How-to guides

• 1: Key Management Service Encryption example using keys
• 2: Platform Managed Key

Users can enter the required information for the Key Management Service through the Samsung Cloud Platform Console, select detailed options, and create the service.

Reference

Key Management Service provides the following two key services.

• Customer Managed Key: Add content.
• Platform Managed Key: Add content.

Create a customer-managed key

You can create and use a customer-managed key in the Samsung Cloud Platform Console.

To create a customer-managed key, follow the steps below.

1. All Services > Security > Key Management Service Click the menu. Go to the Service Home page of Key Management Service.

2. Click the Customer Managed Key Creation button on the Service Home page. You will be taken to the Customer Managed Key Creation page.

3. Customer Managed Key Creation On the page, enter the information required to create the service and enter additional information.

   • Service Information Input area, input or select the required information.

     Category	Required	Detailed description
     Key name	Required	Enter key name
     Public Authentication Algorithm	Select	Use When selected, can generate encryption keys that meet public encryption standards Public Authentication Algorithm option is available only in the KR SOUTH region In the Public Authentication Algorithm, the ARIA algorithm, which has passed security verification through the Korean cryptographic module verification system, is provided
     Purpose	Required	Select the key’s purpose and encryption method If you do not select the use of public authentication algorithms, choose among encryption/decryption (AES-256), encryption/decryption and signing/verification (RSA-2048), signing/verification (ECDSA), generation/verification (HMAC)
     Automatic rotation	Select	Select whether to use automatic rotation of the key If Use is selected, the internal algorithm of the generated key is converted to a different value and applied at each set rotation period The rotation period can be set to a value between 1 and 730 days. If no rotation period is entered, it defaults to 90 days
     Description	Selection	Enter additional key information

     Table. Customer Managed Key Service Information Input Items
   • Additional Information Input Enter or select the required information in the area.

     Category	Required	Detailed description
     Tag	Select	Add Tag Up to 50 can be added per resource After clicking the Add Tag button, enter or select Key, Value values

     Table. Customer Managed Key Additional Information Input Items

4. Summary Check the detailed information and estimated billing amount generated in the panel, and click the Create button.

   • When creation is complete, check the created resource on the Customer Managed Key List page.

Reference

When selecting a public authentication algorithm, you can create up to 100 customer-managed keys.

Check detailed information of customer-managed key

Customers can view and edit the full resource list and detailed information of customer-managed keys. The Customer Managed Key Details page consists of Details, Tags, Activity Log tabs.

Reference

If the status of the customer-managed key service is Creating, you cannot navigate to the detail page because the service is being created.

• If it remains in Creating state after a certain amount of time has passed, delete the key and recreate it.

To view detailed information about the Key Management Service, follow these steps.

1. Click the All Services > Security > Key Management Service menu. Navigate to the Service Home page of Key Management Service.

2. Click the Customer Managed Key menu on the Service Home page. Navigate to the Customer Managed Key List page.

3. Click the resource to view detailed information on the Customer Managed Key List page. It navigates to the Customer Managed Key Details page.

   • Customer Managed Key Details At the top of the page, status information and descriptions of additional features are displayed.

     Category	Detailed description

     | Status | Displays the status of the customer-managed key

     • Active: available/activated

     • Stop: disabled/deactivated

     • To be terminated: scheduled for deletion

     • Creating: in progress/creation error (immediate retry possible)

     | | Key Rotation | Button that can manually rotate the generated key |
     | Key Deactivation | Button to deactivate the created key | | Service termination | Button to terminate the service

     • When in To be terminated state, display Cancel termination button

     |

     Table. Customer-managed key status information and additional functions

Detailed Information

Customer Managed Key List page allows you to view detailed information of the selected resource and, if necessary, edit the information.

