Creating a Key for Cloud Service Encryption
A key can be symmetric or asymmetric.
- For symmetric keys, the same key is used to encrypt and decrypt data, which is fast and efficient, suitable for encrypting a large amount of data.
- For asymmetric keys, a key pair, that is, a public key and a private key, are used for encryption and decryption. Public keys can be distributed to anyone, while private keys must be kept secure and provided for only trusted users. These keys are used for digital signature verification and encrypted transmission of sensitive information.
Procedure
This section uses the AES-256 symmetric key and RSA-2048 asymmetric key as examples to describe how to create a key and bind it to a cloud service. The following figure shows the process.
Procedure |
Description |
---|---|
Register a Huawei ID, enable Huawei Cloud services, top up the account, and grant KMS permissions to the account. |
|
Create a key and select the key algorithm type. |
|
After the key is created, bind the key to the instance when you create or use a cloud service instance for encryption. |
Preparations
- Before creating key, register a Huawei Cloud account and enable Huawei Cloud services. For details, see Signing up for a Huawei ID and Enabling Huawei Cloud Services and Real-Name Authentication.
If you have enabled Huawei Cloud services and completed real-name authentication, skip this step.
- You have obtained KMS CMKFullAccess or higher permissions. For details, see Creating a User and Authorizing the User the Permission to Access DEW.
Table 1 KMS system roles Role
Description
Type
Dependencies
KMS administrator
All permissions of KMS
System-defined role
None
KMS CMKFullAccess
All permissions for KMS keys. Users with these permissions can perform all the operations allowed by policies.
System-defined policy
None
KMS CMKReadOnlyAccess
Read-only permissions for KMS keys. Users with these permissions can perform all the operations allowed by policies.
System-defined policy
None
Creating a Key
The following describes how to create a key.
- Log in to the management console. Click on the left and choose .
- On the displayed Key Management Service page, click Create Key in the upper right corner.
- Configure the parameters as follows:
- Key Algorithm: Choose AES_256.
The created key can be used only in the current region. To use it in other regions, switch to the target region and create a key or use a regional key. For details about regions of replica keys, see Function Overview.
- Set other parameters as needed.
- Key Algorithm: Choose AES_256.
- Click OK. A message is displayed in the upper right corner of the page, indicating that the key is created. In the key list, you can view the created keys, which are in the Enabled state by default.
- Log in to the management console. Click on the left and choose .
- On the displayed Key Management Service page, click Create Key in the upper right corner.
- Configure the parameters as follows:
- Key Algorithm: Choose RSA_2048.
The created key can be used only in the current region. To use it in other regions, switch to the target region and create a key or use a regional key. For details about regions of replica keys, see Function Overview.
- Set other parameters as needed.
- Key Algorithm: Choose RSA_2048.
- Click OK. A message is displayed in the upper right corner of the page, indicating that the key is created. In the key list, you can view the created keys, which are in the Enabled state by default.
Creating a Digest Key
- Log in to the management console. Click on the left and choose .
- On the displayed Key Management Service page, click Create Key in the upper right corner.
- Configure the parameters as follows:
- Key Algorithm: Choose HMAC_256.
The created key can be used only in the current region. To use it in other regions, switch to the target region and create a key or use a regional key. For details about regions of replica keys, see Function Overview.
- Set other parameters as needed.
- Key Algorithm: Choose HMAC_256.
- Click OK. A message is displayed in the upper right corner of the page, indicating that the key is created. In the key list, you can view the created keys, which are in the Enabled state by default.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot