Help Center/ Data Encryption Workshop/ User Guide (ME-Abu Dhabi Region)/ Service Overview/ Functions
Updated on 2025-12-02 GMT+08:00
View PDF
Share

Functions

KMS provides the following functions:

  • Manages custom keys.
    You can perform the following operations on custom keys on the KMS console or via APIs:
    • Creating, querying, enabling, disabling, scheduling the deletion of, and canceling the deletion of custom keys
    • Importing keys and deleting key material
    • Modifying the alias and description of a custom key
    • Using the online tool to encrypt and decrypt small-size data
    • Adding, searching for, editing, and deleting tags
  • Creates, encrypts, and decrypts DEKs.

    You can create, encrypt, and decrypt a DEK by calling KMS APIs. For details, see Data Encryption Workshop API Reference.

  • Generates hardware true random numbers.

    You can generate 512-bit hardware true random numbers using a KMS API. The 512-bit hardware true random numbers can be used as or serve as basis for keys and encryption parameters. For details, see Data Encryption Workshop (DEW) API Reference.

Key Algorithms Supported by KMS

Symmetric keys created on the KMS console use the AES-256 algorithm. Asymmetric keys created by KMS support the RSA and ECC algorithms.

Table 1 Key algorithms supported by KMS

Key Type

Algorithm Type

Key Specifications

Description

Application Scenario

Symmetric key

AES

AES_256

AES symmetric key
  • Data encryption and decryption
  • DEKs encryption and decryption
    NOTE:

    You can encrypt and decrypt a small amount of data using the online tool on the console.

    You need to call APIs to encrypt and decrypt a large amount of data.

Asymmetric key

RSA
  • RSA_2048
  • RSA_3072
  • RSA_4096

RSA asymmetric password
  • Digital signature and signature verification
  • Data encryption and decryption
    NOTE:

    Asymmetric keys are applicable to signature and signature verification scenarios. Asymmetric keys are not efficient enough for data encryption. Symmetric keys are suitable for encrypting and decrypting data.

ECC
  • EC_P256
  • EC_P384

Elliptic curve recommended by NIST

Digital signature and signature verification

Key wrapping algorithms describes the cryptographic key wrapping algorithms supported by imported keys.

Table 2 Key wrapping algorithms

Algorithm

Description

Configuration

RSAES_OAEP_SHA_256

RSA algorithm that uses OAEP and has the SHA-256 hash function

Select an algorithm based on your HSM functions.

If your HSM supports the RSAES_OAEP_SHA_256 algorithm, use RSAES_OAEP_SHA_256 to encrypt key materials.

NOTICE:

The RSAES_OAEP_SHA_1 algorithm is no longer secure. Exercise caution when performing this operation.

RSAES_OAEP_SHA_1

RSA algorithm that uses Optimal Asymmetric Encryption Padding (OAEP) and has the SHA-1 hash function
Parent topic: Service Overview