Category	Detailed description
Service	Service Name
Resource Type	Resource Type
SRN	Unique resource ID in Samsung Cloud Platform
Resource Name	Resource Name
Resource ID	Unique resource ID in the service
Creator	User who created the service
Creation time	Service creation time
Key name	Name of the generated key
Public authentication algorithm	Whether to use public authentication algorithm
Purpose	Purpose and encryption method of keys such as encryption/decryption and signing/verification
Current version	Current version of the generated key The version increments by 1 when the key is rotated
Auto rotation	Key auto rotation usage Click the Edit icon to edit
Next rotation date	Display the next rotation date of the key according to the rotation cycle Automatically rotate the key on that date
Rotation Period	Rotation Period Duration When Auto-Rotate Is Used
Description	Show additional description for the key Edit Click the icon to edit

Table. Customer Managed Key Detailed Information Tab Items

Tag

Customer Managed Key List page, you can view the tag information of the selected resource, and you can add, modify, or delete it.

Category	Detailed description

|Tag List| Tag List

• Can view the tag’s Key, Value information

• Up to 50 tags can be added per resource

• When entering tags, search and select from the existing list of Keys and Values

|

Table. Customer Managed Key Tag Tab Items

Work History

You can view the operation history of the selected resource on the Customer Managed Key List page.

Category	Detailed description
Work History	Task Execution Details encryption, decryption, signing, verification, data key generation, rewrap API log entry display
Task Date/Time	Task Execution Date/Time
Resource Type	Resource Type
Resource Name	Resource Name
Work Result	Task Execution Result (Success/Failure)
Operator Information	Information of the user who performed the task

Table. Customer Managed Key Operation History Tab Detailed Information Items

Managing customer-managed keys

You can create a new version of a registered key or change its usage status.

Setting up customer-managed key rotation

Key rotation is a function that converts the internal algorithm of a generated key to a different value.

Reference

• When rotating the key, only the master key value changes, and the ciphertext and plaintext values of previously generated data keys do not change.
• Even if key rotation is performed, because the master key holds the data from the previous version, there is no impact on decryption performed via the master key, and the value of the data key used does not change either.
  • Note, if wrapping with the changed master key (decrypt then re-encrypt), calling the rewrapData API will trigger the key rotation function.

To create a new version of the generated customer-managed key (key rotation), follow the steps below.

1. All Services > Security > Key Management Service Click the menu. Go to the Service Home page of Key Management Service.
2. Click the Customer Managed Key menu on the Service Home page. You will be taken to the Customer Managed Key List page.
3. Customer Managed Key List page, click the resource to view detailed information. You will be taken to the Customer Managed Key Details page.
4. Customer Managed Key Details page, click the Key Rotation button. Key Rotation alert window will open.
5. Key Rotation Click the Confirm button in the notification window.

Enabling Customer Managed Key

You can set whether the selected key is used.

Reference

If you change the key to a disabled state, users who use that key will no longer be able to use the key.

To set the activation/deactivation status of the generated customer-managed key, follow the steps below.

1. All Services > Security > Key Management Service Click the menu. Navigate to the Service Home page of Key Management Service.
2. Click the Customer Managed Key menu on the Service Home page. Navigate to the Customer Managed Key List page.
3. Click the resource to view detailed information on the Customer Managed Key List page. You will be taken to the Customer Managed Key Details page.
4. Customer Managed Key Details page, click the Key Activation/Key Deactivation button. You will be taken to the Key Activation/Key Deactivation notification window.
5. Key activation/key deactivation Click the Confirm button in the alert window.

Encryption case using Key Management Service

The example procedure for encrypting and storing important user application data by issuing a data key from KMS is as follows.

1. When the Application starts, obtain a data key using the KMS master key information, and perform and store security data encryption on the client side using the plaintext data key.
2. The data key is stored in the database in an encrypted form with the master key.
3. When performing secure data decryption, retrieve the data key stored in the database and request decryption using the KMS master key information.

The encryption/decryption procedure using the Key Management Service key is explained with the following diagram.

Encryption

Decryption

Cancel customer-managed key

You can cancel unused customer-managed keys.

Caution

If you cancel the key, you will not be able to use any requests or functions of the customer-managed key, and it will be permanently deleted either immediately upon cancellation or after 72 hours via scheduled cancellation.

To cancel a customer-managed key, follow the steps below.

