Public Cloud – Flexible Engine
Key Management Service – Easily encode your data which is hosted on the cloud
Provides key management, integrates with Object Storage Service or Elastic Volume Service
Key Management Service (KMS) provides key management, integrates with Object Storage Service (OBS) or Elastic Volume Service (EVS) within the cloud platform, and uses an internationally standard password algorithm to protect tenant data through encryption. In doing so, illegal access is prevented and the security of the tenant’s data is ensured. Tenants can create, manage and use their own keys through the KMS console interface or the KMS REST API. KMS only manages the tenant’s master key (the data key is not included), including creating, querying, activating, deactivating, pre-deleting and undeleting. The data key is encrypted with the tenant’s master key.
When users use the encryption service on the cloud platform for the first time, the platform will automatically create a tenant’s default master key, different tenants have different default master keys. If users want to create extra master keys themselves, so that they can more precisely control the data encryption protection scope than with a single master key, they can access the key management console to perform management operations on customized keys. The operations include generation, enabling and disabling, reservation and deletion, and querying the status. When users use the encryption feature (encryption on the server is chosen when OBS is used to upload data) after they use the console to create a key, they can view and select the master key of the current data protected through encryption in the drop-down list of the key.
The cloud platform uses the Hardware Security Module (HSM) provided by third-party professional password device vendors as the roots of trust for KMS and the tenant’s data encryption system. The KMS system key is protected through HSM encryption. However, the security of the HSM’s internal key is protected depending on the HSM’s hardware protection mechanism.
Each service and the key management console of the cloud platform can use Hypertext Transfer Protocol Secure (HTTPS) to access key management APIs through the load balancer. The load balance node delivers requests of the key to each KM Server node. Key management APIs are provided as Representational State Transfer (REST) APIs by a set of KM Server. KM Server uses password service capabilities, such as the hardware true random number, encryption, decryption, and digital signature, provided by the third-party HSM to ensure the security of the whole process in which a key is generated, stored, and delivered. A tenant’s Key is stored on the Key Storage node after the key is encrypted. The root key used to rectify the encryption system is in the HSM and the root key’s physical security is ensured by dedicated hardware.
KMS provides the following functions:
- Web-based key management console
- Centralized key management
- Key access permission control for the unified identity authentication based on IAM
- Key security protection based on the standard algorithm and third-party HSM
- Key life cycle management operations, such as key creation, query, enabling, disabling, and deletion
- Support for invoking encryption and decryption through REST APIs
- Support role-based access control (RBAC), and the roles are managed by IAM
- Support customer master key grant
| Category | Funtion | Description |
| Basic functions | Creates a master key for a tenant using the key management console. | Tenants can log in to the key-management console and perform operations on the web interfaces to create master keys. |
| Lists and queries master-key information on the console. | A tenant’s master-key information can be queried on the console. | |
| Disables the tenant’s master key. | After tenants log in to the key management console, they can disable a specified master key (except of the default master key). After the key is disabled, it cannot be used to encrypt or decrypt any data. If you want to recover the data encryption and decryption capabilities of the master key, you can enable the master key on the console. | |
| Enables the tenant’s master key. | After tenants log in to the key management console, they can enable the disabled key. After they enable the key, its data encryption and decryption capabilities are recovered. | |
| Plans (makes a reservation) to delete a master key. | After tenants log in to the key management console, they can click the planned deletion button to delete a specified master key (except of the default master key). The key will be deleted in 7 to 3 years. The delay is determined by tenants. Before the key is deleted, the key is in the planned deletion state. In such a state, the key cannot be used for encryption or decryption and tenants can cancel the deletion plan. If the deletion plan is canceled, the keys status is set to ‘Disabled’. | |
| Cancels the plan to delete a master key. | After tenants log in to the key management console, they can click the button to cancel the planned deletion of the master key. If the deletion plan is canceled, the key becomes disabled status. | |
