When you create an asymmetric key that has an external key material origin, Key Management Service (KMS) does not generate key material. In this case, you must import your own key material. This topic describes how to import key material into an asymmetric key.
If your KMS instance of the hardware key management or software key management type does not allow you to import key material or an error is returned when you import key material, contact technical support.
Features
Keys are basic resources in KMS. A key consists of the key ID, metadata such as the key status, and key material. To create a key, you can use the key material that is generated by KMS or use external key material. If you use external key material to create a key, you must import the key material into the key. This feature is commonly known as the bring your own key (BYOK) feature.
The following table describes whether different types of keys support external key material. For more information about key types, see Key types and specifications.
: supports external key material.
: does not support external key material.
Key type | Import external key material into a symmetric key | Import external key material into an asymmetric key |
Default key |
|
|
Software-protected key | √ | √ |
Hardware-protected key | √ | × |
Usage notes
The first time you import key material into a key, the key is associated with the key material. You cannot import different key material into the key.
You can import the same key material into a key multiple times based on your business requirements.
If the key material of a key expires or is deleted, you can reimport the same key material for the key, This way, you can reuse the key. After you import key material, you cannot export the key material. We recommend that you store the key material in a secure location.
Prerequisites
A KMS instance is purchased and enabled. For more information, see Purchase and enable a KMS instance.
Import key material in the KMS console
Step 1: Create an asymmetric key
Before you import key material, create an asymmetric key that has an external key material origin.
Software-protected key
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
On the Keys tab, select a KMS instance of the software key management type from the Instance ID drop-down list and click Create Key.
In the Create Key panel, configure the parameters and click OK.
Parameter
Description
Key Type
The type of the key. Select Asymmetric Key.
Key Specifications
Asymmetric key specifications: RSA_2048, RSA_3072, EC_P256, and EC_P256K
Key Usage
The usage of the key. Valid values:
ENCRYPT/DECRYPT: encrypts or decrypts data.
SIGN/VERIFY: signs data or verifies a digital signature.
Key Alias
The alias of the key. The alias can contain letters, digits, underscores (_), hyphens (-), and forward slashes (/).
Tag
The tag that you want to add to the key. You can use tags to classify and manage keys. A tag consists of a key-value pair.
NoteA tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal sign (=), colons (:), at signs (@), and spaces.
A tag key cannot start with aliyun or acs:.
You can configure up to 20 key-value pairs for each key.
Description
The description of the key.
Advanced Settings
Policy Settings: For more information, see Overview.
Key Material Source: Select External (Import Key Material).
NoteIf you select External (Import Key Material), you must read and select I understand the implications of using the external key materials.
Hardware-protected key
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
On the Keys tab, select the ID of a KMS instance of the hardware key management type from the Instance ID drop-down list and click Create Key.
In the Create Key panel, configure the parameters and click OK.
Parameter
Description
Key Type
The type of the key. Select Asymmetric Key.
Key Specifications
Asymmetric key specifications: RSA_2048, RSA_3072, RSA_4096, EC_P256, and EC_P256K
Key Usage
The usage of the key. Valid values:
ENCRYPT/DECRYPT: encrypts or decrypts data.
SIGN/VERIFY: signs data or verifies a digital signature.
Key Alias
The alias of the key. The alias can contain letters, digits, underscores (_), hyphens (-), and forward slashes (/).
Tag
The tag that you want to add to the key. You can use tags to classify and manage keys. A tag consists of a key-value pair.
NoteA tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal sign (=), colons (:), at signs (@), and spaces.
A tag key cannot start with aliyun or acs:.
You can configure up to 20 key-value pairs for each key.
Description
The description of the key.
Advanced Settings
Policy Settings: For more information, see Overview.
Key Material Source: Select External (Import Key Material).
NoteIf you select External (Import Key Material), you must read and select I understand the implications of using the external key materials.
Step 2: Download a wrapping public key and an import token
To import key material into a key, you must obtain a wrapping public key and an import token. The wrapping public key is used to encrypt key material. The import token allows you to import key material.
Find the key into which you want to import key material and click Details in the Actions column. On the Key Material tab, click Obtain Parameters for Import.
