Esta página ainda não está disponível no idioma selecionado. Estamos trabalhando para adicionar mais opções de idiomas. Agradecemos sua compreensão.
Data Encryption Workshop
Data Encryption Workshop
- What's New
- Function Overview
- Service Overview
- Billing
- Getting Started
-
User Guide
- Key Management Service
- Cloud Secret Management Service
- Key Pair Service
- Dedicated HSM
- Tag Management
- Auditing Logs
- Sharing
- Permission Control
-
Best Practices
- Key Management Service
- Cloud Secret Management Service
- General
-
API Reference
- Before You Start
- Calling APIs
- API Overview
-
APIs
-
Key Management APIs
- Key Lifecycle Management
- DEK Management
- Small-Size Data Encryption and Decryption
- Signature and Verification
- Key Tag Management
- Key API Version Query
- Querying Key API Versions
- Key Import Management
- Querying Keys
- Key Grant Management
- Key Rotation Management
- Dedicated Keystore Management
- Signature Verification
- Key Pair Management APIs
- Secret Management APIs
-
Key Management APIs
- Historical APIs
- Application Examples
- Permissions Policies and Supported Actions
- Appendix
- SDK Reference
-
FAQs
-
KMS Related
- What Is Key Management Service?
- What Is a Customer Master Key?
- What Is a Default Key?
- What Are the Differences Between a Custom Key and a Default Key?
- What Is a Data Encryption Key?
- Why Cannot I Delete a CMK Immediately?
- Which Cloud Services Can Use KMS for Encryption?
- How Do Huawei Cloud Services Use KMS to Encrypt Data?
- What Are the Benefits of Envelope Encryption?
- Is There a Limit on the Number of Custom Keys That I Can Create on KMS?
- Can I Export a CMK from KMS?
- Can I Decrypt My Data if I Permanently Delete My Custom Key?
- How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data?
- Can I Update CMKs Created by KMS-Generated Key Materials?
- When Should I Use a CMK Created with Imported Key Materials?
- What Should I Do When I Accidentally Delete Key Materials?
- How Are Default Keys Generated?
- What Should I Do If I Do Not Have the Permissions to Perform Operations on KMS?
- Why Can't I Wrap Asymmetric Keys by Using -id-aes256-wrap-pad in OpenSSL?
- Key Algorithms Supported by KMS
- What Should I Do If KMS Failed to Be Requested and Error Code 401 Is Displayed?
- What Is the Relationship Between the Ciphertext and Plaintext Returned by the encrypt-data API?
- How Does KMS Protect My Keys?
- How Do I Use an Asymmetric Key to Verify the Signature Result of a Public Key Pair?
- Does an Imported Key Support Rotation?
- Does KMS Support Offline Data Encryption and Decryption?
- How Do I Convert an Original EC Private Key into a Private Key in PKCS8 Format?
- CSMS Related
-
KPS Related
- How Do I Create a Key Pair?
- What Are a Private Key Pair and an Account Key Pair?
- How Do I Handle an Import Failure of a Key Pair Created Using PuTTYgen?
- What Should I Do When I Fail to Import a Key Pair Using Internet Explorer 9?
- How Do I Log In to a Linux ECS with a Private Key?
- How Do I Use a Private Key to Obtain the Password to Log In to a Windows ECS?
- How Do I Handle the Failure in Binding a Key Pair?
- How Do I Handle the Failure in Replacing a Key Pair?
- How Do I Handle the Failure in Resetting a Key Pair?
- How Do I Handle the Failure in Unbinding a Key Pair?
- Do I Need to Restart Servers After Replacing Its Key Pair?
- How Do I Enable the Password Login Mode for an ECS?
- How Do I Handle the Failure in Logging In to ECS After Unbinding the Key Pair?
- What Should I Do If My Private Key Is Lost?
- How Do I Convert the Format of a Private Key File?
- Can I Change the Key Pair of a Server?
- Can a Key Pair Be Shared by Multiple Users?
- How Do I Obtain the Public or Private Key File of a Key Pair?
- What Can I Do If an Error Is Reported When an Account Key Is Created or Upgraded for the First Time?
- Will the Account Key Pair Quota Be Occupied After a Private Key Pair Is Upgraded to an Account Key Pair?
- Why Is the Private Key Pair Invisible After It Is Upgraded to an Account Key Pair When Logging in as a Federated User?
