Creating a CMK

This section describes how to create a CMK on the KMS console.

Constraints

  • You can create up to 100 CMKs, excluding default master keys.

  • Aliases of default master keys end with /default. Therefore, do not give your own CMKs an alias ending with /default.

  • KMS does not limit the number of times that a CMK can be called.

Scenarios

  • Encrypt data in OBS

  • Encrypt data in EVS

  • Encrypt data in IMS

  • Encrypt an RDS DB instance

  • Direct encryption and decryption of small volumes of data

  • DEK encryption and decryption for user applications

Creating a CMK

  1. Log in to the management console.

  2. Click the region icon in the upper left corner of the management console and select a region or project.

  3. Click the service list icon and choose Security > Key Management Service. The Key Management Service page is displayed.

  4. Click Create Key in the upper right corner.

  5. Configure parameters in the Create Key dialog box.

    • Alias is the alias of the CMK to be created.

      Note

      • You can enter digits, letters, underscores (_), hyphens (-), colons (:), and slashes (/).

      • You can enter up to 255 characters.

    • Key Algorithm: Select a key algorithm. For more information, see Table 1.

      Table 1 Key algorithms supported by KMS

      Key Type       | Algorithm Type | Key Specifications           | Description                        | Usage
      Symmetric key  | AES            | AES_256                      | AES symmetric key                  | Encrypts and decrypts a small amount of data or data keys.
      Asymmetric key | RSA            | RSA_2048, RSA_3072, RSA_4096 | RSA asymmetric key                 | Encrypts and decrypts a small amount of data or creates digital signatures.
      Asymmetric key | ECC            | EC_P256, EC_P384             | Elliptic curve recommended by NIST | Digital signature

    • Usage: Select SIGN_VERIFY or ENCRYPT_DECRYPT.

      • For a symmetric key, the default value is ENCRYPT_DECRYPT.

      • For RSA asymmetric keys, select ENCRYPT_DECRYPT or SIGN_VERIFY. The default value is SIGN_VERIFY.

      • For an ECC asymmetric key, the default value is SIGN_VERIFY.

      Note

      The key usage can only be configured during key creation and cannot be modified afterwards.

    • (Optional) Description is the description of the CMK.

      Note

      You can enter up to 255 characters.

  6. (Optional) Add tags to the CMK as needed, and enter the tag key and tag value.

    Note

    • If a CMK was created without tags, you can add tags later as needed: click the alias of the CMK, click the Tags tab, and click Add Tag.

    • The same tag (including tag key and tag value) can be used for different CMKs. However, under the same CMK, one tag key can have only one tag value.

    • A maximum of 20 tags can be added for one CMK.

    • When adding multiple tags, you can remove a tag from the list before saving by clicking Delete in the row of that tag.

  7. Click OK. A message is displayed in the upper right corner of the page, indicating that the key is created successfully.

    In the CMK list, you can view created CMKs. The default status of a CMK is Enabled.
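The constraints and Table 1 above can be checked before a key is requested, which matters because Usage cannot be changed after creation. The following pre-flight check is an added example, not KMS's own validation code; it assumes "letters" in the alias rule means ASCII letters and represents tags as (key, value) pairs.

```python
import re

# Constructed pre-flight check for CMK creation parameters, encoding the alias,
# key-spec/usage and tag rules stated on this page. It is an added example,
# not KMS's own validation; "letters" is assumed to mean ASCII letters.
ALIAS_RE = re.compile(r"[A-Za-z0-9_\-:/]{1,255}")
MAX_DESCRIPTION = 255
MAX_TAGS = 20

# Key specification -> (allowed usages, default usage), from Table 1 and the
# Usage notes of step 5.
KEY_SPECS = {
    "AES_256": ({"ENCRYPT_DECRYPT"}, "ENCRYPT_DECRYPT"),
    "RSA_2048": ({"ENCRYPT_DECRYPT", "SIGN_VERIFY"}, "SIGN_VERIFY"),
    "RSA_3072": ({"ENCRYPT_DECRYPT", "SIGN_VERIFY"}, "SIGN_VERIFY"),
    "RSA_4096": ({"ENCRYPT_DECRYPT", "SIGN_VERIFY"}, "SIGN_VERIFY"),
    "EC_P256": ({"SIGN_VERIFY"}, "SIGN_VERIFY"),
    "EC_P384": ({"SIGN_VERIFY"}, "SIGN_VERIFY"),
}


def validate_create_key(alias, key_spec, usage=None, description="", tags=()):
    """Return (normalised parameters, rule violations); tags is an iterable of
    (key, value) pairs. Usage is filled with the documented default if omitted."""
    errors = []
    if not ALIAS_RE.fullmatch(alias):
        errors.append("alias: 1-255 chars of digits, letters, _ - : / only")
    if alias.endswith("/default"):
        errors.append("alias: suffix /default is reserved for default master keys")
    allowed, default = KEY_SPECS.get(key_spec, (set(), None))
    if default is None:
        errors.append(f"key_spec: {key_spec!r} is not a supported specification")
    if usage is None:
        usage = default  # usage is fixed at creation, so choose it deliberately
    elif usage not in allowed:
        errors.append(f"usage: {usage} is not allowed for {key_spec}")
    if len(description) > MAX_DESCRIPTION:
        errors.append(f"description: longer than {MAX_DESCRIPTION} characters")
    tags = list(tags)
    if len(tags) > MAX_TAGS:
        errors.append(f"tags: more than {MAX_TAGS} tags on one CMK")
    keys = [k for k, _ in tags]
    if len(keys) != len(set(keys)):
        errors.append("tags: a tag key may carry only one value on the same CMK")
    params = {"alias": alias, "key_spec": key_spec, "usage": usage,
              "description": description, "tags": dict(tags)}
    return params, errors
```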