Using Key Management Service

    Available in Classic and VPC

    Keys created in Key Management Service are managed directly by the user; depending on your permissions, you can manage them and use them for encryption/decryption and signing/verification. Permission settings are required to create and manage keys in Key Management Service. For more information, see the Managing Key Management Service permissions guide.

    Note

    The encryption/decryption and signing/verification features using created keys are provided as Key Management Service APIs. Key Management Service APIs are called through the API Gateway. For detailed instructions, see the Key Management Service API guide and the API Gateway user guide.

    Key Management Service page

    The basics of using Key Management Service are as follows.

    (Screenshot: kms-use_01_en)

    Area: Description
    • ① Menu name: service name and number of keys created
    • ② Basic features: create keys, check key details, refresh the page
    • ③ Key management features: rotate a key, change key status (deactivate, activate), delete a key, check key history
    • ④ Key list: view the key list and details, manage automatic rotation and the rotation cycle, set whether to activate keys by version, and enter a memo

    View Key list

    You can view key-specific information in the key list. Take the following steps to view them.

    1. From the NAVER Cloud Platform console's Region menu, click and select the region you're using.
    2. From the Platform menu, click and select either VPC or Classic.
    3. Click the Services > Security > Key Management Service menus, in that order.
    4. When the key list appears, check the summarized information or click a key to check the detailed information.
      (Screenshot: kms-use_02_en)
      • Key name: a unique name for the created key
      • Usage: a created key has one of three usages: encryption/decryption, signing/verification, or encryption/decryption and signing/verification
        • Encryption/decryption: for symmetric-key encryption (AES256-GCM96). It can encrypt up to 32 KB of data and is mainly used to seal credentials
        • Encryption/decryption and signing/verification: for asymmetric-key encryption and signing/verification (RSA-2048). It can encrypt up to 190 B of data, or sign and verify up to 8 KB of data
        • Signing/verification: for asymmetric-key signing/verification (ECDSA-P256). It can be used to sign and verify data up to 8 KB in size
      • Status: the availability of the created key and the date it was most recently used. For more information on the status, see Key status
      • Generation date: the date the key was created
      • Key tag: a unique identifier that, together with the key name, distinguishes keys; it is used when calling the encryption/decryption feature through the REST API
      • Convergent encryption: whether convergent encryption is applied
      • Type: the type of encryption used by the key
      • Current version: the current version of the key
        • Version list icon: click it to view the complete list of versions belonging to the key, view the creation date of each version, and change the status. For more information, see Manage key version
          (Screenshot: kms-use_03_en)
      • Automatic rotation: automatic rotation status of the key
      • Rotation cycle (next rotation date): how often in days the key will be automatically rotated if the key is set to automatic rotation
      • Number of uses: the number of times the encryption/decryption feature has been called with the key (the same as the number of client REST API calls)
      • Memo: additional information and description about the key
    Note

    Key tags are not treated as confidential information.

    Key status

    Key Management Service allows you to create and manage up to 100 versions of a key. The status of a key is inherited by all of its versions. For example, if a key with 3 versions is switched to the disabled status, all 3 versions are disabled. If the key is reactivated and becomes available again, each version automatically returns to the status it had before.

    Note

    For a more detailed concept of key status over the life cycle, see Key Management Service concept.

    Each status of a key is described below.

    • Created
      When a key is requested to be created, it is securely created and given a unique identifier, following key generation procedures in accordance with key management recommendations. Once the key has been given an identifier, it is securely stored in encrypted storage, and a backup point is created for emergency.

    • Available
      A key that can be used for all encryption/decryption requests. Created keys are automatically activated and put into the available state, and can be deactivated at any time to stop using them. Keys in the available state are subject to billing for management.

    • Disabled
      A key that has been deactivated and is no longer in use, and can be reactivated at any time to return it to the Available state. To remain available at all times, keys in the disabled state follow a rotation cycle. This means that even if a key is in the disabled state, it will be renewed with a new version by performing a rotation as scheduled on the next rotation date. A key in the disabled state cannot be used for encryption/decryption requests. Keys in the disabled state are subject to billing for management.

    • Delete requested
      A key that is no longer in use and has been requested to be deleted by a user to reduce misuse and unnecessary maintenance. Keys in the delete requested status are permanently deleted 72 hours after the user's request to delete the keys. Keys deleted at the user's request cannot be recovered. When requesting a deletion, you should do so carefully, ensuring that the key is no longer in use.
      However, you can cancel the deletion request before final deletion, and a key with a canceled deletion request is immediately placed in a disabled status. As with the disabled status, keys in the delete requested status are on a rotation cycle and are subject to billing for management. If no users are using the key, you can also click the [Delete now] button to permanently delete the key immediately.

    • Deleted
      A key that is permanently deleted and cannot be viewed by the user. Even within Key Management Service, the key is deleted, and you can only request management information such as the key's information and usage history through Customer Support > Contact Us in NAVER Cloud Platform. The management information of the deleted key is maintained for 1 year and then deleted.

    The availability of basic features varies depending on the key status. The information of available basic features by status is as follows.

    Status: Manage key permissions | Rotate keys | Deactivate/activate keys | Request key deletion/cancel key deletion | View key history (O: available, X: not available)
    • Available: O | O | Deactivate: O | O | O
    • Disabled: O | X | Activate: O | O | O
    • Request deletion: X | X | X | Cancel key deletion: O | O
    • Deleted: - | - | - | - | -

    Key state must be managed carefully, and deactivation/activation and deletion request features that result in a status change should be proceeded with caution. Because user monitoring is required to ensure that key status remains secure, the console sends a key status change notification email to authorized subaccounts when key status changes. Users can check the key status in real time through the change notification email.

    Create keys

    You can generate an unlimited number of user-managed keys. However, you need to create them carefully because you will be charged based on the number of keys created. Take the following steps to create a key.

    1. From the NAVER Cloud Platform console's Region menu, click and select the region you're using.
    2. From the Platform menu, click and select either VPC or Classic.
    3. Click the Services > Security > Key Management Service menus, in that order.
    4. Click the [Create keys] button.
    5. When the Create keys page appears, enter the required information.
      • Key name: enter 3 to 15 characters using English letters, numbers, and the special characters '-' and '_'. The first character must be an English letter, and the name must not duplicate another key name in your keystore
      • Usage: click to select encryption/decryption (AES-256), encryption/decryption and signing/verification (RSA-2048), or signing/verification (ECDSA)
      • Encryption type: if you selected encryption/decryption (AES-256) as the usage, click whether to apply convergent encryption, which always produces the same ciphertext for the same plain text. If you select convergent encryption, the Context parameter is required when calling the encryption/decryption feature. For more information, see the caution box
      • Rotation type: click automatic rotation status
      • Rotation period: enter between 1 and 730 days (default: 90 days)
      • Memo: enter 100 characters or less
    6. Click the [Create keys] button.
    Note

    Convergent encryption: the Context is used to derive, from the seed key, the key and initialization vector (IV) actually used for encryption/decryption. If an incorrect Context is entered, the data will not be decrypted. With convergent encryption, the same plain text always produces the same ciphertext, because the same key and IV are used each time the Context is the same. Encrypting many plain texts under the same Context can be cryptographically weak; for secure encryption, we recommend varying the Context appropriately per data item. Without convergent encryption, no additional Context input is required because all values are derived randomly, but a different ciphertext is produced each time, even for the same plain text. The convergent encryption setting cannot be changed after the key is created.

    Manage key permissions

    Note

    As of November 23, 2023, the key permission management feature provided by Key Management Service will be changed to detailed permission management through Sub Account. Role-based key permissions that were already in use will be migrated to policies of the same level. For more information, see the Managing Key Management Service permissions guide.

    Permissions to use Key Management Service are managed through Sub Account. Key Management Service permissions can be managed using System Managed policies that are predefined in Sub Account of NAVER Cloud Platform or User Created policies that you set detailed permissions for yourself.

    Assign System Managed policies to a sub account

    Note

    The sub account needs permission to add Sub Account permissions. For more information, see Sub Account use guide.

    1. Click the Management & Governance > Sub Account > Sub Accounts menu.
    2. Select the sub account to which you want to assign the policy.
    3. Click [Add individual permission] on the Policy tab.
    4. Search for and add the NCP_KMS_MANAGER permission.

    Assign a User Created policy to a sub account

    Note

    The sub account needs permission to add Sub Account permissions. For more information, see Sub Account use guide.

    1. Click the Management & Governance > Sub Account > Policies menu.
    2. Click the [Create policy] button.
    3. Under [Service] in [Policy target], select Key Management Service.
    4. Select the permissions you want to assign.
    5. If you want to assign permissions by key, enable [Specify resource] and select a key resource.
    6. Click [Add target] to add the target.
    7. When you are finished specifying key resources, click [Create] to complete the policy creation.
    8. Click the Management & Governance > Sub Account > Sub Accounts menu.
    9. Select the sub account to which you want to assign the policy.
    10. Click [Add individual permission] on the Policy tab.
    11. Search for and add the policy you created in step 7.

    Manage key version

    For security purposes, you can manage key versions. All encryption keys have a recommended expiration date due to the existence of various security threats. Therefore, it's recommended that you renew with a new key before the expiration date to protect against security threats. In the Key Management Service, the actual "key value" used for encryption/decryption is differentiated by version, and renewing a key version has the same effect as renewing a key. A key, identified by a key tag, can have up to 100 versions internally.

    Rotate keys

    To renew key versions in the Key Management Service, use the Rotate keys feature. The first key created has a version of 1 and is renewed with each subsequent rotation, allowing you to have up to 100 versions. After 100 key rotations, the key can no longer be rotated and must be replaced with a new key.

    There are two types of key rotation: automatic rotation, performed automatically on a set rotation cycle, and manual rotation, performed by the user on demand. Each is described below.

    • Automatic rotation: performs a rotation automatically every set rotation cycle.
    • Manual rotation: performs a rotation manually on user's demand. Manual rotation does not affect the next automatic rotation schedule. For example, if a key with a 90-day automatic rotation cycle performs a manual rotation with 10 days remaining until the next rotation, the automatic rotation will occur as scheduled after 10 days.
    Caution
    • Keys without automatic rotation can be vulnerable because they won't be rotated unless you manually perform a rotation. You take full responsibility for periodic key renewal and management for safety.
    • The following are precautions after key rotation.
      • Encryption is only possible with the most recent version of a key, so once a key is rotated to a newer version, the older version can no longer be used for encryption, only for decryption.
      • When a key is rotated to a new version, we recommend that users of the previous version re-encrypt their data with the new version as soon as possible and deactivate the previous version. For how to use the API for re-encryption, see Re-encrypt.
      • When decrypting, you must specify the correct version to get the correct result. If you arbitrarily change the version prefix (e.g. ncpkms:v1) in the ciphertext, decryption will not be handled correctly.
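    The convergent-encryption note and the rotation caveats above, modelled in Go as an added example (not NAVER Cloud Platform's own code): the per-version key and IV are derived from a seed key and the Context, ciphertexts carry the ncpkms:v<N> prefix, and decryption follows that prefix so older versions still decrypt while only the newest version encrypts. The KeyRing type, the HMAC-SHA256 derivation and the base64 body layout are assumptions; the page does not document the service's real KDF or ciphertext format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strconv"
	"strings"
)

// KeyRing is a local, illustrative model of one convergent KMS key (not the service's code); seeds[i] is version i+1's seed.
type KeyRing struct{ seeds [][]byte }

// Rotate adds a new version; only the newest version encrypts, older ones only decrypt.
func (k *KeyRing) Rotate() int {
	seed := make([]byte, 32)
	rand.Read(seed) // crypto/rand; the error check is omitted for brevity
	k.seeds = append(k.seeds, seed)
	return len(k.seeds)
}

// aead derives a version's AES-256 key and 12-byte IV from its seed and the Context via HMAC-SHA256 (a stand-in KDF).
func (k *KeyRing) aead(version int, context []byte) (cipher.AEAD, []byte) {
	prf := func(label string) []byte {
		m := hmac.New(sha256.New, k.seeds[version-1])
		m.Write([]byte(label))
		m.Write(context) // same seed and Context -> same key and IV -> same ciphertext
		return m.Sum(nil)
	}
	block, _ := aes.NewCipher(prf("key")) // 32-byte output -> AES-256
	gcm, _ := cipher.NewGCM(block)
	return gcm, prf("iv")[:gcm.NonceSize()]
}

// Encrypt uses the newest version and prefixes "ncpkms:v<N>:" as on the page; the base64 body layout is assumed.
func (k *KeyRing) Encrypt(plaintext, context []byte) (string, error) {
	v := len(k.seeds)
	if v == 0 {
		return "", errors.New("key has no version yet; call Rotate first")
	}
	gcm, iv := k.aead(v, context)
	body := base64.StdEncoding.EncodeToString(gcm.Seal(nil, iv, plaintext, nil))
	return "ncpkms:v" + strconv.Itoa(v) + ":" + body, nil
}

// Decrypt honours the version prefix, so older versions still decrypt after a
// rotation; a wrong Context or an edited prefix fails GCM authentication.
func (k *KeyRing) Decrypt(ciphertext string, context []byte) ([]byte, error) {
	p := strings.SplitN(strings.TrimPrefix(ciphertext, "ncpkms:v"), ":", 2)
	v, err := strconv.Atoi(p[0])
	raw, derr := base64.StdEncoding.DecodeString(p[len(p)-1])
	if err != nil || derr != nil || v < 1 || v > len(k.seeds) {
		return nil, errors.New("malformed ciphertext or unknown key version")
	}
	gcm, iv := k.aead(v, context)
	pt, err := gcm.Open(nil, iv, raw, nil)
	if err != nil {
		return nil, errors.New("decryption failed: wrong key version or Context")
	}
	return pt, nil
}
```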

    Manual rotation

    If you determine that a security threat to your key has occurred, or at your discretion, you can renew it immediately with a manual rotation. The following is how to manually rotate a key to renew it to a new version.

    1. From the NAVER Cloud Platform console's Region menu, click and select the region you're using.
    2. From the Platform menu, click and select either VPC or Classic.
    3. Click the Services > Security > Key Management Service menus, in that order.
    4. Click to select the keys you want to manually rotate, then click the [Rotate keys] button.
    5. When the Rotate now pop-up window appears, click the [Confirm] button.
    6. Check the updated version information from the Current version.
      (Screenshot: kms-use_05_en)

    Automatic rotation

    The following is how to set up automatic rotation so that the key is automatically renewed with a new version at regular intervals.

    1. From the NAVER Cloud Platform console's Region menu, click and select the region you're using.
    2. From the Platform menu, click and select either VPC or Classic.
    3. Click the Services > Security > Key Management Service menus, in that order.
    4. Click to select the key you want to rotate automatically, then click Automatic rotation.
    5. To set the automatic rotation period, click the [Edit] button for Rotation Period (Next Rotation Date).
      (Screenshot: kms-use_06_en)
    6. When the Change rotation period pop-up window appears, enter a rotation period.
      • Enter between 1 and 730 days (default: 90 days)
      • The next rotation date is updated immediately after the change
    7. Click the [OK] button.

    Deactivate/activate keys

    You can change a normal key in use to an inactive status for certain reasons or at your discretion, or change an inactive key back to an active status. You can set key activation status as follows.

    1. From the NAVER Cloud Platform console's Region menu, click and select the region you're using.
    2. From the Platform menu, click and select either VPC or Classic.
    3. Click the Services > Security > Key Management Service menus, in that order.
    4. Click to select the key whose activation status you want to set, and then proceed as follows.
      • To change the key from active to inactive: click the [Deactivate keys] button
        • Deactivate keys pop-up window: if the key to be deactivated has a usage history, check the recent usage history in the pop-up window and click the [Deactivate] button
      • To change the key from inactive to active: click the [Activate keys] button
    5. Check the changed key status in the key list.
      • Disabled: a key that has been deactivated and is no longer in use, and can be reactivated at any time to return it to the Available state. To remain available at all times, keys in the disabled state follow a rotation schedule.
      • Available: a key that can be used for all encryption/decryption requests.
    Caution

    When deactivating a key, users who were using that key will be unable to use it, so be careful when setting it up.

    Delete keys

    You can request deletion of a key that is no longer in use. Keys requested for deletion will be permanently deleted after a 72-hour waiting period. Keys requested for deletion will be placed in a pending deletion state and will not be available for encryption/decryption requests, just like in a disabled status. If you don't need to wait for deletion, you can delete it immediately. For example, if the key doesn't have a user, it can be deleted immediately without waiting 72 hours because deleting it won't cause any data loss.

    Caution

    Once deleted, the key is permanently deleted and can't be restored, so please choose carefully. Especially in the case of [Delete now], the key is deleted immediately and cannot be canceled.

    To cancel a deletion request for a key that is pending deletion, click the [Cancel key deletion] button before the 72-hour waiting period has elapsed. After clicking the button, the deletion request will be canceled and the key will be immediately placed in the disabled status. If you want to use the key again, you can switch it to active status.
    Take the following steps to delete keys.

    1. From the NAVER Cloud Platform console's Region menu, click and select the region you're using.
    2. From the Platform menu, click and select either VPC or Classic.
    3. Click the Services > Security > Key Management Service menus, in that order.
    4. Click to select the keys you want to delete, then click the [Request key deletion] button.
    5. When the Request key deletion pop-up window appears, click the [Request deletion] button.
      • Caution pop-up window: if the key to be deleted has a usage history, check the recent usage history in the pop-up window and click the [Request deletion] button
        (Screenshot: kms-use_07_en)
    6. Check the key status that changed after the deletion request in the key list.
      • Pending deletion: a deletion request has been received, and the key is waiting 72 hours for complete deletion
    7. If you want to delete the key immediately instead of on the scheduled deletion date shown in the status field, click the [Delete now] button.
      (Screenshot: kms-use_08_en)

    View key history

    To protect against a variety of security threats, you can view the full usage history of your keys to monitor whether they're being used appropriately. The following describes how to view the key history.

    1. From the NAVER Cloud Platform console's Region menu, click and select the region you're using.
    2. From the Platform menu, click and select either VPC or Classic.
    3. Click the Services > Security > Key Management Service menus, in that order.
    4. Click to select the key whose usage history you want to view, and then click the [View key history] button.
    5. When the Usage history pop-up window appears, confirm the information you need.
      (Screenshot: kms-use_09_en)
      • IP: IP address and access information for the account (subject) that performed the action
      • Date: the date the action was performed
      • Task: the content of the action performed
      • Result: the success or failure of the action performed
      • Account: ID of the account that performed the task
