You can use MaxCompute with Key Management Service (KMS) to manage keys. This topic describes how to use the NEW_WRAPPED_KEYSET function to create a wrapped keyset.
Background information and prerequisites
You can use MaxCompute with KMS to manage keys. You can generate a wrapped keyset by encrypting a keyset with a KMS key. After you generate a wrapped keyset, you must manually record and store it for subsequent data encryption and decryption based on KMS keys. In the encryption or decryption process, all keys are automatically generated by the system. You cannot view the original key that is used for encryption and decryption, so data is encrypted and decrypted in a more secure manner. The NEW_WRAPPED_KEYSET function assumes a RAM role, identified by the Alibaba Cloud Resource Name (ARN) in role_arn, that allows MaxCompute to use the KMS customer master key (CMK) identified by kms_cmk_arn, and uses that CMK to create the wrapped keyset. The function can also grant other Alibaba Cloud accounts permission to use the wrapped keyset through role_chain.
Before you use the NEW_WRAPPED_KEYSET function, make sure that the following prerequisites are met:
KMS is activated and a KMS instance is created.
A KMS key is created and the key ARN specified by kms_cmk_arn is obtained.
A RAM role is created and MaxCompute is authorized to access KMS. The ARN of the RAM role is obtained. The role ARN is specified by role_arn.
Syntax
binary NEW_WRAPPED_KEYSET(string <kms_cmk_arn>, string <role_arn>, string <key_type> [, string <description> [, string <role_chain>]])
Parameters
kms_cmk_arn: required. This parameter specifies the ARN of the KMS CMK that is used to encrypt a keyset. The parameter value is in the format of 'acs:kms:<RegionId>:<UserId>:key/<CmkId>'. RegionId specifies the region ID, UserId specifies the user ID, and CmkId specifies the CMK ID. You can obtain the ARN from the Key Details page in the KMS console.
role_arn: required. This parameter specifies the ARN of the RAM role that has permissions on KMS. The role is assumed by MaxCompute. The parameter value is in the format of 'acs:ram:${<userAID>}:role/${<roleName>}'. userAID specifies the user ID, and roleName specifies the role name.
key_type: required. This parameter specifies the algorithm type of the key in the newly generated keyset. Valid values: AES-GCM-256, AES-SIV-CMAC-128, and AES-SIV-CMAC-256.
description: optional. This parameter provides a description of the key.
role_chain: optional. This parameter specifies the role chain for user authorization. The parameter value is a comma-separated list of role ARNs in the format of 'acs:ram:<userAID>:role/<roleName2>,acs:ram:<userBID>:role/<roleName3>,...'. You can use role chains to call wrapped keysets across Alibaba Cloud accounts.
Return value
A wrapped keyset of the BINARY type is returned. You can use the HEX function to convert the wrapped keyset of the BINARY type into a keyset of the STRING type based on your business requirements. For more information about the HEX function, see HEX.
Examples
Create a wrapped keyset.
select hex(NEW_WRAPPED_KEYSET('acs:kms:cn-hangzhou:1**************7:key/key-hzz****************1t','acs:ram::1**************7:role/kms', 'AES-GCM-256', 'hello'));
The following result is returned:
+-----------------------------------------+
| _c0                                     |
+-----------------------------------------+
| <hex-encoded wrapped keyset, not shown> |
+-----------------------------------------+
Create a wrapped keyset and allow other roles to call the wrapped keyset.
select hex(NEW_WRAPPED_KEYSET('acs:kms:cn-hangzhou:1**************7:key/key-hzz****************1t','acs:ram::1**************7:role/kms', 'AES-GCM-256', 'hello','acs:ram::1**************7:role/kms1'));
The following result is returned:
+-----------------------------------------+
| _c0                                     |
+-----------------------------------------+
| <hex-encoded wrapped keyset, not shown> |
+-----------------------------------------+
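The ARN formats above are easy to get wrong, and the HEX() output must be recorded exactly because the wrapped keyset cannot be regenerated. The following Python helper is an added example, not MaxCompute or Alibaba Cloud code: it validates each argument against the formats documented in the Parameters section, assembles the SELECT statement, and converts a recorded hex string back into the BINARY keyset. The character classes used for each ARN field, the acceptance of the empty region field that the page's own examples write as 'acs:ram::<uid>:role/...', and the restricted character set for description are assumptions made here, not rules from the documentation; the ARNs in the usage block are constructed sample values.

```python
"""Client-side checks for NEW_WRAPPED_KEYSET arguments.

Added example; not MaxCompute or Alibaba Cloud code. It validates the
argument formats documented for NEW_WRAPPED_KEYSET, assembles the SQL
statement, and converts the HEX() output back to bytes for storage.
Field character classes and the optional empty region field in RAM role
ARNs are assumptions made here, not statements from the documentation.
"""
import re
from typing import Optional

# Algorithm types accepted for key_type (documented values).
KEY_TYPES = frozenset({"AES-GCM-256", "AES-SIV-CMAC-128", "AES-SIV-CMAC-256"})

# Documented format: 'acs:kms:<RegionId>:<UserId>:key/<CmkId>'.
KMS_CMK_ARN_RE = re.compile(
    r"^acs:kms:(?P<region>[a-z0-9-]+):(?P<uid>\d+):key/(?P<cmk>[A-Za-z0-9-]+)$"
)

# Documented format: 'acs:ram:<userAID>:role/<roleName>'. The worked
# examples write an empty region field ('acs:ram::<uid>:role/...'),
# so one optional extra colon is accepted (assumption).
ROLE_ARN_RE = re.compile(r"^acs:ram::?(?P<uid>\d+):role/(?P<role>[A-Za-z0-9._-]+)$")

# The description is embedded in the SQL text as a string literal, so
# only a conservative character set is allowed instead of relying on
# quoting rules (defensive choice made in this example).
DESCRIPTION_RE = re.compile(r"^[A-Za-z0-9 _.,:-]{0,128}$")


def validate_kms_cmk_arn(arn: str) -> dict:
    """Return the region, account ID and CMK ID of a KMS CMK ARN, or raise."""
    m = KMS_CMK_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"kms_cmk_arn is not 'acs:kms:<RegionId>:<UserId>:key/<CmkId>': {arn!r}")
    return m.groupdict()


def validate_role_arn(arn: str) -> dict:
    """Return the account ID and role name of a RAM role ARN, or raise."""
    m = ROLE_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"role ARN is not 'acs:ram:<userAID>:role/<roleName>': {arn!r}")
    return m.groupdict()


def parse_role_chain(chain: str) -> list:
    """Split a comma-separated role_chain and validate each role ARN."""
    parts = [p.strip() for p in chain.split(",")]
    if any(p == "" for p in parts):
        raise ValueError(f"role_chain has an empty element: {chain!r}")
    return [validate_role_arn(p) for p in parts]


def build_new_wrapped_keyset_sql(
    kms_cmk_arn: str,
    role_arn: str,
    key_type: str,
    description: Optional[str] = None,
    role_chain: Optional[str] = None,
) -> str:
    """Validate every argument and return the SELECT statement to run."""
    validate_kms_cmk_arn(kms_cmk_arn)
    validate_role_arn(role_arn)
    if key_type not in KEY_TYPES:
        raise ValueError(f"key_type must be one of {sorted(KEY_TYPES)}: {key_type!r}")
    args = [kms_cmk_arn, role_arn, key_type]
    if role_chain is not None:
        # role_chain is the fifth positional argument, so description
        # cannot be skipped when a role chain is supplied.
        if description is None:
            raise ValueError("description is required when role_chain is given")
        parse_role_chain(role_chain)
    if description is not None:
        if not DESCRIPTION_RE.match(description):
            raise ValueError(f"description contains disallowed characters: {description!r}")
        args.append(description)
    if role_chain is not None:
        args.append(role_chain)
    # Every value has passed a whitelist above, so plain quoting is safe here.
    literals = ", ".join("'" + a + "'" for a in args)
    # HEX() turns the BINARY return value into a string that can be recorded.
    return f"select hex(NEW_WRAPPED_KEYSET({literals}));"


def hex_to_wrapped_keyset(hex_value: str) -> bytes:
    """Turn the recorded HEX() output back into the BINARY keyset bytes.

    Whitespace from copy-and-paste is dropped; anything that is not an
    even-length hex string is rejected rather than silently truncated.
    """
    cleaned = "".join(hex_value.split())
    if not cleaned or len(cleaned) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", cleaned):
        raise ValueError("wrapped keyset is not a valid hex string")
    return bytes.fromhex(cleaned)


if __name__ == "__main__":
    # Constructed sample values, not real ARNs.
    print(build_new_wrapped_keyset_sql(
        "acs:kms:cn-hangzhou:1234567890123456:key/key-hzzsample1t",
        "acs:ram::1234567890123456:role/kms",
        "AES-GCM-256",
        "hello",
        "acs:ram::1234567890123456:role/kms1",
    ))
```

The validation runs before anything reaches MaxCompute, so a mistyped CMK ID or a role chain with a trailing comma fails locally instead of as a query error, and a description that would need quoting is rejected rather than escaped.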
References
References | Description
Keyset-related encryption functions | Describes how to use keyset-related encryption functions.
NEW_KEYSET | Describes the NEW_KEYSET function. The function is used to create a keyset based on a specified algorithm type.
ADD_KEY_TO_KEYSET | Describes the ADD_KEY_TO_KEYSET function. The function is used to add a key to a keyset and configure the key as the master key.
KEYSET_TO_JSON | Describes the KEYSET_TO_JSON function. The function is used to convert a keyset of the BINARY type into a readable JSON string. After the conversion, you can view the details of the keyset.
KEYSET_FROM_JSON | Describes the KEYSET_FROM_JSON function. The function is used to convert a keyset of the JSON type into a keyset of the BINARY type.
ROTATE_KEYSET | Describes the ROTATE_KEYSET function. The function allows the system to automatically produce a new key and configure the new key as the master key.
ROTATE_WRAPPED_KEYSET | Describes the ROTATE_WRAPPED_KEYSET function. The function is used to decrypt an encrypted keyset, implement key rotation, and use a new key to encrypt data.
USE_WRAPPED_KEYSET | Describes the USE_WRAPPED_KEYSET function. The function is used to convert a wrapped keyset into a basic keyset that is used as a parameter in the encryption or decryption function. You can also use the USE_WRAPPED_KEYSET function to obtain information about a wrapped keyset and save the information for subsequent keyset maintenance.
ENHANCED_SYM_ENCRYPT | Describes the ENHANCED_SYM_ENCRYPT function. The function is used to encrypt data by using a specified keyset.
ENHANCED_SYM_DECRYPT | Describes the ENHANCED_SYM_DECRYPT function. The function is used to decrypt data by using a specified keyset.