Key Management Service overview

Available in Classic and VPC

Key Management Service is a service of NAVER Cloud Platform that provides essential cryptographic key management functions for encryption operations and implementation. It allows you to securely protect your confidential data using keys that are strictly managed in a high availability system. You can easily manage key usage permissions and statuses through NAVER Cloud Platform console, and utilize the functionalities programmatically using the provided REST APIs.

Key Management Service features

Key Management Service offers the following features:

• Data protection: conveniently and effectively protects all data requiring confidentiality, including credential data.
• Signing and validation: provides signing and verification functions for authentication and non-repudiation.
• Strict access control: easily control permissions through key manager or key user roles, or control detailed permissions by specifying specific actions.
• Key lifecycle management: prepare for security threats through key renewal, disabling, and revocation according to recommended standards.
• Hierarchical key management: allows hierarchical operation of encryption keys, making it easy to apply the enveloping (envelope encryption) method.
• Key auditing: all key usage history is recorded, allowing for periodic management and monitoring through regular history backups, which can also be used as audit trails.
• REST API: all functions are provided as REST APIs, allowing key management and encryption/decryption requests to be processed programmatically.

Key Management Service user guide

Key Management Service is available in the Korea Region, U.S. Region, Singapore Region, Japan Region, and Germany Region. The same service is provided in each Region. This guide will walk you through the information you need to start using the Key Management Service.

• Key Management Service overview: Key Management Service introduction, helpful resources, and FAQs
• Key Management Service concepts: guidance on key concepts such as encryption, key lifecycle, and envelope encryption that help in using Key Management Service
• Prerequisites for using Key Management Service: information on required specifications, precautions, and pricing plans for using Key Management Service
• Key Management Service quickstart: guides you through the entire process step-by-step
• Getting started with Key Management Service: instructions on how to start using Key Management Service
  • Manage subscriptions: how to request or cancel subscriptions for Key Management Service on NAVER Cloud Platform console
• Using Key Management Service: instructions on how to create and manage keys in Key Management Service
• Key Management Service examples: various examples, descriptions, and usage methods to help with using Key Management Service
• Key Management Service permissions management: guide on how to manage Key Management Service permissions using Sub Accounts
• Key Management Service glossary: familiarize yourself with key terms and definitions
• Key Management Service release notes: see documentation history for Key Management Service user guide

Key Management Service related resources

NAVER Cloud Platform provides a variety of related resources as well as user guides to help customers better understand Key Management Service. If you are a developer or marketer in need of detailed information while you are considering adopting Key Management Service to your company or establishing data related policies, then please make good use of the following resources:

• Improvement in comprehension and usage methods for Key Management Service
  • Key Management Service API guide: API usage methods for Key Management Service developers
  • Pricing information, characteristics, detailed functions: a summary of pricing, characteristics and detailed functions of Key Management Service
  • Latest service news: latest news on Key Management Service
  • FAQs: frequently asked questions from Key Management Service users
  • Contact us: send direct inquiries in case of any unresolved questions that are not answered by the user guide
• Guides for integrated services required for the use of Key Management Service
  • Sub Account guide: how to use Sub Accounts that help manage operation authorities of Key Management Service
  • API Gateway guide: how to use API Gateway, which is necessary for calling Key Management Service API

Check FAQs first.

You can have your questions answered quickly by referring to the answers in the FAQ before reading the user guide. If you haven't found the answer to your question in the following FAQ, search the user guide to find related contents.

Q. Why must we use key sealing or envelope encryption?
A. It ensures data confidentiality, and complete control over data can only be guaranteed when access control to encryption keys is accurately maintained. While Key Management Service strictly manages encryption keys through a centralized system. However, there are concerns about potential key leakage by the key management service provider since encryption keys are stored in the central system, which could weaken data control. "Envelope encryption" is the method used to address these issues. This method does not directly store the key that encrypts the data, but instead manages a higher-level key that seals (or wraps) that key once more. Therefore, it is recommended as it satisfies both key management and guarantee of data control.

Q. Even if data control is guaranteed, is there no possibility that system administrators could arbitrarily use user keys without authorization?
A. Entrusting encryption keys to third parties means that threats to key confidentiality may increase. Even with the most secure and trustworthy third party, the existence of such threats cannot be denied. However, by using envelope encryption to separately and hierarchically manage the key that encrypts the data and the higher-level key that protects it, these threats can be significantly reduced. In other words, even if internal administrators of the key management system maliciously access user keys, they only manage sealed higher-level keys rather than the keys that encrypt data, making it difficult to access data without authorization. Furthermore, Key Management Service is designed to have multiple administrators manage the system root key in a distributed manner, preventing unauthorized key usage by a small number of malicious administrators.

Q. Can I directly receive the keys I have generated?
A. Keys managed by Key Management Service are processed only within the internal core system, so they cannot be extracted. Whether it's the customer who generated the key or an internal system administrator, it is impossible to access and view the actual key data (Raw key).

Q. What happens if I accidentally delete a user key or lose a sealed key?
A. Access to encrypted data is determined by the key. If a key is leaked, the data is leaked, and if a key is lost, the data can no longer be accessed. Similarly, in envelope encryption, if a user key is deleted or a sealed key is lost, the data becomes unusable. Therefore, key deletion in Key Management Service must be done very carefully, and sealed keys must be thoroughly managed to prevent loss. In envelope encryption, it is recommended to store encrypted data together with the sealed key.

Q. What happens if keys managed by Key Management Service are lost or damaged due to system errors or various disasters and calamities?
A. User keys within Key Management Service are stored encrypted with root keys, and the encrypted keys are thoroughly backed up. Severe system errors, disasters, and calamities are classified as special exceptions, and key data recovery procedures are carried out according to KMS DR (Disaster Recovery) policy under the approval of NAVER Cloud's Chief Information Security Officer (CISO). Backup data sealed in secure storage media is individually delivered to administrators, unsealed, and then decrypted. Afterward, the procedure follows restarting the system, updating with new keys, and resealing. All procedures are conducted transparently in the presence of a third-party security auditor.