Help Center/ Data Encryption Workshop/ Getting Started/ Creating a Key for Cloud Service Encryption
Updated on 2024-11-29 GMT+08:00

Creating a Key for Cloud Service Encryption

A key can be symmetric or asymmetric.

  • For symmetric keys, the same key is used to encrypt and decrypt data, which is fast and efficient, suitable for encrypting a large amount of data.
  • For asymmetric keys, a key pair, that is, a public key and a private key, are used for encryption and decryption. Public keys can be distributed to anyone, while private keys must be kept secure and provided for only trusted users. These keys are used for digital signature verification and encrypted transmission of sensitive information.

Procedure

This section uses the AES-256 symmetric key and RSA-2048 asymmetric key as examples to describe how to create a key and bind it to a cloud service. The following figure shows the process.

Figure 1 Creating a key for cloud service encryption

Procedure

Description

Preparations

Register a Huawei ID, enable Huawei Cloud services, top up the account, and grant KMS permissions to the account.

Create a key and select the key algorithm type.

Cloud Service Encryption

After the key is created, bind the key to the instance when you create or use a cloud service instance for encryption.

Preparations

  1. Before creating key, register a Huawei Cloud account and enable Huawei Cloud services. For details, see Signing up for a Huawei ID and Enabling Huawei Cloud Services and Real-Name Authentication.

    If you have enabled Huawei Cloud services and completed real-name authentication, skip this step.

  2. You have obtained KMS CMKFullAccess or higher permissions. For details, see Creating a User and Authorizing the User the Permission to Access DEW.
    Table 1 KMS system roles

    Role

    Description

    Type

    Dependencies

    KMS administrator

    All permissions of KMS

    System-defined role

    None

    KMS CMKFullAccess

    All permissions for KMS keys. Users with these permissions can perform all the operations allowed by policies.

    System-defined policy

    None

    KMS CMKReadOnlyAccess

    Read-only permissions for KMS keys. Users with these permissions can perform all the operations allowed by policies.

    System-defined policy

    None

Creating a Key

The following describes how to create a key.

  1. Log in to the management console. Click on the left and choose Security & Compliance > Data Encryption Workshop.
  2. On the displayed Key Management Service page, click Create Key in the upper right corner.
  3. Configure the parameters as follows:
    • Key Algorithm: Choose AES_256.

      The created key can be used only in the current region. To use it in other regions, switch to the target region and create a key or use a regional key. For details about regions of replica keys, see Function Overview.

    • Set other parameters as needed.
  4. Click OK. A message is displayed in the upper right corner of the page, indicating that the key is created. In the key list, you can view the created keys, which are in the Enabled state by default.
  1. Log in to the management console. Click on the left and choose Security & Compliance > Data Encryption Workshop.
  2. On the displayed Key Management Service page, click Create Key in the upper right corner.
  3. Configure the parameters as follows:
    • Key Algorithm: Choose RSA_2048.

      The created key can be used only in the current region. To use it in other regions, switch to the target region and create a key or use a regional key. For details about regions of replica keys, see Function Overview.

    • Set other parameters as needed.
  4. Click OK. A message is displayed in the upper right corner of the page, indicating that the key is created. In the key list, you can view the created keys, which are in the Enabled state by default.

Creating a Digest Key

  1. Log in to the management console. Click on the left and choose Security & Compliance > Data Encryption Workshop.
  2. On the displayed Key Management Service page, click Create Key in the upper right corner.
  3. Configure the parameters as follows:
    • Key Algorithm: Choose HMAC_256.

      The created key can be used only in the current region. To use it in other regions, switch to the target region and create a key or use a regional key. For details about regions of replica keys, see Function Overview.

    • Set other parameters as needed.
  4. Click OK. A message is displayed in the upper right corner of the page, indicating that the key is created. In the key list, you can view the created keys, which are in the Enabled state by default.

Cloud Service Encryption

Currently, KMS interconnects with services such as OBS and EVS to implement instance encryption. For details about the principles and operations, see the following.