Help Center/ Database Security Service/ User Guide/ Database Security Encryption Management/ System administrator operation guide/ Initializing a Key
Updated on 2025-04-16 GMT+08:00
View PDF
Share

Initializing a Key

Before using encryption for the first time, you need to initialize keys.

Keys for database encryption and access control include root keys (RKs), data source keys (DSKs), and data encryption keys (DEKs). For details, see Initializing a Key.

Table 1 Key types

Type

Description

Root key (RK)

Generated after a key is initialized. It is not exposed externally.

Data source key (DSK)

Generated when a data source is added. It is encrypted by RK for storage.

Data encryption key (DEK)

Generated during initialization when an encryption task is added. It is encrypted by DSK for storage.

Procedure

  1. Log in to database encryption and access control.
  2. In the navigation pane on the left, choose Key Management > Key Configuration.
  3. Click Initialize Key. In the displayed dialog box, enter the security password and click OK.
  4. In the password verification dialog box, enter the security password and click Confirm.

    For details about how to change the security password, see Changing the Security Password.

  5. In the Initialize Key dialog box, set the key sources. For details about the parameters, see Table 2.

    Figure 1 Initializing a key

    Table 2 Initializing a key

    Parameter

    Description

    RK Key Source
    RK source. The following sources are supported:
    • System Built-in: fixed key built in the system, which is used only for tests.
    • KEY_Service: key platform connected to the system.

      For details about how to configure a key platform, see Interconnecting with KMS.

      After the configuration, select a platform vendor.

      NOTE:

      KMS requires the KMS CMKFullAccess permission.

    DSK Key Source
    DSK source. The following sources are supported:
    • System Built-in: fixed key built in the system, which is used only for tests.
    • KEY_Service: key platform connected to the system.

      For details about how to configure the key platform, see Interconnecting with KMS.

      After the configuration, select a platform vendor.
      NOTE:

      KMS requires the KMS CMKFullAccess permission.

    DEK Key Source
    DEK source. The following sources are supported:
    • System Built-in: fixed key built in the system, which is used only for tests.
    • KEY_Service: key platform connected to the system.

      For details about how to configure the key platform, see Interconnecting with KMS.

      After the configuration, select a platform vendor.

      NOTE:

      KMS requires the KMS CMKFullAccess permission.

  6. Click Initialize.