Key Management Service (KMS) provides the capabilities for secure and compliant full-lifecycle key management, data encryption, and data decryption.
The core key components involved in KMS include customer master key (CMK) and data encryption key (DEK). A CMK is a first-level key used to encrypt and decrypt sensitive data and generate DEKs. A DEK is a second-level key used in the envelope encryption process. It is protected by a CMK, and used to encrypt business data.
A CMK, as a core resource in KMS, is protected by a third-party certified hardware security module (HSM) and used as a first-level key for encryption and decryption. KMS is mainly a management service for CMKs.
A CMK is a logical representation of a master key, and it contains metadata such as key ID, creation date, description, and key status. Generally, you can use the automatic CMK generation feature in KMS or import your own key to generate a CMK.
There are two types of CMKs: Customer Managed CMK and Tencent Cloud Managed CMK.
A DEK is a second-level key generated based on a CMK, used for encrypting and decrypting local data.
KMS allows you to use your CMKs to generate DEKs, but KMS will not store, manage, or track them or use them to perform encryption operations. You have to use and manage your DEKs outside of KMS.
Generally, DEKs are used in envelop encryption to encrypt local business data. They are protected by CMKs and customizable. DEKs can be created through the GenerateDataKey API.
|Creating key||Creates a key quickly in the console.|
|Viewing key||Views the ID and details of a key in the console.|
|Editing key||Edits the name, description, and other information of a key in the console.|
|Enabling and disabling key||Enables and disables a key in the console.|
|Rotating key||Enables key rotation in the console.|
|Encryption and decryption||Uses keys to encrypt and decrypt data in the console.|
|Deleting key||Deletes a key quickly in the console.|
|Access control||Sets KMS permissions for a sub-account.|