1. All Services > Security > Key Management Service Click the menu. Navigate to the Service Home page of Key Management Service.
2. Click the Customer Managed Key menu on the Service Home page. Navigate to the Customer Managed Key List page.
3. Customer Managed Key List Click the resource to view detailed information on the page. Customer Managed Key Details Navigate to the page.
4. Customer Managed Key Details page, click the Service Cancellation button. Service Cancellation alert window will appear.
5. Service Termination in the alert window, select Immediate termination/Scheduled termination and confirm the details, then click the Confirm button.
6. When termination is complete, check on the Customer Managed Key List page whether the resource has been terminated.
   • When key deletion is completed, notifications are sent to both the user who created the key and the user who deleted it.

Reference

• Even if you click the Cancel Service button within the More Options menu button at the far right of the generated customer-managed key list, you can cancel the selected key.
• To cancel the cancellation of a terminated service, click the Cancel Cancellation button on the customer-managed key list page or detail page.
  • Service Cancellation popup window where Confirm is clicked, the selected key is not deleted but restored in a disabled state.
• To reuse the key, click the Activate Key button on the Customer Managed Key Details page.

1 - Key Management Service Encryption example using keys

Key Management Service Encryption Example Using Keys

This is a Java code example for implementing envelope encryption (Envelope Encryption) and data signing/verification using a key generated by KMS.

Envelope Encryption

It presents an envelope encryption scenario, and you can view the Java, Go, and Python example code and results written according to the scenario.

Scenario

1. Obtain a Data Key to encrypt password information using envelope encryption.
2. Use the issued Data Key information to encrypt the password.
3. Encrypt the password and encrypted Data Key information using envelope encryption and save it as a JSON file.

Java Example Code

This is a Java example code written according to the presented scenario.

// URI
static String KMS_API_BASE_URI = {{ Reference the OpenAPI guide URL }};
// END POINT
static String KMS_API_DECRYPT = "/v1/kms/openapi/decrypt/%s";
static String KMS_API_CREATE_DATAKEY = "/v1/kms/openapi/datakey/%s";
// KEY ID
static String KEY_ID = {{Master Key ID}};
  
createEnvelop() {
    // Request creation of a new data key
    String encryptedDataKey = getDataKey();
    // Data to be encrypted
    String example_json_data = "{\"PASSWORD\":\"SECRET_CREDENTIAL\"}";
    // Encrypted data envelope(Envelop encryption)
    String envelope = encryptData(example_json_data, encryptedDataKey);
    // In this example code, the encrypted data envelope is saved to a file
    File envelopeFile = new File("envelope.json");
}
  
getDataKey() {
    String endPoint = String.format(KMS_API_CREATE_DATAKEY, KEY_ID);
    String url = KMS_API_BASE_URI + endPoint;
    JSONObject data = new JSONObject();
    data.put("key_type", "plaintext");
    JSONObject respJsonObject = callApi(endPoint, data.toJSONString());
    return respJsonObject.get("ciphertext").toString();
}
  
encryptData() {
    Map<String, String> envelope = new HashMap<>();
    // Data key decryption
    String dataKey = decryptDataKey(encryptedDataKey);
    // Encrypt the generated data key using AES-CBC method
    // Cipher Class usage (User can use the encryption algorithm they are already using)
    SecretKey secretKey = new SecretKeySpec(decodeBase64(dataKey), "AES");
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
    cipher.init(Cipher.ENCRYPT_MODE, secretKey);
    byte[] iv = cipher.getParameters().getParameterSpec(IvParameterSpec.class).getIV();
    byte[] cipherText = cipher.doFinal(obj.toString().getBytes());
  
    envelope.put("encryptedKey", encryptedDataKey);
    envelope.put("cipherText", encodeBase64(cipherText));
    envelope.put("iv", encodeBase64(iv));
  
    return JSONValue.toJSONString(envelope);
}
  
decryptDataKey() {
    String endPoint = String.format(KMS_API_DECRYPT, KEY_ID);
    JSONObject data = new JSONObject();
    data.put("cipherText", sealedKey);
    JSONObject respJsonObject = callApi(endPoint, data.toJSONString());
    String plaintext = (respJsonObject.get("plaintext")).toString();
    return plaintext;
}

Go example code

This is a Go example code written according to the presented scenario.

