Functions

KMS is a secure, reliable, and easy-to-use cloud service that helps users create, manage, and protect keys in a centralized manner.

It uses Hardware Security Modules (HSMs) to protect keys. All CMKs are protected by root keys in HSMs to avoid key leakage. The HSM module meets the FIPS 140-2 Leave 3 security requirements.

It also controls access to keys and records all operations on keys with traceable logs. In addition, it provides use records of all keys, meeting your audit and regulatory compliance requirements.

Functions

On the KMS console, you can perform the following operations on CMKs:
- Creating, querying, enabling, disabling, scheduling the deletion of, and canceling the deletion of CMKs
- Modifying the alias and description of CMKs
- Using the online tool to encrypt and decrypt small volumes of data
- Adding, searching for, editing, and deleting tags
- Creating, canceling, and querying grants
You can use the API to perform the following operations:
- Creating, encrypting, or decrypting data encryption keys (DEKs)
- Retiring grants
- Signing or verifying the signature of messages or message digests
- Generating and verifying message authentication codes.
For details, see the Data Encryption Workshop API Reference.
Generate hardware true random number.
You can generate 512-bit random numbers using the KMS API. The 512-bit hardware true random numbers can be used as or serve as basis for key materials and encryption parameters. For details, see the Data Encryption Workshop API Reference.

Key Algorithms Supported by KMS

Symmetric keys created on the KMS console use the AES algorithm. Asymmetric keys created by KMS support the RSA and ECC algorithms.

**Table 1** Key algorithms supported by KMS
Key Type	Algorithm Type	Key Specifications	Description	Application Scenario
Symmetric key	AES	AES_256	AES symmetric key	Data encryption and decryption DEKs encryption and decryption NOTE: You can encrypt and decrypt a small amount of data using the online tools on the console. You need to call APIs to encrypt and decrypt a large amount of data.
Symmetric key	AES	HMAC_256 HMAC_384 HMAC_512	HMAC symmetric key	Generates and verifies a message authentication code
Asymmetric key	RSA	RSA_2048 RSA_3072 RSA_4096	RSA asymmetric password	Digital signature and signature verification Data encryption and decryption NOTE: Asymmetric keys are applicable to signature and signature verification scenarios. Asymmetric keys are not efficient enough for data encryption. Symmetric keys are suitable for encrypting and decrypting data.
Asymmetric key	ECC	EC_P256 EC_P384	Elliptic curve recommended by NIST	Digital signature and signature verification

Table 2 describes the key wrapping encryption and decryption algorithms supported by imported keys.

**Table 2** Key wrapping algorithms
Algorithm	Description	Configuration
RSAES_OAEP_SHA_256	RSA algorithm that uses OAEP and has the SHA-256 hash function	Select an algorithm based on your HSM functions. If the HSMs support the RSAES_OAEP_SHA_256 algorithm, use RSAES_OAEP_SHA_256 to encrypt key materials. NOTICE: The RSAES_OAEP_SHA_1 algorithm is no longer secure. Exercise caution when performing this operation.
RSAES_OAEP_SHA_1	RSA algorithm that uses Optimal Asymmetric Encryption Padding (OAEP) and has the SHA-1 hash function

Parent topic: KMS

Previous topic: KMS

Next topic: Product Advantages

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot