Key Management Service glossary


Available in Classic and VPC

Familiarize yourself with a few key terms before using Key Management Service. The terms and their descriptions are as follows:

Key Management Service administrator

A sub account that has been granted the NCP_KMS_MANAGER managed policy through Sub Account.

Symmetric Key-based Encryption

An encryption type that uses the same key for encryption and decryption. Ciphertext and plaintext are produced by repeatedly applying substitution and transposition to the data bits. Symmetric key encryption is generally used to ensure data confidentiality.

Data Key (or data encryption key)

The key applied directly to data encryption. This is a key that you store yourself; this guide refers to it as a data key, data encryption key, DEK, and so on.

Root key

The system's highest-level key, which protects the KMS system. All key data in KMS is encrypted with the root key before it is stored.

Raw key

Key data used for actual encryption and decryption. For example, when AES-256 encryption is used, a 256-bit raw key is input to the encryption algorithm.

Decryption

The process of converting ciphertext transformed through encryption back to original data (plaintext).

Seal

The act of encrypting data keys or credentials.

Asymmetric Key-based Encryption

An encryption type that uses different keys for encryption and decryption of data (the public key encryption type). Ciphertext and plaintext are produced by mathematical computation on the data and the keys, and the keys form a pair: one value that can be made public and another that must be kept secret.

User-managed key (or key)

A key that customers create and manage in KMS. Under no circumstances, not even for system operators, can the key value be viewed directly or exposed outside the KMS system, and it is generally recommended for sealing data keys or credentials. The KMS guide refers to it as the key or master key.

Encryption

The process of converting data (plaintext) into information that is meaningless without the key (ciphertext) by scrambling it with a key.

Credentials

All data used for authentication, including not only data keys but also passwords and the private keys of certificates.

Key Store

A key storage space, one per Key Management Service customer. All keys a customer creates are generated in that customer's own key store, and each key store is logically isolated and managed separately. Key stores are accessed and managed through the Key Management Service console.

Rotation

The process of renewing keys to protect against various cryptographic threats.
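How the data key, the master key, sealing and rotation fit together, as an added example in Go; it is not code from this guide or from the KMS service. Local AES-GCM stands in for the KMS seal and unseal calls, and the function names are assumed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// aeadFor builds an AES-GCM instance from a 16/24/32-byte raw key.
func aeadFor(rawKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(rawKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts secret (a data key or credential under a master key, or data under a data key); the random nonce is prepended.
func Seal(key, secret []byte) ([]byte, error) {
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error (Go 1.24+)
	return aead.Seal(nonce, nonce, secret, nil), nil
}

// Unseal reverses Seal; the GCM tag makes it fail on a wrong key or a tampered blob.
func Unseal(key, sealed []byte) ([]byte, error) {
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed blob too short")
}

// Rotate re-seals a data key under a new master key; data encrypted with the data key is untouched.
func Rotate(oldMaster, newMaster, sealed []byte) ([]byte, error) {
	dek, err := Unseal(oldMaster, sealed)
	if err != nil {
		return nil, err
	}
	return Seal(newMaster, dek)
}
```

Rotating the master key only rewraps the sealed data key; the ciphertext produced with the data key itself does not need to be re-encrypted.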

Boundary

Physical scope of key usage and storage.

Isolation

Setting a boundary to limit the physical scope of key usage and storage.

Note

For more information on terms, see Glossary on the NAVER Cloud Platform portal.