This topic describes how to use managed HSMs to create and use customer master keys (CMKs).
Background information
You can use managed HSMs only in supported regions. For more information, see Supported regions.
Create a CMK in the Key Management Service (KMS) console
- Log on to the KMS console.
- In the top navigation bar, select the region in which you want to create a CMK.
- In the left-side navigation pane, click Keys.
- Click Create Key.
- In the Create Key dialog box, configure the KMS Instance, Key Spec, Purpose, Alias Name, Protection Level, Description, Rotation Period, and Key Material Source parameters.
Note
- We recommend that you set the Protection Level parameter to Hsm.
- For more information about the parameters, see Create a CMK.
- Click OK.
After the CMK is created, you can view the protection level of the CMK in the Protection Level column.
Create a CMK by using Alibaba Cloud CLI
- Call the CreateKey operation to create a CMK.
aliyun kms CreateKey --ProtectionLevel HSM --Description "Key1 in Managed HSM"
- Call the DescribeKey operation to query the protection level of the CMK.
aliyun kms DescribeKey --KeyId 1234abcd-12ab-34cd-56ef-12345678****
Expected output:
{
  "KeyMetadata": {
    "CreationDate": "2019-07-04T13:14:15Z",
    "Description": "Key1 in Managed HSM",
    "KeyId": "1234abcd-12ab-34cd-56ef-12345678****",
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT/DECRYPT",
    "DeleteDate": "",
    "Creator": "151266687691****",
    "Arn": "acs:kms:cn-hongkong:151266687691****:key/1234abcd-12ab-34cd-56ef-12345678****",
    "Origin": "Aliyun_KMS",
    "MaterialExpireTime": "",
    "ProtectionLevel": "HSM"
  },
  "RequestId": "8eaeaa8b-4491-4f1e-a51e-f95a4e54620c"
}
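As an added example that is not part of the original page, the following Python audit parses DescribeKey responses like the one above and flags any CMK that is not HSM-protected, is not enabled, or whose imported key material has expired (the MaterialExpireTime field that matters for external CMKs). The sample responses are constructed; the ProtectionLevel value SOFTWARE and the Origin value EXTERNAL are assumed alternatives that do not appear on this page.

```python
import json
from datetime import datetime, timezone

# Constructed DescribeKey responses modelled on the output above; key ids and
# dates are placeholders. "SOFTWARE" and "EXTERNAL" are assumed alternative values.
SAMPLE_RESPONSES = [
    '{"KeyMetadata": {"KeyId": "key-0001", "KeyState": "Enabled", "Origin": "Aliyun_KMS",'
    ' "MaterialExpireTime": "", "ProtectionLevel": "HSM"}, "RequestId": "req-1"}',
    # created without --ProtectionLevel HSM, so the key lives outside the managed HSM
    '{"KeyMetadata": {"KeyId": "key-0002", "KeyState": "Enabled", "Origin": "Aliyun_KMS",'
    ' "MaterialExpireTime": "", "ProtectionLevel": "SOFTWARE"}, "RequestId": "req-2"}',
    # external key whose imported material carries an expiry that has passed
    '{"KeyMetadata": {"KeyId": "key-0003", "KeyState": "Enabled", "Origin": "EXTERNAL",'
    ' "MaterialExpireTime": "2020-01-01T00:00:00Z", "ProtectionLevel": "HSM"}, "RequestId": "req-3"}',
    # disabled key: cryptographic calls against it fail regardless of protection level
    '{"KeyMetadata": {"KeyId": "key-0004", "KeyState": "Disabled", "Origin": "Aliyun_KMS",'
    ' "MaterialExpireTime": "", "ProtectionLevel": "HSM"}, "RequestId": "req-4"}',
]


def parse_key_metadata(response_text):
    """Extract the KeyMetadata object from a DescribeKey JSON response."""
    return json.loads(response_text)["KeyMetadata"]


def audit_cmk(meta, now):
    """Return findings for one CMK; an empty list means it is HSM-backed and usable."""
    findings = []
    level = meta.get("ProtectionLevel")
    if level != "HSM":
        findings.append("protection level is %s, not HSM" % level)
    if meta.get("KeyState") != "Enabled":
        findings.append("key state is %s" % meta.get("KeyState"))
    expire = meta.get("MaterialExpireTime") or ""  # empty for material that never expires
    if expire:
        expire_at = datetime.strptime(expire, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expire_at <= now:
            findings.append("imported key material expired at %s" % expire)
    return findings


def audit_all(responses, now=None):
    """Map each KeyId to its findings, checking material expiry against `now` (UTC)."""
    now = now or datetime.now(timezone.utc)
    return {m["KeyId"]: audit_cmk(m, now) for m in map(parse_key_metadata, responses)}


if __name__ == "__main__":
    for key_id, findings in audit_all(SAMPLE_RESPONSES).items():
        print(key_id, "OK" if not findings else "; ".join(findings))
```

In practice the responses would come from `aliyun kms DescribeKey` for each key returned by ListKeys; the audit logic is unchanged.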
Import an external CMK to a managed HSM
If you want to import an external CMK from user-managed key infrastructure to a managed HSM, you must set the Protection Level parameter to Hsm when you create the external CMK. For more information about how to create an external CMK, see Import key material in the KMS console.
When the import starts, KMS performs the following operations:
- When you call the GetParametersForImport operation, KMS generates a key pair in a managed HSM to import the external CMK based on the Hsm protection level and returns the public key of the key pair.
- When you call the ImportKeyMaterial operation, KMS imports the encrypted external key material to the managed HSM and then obtains the key material by using the key unwrapping mechanism of the managed HSM. The plaintext of the key material cannot be exported.
Manage and use CMKs
You can apply all the management and cryptographic features that are supported by KMS to the CMKs that are created in managed HSMs. The features allow you to perform the following operations:
- Enable and disable CMKs.
- Manage the lifecycle of CMKs.
- Manage the aliases of CMKs.
- Manage the tags of CMKs.
- Call cryptographic API operations.
Integration with other Alibaba Cloud services
CMKs in managed HSMs can be used to protect native data in other Alibaba Cloud services, such as Elastic Compute Service (ECS), ApsaraDB RDS, and Object Storage Service (OSS), by using the standard KMS API. The prerequisite is that the Alibaba Cloud services support server-side encryption (SSE) by using user-managed CMKs. To use the server-side encryption feature, you need only to configure a CMK that is created in a managed HSM for an Alibaba Cloud service.