-
Dedicated HSM Related
- What Is Dedicated HSM?
- How Does Dedicated HSM Ensure the Security for Key Generation?
- Do Equipment Room Personnel Has the Super Administrator Role to Steal Information by Using a Privileged UKey?
- What HSMs Are Used for Dedicated HSM?
- What APIs Does Dedicated HSM Support?
- How Do I Enable Public Access to a Dedicated HSM Instance?
- Pricing
-
General
- What Functions Does DEW Provide?
- What Cryptography Algorithms Does DEW Use?
- In Which Regions Are DEW Services Available?
- What Is a Quota?
- What Is the Resource Allocation Mechanism of DEW?
- What Are Regions and AZs?
- Can DEW Be Shared Across Accounts?
- How Do I Access the Functions of DEW?
- Why Do DEW Pemissions Fail to Take Effect Immediately?
-
KMS Related
- Videos
-
More Documents
- User Guide (ME-Abu Dhabi Region)
- User Guide (Paris and Amsterdam Regions)
-
User Guide (Kuala Lumpur Region)
- Service Overview
-
User Guide
- Key Management Service
- Cloud Secret Management Service
- Auditing Logs
- Permission Control
-
FAQs
-
KMS Related
- What Is Key Management Service?
- What Is a Customer Master Key?
- What Is a Default Key?
- What Are the Differences Between a Custom Key and a Default Key?
- What Is a Data Encryption Key?
- Why Cannot I Delete a CMK Immediately?
- Which Cloud Services Can Use KMS for Encryption?
- How Do Cloud Services Use KMS to Encrypt Data?
- What Are the Benefits of Envelope Encryption?
- Is There a Limit on the Number of Custom Keys That I Can Create on KMS?
- Can I Export a CMK from KMS?
- Can I Decrypt My Data if I Permanently Delete My Custom Key?
- How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data?
- Can I Update CMKs Created by KMS-Generated Key Materials?
- When Should I Use a CMK Created with Imported Key Materials?
- What Types of Keys Can I Import?
- What Should I Do When I Accidentally Delete Key Materials?
- How Are Default Keys Generated?
- What Should I Do If I Do Not Have the Permissions to Perform Operations on KMS?
- Why Can't I Wrap Asymmetric Keys by Using -id-aes256-wrap-pad in OpenSSL?
- Key Algorithms Supported by KMS
- What Should I Do If KMS Failed to Be Requested and Error Code 401 Is Displayed?
- What Is the Relationship Between the Ciphertext and Plaintext Returned by the encrypt-data API?
- How Does KMS Protect My Keys?
- Credential Related
-
KMS Related
- Change History
-
API Reference (ME-Abu Dhabi Region)
- Before You Start
- Calling APIs
- API Overview
-
APIs
- Creating a CMK
- Enabling a CMK
- Disabling a CMK
- Scheduling the Deletion of a CMK
- Canceling the Scheduled Deletion of a CMK
- Querying the List of CMKs
- Querying the Information About a CMK
- Creating a Random Number
- Creating a DEK
- Creating a Plaintext-Free DEK
- Encrypting a DEK
- Decrypting a DEK
- Querying the Number of Instances
- Querying the Quota of a User
- Changing the Alias of a CMK
- Changing the Description of a CMK
- Encrypting Data
- Decrypting Data
- Obtaining CMK Import Parameters
- Importing CMK Material
- Deleting CMK Material
- Querying CMK Instances
- Querying CMK Tags
- Querying Project Tags
- Adding or Deleting CMK Tags in Batches
- Adding a CMK Tag
- Deleting a CMK Tag
- Permissions Policies and Supported Actions
- Appendix
- Change History
-
API Reference (Paris and Amsterdam Regions)
- Before You Start
- Calling APIs
- API Overview
-
APIs
- Creating a CMK
- Enabling a CMK
- Disabling a CMK
- Scheduling the Deletion of a CMK
- Canceling the Scheduled Deletion of a CMK
- Querying the List of CMKs
- Querying the Information About a CMK
- Creating a Random Number
- Creating a DEK
- Creating a Plaintext-Free DEK
- Encrypting a DEK
- Decrypting a DEK
- Querying the Number of Instances
- Querying the Quota of a User
- Changing the Alias of a CMK
- Changing the Description of a CMK
- Creating a Grant
- Revoking a Grant
- Retiring a Grant
- Querying Grants on a CMK
- Querying Grants That Can Be Retired
- Encrypting Data
- Decrypting Data
- Obtaining CMK Import Parameters
- Importing CMK Material
- Deleting CMK Material
- Enabling Rotation for a CMK
- Changing the Rotation Interval for a CMK
- Disabling Rotation for a CMK