In the Obtain Parameters to Import Key Material dialog box, configure Public Key Type and Encryption Algorithm and click Next.
Key type
Key specification
Wrapping public key type
Encryption algorithm
Software-protected key
RSA_2048
RSA_3072
EC_P256
EC_P256K
RSA_2048
RSAES_OAEP_SHA_256_AES_256_ECB_PKCS7_PAD
Hardware-protected key
RSA_2048
RSA_3072
RSA_4096
EC_P256
EC_P256K
RSA_2048
RSAES_OAEP_SHA_256_AES_256_ECB_PKCS7_PAD
RSAES_OAEP_SHA_256_AES_256_ECB_PKCS7_PAD: For more information about the encryption process, see Example: Use OpenSSL to generate key material for which the RSA_2048 algorithm is used.
Download a wrapping public key and an import token and store them in a secure location.
Public Key Format
If you select DER Format, the name of the public key file is in the publickey_******.bin format.
If you select PEM Format, the name of the public key file is in the publickey_******.pem format.
Import Token: The name of the import token file is in the token_******.txt format.
ImportantThe import token is valid for 24 hours and can be repeatedly used within the validity period. After 24 hours, you must download a new import token and a new public key.
You must use the wrapping public key together with the import token. You cannot mix a wrapping public key and an import token from different downloads.
Step 3: Use the wrapping public key to encrypt key material
You must generate and encrypt key material in your system environment. The following table describes the keys that are involved during the process.
Key | Purpose | Provider | Description |
Target asymmetric key (TAK) | The TAK that you want to import as key material. | Your system environment or tool such as an on-premises key management infrastructure (KMI) or a hardware security module (HSM). |
|
Import wrapping key (IWK) | The key that is used to import the TAK. | KMS. |
|
Ephemeral symmetric key (ESK) | The temporary key that is used to encrypt the private key of the TAK. | Your system environment or tool. After you export the TAK, you must immediately destroy the ESK. | N/A |
Create a private key for the TAK. The specification of the private key must be the same as the specification of the asymmetric key that you created. If you already have a private key for the TAK, skip this step.
NotePerform the following operations to make sure that the TAKpriv format meets the requirements: Encode a Rivest-Shamir-Adleman (RSA) private key based on RFC 3447 or an elliptic-curve cryptography (ECC) private key based on RFC 5915. Then, convert the RSA or ECC private key into the Public-Key Cryptography Standards (PKCS) #8 format based on RFC 5208.
Create an ESK.
Use the public key of the IWK to encrypt the ESK. The generated ciphertext is recorded as Cipher(ESK).
Use the ESK to encrypt the private key of the TAK. The generated ciphertext is recorded as Cipher(TAKpriv).
Assemble the encryption results in the Cipher(ESK) || Cipher(TAKpriv) format to obtain encrypted key material.
Step 4: Import key material
On the key details page, click Import Key Material. In the Import Wrapped Key Material dialog box, configure the parameters and click OK.
Parameter | Description |
Wrapped Key Material | Upload the key material file that is generated in Step 3: Use the wrapping public key to encrypt key material. |
Import Token | Upload the import token file that is downloaded in Step 2: Download a wrapping public key and an import token. |
Key Material Expired On | You can select Never Expire or specify an expiration time. Important If you specify an expiration time for key material, KMS deletes the key material when the expiration time is reached, and you can no longer use the key material. If you want to reuse the key material, you can reimport the same key material into the key. |
After you import the key material, the status of the key changes from Pending Import to Enabling.
Import key material by using Alibaba Cloud SDK
You can use Alibaba Cloud SDK to create an RSA or ECC key in KMS and import key material. Sample Java code:
The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using the AccessKey pair to perform operations is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. We recommend that you do not save the AccessKey ID and AccessKey Secret in your project code. Otherwise, the AccessKey pair may be leaked and the security of all the resources that belong to your account may be compromised.
In this example, the AccessKey pair is saved in ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables to implement identity authentication.
For more information about how to configure authentication information, see Manage access credentials.
