Creating a Custom Key

Prerequisites

When you create a key as an IAM user, you have granted the KMS CMKFullAccess or higher permissions to the IAM user. For details, see Creating a User and Authorizing the User the Permission to Access DEW.

Constraints

• You can create up to 100 custom keys, excluding default keys. Replica keys take up the custom key quota in the region.
• Symmetric keys are created using the AES key. The AES-256 key can be used to encrypt and decrypt a small amount of data or data keys. The HMAC key is used to verify data integrity.
• Asymmetric keys are created using RSA or ECC algorithms. RSA keys can be used for encryption, decryption, digital signature, and signature verification. ECC keys can be used only for digital signature and signature verification.
• Aliases of default keys end with /default. When choosing aliases for your custom keys, do not use aliases ending with /default.
• KMS keys can be called through APIs for 20,000 times free of charge per month.

Scenarios

• Encrypt data in OBS
• Encrypt data in EVS
• Encrypt data in IMS
• Encrypt an RDS DB instance
• Use custom keys to directly encrypt and decrypt small volumes of data.
• DEK encryption and decryption for user applications
• Message authentication code generation and verification
• Asymmetric keys can be used for digital signatures and signature verification.

Creating a Custom Key

1. Log in to the management console.
2. Click in the upper left corner and select a region or project.
3. Click on the left and choose Security & Compliance > Data Encryption Workshop.
4. Click Create Key in the upper right corner.
5. Configure the parameters as follows:
   Figure 1 Creating a key
   

   Table 1 Key parameter configurations

   Parameter	Description
   Name	Name of the key you are creating. NOTE: You can enter digits, letters, underscores (_), hyphens (-), colons (:), and slashes (/). You can enter up to 255 characters.
   Key Algorithm	Select a key algorithm. For details about the key algorithms supported by KMS, see Table 2.
   Usage	Key usage. The value cannot be changed after the key is created. The value can be SIGN_VERIFY, ENCRYPT_DECRYPT, or GENERATE_VERIFY_MAC. For an AES_256 symmetric key, the default value is ENCRYPT_DECRYPT. For an HMAC symmetric key, the default value is GENERATE_VERIFY_MAC. For RSA asymmetric keys, select ENCRYPT_DECRYPT or SIGN_VERIFY. The default value is SIGN_VERIFY. For an ECC asymmetric key, the default value is SIGN_VERIFY.
   Enterprise Project	This parameter is provided for enterprise users. If you are an enterprise user and have created an enterprise project, select the required enterprise project from the drop-down list. The default project is default. If there are no Enterprise Management options displayed, you do not need to configure it. NOTE: You can use enterprise projects to manage cloud resources and project members. For more information about enterprise projects, see What Is Enterprise Project Management Service? For details about how to enable the enterprise project function, see Enabling the Enterprise Center.
   Key Material Source	Key management External
   Advanced settings	Description Description of the key. Tag You can add tags to a secret as you need. For details about operations on tags, see Tag Management. NOTE: A maximum of 20 tags can be added for one custom key.

6. Click OK. You can view the created keys in the key list. By default, a key with KMS-generated key materials is in the Enabled state, and a key with imported key materials is in the Pending import state.

Enabling a Custom Key

This section describes how to enable one or more custom keys on the KMS console. Only enabled custom keys can be used to encrypt or decrypt data. A new custom key is in the Enabled state by default.

1. Locate the target key in the list and click Enable in the Operation column.
2. In the displayed dialog box, click OK.
   

   To enable multiple keys at a time, select them and click Enable in the upper left corner of the list.

Disabling a Custom Key

1. Locate the target key in the list and click Disable in the Operation column.
2. In the displayed dialog box, select I understand the impact of disabling keys, and click OK.
   

   To disable multiple keys at a time, select them and click Disable in the upper left corner of the list.

Scheduling the Deletion of a Key

You cannot directly delete a key on KMS. Instead, you can set a scheduled deletion date for the key, which ranges from 7 to 1,096 days.

Only custom keys in the Enabled, Disabled, or Pending import state can be deleted. Default keys cannot be deleted.

• The system will delete the key once the deletion period expires. The content encrypted using the key and the generated data key cannot be decrypted. Before deleting a key, ensure that it is no longer in use. Otherwise, your service will be unavailable. You can check the key usage in either of the following ways:
  • Check the CMK permission to determine its possible usage scope. For details, see Querying a Grant.
  • Check audit logs to determine the actual usage. For details, see Viewing CTS Traces in the Trace List.
• To delete a master key with replica key created, delete the replica key first.

To schedule the deletion of multiple keys at a time, select them and click Delete in the upper left corner of the list. The following describes how to delete a single key.

1. Locate the target key in the list and click Delete in the Operation column.
2. On the displayed page, configure Waiting Period.
3. Enter DELETE in the confirmation dialog box if deletion verification is disabled and click OK.

   If you have enabled deletion verification, select a verification mode, click Get Code, enter the code, and click OK.

   

   To disable operation protection, go to the Security Settings page, click Disable next to Operation Protection in the Critical Operations tab, or click Disable Operation Protection on the deletion page.

4. If a key is used to encrypt DDS, RDS, or NoSQL, after you click OK, a message "Key XXX is being used by XXX. Are you sure you want to delete it?" is displayed, as shown in Figure 2. Click Yes to delete the key.
   Figure 2 Confirming the deletion
   

Canceling the Scheduled Deletion of a Key

This section describes how to use the KMS console to cancel the scheduled deletion of one or more custom keys prior to deletion execution. After the cancellation, the key is in Disabled status.

To cancel the deletion of multiple keys at a time, select them and click Cancel Deletion in the upper left corner of the list. The following describes how to cancel the scheduled deletion of a key.

1. Locate the target key in the list and click Cancel Deletion in the Operation column.
2. In the displayed dialog box, click OK.

   After the cancelation, the key's status becomes Disabled. To enable the key, follow the instructions provided in Enabling a Custom Key.

Related Operations

• For details about how cloud services use KMS for encryption, see Cloud Services with KMS Integrated.
• For details about how to create a DEK and a plaintext-free DEK, see sections "Creating a DEK" and "Creating a Plaintext-Free DEK" in Data Encryption Workshop API Reference.
• For details about how to encrypt and decrypt a DEK for a user application, see sections "Encrypting a DEK" and "Decrypting a DEK" in Data Encryption Workshop API Conference.