---
copyright:
lastupdated: "2019-04-03"
keywords: key management service, kms, manage encryption keys, data encryption, data-at-rest, protect data encryption keys
subcollection: key-protect
---

{:shortdesc: .shortdesc}
{:codeblock: .codeblock}
{:screen: .screen}
{:new_window: target="_blank"}
{:pre: .pre}
{:tip: .tip}
{:note: .note}
{:important: .important}
# Getting started tutorial
{: #getting-started-tutorial}

{{site.data.keyword.keymanagementservicefull}} helps you provision encrypted keys for apps across {{site.data.keyword.cloud_notm}} services. This tutorial shows you how to create and add existing cryptographic keys by using the {{site.data.keyword.keymanagementserviceshort}} dashboard, so you can manage data encryption from one central location.
{: shortdesc}
## Key types
{: #get-started-keys}

From the {{site.data.keyword.keymanagementserviceshort}} dashboard, you can create new keys for cryptography, or you can import your existing keys.

Choose from two key types:

- Root keys
    - Root keys are symmetric key-wrapping keys that you fully manage in {{site.data.keyword.keymanagementserviceshort}}. You can use a root key to protect other cryptographic keys with advanced encryption. To learn more, see Protecting data with envelope encryption.
- Standard keys
    - Standard keys are symmetric keys that are used for cryptography. You can use a standard key to directly encrypt and decrypt data.
## Creating keys
{: #create-keys}

After you create an instance of {{site.data.keyword.keymanagementserviceshort}}, you're ready to designate keys in the service.

Complete the following steps to create your first cryptographic key.

1. On the application details page, click Manage > Add key.
2. To create a new key, select the Create a key window.

    Specify the key's details:

    | Setting | Description |
    |---|---|
    | Name | A unique, human-readable alias for easy identification of your key. To protect your privacy, ensure that the key name does not contain personally identifiable information (PII), such as your name or location. |
    | Key type | The type of key that you would like to manage in {{site.data.keyword.keymanagementserviceshort}}. |
    {: caption="Table 1. Description of the Create a key settings" caption-side="top"}

3. When you are finished filling out the key's details, click Create key to confirm.

Keys that are created in the service are symmetric 256-bit keys, supported by the AES-GCM algorithm. For added security, keys are generated by FIPS 140-2 Level 2 certified hardware security modules (HSMs) that are located in secure {{site.data.keyword.cloud_notm}} data centers.
## Importing keys
{: #import-keys}

You can enable the security benefits of Bring Your Own Key (BYOK) by introducing your existing keys to the service.

Complete the following steps to add an existing key.

1. On the application details page, click Manage > Add key.
2. To upload an existing key, select the Import your own key window.

    Specify the key's details:

    | Setting | Description |
    |---|---|
    | Name | A unique, human-readable alias for easy identification of your key. To protect your privacy, ensure that the key name does not contain personally identifiable information (PII), such as your name or location. |
    | Key type | The type of key that you would like to manage in {{site.data.keyword.keymanagementserviceshort}}. |
    | Key material | The key material, such as a symmetric key, that you want to store in the {{site.data.keyword.keymanagementserviceshort}} service. The key that you provide must be base64 encoded. |
    {: caption="Table 2. Description of the Import your own key settings" caption-side="top"}

3. When you are finished filling out the key's details, click Import key to confirm.

From the {{site.data.keyword.keymanagementserviceshort}} dashboard, you can inspect the general characteristics of your new keys.
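The two key roles described above (a root key that only wraps other keys, a standard key that encrypts data directly), the 256-bit AES-GCM keys, and the base64 form that imported key material must take, shown together in an added local Go example. This is not {{site.data.keyword.keymanagementserviceshort}} code and does not call the service; the `NewKey`, `KeyMaterial`, `Seal`, `Open` and `Envelope*` names are this example's own, and it goes one step beyond the text by showing that a wrong root key or a tampered ciphertext is rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)
// NewKey makes a random 256-bit key; KeyMaterial is its base64 form, as the import dialog expects.
func NewKey() []byte              { k := make([]byte, 32); rand.Read(k); return k }
func KeyMaterial(k []byte) string { return base64.StdEncoding.EncodeToString(k) }
// aead builds AES-256-GCM; only 256-bit key material is accepted, matching the service's keys.
func aead(key []byte) cipher.AEAD {
	if len(key) != 32 {
		panic("key material must be 256 bits")
	}
	block, _ := aes.NewCipher(key) // cannot fail: key size checked above
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}
// Seal encrypts with AES-256-GCM; the fresh random nonce is prepended to the ciphertext.
func Seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
// Open reverses Seal; the GCM tag check fails on a wrong key or a tampered ciphertext.
func Open(key, sealed []byte) ([]byte, error) {
	gcm := aead(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}
// EnvelopeEncrypt: the root key only wraps a fresh DEK; the DEK, used like a standard key, encrypts the data.
func EnvelopeEncrypt(rootKey, data []byte) (wrappedDEK, sealed []byte) {
	dek := NewKey() // store only wrappedDEK next to the data, never dek itself
	return Seal(rootKey, dek), Seal(dek, data)
}
// EnvelopeDecrypt unwraps the DEK with the root key, then opens the data with the DEK.
func EnvelopeDecrypt(rootKey, wrappedDEK, sealed []byte) ([]byte, error) {
	dek, err := Open(rootKey, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return Open(dek, sealed)
}
```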
## Next steps
{: #get-started-next-steps}

Now you can use your keys in your apps and services. If you added a root key to the service, you might want to learn more about using the root key to protect the keys that encrypt your at-rest data. Check out Wrapping keys to get started.

- To find out more about managing and protecting your encryption keys with a root key, check out Protecting data with envelope encryption.
- To find out more about integrating the {{site.data.keyword.keymanagementserviceshort}} service with other cloud data solutions, check out the Integrations doc.
- To find out more about programmatically managing your keys, check out the {{site.data.keyword.keymanagementserviceshort}} API reference doc {: new_window}.