Key Lifecycle Management
KMS provides key lifecycle management, including key creation, Bring Your Own Key (BYOK), enabling and disabling, alias setting, rotation policy setting, version setting, scheduled deletion, and cancellation of a scheduled deletion.
Key Algorithm
Supported symmetric key algorithm: AES_256.
Supported asymmetric key algorithm: RSA_2048.
Hardware Protection
By deploying FIPS-certified cryptographic hardware, KMS helps you meet regulatory compliance requirements.
This hardware protection mechanism gives keys a higher level of security, ensuring their integrity and availability.
Key Rotation
You can set up regular automatic rotation or manually create key versions to strengthen the security of keys.
For a symmetric key, you can configure a rotation policy so that a new version is generated automatically at the end of each rotation period.
For an asymmetric key, you create new key versions manually.
After a new primary version is generated, whether manually or through rotation, KMS neither deletes nor disables the earlier (non-primary) versions, so ciphertext encrypted under a non-primary version can still be decrypted.
Import Your Own Key
You can import your own key material. To do so, use the KMS console to create a CMK with empty key material and then import your key material into it.
Alias Management
Aliases are optional identifiers for a customer master key (CMK) and must be unique for a given user within a region. An alias can be bound to only one CMK in a region, but a CMK can have multiple aliases.
You can create and delete aliases on the console, or create, update, and delete aliases through the API.
Online Encryption
Online encryption, a symmetric key encryption method, is suitable for protecting small amounts of sensitive data (less than 6 KB), such as passwords, certificates, identity information, and backend configuration files. Through the online encryption API, KMS encrypts the sensitive data directly with the customer master key (CMK), so that the ciphertext rather than the plaintext is what gets stored, ensuring the security of the sensitive data.
Envelope Encryption
Envelope encryption, a symmetric key encryption technique, supports high-performance encryption and decryption of large volumes of data. Rather than using the CMK to encrypt and decrypt the data directly, it uses a data encryption key (DEK) and seals that DEK in an envelope (that is, encrypts it with the CMK) for storage, transmission and use; the randomness and security of the DEK are ensured by KMS.
This way, users do not need to upload large amounts of business data to the KMS server; data is encrypted and decrypted locally with the offline DEK, which avoids the security risks of transferring that data while preserving business encryption performance.
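The following Go program is an added example, not code from the eSurfing Cloud KMS product or its SDK. It stands in for the KMS service with an in-process simulation (simKMS and the functions around it are assumed names) and demonstrates the three behaviours described in the Key Rotation, Online Encryption and Envelope Encryption sections: the online Encrypt call, which rejects plaintext above the 6 KB limit; key rotation, where a version id embedded in the ciphertext lets data encrypted under an earlier, non-primary version still be decrypted; and envelope encryption, where only the DEK is wrapped by the CMK and the bulk data never leaves the client. The 4-byte version header and the AES-256-GCM construction are choices made for this example and do not describe the service's actual ciphertext format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

const onlineEncryptLimit = 6 * 1024 // online Encrypt plaintext limit (6 KB, from the page)

// simKMS is a hypothetical stand-in for the KMS service: versions[i] is CMK version i+1, the last is primary.
type simKMS struct{ versions []cipher.AEAD }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable CSPRNG: stop rather than continue with weak keys
	}
	return b
}

func aesGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // only 32-byte keys reach here (AES-256)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

func aeadSeal(aead cipher.AEAD, plaintext []byte) []byte {
	nonce := randBytes(aead.NonceSize()) // fresh random nonce, prefixed to the output
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// aeadOpen reverses aeadSeal; the GCM tag check rejects tampered ciphertext.
func aeadOpen(aead cipher.AEAD, blob []byte) ([]byte, error) {
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

func newSimKMS() *simKMS {
	k := &simKMS{}
	k.Rotate()
	return k
}

// Rotate creates a new primary version; earlier versions stay usable for decryption.
func (k *simKMS) Rotate() uint32 {
	k.versions = append(k.versions, aesGCM(randBytes(32)))
	return uint32(len(k.versions))
}

// Encrypt is the online-encryption call; output: 4-byte version id || nonce || GCM ciphertext.
func (k *simKMS) Encrypt(plaintext []byte) ([]byte, error) {
	if len(plaintext) > onlineEncryptLimit {
		return nil, errors.New("plaintext exceeds the online limit; use envelope encryption")
	}
	primary := uint32(len(k.versions))
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, primary)
	return append(hdr, aeadSeal(k.versions[primary-1], plaintext)...), nil
}

// Decrypt picks the CMK version recorded in the ciphertext, so pre-rotation data still decrypts.
func (k *simKMS) Decrypt(ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < 4 {
		return nil, errors.New("ciphertext too short")
	}
	v := binary.BigEndian.Uint32(ciphertext[:4])
	if v == 0 || int(v) > len(k.versions) {
		return nil, errors.New("unknown CMK version")
	}
	return aeadOpen(k.versions[v-1], ciphertext[4:])
}

// EnvelopeEncrypt: KMS generates and wraps the DEK (GenerateDataKey, simulated); bulk data is sealed locally.
func EnvelopeEncrypt(k *simKMS, data []byte) (wrappedDEK, sealed []byte, err error) {
	dek := randBytes(32)
	if wrappedDEK, err = k.Encrypt(dek); err != nil {
		return nil, nil, err
	}
	return wrappedDEK, aeadSeal(aesGCM(dek), data), nil
}

// EnvelopeDecrypt sends only the wrapped DEK to KMS, then decrypts locally.
func EnvelopeDecrypt(k *simKMS, wrappedDEK, sealed []byte) ([]byte, error) {
	dek, err := k.Decrypt(wrappedDEK)
	if err != nil {
		return nil, err
	}
	return aeadOpen(aesGCM(dek), sealed)
}
```

The point to notice is what crosses the service boundary: Encrypt and Decrypt see the full payload (hence the size limit), whereas EnvelopeEncrypt and EnvelopeDecrypt send only a 32-byte DEK to the service and keep the bulk data local. Because the wrapped DEK records the CMK version that wrapped it, a rotation after the data was written does not stop it from being opened.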
Signature Verification
A digital signature is a typical application of an asymmetric encryption algorithm. You can create an asymmetric CMK in KMS, which consists of an associated public key and private key. The public key can be distributed to anyone, while the private key is protected by KMS; no API is available for exporting the private key of an asymmetric key. You can only perform signature operations by invoking the private key through the API.
The following operations describe a typical signature verification scenario:
A signer sends a public key to a receiver.
The signer uses the private key that matches the public key to sign data.
The signer sends the data and signature to the message receiver.
After the data and signature are received, the receiver uses the public key to verify the signature.
Asymmetric Data Encryption and Decryption
The communication process for asymmetric key encryption is similar to that of symmetric encryption, except that it uses a public key for data encryption and a private key for data decryption. KMS does not support exporting user private keys, so you can only decrypt data by invoking the private key through the API.
The following operations describe a typical scenario:
An information receiver distributes a public key to a transmitter.
The transmitter uses the public key to encrypt sensitive information.
The transmitter sends the ciphertext generated from the sensitive information to the information receiver.
The information receiver uses the private key to decrypt the ciphertext.
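The following Go program is an added example, not code from the KMS product; asymmetricCMK and the functions around it are assumed names. It walks through both the Signature Verification and the Asymmetric Data Encryption and Decryption scenarios above with an RSA_2048 key that stays inside the simulated service: the signer calls Sign through the service and the receiver verifies with nothing but the distributed public key; the transmitter encrypts with the receiver's public key and the receiver decrypts through the service's Decrypt call. It also shows a limit the page does not state: RSA-OAEP with SHA-256 can carry at most 190 bytes per operation for a 2048-bit key, so asymmetric encryption suits small secrets and larger payloads belong in an envelope. The choice of RSA-PSS and OAEP with SHA-256 is the example's own; the service's padding schemes are not given on the page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// asymmetricCMK is a hypothetical in-process stand-in for an RSA_2048 CMK in
// KMS: the private key lives only inside this struct and is never exported;
// callers get the public key plus the Sign and Decrypt operations.
type asymmetricCMK struct{ priv *rsa.PrivateKey }

func newAsymmetricCMK() (*asymmetricCMK, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &asymmetricCMK{priv: priv}, nil
}

// PublicKey is the only key material that leaves the service.
func (c *asymmetricCMK) PublicKey() *rsa.PublicKey { return &c.priv.PublicKey }

// Sign (signer side, via the API): SHA-256 digest, RSA-PSS signature.
func (c *asymmetricCMK) Sign(message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPSS(rand.Reader, c.priv, crypto.SHA256, digest[:], nil)
}

// Verify (receiver side): needs only the distributed public key, no KMS call.
func Verify(pub *rsa.PublicKey, message, signature []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], signature, nil) == nil
}

// maxOAEPPlaintext is the largest message RSA-OAEP with SHA-256 can carry for
// a given modulus: k - 2*hLen - 2 bytes, which is 190 bytes for RSA_2048.
func maxOAEPPlaintext(pub *rsa.PublicKey) int {
	return pub.Size() - 2*sha256.Size - 2
}

// EncryptForReceiver (transmitter side): RSA-OAEP under the receiver's public key.
// Asymmetric encryption is for small secrets; larger payloads belong in an envelope.
func EncryptForReceiver(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	if len(plaintext) > maxOAEPPlaintext(pub) {
		return nil, errors.New("plaintext too long for RSA-OAEP; use envelope encryption")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// Decrypt (receiver side, via the API): the private key is used but never returned.
func (c *asymmetricCMK) Decrypt(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, c.priv, ciphertext, nil)
}
```

Verify takes no reference to the service at all, which is the property the scenario relies on: any party holding the public key can check a signature, while producing one requires a call into KMS. Decrypt is the mirror image, a service call that the transmitter never needs to make.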
Cloud Product Server-side Encryption
KMS works with eSurfing Cloud products and provides server-side encryption for data in EVS and ZOS to ensure data security on the cloud. You only need to enable the KMS encryption option with one click in the console; the encryption and decryption process is then transparent and imperceptible to the application.