- Querying the Rotation Status of a CMK
- Appendix
- Change History
-
API Reference (Kuala Lumpur Region)
- Before You Start
- Calling APIs
- API Overview
-
APIs
- Creating a CMK
- Enabling a CMK
- Disabling a CMK
- Scheduling the Deletion of a CMK
- Canceling the Scheduled Deletion of a CMK
- Querying the List of CMKs
- Querying the Information About a CMK
- Creating a Random Number
- Creating a DEK
- Creating a Plaintext-Free DEK
- Encrypting a DEK
- Decrypting a DEK
- Querying the Number of Instances
- Querying the Quota of a User
- Changing the Alias of a CMK
- Changing the Description of a CMK
- Creating a Grant
- Revoking a Grant
- Retiring a Grant
- Querying Grants on a CMK
- Querying Grants That Can Be Retired
- Encrypting Data
- Decrypting Data
- Obtaining CMK Import Parameters
- Importing CMK Material
- Deleting CMK Material
- Enabling Rotation for a CMK
- Changing the Rotation Interval for a CMK
- Disabling Rotation for a CMK
- Querying the Rotation Status of a CMK
- Appendix
- Change History
- General Reference
On this page
Show all
Help Center/
Data Encryption Workshop/
User Guide (Paris and Amsterdam Regions) /
Management/
Creating CMKs Using Imported Key Material/
Importing Key Material
Copied.
Importing Key Material
Scenario
If you want to use your own key material instead of the KMS-generated material, you can use the console to import your key material to KMS. CMKs created using imported material and KMS-generated material are managed together by KMS.
This section describes how to import key material through KMS Console.
NOTE:
- A CMK with imported material works in the same way as one using KMS-generated material, that is, you enable and disable them as well as schedule their deletion and cancel their scheduled deletion in the same way.
- You can only import 256-bit symmetric keys.
Prerequisites
- You have obtained an account and its password for logging in to the management console.
- You have prepared the key material to be imported.
Procedure
- Log in to the management console.
- Choose Security > Key Management Service. The Key Management Service page is displayed.
- In the upper right corner, click Import Key.
- In the Import Key dialog box, set the alias and description of the key.
- Click security and durability to read and confirm information regarding the security and durability of the imported key.
- Select I understand the security and durability of using an imported key, and create a CMK whose key material is empty.
- Click Next to go to the Download the Import Items step. Select a key-wrapping algorithm according to Table 1.
Table 1 Key wrapping algorithms Algorithm
Description
Configuration
RSAES_OAEP_SHA_256
RSA encryption algorithm that uses OAEP and has the SHA-256 hash function
Choose an algorithm from the drop-down list box.
- If the HSMs support the RSAES_OAEP_SHA_256 algorithm, use RSAES_OAEP_SHA_256 to encrypt the key material.
- If the HSMs do not support OAEP, use RSAES_PKCS1_V1_5 to encrypt the key material.
NOTICE:The RSAES_OAEP_SHA_1 encryption algorithm is no longer secure. Exercise caution when performing this operation.
RSAES_PKCS1_V1_5
RSA encryption algorithm (v1.5) of Public-Key Cryptography Standards number 1 (PKCS #1)
RSAES_OAEP_SHA_1
RSA encryption algorithm that uses Optimal Asymmetric Encryption Padding (OAEP) and has the SHA-1 hash function
- Click Download. The following files are downloaded: wrappingKey, importToken, and README. These are displayed in Figure 1.
- wrappingKey_CMK ID_download time is a wrapping key used to encrypt the key material.
- importToken_CMK ID_download time is an import token used to import key material to KMS.
- README_CMK ID_download time is a description file recording information such as a CMK's serial number, wrapping algorithm, wrapping key name, token file name, and the expiration time of the token file and wrapping key.
NOTICE:
The wrapping key and import token expire within 24 hours of creation. If they have expired, download them again.
Alternatively, you can obtain the wrapping key and import token by calling the API.- Call the get-parameters-for-import API to obtain the wrapping key and import token.