The method that is used to configure environment variables varies based on the operating system. For more information, see Configure environment variables in Linux, macOS, and Windows.
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.interfaces.ECPrivateKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Random;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource.PSpecified;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.bind.DatatypeConverter;
import com.aliyuncs.AcsRequest;
import com.aliyuncs.AcsResponse;
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.exceptions.ServerException;
import com.aliyuncs.http.FormatType;
import com.aliyuncs.http.MethodType;
import com.aliyuncs.http.ProtocolType;
import com.aliyuncs.kms.model.v20160120.CreateKeyRequest;
import com.aliyuncs.kms.model.v20160120.CreateKeyResponse;
import com.aliyuncs.kms.model.v20160120.GetParametersForImportRequest;
import com.aliyuncs.kms.model.v20160120.GetParametersForImportResponse;
import com.aliyuncs.kms.model.v20160120.ImportKeyMaterialRequest;
import com.aliyuncs.kms.model.v20160120.ImportKeyMaterialResponse;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.profile.IClientProfile;
import org.apache.commons.lang3.tuple.Pair;
import org.bouncycastle.asn1.gm.GMNamedCurves;
import org.bouncycastle.asn1.x9.X9ECParameters;
import org.bouncycastle.crypto.engines.SM2Engine;
import org.bouncycastle.crypto.params.ECDomainParameters;
import org.bouncycastle.crypto.params.ECPublicKeyParameters;
import org.bouncycastle.crypto.params.ParametersWithRandom;
import org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
public class BringYourOwnAsymmetricKeySample {
static String regionId = "cn-hangzhou";
static String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
static String accessKeySecret = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
static String dedicatedKmsInstanceId = "*** Provide your DedicatedKmsInstanceId ***";
DefaultAcsClient kmsClient;
private final String SM2PKE_SM4_ECB = "SM2PKE_SM4_ECB";
private final String RSAES_OAEP_SHA_256_AES_256_ECB_PKCS7_PAD = "RSAES_OAEP_SHA_256_AES_256_ECB_PKCS7_PAD";
private static Provider BC = new BouncyCastleProvider();
private static X9ECParameters x9ECParameters = GMNamedCurves.getByName("sm2p256v1");
private static ECDomainParameters ecDomainParameters = new ECDomainParameters(x9ECParameters.getCurve(), x9ECParameters.getG(), x9ECParameters.getN());
static {
java.security.Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
}
public static void main(String[] args) {
// Initialize Alibaba Cloud SDK.
DefaultAcsClient client = getClientForPublicEndpoint(regionId, accessKeyId, accessKeySecret);
BringYourOwnAsymmetricKeySample sample = new BringYourOwnAsymmetricKeySample(client);
// Create and import an external EC_SM2 key.
sample.doByok("EC_SM2", "EC_SM2", sample.SM2PKE_SM4_ECB, "SM4");
// Create and import an external EC_P256 key.
sample.doByok("EC_P256", "RSA_2048", sample.RSAES_OAEP_SHA_256_AES_256_ECB_PKCS7_PAD, "AES_256");
// Create and import an external RSA key.
sample.doByok("RSA_2048", "RSA_2048", sample.RSAES_OAEP_SHA_256_AES_256_ECB_PKCS7_PAD, "AES_256");
}
public static DefaultAcsClient getClientForPublicEndpoint(String regionId, String accessKeyId, String accessKeySecret) {
/**
* Construct an Aliyun Client:
* Set RegionId, AccessKeyId and AccessKeySecret
*/
IClientProfile profile = DefaultProfile.getProfile(regionId, accessKeyId, accessKeySecret);
DefaultAcsClient client = new DefaultAcsClient(profile);
return client;
}
public BringYourOwnAsymmetricKeySample(DefaultAcsClient kmsClient) {
this.kmsClient = kmsClient;
}
public void doByok(String targetKeySpec, String wrappingKeySpec, String wrappingAlgorithm, String ephemeralKeySpec) {
try {
// Create an external ECC key.
CreateKeyResponse.KeyMetadata keyMetadata = this.createExternalKeyInDkms(dedicatedKmsInstanceId, targetKeySpec, "SIGN/VERIFY");
String keyId = keyMetadata.getKeyId();
// Obtain the parameters that are used to import key material.
