How-to guides
Users can create the service by entering the required information for the Key Management Service through the Samsung Cloud Platform Console and selecting detailed options.
Key Management Service provides the following two key services.
- Customer-managed key: To securely protect critical application data, users can generate and manage encryption keys themselves.
- Platform-managed key: Since the CSP (Cloud Service Provider) creates and manages it directly, users cannot modify or delete the key’s properties.
Create a customer-managed key
You can create and use a customer-managed key in the Samsung Cloud Platform Console.
To create a customer-managed key, follow these steps.
1. Click the All Services > Security > Key Management Service menu. Go to the Service Home page of Key Management Service.
2. On the Service Home page, click the Create Customer Managed Key button. Navigate to the Customer Managed Key Creation page.
3. On the Customer Managed Key Creation page, enter the information required to create a service and provide additional details.
   - Enter or select the required information in the Service Information Input area.
| Category | Required | Detailed description |
|---|---|---|
| Key name | Required | Enter key name |
| Public authentication algorithm | Optional | When Use is selected, you can generate encryption keys that meet public encryption standards. The public authentication algorithm option is available only in the KR SOUTH region. The public authentication algorithm provides the ARIA algorithm, which has passed security verification through Korea’s cryptographic module certification system. |
| Purpose | Required | Select the key purpose and encryption method. If you do not select the public authentication algorithm, choose among encryption/decryption (AES-256), encryption/decryption and signing/verification (RSA-2048), signing/verification (ECDSA), and generation/verification (HMAC). |
| Auto rotation | Optional | Select whether to enable automatic key rotation. If you select Use, the internal algorithm of the generated key is converted to a different value and applied at each configured rotation interval. The rotation interval can be set to a value between 1 and 730 days. If no rotation interval is entered, it defaults to 90 days automatically. |
| Explanation | Optional | Enter additional information for the key |
Table. Customer-managed key service information input items
   - In the Additional Information Input area, enter or select the required information.
| Category | Required | Detailed description |
|---|---|---|
| Tag | Optional | Add tags. Up to 50 can be added per resource. After clicking the Add Tag button, enter or select Key, Value values. |
Table. Customer-managed key additional information input fields
4. Check the detailed information and estimated charges generated in the Summary panel, and click the Create button.
   - When creation is complete, check the created resources on the Customer Managed Key List page.
Check detailed information of customer-managed key
You can view and edit the complete list of resources and detailed information for customer-managed keys. The Customer Managed Key Details page consists of the Details, Tags, and Activity Log tabs.
If the status of a customer-managed key service is Creating, the service is still being created, so you cannot navigate to the detail page.
- If it remains in the Creating state after a certain amount of time, delete the key and recreate it.
To view detailed information about the Key Management Service, follow these steps.
1. Click the All Services > Security > Key Management Service menu. Go to the Service Home page of Key Management Service.
2. On the Service Home page, click the Customer Managed Key menu. Navigate to the Customer Managed Key List page.
3. On the Customer Managed Key List page, click the resource to view detailed information. Navigate to the Customer Managed Key Details page.
   - The Customer Managed Key Details page displays status information and descriptions of additional features at the top.
| Category | Detailed description |
|---|---|
| Status | Indicates the status of a customer-managed key. Active: available/activated. Stop: stopped/disabled. To be terminated: scheduled for deletion. Creating: creating/creation error (immediate retry possible). |
| Key rotation | Button to manually rotate the generated key |
| Key Deactivation | Button to deactivate the generated key |
| Service cancellation | Terminate service button. When the status is To be terminated, the Cancel termination button is displayed. |
Table. Customer-managed key status information and additional features
Detailed Information
On the Customer Managed Key List page, you can view detailed information of the selected resource and, if necessary, edit the information.
| Category | Detailed description |
|---|---|
| Service | Service name |
| Resource Type | Resource Type |
| SRN | Unique resource ID in Samsung Cloud Platform |
| Resource name | Resource Name |
| Resource ID | Unique resource ID in the service |
| Constructor | User who created the service |
| Creation date and time | Service creation timestamp |
| Key name | Name of the generated key |
| Public authentication algorithm | Whether to use a public authentication algorithm |
| Purpose | Key purposes and cryptographic methods such as encryption/decryption and signing/verification |
| Current version | Current version of the generated key |
| Auto rotation | Automatic key rotation usage |
| Next rotation day | Display the next key rotation date according to the rotation period |
| Rotation period | Rotation period when automatic rotation is enabled |
| Explanation | Show additional description for the key |
Tag
On the Customer Managed Key List page, you can view the tag information of the selected resource and add, modify, or delete tags.
| Category | Detailed description |
|---|---|
| Tag list | Tag list |
Job History
You can view the operation history of the selected resource on the Customer Managed Key List page.
| Category | Detailed description |
|---|---|
| Work History | Task execution details |
| Work Date/Time | Task execution date and time |
| Resource Type | Resource Type |
| Resource name | Resource Name |
| Work result | Task execution result (success/failure) |
| Operator Information | User information for the performed task |
Managing Customer-Managed Keys
You can create a new version of a registered key or change its usage status.
Configure customer-managed key rotation
Key rotation is a function that converts the internal algorithm of a generated key to a different value.
- When rotating the key, only the master key value changes, and the ciphertext and plaintext values of previously generated data keys remain unchanged.
- Even if key rotation is performed, the master key retains the previous version’s data, so decryption using the master key is unaffected, and the value of the data key in use also remains unchanged.
- Note that if you wrap with the updated master key (decrypt and then re‑encrypt), calling the rewrapData API will trigger the key rotation function.
- When rotating a customer-managed key, the key’s version is changed internally. By using the newly generated version of the key, you can decrypt information that was encrypted with the previous version of the key (compatibility is maintained).
- Versions through key rotation are compatible up to the 100th version regardless of the encryption algorithm.
To create a new version of a customer-managed key (key rotation), follow these steps.
1. Click the All Services > Security > Key Management Service menu. Go to the Service Home page of Key Management Service.
2. On the Service Home page, click the Customer Managed Key menu. Navigate to the Customer Managed Key List page.
3. On the Customer Managed Key List page, click the resource to view detailed information. Navigate to the Customer Managed Key Details page.
4. On the Customer Managed Key Details page, click the Key Rotation button. Go to the Key Rotation notification window.
5. In the Key Rotation notification window, click the Confirm button.
Configure Customer-Managed Key Activation
You can configure the usage of the selected key.
To set the activation/deactivation status of a customer-managed key you created, follow these steps.
1. Click the All Services > Security > Key Management Service menu. Go to the Service Home page of Key Management Service.
2. On the Service Home page, click the Customer Managed Key menu. Navigate to the Customer Managed Key List page.
3. On the Customer Managed Key List page, click the resource to view its details. Navigate to the Customer Managed Key Details page.
4. On the Customer Managed Key Details page, click the Key Activation/Key Deactivation button. Navigate to the Key activation/Key deactivation notification dialog.
5. In the Key activation/key deactivation notification window, click the OK button.
Encryption case using Key Management Service
The following is an example procedure for encrypting and storing important data of a user application by obtaining a data key from KMS.
- When the application starts, it obtains a data key using the KMS master key information, then encrypts the secure data on the client side with the plaintext data key and stores the result.
- The data key is stored in the database in an encrypted form using the master key.
- When performing secure data decryption, the data key stored in the database is retrieved and a decryption request is made using the KMS master key information.
The encryption/decryption process using the Key Management Service key is explained with the following diagram.
Figure. Encryption
Figure. Decryption
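
The rotation rules and the data-key flow described above, as an added example that is not Samsung Cloud Platform code: `kms` is a hypothetical in-memory stand-in for the service that keeps every master key version, tags each wrapped data key with the version that encrypted it, and implements rewrap as decrypt then re-encrypt. The blob layout and all names are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randBytes(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// kms is a hypothetical stand-in for the KMS; Rotate adds a master key version and keeps the old ones.
type kms struct{ versions [][]byte }
func (k *kms) Rotate() { k.versions = append(k.versions, randBytes(32)) }
// Wrap encrypts a data key under the newest version as version|nonce|ciphertext.
func (k *kms) Wrap(dk []byte) []byte {
	v, nonce := byte(len(k.versions)-1), randBytes(12)
	return aead(k.versions[v]).Seal(append([]byte{v}, nonce...), nonce, dk, []byte{v})
}

// Unwrap uses the version recorded in the blob, so pre-rotation blobs still open.
func (k *kms) Unwrap(w []byte) ([]byte, error) {
	if len(w) < 13 || int(w[0]) >= len(k.versions) {
		return nil, fmt.Errorf("malformed blob or unknown key version")
	}
	return aead(k.versions[w[0]]).Open(nil, w[1:13], w[13:], w[:1])
}

// Rewrap decrypts and re-encrypts the same data key under the newest version.
func (k *kms) Rewrap(w []byte) ([]byte, error) {
	dk, err := k.Unwrap(w)
	if err != nil {
		return nil, err
	}
	return k.Wrap(dk), nil
}

func main() {
	k := &kms{versions: [][]byte{randBytes(32)}} // master key version 0
	w := k.Wrap(randBytes(32))                   // constructed sample data key
	k.Rotate()
	fmt.Println("wrapped under", w[0], "rewrapped under", must(k.Rewrap(w))[0])
}
```

Because the plaintext data key is identical before and after the rewrap, application data encrypted with it does not need to be re-encrypted when the master key rotates.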
Terminate customer-managed key
You can terminate customer-managed keys that are not in use.
To terminate a customer-managed key, follow these steps.
1. Click the All Services > Security > Key Management Service menu. Go to the Service Home page of Key Management Service.
2. On the Service Home page, click the Customer Managed Key menu. Navigate to the Customer Managed Key List page.
3. On the Customer Managed Key List page, click the resource to view its details. Navigate to the Customer Managed Key Details page.
4. On the Customer Managed Key Details page, click the Terminate Service button. Navigate to the Service Cancellation alert window.
5. In the Service termination alert window, select Immediate termination/Scheduled termination, verify the details, and click the Confirm button.
   - When termination is complete, verify on the Customer Managed Key List page whether the resource has been terminated.
   - When the key deletion is complete, a notification is sent to both the user who created the key and the user who deleted it.
- You can also terminate the selected key by clicking the Service Termination button in the More Options menu at the far right of the customer-managed key list.
- To cancel a scheduled termination, click the Cancel Termination button on the customer-managed key list page or the detail page.
  - In the Cancel Service Termination popup window, when you click Confirm, the selected key is not deleted and is restored in a disabled state.
  - To reuse the key, click the Activate Key button on the Customer Managed Key Details page.

