Using Key Management Service

Available in Classic and VPC

Keys created in Key Management Service can be managed directly by users. Keys can be managed according to their usage permissions and roles, and can be used for encryption/decryption and signature/verification. To create and manage keys in Key Management Service, you need to set up additional console access permissions.
Note

Encryption/decryption and signature/verification features using created keys are provided through the Key Management Service API. The Key Management Service API is called through API Gateway. For more information, refer to the Key Management Service API Guide and API Gateway Guide.

Key Management Service page

The basics of using Key Management Service are as follows.


Area                      | Description
① Menu name               | Service name and the number of keys created
② Basic features          | Create keys, view key details, refresh the page
③ Post-creation features  | Manage key permissions, rotate keys, change key status (deactivate, activate), delete keys, view key history
④ Key list                | View key list and details, manage automatic rotation and rotation cycle, set key activation status by version, enter notes

View key list

You can check the information for each key in the key list. The following describes how to check the information.

  1. From the NAVER Cloud Platform console's Region menu, click and select the region you're using.
  2. From the Platform menu, click to select between VPC and Classic.
  3. Click the Services > Security > Key Management Service menus, in that order.
  4. When the key list appears, view the summarized information or click a key to check the details.
    • Key name: unique name of the created key
    • Purpose: It refers to the use of the created key. There are three types: encryption/decryption; signature/verification; and encryption/decryption and signature/verification.
      • Encryption/decryption: Creates a symmetric AES256-GCM96 key and uses it to encrypt data of up to 32 KB. Generally used for sealing credentials.
      • Signature/verification: Creates an asymmetric ECDSA-P256 key and uses it to sign and verify data of up to 8 KB.
      • Encryption/decryption and signature/verification: Creates an asymmetric RSA-2048 key and uses it to encrypt data of up to 190 B or to sign and verify data of up to 8 KB.
    • Status: It refers to the availability of the created key and the date it was most recently used. For more details about the status, refer to Key status.
    • Creation date: date that the key was created
    • Key tag: A unique identifier that distinguishes the key along with the key name. Used when calling the encryption/decryption feature through the REST API.
    • Convergent encryption: convergent encryption application status
    • Type: encryption method used by the key
    • Current version: current version of the key
      • Version list icon: Upon clicking it, you can view the complete list of versions connected to the key, view the creation date by version, and change the status. For more information, refer to Manage key version.
    • Automatic rotation: automatic rotation status of the key
    • Rotation cycle (next rotation date): If the key is set to be rotated automatically, the interval in days at which the key is rotated automatically, together with the next rotation date.
    • Number of uses: number of times the encryption/decryption feature was called using the key (identical to the number of client REST API calls)
    • Note: additional information and description of the key
Note

Key tags are not considered as confidential information.

Key status

In Key Management Service, you can create and manage up to 100 versions per key, and the status of the key is inherited by all versions of that key. For example, if the status of a key with 3 versions switches to Disabled, all 3 versions will become Disabled. If it is activated again and becomes Available, the version status automatically reverts to the status it had previously.

Note

For a detailed concept of key status by lifecycle, refer to Key Management Service concept.

The following describes each status of a key.

  • Creation
    When a key creation is requested, the key is created securely according to the key creation procedure from the key management recommendation, and a unique identifier is given. Once an identifier is given to the key, it is stored safely in encrypted storage, and a backup point is created in preparation for emergencies.

  • Available
    It refers to keys that can be used for all encryption/decryption requests. Created keys are automatically activated and switched into Available, and they can be deactivated at any time to stop being used. Keys in the Available status are subject to administrative billing.

  • Disabled
    It refers to keys that are deactivated to stop being used; they can be activated at any time to be switched back to the Available status. So that they can be made available again at any time, keys in the Disabled status follow the rotation cycle: even keys in the Disabled status are rotated as scheduled on the next rotation day and updated to a new version. Keys in the Disabled status can't be used for encryption/decryption requests. Keys in the Disabled status are subject to administrative billing.

  • Deletion requested
    It refers to keys that the user has requested to delete because they are no longer used, to reduce misuse and unnecessary maintenance. Keys in the Deletion requested status are permanently deleted 72 hours after the user's key deletion request. Keys deleted at the user's request can't be restored. Before requesting deletion, check carefully that no users are still using the key. However, the deletion request can be canceled before the final deletion, and a key whose deletion request has been canceled is immediately switched into the Disabled status. As with the Disabled status, keys in the Deletion requested status follow the rotation cycle and are subject to administrative billing. If no user is currently using the key, you can click the [Delete immediately] button to proceed with permanent deletion right away.

  • Deleted
    It refers to permanently deleted keys, and they can't be directly verified by the user. These keys are also deleted within Key Management Service. You can only request to check the management information such as key information and usage history through NAVER Cloud Platform's Support > Contact us. The management information of deleted keys is maintained for one year and then deleted.

Key status determines the availability of the basic features. The features available for use in each status are as follows.

Status              | Manage key permissions | Rotate keys | Deactivate/activate keys | Request key deletion/cancel key deletion | View key history
Available           | O                      | O           | Deactivate: O            | O                                        | O
Disabled            | O                      | X           | Activate: O              | O                                        | O
Deletion requested  | X                      | X           | X                        | Cancel key deletion: O                   | O
Deleted             | -                      | -           | -                        | -                                        | -

Key status must be managed carefully. Make sure to review thoroughly before you use the deactivation/activation and deletion request features, which change the key status. Because the user's monitoring is required to keep the key status safe, the console sends key status change notification emails to sub accounts granted usage permissions whenever the key status changes. The user can check the key status in real time through these notification emails.

Create key

You can create an unlimited number of user managed keys. However, be careful when creating keys, since charges are incurred according to the number of created keys. To create keys, the NCP_KMS_MANAGER (Key Management Service admin) permission is required. The following describes how to create a key.

  1. From the NAVER Cloud Platform console's Region menu, click and select the region you're using.
  2. From the Platform menu, click to select between VPC and Classic.
  3. Click the Services > Security > Key Management Service menus, in that order.
  4. Click the [Create key] button.
  5. When the Create key page appears, enter the required information.
    • Key name: Enter 3 to 15 characters using English letters, numbers, and the special characters - and _. The first character must be an English letter, and the name must not duplicate another key name in the user's keystore.
    • Purpose: Click to select from encryption/decryption (AES-256), encryption/decryption and signature/verification (RSA-2048), and signature/verification (ECDSA).
    • Encryption type: When selecting encryption/decryption (AES-256) for the purpose, click to select whether to apply convergent encryption, which always creates the same ciphertext for the same plaintext. When selecting convergent encryption, the context parameter is required when calling the encryption/decryption feature. Refer to the caution box shown below for details.
    • Rotation type: Click to select the automatic rotation status.
    • Rotation cycle: Enter 1 to 730 days (default: 90 days)
    • Note: Enter up to 100 characters.
  6. Click the [Create key] button.
Note

Convergent encryption: The context derives the key and initialization vector (IV) used for the actual encryption/decryption from the seed key. If an incorrect context is entered, the data won't be decrypted. When you select convergent encryption, the same key and IV are used every time for the same context, so the same plaintext always produces the same ciphertext. Encrypting multiple plaintexts under the same context may be cryptographically vulnerable, since identical plaintexts produce identical ciphertexts. For secure encryption, it is recommended to change the context appropriately for each piece of data. When convergent encryption is not applied, no additional context entry is required since all values are derived randomly, but a different ciphertext is created each time even for the same plaintext. The application status of convergent encryption can't be changed after key creation.

Manage key permissions

You can manage usage permissions for keys. Usage permissions are defined by mapping "roles" to "sub accounts" issued by NAVER Cloud Platform's Sub Account. To manage key permissions, the NCP_KMS_MANAGER (Key Management Service admin) or KMS_KEY_MANAGER (key admin) permission is required.

  • Sub account: Sub accounts issued by the main account through NAVER Cloud Platform's Sub Account can access the keystore in the Key Management Service console. Also, key usage permissions can only be granted to sub accounts. Thus, to manage key usage permissions, you need to first create sub accounts through Sub Account. The following describes each sub account.

    • Key Management Service admin (NCP_KMS_MANAGER): The user who manages all keys owned by the account in Key Management Service. They can perform all features on all keys owned by the account.
    • Key Management Service user (NCP_KMS_USER): The user with service usage permissions. They can only check keys with usage permissions in the console.
  • Role: Instead of setting detailed permissions individually for each key feature, you can assign roles that bundle predefined permissions. If you use roles, you can easily manage access control according to the nature of the key usage. However, the admin must follow the principle of least privilege, a fundamental principle of security, when granting key usage roles to sub accounts. The following describes each role.

    • Manager: a key manager who can use all features that can be performed with keys, including management and deletion of keys
    • Encryptor: a user who can only use encryption and signature features through keys
    • Decryptor: a user who can only use decryption and verification features through keys
    • Encryptor/Decryptor: a user who can use all encryption/decryption and signature/verification features through keys
    • Reviewer: A user who can search the usage history of keys. While they don't perform encryption/decryption directly with keys, they can check whether keys are being used properly.

The following describes how to manage usage permissions.

  1. From the NAVER Cloud Platform console's Region menu, click and select the region you're using.
  2. From the Platform menu, click to select between VPC and Classic.
  3. Click the Services > Security > Key Management Service menus, in that order.
  4. Click to select the key to manage permissions for, and then click the [Manage key permissions] button.
  5. When the Key permissions pop-up window appears, add or delete permissions.
    kms-use_04_en
    • Add: Click to select the sub account to add, and then click the [Add] button.
    • Delete: Click the [Delete] button of the sub account to delete.
  6. Click the [Close] button.
Note

From the Key permissions pop-up window in Step 5, if you click the [Register Sub Account account] button, you can go to Sub Account and add, modify, and delete sub accounts.

Manage key version

You can manage key versions for security. Since various security threats exist for all encryption keys, there is a recommended expiration date. Thus, to prepare for security threats, it is recommended to renew keys before the expiration date. In Key Management Service, the actual “key value” used for encryption/decryption is distinguished based on the version. If you update the key version, you can expect the same effect as renewing the key. A key identified by the key tag can have up to 100 versions internally. To manage key versions, the NCP_KMS_MANAGER (Key Management Service admin) or KMS_KEY_MANAGER (key admin) permission is required. KMS_KEY_REVIEWER (key reviewer) can only check the version information.

Rotate key

Use the key rotation feature to renew key versions in Key Management Service. The version of an initially created key is 1, and it is renewed at each rotation. Up to 100 versions can be maintained. A key can no longer be rotated after 100 key rotations, so it must be replaced with a new key.

There are two types of key rotation: automatic rotation, which is performed automatically according to the set rotation cycle, and manual rotation, which is performed manually by the user as needed. The following describes each rotation.

  • Automatic rotation: It performs automatic rotation at every set rotation cycle.
  • Manual rotation: The user performs manual rotations as needed. Manual rotation doesn't affect the next automatic rotation schedule. For example, when a manual rotation is performed for a key with an automatic rotation cycle of 90 days and 10 days remaining until the next rotation date, the automatic rotation is still performed as scheduled 10 days later.
Caution
  • Keys without automatic rotation may become a security risk, since they're not rotated unless you perform manual rotations. Users are fully responsible for periodic key renewal and management for safety.
  • The following are some things to keep in mind after key rotation.
    • Encryption is only possible with the most recent version of the key, so when a key is rotated and renewed, the old version of the key can no longer be used for encryption and can only be used for decryption.
    • When a key is rotated and renewed to a new version, users who were using the previous version of the key are advised to re-encrypt with the new version of the key as soon as possible and deactivate the previous version. For more information on the API usage method for re-encryption, refer to Re-encrypt.
    • When decrypting, the ciphertext must carry the correct version to get the correct result. If you arbitrarily change the prefix included in the ciphertext (e.g., ncpkms:v1), the decryption won't be processed correctly.
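The rotation rules above (encryption only with the latest version, decryption selected by the ncpkms:vN prefix, re-encryption after rotation, the 100-version limit, refusal when the key is not Available) and the context behaviour of convergent encryption from the Create key note, as an added local model in Python; this is example code, not NAVER Cloud Platform's implementation or API. The HMAC-based key/IV derivation from seed key and context, the HMAC counter-mode keystream standing in for AES-256-GCM, and the "ncpkms:vN:hex" ciphertext layout are assumptions for illustration only.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

MAX_VERSIONS = 100  # per-key version limit stated on the page

def _derive(seed: bytes, context: bytes, label: bytes) -> bytes:
    # Assumed derivation: key and IV come from the seed key plus the caller's context.
    return hmac.new(seed, label + context, hashlib.sha256).digest()

def _xor_stream(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Stand-in for AES-256-GCM (illustration only): HMAC-SHA256 counter-mode keystream.
    ks = b"".join(hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def _seal(seed: bytes, pt: bytes, context: bytes, convergent: bool) -> bytes:
    if convergent:  # deterministic key and IV for this context
        key, iv = _derive(seed, context, b"key"), _derive(seed, context, b"iv")[:16]
    else:           # fresh random IV, so equal plaintexts give different ciphertexts
        key, iv = seed, os.urandom(16)
    ct = _xor_stream(key, iv, pt)
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()  # encrypt-then-MAC

def _open(seed: bytes, blob: bytes, context: bytes, convergent: bool) -> bytes:
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    key = _derive(seed, context, b"key") if convergent else seed
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("wrong context or tampered ciphertext")
    return _xor_stream(key, iv, ct)

@dataclass
class ManagedKey:
    name: str
    convergent: bool = False
    status: str = "Available"
    versions: list = field(default_factory=lambda: [os.urandom(32)])  # v1 on creation

    def rotate(self) -> int:
        if len(self.versions) >= MAX_VERSIONS:
            raise RuntimeError("100 rotations reached; replace with a new key")
        self.versions.append(os.urandom(32))  # older values are kept for decryption
        return len(self.versions)

    def _check_usable(self) -> None:
        if self.status != "Available":  # Disabled / Pending deletion refuse all requests
            raise PermissionError(f"key {self.name} is {self.status}")

    def encrypt(self, plaintext: bytes, context: bytes = b"") -> str:
        self._check_usable()
        if self.convergent and not context:
            raise ValueError("convergent key: the context parameter is required")
        # Only the most recent version ever encrypts; the prefix records which one.
        body = _seal(self.versions[-1], plaintext, context, self.convergent)
        return f"ncpkms:v{len(self.versions)}:{body.hex()}"

    def decrypt(self, ciphertext: str, context: bytes = b"") -> bytes:
        self._check_usable()
        m = re.fullmatch(r"ncpkms:v(\d+):([0-9a-f]+)", ciphertext)
        v = int(m.group(1)) if m else 0  # the prefix selects the version to use
        if not 1 <= v <= len(self.versions):
            raise ValueError("missing, altered or unknown ncpkms version prefix")
        return _open(self.versions[v - 1], bytes.fromhex(m.group(2)), context, self.convergent)

    def reencrypt(self, ciphertext: str, context: bytes = b"") -> str:
        # After rotation: decrypt under the recorded version, seal again under the latest.
        return self.encrypt(self.decrypt(ciphertext, context), context)
```

Altering the version prefix of a ciphertext makes decrypt fail either on the version check or on the integrity tag, which is the behaviour the caution above warns about.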

Manual rotation

A key can be renewed immediately through manual rotation if it is determined that a security threat to the key has occurred, or at the discretion of the user. The following describes how to manually rotate a key to renew it to a new version.

  1. From the NAVER Cloud Platform console's Region menu, click and select the region you're using.
  2. From the Platform menu, click to select between VPC and Classic.
  3. Click the Services > Security > Key Management Service menus, in that order.
  4. Click to select the key to manually rotate, and then click the [Rotate key] button.
  5. When the Rotate now pop-up window appears, click the [OK] button.
  6. Check the renewed version information from Current version.

Automatic rotation

The following describes how to set up automatic rotation so that keys are automatically renewed to a newer version at regular intervals.

  1. From the NAVER Cloud Platform console's Region menu, click and select the region you're using.
  2. From the Platform menu, click to select between VPC and Classic.
  3. Click the Services > Security > Key Management Service menus, in that order.
  4. Click to select the key to automatically rotate, and then click and select Automatic rotation.
  5. To set the automatic rotation cycle, click the [Edit] button of Rotation cycle (next rotation date).
  6. When the Change rotation cycle pop-up window appears, enter the rotation cycle.
    • Enter 1 to 730 days (default: 90 days)
    • The next rotation date changes immediately upon change.
  7. Click the [OK] button.

Deactivate/activate keys

You can deactivate a key that was being used normally according to a specific cause or at the discretion of the user, or reactivate a deactivated key. To set the key activation status, the NCP_KMS_MANAGER (Key Management Service admin) or KMS_KEY_MANAGER (key admin) permission is required. The following describes how you can activate or deactivate a key.

  1. From the NAVER Cloud Platform console's Region menu, click and select the region you're using.
  2. From the Platform menu, click to select between VPC and Classic.
  3. Click the Services > Security > Key Management Service menus, in that order.
  4. Click and select the key to set the activation status for, and proceed with the following steps.
    • When changing the activated status to the deactivated status: Click the [Deactivate key] button.
      • [Deactivate key] pop-up window: It appears when one or more other users are using the key to be deactivated. After checking the list of key users in the pop-up window, click the [Deactivate] button.
    • When changing the deactivated status to the activated status: Click the [Activate key] button.
  5. Check the status of the changed key from the key list.
    • Disabled: It refers to keys that are deactivated to stop being used, and they can be activated at any time to be switched back to the Available status. In order to maintain them to be available at any time, keys in the Disabled status follow the rotation schedule.
    • Available: status where keys can be used for all encryption/decryption requests
Caution

When deactivating a key, please be careful since users who were using the key won't be able to use the key.

Delete key

You can request deletion of keys that are no longer in use. Keys requested for deletion are permanently deleted after a 72-hour grace period. Keys requested to be deleted are switched into the Pending deletion status and can't be used for encryption/decryption requests, just like the Disabled status. If there's no need to wait for deletion, the key can be deleted immediately. For example, if the key has no users, it can be deleted immediately without waiting 72 hours, since there is no risk of data loss even if it is deleted.

Caution

Once deleted, the key is permanently deleted and can't be restored, so please choose carefully. Especially for [Delete immediately], note that the key is deleted immediately, which can’t be reverted.

If you want to cancel a deletion request for a key pending deletion, then click the [Cancel deletion] button before the 72-hour grace period is up. The deletion request is withdrawn once you click the button, and the key is immediately switched to the Disabled status. You can activate the key to use it again. The following describes how to delete a key.

  1. From the NAVER Cloud Platform console's Region menu, click and select the region you're using.
  2. From the Platform menu, click to select between VPC and Classic.
  3. Click the Services > Security > Key Management Service menus, in that order.
  4. Click and select the key to delete, and then click the [Request key deletion] button.
  5. When the Request key deletion pop-up window appears, click the [Request deletion] button.
    • Caution pop-up window: It appears when one or more other users are using the key to be deleted. After entering the name of the key, click the [Request deletion] button.
  6. Check the changed key status after the deletion request from the key list.
    • Pending deletion: It refers to a status where the deletion request has been received and the key is in the 72-hour grace period before being permanently deleted.
  7. If you want to delete it immediately instead of deleting on the scheduled deletion date displayed on the Status field, click the [Delete now] button.

View key history

To prepare for various security threats, you can monitor whether keys are being operated properly by searching all usage histories of keys. To check the key usage history, the NCP_KMS_MANAGER (Key Management Service admin), KMS_KEY_MANAGER (key admin), or KMS_KEY_REVIEWER (key reviewer) permission is required. The following describes how to check the key usage history.

  1. From the NAVER Cloud Platform console's Region menu, click and select the region you're using.
  2. From the Platform menu, click to select between VPC and Classic.
  3. Click the Services > Security > Key Management Service menus, in that order.
  4. Click to select the key to check the usage history of, and then click the [View key history] button.
  5. When the Usage history pop-up window appears, check the required information.
    • IP: IP address and access information of the account (subject) that performed the job
    • Date: date the job was performed
    • Job: content of the performed job
    • Result: whether the performed job was successful
    • Account: ID of the account that performed the job