// URI
const KMS_API_BASE_URI = {{ Reference the OpenAPI guide URL }}
  
// END POINT
const KMS_API_DECRYPT = "/v1/kms/openapi/decrypt/%s"
const KMS_API_CREATE_DATAKEY = "/v1/kms/openapi/datakey/%s"
  
// KEY ID
const KEY_ID = {{Master Key ID}}
  
createEnvelop() {
        // Request new data key creation
        encryptedDataKey := getDataKey()

        // data to be encrypted
        example_json_data := "{\"PASSWORD\":\"SECRET_CREDENTIAL\"}"
        // encrypted data envelope(Envelop encryption)
        envelope := encryptData(example_json_data, encryptedDataKey)
        // In this example code, the encrypted data envelope is saved to a file
        file, _ := os.Create("envelope.json")
        defer file.Close()

        file.WriteString(envelope)
"}
  
getDataKey() {
        endPoint := fmt.Sprintf(KMS_API_CREATE_DATAKEY, KEY_ID)
        data := map[string]interface{}{
            "key_type": "plaintext",
        }
        jsonData, _ := json.Marshal(data)
        respJsonObject := callApi(endPoint, jsonData)
        info := &KMSDatakeyInfo{}
        json.Unmarshal([]byte(respJsonObject), info)
  
        return info.DataKey
"}
  
encryptData() {
        envelope := make(map[string]string)
        // Data key decryption
        dataKey := decryptDataKey(encryptedDataKey)
        secretKey, _ := base64.StdEncoding.DecodeString(dataKey)
        // Encrypt the generated data key using AES-CBC method
        // Cipher Class use
        block, _ := aes.NewCipher(secretKey)
        cipherText := make([]byte, aes.BlockSize+len(example_json_data))
        iv := cipherText[:aes.BlockSize]
        if _, err := io.ReadFull(rand.Reader, iv); err != nil {
               panic(err)
        }
  
        mode := cipher.NewCFBEncrypter(block, iv)
        mode.XORKeyStream(cipherText[aes.BlockSize:], []byte(example_json_data))
  

        envelope["encryptedKey"] = encryptedDataKey
        envelope["cipherText"] = base64.StdEncoding.EncodeToString(cipherText)
        envelope["iv"] = base64.StdEncoding.EncodeToString(iv)
  
        jsonString, _ := json.Marshal(envelope)
  
        return string(jsonString)
}
  

decryptDataKey() {
        endPoint := fmt.Sprintf(KMS_API_DECRYPT, KEY_ID)
        data := map[string]interface{}{
               "cipherText": sealedKey,
        }
        jsonData, _ := json.Marshal(data)
        respJsonObject := callApi(endPoint, jsonData)
        info := &KMSDecryptInfo{}
        json.Unmarshal([]byte(respJsonObject), info)
  
        return info.DecryptedData
  
}

Python example code

This is a Python example code written according to the presented scenario.

# URI
KMS_API_BASE_URI = {{ Refer to the URL of the OpenAPI guide }}
  
# END POINT
KMS_API_DECRYPT = "/v1/kms/openapi/decrypt/"
KMS_API_CREATE_DATAKEY = "/v1/kms/openapi/datakey/"
  

# KEY ID
KEY_ID = {{Master Key ID}}
    
create_envelop()
    # Request new data key creation
    encrypted_data_key = get_dataKey()

  

    # Data to be encrypted
    example_json_data = {"PASSWORDTEST":"SECRET_CREDENTIALTEST"}
    json_data_str = json.dumps(example_json_data)
     