The following example describes how to obtain the wrapping key and import token of a CMK (ID: 43f1ffd7-18fb-4568-9575-602e009b7ee8; encryption algorithm: RSAES_PKCS1_V1_5).
public_key: The content of the wrapping key (Base-64 encoding) returned after calling the API
import_token: Content of the import token (Base-64 encoding) returned after calling the API
- Request example
{ "key_id": "43f1ffd7-18fb-4568-9575-602e009b7ee8", "wrapping_algorithm":"RSAES_PKCS1_V1_5" } - Response example:
{ "key_id": "43f1ffd7-18fb-4568-9575-602e009b7ee8", "public_key":"public key base64 encoded data", "import_token":"import token base64 encoded data", "expiration_time":1501578672 }
- Request example
- Save the wrapping key, and convert its format according to the following procedure. Only the key material that is encrypted using the converted wrapping key can be imported to the management console.
- Copy the content of the wrapping key public_key, save it to the .txt file as PublicKey.b64.
- Run the following command to convert the Base-64 coding of the PublicKey.b64 file to binary data, and save the converted file as PublicKey.bin:
openssl enc -d -base64 -A -in PublicKey.b64 -out PublicKey.bin
- Save the import token, copy the content of the import_token token, paste it to a .txt file, and save the file as ImportToken.b64.
- You use the downloaded wrappingKey file to encrypt the key material to be imported.
- Method 1: Use the downloaded wrapping key to encrypt the key material on your HSM. For details, see the operation guide of your HSM.
- Method 2: Use OpenSSL to encrypt the key material.
NOTE:
If you need to run the openssl pkeyutl command, the OpenSSL version must be 1.0.2 or later.
The following example describes how to use the downloaded wrapping key to encrypt the generated key material (256-bit symmetric key). The procedure is as follows:- Run the following command to generate the key material (256-bit symmetric key) and save the generated key material as PlaintextKeyMaterial.bin:
openssl rand -out PlaintextKeyMaterial.bin 32
- Use the downloaded wrapping key to encrypt the key material and save the encrypted key material as EncryptedKeyMaterial.bin.
Replace PublicKey.bin in the command with the name of the wrapping key wrappingKey_key ID_download time downloaded in 8.
Table 2 Encrypting the generated key material using the downloaded wrapping key Wrapping Key Algorithm
Key Materials Encryption
RSAES_OAEP_SHA_256
openssl pkeyutl
-in PlaintextKeyMaterial.bin
-inkey PublicKey.bin
-out EncryptedKeyMaterial.bin
-keyform der
-pubin -encrypt
-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
RSAES_PKCS1_V1_5
openssl rsautl -encrypt
-in PlaintextKeyMaterial.bin
-pkcs
-inkey PublicKey.bin
-keyform der
-pubin
-out EncryptedKeyMaterial.bin
RSAES_OAEP_SHA_1
openssl pkeyutl
-in PlaintextKeyMaterial.bin
-inkey PublicKey.bin
-out EncryptedKeyMaterial.bin
-keyform der
-pubin -encrypt
-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1
- Run the following command to generate the key material (256-bit symmetric key) and save the generated key material as PlaintextKeyMaterial.bin:
- Click Next to go to the Import Key Material step. Configure the parameters as described in Table 3.
Table 3 Parameters for importing key material Parameter
Description
Key ID
Random ID of a CMK generated during the CMK creation
Key material
- Use the key material encrypted by the wrappingKey file downloaded in 8.
- Click Import to import the key material.
- Click Next to go to the Import Key Token step. Configure the parameters as described in Table 4.
Table 4 Parameters for importing a key token Parameter
Description
Key ID
Random ID of a CMK generated during the CMK creation
Token
Select the importToken downloaded in 8.
Key material expiration mode
- Key material will never expire: This option specifies that key material will not expire after import.
- Key material expires on: This option specifies the expiration time of the key material. By default, the key material expires in 24 hours after import.
When the key material expires, KMS will delete them in 24 hours, making the CMK unusable and the CMK status Pending import.
- Click OK.
NOTICE:
Key material can be successfully imported when it matches the corresponding CMK ID and token.
Your imported material is displayed in the list of CMKs. The default status of an imported CMK is Enabled.
Parent topic: Creating CMKs Using Imported Key Material
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
The system is busy. Please try again later.
For any further questions, feel free to contact us through the chatbot.
Chatbot
