The page has been translated by Gen AI.

Overview

Service Overview

Key Management Service (KMS) creates encryption keys and stores and manages them securely so that an application's critical data can be protected. The user encrypts and decrypts data with an encryption key, and that key is itself protected by a centrally managed, hierarchical key system in which each key is protected by the key above it.

Provided Features

Key Management Service provides the following features.

  • Key management: KMS creates, deletes, and manages customer-managed keys (master keys). The user generates the data keys that encrypt data by using a master key created in KMS.
  • Key permission management: usage permissions for master keys are controlled and managed through custom policies.
  • Key lifecycle management: key rotation generates new key material as a new version of a master key without creating a new key, and the rotation interval can be set according to customer policy. Lifecycle management deactivates or deletes encryption keys that are no longer used, so that unused key material does not remain exposed and data stays protected.
  • Platform-managed key: when another Samsung Cloud Platform product uses a KMS key for encryption, the CSP (cloud service provider) creates a platform-managed key and performs the encryption, so the user does not need to create a key in KMS directly.

Component

Master key

The master key is used to generate the data keys that encrypt data. Depending on the purpose, you can create a symmetric key (AES for encryption/decryption, HMAC for generation/verification) or an asymmetric key (RSA for encryption/decryption and signing/verification, ECDSA for signing/verification). The master key encrypts (wraps) the data keys, so the data keys that are used frequently during operation are protected while stored.

  • A master key is created through the KMS product service in the Samsung Cloud Platform Console.

Data key

The data key encrypts the actual data and is generated separately for each target service that performs encryption. Consequently, even if a single data key is compromised, services encrypted with other data keys are not affected.

HSM (hardware security module)

The HSM stores the root key of the KMS system domain. The master key is generated from the root key held in an HSM (Hardware Security Module) that complies with FIPS 140-2 Level 3, and is securely distributed to and stored in KMS for protection.

Constraints

The Key Management Service of Samsung Cloud Platform limits the number of keys that can be created and the number of rotations as follows.

Item | Detailed description | Quota
KMS Key | Number of KMS keys that can be created per region | 10,000
KMS public authentication algorithm key | Number of public (asymmetric) authentication algorithm keys that can be created per account | 100
KMS Key rotation | Number of versions that can be generated by rotating a customer-managed key. Each rotation produces a new key version, and up to the 100th version is supported regardless of the encryption algorithm. After rotation, data encrypted with a previous key version can still be decrypted, so compatibility is maintained. | 100
Table. Key Management Service constraints
Reference
  • Keys created in KMS, which is a regional service, can be used only within the region where they were created.
  • The limit on public authentication algorithm keys applies only to the KR SOUTH region.
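The master key / data key relationship described under Component, and the version compatibility after rotation described in the constraints table, as an added example in Go. This is not code from the original page and not Samsung Cloud Platform's own SDK or API: it simulates a symmetric customer-managed master key in memory purely so the flow can run offline, whereas in the real service the master key material stays inside KMS and its HSM-rooted hierarchy and a client only ever sees the plaintext and wrapped forms of a data key. The wrapped-key layout (a version prefix bound as AES-GCM additional data), the function names and the 100-version quota check are assumptions of this example, not the service's wire format or behaviour.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// MaxKeyVersions mirrors the rotation quota on this page: 100 versions per key.
const MaxKeyVersions = 100

// MasterKey simulates a symmetric (AES-256) customer-managed key. Real KMS key
// material never leaves the service/HSM; it is held in memory here (assumption
// of this example) only so the envelope and rotation flow runs stand-alone.
type MasterKey struct {
	versions map[uint32][]byte // version number -> 32-byte AES key
	current  uint32            // version that new data keys are wrapped under
}

// randBytes returns n CSPRNG bytes; a failing OS RNG is not recoverable here.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewMasterKey creates a master key with a single version (1).
func NewMasterKey() *MasterKey {
	mk := &MasterKey{versions: map[uint32][]byte{}}
	_ = mk.Rotate() // cannot hit the quota on an empty key
	return mk
}

// Rotate adds new key material as the next version and keeps earlier versions,
// so data keys wrapped under them still unwrap. The version quota is enforced.
func (mk *MasterKey) Rotate() error {
	if len(mk.versions) >= MaxKeyVersions {
		return errors.New("rotation quota reached: 100 key versions exist")
	}
	mk.current++
	mk.versions[mk.current] = randBytes(32)
	return nil
}

func (mk *MasterKey) CurrentVersion() uint32 { return mk.current }

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || AES-256-GCM ciphertext; aad is authenticated only.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails if nonce, ciphertext or aad were modified.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

// GenerateDataKey returns a fresh 256-bit data key and the same key wrapped
// under the current master key version. Wrapped layout (this example's own):
// 4-byte big-endian version || nonce || ciphertext, with the version bound as
// AAD so a wrapped key cannot be re-labelled to a different version.
func (mk *MasterKey) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = randBytes(32)
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, mk.current)
	body, err := seal(mk.versions[mk.current], plain, hdr)
	if err != nil {
		return nil, nil, err
	}
	return plain, append(hdr, body...), nil
}

// UnwrapDataKey recovers a data key wrapped under any retained version.
func (mk *MasterKey) UnwrapDataKey(wrapped []byte) ([]byte, error) {
	if len(wrapped) < 4 {
		return nil, errors.New("wrapped data key too short")
	}
	key, ok := mk.versions[binary.BigEndian.Uint32(wrapped[:4])]
	if !ok {
		return nil, errors.New("unknown master key version")
	}
	return open(key, wrapped[4:], wrapped[:4])
}

// EncryptData is envelope encryption: a per-call data key encrypts the payload;
// the plaintext data key is discarded and only its wrapped form is stored.
func EncryptData(mk *MasterKey, payload []byte) (wrappedDEK, ciphertext []byte, err error) {
	dek, wrappedDEK, err := mk.GenerateDataKey()
	if err == nil {
		ciphertext, err = seal(dek, payload, nil)
	}
	return wrappedDEK, ciphertext, err
}

// DecryptData unwraps the data key through the master key, then decrypts.
func DecryptData(mk *MasterKey, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := mk.UnwrapDataKey(wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext, nil)
}

func main() {
	mk := NewMasterKey()
	wrapped, ct, _ := EncryptData(mk, []byte("customer record #42")) // constructed sample payload
	_ = mk.Rotate()                                                   // master key is now version 2
	pt, err := DecryptData(mk, wrapped, ct)                           // wrapped under v1, still decrypts
	fmt.Printf("version=%d plaintext=%q err=%v\n", mk.CurrentVersion(), pt, err)
}
```

Two points the example makes concrete: rotation keeps the old versions, so an envelope wrapped under version 1 still opens after the key moves to version 2, and nothing existing is re-encrypted by rotation; if ciphertext must end up under the new version, the service has to decrypt and re-encrypt it itself. Binding the version prefix as GCM additional data also means a stored wrapped key that is edited to point at another version fails authentication rather than being decrypted with the wrong material.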

Preceding Service

Key Management Service has no prerequisite service.
