Key Management Service
Getting Started

Last updated: 2024-01-11 16:28:54
Key Management Service (KMS) provides the capabilities for secure and compliant full-lifecycle key management, data encryption, and data decryption.
The core key components involved in KMS include customer master key (CMK) and data encryption key (DEK). A CMK is a first-level key used to encrypt and decrypt sensitive data and generate DEKs. A DEK is a second-level key used in the envelope encryption process. It is protected by a CMK, and used to encrypt business data.
For scenarios where CMKs and DEKs are used for business data encryption and decryption, please see Sensitive Data Encryption and Envelope Encryption Best Practice.

Key Overview

Customer master key (CMK)

A CMK is the core resource in KMS. It is protected by a third-party certified hardware security module (HSM) and serves as the first-level key for encryption and decryption; KMS is primarily a management service for CMKs.
A CMK is a logical representation of a master key and contains metadata such as the key ID, creation date, description, and key status. You can generate a CMK either with the automatic CMK generation feature in KMS or by importing your own key material.
There are two types of CMKs: Customer Managed CMKs and Tencent Cloud Managed CMKs.
A Customer Managed CMK is a CMK that you create in the console or through the APIs. You can create, enable, disable, and rotate these keys and manage their permissions.
A Tencent Cloud Managed CMK is a CMK that is created automatically for you when a Tencent Cloud product or service (such as CBS, COS, or TDSQL) calls KMS. You can query and rotate Tencent Cloud Managed CMKs, but you cannot disable them or schedule them for deletion.

Data encryption key (DEK)

A DEK is a second-level key generated from a CMK and used to encrypt and decrypt local data. KMS lets you use your CMKs to generate DEKs, but KMS does not store, manage, or track DEKs, nor does it use them to perform encryption operations. You must use and manage your DEKs outside of KMS.
DEKs are generally used in envelope encryption to encrypt local business data. They are protected by CMKs and are customizable. DEKs are created through the GenerateDataKey API.
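The CMK/DEK relationship described above is easiest to see end to end. The following Go program is an added example, not code from the Tencent Cloud documentation or SDK: a local stand-in named fakeKMS plays the role of the service (it holds the CMK and never releases it, exposing GenerateDataKey and Decrypt), while the client side does envelope encryption with the DEK and stores only the ciphertext and the wrapped DEK. All key IDs and data here are constructed placeholders; in a real deployment the fakeKMS calls would be replaced by calls to the KMS API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// fakeKMS is a local stand-in for the KMS service (assumption: not the real
// SDK). It keeps CMK material in memory and never hands it to callers, which
// is the property a real HSM-backed CMK gives you.
type fakeKMS struct {
	cmk map[string][]byte // key ID -> 256-bit master key material
}

func newFakeKMS() *fakeKMS { return &fakeKMS{cmk: map[string][]byte{}} }

// CreateKey mimics creating a CMK under a caller-supplied placeholder ID.
func (k *fakeKMS) CreateKey(keyID string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	k.cmk[keyID] = key
	return nil
}

// seal encrypts with AES-256-GCM and prefixes the random nonce to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; any tampering with nonce, ciphertext or AAD fails.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// GenerateDataKey returns a fresh plaintext DEK plus the same DEK wrapped
// under the CMK. The key ID is bound as AAD so a wrapped DEK cannot be
// replayed against a different CMK.
func (k *fakeKMS) GenerateDataKey(keyID string) (plain, wrapped []byte, err error) {
	cmk, ok := k.cmk[keyID]
	if !ok {
		return nil, nil, errors.New("unknown key id")
	}
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(cmk, plain, []byte(keyID))
	return plain, wrapped, err
}

// Decrypt unwraps a DEK. Note that KMS only ever sees the wrapped DEK,
// never the business data.
func (k *fakeKMS) Decrypt(keyID string, wrapped []byte) ([]byte, error) {
	cmk, ok := k.cmk[keyID]
	if !ok {
		return nil, errors.New("unknown key id")
	}
	return unseal(cmk, wrapped, []byte(keyID))
}

// Envelope is what the application persists: ciphertext plus the wrapped DEK.
type Envelope struct {
	KeyID      string
	WrappedDEK []byte
	Ciphertext []byte
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// EnvelopeEncrypt encrypts data locally with a DEK and discards the plaintext
// DEK as soon as it has been used.
func EnvelopeEncrypt(k *fakeKMS, keyID string, data []byte) (*Envelope, error) {
	dek, wrapped, err := k.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	ct, err := seal(dek, data, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// EnvelopeDecrypt asks KMS to unwrap the DEK, then decrypts locally.
func EnvelopeDecrypt(k *fakeKMS, env *Envelope) ([]byte, error) {
	dek, err := k.Decrypt(env.KeyID, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	return unseal(dek, env.Ciphertext, nil)
}

func main() {
	kms := newFakeKMS()
	const keyID = "cmk-placeholder-id" // constructed, not a real key ID
	if err := kms.CreateKey(keyID); err != nil {
		panic(err)
	}
	env, err := EnvelopeEncrypt(kms, keyID, []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	pt, err := EnvelopeDecrypt(kms, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d ciphertext bytes + %d wrapped-DEK bytes; decrypted: %q\n",
		len(env.Ciphertext), len(env.WrappedDEK), pt)
}
```

The point to take from the layout is the trust boundary: the CMK never leaves the service, the plaintext DEK exists only transiently in the application, and the persisted record carries the wrapped DEK so the data can be recovered later only by a caller that is still authorized to use that CMK. Rotating or disabling the CMK therefore governs access to every envelope wrapped under it without re-encrypting the business data itself.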

Operation Overview

Operation                     Description
Creating Key                  Creates a key quickly in the console.
Viewing Key                   Views the ID and details of a key in the console.
Editing Key                   Edits the name, description, and other information of a key in the console.
Enabling/Disabling Key        Enables and disables a key in the console.
Key Rotation                  Enables key rotation in the console.
Encryption and Decryption     Uses keys to encrypt and decrypt data in the console.
Deleting Key                  Deletes a key quickly in the console.
Access Control                Sets KMS permissions for a sub-account.