    # Encrypted Data Envelope(Envelop encryption)
    envelope = encrypt_data(json_data_str,encrypted_data_key)
  
    # In this example code, the encrypted data envelope is saved to a file
    with open("envelope.json", "w") as file:
        file.write(envelope)
  
    
get_dataKey()
    end_point = f"{KMS_API_CREATE_DATAKEY}{KEY_ID}"
    data = {
        "key_type": "plaintext"
    }
    response_object = call_api(end_point, data)
  
    data_key = response_object.get("ciphertext", "")
  
    return data_key
  
  
encrypt_data()
    envelope = {}
    # Data key decryption
    dataKey = decrypt_data_key(encrypted_data_key)
    decoded_data_key = base64.b64decode(dataKey)
  
    # Encrypt the generated data key using AES-CBC
    # Cipher Class use
    iv = get_random_bytes(16)
    cipher = AES.new(decoded_data_key, AES.MODE_CBC, iv)
    data_to_encrypt = obj
    data_bytes = data_to_encrypt.encode()

    padded_data = pad(data_bytes, AES.block_size)
    cipher_text = cipher.encrypt(padded_data).hex()

  
    envelope["encryptedKey"] = encrypted_data_key
    envelope["cipherText"] = cipher_text
    envelope["iv"] = base64.b64encode(iv).decode()
    
    return json.dumps(envelope)
  
decrypt_data_key()
    end_point = f"{KMS_API_DECRYPT}{KEY_ID}"
    data = {}
    data["cipherText"] = sealed_key
    resp_json_object = call_api(end_point,data)
    plaintext = resp_json_object.get("decryptedData")
    return plaintext

Example code output

Displays the result value of the example code.

  {
        "cipherText":"d3S81rzaGAl8U12LlKSlRbDekPlGuibTntXX962KCjBIKuXdPOG8N8vk3Jet8lyG",
        "iv":"0kP7QKZ6BUeQPlThk4tySA==",
        "encryptedKey":"vault:v1:KJjjLtGHTbaV5N8LWC5O9eMDCaJVeff5SM\/MAYseugjiqiXFVgdXaKXg6kym0NmjHkO\/wLPsa+YK0aVk"
    }

## Use envelope encryption

Present a use case for envelope encryption and you can check the example code in Java, Go, Python written according to the scenario and the resulting values.

### Scenario

1. Decrypt the Data Key of the encrypted envelope file.
2. Decrypt the encrypted data of the envelope file using the decrypted Data Key.

### Java Example Code
This is a Java example code written according to the presented scenario.

// URI static String KMS_API_BASE_URI = {{ Refer to the OpenAPI guide URL }}; // END POINT static String KMS_API_DECRYPT = “/v1/kms/openapi/decrypt/%s”; // KEY ID static String KEY_ID = {{Master Key ID}};;

getData() { // Encrypted data envelope(Envelop encryption) String envelope = new String(Files.readAllBytes(Paths.get(“envelope.json”))); JSONParser parser = new JSONParser(); JSONObject envelopeJson = (JSONObject) parser.parse(envelope); String encryptedDataKey = envelopeJson.get(“encryptedKey”).toString(); String cipherText = envelopeJson.get(“cipherText”).toString(); String iv = envelopeJson.get(“iv”).toString();

return decryptData(cipherText, encryptedDataKey, iv);

}

decryptData() { String dataKey = decryptDataKey(encryptedDataKey); IvParameterSpec ivParameterSpec = new IvParameterSpec(decodeBase64(iv)); SecretKey secretKey = new SecretKeySpec(decodeBase64(dataKey), “AES”); Cipher cipher = Cipher.getInstance(“AES/CBC/PKCS5Padding”); cipher.init(Cipher.DECRYPT_MODE, secretKey, ivParameterSpec); byte[] plaintext = cipher.doFinal(decodeBase64(cipherText));

return new String(plaintext);

}

decryptDataKey() { String endPoint = String.format(KMS_API_DECRYPT, KEY_ID); JSONObject data = new JSONObject(); data.put(“cipherText”, sealedKey); JSONObject respJsonObject = callApi(endPoint, data.toJSONString()); String plaintext = (respJsonObject.get(“plaintext”)).toString(); return plaintext; }

### Go example code
This is a Go example code written according to the presented scenario.

// URI
const KMS_API_BASE_URI = {{ Reference the OpenAPI guide URL }}
  
// END POINT
const KMS_API_DECRYPT = "/v1/kms/openapi/decrypt/%s"
  
