Overview
Key Management Service (KMS) is a security management service that enables you to easily create and manage keys, ensuring their confidentiality, integrity, and availability. It meets the key management needs of users across multiple applications and businesses while complying with compliance requirements.
This section introduces the Key Management Service API interfaces, which are all API 3.0 interfaces.
You can call the API to operate the Key Management Service, such as creating keys, enabling key rotation, generating data keys, and updating ciphertext. For details on specific interfaces, see the API overview.
Please ensure you fully understand the Key Management Service product, how to use, and pricing before using the API.
Glossary
Common terminology for Key Management Service API interface, see the table below:
| Term | Description |
|---|---|
| Key Management Service (KMS) is a security management service that lets you easily create and manage keys, ensuring their confidentiality, integrity, and availability. It meets the key management needs of users across multiple applications and businesses while complying with compliance requirements. | |
| The root key (CMK) is a master key kept by Tencent Cloud. The master key is protected by a third-party certified hardware security module (HSM) and is used to encrypt and decrypt sensitive data such as passwords, certificates, and data keys for business operations. You can create and manage CMKs through the console and API. | |
| DEK | Data Key (DEK), the key used to encrypt business data, protected by the master key. It can be customized or created through the Tencent Cloud Key Management Service (KMS) API. |
| Cloud product key is a CMK automatically created for user when Tencent Cloud products (such as CBS, COS, TDSQL) call Key Management Service. | |
| Symmetric key Symmetric encryption and decryption is an encryption method that uses a single-key cryptographic system, where the same key is used for both encryption and decryption. | |
| Asymmetric key Asymmetric encryption requires two keys: a public key and a private key. The public key and private key form a pair. The sender uses the public key to encrypt data, and only the receiver can decrypt it with the corresponding private key. On the other hand, the sender can use the private key to sign confidential information, while the receiver verifies the signature using the corresponding public key. | |
| White-box key refers to a key secured by white-box cryptography, used to protect sensitive root key information on the terminal, such as API SecretKey, authentication keys or tokens for internal system usage, and other locally stored sensitive root key information. |
Usage limits
For API parameter limits, refer to the parameter descriptions in the API documentation.
Getting Started with APIs
You can use the API Explorer tool to call APIs online.
This document uses creating a root key as an example. The steps to make an API call via the API Explorer Tool are as follows:
- Go to the API Explorer webpage. For more API Explorer Tool usage information, see Using API Explorer.
- Call the CreateKey API (https://www.tencentcloud.com/document/product/573/34430?from_cn_redirect=1) to create a root key.
- Once the root key is created successfully, go to the console to view and manage the created root key.
Feedback