The page has been translated by Gen AI.

How-to guides

Users can enter the required information for the Key Management Service through the Samsung Cloud Platform Console, select detailed options, and create the service.

Reference

Key Management Service provides the following two key services.

  • Customer Managed Key: Add content.
  • Platform Managed Key: Add content.

Create a customer-managed key

You can create and use a customer-managed key in the Samsung Cloud Platform Console.

To create a customer-managed key, follow the steps below.

  1. Click the All Services > Security > Key Management Service menu. Go to the Service Home page of Key Management Service.

  2. Click the Customer Managed Key Creation button on the Service Home page. You will be taken to the Customer Managed Key Creation page.

  3. On the Customer Managed Key Creation page, enter the information required to create the service and enter additional information.

    • In the Service Information Input area, enter or select the required information.

      | Category | Required | Detailed description |
      | --- | --- | --- |
      | Key name | Required | Enter the key name |
      | Public Authentication Algorithm | Optional | When Use is selected, encryption keys that meet public encryption standards can be generated. The Public Authentication Algorithm option is available only in the KR SOUTH region. The Public Authentication Algorithm provides the ARIA algorithm, which has passed security verification through the Korean cryptographic module verification system |
      | Purpose | Required | Select the key's purpose and encryption method. If you do not select the use of public authentication algorithms, choose among encryption/decryption (AES-256), encryption/decryption and signing/verification (RSA-2048), signing/verification (ECDSA), generation/verification (HMAC) |
      | Automatic rotation | Optional | Select whether to use automatic rotation of the key. If Use is selected, the internal algorithm of the generated key is converted to a different value and applied at each set rotation period. The rotation period can be set to a value between 1 and 730 days. If no rotation period is entered, it defaults to 90 days |
      | Description | Optional | Enter additional key information |

      Table. Customer Managed Key Service Information Input Items
    • In the Additional Information Input area, enter or select the required information.

      | Category | Required | Detailed description |
      | --- | --- | --- |
      | Tag | Optional | Add a tag. Up to 50 can be added per resource. After clicking the Add Tag button, enter or select the Key and Value values |

      Table. Customer Managed Key Additional Information Input Items
  4. Check the detailed information and estimated billing amount generated in the Summary panel, and click the Create button.

    • When creation is complete, check the created resource on the Customer Managed Key List page.
Reference
When selecting a public authentication algorithm, you can create up to 100 customer-managed keys.

Check detailed information of customer-managed key

Customers can view and edit the full resource list and detailed information of customer-managed keys. The Customer Managed Key Details page consists of the Details, Tags, and Activity Log tabs.

Reference

If the status of the customer-managed key service is Creating, you cannot navigate to the detail page because the service is being created.

  • If it remains in Creating state after a certain amount of time has passed, delete the key and recreate it.

To view detailed information about the Key Management Service, follow these steps.

  1. Click the All Services > Security > Key Management Service menu. Navigate to the Service Home page of Key Management Service.

  2. Click the Customer Managed Key menu on the Service Home page. Navigate to the Customer Managed Key List page.

  3. Click the resource to view detailed information on the Customer Managed Key List page. You will be taken to the Customer Managed Key Details page.

    • At the top of the Customer Managed Key Details page, status information and descriptions of additional features are displayed.

      | Category | Detailed description |
      | --- | --- |
      | Status | Displays the status of the customer-managed key. Active: available/activated; Stop: disabled/deactivated; To be terminated: scheduled for deletion; Creating: in progress/creation error (immediate retry possible) |
      | Key Rotation | Button that can manually rotate the generated key |
      | Key Deactivation | Button to deactivate the created key |
      | Service termination | Button to terminate the service. When in the To be terminated state, the Cancel termination button is displayed |

      Table. Customer-managed key status information and additional functions

Detailed Information

On the Customer Managed Key List page, you can view detailed information of the selected resource and, if necessary, edit the information.

| Category | Detailed description |
| --- | --- |
| Service | Service Name |
| Resource Type | Resource Type |
| SRN | Unique resource ID in Samsung Cloud Platform |
| Resource Name | Resource Name |
| Resource ID | Unique resource ID in the service |
| Creator | User who created the service |
| Creation time | Service creation time |
| Key name | Name of the generated key |
| Public authentication algorithm | Whether the public authentication algorithm is used |
| Purpose | Purpose and encryption method of the key, such as encryption/decryption and signing/verification |
| Current version | Current version of the generated key. The version increments by 1 when the key is rotated |
| Auto rotation | Whether key auto rotation is used. Click the Edit icon to edit |
| Next rotation date | Displays the next rotation date of the key according to the rotation cycle. The key is automatically rotated on that date |
| Rotation Period | Rotation period when auto rotation is used |
| Description | Shows the additional description for the key. Click the Edit icon to edit |

Table. Customer Managed Key Detailed Information Tab Items

Tag

On the Customer Managed Key List page, you can view the tag information of the selected resource, and you can add, modify, or delete it.

| Category | Detailed description |
| --- | --- |
| Tag List | Tag list. You can view the tag's Key and Value information. Up to 50 tags can be added per resource. When entering tags, search and select from the existing list of Keys and Values |

Table. Customer Managed Key Tag Tab Items

Work History

You can view the operation history of the selected resource on the Customer Managed Key List page.

| Category | Detailed description |
| --- | --- |
| Work History | Task execution details. Log entries for the encryption, decryption, signing, verification, data key generation, and rewrap APIs are displayed |
| Task Date/Time | Task execution date/time |
| Resource Type | Resource Type |
| Resource Name | Resource Name |
| Work Result | Task execution result (Success/Failure) |
| Operator Information | Information of the user who performed the task |

Table. Customer Managed Key Operation History Tab Detailed Information Items

Managing customer-managed keys

You can create a new version of a registered key or change its usage status.

Setting up customer-managed key rotation

Key rotation is a function that converts the internal algorithm of a generated key to a different value.

Reference
  • When rotating the key, only the master key value changes, and the ciphertext and plaintext values of previously generated data keys do not change.
  • Even if key rotation is performed, because the master key holds the data from the previous version, there is no impact on decryption performed via the master key, and the value of the data key used does not change either.
    • Note: to wrap data keys with the changed master key (decrypt, then re-encrypt), call the rewrapData API so that the key rotation is applied to them.

To create a new version of the generated customer-managed key (key rotation), follow the steps below.

  1. Click the All Services > Security > Key Management Service menu. Go to the Service Home page of Key Management Service.
  2. Click the Customer Managed Key menu on the Service Home page. You will be taken to the Customer Managed Key List page.
  3. On the Customer Managed Key List page, click the resource to view detailed information. You will be taken to the Customer Managed Key Details page.
  4. On the Customer Managed Key Details page, click the Key Rotation button. The Key Rotation alert window will open.
  5. Click the Confirm button in the Key Rotation notification window.

Enabling Customer Managed Key

You can set whether the selected key is used.

Reference
If you change the key to a disabled state, users who use that key will no longer be able to use the key.

To set the activation/deactivation status of the generated customer-managed key, follow the steps below.

  1. Click the All Services > Security > Key Management Service menu. Navigate to the Service Home page of Key Management Service.
  2. Click the Customer Managed Key menu on the Service Home page. Navigate to the Customer Managed Key List page.
  3. Click the resource to view detailed information on the Customer Managed Key List page. You will be taken to the Customer Managed Key Details page.
  4. On the Customer Managed Key Details page, click the Key Activation/Key Deactivation button. The Key Activation/Key Deactivation notification window will open.
  5. Click the Confirm button in the Key Activation/Key Deactivation alert window.

Encryption case using Key Management Service

The example procedure for encrypting and storing important user application data by issuing a data key from KMS is as follows.

  1. When the application starts, obtain a data key using the KMS master key information, then encrypt the sensitive data on the client side using the plaintext data key and store it.
  2. The data key is stored in the database in a form encrypted with the master key.
  3. When decrypting the sensitive data, retrieve the data key stored in the database and request its decryption using the KMS master key information.

The encryption/decryption procedure using the Key Management Service key is explained with the following diagram.

Encryption

Figure. KMS Encryption Procedure Example

Decryption

Figure. KMS Decryption Procedure Example
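
The data-key procedure above, together with the rotation and rewrap behaviour described under Setting up customer-managed key rotation, as an added example that is not Samsung Cloud Platform code. LocalKms, store_record and load_record are hypothetical names, the master key is held in memory instead of in the KMS, and an HMAC-SHA256 keystream with encrypt-then-MAC stands in for AES-256 so that the block runs on the Python standard library alone.

```python
import hashlib, hmac, secrets

def _stream(key, nonce, n):  # HMAC-SHA256 in counter mode (stdlib stand-in for AES-256)
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):  # encrypt-then-MAC: nonce || ciphertext || tag
    nonce = secrets.token_bytes(16)
    body = nonce + bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return body + hmac.new(key, b"mac" + body, hashlib.sha256).digest()

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + body, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(body[16:], _stream(key, body[:16], len(body) - 16)))

class LocalKms:
    """Hypothetical in-memory master key with versions; not the Samsung Cloud Platform API."""
    def __init__(self):
        self.current, self.enabled = 1, True
        self.versions = {1: secrets.token_bytes(32)}

    def rotate(self):  # new master key value; earlier versions are retained
        self.current += 1
        self.versions[self.current] = secrets.token_bytes(32)

    def _wrap(self, data_key):  # 2-byte prefix records which master key version wrapped it
        return self.current.to_bytes(2, "big") + seal(self.versions[self.current], data_key)

    def create_data_key(self):  # returns (plaintext data key, data key encrypted with master key)
        data_key = secrets.token_bytes(32)
        return data_key, self._wrap(data_key)

    def decrypt(self, wrapped):
        if not self.enabled:
            raise PermissionError("master key is deactivated")
        return unseal(self.versions[int.from_bytes(wrapped[:2], "big")], wrapped[2:])

    def rewrap(self, wrapped):  # decrypt, then re-encrypt under the current version
        return self._wrap(self.decrypt(wrapped))

def store_record(kms, secret):
    data_key, wrapped = kms.create_data_key()  # plaintext data key is never persisted
    return {"wrapped_key": wrapped, "ciphertext": seal(data_key, secret)}

def load_record(kms, row):
    return unseal(kms.decrypt(row["wrapped_key"]), row["ciphertext"])
```

After `rotate()`, a row written earlier still decrypts because its wrapped data key names version 1; `rewrap()` moves only the wrapped data key to the current version and leaves the stored ciphertext untouched.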

Cancel customer-managed key

You can cancel unused customer-managed keys.

Caution
If you cancel the key, you will not be able to use any requests or functions of the customer-managed key, and it will be permanently deleted either immediately upon cancellation or after 72 hours via scheduled cancellation.

To cancel a customer-managed key, follow the steps below.

  1. Click the All Services > Security > Key Management Service menu. Navigate to the Service Home page of Key Management Service.
  2. Click the Customer Managed Key menu on the Service Home page. Navigate to the Customer Managed Key List page.
  3. Click the resource to view detailed information on the Customer Managed Key List page. Navigate to the Customer Managed Key Details page.
  4. On the Customer Managed Key Details page, click the Service Cancellation button. The Service Cancellation alert window will appear.
  5. In the Service Termination alert window, select Immediate termination or Scheduled termination, confirm the details, then click the Confirm button.
  6. When termination is complete, check on the Customer Managed Key List page whether the resource has been terminated.
    • When key deletion is completed, notifications are sent to both the user who created the key and the user who deleted it.
Reference
  • You can also cancel the selected key by clicking the Cancel Service button within the More Options menu button at the far right of the generated customer-managed key list.
  • To undo the cancellation of a terminated service, click the Cancel Cancellation button on the customer-managed key list page or detail page.
    • When Confirm is clicked in the Service Cancellation popup window, the selected key is not deleted but restored in a disabled state.
  • To reuse the key, click the Activate Key button on the Customer Managed Key Details page.