GetParametersForImportResponse parametersForImportResponse = this.getParametersForImport(keyId, wrappingKeySpec,
wrappingAlgorithm);
String importToken = parametersForImportResponse.getImportToken();
String publicKeyBase64 = parametersForImportResponse.getPublicKey();
// Create an ESK.
byte[] ephemeralSymmetricKeyPlaintext = this.generateEphemeralSymmetricKey(ephemeralKeySpec);
// Create a TAK.
byte[] targetAsymmetricKeyPlaintext = this.generateTargetAsymmetricKey(targetKeySpec);
// Use the public key of an IWK to encrypt the ESK.
byte[] ephemeralSymmetricKeyCipher = this.encryptEphemeralSymmetricKey(publicKeyBase64,
wrappingAlgorithm, ephemeralSymmetricKeyPlaintext);
// Use the ESK to encrypt the TAK.
byte[] targetAsymmetricKeyCipher = this.encryptTargetAsymmetricKey(ephemeralSymmetricKeyPlaintext, targetAsymmetricKeyPlaintext,
wrappingAlgorithm);
// Generate key material.
byte[] encryptedKeyMaterial = new byte[ephemeralSymmetricKeyCipher.length + targetAsymmetricKeyCipher.length];
System.arraycopy(ephemeralSymmetricKeyCipher, 0, encryptedKeyMaterial, 0, ephemeralSymmetricKeyCipher.length);
System.arraycopy(targetAsymmetricKeyCipher, 0, encryptedKeyMaterial, ephemeralSymmetricKeyCipher.length, targetAsymmetricKeyCipher.length);
String encryptedKeyMaterialBase64 = DatatypeConverter.printBase64Binary(encryptedKeyMaterial);
// Import the key material.
this.importKeyMaterial(keyId, encryptedKeyMaterialBase64, importToken, 0L);
} catch (Exception e) {
e.printStackTrace();
}
}
private GetParametersForImportResponse getParametersForImport(String keyId, String keySpec, String algorithm) throws Exception {
GetParametersForImportRequest request = new GetParametersForImportRequest();
request.setAcceptFormat(FormatType.JSON);
request.setMethod(MethodType.POST);
request.setProtocol(ProtocolType.HTTPS);
request.setKeyId(keyId);
request.setWrappingKeySpec(keySpec);
request.setWrappingAlgorithm(algorithm);
GetParametersForImportResponse resp;
try {
resp = this.getAcsResponseWithRetry(request);
} catch (Exception e) {
throw e;
}
return resp;
}
private CreateKeyResponse.KeyMetadata createExternalKeyInDkms(String dedicatedKmsInstance, String keySpec, String keyUsage) throws Exception {
CreateKeyRequest request = new CreateKeyRequest();
// Create an external key.
request.setOrigin("EXTERNAL");
request.setKeyStoreId(dedicatedKmsInstance);
request.setKeySpec(keySpec);
request.setKeyUsage(keyUsage);
request.setProtocol(ProtocolType.HTTPS);
request.setAcceptFormat(FormatType.JSON);
request.setMethod(MethodType.POST);
CreateKeyResponse.KeyMetadata ret = null;
String requestId = null;
try {
CreateKeyResponse response = getAcsResponseWithRetry(request);
ret = response.getKeyMetadata();
requestId = response.getRequestId();
} catch (Exception e) {
throw e;
}
return Pair.of(ret, requestId).getKey();
}
private <T extends AcsResponse> T getAcsResponseWithRetry(AcsRequest<T> request) throws ServerException,
ClientException {
String expStr = "Retry Max Times";
for (int i = 0; i < 3; i++) {
try {
T resp = this.kmsClient.getAcsResponse(request);
if (resp == null) {
throw new ClientException("Get a null response");
}
return resp;
} catch (ServerException e) {
throw e;
} catch (ClientException e) {
expStr = e.toString();
//need retry
if (expStr.contains("SDK.ServerUnreachable")) {
continue;
}
throw e;
}
}
throw new ClientException(expStr);
}
private byte[] generateEphemeralSymmetricKey(String ephemeralSymmetricKeySpec) throws Exception {
// If the ESK is of the AES_256 type, set the length to 32 bits.
