Updated on 2024-03-27 GMT+08:00

Creating a Key

This section describes how to create a custom key on the KMS console.

Custom keys can be categorized into symmetric keys and asymmetric keys.

Prerequisites

The account has KMS CMKFullAccess or higher permissions.

Constraints

  • You can create up to 20 custom keys, excluding default keys.
  • Symmetric keys are created using the AES key. The AES-256 key can be used to encrypt and decrypt a small amount of data or data keys.
  • Asymmetric keys are created using RSA or ECC algorithms. RSA keys can be used for encryption, decryption, digital signature, and signature verification. ECC keys can be used only for digital signature and signature verification.
  • Aliases of default keys end with /default. When choosing aliases for your custom keys, do not use aliases ending with /default.
  • DEW does not limit the number of times that a key can be called.

Scenarios

  • Encrypt data in OBS
  • Encrypt data in EVS
  • Encrypt data in IMS
  • Encrypt an RDS DB instance
  • Use custom keys to directly encrypt and decrypt small volumes of data.
  • DEK encryption and decryption for user applications
  • Message authentication code generation and verification
  • Asymmetric keys can be used for digital signatures and signature verification.

Creating a Key

  1. Log in to the management console.
  2. Click . .
  3. Click Create Bucket in the upper right corner.
  4. Configure parameters in the Create Key dialog box.

    • Alias is the alias of the key to be created.
      • You can enter digits, letters, underscores (_), hyphens (-), colons (:), and slashes (/).
      • You can enter up to 255 characters.
    • Key Algorithm: Select a key algorithm. For more information, see Table 1.
      Table 1 Key algorithms supported by KMS

      Key Type

      Algorithm Type

      Key Specifications

      Description

      Usage

      Symmetric key

      AES

      • AES_256

      AES symmetric key

      Encrypts and decrypts a small amount of data or data keys.

      Asymmetric key

      RSA

      • RSA_2048
      • RSA_3072
      • RSA_4096

      RSA asymmetric password

      Encrypts and decrypts a small amount of data or creates digital signatures.

      ECC

      • EC_P256
      • EC_P384

      Elliptic curve recommended by NIST

      Digital signature

    • Usage: Select SIGN_VERIFY, ENCRYPT_DECRYPT, or GENERATE_VERIFY_MAC.
      • For an AES_256 symmetric key, the default value is ENCRYPT_DECRYPT.
      • For RSA asymmetric keys, select ENCRYPT_DECRYPT or SIGN_VERIFY. The default value is SIGN_VERIFY.
      • For an ECC asymmetric key, the default value is SIGN_VERIFY.

      The key usage can only be configured during key creation and cannot be modified afterwards.

    • (Optional) Description is the description of the custom key.

      You can enter up to 255 characters.

    • The Enterprise Project parameter needs to be set only for enterprise users.

      If you are an enterprise user and have created an enterprise project, select the required enterprise project from the drop-down list. The default project is default.

      If there are no Enterprise Management options displayed, you do not need to configure it.

  5. (Optional) Add tags to the custom key as needed, and enter the tag key and tag value.

    • After creating a CMK, you can click the alias of the CMK to go to the CMK details page and add a tag to the CMK.
    • The same tag (including tag key and tag value) can be used for different custom keys. However, under the same custom key, one tag key can have only one tag value.
    • A maximum of 20 tags can be added for one custom key.
    • To delete a tag, click Delete next to it.

  6. Click OK. A message is displayed in the upper right corner of the page, indicating that the key is created successfully.

    In the key list, you can view the created keys. The default status of a key is Enabled.

Related Operations

  • For details about how to upload objects with server-side encryption, see section "Uploading a File with Server-Side Encryption" in Object Storage Service User Guide.
  • For details about how to encrypt data on EVS disks, see section "Creating an EVS Disk" in Elastic Volume Service User Guide.
  • For details about how to encrypt private images, see section "Encrypting an Image" in Image Management Service User Guide.
  • For details about how to encrypt disks for a database instance in RDS, see section "Purchasing an Instance" in the Relational Database Service User Guide.
  • For details about how to create a DEK and a plaintext-free DEK, see sections "Creating a DEK" and "Creating a Plaintext-Free DEK" in Data Encryption Workshop API Reference.
  • For details about how to encrypt and decrypt a DEK for a user application, see sections "Encrypting a DEK" and "Decrypting a DEK" in Data Encryption Workshop API Conference.