Creating a Key

Prerequisites

The account has KMS CMKFullAccess or higher permissions.

Constraints

• You can create up to 100 custom keys, excluding default keys.
• Symmetric keys are created using the AES key. The AES-256 key can be used to encrypt and decrypt a small amount of data or data keys. The HMAC key is used to verify data integrity.
• Asymmetric keys are created using RSA or ECC algorithms. RSA keys can be used for encryption, decryption, digital signature, and signature verification. ECC keys can be used only for digital signature and signature verification.
• Aliases of default keys end with /default. When choosing aliases for your custom keys, do not use aliases ending with /default.
• KMS keys can be called through APIs for 20,000 times free of charge per month.

Scenarios

• Encrypt data in OBS
• Encrypt data in EVS
• Encrypt data in IMS
• Encrypt an RDS DB instance
• Use custom keys to directly encrypt and decrypt small volumes of data.
• DEK encryption and decryption for user applications
• Message authentication code generation and verification
• Asymmetric keys can be used for digital signatures and signature verification.

Creating a Key

1. Log in to the management console.
2. Click in the upper left corner of the management console and select a region or project.
3. Click on the left. Choose Security & Compliance > Data Encryption Workshop.
4. Click Create Key in the upper right corner.
5. Go to the Create Secret page. set the parameters.
   Figure 1 Creating a key
   

   Table 1 Key parameter configuration

   Parameter	Description
   Name	Name of the key you are creating. NOTE: You can enter digits, letters, underscores (_), hyphens (-), colons (:), and slashes (/). You can enter up to 255 characters.
   Key Algorithm	Select a key algorithm. For details about the key algorithms supported by KMS, see Table 2.
   Usage	Key usage. The value cannot be changed after the key is created. The value can be SIGN_VERIFY, ENCRYPT_DECRYPT, or GENERATE_VERIFY_MAC. For an AES_256 symmetric key, the default value is ENCRYPT_DECRYPT. For an HMAC symmetric key, the default value is GENERATE_VERIFY_MAC. For RSA asymmetric keys, select ENCRYPT_DECRYPT or SIGN_VERIFY. The default value is SIGN_VERIFY. For an ECC asymmetric key, the default value is SIGN_VERIFY.
   Enterprise Project	This parameter is provided for enterprise users. If you are an enterprise user and have created an enterprise project, select the required enterprise project from the drop-down list. The default project is default. If there are no Enterprise Management options displayed, you do not need to configure it. NOTE: You can use enterprise projects to manage cloud resources and project members. For more information about enterprise projects, see What Is Enterprise Project Management Service? For details about how to enable the enterprise project function, see Enabling the Enterprise Center.
   Key Material Source	Key management External
   Advanced settings	Description Description of the key. Tag You can add tags to a secret as you need. For details about operations on tags, see Tag Management. NOTE: You can add at most 20 tags to a secret.

   • Key Algorithm: Select a key algorithm. For more information, see Table 2.

     Table 2 Key algorithms supported by KMS

     Key Type	Algorithm Type	Key Specifications	Description	Usage
     Symmetric key	AES	AES_256	AES symmetric key	Encrypts and decrypts a small amount of data or data keys.
     Digest key	SHA	HMAC_256 HMAC_384 HMAC_512	SHA digest key	Data tampering prevention Data integrity verification
     Digest key	SM3	HMAC_SM3	SM3 digest key	Data tampering prevention Data integrity verification
     Asymmetric key	RSA	RSA_2048 RSA_3072 RSA_4096	RSA asymmetric password	Encrypts and decrypts a small amount of data or creates digital signatures.
     	ECC	EC_P256 EC_P384	Elliptic curve recommended by NIST	Digital signature

6. Click OK. In the CMK list, you can view created CMKs. The default status of a CMK is Enabled. The default status is Pending import whose material source is External.

Related Operations

• For details about how to upload objects with server-side encryption, see section "Uploading a File with Server-Side Encryption" in Object Storage Service User Guide.
• For details about how to encrypt data on EVS disks, see section Purchasing an EVS Disk in the Elastic Volume Service User Guide.
• For details about how to encrypt private images, see section "Encrypting an Image" in Image Management Service User Guide.
• For details about how to encrypt disks for a database instance in RDS, see section "Purchasing an Instance" in the Relational Database Service User Guide.
• For details about how to create a DEK and a plaintext-free DEK, see sections "Creating a DEK" and "Creating a Plaintext-Free DEK" in Data Encryption Workshop API Reference.
• For details about how to encrypt and decrypt a DEK for a user application, see sections "Encrypting a DEK" and "Decrypting a DEK" in Data Encryption Workshop API Conference.