int ephemeralSymmetricKeyLength = 32;
if ("SM4".equals(ephemeralSymmetricKeySpec)) {
ephemeralSymmetricKeyLength = 16;
}
byte[] key = new byte[32];
new Random().nextBytes(key);
return key;
}
private byte[] generateTargetAsymmetricKey(String keySpec) throws Exception {
PrivateKey privateKey = null;
// Create an SM2 key and obtain the value of the D parameter for the private key.
if ("EC_SM2".equals(keySpec)) {
ECPrivateKey ecPrivateKey = (ECPrivateKey)generateSm2KeyPair().getPrivate();
byte[] dT = ecPrivateKey.getS().toByteArray();
byte[] d = new byte[32];
if (dT.length == 33) {
System.arraycopy(dT, 1, d, 0, 32);
}
return dT.length == 32 ? dT : d;
}
// Generate an RSA or ECC private key.
if (keySpec.contains("RSA")) {
String[] keySpecAttrs = keySpec.split("_");
int bits = Integer.parseInt(keySpecAttrs[keySpecAttrs.length - 1]);
privateKey = generateRsaKeyPair(bits).getPrivate();
} else if (keySpec.contains("EC")) {
if (keySpec.contains("P256K")) {
// Generate an EC_P256K private key.
privateKey = generateEccKeyPair("secp256k1").getPrivate();
} else {
// Generate an EC_P256 private key.
privateKey= generateEccKeyPair("secp256r1").getPrivate();
}
}
if (privateKey != null) {
// Return the private key in the PKCS #8 format.
return privateKey.getEncoded();
}
return null;
}
private KeyPair generateEccKeyPair(String keySpec)
throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
ECGenParameterSpec ecSpec = new ECGenParameterSpec(keySpec);
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("EC");
keyPairGenerator.initialize(ecSpec, new SecureRandom());
return keyPairGenerator.generateKeyPair();
}
private KeyPair generateRsaKeyPair(int length) throws Exception {
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(length);
return keyGen.genKeyPair();
}
private KeyPair generateSm2KeyPair() throws Exception {
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC", "BC");
keyGen.initialize(new ECGenParameterSpec("sm2p256v1"), new SecureRandom());
return keyGen.genKeyPair();
}
private byte[] encryptEphemeralSymmetricKey (String publicKeyBase64, String wrappingAlgorithm, byte[] ephemeralSymmetricKeyPlaintext) throws Exception {
PublicKey publickey = null;
byte[] enchbk = null;
if ("RSAES_OAEP_SHA_256_AES_256_ECB_PKCS7_PAD".equals(wrappingAlgorithm)) {
publickey = parseDerPublicKey("RSA", publicKeyBase64);
Cipher oaepFromAlgo = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
OAEPParameterSpec oaepParams = new OAEPParameterSpec("SHA-256", "MGF1", new MGF1ParameterSpec("SHA-256"), PSpecified.DEFAULT);
oaepFromAlgo.init(Cipher.ENCRYPT_MODE, publickey, oaepParams);
enchbk = oaepFromAlgo.doFinal(ephemeralSymmetricKeyPlaintext);
} else if ("SM2PKE_SM4_ECB".equals(wrappingAlgorithm)) {
publickey = parseDerPublicKey("EC", publicKeyBase64, BC);
BCECPublicKey localECPublicKey = (BCECPublicKey) publickey;
ECPublicKeyParameters ecPublicKeyParameters = new ECPublicKeyParameters(localECPublicKey.getQ(), ecDomainParameters);
SM2Engine sm2Engine = new SM2Engine(SM2Engine.Mode.C1C3C2);
sm2Engine.init(true, new ParametersWithRandom(ecPublicKeyParameters));
enchbk = sm2Engine.processBlock(ephemeralSymmetricKeyPlaintext, 0, ephemeralSymmetricKeyPlaintext.length);
} else {
throw new Exception("Invalid wrappingAlgorithm");
}
return enchbk;
}
private PublicKey parseDerPublicKey(String keyType, String pemKey) throws Exception {
byte[] derKey = DatatypeConverter.parseBase64Binary(pemKey);
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(derKey);
return KeyFactory.getInstance(keyType).generatePublic(keySpec);
}
private PublicKey parseDerPublicKey(String keyType, String pemKey, Provider provider) throws Exception {
byte[] derKey = DatatypeConverter.parseBase64Binary(pemKey);
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(derKey);
return KeyFactory.getInstance(keyType, provider).generatePublic(keySpec);
}
private byte[] encryptTargetAsymmetricKey (byte[] secretKey, byte[] targetAsymmetricKeyPlaintext, String wrappingAlgorithm)
