The page has been translated by Gen AI.

Overview

Service Overview

Key Management Service (KMS) is a service that creates, stores and manages encryption keys conveniently and safely, so that applications can securely protect their important data. Users encrypt and decrypt data with these encryption keys, and the keys themselves are managed reliably in a centralized, hierarchically encrypted key structure.

Provided Function

Key Management Service provides the following functions.

  • Key Management: KMS can create, delete and manage keys. Users can create data keys for encrypting data from a master key created through KMS.
  • Key Authority Management: Access rights to the master key can be controlled and managed based on a user-defined policy.
  • Key Life Cycle Management: Key rotation generates new key material for an existing master key without creating a new key, and the rotation cycle can be set according to customer policy. Key life cycle management protects data from cryptographic threats by deactivating or deleting encryption keys that are no longer in use.

Components

Master Key

The master key is used to generate the data keys that encrypt data. Depending on the purpose, it can be a symmetric key (encryption/decryption with AES, generation/verification with HMAC) or an asymmetric key (encryption/decryption and signing/verification with RSA, signing/verification with ECDSA). With proper master key management, frequently used data keys can be encrypted under the master key so that they are protected during operation.

  • The master key is created by creating a KMS product service in the Samsung Cloud Platform Console.

Data Key

The data key is used to encrypt the actual data. A separate data key is created for each target service that performs encryption, so that even if one data key is leaked, services encrypted with other data keys are not affected.
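The master key / data key hierarchy and key rotation described above, as an added Go example that is not Samsung Cloud Platform's own code or API: the master key wraps a per-service data key, the data key encrypts the data, and rotating the master key only re-wraps the small data key while the data ciphertext stays as it is. Keys are assumed to be 32 bytes (AES-256-GCM); SCP's actual wrapping format is not reproduced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16/24/32-byte key selects AES-128/192/256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key with AES-GCM; a fresh random nonce is prepended.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // never returns an error since Go 1.24; it aborts on failure
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; the GCM tag rejects a wrong key or a modified ciphertext.
func Open(key, sealed []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// RotateMaster re-wraps a data key under a new master key; data ciphertext is untouched.
func RotateMaster(oldMaster, newMaster, wrapped []byte) ([]byte, error) {
	dataKey, err := Open(oldMaster, wrapped)
	if err != nil {
		return nil, err
	}
	return Seal(newMaster, dataKey)
}
```

A leaked data key exposes only the service it was issued to, and a compromised old master key version cannot unwrap keys re-wrapped under the new version.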

HSM (Hardware Security Module)

The root key of the KMS system area is stored in an HSM (Hardware Security Module) that complies with the FIPS 140-2 Level 3 standard. Master keys are created from this root key and are securely distributed and protected within KMS.

Limitations

Samsung Cloud Platform's Key Management Service limits the number of keys that can be created as follows.

Item                          Detailed Description                                                              Allocation Amount
KMS Key                       Number of KMS Keys created per region                                             10000
KMS Validation Password Key   Number of public authentication algorithm keys that can be created per account    100

Table. Key Management Service Restrictions

Reference
  • KMS keys created by region services can only be used within the region.
  • The constraints of the public certification algorithm Key only apply to the SCP Sovereign.

Preceding service

Key Management Service has no preceding service.
