KMS uses hierarchical encryption for data key, master key and route key, thereby ensuring secure key management. Using the KMS mater key, users create a data key for data encryption. The KMS mater key is distributed and stored safely within the FIPS 140-2 Level 3 certified HSM (Hardware Security Module).
Key rotation enables the creation of new encrypted data for a given master key and allows users to define the frequency of key rotation based on user policy. In addition, managing usage logs become easy with KMS monitoring. By administrating the lifecycle of encryption keys, one can also delete or reactivate disabled keys to protect data against cryptographic threats.
Using a high availability infrastructure, KMS delivers a reliable service. KMS engine, which creates master key, HSM, which stores the created keys, and other tools provide high availability.
- Encryption/Decryption (AES256) : Use the AES256 key (symmetric key) for data encryption operation of up to 32KB
- Encryption/Decryption or Signature/Verification (RSA-2048) : Use the RSA key (asymmetric key, 2048 bit) for data encryption of up to 190B or 8KB signature
- Signature/Verification (ECDSA) : Use the ECDSA key (asymmetric key) for data signature of up to 8KB
- Select an account that will be granted access to the master key (An account within the same project)
- Assignment of key roles : Key manager, Encryptor/Decryptor, Encryptor, Decryptor, Key reviewer
- Key rotation : Create a new key version. Define automatic key rotation, anywhere from 1 day to 730 days.
- Key deletion : Upon request, a key will immediately be disabled and be permanently deleted after 72 hours
- View operational logs : Date of operation, operation details and results, account used for operation