// KEY ID
const KEY_ID = {{Master Key ID}}
  
getData() {
    // Load encrypted data envelope(Envelop encryption)
    jsonData, _ := os.ReadFile("envelope.json")
    var envelope map[string]interface{}
    if err := json.Unmarshal(jsonData, &envelope); err != nil {
           fmt.Println("JSON parsing error:", err)
           os.Exit(1)
    }
    encryptedDataKey := envelope["encryptedKey"].(string)
    cipherText := envelope["cipherText"].(string)
    iv := envelope["iv"].(string)
  
    return decryptData(cipherText, encryptedDataKey, iv)
}
  
decryptData() {
    dataKey := decryptDataKey(encryptedDataKey)
    ciphertext, _ := base64.StdEncoding.DecodeString(cipherText)
    dataKeyBytes, _ := base64.StdEncoding.DecodeString(dataKey)
    decodedData := ciphertext[aes.BlockSize:]
    ivparam := ciphertext[:aes.BlockSize]
    block, _ := aes.NewCipher(dataKeyBytes)
  
    mode := cipher.NewCFBDecrypter(block, ivparam)
    mode.XORKeyStream(decodedData, decodedData)
    decryptedData := string(decodedData)
  
    return decryptedData
"}
  
decryptDataKey() {
    endPoint := fmt.Sprintf(KMS_API_DECRYPT, KEY_ID)
    data := map[string]interface{}{
           "cipherText": sealedKey,
    }
    jsonData, _ := json.Marshal(data)
    respJsonObject := callApi(endPoint, jsonData)
    info := &KMSDecryptInfo{}
    json.Unmarshal([]byte(respJsonObject), info)
  
    return info.DecryptedData
}

Python example code

This is a Python example code written according to the presented scenario.

# URI
KMS_API_BASE_URI = {{ Refer to the OpenAPI guide URL }}
  

# END POINT
KMS_API_DECRYPT = "/v1/kms/openapi/decrypt/"
  
# KEY ID
KEY_ID = {{Master Key ID}}
    
get_data()
    # Open Encrypted Data Envelope(Envelop encryption)
    with open("envelope.json", "r") as file:
        envelope = file.read()

    envelope_json = json.loads(envelope)
    encrypted_data_key = envelope_json["encryptedKey"]
    cipher_text = envelope_json["cipherText"]
    iv = envelope_json["iv"]
    return decrypt_data(cipher_text, encrypted_data_key, iv)
  
decrypt_data()
    data_key = decrypt_data_key(encrypted_data_key)
    iv_bytes = base64.b64decode(iv)
    decoded_data_key = base64.b64decode(data_key)
    cipher_txt = bytes.fromhex(cipher_text)
  
    cipher = AES.new(decoded_data_key, AES.MODE_CBC, iv_bytes)
    plain_text_bytes = unpad(cipher.decrypt(cipher_txt), AES.block_size)
    plain_text = plain_text_bytes.decode('utf-8')
    return plain_text
    
decrypt_data_key()
    end_point = f"{KMS_API_DECRYPT}{KEY_ID}"
    data = {}
    data["cipherText"] = sealed_key
    resp_json_object = call_api(end_point,data)
    plaintext = resp_json_object.get("decryptedData")
    return plaintext

Example code output

Displays the result value of the example code.

  {"PASSWORD":"SECRET_CREDENTIAL"}

Use Data Signature

It presents a data signature usage scenario to ensure data integrity, and you can check the Java, Go, Python example code and results written according to the scenario.

Scenario

1. Call OpenAPI with the data to be signed and sign it.
2. The signed data is enveloped and saved as a json file.

Java Example Code

This is a Java example code written according to the presented scenario.

