Encrypting a Secret

Last updated: 2020-11-16 11:20:40

    This document describes how to activate Key Management Service (KMS) for Secrets Manager (SSM) and authorize SSM to use it. It also explains how SSM uses KMS keys to encrypt the secrets you store.

    Background

    Secret management is important for the operations security of an enterprise IT system. You can use SSM to host secrets of all types, including access keys, API keys, private keys, account passwords, and much more. SSM encrypts and protects secrets with keys hosted in Tencent Cloud KMS, so that secrets are protected on the server side. With SSM, you no longer need to build and maintain your own infrastructure for secret management.

    Note:

    When SSM uses KMS hosted keys for encryption, KMS fees might be incurred. For more information, please see Billing Overview.

    Directions

    Step 1: Activate KMS and authorize SSM

    • SSM relies on KMS to encrypt the sensitive secrets it stores. Therefore, activate KMS before using SSM.
    • For SSM to work, grant it a service role with permission to use KMS. You can authorize SSM in CAM.

    To activate KMS and authorize SSM, you can perform the following steps:

    1. Log in to the SSM console and click CAM in the instructions at the top of the page.
    2. On the Service Authorization page, click Grant.
    3. After service role authorization, click KMS in the instructions at the top of the page.
    4. On the KMS activation page, click Activate Now.

    Step 2: Select a key for secret encryption

    CMKs are the core resources of KMS and are protected by third-party-certified hardware security modules. A CMK carries metadata such as its key ID, creation date, description, and key status.
    When you create a secret in SSM, you can choose between two types of encryption key. Select the type that fits your needs.

    • After KMS is activated, KMS creates a Tencent Cloud-managed CMK for SSM by default. This default key cannot be deleted or disabled, and you can use it as the encryption key.
    • You can also go to the KMS console to create your own key and define its key policies and usage. You can either create keys in KMS or import external key material (BYOK). For more information, please see Creating Keys and Importing External Keys for KMS.
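    The following is an added illustration of the model described in Step 2, not code from Tencent Cloud SSM or KMS: a toy KMS that holds CMKs (a service-managed default key plus user-created keys) and a secret store that keeps only ciphertext. The key IDs, names, secret values and the HMAC-based cipher are all constructed for the example. It shows why the default key is protected from disabling: a secret encrypted under a user-created CMK becomes unreadable as soon as that CMK is disabled, while secrets under the default key stay readable.

```python
"""Toy model of a secrets manager that protects secrets with KMS-hosted keys.
Constructed example: names and key IDs are assumptions; the HMAC-based cipher
stands in for AES so the file runs with only the Python standard library."""
import hashlib
import hmac
import secrets


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a toy stand-in for AES-CTR
    blocks = (_mac(key, nonce + i.to_bytes(4, "big")) for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    # encrypt-then-MAC under keys derived from `key`; output is nonce || ct || tag
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_mac(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + _mac(_mac(key, b"mac"), nonce + ct)


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(_mac(key, b"mac"), nonce + ct)):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_mac(key, b"enc"), nonce, len(ct))))


class ToyKms:
    DEFAULT_KEY_ID = "default-ssm-managed-cmk"   # assumed ID, not a real one

    def __init__(self):
        self._keys = {}   # key_id -> CMK record: metadata plus material that never leaves KMS
        self.create_key("Default key for SSM", managed=True, key_id=self.DEFAULT_KEY_ID)

    def create_key(self, description, managed=False, key_id=None):
        key_id = key_id or "cmk-" + secrets.token_hex(6)
        self._keys[key_id] = {"description": description, "status": "Enabled",
                              "managed": managed, "material": secrets.token_bytes(32)}
        return key_id

    def disable_key(self, key_id):
        if self._keys[key_id]["managed"]:
            raise PermissionError("the service-managed default key cannot be disabled")
        self._keys[key_id]["status"] = "Disabled"

    def _enabled(self, key_id):
        k = self._keys[key_id]
        if k["status"] != "Enabled":
            raise PermissionError(f"{key_id} is {k['status']}")
        return k

    def generate_data_key(self, key_id):
        # returns (plaintext data key, the same key wrapped under the CMK)
        dk = secrets.token_bytes(32)
        return dk, key_id.encode() + b"|" + seal(self._enabled(key_id)["material"], dk)

    def decrypt(self, wrapped):
        key_id, blob = wrapped.split(b"|", 1)
        return unseal(self._enabled(key_id.decode())["material"], blob)


class SecretStore:
    def __init__(self, kms):
        self.kms, self._records = kms, {}

    def put_secret(self, name, value, kms_key_id=None):
        key_id = kms_key_id or self.kms.DEFAULT_KEY_ID
        dk, wrapped = self.kms.generate_data_key(key_id)
        self._records[name] = (key_id, wrapped, seal(dk, value.encode()))
        # `dk` is dropped here; only KMS can recover it from `wrapped`

    def get_secret(self, name):
        _, wrapped, ct = self._records[name]
        return unseal(self.kms.decrypt(wrapped), ct).decode()


def _attempt(fn):
    try:
        fn()
        return "ok"
    except PermissionError:
        return "denied"


def demo():
    kms = ToyKms()
    store = SecretStore(kms)
    store.put_secret("db/password", "constructed-db-password")          # default key
    custom = kms.create_key("Key for the payment service")
    store.put_secret("payment/api-key", "constructed-api-key", custom)   # own CMK
    out = {"db": store.get_secret("db/password"), "payment": store.get_secret("payment/api-key")}
    kms.disable_key(custom)                                              # allowed for a user-created CMK
    out["read_after_disable"] = _attempt(lambda: store.get_secret("payment/api-key"))
    out["default_disable"] = _attempt(lambda: kms.disable_key(kms.DEFAULT_KEY_ID))
    out["db_still_readable"] = store.get_secret("db/password")
    return out
```

    Running `demo()` returns the two stored secrets, then `"denied"` for reading the payment secret after its CMK is disabled, `"denied"` for the attempt to disable the default key, and the database password still readable under the default key. The store never persists a plaintext data key: each record holds the CMK ID, the wrapped data key and the ciphertext, which is why key status in KMS directly controls whether a secret can be read.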