throws Exception {
if ("RSAES_OAEP_SHA_256_AES_256_ECB_PKCS7_PAD".equals(wrappingAlgorithm)) {
SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey, "AES");
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS7Padding", "BC");
cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec);
return cipher.doFinal(targetAsymmetricKeyPlaintext);
} else if ("SM2PKE_SM4_ECB".equals(wrappingAlgorithm)) {
SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey, "SM4");
Cipher cipher = Cipher.getInstance("SM4/ECB/NoPadding");
cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec);
return cipher.doFinal(targetAsymmetricKeyPlaintext);
}
throw new Exception("Invalid WrappingAlgorithm");
}
private boolean importKeyMaterial(
String keyId,
String material,
String token,
Long expire
) throws Exception {
ImportKeyMaterialRequest req = newImportKeyMaterialRequest(
keyId, material, token, expire);
try {
ImportKeyMaterialResponse resp = this.getAcsResponseWithRetry(req);
} catch (Exception e) {
throw e;
}
return true;
}
private ImportKeyMaterialRequest newImportKeyMaterialRequest(
String keyId,
String material,
String token,
Long expire
) {
ImportKeyMaterialRequest request = new ImportKeyMaterialRequest();
request.setAcceptFormat(FormatType.JSON);
request.setMethod(MethodType.POST);
request.setProtocol(ProtocolType.HTTPS);
request.setEncryptedKeyMaterial(material);
request.setImportToken(token);
request.setKeyId(keyId);
request.setKeyMaterialExpireUnix(expire);
return request;
}
}
FAQ
Can I delete key material?
Yes, you can delete key material.
After imported key material expires or is deleted, the key that uses the key material becomes unavailable until you reimport the same key material.
Directly delete key material
KMS console: On the details page of the key, click Delete Key Material on the Key Material tab.
KMS API: Call the DeleteKeyMaterial operation to delete key material. This operation does not delete your key.
KMS deletes key material
Specify an expiration time for key material when you import the key material. KMS deletes the key material when the expiration time is reached.
How do I reimport the same key material?
After key material of a key expires or is deleted, you can reimport the same key material to continue using the key.
Delete the expired key material.
On the key details page, click the Key Material tab and then click Delete Key Material.
Re-download a wrapping public key and an import token. For more information, see Step 2: Download a wrapping public key and an import token.
NoteThe key wrapping process does not affect the content of key material. You can use a different wrapping public key and a different wrapping algorithm to reimport the same key material.
Use the wrapping public key to encrypt the key material. For more information, see Step 3: Use the wrapping public key to encrypt key material.
NoteThe key material must be the same as the expired key material.
Import the encrypted key material by using the import token. For more information, see Step 4: Import key material.
How do I view the key material origin of a key?
Method 1: Use the KMS console
On the Keys page, click the Keys tab, select the ID of the KMS instance that you want to manage from the Instance ID drop-down list, find the key whose key material origin you want to view, and then click Details in the Actions column. On the details page, view the value of Key Material Source.
Method 2: Call the DescribeKey operation.
If the value of
Origin
isEXTERNAL
, the key material is imported. If the value ofOrigin
isAliyun_KMS
, KMS generated the key material.
How do I rotate a key that uses external key material?
KMS does not support automatic rotation for a key that uses external key material. If you want to rotate a key that uses external key material, you must create a different key and import different key material into the key.