| The cloud service automatically creates a default master key for tenants. | This API is invoked by the cloud service components. Tenants cannot invoke this API. Tenants can query the default master key created by the cloud service and use this key to encrypt or decrypt data. However, they cannot use this key to change its status or delete it. | |
| Creates a data encryption key (DEK). | A DEK can be created for tenants and they can use this key to encrypt or decrypt data. | |
| Encrypts a DEK. | A master key of a tenant is used to encrypt a DEK. For example, if a tenant has more than one master key, the tenant can specify any of these keys. | |
| Decrypts a DEK. | The master key used for encryption is adopted to decrypt the DEK. | |
| Grant Feature(Only API based) | Create Grant | Adds a grant to a key to a specify user who can use the key and under what conditions (max number of grants per CMK is 100). |
| Revoke Grant | Revokes a grant. You can revoke a grant to actively deny operations that depend on the CMK. | |
| Retire Grant | Retires a grant. To clean up, you can retire a grant when you’re done using the CMK. You should revoke a grant when you intend to actively deny operations that depend on the CMK. | |
| List Grants | List the grants for a specified key. | |
| List of grants able to retire | A typical use is to list all grants that you are able to retire. To retire a grant, use Retire Grant. | |
| Bring your own key(BYOK) | Import Keys | Import keys located in private data centers into KMS and encrypt resources on the cloud. |
| Delete Key Material | Delete the key material when the tenant no longer needs it, the key cannot be used until the same key material has been reimported. |
The overall specifications of KMS are as follows:
- Maximum number of users: 30,000
- Maximum number of master keys supported by the system: 30 million. Calculation formula: Number of tenants x Maximum number of master keys for each tenant. It is estimated that each tenant has 100 master keys on average.
KMS has the following advantages
Fast and efficient resource classification
On the TMS console, users can perform Easy to use: Users do not need to worry about the installation and deployment of the HSM and KM Server. They do not even need to subscribe to the service. They can use this service through the encryption feature of the cloud platform if encryption and keys are required. Normally, users can use this service by selecting or entering encryption parameters on the service console or through APIs.
Low cost
Customers do not need to purchase a KM Server or encryption devices because KMS is used on demand and charged per use. Therefore, costs to purchase hardware decrease to a large extent.
Highly secure
Keys are stored and delivered using the international standard password algorithm, mode, and protocol. Two-way authentication and encryption channel negotiation between the cloud service node and KMS are achieved based on digital certificates, taking the HSM as the trust anchor. Keys are generated using the true random number of the HSM. The physical security of the root key is ensured by the HSM and control key access using Identity and Access Management (IAM).
KMS supports the following general-purpose scenarios:
Encryption for OBS on the Cloud
Encryption process: A user uses Object Storage Service (OBS) APIs to upload objects. If encryption is selected, OBS will represent the user to access KMS, assign a DEK for the object data that the user uploads, and use this DEK to encrypt the data uploaded by tenants. Then, OBS will store the DEK’s cipher text (DEK’) in the metadata of the encrypted object, which is encrypted by tenant’s Customer Master Key (CMK). The DEK’s encryption is done by KMS.
Note :
- Data is data’s plain text
- Data’ is data’s cipher text
- DEK is DEK’s plain text
- DEK’ is DEK’s cipher text
UDS Storage node Data’ (i.e. ciphertext of user data)
Decryption for OBS on the Cloud
Decryption process: A user uses OBS APIs to download encrypted objects. OBS reads the DEK’s cipher text from the metadata of the encrypted objects, invokes KMS to decrypt the DEK, uses the DEK to decrypt the plaintext of the object data, and sends the plaintext to the user.
Note :
- Data is data’s plain text
- Data’ is data’s cipher text
- DEK is DEK’s plain text
- DEK’ is DEK’s cipher text
UDS Storage node Data’ (i.e. cipher text of user data)
CMK grant
Online encrypted document sharing: The tenant A wants to share his encrypted document to the tenant B. If the tenant A is only sharing the document to the tenant B, he does not have the authorization of the key. The tenant B still cannot see the document. In this scenario, you need to do the grant of the key, and the tenant A can revoke the grant at any time.
How KMS supports online encrypted document sharing services to share its documents showing as below.
- The tenant A shares the encrypted document to the tenant B
- Tenant A grant the key to the tenant B
- Tenant B accesses the shared encrypted file
- Online encrypted document sharing service access KMS decrypted the document
- Tenant A revokes the key grant of tenant B.