// URI
static String KMS_API_BASE_URI = {{ Refer to the OpenAPI guide URL }};
  
// END POINT
static String KMS_API_SIGN = "/v1/kms/openapi/sign/%s";
  
// KEY ID
static String KEY_ID = {{master key ID}};
  
signEnvelop() {
    // signature data envelope(Envelop encryption)
    String envelope = sign();
    // In this example code, the signature data envelope is saved to a file
    File envelopeFile = new File("signEnvelope.json");
    OutputStream os = new BufferedOutputStream(new FileOutputStream(envelopeFile));
  
    try {
        os.write(envelope.getBytes());
    } finally {
        os.close();
    }
}
  
sign() {
    Map<String, String> envelope = new HashMap<>();
  
    String example_credential = "SCP KMS Sign Test!!!";
    String endPoint = String.format(KMS_API_SIGN, KEY_ID);
    JSONObject data = new JSONObject();
    data.put("input", encodeToBase64(example_credential));
  
    JSONObject respJsonObject = callApi(endPoint, data.toJSONString());
  
    envelope.put("signature", respJsonObject.get("signature").toString());
    if(respJsonObject.get("batch_results") != null) {
  
        envelope.put("batch_results", respJsonObject.get("batch_results").toString());
    }
  
    return JSONValue.toJSONString(envelope);
"}

Go example code

This is a Go example code written according to the given scenario.

// URI
const KMS_API_BASE_URI = {{ Reference the OpenAPI guide URL }}
  

// END POINT
const KMS_API_SIGN = "/v1/kms/openapi/sign/%s"
  
// KEY ID
const KEY_ID = {{Master Key ID}}
  

signEnvelop() {
    // signature data envelope(Envelop encryption)
    envelope := sign()
    // In this example code, the signature data envelope is saved to a file
    file, _ := os.Create("signEnvelope.json")
    defer file.Close()
    file.WriteString(envelope)
"}
  
sign() {
    envelope := make(map[string]string)
    example_credential := "SCP KMS Sign Test!!!"
    endPoint := fmt.Sprintf(KMS_API_SIGN, KEY_ID)
    data := map[string]interface{}{
        "input": base64.StdEncoding.EncodeToString([]byte(example_credential)),
    }
    jsonData, _ := json.Marshal(data)
    respJsonObject := callApi(endPoint, jsonData)
    info := &KMSSignInfo{}
    json.Unmarshal([]byte(respJsonObject), info)
  
    envelope["signature"] = info.Signature
  
    jsonString, _ := json.Marshal(envelope)
  
    return string(jsonString)
}

Python Example Code

This is a Python example code written according to the given scenario.

# URI
KMS_API_BASE_URI = {{ Refer to the URL of the OpenAPI guide }}
  
# END POINT
KMS_API_SIGN = "/v1/kms/openapi/sign/"
  

# KEY ID
KEY_ID = {{Master Key ID}}
    
sign_envelop()
    # Signature Data Envelope(Envelop encryption)
    envelope = sign()
  
    # This example code saves the signature data envelope to a file
    with open("signEnvelope.json", "w") as file:
        file.write(envelope)
  
    
sign()
    envelope = {}
  
    example_credential = "SCP KMS Sign Test!!!"
    end_point = f"{KMS_API_SIGN}{KEY_ID}"
    credential_bytes = example_credential.encode('utf-8')
  

    data = {
        "input": base64.b64encode(credential_bytes).decode('utf-8')
    }
  
    resp_json_object = call_api(end_point,data)
  
    envelope["signature"] = resp_json_object.get("signature")
  
    return json.dumps(envelope)

Example code output

Displays the result value of the example code.

  {
    "signature":"vault:v1:qHGf4ALkTao1Yy\/lpSbLQ2l8YVpsHWBP6ic3Ux1BKSodQQxnEIrjPyUwXXQ1NZfGSVxdeVe5Y6kb0nUPNADQpzkOh9\/e8T\/QCOs9==",
    "projectId":"PROJECT-qWrHRJX5sZnTkopcr9N1dk"
}

Data Validation Use

It presents a verification usage scenario for validating data integrity, and you can view the Java, Go, and Python example code and results written according to the scenario.

Scenario

1. Retrieve the signature value of the signed envelope file.
2. Verify the signed data and output the result.

Java example code

This is a Java example code written according to the presented scenario.

