Creating a CMK
This section describes how to create a CMK on the KMS console.
Constraints
You can create up to 100 CMKs, excluding default master keys.
Aliases of default master keys end with /default. Therefore, in choosing aliases for your CMKs, do not use aliases ending with /default.
KMS does not limit the number of times that a CMK can be called.
Scenarios
Encrypt data in OBS
Encrypt data in EVS
Encrypt data in IMS
Encrypt an RDS DB instance
Direct encryption and decryption of small volumes of data
DEK encryption and decryption for user applications
Creating a CMK
Log in to the management console.
Click in the upper left corner of the management console and select a region or project.
Click . Choose Security > Key Management Service. The Key Management Service page is displayed.
Click Create Key in the upper right corner.
Configure parameters in the Create Key dialog box.
Alias is the alias of the CMK to be created.
Note
You can enter digits, letters, underscores (_), hyphens (-), colons (:), and slashes (/).
You can enter up to 255 characters.
Key Algorithm: Select a key algorithm. For more information, see Table 1.
Table 1

| Key Type | Algorithm Type | Key Specifications | Description | Usage |
|---|---|---|---|---|
| Symmetric key | AES | AES_256 | AES symmetric key | Encrypts and decrypts a small amount of data or data keys. |
| Asymmetric key | RSA | RSA_2048, RSA_3072, RSA_4096 | RSA asymmetric key | Encrypts and decrypts a small amount of data or creates digital signatures. |
| Asymmetric key | ECC | EC_P256, EC_P384 | Elliptic curve recommended by NIST | Digital signature |
Usage: Select SIGN_VERIFY or ENCRYPT_DECRYPT.
For a symmetric key, the default value is ENCRYPT_DECRYPT.
For RSA asymmetric keys, select ENCRYPT_DECRYPT or SIGN_VERIFY. The default value is SIGN_VERIFY.
For an ECC asymmetric key, the default value is SIGN_VERIFY.
Note
The key usage can only be configured during key creation and cannot be modified afterwards.
(Optional) Description is the description of the CMK.
Note
You can enter up to 255 characters.
(Optional) Add tags to the CMK as needed, and enter the tag key and tag value.
Note
When a CMK has been created without any tag, you can add a tag to the CMK later as necessary. Click the alias of the CMK, click the Tags tab, and click Add Tag.
The same tag (including tag key and tag value) can be used for different CMKs. However, under the same CMK, one tag key can have only one tag value.
A maximum of 20 tags can be added for one CMK.
To remove a tag from the tag list while adding multiple tags, click Delete in the row of the tag you want to remove.
Click OK. A message is displayed in the upper right corner of the page, indicating that the key is created successfully.
In the CMK list, you can view created CMKs. The default status of a CMK is Enabled.
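The limits above (alias characters and length, the /default suffix, the key specification and usage pairing, tag limits, the 100-CMK quota) can be checked before a key is created, which matters because key usage cannot be modified afterwards. The following is an added example, not part of the original documentation or of any KMS API: the function and field names are hypothetical, and treating the Usage column of Table 1 as the allowed set for each key specification, and requiring a non-empty alias, are assumptions.

```python
import re

# Alias rule from the page: digits, letters, _ - : / and at most 255 chars.
# Requiring at least one character is an assumption of this example.
ALIAS_RE = re.compile(r"[A-Za-z0-9_\-:/]{1,255}")

# key spec -> (allowed usages, default usage). Defaults come from the Usage
# step; the allowed sets are read from Table 1 (an assumption, see lead-in).
_BOTH = {"ENCRYPT_DECRYPT", "SIGN_VERIFY"}
SPECS = {"AES_256": ({"ENCRYPT_DECRYPT"}, "ENCRYPT_DECRYPT")}
SPECS.update({s: (_BOTH, "SIGN_VERIFY") for s in ("RSA_2048", "RSA_3072", "RSA_4096")})
SPECS.update({s: ({"SIGN_VERIFY"}, "SIGN_VERIFY") for s in ("EC_P256", "EC_P384")})

# Constructed sample request, not taken from a real account.
SAMPLE = {"alias": "payments/signing:v1", "key_spec": "RSA_3072",
          "tags": [("env", "prod")]}

def check_key_request(req, existing_cmk_count=0):
    """Return (request with usage default applied, list of rule violations).

    existing_cmk_count is the number of CMKs already created,
    excluding default master keys.
    """
    errors = []
    alias = req.get("alias", "")
    if not ALIAS_RE.fullmatch(alias):
        errors.append("alias: use 1-255 digits, letters, _ - : /")
    if alias.endswith("/default"):
        errors.append("alias: must not end with /default")
    spec, usage = req.get("key_spec", ""), req.get("usage")
    if spec not in SPECS:
        errors.append(f"key_spec: {spec!r} is not listed in Table 1")
    else:
        allowed, default = SPECS[spec]
        usage = usage or default  # apply the documented default
        if usage not in allowed:
            errors.append(f"usage: {usage} does not fit {spec}; "
                          "usage cannot be modified after creation")
    if len(req.get("description", "")) > 255:
        errors.append("description: more than 255 characters")
    tags = req.get("tags", [])  # list of (tag key, tag value) pairs
    if len(tags) > 20:
        errors.append("tags: more than 20 tags on one CMK")
    keys = [k for k, _ in tags]
    if len(keys) != len(set(keys)):
        errors.append("tags: one tag key can have only one value per CMK")
    if existing_cmk_count >= 100:
        errors.append("quota: 100 CMKs already exist")
    return dict(req, usage=usage), errors
```
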