Key Management Service

Management

2025-01-08 02:27:17

Can I Export the CMK?

No. To protect the CMK, it can only be created inside KMS and used to encrypt data by calling the API; the CMK itself cannot be exported.

If you choose eSurfing Cloud as the key material source when creating a key, KMS generates the key material for the CMK automatically. That key material cannot be deleted separately or exported; it is deleted only together with the CMK.

If you choose External as the key material source when creating a key, you can delete the key material manually.

Which Cloud Services Support the KMS to Encrypt Data?

KMS is seamlessly integrated with EVS, ZOS, elastic file and database products to provide server-side encryption. To enable disk encryption with one click, you only need to select Encryption when creating an EVS disk; the encryption process is transparent to users.

Underneath, these cloud products encrypt their data using envelope encryption.

What Is the Difference Between a User-Built CMK and a Default CMK?

CMK: the user master key created by the user on the console or through the API. You can create and set aliases, upload your own key material, enable, disable, rotate or delete user keys, manage key versions, and so on. CMKs are charged at standard rates.

Default CMK: generated automatically by the system the first time a user invokes KMS to encrypt data through a cloud service. Its alias is named after the cloud product, for example alias/ecs. You cannot disable, delete or rotate it, or upload your own key material. Key management for the default CMK is free; the API calls are charged together with the CMK.

Can User Data Be Decrypted If CMK Is Disabled/Deleted?

No. A disabled key cannot be used for encryption or decryption. To continue using the key to decrypt data, you need to enable it again.

If a CMK is deleted completely, KMS no longer retains any data of the CMK, and data encrypted with that CMK can no longer be decrypted.

KMS therefore does not support immediate deletion, only scheduled deletion: the key is not deleted until the scheduled deletion period has elapsed, and you can cancel the scheduled deletion on the KMS page before then.

If the CMK was created by importing key material and only the key material is deleted, you can import the locally backed-up key material into the original key again to recover the user data. If the key material was not backed up locally, the user data cannot be recovered.
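The envelope encryption mentioned under the EVS question and the disable/delete behaviour described here, as an added example that is not eSurfing Cloud's own code or SDK: a CMK simulated in Go that never releases its key bytes, a per-object data key wrapped under it, and a refusal to wrap or unwrap while the CMK is disabled. The type and function names, the AES-256-GCM choice and the constructed sample data are assumptions of this example, not the service's API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// CMK stands in for a key held inside KMS: its bytes never leave this struct;
// callers only get the wrap/unwrap operations below, as with the KMS API.
type CMK struct {
	key     [32]byte // AES-256 material generated inside "KMS", never exported
	Enabled bool
}
func NewCMK() *CMK { c := &CMK{Enabled: true}; rand.Read(c.key[:]); return c }
// AES-256-GCM helpers; seal prefixes the random nonce to the ciphertext.
func seal(key, plain []byte) []byte {
	block, _ := aes.NewCipher(key) // key length is always 32 here
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plain, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if ns := g.NonceSize(); len(sealed) >= ns {
		return g.Open(nil, sealed[:ns], sealed[ns:], nil)
	}
	return nil, errors.New("ciphertext too short")
}
// EncryptEnvelope: a fresh data key seals the data locally; only that key,
// wrapped under the CMK (the KMS GenerateDataKey call), is stored beside it.
func EncryptEnvelope(c *CMK, data []byte) (wrappedKey, ct []byte, err error) {
	if !c.Enabled { return nil, nil, errors.New("CMK is disabled") }
	dk := make([]byte, 32)
	rand.Read(dk)
	return seal(c.key[:], dk), seal(dk, data), nil
}
// DecryptEnvelope has KMS unwrap the data key (the Decrypt call) and opens the
// data locally; a disabled or deleted CMK leaves the data unreadable.
func DecryptEnvelope(c *CMK, wrappedKey, ct []byte) ([]byte, error) {
	if !c.Enabled { return nil, errors.New("CMK is disabled") }
	dk, err := open(c.key[:], wrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dk, ct)
}
```

Because the ciphertext stays intact while the CMK is disabled, re-enabling the CMK makes the data readable again; a CMK whose bytes are gone (or a different CMK) can never unwrap the stored data key.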