// URI
static String KMS_API_BASE_URI = {{ Reference the OpenAPI guide URL }};
  
// END POINT
static String KMS_API_VERIFY = "/v1/kms/openapi/verify/%s";
  
// KEY ID
static String KEY_ID = {{Master Key ID}};
  
getSign() {
    // signature data envelope(Envelop encryption)
    String envelope = new String(Files.readAllBytes(Paths.get("signEnvelope.json")));
    JSONParser parser = new JSONParser();
    JSONObject envelopeJson = (JSONObject) parser.parse(envelope);
    String signature = envelopeJson.get("signature").toString();
  
    return verify(signature);
}
  
verify() {
    String endPoint = String.format(KMS_API_VERIFY, KEY_ID);
    JSONObject data = new JSONObject();
    data.put("input", "U0NQIEtNUyBTaWduIFRlc3QhISE=");
    data.put("signature", signature);
    JSONObject respJsonObject = callApi(endPoint, data.toJSONString());
    String valid = (respJsonObject.get("valid")).toString();
    return valid;
}

Go example code

This is a Go example code written according to the presented scenario.

// URI const KMS_API_BASE_URI = {{ Reference the OpenAPI guide URL }}

// END POINT const KMS_API_VERIFY = “/v1/kms/openapi/verify/%s”

// KEY ID const KEY_ID = {{Master Key ID}}

getSign() { // Load signature data envelope (Envelop encryption) jsonData, _ := os.ReadFile(“signEnvelope.json”) var envelope map[string]interface{} if err := json.Unmarshal(jsonData, &envelope); err != nil { fmt.Println(“JSON parsing error:”, err) os.Exit(1) } signature := envelope[“signature”].(string)

return verify(signature)

}

verify() { endPoint := fmt.Sprintf(KMS_API_VERIFY, KEY_ID) data := map[string]interface{}{ “input”: “U0NQIEtNUyBTaWduIFRlc3QhISE=”, “signature”: signature, } jsonData, _ := json.Marshal(data) respJsonObject := callApi(endPoint, jsonData) info := &KMSVerifyInfo{} json.Unmarshal([]byte(respJsonObject), info)

return info.Valid

}

### Python example code
This is a Python example code written according to the presented scenario.

URI

KMS_API_BASE_URI = {{ Refer to the URL of the OpenAPI guide }}

END POINT

KMS_API_VERIFY = “/v1/kms/openapi/verify/”

KEY ID

KEY_ID = {{Master Key ID}}

get_sign() # Signature data envelope(Envelop encryption) Open with open(“signEnvelope.json”, “r”) as file: envelope = file.read()

envelope_json = json.loads(envelope)
signature = envelope_json["signature"]

return verify(signature)

verify() end_point = f"{KMS_API_VERIFY}{KEY_ID}"

data = {
    "input": "U0NQIEtNUyBTaWduIFRlc3QhISE=",
    "signature": signature
}

resp_json_object = call_api(end_point,data)
valid = resp_json_object.get("valid")

return valid

### Example code output
Displays the result value of the example code.

{ “valid”: true “}

2 - Platform Managed Key

Users can view detailed information of the platform-managed key automatically generated for service provision on Samsung Cloud Platform.

Check detailed information of platform managed key

You can view the full resource list and detailed information of platform-managed keys. Platform Managed Key Details page consists of Details, Operation History tabs.

To view detailed information about the Key Management Service, follow these steps.

1. All Services > Security > Key Management Service Click the menu. Navigate to the Service Home page of Key Management Service.
2. Click the Platform Managed Key menu on the Service Home page. Navigate to the Platform Managed Key List page.
3. Click the resource to view detailed information on the Platform Managed Key List page. You will be taken to the Platform Managed Key Details page.
   • Platform Managed Key Details At the top of the page, status information and descriptions of additional features are displayed.

     Category	Detailed description
     Status	Displays the status of the platform-managed key Active: Available/Enabled

     Table. Platform Managed Key Status Information

Detailed Information

You can view detailed information of the selected resource on the Platform Managed Key List page.

Work History

Platform Managed Key List page allows you to view the operation history of the selected resource.