A customer master key (CMK) is the basic element of the KMS service. A CMK consists of a key ID, key metadata (alias, description, status, etc.), and the key material used to encrypt and decrypt data.
By default, when you create a CMK through the KMS service, secure key material is generated by the underlying encryption engine. If you prefer to use your own key material, implementing a Bring Your Own Key (BYOK) solution, you can create a CMK with empty key material in the KMS service and then import your own key material into it, forming an external CMK (EXTERNAL CMK). The KMS service then handles the distribution and management of this external key.
Features
KMS allows you to use your own key material to encrypt and decrypt sensitive data by implementing a Bring Your Own Key (BYOK) solution in Tencent Cloud.
KMS gives you full control over the key services used in Tencent Cloud, including importing and deleting key material as needed.
You can back up your key material in local key management infrastructure as an additional disaster recovery measure for KMS.
You can use your own key material for encryption and decryption operations in the cloud to meet your industry-specific compliance requirements.
Support and Limits
It is essential to ensure the security of the imported key material:
When using the key import feature, ensure the security and reliability of the random source used to generate your key material. Currently, KMS only allows importing 128-bit symmetric keys for the Chinese cryptographic version and 256-bit symmetric keys for the FIPS version.
Ensure the availability of the imported key material:
While KMS provides high availability and backup recovery capabilities for its own service, the availability of imported key material must be managed by the user. It is strongly recommended that you securely store the original backup of your key material so that it can be promptly re-imported into KMS if the key material is accidentally deleted or expires.
It is essential to ensure the correctness of key import operations:
When you import key material into a CMK, it becomes permanently associated with that CMK, meaning no other key material can be imported into that external CMK. Data encrypted with the external CMK can only be decrypted with the same CMK (i.e., the CMK's metadata and key material must match the imported key); otherwise decryption will fail. Handle key material and CMK deletion operations with caution.
Pay attention to the key import status:
Keys in "Pending Import" status are counted as enabled keys and incur fees.
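The client-side part of the BYOK workflow described above (generating key material from a trustworthy random source, checking it against the 128-bit and 256-bit limits, keeping an original backup, and verifying that a backup still belongs to the CMK it was imported into before re-importing it) is shown below as an added example. It is not Tencent Cloud's code or SDK; the uploading step itself (which in a typical BYOK flow wraps the material with a service-provided public key before calling the import API) is deliberately omitted, the `sm`/`fips` version labels, the `KEY-ID-PLACEHOLDER` key ID and the backup file layout are constructed for the example, and the backup is written in plaintext with owner-only permissions, standing in for the local key management infrastructure the documentation expects you to use.

```python
import hashlib
import json
import os
import secrets
import tempfile
from pathlib import Path

# Key material sizes stated in the documentation: 128-bit symmetric keys for the
# Chinese cryptographic version of KMS and 256-bit symmetric keys for the FIPS
# version. The "sm"/"fips" labels are this example's own names (assumption).
KEY_MATERIAL_BYTES = {"sm": 16, "fips": 32}


def generate_key_material(version: str) -> bytes:
    """Draw key material from the OS CSPRNG (secrets -> os.urandom).

    The random source is the user's responsibility under BYOK: never derive
    key material from a password, a timestamp or a non-cryptographic PRNG.
    """
    return secrets.token_bytes(KEY_MATERIAL_BYTES[version])


def validate_key_material(material: bytes, version: str) -> None:
    """Reject material whose length KMS would not accept for this version."""
    expected = KEY_MATERIAL_BYTES[version]
    if not isinstance(material, (bytes, bytearray)) or len(material) != expected:
        raise ValueError(f"{version} key material must be exactly {expected} bytes")
    if len(set(material)) == 1:
        # Crude sanity check only: identical bytes usually mean a zeroed or
        # placeholder buffer. It is no substitute for a trustworthy random source.
        raise ValueError("key material is degenerate (all bytes identical)")


def fingerprint(material: bytes) -> str:
    """SHA-256 of the material; safe to record next to the CMK ID."""
    return hashlib.sha256(material).hexdigest()


def write_backup(material: bytes, key_id: str, version: str, backup_dir: str) -> Path:
    """Store the original key material so it can be re-imported into the same CMK.

    The manifest binds the material's fingerprint to the CMK ID, because imported
    material is permanently tied to one CMK and ciphertext produced under it can
    only be decrypted with exactly that material.
    """
    directory = Path(backup_dir)
    directory.mkdir(parents=True, exist_ok=True)
    material_path = directory / f"{key_id}.keymaterial"
    # Create the file with owner-only permissions before any bytes are written.
    fd = os.open(material_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(material)
    manifest = {"key_id": key_id, "version": version, "sha256": fingerprint(material)}
    (directory / f"{key_id}.manifest.json").write_text(json.dumps(manifest, indent=2))
    return material_path


def load_backup_for_reimport(key_id: str, backup_dir: str) -> bytes:
    """Read a backup and refuse it unless it still matches the CMK it belongs to."""
    directory = Path(backup_dir)
    manifest = json.loads((directory / f"{key_id}.manifest.json").read_text())
    material = (directory / f"{key_id}.keymaterial").read_bytes()
    if manifest["key_id"] != key_id:
        raise ValueError("manifest belongs to a different CMK; do not import")
    validate_key_material(material, manifest["version"])
    if fingerprint(material) != manifest["sha256"]:
        raise ValueError("backup does not match the recorded fingerprint; do not import")
    return material


def demo(version: str = "fips", key_id: str = "KEY-ID-PLACEHOLDER") -> dict:
    """Run the local preparation flow end to end in a temporary directory.

    key_id is a constructed placeholder; a real value is the ID of the CMK you
    created with empty key material. Returns the checks a caller can assert on.
    """
    with tempfile.TemporaryDirectory() as backup_dir:
        material = generate_key_material(version)
        validate_key_material(material, version)
        material_path = write_backup(material, key_id, version, backup_dir)
        restored = load_backup_for_reimport(key_id, backup_dir)
        mode = material_path.stat().st_mode & 0o777
        # Simulate a corrupted backup: flip one byte and confirm it is rejected
        # before anyone tries to import it into the CMK.
        damaged = bytearray(material)
        damaged[0] ^= 0xFF
        material_path.write_bytes(bytes(damaged))
        try:
            load_backup_for_reimport(key_id, backup_dir)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {
        "length_ok": len(material) == KEY_MATERIAL_BYTES[version],
        "restored_matches": restored == material,
        "owner_only": mode == 0o600,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The fingerprint in the manifest is the piece that matters operationally: because an external CMK accepts exactly one key material for its whole lifetime, re-importing anything other than the original bytes after an accidental deletion or expiry leaves the CMK unable to decrypt the data it previously encrypted, so the backup is checked against the recorded CMK ID and hash before it is handed to the import step.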