Updated on 2024-05-15 GMT+08:00

Key Types

CMKs include custom keys and default keys. This section describes how to create, view, enable, disable, schedule the deletion, and cancel the deletion of custom keys.

Custom keys can be categorized into symmetric keys and asymmetric keys.

Symmetric keys are most commonly used for data encryption protection. Asymmetric keys are used for digital signature verification or sensitive information encryption in systems where the trust relationship is not mutual. An asymmetric key consists of a public key and a private key. The public key can be sent to anyone. The private key must be securely stored and only accessible to trusted users.

An asymmetric key can be used to generate and verify a signature. To securely transfer data, a signer sends the public key to a receiver, uses the private key to sign data, and then sends the data and signature to the receiver. The receiver can use the public key to verify the signature.

Table 1 Key algorithms supported by KMS

Key Type

Algorithm Type

Key Specifications

Description

Usage

Symmetric key

AES

  • AES_256

AES symmetric key

Encrypts and decrypts a small amount of data or data keys.

Digest key

SHA

  • HMAC_256
  • HMAC_384
  • HMAC_512

SHA digest key

  • Data tampering prevention
  • Data integrity verification

Digest key

SM3

  • HMAC_SM3

SM3 digest key

  • Data tampering prevention
  • Data integrity verification

Asymmetric key

RSA

  • RSA_2048
  • RSA_3072
  • RSA_4096

RSA asymmetric password

Encrypts and decrypts a small amount of data or creates digital signatures.

ECC

  • EC_P256
  • EC_P384

Elliptic curve recommended by NIST

Digital signature