the Relational Database Service User Guide.
- For details about how to create a DEK and a plaintext-free DEK, see sections "Creating a DEK" and "Creating a Plaintext-Free DEK" in Data Encryption Workshop API Reference.
- For details about how to encrypt and decrypt a DEK for a user application, see sections "Encrypting a DEK" and "Decrypting a DEK" in Data Encryption Workshop API Conference.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot