
Key Management Service

User Guide

Issue 12

Date 2018-05-17

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2018. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://e.huawei.com

Issue 12 (2018-05-17) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.


Contents

1 Product Overview 1
1.1 Key Management Service 1
1.2 SSH Key Pair 1
1.3 Dedicated HSM 1
1.4 Region and AZ 4
1.5 Project 4
1.6 Functions 4
1.7 Application Scenarios 5
1.7.1 Encrypting Small Volumes of Data 5
1.7.2 Encrypting Large Volumes of Data 6
1.7.3 Encrypting Data in OBS 7
1.7.4 Encrypting Data in EVS 8
1.7.5 Encrypting Data in IMS 8
1.7.6 Logging In to a Linux ECS 8
1.7.7 Obtaining the Password for Logging In to a Windows ECS 8
1.7.8 Encrypting Your Service System Using Dedicated HSM 9
1.8 Accessing and Using KMS 9
1.8.1 How to Access KMS 9
1.8.2 How to Use KMS 10
1.8.3 Related Services 11
1.8.4 User Permissions 11

2 Auditing 12
2.1 KMS Operations Supported by CTS 12
2.2 Viewing Audit Logs 13

3 Encryption Key 15
3.1 Creating a CMK 15
3.2 Using the Online Tool to Encrypt and Decrypt Small Volumes of Data 16
3.3 Managing Tags 18
3.3.1 Adding a Tag 18
3.3.2 Searching for Tags 20
3.3.3 Modifying Tag Values 21
3.3.4 Deleting Tags 22
3.4 Managing CMKs 23
3.4.1 Viewing a CMK 23
3.4.2 Enabling One or Multiple CMKs 25
3.4.3 Disabling One or Multiple CMKs 26
3.4.4 Scheduling the Deletion of One or Multiple CMKs 28
3.4.5 Canceling the Scheduled Deletion of One or Multiple CMKs 30

4 SSH Key Pair 32
4.1 Creating a Key Pair 32
4.2 Importing a Key Pair 37
4.3 Using a Private Key to Log In to the Linux ECS 41
4.4 Using a Private Key to Obtain the Login Password of Windows ECS 43
4.5 Managing Key Pairs 44
4.5.1 Viewing a Key Pair 44
4.5.2 Resetting a Key Pair 47
4.5.3 Replacing a Key Pair 48
4.5.4 Binding a Key Pair 51
4.5.5 Unbinding a Key Pair 54
4.5.6 Deleting a Key Pair 58
4.6 Managing Private Keys 58
4.6.1 Importing a Private Key 58
4.6.2 Exporting a Private Key 61
4.6.3 Clearing a Private Key 62

5 Dedicated HSM 63
5.1 Viewing Dedicated HSM Instances 63
5.2 Using Dedicated HSM Instances 64

6 FAQs 67
6.1 About Concepts 67
6.1.1 What Is Key Management Service? 67
6.1.2 What Is a Customer Master Key? 67
6.1.3 What Is a Default Master Key? 67
6.1.4 What Are the Differences Between a CMK and a Default Master Key? 68
6.1.5 What Is a Data Encryption Key? 68
6.2 About Functions 68
6.2.1 Why Cannot I Delete a CMK Immediately? 68
6.2.2 Which Cloud Services Can Use KMS for Encryption? 69
6.2.3 What Functions Does KMS Provide? 69
6.2.4 How Do Cloud Services on HUAWEI CLOUD Use Data Encrypted by KMS? 69
6.2.5 What Are the Benefits of Envelope Encryption? 70
6.2.6 Is There a Limit on the Number of CMKs That I Can Create on KMS? 70
6.2.7 What Is the Length of a CMK? 70
6.2.8 Can I Export a CMK from KMS? 70
6.2.9 Can I Decrypt My Data Back if I Permanently Delete My CMK? 70
6.2.10 How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data? 70
6.2.11 Can I Update CMKs Created by KMS-Generated Key Materials? 72
6.2.12 How Do I Create a Key Pair? 72
6.2.13 How Do I Handle an Import Failure of a Key Pair Created Using PuTTYgen? 76
6.2.14 What Should I Do When I Fail to Import a Key Pair Using Internet Explorer 9? 79
6.2.15 How Do I Log in to an ECS Running a Linux OS with a Private Key? 79
6.2.16 How Do I Use a Private Key to Obtain the Password to Log In to a Windows ECS? 81
6.2.17 What Are the Conditions for Resetting, Replacing, Unbinding, or Binding a Key Pair? 82
6.2.18 How Do I Enable the Password Login Mode for an ECS? 83
6.2.19 What Can I Do If a Key Pair Failed to Be Bound, Reset, or Replaced for an ECS? 85
6.2.20 What Should I Do If No Password or Key Pair Is Available for Logging In to the ECS After the Key Pair Is Unbound? 86
6.2.21 How Do I Convert the Private Key File in PPK Format to the PEM Format? 88
6.3 About Regions 88
6.3.1 Which Regions Provide KMS? 89
6.4 About Pricing 89
6.4.1 Does KMS Provide Free Keys? 89
6.4.2 What Are the Charging Standards? 89
6.4.3 Will a CMK Be Charged After It Is Disabled? 89

A Change History 90


1 Product Overview

1.1 Key Management Service

Key Management Service (KMS) is a secure, reliable, and easy-to-use service that helps users centrally manage and safeguard their Customer Master Keys (CMKs) and SSH key pairs.

In addition, you can purchase the Dedicated Hardware Security Module (HSM) service provided by KMS. Dedicated HSM provides the capabilities for encryption, decryption, signature, signature verification, generation of keys, and secure storage of keys.

KMS uses hardware security modules (HSMs) to protect CMKs. HSMs help you create and control CMKs with ease. All CMKs are protected by root keys in HSMs to avoid leakage. KMS implements access control and log-based tracking on all operations on CMKs. With records of use of all CMKs, it meets your audit and regulatory compliance requirements.

1.2 SSH Key Pair

As an alternative to the traditional username+password authentication method, SSH key pairs (key pairs in short) are provided for users to remotely log in to Linux servers.

A pair of keys, one public key and one private key, is generated based on an encryption algorithm. While the public key is saved in HUAWEI CLOUD, the private key is saved by the user. You can also manage your private keys on HUAWEI CLOUD based on your needs.

If you have configured the public key in a Linux server, you can use the private key to log in to the server without a password. As you do not need to enter a password, the password cannot be intercepted, cracked, or leaked, and the server becomes more secure.

1.3 Dedicated HSM

Dedicated Hardware Security Module (Dedicated HSM) is a service provided by HUAWEI CLOUD for encryption, decryption, signature, signature verification, key generation, and the secure storage of keys.

Dedicated HSM enables you to migrate capabilities of off-cloud hardware security modules to the cloud, and provides exclusive, high-performance, secure, and compliant computing resources in the encryption domain. You can fully control the generation and storage of keys, as well as access authentication for keys. HUAWEI CLOUD offers services only for monitoring and managing HSMs, and provides network infrastructure.

Dedicated HSM offers compliant banking data HSMs, cryptographic servers, and servers for signing and signature verification, which can be applied flexibly to various service scenarios. It ensures that your data is in compliance with security regulations, and meets your privacy requirements for cloud service data.

Business Flowchart

If you need to use Dedicated HSM in the cloud, you can purchase a Dedicated HSM instance (instance for short) on Dedicated HSM. Then initialize the instance, and authorize your service applications to access the instance. Figure 1-1 is the business flowchart.

Figure 1-1 Business flowchart

Table 1-1 describes the business process.

Table 1-1 Business process description

No. Description

1 Purchase an instance on Dedicated HSM. The HUAWEI CLOUD security team will evaluate your use scenarios to ensure that the instance meets your service requirements. Then you can pay for the order.

2 A UKey is the only identifier of the Dedicated HSM user. Keep it properly. A HUAWEI CLOUD security expert will send the UKey to the recipient address provided by you.

3 Once your order is paid, HUAWEI CLOUD allocates an instance to you.

4 You can use the UKey and the security management client to initialize your instance, and register an administrator account.

5 Through the security management client, the registered administrator can grant service applications the permission to access the instance.

6 You can use the SDK to establish a secure connection to Dedicated HSM and access your instance.

Functions

Dedicated HSM provides the following capabilities:

- Generation, storage, import, export, and management of encryption keys (both symmetric and asymmetric keys)
- Data encryption and decryption by using symmetric and asymmetric algorithms
- Using cryptographic hash functions to calculate message digests and hash-based message authentication codes
- Signing data and code, and verifying signatures
- Random data generation

Supported Encryption Algorithms

Symmetric Encryption Algorithm: SM1, SM4, DES, 3DES, and AES

Asymmetric Encryption Algorithm: SM2 and RSA (1024-2048)

Digest Algorithm: SM3, SHA1, SHA256, and SHA384

Permission Authentication

- Dedicated HSM devices are managed separately from their content (which is sensitive). Even HUAWEI CLOUD O&M personnel have no access to your keys.
- Sensitive instructions are classified for hierarchical authorization, which effectively prevents unauthorized access.
- Several authentication types are supported, such as username/password and digital certificate.

Reliability

Each instance exclusively uses its own Dedicated HSM chips. Even if some hardware chips are damaged, the service is not affected.


1.4 Region and AZ

A region is a geographic area where resources used by KMS are located.

Each region comprises one or more availability zones (AZs) and is completely isolated from other regions. Only AZs in the same region can communicate with one another through an internal network.

HUAWEI CLOUD has data centers in different regions in China. Therefore, KMS can be used in different regions. KMS is designed to meet your customized requirements or local legal or other requirements in different regions.

Each region contains many AZs where power and networks are physically isolated. AZs in the same region can communicate with each other over the intranet. Different AZs are physically isolated from each other. Each AZ provides cost-effective and low-latency network connections that are unaffected by faults that may occur in other AZs. Therefore, deploying KMS in separate AZs protects your applications against local faults that occur in a specific location.

1.5 Project

A project is used to group and isolate OpenStack resources, including computing, storage, and network resources. A project can be a department or a project team.

Multiple projects can be created for one account.

1.6 Functions

- CMK management
  Using the KMS console or APIs, you can perform the following operations on CMKs:
  – Creating, querying, enabling, disabling, scheduling the deletion of, and canceling the deletion of CMKs
  – Modifying the aliases and description of CMKs
  – Encrypting and decrypting small volumes of data
  – Adding, searching for, editing, and deleting tags

- SSH key pair management
  Using the KMS console or APIs, you can perform the following operations on key pairs:
  – Creating, importing, viewing, and deleting key pairs
  – Resetting, replacing, binding, and unbinding key pairs
  – Managing, importing, exporting, and clearing private keys

- Managing Dedicated HSM instances
  You can buy Dedicated HSM instances and view the information about purchased instances on the Dedicated HSM page on the KMS console.

- Creating, encrypting, and decrypting DEKs; creating, revoking, querying, and retiring a grant for a CMK; importing and deleting key materials; enabling, modifying, and disabling the CMK rotation interval
  You can use the KMS APIs to perform the following operations:
  – Creating, encrypting, or decrypting data encryption keys (DEKs)
  – Creating, canceling, querying, and retiring authorized grants
  – Obtaining parameters for importing keys, importing key materials, and deleting key materials
  – Enabling or disabling the key rotation function and modifying the key rotation interval
  For details, see the Key Management Service API Reference.

- Generating hardware true random numbers
  You can generate 512-bit random numbers using the KMS API. The 512-bit hardware true random numbers can be used as, or serve as the basis for, key materials and encryption parameters. For details, see the Data Encryption Workshop API Reference.

1.7 Application Scenarios

1.7.1 Encrypting Small Volumes of Data

You can use the online tool on the KMS console or call the necessary KMS APIs to directly encrypt or decrypt a small volume of data with a CMK, such as passwords, certificates, or phone numbers. Currently, a maximum of 4 KB of data can be encrypted or decrypted in this way.

Figure 1-2 shows an example of how to call the APIs to encrypt and decrypt an HTTPS certificate.

Figure 1-2 Encrypting and decrypting an HTTPS certificate

The procedure is as follows:

1. Create a CMK on KMS.

2. Call the encrypt-data interface of KMS and use the CMK to encrypt the plaintext certificate.

3. Deploy the certificate onto a server.

4. The server uses the decrypt-data interface of KMS to decrypt the ciphertext certificate.

1.7.2 Encrypting Large Volumes of Data

If you want to encrypt or decrypt large volumes of data, such as pictures, videos, and database files, you can use the envelope encryption method, where the data does not need to be transferred over the network.

Encrypting a local file

Figure 1-3 illustrates the process for encrypting a local file.

Figure 1-3 Encrypting a local file

The procedure is as follows:

1. Create a CMK on KMS.

2. Call the create-datakey interface of KMS to create a DEK. Then you get a plaintext DEK and a ciphertext DEK. The ciphertext DEK is generated when you use a CMK to encrypt the plaintext DEK.

3. Use the plaintext DEK to encrypt the file. A ciphertext file is generated.

4. Save the ciphertext DEK and the ciphertext file together in a permanent storage device or a storage service.


Decrypting a local file

Figure 1-4 illustrates the process for decrypting a local file.

Figure 1-4 Decrypting a local file

The procedure is as follows:

1. Obtain the ciphertext DEK and file from the permanent storage device or the storage service.

2. Call the decrypt-datakey interface of KMS and use the corresponding CMK (the one used for encrypting the DEK) to decrypt the ciphertext DEK. Then you get the plaintext DEK.
   If the CMK is deleted, the decryption fails. Therefore, keep your CMKs properly.

3. Use the plaintext DEK to decrypt the ciphertext file.
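The small-data path of 1.7.1 and the two envelope procedures above, as an added example that is not part of the original guide: a Go program in which a constructed in-memory stand-in replaces KMS (the real calls would go to the encrypt-data, decrypt-data, create-datakey and decrypt-datakey interfaces named above), the DEK is wrapped under the CMK, and the file is encrypted locally with AES-256-GCM (an assumed algorithm choice, not one the guide states). Only the 32-byte DEK ever goes to the KMS side; the file stays local, and once the CMK is deleted the stored ciphertext DEK, and with it the file, cannot be recovered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// fakeKMS is a constructed stand-in for the KMS side (not Huawei's API); CMK material never leaves it.
type fakeKMS map[string][]byte

// mustRandom draws n bytes from the OS CSPRNG; failure there is unrecoverable.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newGCM builds AES-256-GCM; keys here are always 32 bytes, so an error is a programming bug.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// aeadSeal/aeadOpen prefix a random 12-byte nonce to the ciphertext; GCM's tag detects tampering.
func aeadSeal(key, plaintext []byte) []byte {
	gcm := newGCM(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func aeadOpen(key, sealed []byte) ([]byte, error) {
	gcm := newGCM(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// CreateCMK is step 1 of both procedures (material generated and kept server-side);
// DeleteCMK models the decrypt caveat: without the CMK, no DEK wrapped under it can be recovered.
func (k fakeKMS) CreateCMK(id string) { k[id] = mustRandom(32) }
func (k fakeKMS) DeleteCMK(id string) { delete(k, id) }

// EncryptData/DecryptData: the direct path of 1.7.1, capped at the 4 KB the guide states.
func (k fakeKMS) EncryptData(cmkID string, plaintext []byte) ([]byte, error) {
	if len(plaintext) > 4*1024 {
		return nil, fmt.Errorf("%d bytes exceeds 4 KB; use envelope encryption", len(plaintext))
	}
	cmk, ok := k[cmkID]
	if !ok {
		return nil, fmt.Errorf("CMK %q not found", cmkID)
	}
	return aeadSeal(cmk, plaintext), nil
}

func (k fakeKMS) DecryptData(cmkID string, ciphertext []byte) ([]byte, error) {
	cmk, ok := k[cmkID]
	if !ok {
		return nil, fmt.Errorf("CMK %q not found", cmkID)
	}
	return aeadOpen(cmk, ciphertext)
}

// CreateDataKey is step 2 of the encrypt procedure: plaintext DEK for local use, ciphertext DEK for storage.
func (k fakeKMS) CreateDataKey(cmkID string) (plainDEK, cipherDEK []byte, err error) {
	plainDEK = mustRandom(32)
	cipherDEK, err = k.EncryptData(cmkID, plainDEK)
	return plainDEK, cipherDEK, err
}

// Envelope is what step 4 stores together: the ciphertext DEK and the ciphertext file.
type Envelope struct{ CipherDEK, CipherFile []byte }

// EncryptFile runs steps 2-4 on the client; the file itself never goes to KMS.
func EncryptFile(k fakeKMS, cmkID string, file []byte) (*Envelope, error) {
	plainDEK, cipherDEK, err := k.CreateDataKey(cmkID)
	if err != nil {
		return nil, err
	}
	return &Envelope{CipherDEK: cipherDEK, CipherFile: aeadSeal(plainDEK, file)}, nil
}

// DecryptFile runs the decrypt procedure with the CMK that wrapped the DEK: decrypt-datakey via KMS, then local decrypt.
func DecryptFile(k fakeKMS, cmkID string, env *Envelope) ([]byte, error) {
	plainDEK, err := k.DecryptData(cmkID, env.CipherDEK)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap DEK: %w", err)
	}
	return aeadOpen(plainDEK, env.CipherFile)
}
```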

1.7.3 Encrypting Data in OBS

- When uploading a file to Object Storage Service (OBS) in server-side encryption mode, you can select KMS encryption to use a CMK provided by KMS to protect the file. For details, see the Object Storage Service User Guide.
  There are two types of CMKs that can be used:
  – The Default Master Key obs/default created by KMS
  – Non-Default Master Keys created on the KMS console using KMS-generated key materials

- Alternatively, you can call OBS APIs to upload a file with server-side encryption using KMS-managed keys (SSE-KMS). For details, see the Object Storage Service API Reference.


1.7.4 Encrypting Data in EVS

- When you purchase an Elastic Volume Service (EVS) disk on the EVS console, you can select Encryption to use a CMK provided by KMS to encrypt data on the disk. For details, see the Elastic Volume Service User Guide.

  NOTE
  Before you use the encryption function, EVS must be granted the permission to access KMS. If you have the right to grant the permission, you can grant it directly. If you do not, contact a user with the security administrator permission to add the security administrator permission for you. Then you can grant the permission. For details, see the Elastic Volume Service User Guide.

  There are two types of CMKs that can be used:
  – The Default Master Key evs/default created by KMS
  – Non-Default Master Keys created on the KMS console using KMS-generated key materials

- You can also call EVS APIs to purchase encrypted EVS disks. For details, see the Elastic Volume Service API Reference.

1.7.5 Encrypting Data in IMS

- When uploading an image file to the Image Management Service (IMS), you can choose to encrypt the image file using a CMK provided by KMS to protect the file. For details, see the Image Management Service User Guide.
  There are two types of CMKs that can be used:
  – The Default Master Key ims/default created by KMS
  – Non-Default Master Keys created on the KMS console using KMS-generated key materials

- You can also call IMS APIs to create encrypted image files. For details, see the Image Management Service API Reference.

1.7.6 Logging In to a Linux ECS

If your Elastic Cloud Server (ECS) runs a Linux OS, you can use a key pair to log in to the ECS. For details, see the Elastic Cloud Server User Guide.

When purchasing an ECS, you can choose either of the following key pairs:

- Key pairs created or imported on the Elastic Cloud Server (ECS) console
- Key pairs created or imported on the KMS console

1.7.7 Obtaining the Password for Logging In to a Windows ECS

If your Elastic Cloud Server (ECS) runs a Windows OS, you need to obtain the login password using the private key of a key pair. For details, see the Elastic Cloud Server User Guide.

When purchasing an ECS, you can choose either of the following key pairs:

- Key pairs created or imported on the Elastic Cloud Server (ECS) console
- Key pairs created or imported on the KMS console


1.7.8 Encrypting Your Service System Using Dedicated HSMIf you have purchased an HSM instance provided by Dedicated HSM on HUAWEI CLOUD,you can initialize and manage your HSM instance with the UKey provided by HUAWEICLOUD. You can fully control the key generation, storage, and access authentication. Youcan use Dedicated HSM to encrypt your service systems (including encryption of sensitivedata, financial payment, and electronic tickets). Dedicated HSM helps you encrypt enterprisesensitive data (such as contracts, transactions, and SNs) and user sensitive data (such as userID numbers and mobile numbers), to prevent hackers from cracking the network and draggingthe database, which may cause data leakage, and prevent illegal access to or tampering withdata by internal users.

Figure 1-5 shows the scenario where sensitive data is encrypted.

Figure 1-5 Sensitive data encryption

1.8 Accessing and Using KMS

1.8.1 How to Access KMS

HUAWEI CLOUD provides a web-based service management platform. You can access KMS using HTTPS-compliant APIs or the management console.

l Management console
If you have registered with HUAWEI CLOUD, you can log in to the management console directly. Click in the upper left corner of the console and select a region or project. Choose Security > Key Management Service.

l API
You can access KMS using APIs. For details, see the Data Encryption Workshop API Reference.


1.8.2 How to Use KMS

Working with OBS

Users can upload objects to and download them from Object Storage Service (OBS) in common mode or server-side encryption mode. When users upload objects in encryption mode, data is encrypted at the server side and then securely stored on OBS in ciphertext. When users download encrypted objects, the data in ciphertext is decrypted at the server side and then provided to users in plaintext. OBS supports the server-side encryption with KMS-managed keys (SSE-KMS) mode. In SSE-KMS mode, OBS uses the keys provided by KMS for server-side encryption.

For details about how to upload objects to OBS in SSE-KMS mode, see the Object Storage Service Console Guide.

Working with EVS

If you enable the encryption function when creating an EVS disk and select a CMK provided by KMS to encrypt the EVS disk, data stored to the EVS disk is automatically encrypted.

For details about how to use the encryption function of EVS, see the Elastic Volume Service User Guide.

Working with IMS

When creating a private image using an external image file, you can enable the private image encryption function and select a CMK provided by KMS to encrypt the image.

For details about how to use the private image encryption function of Image Management Service (IMS), see the Image Management Service User Guide.

Working with ECS

When purchasing an ECS running a Linux OS, you can choose to authenticate users trying to log in to your ECS with the SSH key pair provided by KMS. When purchasing an ECS running a Windows OS, you can choose to obtain the password used to log in to your ECS from the key file provided by KMS.

For details about how to use the authentication function of ECSs, see the Elastic Cloud Server User Guide.

You can purchase HSM instances and use the keys generated by Dedicated HSM to encrypt and decrypt sensitive data in service systems on your ECS.

Working with User Applications

To encrypt plaintext data, a user application can call the necessary KMS API to generate a DEK. The DEK can then be used to encrypt the plaintext data. Then the application can store the encrypted data. In addition, the user application can call the necessary KMS API to create CMKs. DEKs can be stored in ciphertext after being encrypted with the CMKs. For details, see the Data Encryption Workshop API Reference.
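The envelope pattern described above, as an added example that is not part of the original guide and does not use Huawei's KMS API or SDK: the key service is a simulated in-memory stand-in (SimulatedKms, create_data_key and decrypt_data_key are assumed names), and the AES-GCM a real deployment would use is replaced by an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag so the example runs with the standard library only. What it shows is the key hierarchy: the application stores only the CMK-wrapped DEK beside the ciphertext, the plaintext DEK is used once and discarded, and decryption is impossible without a call back to the key service.

```python
import hashlib
import hmac
import os
import secrets


def _keystream(key, nonce, length):
    """Keystream = HMAC-SHA256(key, nonce || counter) blocks. Stand-in for
    AES-CTR so the example needs no third-party library."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC; output layout is nonce(16) || ciphertext || tag(32)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    """Verify the tag before decrypting; anything modified in storage is rejected."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: ciphertext or wrapped DEK was modified")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SimulatedKms:
    """In-memory stand-in for the key service (assumption: not the real API).
    CMK material never leaves this object; callers only ever see a plaintext
    DEK (to use once and discard) and the CMK-wrapped DEK (to store)."""

    def __init__(self):
        self._cmks = {}
        self.aliases = {}

    def create_key(self, alias):
        key_id = "cmk-" + secrets.token_hex(4)      # constructed ID format
        self._cmks[key_id] = secrets.token_bytes(32)
        self.aliases[key_id] = alias
        return key_id

    def create_data_key(self, key_id):
        """Return (plaintext DEK, DEK wrapped under the CMK)."""
        dek = secrets.token_bytes(32)
        return dek, seal(self._cmks[key_id], dek)

    def decrypt_data_key(self, key_id, wrapped_dek):
        return open_sealed(self._cmks[key_id], wrapped_dek)


def encrypt_record(kms, key_id, plaintext):
    """Application side: the plaintext DEK is used once and is not stored."""
    dek, wrapped_dek = kms.create_data_key(key_id)
    return {"key_id": key_id, "wrapped_dek": wrapped_dek, "body": seal(dek, plaintext)}


def decrypt_record(kms, record):
    """The stored record is useless without a key-service call that unwraps its DEK."""
    dek = kms.decrypt_data_key(record["key_id"], record["wrapped_dek"])
    return open_sealed(dek, record["body"])


if __name__ == "__main__":
    kms = SimulatedKms()
    cmk = kms.create_key("app/orders")                   # constructed alias
    record = encrypt_record(kms, cmk, b"order 1042: 3 units")  # constructed payload
    print(decrypt_record(kms, record))
```

Because the DEK is wrapped under the CMK, disabling or deleting the CMK in the key service makes every record encrypted under it unreadable at once, which is why the later sections on disabling and scheduled deletion matter to the application owner.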


1.8.3 Related Services

OBS

KMS provides central management and control capabilities of CMKs for Object Storage Service (OBS). It is applied to the server-side encryption with KMS-managed keys (SSE-KMS) function of OBS.

EVS

KMS provides central management and control capabilities of CMKs for Elastic Volume Service (EVS). It is applied to the encryption function of EVS.

IMS

KMS provides central management and control capabilities of CMKs for Image Management Service (IMS). It is applied to the private image encryption function of IMS.

ECS

KMS manages key pairs of ECSs. The key pairs are used to authenticate users logging in to the ECSs.

Instances provided by Dedicated HSM can encrypt sensitive data in the service systems on your ECSs. You can control the generation, storage, and access authorization of keys to ensure the integrity and confidentiality of data during transmission and storage.

CTS

Cloud Trace Service (CTS) provides you with a history of KMS operations. After the CTS service is enabled, you can view all generated traces to review and audit performed KMS operations. For details, see the Cloud Trace Service User Guide.

IAM

Identity and Access Management (IAM) provides the permission management function for DEW.

Only users who have KMS Administrator permissions can use KMS.

Only users who have Server Administrator permissions can use the key pair function.

To apply for permissions, contact a user with Security Administrator permissions. For details, see the Identity and Access Management User Guide.

1.8.4 User Permissions

The public cloud system provides two types of permissions by default: user management and resource management. User management refers to the management of users, user groups, and user groups' rights. Resource management refers to the control operations that can be performed by users on cloud service resources.

For details about DWS user permissions, see Permissions.


2 Auditing

2.1 KMS Operations Supported by CTS

Table 2-1 lists KMS operations that are recorded by CTS.

Table 2-1 KMS operations

Operation                                  Resource Type   Trace Name
Key creation                               cmk             createKey
Data key creation                          cmk             createDataKey
Plaintext-free data key creation           cmk             createDataKeyWithoutPlaintext
Key enabling                               cmk             enableKey
Key disabling                              cmk             disableKey
Data key encryption                        cmk             encryptDataKey
Data key decryption                        cmk             decryptDataKey
Scheduled key deletion                     cmk             scheduleKeyDeletion
Cancellation of scheduled key deletion     cmk             cancelKeyDeletion
Random number generation                   rng             genRandom
Key alias update                           cmk             updateKeyAlias
Key description update                     cmk             updateKeyDescription
Risk prompt of key deletion                cmk             deleteKeyRiskTips
Authentication creation                    cmk             createGrant
Grant retiring                             cmk             retireGrant
Grant revoking                             cmk             revokeGrant
Data encryption                            cmk             encryptData
Data decryption                            cmk             decryptData
Tag adding                                 cmk             createKeyTag
Tag deletion                               cmk             deleteKeyTag
Batch tag adding                           cmk             batchCreateKeyTags
Batch tag deletion                         cmk             batchDeleteKeyTags
SSH key pair creation and import           keypair         createOrImportKeypair
SSH key pair deletion                      keypair         deleteKeypair
Private key import                         keypair         importPrivateKey
Private key export                         keypair         exportPrivateKey

2.2 Viewing Audit Logs

Once CTS is enabled, the system starts recording operations on KMS. Operation records for the last 7 days are stored on the CTS console.

Viewing Audit Logs

Step 1 Log in to the management console.

Step 2 Click Service List on the upper part of the page and select Cloud Trace Service under Management & Deployment.

Step 3 Choose Trace List in the navigation pane on the left.

Step 4 Click Filter in the upper right corner of the event list to set the operation event conditions.

The following four filters are available:

l Trace Source, Resource Type, and Screening Type.

– Select the filter from the drop-down list. Select KMS for Trace Source from the drop-down list box.

– When you select Trace name for Search By, you also need to select a specific trace name.

– When you select Resource ID for Search By, you also need to select or enter a specific resource ID.

– When you select Resource name for Search By, you also need to select or enter a specific resource name.

l Operator: Select a specific operator (a user rather than a tenant).


l Trace Rating: Available options include all trace status, normal, warning, and incident. You can select only one of them.

l Time range: You can specify a start time and an end time to query traces generated within that period.

Step 5 Click Search to view the corresponding operation event.

Step 6 Click on the left of a trace to expand its details, as shown in Figure 2-1.

Figure 2-1 Expanding trace details

Step 7 Click View Trace in the Operation column. On the displayed View Trace dialog box shown in Figure 2-2, the trace structure details are displayed.

Figure 2-2 Viewing traces

----End
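The filters in the procedure above and the trace names in Table 2-1 are what an auditor actually works with, so here is an added example, not part of the original guide, that applies them in code. The trace records are constructed and use a simplified shape (trace_source, resource_type, trace_name, resource_id, operator, trace_rating, time); they are not the real CTS record format, and HIGH_RISK_TRACES is this example's own choice of names from Table 2-1 to review first, not a classification the page makes.

```python
import json
from datetime import datetime

# Constructed sample traces (simplified shape, not the real CTS record format).
SAMPLE_TRACES_JSON = """[
 {"trace_source": "KMS", "resource_type": "cmk", "trace_name": "createKey",
  "resource_id": "cmk-0001", "operator": "alice", "trace_rating": "normal",
  "time": "2018-05-10T09:00:00"},
 {"trace_source": "KMS", "resource_type": "cmk", "trace_name": "createDataKey",
  "resource_id": "cmk-0001", "operator": "svc-orders", "trace_rating": "normal",
  "time": "2018-05-10T09:05:00"},
 {"trace_source": "KMS", "resource_type": "cmk", "trace_name": "disableKey",
  "resource_id": "cmk-0001", "operator": "bob", "trace_rating": "normal",
  "time": "2018-05-11T22:40:00"},
 {"trace_source": "KMS", "resource_type": "cmk", "trace_name": "scheduleKeyDeletion",
  "resource_id": "cmk-0001", "operator": "bob", "trace_rating": "normal",
  "time": "2018-05-11T22:41:00"},
 {"trace_source": "KMS", "resource_type": "keypair", "trace_name": "exportPrivateKey",
  "resource_id": "kp-web-01", "operator": "bob", "trace_rating": "warning",
  "time": "2018-05-11T22:50:00"},
 {"trace_source": "OBS", "resource_type": "bucket", "trace_name": "putObject",
  "resource_id": "bucket-a", "operator": "alice", "trace_rating": "normal",
  "time": "2018-05-12T08:00:00"},
 {"trace_source": "KMS", "resource_type": "cmk", "trace_name": "cancelKeyDeletion",
  "resource_id": "cmk-0001", "operator": "alice", "trace_rating": "normal",
  "time": "2018-05-12T10:00:00"}
]"""

# Trace names from Table 2-1 that remove protection from data or move key
# material out of the service; this selection is the example's own.
HIGH_RISK_TRACES = {"disableKey", "scheduleKeyDeletion", "revokeGrant",
                    "exportPrivateKey", "deleteKeypair"}


def load_traces(text):
    traces = json.loads(text)
    for t in traces:
        t["time"] = datetime.fromisoformat(t["time"])
    return traces


def filter_traces(traces, trace_source="KMS", trace_name=None, resource_id=None,
                  operator=None, start=None, end=None):
    """The same narrowing the console filters do: source, trace name,
    resource ID, operator and time range (ISO strings or datetimes)."""
    if isinstance(start, str):
        start = datetime.fromisoformat(start)
    if isinstance(end, str):
        end = datetime.fromisoformat(end)
    out = []
    for t in traces:
        if t["trace_source"] != trace_source:
            continue
        if trace_name and t["trace_name"] != trace_name:
            continue
        if resource_id and t["resource_id"] != resource_id:
            continue
        if operator and t["operator"] != operator:
            continue
        if start and t["time"] < start:
            continue
        if end and t["time"] > end:
            continue
        out.append(t)
    return out


def high_risk_traces(traces):
    return [t for t in filter_traces(traces) if t["trace_name"] in HIGH_RISK_TRACES]


def off_hours_traces(traces, work_start=8, work_end=18):
    """KMS changes outside a working-hours window (constructed here as 08:00-18:00)."""
    return [t for t in filter_traces(traces) if not work_start <= t["time"].hour < work_end]


def pending_deletions(traces):
    """CMK IDs with a scheduleKeyDeletion not followed by a cancelKeyDeletion:
    the keys that become unrecoverable when their scheduled date arrives."""
    pending = {}
    for t in sorted(filter_traces(traces), key=lambda x: x["time"]):
        if t["trace_name"] == "scheduleKeyDeletion":
            pending[t["resource_id"]] = t["time"]
        elif t["trace_name"] == "cancelKeyDeletion":
            pending.pop(t["resource_id"], None)
    return pending
```

Since the console keeps only 7 days of records, a review like this has to run at least weekly, or the traces have to be exported to longer-term storage first.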


3 Encryption Key

3.1 Creating a CMK

This section describes how to create a CMK on the KMS management console. You can create up to 100 CMKs, excluding Default Master Keys.

To create more CMKs, choose Console > View Quota > Increase Quota and increase your quota.

The CMK applies to the following scenarios:

l Server-side encryption on OBS

l Encryption of data on EVS disks

l Encryption of private images

l Direct encryption and decryption of small volumes of data

l DEK encryption and decryption for user applications

NOTE

Aliases of Default Master Keys end with /default. Therefore, in choosing aliases for your CMKs, do not use aliases ending with /default.

Prerequisites

You have obtained an account and its password for logging in to the management console.

Creating a CMK

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 Click Create Key. The Create Key dialog box is displayed. Enter the alias and description of the key.


Step 5 Click OK. The Key created successfully message is displayed in the upper right corner of the Key Management Service page.

In the CMK list, you can view created CMKs. The default status of a CMK is Enabled.

----End

Related Operations

l For details about how to upload objects with server-side encryption, see section Uploading a File with Server-Side Encryption in the Object Storage Service Console Operation Guide.

l For details about how to encrypt data on EVS disks, see section Purchasing an EVS Disk in the Elastic Volume Service User Guide.

l For details about how to encrypt private images, see section Encrypting an Image in the Image Management Service User Guide.

l For details about how to create a DEK and a plaintext-free DEK, see sections Creating a DEK and Creating a Plaintext-Free DEK in the Key Management Service API Reference.

l For details about how to encrypt and decrypt a DEK for a user application, see sections Encrypting a DEK and Decrypting a DEK in the Key Management Service API Reference.

3.2 Using the Online Tool to Encrypt and Decrypt Small Volumes of Data

This section describes how to use the online tool to encrypt or decrypt a small volume (4 KB or smaller) of data on the KMS console.

NOTE

l Default Master Keys cannot be used to encrypt or decrypt such data with the tool.

l You can call the necessary APIs to use a Default Master Key to encrypt or decrypt small volumes of data. For details, see the Key Management Service API Reference.

Prerequisites

l You have obtained an account and its password for logging in to the management console.

l The desired CMK is in Enabled status.

Encrypting Data

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 Click the alias of the desired CMK to view its details, and go to the online tool for data encryption and decryption.


Step 5 Click Encrypt. In the text box on the left, enter the data to be encrypted, as shown in Figure 3-1.

Figure 3-1 Encrypting data

Step 6 Click Execute. Ciphertext of the data is displayed in the text box on the right.

NOTE

l The current CMK is used to encrypt the data.

l You can click Clear to clear the entered data.

l You can click Copy to Clipboard to copy the ciphertext and save it in a local file.

----End

Decrypting Data

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 Click any CMK in Enabled status to go to the encryption and decryption page of the online tool.

Step 5 Click Decrypt. In the text box on the left, enter the data to be decrypted, as shown in Figure 3-2.

NOTE

l The tool will identify the original encryption CMK and use it to decrypt the data.

l However, if the CMK has been deleted, the decryption fails.

Figure 3-2 Decrypting data


Step 6 Click Execute. Plaintext of the data is displayed in the text box on the right.

NOTE

You can click Copy to Clipboard to copy the plaintext and save it in a local file.

----End

3.3 Managing Tags

3.3.1 Adding a Tag

Tags are used to identify CMKs. You can add tags to CMKs so that you can classify CMKs, trace them, and collect their usage status according to the tags.

NOTICE

KMS does not support adding tags to the default CMK.

Prerequisites

You have obtained an account and its password for logging in to the management console.

Adding a Tag

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 Click the alias of the desired CMK to view its details.

Step 5 Click Tags to go to the tag management page, as shown in Figure 3-3.

Figure 3-3 Tag management page


Step 6 Click Add Tag. A dialog box is displayed, as shown in Figure 3-4.

Figure 3-4 Adding a tag

NOTE

If you are adding multiple tags and want to remove one of them before it is added, click Delete in the row of that tag.

Step 7 In the Add Tag dialog box, enter the tag key and tag value. Table 3-1 describes the parameters.

Table 3-1 Tag parameters

Parameter: Tag key

Description: Name of a tag. The same tag (including tag key and tag value) can be used for different CMKs. However, under the same CMK, one tag key can have only one tag value. A maximum of 10 tags can be added for one CMK.

Value:

l Mandatory.

l Each tag key must be unique under the same CMK.

l Contains a maximum of 36 characters.

l The following character types are allowed:
– Uppercase letters
– Lowercase letters
– Digits
– Special characters, including hyphens (-) and underscores (_)

Example Value: cost

Parameter: Tag value

Description: Value of the tag.

Value:

l This parameter can be empty.

l Can contain a maximum of 43 characters.

l The following character types are allowed:
– Uppercase letters
– Lowercase letters
– Digits
– Special characters, including periods (.), hyphens (-) and underscores (_)

Example Value: 100

Step 8 Click OK to complete.

----End
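The rules in Table 3-1 and in the NOTICE above (no tags on the default CMK) are simple enough to check before a console or API call, and the same model covers the search (3.3.2), edit (3.3.3) and delete (3.3.4) operations that follow. The code below is an added example, not part of the original guide; CmkTags, validate_tag and search_cmks are this example's own names, and it assumes the service enforces the same rules server-side, so a local check only gives earlier and clearer errors.

```python
import re

MAX_TAGS_PER_CMK = 10          # Table 3-1
MAX_TAGS_PER_SEARCH = 10       # NOTE in 3.3.2
KEY_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,36}")      # letters, digits, '-', '_'; 1-36 chars
VALUE_PATTERN = re.compile(r"[A-Za-z0-9._-]{0,43}")   # also '.'; may be empty; up to 43 chars


def validate_tag(key, value):
    """Return the list of rule violations; an empty list means the tag is acceptable."""
    errors = []
    if not key:
        errors.append("tag key is mandatory")
    elif not KEY_PATTERN.fullmatch(key):
        errors.append("tag key must be 1-36 characters from A-Z, a-z, 0-9, '-' and '_'")
    if not VALUE_PATTERN.fullmatch(value):
        errors.append("tag value must be 0-43 characters from A-Z, a-z, 0-9, '.', '-' and '_'")
    return errors


class CmkTags:
    """Tags of one CMK, with the console's rules enforced locally
    (assumption: a mirror of the service-side checks, not the service itself)."""

    def __init__(self, alias):
        self.alias = alias
        self.tags = {}

    def add(self, key, value):                      # 3.3.1 Adding a Tag
        if self.alias.endswith("/default"):
            raise ValueError("Default Master Keys cannot be tagged")
        errors = validate_tag(key, value)
        if errors:
            raise ValueError("; ".join(errors))
        if key in self.tags:
            raise ValueError(f"tag key {key!r} already exists under this CMK; edit its value instead")
        if len(self.tags) >= MAX_TAGS_PER_CMK:
            raise ValueError(f"a CMK can carry at most {MAX_TAGS_PER_CMK} tags")
        self.tags[key] = value

    def edit(self, key, value):                     # 3.3.3 Modifying Tag Values
        if key not in self.tags:
            raise KeyError(key)
        errors = validate_tag(key, value)
        if errors:
            raise ValueError("; ".join(errors))
        self.tags[key] = value

    def delete(self, key):                          # 3.3.4 Deleting Tags
        del self.tags[key]


def search_cmks(cmks, criteria):
    """3.3.2 Searching for Tags: every tag in criteria must match (combined criteria)."""
    if len(criteria) > MAX_TAGS_PER_SEARCH:
        raise ValueError(f"at most {MAX_TAGS_PER_SEARCH} tags per search")
    return [c for c in cmks if all(c.tags.get(k) == v for k, v in criteria.items())]
```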

3.3.2 Searching for Tags

This section describes how to search for tags on the KMS console. You can search for tags of all CMKs that meet the search criteria in the current project.

Prerequisites

l You have obtained an account and its password for logging in to the management console.

l Tags have been added.

Searching for Tags

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 Click Search Tag to show the search box, as shown in Figure 3-5.

Figure 3-5 Searching for tags


Step 5 In the search box, enter the tag key and tag value.

Step 6 Click to add the input to the search criteria, and click Search. The list displays the CMKs that meet the search criteria, as shown in Figure 3-6.

Figure 3-6 Search results

NOTE

l Multiple tags can be searched for at one time, up to a maximum of 10 per search. When multiple tags are searched for at one time, each CMK in the search result meets all of the combined search criteria.

l If you want to delete an added tag from the search criteria, click next to the tag.

l You can click Reset to reset the search criteria.

----End

3.3.3 Modifying Tag Values

This section describes how to modify tag values on the KMS console.

Prerequisites

You have obtained an account and its password for logging in to the management console.

Modifying Tag Values

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 Click the alias of the desired CMK to view its details.

Step 5 Click Tags to go to the tag management page, as shown in Figure 3-7.


Figure 3-7 Tag management page

Step 6 Click Edit of the target tag, and the Edit Tag dialog box is displayed, as shown in Figure 3-8.

Figure 3-8 Editing a tag

Step 7 In the Edit Tag dialog box, enter a tag value, and click OK to complete the editing.

----End

3.3.4 Deleting Tags

This section describes how to delete tags on the KMS console.

Prerequisites

You have obtained an account and its password for logging in to the management console.

Deleting a Tag

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.


Step 4 Click the alias of the desired CMK to view its details.

Step 5 Click Tags to go to the tag management page, as shown in Figure 3-9.

Figure 3-9 Tag management page

Step 6 Click Delete of the target tag, and the Delete Tag dialog box is displayed.

Step 7 In the Delete Tag dialog box, click OK to complete the deletion.

----End

3.4 Managing CMKs

3.4.1 Viewing a CMK

This section describes how to use the management console to view the information about a CMK, such as its alias, status, ID, and creation time. The status of a CMK can be Enabled, Disabled, or Scheduled deletion.

Prerequisites

You have obtained an account and its password for logging in to the management console.

Viewing CMK Details

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 In the list of CMKs, view information about the desired CMK, as shown in Figure 3-10.


Figure 3-10 CMK list

NOTE

l The All statuses drop-down box enables you to specify a status so that only CMKs of that status are displayed in the list.

l Enter an alias of a CMK in the search box in the upper right corner and click or press Enter to search for a specified CMK.

l You can click Search Tag to search for the CMK that meets the search criteria.

l You can click at the upper right corner on top of the CMK list to show or hide columns of the CMK list.

Table 3-2 describes the parameters of a CMK list.

Table 3-2 CMK list parameters

Parameter   Description
Alias       Alias of a CMK
Status      Status of a CMK, which can be one of the following:
            l Enabled: The CMK is enabled.
            l Disabled: The CMK is disabled.
            l Scheduled deletion: The CMK is scheduled for deletion.
ID          Random ID of a CMK generated during the CMK creation
Created     Creation time of the CMK

Step 5 You can click the alias of a CMK to view its details, as shown in Figure 3-11.


Figure 3-11 CMK details

NOTE

Click in the Alias or Description line to change the alias or description of the CMK.

l A Default Master Key (the alias suffix of which is /default) does not allow alias and description changes.

l The alias and description of a CMK cannot be changed if the CMK is in Scheduled deletion status.

----End

3.4.2 Enabling One or Multiple CMKs

This section describes how to use the KMS console to enable one or multiple CMKs. Only enabled CMKs can be used to encrypt or decrypt data. A new CMK is in the Enabled state by default.

Prerequisites

l You have obtained an account and its password for logging in to the management console.

l The CMK you want to enable is in Disabled status.

Enabling one CMK

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 In the row containing the desired CMK, click Enable.


Figure 3-12 Enabling one CMK

Step 5 In the dialog box that is displayed, click OK to enable the CMK.

----End

Enabling multiple CMKs

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 In the list of CMKs, select the desired CMKs and click Enable.

Figure 3-13 Enabling multiple CMKs

Step 5 In the dialog box that is displayed, click OK to enable the CMKs.

----End

3.4.3 Disabling One or Multiple CMKs

This section describes how to use the KMS console to disable one or multiple CMKs, thereby protecting data in urgent cases.

After being disabled, a CMK cannot be used to encrypt or decrypt any data. Before using a disabled CMK to encrypt or decrypt data, you must enable it by following the instructions in Enabling One or Multiple CMKs.

NOTE

Default Master Keys created by KMS cannot be disabled.

Prerequisites

l You have obtained an account and its password for logging in to the management console.

l The CMK you want to disable is in Enabled status.

Disabling one CMK

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 In the row containing the desired CMK, click Disable.

Figure 3-14 Disabling one CMK

Step 5 In the dialog box that is displayed, click OK to disable the CMK.

----End

Disabling multiple CMKs

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 In the list of CMKs, select the desired CMKs and click Disable.

Figure 3-15 Disabling multiple CMKs

Step 5 In the dialog box that is displayed, click OK to disable the CMKs.

----End


3.4.4 Scheduling the Deletion of One or Multiple CMKs

This section describes how to use the management console to schedule the deletion of one or multiple unneeded CMKs.

In scheduled deletion of a CMK, the deletion will not take effect immediately. Instead, it will take effect after a customizable period of 7 to 1096 days. Before the specified deletion date, you can cancel the deletion if you want to use the CMK. Once deletion has taken effect, the CMK will be deleted permanently and you will not be able to decrypt data encrypted by it. Therefore, you are advised to exercise caution when performing this operation.

Before deleting the CMK, confirm that it is not in use and will not be used.

NOTE

Default Master Keys created by KMS cannot be scheduled for deletion.

Prerequisites

l You have obtained an account and its password for logging in to the management console.

l The CMK you want to schedule deletion for is in Enabled or Disabled status.

Scheduling the deletion of one CMK

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 In the row containing the desired CMK, click Delete.

Figure 3-16 Scheduling the deletion of one CMK

Step 5 In the dialog box that is displayed, enter the number of days after which you want the deletion to take effect.


Figure 3-17 Entering the period after which you want the deletion to take effect

Step 6 Click OK to schedule the deletion.

----End

Scheduling the deletion of multiple CMKs

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 In the list of CMKs, select desired CMKs and click Delete.

Figure 3-18 Scheduling the deletion of multiple CMKs

Step 5 In the dialog box that is displayed, enter the number of days after which you want the deletion to take effect.


Figure 3-19 Entering the period after which you want the deletion to take effect

Step 6 Click OK to schedule the deletion.

----End

3.4.5 Canceling the Scheduled Deletion of One or Multiple CMKs

This section describes how to use the management console to cancel the scheduled deletion of one or multiple CMKs prior to deletion execution. After the cancelation, the CMK is in Disabled status.

Prerequisites

l You have obtained an account and its password for logging in to the management console.

l The CMK for which you want to cancel the scheduled deletion is in Scheduled deletion status.

Canceling the scheduled deletion of one CMK

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.


Step 4 In the row containing the desired CMK, click Cancel Deletion.

Figure 3-20 Canceling the scheduled deletion of one CMK

Step 5 In the dialog box that is displayed, click OK to cancel the scheduled deletion.

After the cancelation, the CMK's status becomes Disabled. If you need to enable the CMK, see Enabling One or Multiple CMKs.

----End

Canceling the scheduled deletion of multiple CMKs

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 In the list of CMKs, select desired CMKs and click Cancel Deletion.

Figure 3-21 Canceling the scheduled deletion of multiple CMKs

Step 5 In the dialog box that is displayed, click OK to cancel the scheduled deletion.

After the cancelation, the CMKs' statuses become Disabled. If you need to enable the CMKs, see Enabling One or Multiple CMKs.

----End
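Sections 3.1 and 3.4.1 to 3.4.5 together define a small state machine for a CMK: Enabled, Disabled and Scheduled deletion, with the 7 to 1096 day deletion window, the rule that a cancelled deletion leaves the key Disabled, and the operations that Default Master Keys or keys scheduled for deletion refuse. The following added example, not part of the original guide, models those transitions locally so the consequences can be checked before touching real keys; KeyStore, Cmk and their methods are this example's own names, and it assumes the service applies the same rules on its side.

```python
from datetime import date, timedelta

ENABLED, DISABLED, SCHEDULED = "Enabled", "Disabled", "Scheduled deletion"
MIN_DELETION_DAYS, MAX_DELETION_DAYS = 7, 1096      # 3.4.4
CMK_QUOTA = 100                                     # 3.1, excluding Default Master Keys


class Cmk:
    def __init__(self, key_id, alias, is_default):
        self.key_id, self.alias, self.is_default = key_id, alias, is_default
        self.status = ENABLED          # a new CMK is Enabled by default
        self.delete_on = None          # date on which a scheduled deletion takes effect


class KeyStore:
    """Local model of the console's CMK states and transitions (assumption:
    the real service enforces these rules server-side; this only mirrors them)."""

    def __init__(self, today):
        self.today = date.fromisoformat(today)
        self.cmks = {}
        self._next = 0

    def _new_id(self):
        self._next += 1
        return f"cmk-{self._next:04d}"               # constructed ID format

    def create_default(self, alias):
        cmk = Cmk(self._new_id(), alias, True)
        self.cmks[cmk.key_id] = cmk
        return cmk.key_id

    def create(self, alias):
        if alias.endswith("/default"):
            raise ValueError("aliases ending with /default are reserved for Default Master Keys")
        if sum(not c.is_default for c in self.cmks.values()) >= CMK_QUOTA:
            raise ValueError("CMK quota reached; increase the quota first")
        cmk = Cmk(self._new_id(), alias, False)
        self.cmks[cmk.key_id] = cmk
        return cmk.key_id

    def status(self, key_id):
        return self.cmks[key_id].status

    def usable(self, key_id):
        """Only an Enabled CMK can encrypt or decrypt; a deleted one is gone for good."""
        return key_id in self.cmks and self.cmks[key_id].status == ENABLED

    def enable(self, key_id):                        # 3.4.2
        cmk = self.cmks[key_id]
        if cmk.status != DISABLED:
            raise ValueError("only a Disabled CMK can be enabled")
        cmk.status = ENABLED

    def disable(self, key_id):                       # 3.4.3
        cmk = self.cmks[key_id]
        if cmk.is_default:
            raise ValueError("Default Master Keys cannot be disabled")
        if cmk.status != ENABLED:
            raise ValueError("only an Enabled CMK can be disabled")
        cmk.status = DISABLED

    def schedule_deletion(self, key_id, days):       # 3.4.4
        cmk = self.cmks[key_id]
        if cmk.is_default:
            raise ValueError("Default Master Keys cannot be scheduled for deletion")
        if cmk.status not in (ENABLED, DISABLED):
            raise ValueError("CMK is already scheduled for deletion")
        if not MIN_DELETION_DAYS <= days <= MAX_DELETION_DAYS:
            raise ValueError(f"deletion period must be {MIN_DELETION_DAYS} to {MAX_DELETION_DAYS} days")
        cmk.status = SCHEDULED
        cmk.delete_on = self.today + timedelta(days=days)

    def cancel_deletion(self, key_id):               # 3.4.5: the key ends up Disabled
        cmk = self.cmks[key_id]
        if cmk.status != SCHEDULED:
            raise ValueError("CMK is not scheduled for deletion")
        cmk.status, cmk.delete_on = DISABLED, None

    def rename(self, key_id, alias):                 # NOTE in 3.4.1
        cmk = self.cmks[key_id]
        if cmk.is_default or cmk.status == SCHEDULED:
            raise ValueError("alias cannot be changed for Default Master Keys or keys scheduled for deletion")
        cmk.alias = alias

    def advance(self, today):
        """Move the clock; deletions whose date has arrived become permanent."""
        self.today = date.fromisoformat(today)
        for key_id in [k for k, c in self.cmks.items() if c.delete_on and c.delete_on <= self.today]:
            del self.cmks[key_id]
```

The test of usable() after advance() is the point of the model: once the scheduled date passes there is no state to return to, so anything still encrypted under that key is lost with it.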


4 SSH Key Pair

4.1 Creating a Key Pair

To ensure system security, it is recommended that you use the key pair authentication mode to authenticate the user who attempts to log in to an ECS.

You can create a key pair and use it for authentication during login to your ECS.

NOTE

If you have already created a key pair, you do not need to create another one.

You can create a key pair using either of the following methods:

l After you create a key pair, the public key is automatically stored in the system of HUAWEI CLOUD, and the private key is manually stored in a local directory. For details, see Creating a Key Pair Using the Management Console.

NOTICE

Key pairs created on the KMS console use the SSH-2 (RSA, 2048) encryption and decryption algorithm by default.

l Use PuTTYgen.exe to create a key pair. Both the public and private keys are saved by the user. For details, see Creating a Key Pair Using PuTTYgen.

NOTE

PuTTYgen is a tool for generating public and private keys. You can obtain it from https://www.putty.org/.

Prerequisites

You have obtained an account and its password for logging in to the management console.


Creating a Key Pair Using the Management Console

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 In the navigation pane on the left, click SSH Key Pair. The key pair list page is displayed.

Step 5 Click Create Key Pair.

Step 6 In the Create Key Pair dialog box, enter a name for the key pair to be created, as shown in Figure 4-1.

Figure 4-1 Creating a key pair

Step 7 If you want to have your private key managed by HUAWEI CLOUD, read and confirm I agree to have the private key managed by HUAWEI CLOUD. Select an encryption key from the KMS encryption drop-down list box. Skip this step if you do not need to have the private key managed by HUAWEI CLOUD.

NOTE

- When you enable the KMS encryption function for a key pair, KMS automatically creates a Default Master Key kps/default for the key pair.

- When selecting an encryption key, you can select an existing encryption key or click View Key List to create a new encryption key.


Figure 4-2 Managing private keys

Step 8 Select I have read and agree to the Disclaimer of the Key Pair Service.

Step 9 Click OK. The browser automatically downloads the private key. When the private key is downloaded, a dialog box is displayed.

Step 10 Save the private key as prompted by the dialog box.

NOTICE

- If the private key is not managed by HUAWEI CLOUD, the private key can be downloaded only once. Keep the private key properly.
- If you have authorized HUAWEI CLOUD to manage the private key, you can export the private key anytime as required.

Step 11 After the private key is saved, click OK. The key pair is created successfully.

After the key pair is created, you can view it in the list of key pairs. The list displays information such as key pair name, fingerprint, and quantity.

----End

Creating a Key Pair Using PuTTYgen

Step 1 Generate the public and private keys. Double-click PuTTYgen.exe. The PuTTY Key Generator page is displayed, as shown in Figure 4-3.


Figure 4-3 PuTTY Key Generator

Step 2 Configure the parameters as described in Table 4-1.

Table 4-1 Parameter description

Parameter | Description
Type of key to generate | Encryption and decryption algorithm of key pairs to be imported to the management console. Currently, only SSH-2 RSA is supported.
Number of bits in a generated key | Length of a key pair to be imported to the management console. Currently, the following length values are supported: 1024, 2048, and 4096.

Step 3 Click Generate to generate a public key and a private key.

Figure 4-4 shows a generated public key.


Figure 4-4 Obtaining the public and private keys

Step 4 Copy the information in the blue square and save it in a local .txt file.

NOTICE

Do not save the public key by clicking Save public key. Saving a public key by clicking Save public key in PuTTYgen will change the format of the public key content. Such a key cannot be imported to the management console.

Step 5 Save the private key in .ppk or .pem format.

NOTICE

For security's sake, the private key can only be downloaded once. Save it in a secure location.

- If you log in to a Linux ECS using PuTTY, save the private key in .ppk format using the following procedure:

a. On the PuTTY Key Generator page, choose File > Save private key.

b. Save the private key, for example, kp-123.ppk, to a local directory.


- If you need to use Xshell to log in to an ECS running a Linux OS, or to obtain the password to log in to an ECS running a Windows OS, save the private key in .pem format using the following procedure:

a. Choose Conversions > Export OpenSSH key.

NOTE

If you use this private key file to obtain the password for logging in to a Windows ECS, do not configure Key passphrase when you choose Export OpenSSH key. Otherwise, obtaining the password will fail.

b. Save the private key, for example, kp-123.pem, to a local directory.

Step 6 Import the public key to the management console.

----End

4.2 Importing a Key Pair

If you have a key pair on your PC (for example, a key pair generated by PuTTYgen), you can import the public key to the management console. Then, when you log in to your ECS remotely, you can use the private key for authentication. You can also manage your private keys on HUAWEI CLOUD based on your needs.

This section describes how to import a key pair through the KMS console.

Prerequisites

- You have obtained an account and its password for logging in to the management console.

- The following encryption and decryption algorithms are supported for an imported public key:

– SSH-2 (RSA, 1024)

– SSH-2 (RSA, 2048)

– SSH-2 (RSA, 4096)
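The two checks above that an import can fail on, the public key format (the PuTTYgen "Save public key" notice in 4.1) and the supported SSH-2 RSA lengths, can be verified before touching the console. The following is an added example, not code from the Huawei guide or from the KMS service: it converts the RFC 4716 format that PuTTYgen's "Save public key" writes into the one-line OpenSSH format, decodes the key blob to confirm the type is ssh-rsa and the modulus is 1024, 2048 or 4096 bits, and computes the SHA256 fingerprint that a key pair list shows. The sample keys are constructed placeholders with a modulus of the right length, not real keys.

```python
"""Check an SSH public key before importing it to the key pair console (added example)."""
import base64
import hashlib
import re
import struct

SUPPORTED_RSA_BITS = {1024, 2048, 4096}   # lengths the import page lists
RFC4716_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
RFC4716_END = "---- END SSH2 PUBLIC KEY ----"


def _read_string(blob: bytes, offset: int):
    """Read one length-prefixed field of the SSH wire format."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def rfc4716_to_openssh(text: str) -> str:
    """Return a one-line 'ssh-rsa AAAA... comment' key.

    RFC 4716 input (PuTTYgen's "Save public key") is converted; input already in
    OpenSSH form is returned unchanged. Only the Comment header is kept; header
    continuation lines are not handled (an assumption of this example).
    """
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith(RFC4716_BEGIN):
        return text.strip()
    body, comment = [], ""
    for line in lines[1:]:
        if line.startswith(RFC4716_END):
            break
        if ":" in line:                      # header line; base64 never contains ':'
            name, _, value = line.partition(":")
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
            continue
        body.append(line.strip())
    b64 = "".join(body)
    key_type = _read_string(base64.b64decode(b64), 0)[0].decode()
    return f"{key_type} {b64} {comment}".rstrip()


def inspect_public_key(line: str) -> dict:
    """Parse a one-line OpenSSH public key and report what the console checks."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", b64):
        raise ValueError("key blob is not base64")
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("type prefix does not match the encoded blob")
    bits = None
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)    # public exponent (mpint)
        n, off = _read_string(blob, off)     # modulus (mpint, may carry a 0x00 pad)
        bits = int.from_bytes(n, "big").bit_length()
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {
        "type": key_type,
        "bits": bits,
        "fingerprint": fingerprint,
        "importable": key_type == "ssh-rsa" and bits in SUPPORTED_RSA_BITS,
    }


# --- constructed sample input (placeholders, not real keys) ------------------

def _mpint(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:                      # keep the mpint positive
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def make_sample_rsa_key(bits: int, comment: str = "constructed-sample") -> str:
    """Syntactically valid ssh-rsa line with a placeholder modulus of `bits` bits."""
    modulus = (1 << (bits - 1)) | 1
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def make_rfc4716_sample(openssh_line: str) -> str:
    """Wrap a one-line key the way PuTTYgen's "Save public key" does."""
    _type, b64, *rest = openssh_line.split()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    comment = rest[0] if rest else "constructed"
    return f'{RFC4716_BEGIN}\nComment: "{comment}"\n{wrapped}\n{RFC4716_END}\n'


if __name__ == "__main__":
    for size in (1024, 2048, 3072, 4096):
        print(size, inspect_public_key(make_sample_rsa_key(size)))
    print(inspect_public_key(rfc4716_to_openssh(make_rfc4716_sample(make_sample_rsa_key(2048)))))
```

A 3072-bit key is reported as not importable even though it is a perfectly good RSA key, because the page lists only 1024, 2048 and 4096; the fingerprint is computed over the decoded blob, which is what ssh-keygen -lf does, so it can be compared with the value shown in the key pair list after import.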

Importing a Key Pair

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 In the navigation pane on the left, click SSH Key Pair. The key pair list page is displayed.

Step 5 In the upper right corner of the Key Pair page, click Import Key Pair. The Import Key Pair page is displayed, as shown in Figure 4-5.


Figure 4-5 Importing a key pair

Step 6 Click Select File to select the file that saves the public key from your local host. Alternatively, you can copy the content and paste it in the Public Key Content box.

NOTE

You can customize the name of an imported key pair.

Step 7 If you want to have your private key managed by HUAWEI CLOUD, read and confirm I agree to have the private key managed by HUAWEI CLOUD. Skip this step if you do not need to have the private key managed by HUAWEI CLOUD.


Figure 4-6 Managing private keys

1. Click Select File to select the file that saves the private key from your local host. Alternatively, you can copy the content and paste it in the Private Key Content box.

The private key to be uploaded or copied to the text box must be in the .pem format. If the file is in the .ppk format, perform the following steps to convert the .ppk file to a .pem file.

a. Double-click PuTTYgen.exe. The PuTTY Key Generator page is displayed, as shown in Figure 4-7.


Figure 4-7 PuTTY Key Generator

b. Choose Conversions > Import key to import the private key file in the .ppk format.

c. Choose Conversions > Export OpenSSH Key. The PuTTYgen Warning dialog box is displayed.

d. Click Yes to save the file in the .pem format.

2. Select an encryption key from the KMS encryption drop-down list box.

NOTE

– When you enable the KMS encryption function for a key pair, KMS automatically creates a Default Master Key kps/default for the key pair.

– When selecting an encryption key, you can select an existing encryption key or click View Key List to create a new encryption key.

Step 8 Select I have read and agree to the Disclaimer of the Key Pair Service.

Step 9 Click OK to import the key pair.

----End


4.3 Using a Private Key to Log In to the Linux ECS

Scenario

After you create or import a key pair on the KMS console, select Key Pair as the login mode when purchasing an ECS, and select the created or imported key pair.

After purchasing an ECS, you can use the private key of the key pair to log in to the ECS.

This topic describes how to log in to a Linux ECS using a private key.

Prerequisites

- You have obtained the private key file of the ECS.
- You have bound an EIP to the ECS.
- The network connection between the login tool (such as PuTTY) and the target ECS is normal.

Logging In from a Windows Computer

To log in to the Linux ECS from a Windows computer, perform the operations described in this section.

Method 1: Use PuTTY to log in to the ECS.

The following operations use PuTTY to log in to the ECS. Before logging in, you must convert the private key format.

Step 1 Check whether the private key file is in the .ppk format.

- Skip this step if the private key is in the .ppk format.
- If the private key file is in any other format, convert it to the .ppk format according to the following procedure:

a. Visit the following website and download PuTTY and PuTTYgen: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

NOTE

PuTTYgen is a private key generator, which is used to create a key pair that consists of a public key and a private key for PuTTY.

b. Run PuTTYgen.

c. In the Actions area, click Load and import the private key file that you stored when purchasing the ECS. Ensure that the private key file format is included in All files (*.*).

d. Click Save private key.

e. Save the converted private key, for example, kp-123.ppk, to a local directory.

Step 2 Double-click PuTTY.EXE. The PuTTY Configuration page is displayed.

Step 3 Choose Connection > Data. Enter the image username in Auto-login username.

Step 4 Choose Connection > SSH > Auth. In Private key file for authentication, click Browse and select the private key file converted in Step 1.


Step 5 Click Session and enter the EIP of the ECS under Host Name (or IP address).

Figure 4-8 Configuring the EIP

Step 6 Click Open to log in to the ECS.

----End

Method 2: Use Xshell to log in to the ECS.

Step 1 Start the Xshell tool.

Step 2 Run the following command to remotely log in to the ECS through SSH:

ssh Username@EIP

An example command is provided as follows:

ssh [email protected]

Step 3 (Optional) If the system displays the SSH Security Warning dialog box, click Accept & Save.

Step 4 Select Public Key and click Browse beside the CMK text box.

Step 5 In the displayed dialog box, click Import.

Step 6 Select the locally stored key file and click Open.


Step 7 Click OK to log in to the ECS.

----End

Logging In from a Linux Computer

To log in to the Linux ECS from a Linux computer, perform the operations described in this section. The following procedure uses private key file kp-123.ppk as an example to log in to the ECS. The name of your private key file may differ.

Step 1 On the Linux CLI, run the following command to change operation permissions:

chmod 600 /path/private key file name

NOTE

In the preceding command, path is the path where the key file is saved.

Step 2 Run the following command to log in to the ECS:

ssh -i /path/kp-123 root@EIP

NOTE

l In the preceding command, path is the path where the key file is saved.

l EIP is the EIP bound to the ECS.

----End
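The two things that make the login above fail in practice are a private key file that is readable by other users (OpenSSH then refuses to use it, which is why Step 1 runs chmod 600) and a private key in PuTTY's .ppk format, which OpenSSH cannot read. The following is an added example, not from the Huawei guide: a small pre-flight check that reports both conditions, applies the chmod 600 fix, and builds the ssh -i argument vector from Step 2. The key files it writes are constructed placeholders in a temporary directory, not real keys; the file names kp-123.pem and kp-123.ppk are taken from the guide's own examples.

```python
"""Pre-flight check for a private key file before 'ssh -i' uses it (added example)."""
import os
import stat
import tempfile

PPK_MARKER = "PuTTY-User-Key-File-"           # first line of a PuTTY .ppk file
PEM_MARKERS = (
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN PRIVATE KEY-----",
    "-----BEGIN OPENSSH PRIVATE KEY-----",
)


def detect_private_key_format(text: str) -> str:
    """Return 'ppk', 'pem' (PEM or native OpenSSH encoding) or 'unknown'."""
    head = text.lstrip()
    if head.startswith(PPK_MARKER):
        return "ppk"
    if head.startswith(PEM_MARKERS):
        return "pem"
    return "unknown"


def check_private_key_file(path: str) -> dict:
    """Report permission and format problems that would make ssh -i fail."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        fmt = detect_private_key_format(fh.read())
    problems = []
    if mode & 0o077:                       # group or others can read/write the key
        problems.append(f"mode {mode:04o} is readable by group/others; chmod 600 needed")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        problems.append("file is not owned by the current user")
    if fmt == "ppk":
        problems.append("PuTTY .ppk format; export an OpenSSH key from PuTTYgen first")
    elif fmt == "unknown":
        problems.append("not a recognised private key file")
    return {"mode": mode, "format": fmt, "ok": not problems, "problems": problems}


def fix_permissions(path: str) -> int:
    """Equivalent of 'chmod 600 <key file>'; returns the resulting mode."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def ssh_command(key_path: str, user: str, eip: str) -> list:
    """Argument vector for the login the guide shows: ssh -i /path/kp-123 root@EIP."""
    return ["ssh", "-i", key_path, f"{user}@{eip}"]


def demo() -> dict:
    """Write two constructed sample files to a temp dir and check them."""
    workdir = tempfile.mkdtemp(prefix="kp-demo-")
    pem = os.path.join(workdir, "kp-123.pem")
    with open(pem, "w", encoding="utf-8") as fh:    # constructed body, not a real key
        fh.write("-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-SAMPLE\n"
                 "-----END RSA PRIVATE KEY-----\n")
    os.chmod(pem, 0o644)                             # deliberately too open
    before = check_private_key_file(pem)
    fix_permissions(pem)
    after = check_private_key_file(pem)
    ppk = os.path.join(workdir, "kp-123.ppk")
    with open(ppk, "w", encoding="utf-8") as fh:    # constructed PuTTY header only
        fh.write("PuTTY-User-Key-File-2: ssh-rsa\nEncryption: none\n")
    os.chmod(ppk, 0o600)
    return {"before": before, "after": after, "ppk": check_private_key_file(ppk)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
    print(" ".join(ssh_command("/path/kp-123", "root", "EIP")))
```

Run the check on the real file before calling ssh; when it reports the .ppk format, go back to the PuTTYgen Conversions > Export OpenSSH key step in 4.1 rather than renaming the file, since the extension is not what OpenSSH looks at.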

4.4 Using a Private Key to Obtain the Login Password of a Windows ECS

Scenario

A password is required when you log in to a Windows ECS. First of all, you must obtain the administrator password (password of account Administrator or another account set in Cloudbase-Init) generated during the initial installation of the ECS from the private key file downloaded when you create the ECS. This password is randomly generated, offering high security.

You can obtain the initial password for logging in to a Windows ECS through the management console.

NOTE

- After obtaining the initial password, you are advised to clear the password information recorded in the system to increase system security.

Clearing the initial password information does not affect ECS operation or login. Once cleared, the password cannot be retrieved. Before deleting a password, you are advised to record it. For details, see the Elastic Cloud Server User Guide.

- You can also call the API to obtain the initial password of the Windows ECS. For details, see the Elastic Cloud Server API Reference.

Prerequisites

- You have obtained an account and its password for logging in to the management console.


- You have purchased a Windows ECS.

Obtaining a password

Step 1 Obtain the private key file (.pem file) used when purchasing the ECS.

Step 2 Log in to the management console.

Step 3 Choose Computing > Elastic Cloud Server.

Step 4 In the ECS list, select the ECS whose password you want to get.

Step 5 In the Operation column, click More and choose Get Password.

Step 6 Use either of the following methods to obtain the password:

- Click Select File and upload the key file from a local directory.

- Copy the key file content to the text field.

Step 7 Click Get Password to obtain a new random password.

----End

4.5 Managing Key Pairs

4.5.1 Viewing a Key Pair

This section describes how to view the key pair information, including the names, private keys, used keys, and fingerprints, on the KMS console.

Prerequisites

You have obtained an account and its password for logging in to the management console.

Procedure

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 In the navigation pane on the left, click SSH Key Pair. The key pair list page is displayed.

Step 5 In the list of key pairs, view information about key pairs. Alternatively, enter the name of the key pair you want to view in the search box in the upper right corner and click the search icon.

NOTE

The list provides the names, private keys, used keys, and fingerprints of key pairs created and imported.


Figure 4-9 Key pair list

Step 6 Click the expand icon in front of the target key pair to show the list of ECSs bound to this key pair, as shown in Figure 4-10.

Figure 4-10 ECS list

NOTE

When you purchase an ECS, choose the login method of using a key pair. Then the key pair will be bound to the ECS after the ECS is purchased.

Bind a key pair to ECSs. Parameters are described in Table 4-2.

Table 4-2 Parameter description

Parameter | Description
Task Status | Status of a key pair reset or replacement task, shown as an icon: Executing, or Execution failed
ECS Name/ID | Name and ID of an ECS
Status | Statuses of an ECS are as follows: Running, Creating, Faulty, Shut down, DELETE, HARD_REBOOT, MIGRATING, REBOOT, RESIZE, REVERT_RESIZE, SHELVED, SHELVED_OFF, LOADED, UNKNOWN, VERIFY_RESIZE
Private IP address | Private IP address of the ECS
EIP | Elastic IP address
Bound key pair | Key pair that is bound to the ECS

Step 7 You can click the failed-task icon to view failed key pair tasks, as shown in Figure 4-11.

Figure 4-11 Failed key pair tasks


NOTE

You can click Delete in the row where the target key pair is displayed to delete the failed key pair task. You can also click Delete All on top of the list to delete all failed tasks.

----End

4.5.2 Resetting a Key Pair

If your private key is lost, you can use a new key pair to reconfigure the ECS on KMS. After resetting the key pair, you need to use the private key of the new key pair to log in to the ECS, and the original private key cannot be used to log in to the ECS.

This section describes how to reset a key pair through the KMS console.

Prerequisites

- You have obtained an account and its password for logging in to the management console.
- The ECS whose key pair is to be reset uses the public image provided by HUAWEI CLOUD.
- To reset the key pair, the public key of the user is replaced by modifying the /root/.ssh/authorized_keys file on the server. Ensure that the file has not been modified before resetting the key pair. Otherwise, the reset will fail.
- The ECS must be in the Shut down state.

Resetting a Key Pair

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 In the navigation pane on the left, click SSH Key Pair. The key pair list page is displayed.

NOTE

Alternatively, you can click ECS List to view the list of ECSs. Find the desired ECS, and click Reset to reset its key pair.

Step 5 Click the expand icon in front of the target key pair to show the list of ECSs bound to this key pair, as shown in Figure 4-12.

Figure 4-12 ECS list


Step 6 Click Reset for the target ECS. The Reset Key Pair dialog box is displayed, as shown in Figure 4-13.

Figure 4-13 Resetting a key pair

Step 7 Select a new key pair from the drop-down list box of New Key Pair.

Step 8 Select the item to confirm that The server uses the default image provided by HUAWEI CLOUD and the SSH configuration has not been modified.

Step 9 Select I have read and agree to the Disclaimer of the Key Pair Management Service.

Step 10 Click OK. The ECS key pair will be reset in about 10 minutes.

----End

4.5.3 Replacing a Key Pair

If your private key is leaked, you can use a new key pair to replace the public key of the ECS on KMS. After replacing the key pair, you need to use the private key of the new key pair to log in to the ECS, and the original private key cannot be used to log in to the ECS.

This section describes how to replace a key pair through the KMS console.

Prerequisites

- You have obtained an account and its password for logging in to the management console.
- The ECS whose key pair is to be replaced uses the public image provided by HUAWEI CLOUD.


- To replace the key pair, the public key of the user is replaced by modifying the /root/.ssh/authorized_keys file on the server. Ensure that the file has not been modified before replacing the key pair. Otherwise, replacing the public key will fail.

- The ECS must be in the Running state.

Replacing a Key Pair

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 In the navigation pane on the left, click SSH Key Pair. The key pair list page is displayed.

NOTE

Alternatively, you can click ECS List to view the list of ECSs. Find the desired ECS, and click Replace to replace its key pair.

Step 5 Click the expand icon in front of the target key pair to show the list of ECSs bound to this key pair, as shown in Figure 4-14.

Figure 4-14 ECS list

Step 6 Click Replace for the target ECS. The Replace Key Pair dialog box is displayed, as shown in Figure 4-15.


Figure 4-15 Replacing a key pair

Step 7 Select a new key pair from the drop-down list box of New Key Pair.

Step 8 Click Select File to upload the private key of the key pair. Alternatively, you can copy the private key content and paste it to the text box.

The private key to be uploaded or copied to the text box must be in the .pem format. If the file is in the .ppk format, perform the following steps to convert the .ppk file to a .pem file.

1. Double-click PuTTYgen.exe. The PuTTY Key Generator page is displayed, as shown in Figure 4-16.


Figure 4-16 PuTTY Key Generator

2. Choose Conversions > Import key to import the private key file in the .ppk format.

3. Choose Conversions > Export OpenSSH Key. The PuTTYgen Warning dialog box is displayed.

4. Click Yes to save the file in the .pem format.

Step 9 Select the item to confirm that The server uses the default image provided by HUAWEICLOUD and the SSH configuration has not been modified.

Step 10 Select I have read and agree to the Disclaimer of the Key Pair Management Service.

Step 11 Click OK. The ECS key pair will be replaced in about one minute.

----End
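Both the reset (4.5.2) and replace (4.5.3) operations come down to swapping the user's public key in /root/.ssh/authorized_keys, and both fail if the file was modified beforehand. The following is an added example, not the KMS service's own code, showing that edit done safely: it matches the entry by key type and blob, keeps any options prefix (such as from="...") on that line, leaves every other entry and comment untouched, and raises instead of writing when the expected old key is absent, so a rotation after a leaked key can never produce a file that contains neither key. The authorized_keys content and key blobs are constructed placeholders.

```python
"""Replace one public key in authorized_keys without touching the others (added example)."""
import os
import tempfile

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-")


def split_key_line(line: str):
    """Return (options, key_type, blob, comment), or None for comments and blank lines."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPES) and i + 1 < len(tokens):
            # Options before the type (from="...", command="...") are kept verbatim;
            # a quoted option that itself contains a key-type token is not handled.
            return " ".join(tokens[:i]), tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None


def replace_public_key(text: str, old_key: str, new_key: str) -> str:
    """Swap the entry matching old_key's type and blob for new_key, keeping its options.

    Raises LookupError when old_key is absent (the file was modified), so the
    caller never ends up with a file that contains neither key.
    """
    old, new = split_key_line(old_key), split_key_line(new_key)
    if old is None or new is None:
        raise ValueError("old_key and new_key must be OpenSSH public key lines")
    out, replaced = [], 0
    for line in text.splitlines():
        parsed = split_key_line(line)
        if parsed and parsed[1:3] == old[1:3]:
            options, comment = parsed[0], new[3] or parsed[3]
            out.append(" ".join(t for t in (options, new[1], new[2], comment) if t))
            replaced += 1
        else:
            out.append(line)
    if replaced == 0:
        raise LookupError("expected public key not found; authorized_keys was modified")
    return "\n".join(out) + "\n"


def replace_in_file(path: str, old_key: str, new_key: str) -> str:
    """Apply replace_public_key to a file: keep a .bak copy, write atomically, mode 600."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated = replace_public_key(original, old_key, new_key)   # raises before any write
    with open(path + ".bak", "w", encoding="utf-8") as fh:
        fh.write(original)
    os.chmod(path + ".bak", 0o600)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".authorized_keys.")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(updated)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)      # atomic rename: sshd sees the old or the new file, never half
    return updated


# Constructed sample (the blobs are placeholders, not real keys).
SAMPLE = (
    "# constructed authorized_keys sample\n"
    "ssh-rsa AAAAB3OLDKEY== kp-123\n"
    'from="10.0.0.0/8" ssh-rsa AAAAB3OTHER== ops-admin\n'
)
OLD = "ssh-rsa AAAAB3OLDKEY== kp-123"
NEW = "ssh-rsa AAAAB3NEWKEY== kp-456"

if __name__ == "__main__":
    print(replace_public_key(SAMPLE, OLD, NEW))
```

Keep the existing SSH session open while rotating and verify a fresh login with the new private key before closing it; the .bak copy is there for exactly the case where that verification fails.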

4.5.4 Binding a Key Pair

If you set the login mode to Password when purchasing an ECS that runs a Linux OS, you can bind a key pair to the ECS on the KMS console. KMS will configure the key pair for the ECS, and then the ECS login mode will be changed to Key Pair. After the key pair is bound, you can use the private key to log in to the ECS.

This section describes how to bind a key pair to an ECS through the KMS console.


NOTICE

On the KMS management console, key pairs cannot be bound to ECSs that run the Windows OS.

Prerequisites

- You have obtained an account and its password for logging in to the management console.
- The ECS must be in the Running or Shut down state.

Binding a Key Pair

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 In the navigation pane on the left, click Key Pair. The key pair list page is displayed.

NOTE

You can also find the ECS corresponding to the key pair on the key pair list page and click Bind in the row where the ECS resides to bind the key pair.

Step 5 Click ECS List to view ECSs, as shown in Figure 4-17.

Figure 4-17 ECS list

Step 6 Click Bind in the row where the target ECS is located. The Bind Key Pair dialog box is displayed.

- If the ECS is shut down, a dialog box is displayed, as shown in Figure 4-18.


Figure 4-18 Binding a key pair (1)

- If the ECS is running, you need to provide the root password, as shown in Figure 4-19.

Figure 4-19 Binding a key pair (2)


NOTE

– If you have the root password of the ECS, you can directly enter the password to bind the key pair to the ECS.

– If you do not have the root password of the ECS, you can shut down the ECS and bind the key pair when the ECS is in the shut-down state.

Step 7 Select a new key pair from the drop-down list box of New Key Pair.

Step 8 You can choose whether to disable the password login mode as necessary. By default, the password login mode is disabled.

NOTE

- If you do not disable the password login mode, you can use either the password or the key pair to log in to the ECS.

- If the password login mode is disabled, you can use only the key pair to log in to the ECS. You can enable the password login mode again if you later need to use the password to log in to the ECS. The procedure is as follows:

1. Log in to the ECS.

2. Run the following command to open the /etc/ssh/sshd_config file:

vi /etc/ssh/sshd_config

3. Press i to enter the editing mode and change the value of PasswordAuthentication to yes.

PasswordAuthentication yes

4. Press Esc to exit the editing mode.

5. Enter :wq and press Enter to save and exit.

6. Run the following command to restart the SSH service for the configuration to take effect:

systemctl restart sshd
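The manual vi edit in steps 2 to 5 is easy to get wrong: a default sshd_config usually carries the directive commented out (#PasswordAuthentication yes), and a PasswordAuthentication line inside a Match block is conditional and must not be mistaken for the global setting. The following is an added example, not from the Huawei guide or the KMS service, that makes the same change (and its opposite, disabling password login after a key pair is bound) as one idempotent function, with a reader that returns the value sshd would actually use. The sshd_config excerpt is constructed.

```python
"""Set a global sshd_config directive safely (added example)."""
import re


def set_sshd_option(config_text: str, keyword: str, value: str) -> str:
    """Return config_text with the global `keyword` set to `value`.

    - An existing active line is rewritten; commented copies such as
      '#PasswordAuthentication yes' are dropped so they cannot mislead a reader.
    - Only the global section (before the first Match block) is changed, because
      sshd uses the first value it finds and Match lines are conditional.
    - A missing directive is inserted before the first Match block, or appended.
    """
    directive = re.compile(rf"^\s*#?\s*{re.escape(keyword)}\s+\S+\s*$", re.IGNORECASE)
    match_block = re.compile(r"^\s*Match\b", re.IGNORECASE)
    out, done, in_match = [], False, False
    for line in config_text.splitlines():
        if match_block.match(line):
            if not done:                       # global section ends here: insert now
                out.append(f"{keyword} {value}")
                done = True
            in_match = True
        if not in_match and directive.match(line):
            if not done:
                out.append(f"{keyword} {value}")
                done = True
            continue                           # drop duplicate or commented copies
        out.append(line)
    if not done:
        out.append(f"{keyword} {value}")
    return "\n".join(out) + "\n"


def effective_option(config_text: str, keyword: str):
    """Value sshd uses globally: the first active line before any Match block, else None."""
    active = re.compile(rf"^\s*{re.escape(keyword)}\s+(\S+)", re.IGNORECASE)
    for line in config_text.splitlines():
        if re.match(r"^\s*Match\b", line, re.IGNORECASE):
            break
        found = active.match(line)
        if found:
            return found.group(1)
    return None


def update_sshd_config(path: str, keyword: str, value: str) -> str:
    """Rewrite the file in place, keeping a .bak copy of the previous content."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    new_text = set_sshd_option(text, keyword, value)
    with open(path + ".bak", "w", encoding="utf-8") as fh:
        fh.write(text)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    return new_text


# Constructed sample resembling a default sshd_config excerpt.
SAMPLE = (
    "Port 22\n"
    "#PasswordAuthentication yes\n"
    "ChallengeResponseAuthentication no\n"
    "Match User backup\n"
    "    PasswordAuthentication yes\n"
)

if __name__ == "__main__":
    print(set_sshd_option(SAMPLE, "PasswordAuthentication", "yes"))   # the guide's step
    print(set_sshd_option(SAMPLE, "PasswordAuthentication", "no"))    # harden after binding
```

After update_sshd_config has written the file, run sshd -t to have sshd validate the configuration before the systemctl restart sshd in step 6; a syntax error caught there costs nothing, while one caught by the restart can leave the ECS without SSH access.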

Step 9 Select the item to confirm that The server uses the default image provided by HUAWEI CLOUD and the SSH configuration has not been modified.

Step 10 Select I have read and agree to the Disclaimer of the Key Pair Management Service.

Step 11 Click OK to complete the operation.

- If the ECS is not shut down, use the root password to bind the key pair. It takes about 30 seconds to complete.
- If the ECS is shut down, the binding operation may take about five minutes.

----End

4.5.5 Unbinding a Key Pair

If you want to change the ECS login mode from key pair to password, you can unbind the key pair from the ECS on the KMS console. Then the Key Pair service on the KMS console will unbind the key pair. After the key pair is unbound, you can use the password to log in to the ECS.


NOTICE

- If you have not set the password for logging in to the ECS or forget the login password, you can reset the login password of the ECS on the ECS console. For details, see the Elastic Cloud Server User Guide.
- If you want to change the ECS login mode to key pair again, you need to shut down the ECS and bind the key pair again.

Prerequisites

- You have obtained an account and its password for logging in to the management console.
- The ECS has been bound to a key pair.

Unbinding a Key Pair

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 In the navigation pane on the left, click Key Pair. The key pair list page is displayed.

NOTE

You can also find the ECS corresponding to the key pair on the key pair list page and click Unbind in the row where the ECS resides to unbind the key pair.

Step 5 Click ECS List to view ECSs, as shown in Figure 4-20.

Figure 4-20 ECS list

Step 6 Click Unbind for the target ECS. The Unbind Key Pair dialog box is displayed.

- If the ECS is shut down, a dialog box is displayed, as shown in Figure 4-21.


Figure 4-21 Unbinding a key pair (1)

- If the ECS is running, a dialog box is displayed, as shown in Figure 4-22.

Figure 4-22 Unbinding a key pair (2)

Step 7 If you unbind the key pair when the ECS is in the running state, you need to upload the private key. Click Select File to upload the private key of the key pair. Alternatively, you can copy the private key content and paste it to the text box. If the ECS is shut down, skip this step.


The private key to be uploaded or copied to the text box must be in the .pem format. If the file is in the .ppk format, perform the following steps to convert the .ppk file to a .pem file.

1. Double-click PuTTYgen.exe. The PuTTY Key Generator page is displayed, as shown in Figure 4-23.

Figure 4-23 PuTTY Key Generator

2. Choose Conversions > Import key to import the private key file in the .ppk format.

3. Choose Conversions > Export OpenSSH Key. The PuTTYgen Warning dialog box is displayed.

4. Click Yes to save the file in the .pem format.

Step 8 Select the item to confirm that The server uses the default image provided by HUAWEI CLOUD and the SSH configuration has not been modified.

Step 9 Select I have read and agree to the Disclaimer of the Key Pair Management Service.

Step 10 Click OK. The key pair will be unbound from the ECS in about one minute.

NOTE

After the key pair is unbound from the ECS, reset the login password on the ECS console in time. For details, see the Elastic Cloud Server User Guide.

----End


4.5.6 Deleting a Key Pair

You can delete a key pair if it is no longer used.

This section describes how to delete a key pair on the KMS console.

NOTE

- A deleted key cannot be recovered. Therefore, think twice before performing this operation.

- If you delete the public key configured on the KMS console and the private key has been saved locally, you can still use the private key to log in to the ECS. The deletion operation does not affect the ECS login. After the public key is deleted, the deleted key pair cannot be used to reset or replace the key pair of the ECS.

Prerequisites

You have obtained an account and its password for logging in to the management console.

Deleting a Key Pair

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 In the navigation pane on the left, click SSH Key Pair. The key pair list page is displayed.

Step 5 In the row containing the desired key pair, click Delete.

Step 6 In the Delete Key Pair dialog box that is displayed, click OK. When Key pair deleted successfully is displayed in the upper right corner, the key pair is deleted.

----End

4.6 Managing Private Keys

4.6.1 Importing a Private Key

To facilitate local private key management, you can import the private key to the KMS console for centralized management of your private keys. The managed private key is encrypted by the key provided by KMS, ensuring security for storage, import, and export of the private key. You can download the private key from the KMS console multiple times. To ensure the security of the private key, keep the downloaded private key properly.

This section describes how to import a private key through the KMS console.

Prerequisites

You have obtained an account and its password for logging in to the management console.


Importing a Private Key

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 In the navigation pane on the left, click SSH Key Pair. The key pair list page is displayed.

Step 5 Click Import Private Key in the row where the target public key is located to import the private key.

Step 6 In the Import Private Key dialog box, enter the name of the private key to be imported, as shown in Figure 4-24.

Figure 4-24 Importing a private key

Step 7 Click Select File to select the file that saves the private key from your local host. Alternatively, you can copy the content and paste it in the Private Key Content box.

NOTE

Only the private key that matches the public key can be imported to a public key.


The private key to be uploaded or copied to the text box must be in the .pem format. If the file is in the .ppk format, perform the following steps to convert the .ppk file to a .pem file.

1. Double-click PuTTYgen.exe. The PuTTY Key Generator page is displayed, as shownin Figure 4-25.

Figure 4-25 PuTTY Key Generator

2. Choose Conversions > Import key to import the private key file in the .ppk format.3. Choose Conversions > Export OpenSSH Key, the PuTTYgen Warning dialog box is

displayed.4. Click Yes to save the file in the .pem format.

Step 8 Select an encryption key from the KMS encryption drop-down list box.

NOTE

l When you enable the KMS encryption function for a key pair, KMS automatically creates a Default Master Key kps/default for the key pair.

l When selecting an encryption key, you can select an existing encryption key or click View Key List to create a new encryption key.

Step 9 Select I have read and agree to the Disclaimer of the Key Pair Service.

Step 10 Click OK to complete the import.

----End


4.6.2 Exporting a Private Key

If you have the private key managed by HUAWEI CLOUD on the KMS console, you can download the private key multiple times. To ensure the security of the private key, keep the downloaded private key properly.

Prerequisites

l You have obtained an account and its password for logging in to the management console.

l The private key has been managed on the KMS console.

Exporting a Private Key

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 In the navigation pane on the left, click SSH Key Pair. The key pair list page is displayed.

Step 5 Click Export Private Key in the row where the target key pair resides. The Export Private Key dialog box is displayed, as shown in Figure 4-26.

Figure 4-26 Exporting a private key

Step 6 Select I have read and agree to the Disclaimer of the Key Pair Service.

Step 7 Click OK. The browser automatically downloads the private key.


NOTICE

When exporting a private key, you need to use the encryption key that encrypts the private key to decrypt the private key. If the encryption key has been completely deleted, exporting the private key will fail.

----End

4.6.3 Clearing a Private Key

If you no longer need to have the private key managed by HUAWEI CLOUD on the KMS console, you can clear the managed private key.

Prerequisites

l You have obtained an account and its password for logging in to the management console.

l The private key has been managed on the KMS console.

Clearing a Private Key

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 In the navigation pane on the left, click SSH Key Pair. The key pair list page is displayed.

Step 5 Click Clear Private Key in the row where the target public key is located to clear the private key.

Step 6 In the displayed Clear Private Key dialog box, click OK to clear the private key.

NOTE

After the private key is cleared, you cannot obtain the private key from HUAWEI CLOUD. Exercise caution when performing this operation. If you need to have the private key managed again, you can import the private key to the KMS console.

----End


5 Dedicated HSM

5.1 Viewing Dedicated HSM Instances

This section describes how to view information about purchased Dedicated HSM instances, including the instance name, status, device vendor, device model, IP address, and expiration time, on the management console.

Prerequisites

You have obtained an account and its password for logging in to the management console.

Procedure

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 In the navigation pane on the left, choose Dedicated HSM. The Dedicated HSM Instance List page is displayed.

Step 5 In the HSM instance list, view the information about the HSM instances, as shown in Figure 5-1.

Figure 5-1 Dedicated HSM instance list


NOTE

You can select a device vendor or device model from the Name drop-down list box, enter the device vendor or device model, and click to search for the specified instance.

Table 5-1 describes the parameters in the HSM instance list.

Table 5-1 HSM instance parameters

Parameter Description

Name: Name of a Dedicated HSM instance.

Status: Status of the purchased Dedicated HSM instance. The possible values are as follows:
l Reviewing: Once an order for purchasing an HSM instance is submitted for review, the HSM instance is in the Reviewing state.
l Review failed: A HUAWEI CLOUD security expert will confirm the requirements with the customer. If the HSM instance to be purchased does not meet the customer's service requirements, the review fails.
l Pending payment: Once the review is approved, the status of the HSM instance changes to Pending payment and you need to pay for the HSM instance.
l Creating: Once the purchase order is paid, the system allocates an HSM instance to you. The status of the HSM instance then changes to Creating.
l Running: Once the HSM instance is allocated successfully, the status of the HSM instance changes to Running.

Device Vendor: Name of the device vendor.

Device Model: Model of the device.

IP Address: IP address.

Expiration Time: Expiration time of the purchased HSM instance.

----End

5.2 Using Dedicated HSM Instances

After obtaining a Dedicated HSM instance (instance for short), you need to initialize it. Before initializing the instance, you need to obtain the following items:


Table 5-2 Items required for initializing an instance

Name Description Source

UKey: Stores the permission management information about the instance.
Source: After the order is paid, HUAWEI CLOUD will send the UKey to the recipient address provided by you.

UKey driver: Windows driver used to identify the UKey.
Source: A HUAWEI CLOUD security expert will contact you and provide you with the software package link for downloading the driver.

Dedicated HSM management tool: Works with the UKey to remotely manage instances.

Security agent software: Establishes a secure connection with the instance.

SDK: Provides APIs for Dedicated HSM. You can use the SDK to establish secure connections with instances.

HUAWEI CLOUD ECS instance running Windows OS: Runs the Dedicated HSM management tool, and allocates the elastic IP address (EIP) for remote connection. The HSM instance and the ECS instance must be in the same VPC group.

HUAWEI CLOUD ECS instance running Linux OS: Runs the security agent software and your service applications. The ECS instance and the HSM instance must be in the same VPC group.

Initializing a Dedicated HSM Instance

Step 1 Install the UKey driver on your local Windows PC.

Step 2 Remotely connect to the HUAWEI CLOUD Windows ECS instance.

1. Run the mstsc remote connection tool on your local Windows PC and use the EIP of the Windows ECS instance on the HUAWEI CLOUD to remotely connect to the ECS instance.

2. Insert the UKey into the USB port of your local PC and remotely map the local UKey port to the Windows ECS instance.

Step 3 Manage Dedicated HSM instances using the Dedicated HSM management tool.

1. Run the management tool on the HUAWEI CLOUD Windows ECS instance.


2. Connect to the VPC subnet IP address of the HSM instance, use the UKey to initialize the HSM, and generate, back up, and restore keys.

----End

Configuring Security Agent Software

Step 1 Use the Dedicated HSM management tool to connect to the HSM instance, and issue the license file to the security agent on the HUAWEI CLOUD Linux ECS instance.

Step 2 Run the security agent software on the Linux ECS instance, import the license file to the security agent software, and establish a secure connection with the HSM instance.

----End

Calling APIs

The application program establishes a connection with the security agent software through the APIs provided by the SDK, and thus uses the HSM instance through the security agent software.


6 FAQs

6.1 About Concepts

6.1.1 What Is Key Management Service?

Key Management Service (KMS) is a secure, reliable, and easy-to-use service that helps users centrally manage and safeguard their Customer Master Keys (CMKs) and SSH key pairs.

In addition, you can purchase the Dedicated Hardware Security Module (HSM) service provided by KMS. Dedicated HSM provides the capabilities for encryption, decryption, signature, signature verification, generation of keys, and secure storage of keys.

KMS uses hardware security modules (HSMs) to protect CMKs. HSMs help you create and control CMKs with ease. All CMKs are protected by root keys in HSMs to avoid leakage. KMS implements access control and log-based tracking on all operations on CMKs. With records of use of all CMKs, it meets your audit and regulatory compliance requirements.

6.1.2 What Is a Customer Master Key?

A Customer Master Key (CMK) is a Key Encryption Key (KEK) created by a user with KMS. It is used to encrypt and protect Data Encryption Keys (DEKs). One CMK can be used to encrypt one or multiple DEKs.

6.1.3 What Is a Default Master Key?

A Default Master Key is automatically created by another cloud service using KMS, such as Object Storage Service (OBS). The alias of a Default Master Key ends with /default.

You can use the management console to query but cannot disable or schedule the deletion of Default Master Keys.

Table 6-1 Default Master Keys

Alias Cloud Service

obs/default OBS


evs/default Elastic Volume Service (EVS)

ims/default Image Management Service (IMS)

NOTE

A Default Master Key is automatically created when a user employs the KMS encryption function for the first time in another cloud service.

6.1.4 What Are the Differences Between a CMK and a Default Master Key?

Table 6-2 illustrates the differences between a CMK and a default master key.

Table 6-2 Differences between a CMK and a Default Master Key

Item Description Difference

CMK: A CMK is a Key Encryption Key (KEK) created using KMS. A CMK encrypts and protects DEKs. A CMK can encrypt multiple DEKs.
Difference: Can be disabled and scheduled for deletion.

Default Master Key: A Default Master Key is automatically generated by the system when you use KMS to encrypt data in another cloud service for the first time. The suffix of a Default Master Key is /default. Example: evs/default
Difference:
l Can be viewed on the KMS console.
l Cannot be disabled or scheduled for deletion.

6.1.5 What Is a Data Encryption Key?

A data encryption key (DEK) is used to encrypt data.

6.2 About Functions

6.2.1 Why Cannot I Delete a CMK Immediately?

The decision to delete a CMK should be considered with great caution. Before deletion, confirm that all data encrypted with the CMK has been migrated. As soon as the CMK is deleted, you will not be able to decrypt data with it. Therefore, KMS offers a user-specified period of 7 to 1096 days for the deletion to finally take effect. On the scheduled day of deletion, the CMK will be permanently deleted. However, prior to the scheduled day, you can still cancel the pending deletion. This is a means of precaution within KMS.

6.2.2 Which Cloud Services Can Use KMS for Encryption?

Object Storage Service (OBS), Elastic Volume Service (EVS), and Image Management Service (IMS) use KMS to implement encryption features.

6.2.3 What Functions Does KMS Provide?

l CMK management
Using the KMS console or APIs, you can perform the following operations on CMKs:
– Creating, querying, enabling, disabling, scheduling the deletion of, and canceling the deletion of CMKs
– Modifying the aliases and description of CMKs
– Encrypting and decrypting small volumes of data
– Adding, searching for, editing, and deleting tags

l SSH key pair management
Using the KMS console or APIs, you can perform the following operations on key pairs:
– Creating, importing, viewing, and deleting key pairs
– Resetting, replacing, binding, and unbinding key pairs
– Managing, importing, exporting, and clearing private keys

l Managing Dedicated HSM instances
You can buy Dedicated HSM instances and view the information about purchased instances on the Dedicated HSM page on the KMS console.

l Creating, encrypting, and decrypting DEKs; creating, revoking, querying, and retiring a grant for a CMK; importing and deleting key materials; enabling, modifying, and disabling the CMK rotation interval
You can use the KMS APIs to perform the following operations:
– Creating, encrypting, or decrypting data encryption keys (DEKs)
– Creating, canceling, querying, and retiring authorized grants
– Obtaining parameters for importing keys, importing key materials, and deleting key materials
– Enabling or disabling the key rotation function and modifying the key rotation interval
For details, see the Key Management Service API Reference.

l Generating hardware true random numbers
You can generate 512-bit random numbers using the KMS API. The 512-bit hardware true random numbers can be used as key materials and encryption parameters, or serve as the basis for them. For details, see the Data Encryption Workshop API Reference.

6.2.4 How Do Cloud Services on HUAWEI CLOUD Use Data Encrypted by KMS?

Services (OBS, IMS, and EVS) on HUAWEI CLOUD use the envelope encryption method provided by KMS to protect data.


NOTE

Envelope encryption is an encryption method that enables DEKs to be stored, transmitted, and used in "envelopes" of CMKs. As a result, CMKs do not directly encrypt and decrypt data.

l When users encrypt data on HUAWEI CLOUD, they need to specify a CMK in KMS. HUAWEI CLOUD generates a DEK (in plaintext). Then the CMK encrypts the DEK and generates the ciphertext of the DEK. HUAWEI CLOUD uses the plaintext DEK to encrypt data. Encrypted data and the ciphertext DEK are saved together in the service.

l When users download the data from HUAWEI CLOUD, the service uses the same CMK to decrypt the ciphertext DEK, uses the decrypted DEK to decrypt data, and provides the decrypted data for users to download.

6.2.5 What Are the Benefits of Envelope Encryption?

The advantages of envelope encryption over direct encryption are as follows:

A CMK can directly encrypt and decrypt data of up to 4 KB, whereas envelope encryption is used to encrypt and decrypt large volumes of data. In envelope encryption and decryption, only DEKs are transferred to the KMS server.
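The envelope flow of 6.2.4 and 6.2.5 as an added Go example (not code from the guide or from the KMS service): a map standing in for KMS holds the 256-bit CMKs, only the DEK is wrapped by the CMK, the bulk data is encrypted locally with the plaintext DEK, and once the CMK alias has been removed (permanent deletion, 6.2.9) the stored object can no longer be decrypted. The KMS map, the aliases, AES-256-GCM as the cipher, and binding the CMK alias to the wrapped DEK as associated data are assumptions of this example, not the service's API.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KMS stands in for the key service: CMK alias -> 256-bit key material (FAQ 6.2.7)
// that never leaves this side. Constructed for this example, not the service's API.
type KMS map[string][]byte

// Envelope is what the storage service keeps for one object (ciphertext, wrapped DEK, CMK alias).
type Envelope struct {
	CMKAlias   string
	WrappedDEK []byte
	Ciphertext []byte
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with AES-256-GCM; output is nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails on any tampering with the blob or the aad.
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Encrypt follows FAQ 6.2.4: generate a DEK, have the CMK wrap it (the only material
// sent to KMS), encrypt the data locally with the plaintext DEK, then drop the plaintext DEK.
func Encrypt(kms KMS, cmkAlias string, plaintext []byte) (*Envelope, error) {
	cmk, ok := kms[cmkAlias]
	if !ok {
		return nil, fmt.Errorf("CMK %q not found", cmkAlias)
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	wrapped, err := seal(cmk, dek, []byte(cmkAlias)) // alias bound as AAD
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, nil) // bulk data never goes to KMS
	if err != nil {
		return nil, err
	}
	return &Envelope{CMKAlias: cmkAlias, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt reverses Encrypt; once the CMK is permanently deleted (FAQ 6.2.9) the
// DEK can no longer be unwrapped and the object is unrecoverable.
func Decrypt(kms KMS, env *Envelope) ([]byte, error) {
	cmk, ok := kms[env.CMKAlias]
	if !ok {
		return nil, fmt.Errorf("CMK %q deleted: DEK cannot be unwrapped", env.CMKAlias)
	}
	dek, err := open(cmk, env.WrappedDEK, []byte(env.CMKAlias))
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, nil)
}

func main() {
	cmk := make([]byte, 32)
	_, _ = rand.Read(cmk) // constructed demo CMK; in KMS it lives in an HSM
	kms := KMS{"obs/default": cmk}
	env, _ := Encrypt(kms, "obs/default", []byte("constructed sample object"))
	pt, err := Decrypt(kms, env)
	fmt.Println(string(pt), err)
	delete(kms, "obs/default") // scheduled deletion has taken effect
	_, err = Decrypt(kms, env)
	fmt.Println(err)
}
```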

6.2.6 Is There a Limit on the Number of CMKs That I Can Create on KMS?

Yes. You can create a maximum of 100 CMKs, including CMKs in Enabled, Disabled, and Scheduled Deletion statuses. However, Default Master Keys are not included.

To create more CMKs, go to the console and choose Console > View Quota > Increase Quota to increase your quota.

6.2.7 What Is the Length of a CMK?

The length of a CMK is 256 bits.

6.2.8 Can I Export a CMK from KMS?

No.

To ensure CMK security, users can only create and use CMKs in KMS.

6.2.9 Can I Decrypt My Data Back if I Permanently Delete My CMK?

No.

If you have permanently deleted your CMK, the data encrypted using it cannot be decrypted. If the scheduled deletion date of the CMK has not arrived, you can cancel its scheduled deletion.

6.2.10 How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data?

You can use the online tool to encrypt or decrypt data in the following procedures:


Encrypting Data

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 Click the alias of the desired CMK to view its details, and go to the online tool for data encryption and decryption.

Step 5 Click Encrypt. In the text box on the left, enter the data to be encrypted, as shown in Figure 6-1.

Figure 6-1 Encrypting data

Step 6 Click Execute. Ciphertext of the data is displayed in the text box on the right.

NOTE

l Use the current CMK to encrypt the data.

l You can click Clear to clear the entered data.

l You can click Copy to Clipboard to copy the ciphertext and save it in a local file.

----End

Decrypting Data

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 You can click any CMK in Enabled status to go to the encryption and decryption page of the online tool.

Step 5 Click Decrypt. In the text box on the left, enter the data to be decrypted, as shown in Figure 6-2.


NOTE

l The tool will identify the original encryption CMK and use it to decrypt the data.

l However, if the CMK has been deleted, the decryption fails.

Figure 6-2 Decrypting data

Step 6 Click Execute. Plaintext of the data is displayed in the text box on the right.

NOTE

You can click Copy to Clipboard to copy the plaintext and save it in a local file.

----End

6.2.11 Can I Update CMKs Created by KMS-Generated Key Materials?

No.

Keys created using KMS-generated materials cannot be updated. You can only use KMS to create new CMKs to encrypt and decrypt data.

6.2.12 How Do I Create a Key Pair?

Creating a Key Pair Using the Management Console

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 In the navigation pane on the left, click SSH Key Pair. The key pair list page is displayed.

Step 5 Click Create Key Pair.

Step 6 In the Create Key Pair dialog box, enter a name for the key pair to be created, as shown in Figure 6-3.


Figure 6-3 Creating a key pair

Step 7 If you want to have your private key managed by HUAWEI CLOUD, read and confirm I agree to have the private key managed by HUAWEI CLOUD. Select an encryption key from the KMS encryption drop-down list box. Skip this step if you do not need to have the private key managed by HUAWEI CLOUD.

NOTE

l When you enable the KMS encryption function for a key pair, KMS automatically creates a Default Master Key kps/default for the key pair.

l When selecting an encryption key, you can select an existing encryption key or click View Key List to create a new encryption key.

Figure 6-4 Managing private keys

Step 8 Select I have read and agree to the Disclaimer of the Key Pair Service.

Step 9 Click OK. The browser automatically downloads the private key. When the private key is downloaded, a dialog box is displayed.

Step 10 Save the private key as prompted by the dialog box.


NOTICE

l If the private key is not managed by HUAWEI CLOUD, the private key can be downloaded only once. Keep the private key properly.

l If you have authorized HUAWEI CLOUD to manage the private key, you can export the private key anytime as required.

Step 11 After the private key is saved, click OK. The key pair is created successfully.

After the key pair is created, you can view it in the list of key pairs. The list displays information such as key pair name, fingerprint, and quantity.

----End

Creating a Key Pair Using PuTTYgen

Step 1 Generate the public and private keys. Double-click PuTTYgen.exe. The PuTTY Key Generator page is displayed, as shown in Figure 6-5.

Figure 6-5 PuTTY Key Generator

Step 2 Configure the parameters as described in Table 6-3.


Table 6-3 Parameter description

Parameter Description

Type of key to generate: Encryption and decryption algorithm of key pairs to be imported to the management console. Currently, only SSH-2 RSA is supported.

Number of bits in a generated key: Length of a key pair to be imported to the management console. Currently, the following length values are supported: 1024, 2048, and 4096.

Step 3 Click Generate to generate a public key and a private key.

Figure 6-6 shows a generated public key.

Figure 6-6 Obtaining the public and private keys

Step 4 Copy the information in the blue square and save it in a local .txt file.


NOTICE

Do not save the public key by clicking Save public key. Saving a public key by clicking Save public key of PuTTYgen will change the format of the public key content. Such a key cannot be imported to the management console.

Step 5 Save the private key in .ppk or .pem format.

NOTICE

For security's sake, the private key can only be downloaded once. Save it in a secure location.

l If you log in to a Linux ECS using PuTTY, save the private key in .ppk format in the following procedure:

a. On the PuTTY Key Generator page, choose File > Save private key.

b. Save the private key, for example, kp-123.ppk, to a local directory.

l If you need to use Xshell to log in to an ECS running a Linux OS or obtain the password to log in to an ECS running a Windows OS, save the private key in .pem format in the following procedure:

a. Choose Conversions > Export OpenSSH key.

NOTE

If you use this private key file to obtain the password for logging in to a Windows ECS, when you choose Export OpenSSH key, do not configure Key passphrase. Otherwise, obtaining the password will fail.

b. Save the private key, for example, kp-123.pem, to a local directory.

Step 6 Import the public key to the management console.

----End

6.2.13 How Do I Handle an Import Failure of a Key Pair Created Using PuTTYgen?

Symptom

When a key pair created using PuTTYgen.exe was imported to the management console, the system displayed a message indicating that importing the public key failed.

Possible Causes

The format of the public key content does not meet system requirements.

Storing a public key by clicking Save public key will change the format of the public key content. Importing such a public key will fail because the key does not pass the format verification by the system.


Procedure

Use the locally stored private key and PuTTY Key Generator to restore the format of the public key content. Then, import the public key to the management console.

Step 1 Double-click PuTTYgen.exe. The PuTTY Key Generator page is displayed, as shown in Figure 6-7.

Figure 6-7 PuTTY Key Generator

Step 2 Click Load and select the private key.

The system automatically loads the private key and restores the format of the public key content in PuTTY Key Generator. The content in the red box in Figure 6-8 is the public key with the format meeting system requirements.


Figure 6-8 Restoring the format of the public key content

Step 3 Copy the information in the blue square and save it in a local .txt file.

NOTICE

Do not save the public key by clicking Save public key. Saving a public key by clicking Save public key of PuTTYgen will change the format of the public key content. Such a key cannot be imported to the management console.

Step 4 Import the public key to the management console.

1. Log in to the management console.

2. Choose Security > Key Management Service.

3. In the navigation tree, click Key Pair.

4. On the Key Pair page, click Import Key Pair.

5. Copy the public key content in the .txt file to Public Key Content and click OK. Alternatively, click Select File and import the public key in the .txt file to the management console.

----End
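The format change behind 6.2.13, as an added Go example (not code from the guide or from PuTTY): Save public key in PuTTYgen writes the multi-line "SSH2 PUBLIC KEY" file format (RFC 4716), whereas the blue box in the PuTTYgen window shows the one-line "ssh-rsa AAAA... comment" form the console imports. The converter below parses the saved file, checks that the key is SSH-2 RSA with a length from Table 6-3 (1024, 2048 or 4096 bits), and emits the one-line form; the sample key it builds (modulus 2^(bits-1)+1, exponent 65537) is constructed for the demonstration and is not a real key.

```go
package main
import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"math/big"
	"strings"
)

// ParseRFC4716 reads a "---- BEGIN SSH2 PUBLIC KEY ----" file, the format that
// PuTTYgen's Save public key writes, and returns the key blob and its Comment.
func ParseRFC4716(text string) (blob []byte, comment string, err error) {
	var body strings.Builder
	inBody := false
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case strings.HasPrefix(line, "---- BEGIN SSH2 PUBLIC KEY"):
			inBody = true
		case strings.HasPrefix(line, "---- END SSH2 PUBLIC KEY"):
			inBody = false
		case !inBody || line == "":
		case strings.Contains(line, ": "): // header line; base64 never contains ':' or ' '
			if k, v, _ := strings.Cut(line, ": "); k == "Comment" {
				comment = strings.Trim(v, `"`)
			}
		default:
			body.WriteString(line)
		}
	}
	blob, err = base64.StdEncoding.DecodeString(body.String())
	return blob, comment, err
}

// readString pops one length-prefixed field of the SSH wire format from b.
func readString(b []byte) (field, rest []byte, err error) {
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return nil, nil, fmt.Errorf("truncated or empty key blob")
	}
	n := binary.BigEndian.Uint32(b)
	return b[4 : 4+n], b[4+n:], nil
}

// RSABits checks that blob is an SSH-2 RSA key ("ssh-rsa", e, n) and returns
// the modulus length in bits, the Number of bits value of Table 6-3.
func RSABits(blob []byte) (int, error) {
	keyType, rest, err := readString(blob)
	if err != nil {
		return 0, err
	}
	if string(keyType) != "ssh-rsa" {
		return 0, fmt.Errorf("key type %q is not SSH-2 RSA", keyType)
	}
	if _, rest, err = readString(rest); err != nil { // skip public exponent e
		return 0, err
	}
	n, _, err := readString(rest) // modulus n as mpint
	if err != nil {
		return 0, err
	}
	return new(big.Int).SetBytes(n).BitLen(), nil
}

// ToOpenSSH turns the saved file into the single "ssh-rsa AAAA... comment" line
// shown in the PuTTYgen window, which is the form the console accepts.
func ToOpenSSH(rfc4716 string) (string, error) {
	blob, comment, err := ParseRFC4716(rfc4716)
	if err != nil {
		return "", err
	}
	bits, err := RSABits(blob)
	if err != nil {
		return "", err
	}
	if bits != 1024 && bits != 2048 && bits != 4096 {
		return "", fmt.Errorf("%d-bit key: only 1024, 2048 and 4096 bits are supported", bits)
	}
	return strings.TrimSpace("ssh-rsa " + base64.StdEncoding.EncodeToString(blob) + " " + comment), nil
}

// SampleRFC4716 renders a constructed ssh-rsa key of the given length
// (n = 2^(bits-1)+1, e = 65537; not a real key) the way PuTTYgen saves it.
func SampleRFC4716(bits int) string {
	n := new(big.Int).Lsh(big.NewInt(1), uint(bits-1))
	n.SetBit(n, 0, 1)
	var blob []byte // wire format: uint32 length + bytes; mpint n needs a leading 0x00
	for _, f := range [][]byte{[]byte("ssh-rsa"), {1, 0, 1}, append([]byte{0}, n.Bytes()...)} {
		blob = append(blob, byte(len(f)>>24), byte(len(f)>>16), byte(len(f)>>8), byte(len(f)))
		blob = append(blob, f...)
	}
	b64 := base64.StdEncoding.EncodeToString(blob)
	out := "---- BEGIN SSH2 PUBLIC KEY ----\nComment: \"rsa-key-20180517\"\n"
	for ; len(b64) > 64; b64 = b64[64:] { // PuTTYgen wraps the base64 at 64 columns
		out += b64[:64] + "\n"
	}
	return out + b64 + "\n---- END SSH2 PUBLIC KEY ----\n"
}

func main() {
	fmt.Println(ToOpenSSH(SampleRFC4716(2048)))
}
```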


6.2.14 What Should I Do When I Fail to Import a Key Pair Using Internet Explorer 9?

Symptom

Importing a key pair may fail if Internet Explorer 9 is used.

Procedure

Step 1 Click in the upper right corner of the browser.

Step 2 Select Internet Options.

Step 3 Click the Security tab in the displayed dialog box.

Step 4 Click Internet.

Step 5 If the security level indicates Custom, click Default Level to restore to the default settings.

Step 6 Move the scroll bar to set the security level to Medium and click Apply.

Step 7 Click Custom Level.

Step 8 Set Initialize and script ActiveX controls not marked as safe for scripting to Prompt.

Step 9 Click Yes.

----End

6.2.15 How Do I Log in to an ECS Running a Linux OS with a Private Key?

Prerequisites

l You have obtained the private key file of the ECS.

l You have bound an EIP to the ECS.

l The network connection between the login tool (such as PuTTY) and the target ECS is normal.

Logging In from a Windows Computer

To log in to the Linux ECS from a Windows computer, perform the operations described in this section.

Method 1: Use PuTTY to log in to the ECS.

The following operations use PuTTY to log in to the ECS. Before logging in, you must convert the private key format.

Step 1 Check whether the private key file is in the .ppk format.

l Skip this step if the private key is in the .ppk format.

l If the private key file is in any other format, convert it to the .ppk format according to the following procedure:


a. Visit the following website and download PuTTY and PuTTYgen:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

NOTE

PuTTYgen is a private key generator, which is used to create a key pair that consists of a public key and a private key for PuTTY.

b. Run PuTTYgen.

c. In the Actions area, click Load and import the private key file that you stored when purchasing the ECS. Ensure that the private key file format is included in All files (*.*).

d. Click Save private key.

e. Save the converted private key, for example, kp-123.ppk, to a local directory.

Step 2 Double-click PuTTY.EXE. The PuTTY Configuration page is displayed.

Step 3 Choose Connection > Data. Enter the image username in Auto-login username.

Step 4 Choose Connection > SSH > Auth. In Private key file for authentication, click Browse and select the private key file converted in Step 1.

Step 5 Click Session and enter the EIP of the ECS under Host Name (or IP address).

Figure 6-9 Configuring the EIP

Step 6 Click Open to log in to the ECS.

----End


Method 2: Use Xshell to log in to the ECS.

Step 1 Start the Xshell tool.

Step 2 Run the following command to remotely log in to the ECS through SSH:

ssh Username@EIP

An example command is provided as follows:

ssh [email protected]

Step 3 (Optional) If the system displays the SSH Security Warning dialog box, click Accept & Save.

Step 4 Select Public Key and click Browse beside the CMK text box.

Step 5 In the displayed dialog box, click Import.

Step 6 Select the locally stored key file and click Open.

Step 7 Click OK to log in to the ECS.

----End

Logging In from a Linux Computer

To log in to the Linux ECS from a Linux computer, perform the operations described in this section. The following procedure uses private key file kp-123.ppk as an example to log in to the ECS. The name of your private key file may differ.

Step 1 On the Linux CLI, run the following command to change operation permissions:

chmod 600 /path/private key file name

NOTE

In the preceding command, path is the path where the key file is saved.

Step 2 Run the following command to log in to the ECS:

ssh -i /path/kp-123 root@EIP

NOTE

l In the preceding command, path is the path where the key file is saved.

l EIP is the EIP bound to the ECS.

----End

6.2.16 How Do I Use a Private Key to Obtain the Password to Log In to a Windows ECS?

Symptom

A password is required when you log in to a Windows ECS. First of all, you must obtain the administrator password (password of account Administrator or another account set in Cloudbase-Init) generated during the initial installation of the ECS from the private key file downloaded when you create the ECS. This password is randomly generated, offering high security.


You can obtain the initial password for logging in to a Windows ECS through the management console.

NOTE

l After obtaining the initial password, you are advised to clear the password information recorded in the system to increase system security.
Clearing the initial password information does not affect ECS operation or login. Once cleared, the password cannot be retrieved. Before deleting a password, you are advised to record it. For details, see the Elastic Cloud Server User Guide.

l You can also call the API to obtain the initial password of the Windows ECS. For details, see the Elastic Cloud Server API Reference.

Procedure

Step 1 Obtain the private key file (.pem file) used when purchasing the ECS.

Step 2 Log in to the management console.

Step 3 Choose Computing > Elastic Cloud Server.

Step 4 In the ECS list, select the ECS whose password you want to get.

Step 5 In the Operation column, click More and choose Get Password.

Step 6 Use either of the following methods to obtain the password:

l Click Select File and upload the key file from a local directory.

l Copy the key file content to the text field.

Step 7 Click Get Password to obtain a new random password.

----End

6.2.17 What Are the Conditions for Resetting, Replacing, Unbinding, or Binding a Key Pair?

To reset, replace, or bind a key pair, the following conditions must be met:

• Resetting a Key Pair
  – The ECS must be in the Shut down state.
  – The ECS whose key pair is to be reset uses the public image provided by HUAWEI CLOUD.
  – Resetting the key pair replaces the user's public key by modifying the /root/.ssh/authorized_keys file on the server. Ensure that the file has not been modified before resetting the key pair. Otherwise, the reset will fail.
• Replacing a Key Pair
  – The ECS must be in the Running state.
  – The ECS whose key pair is to be replaced uses the public image provided by HUAWEI CLOUD.
  – Replacing the key pair replaces the user's public key by modifying the /root/.ssh/authorized_keys file on the server. Ensure that the file has not been modified before replacing the key pair. Otherwise, replacing the public key will fail.
• Binding a Key Pair
  – If the ECS is in the shutdown state, the key pair is bound to the ECS by resetting the key pair. Therefore, the condition for resetting the key pair must be met.
  – If the ECS is in the running state, the key pair is bound to the ECS by replacing the key pair. Therefore, the condition for replacing the key pair must be met.
• Unbinding a Key Pair
  – If the ECS is in the shutdown state, the key pair is unbound from the ECS by resetting the key pair. Therefore, the condition for resetting the key pair must be met.
  – If the ECS is in the running state, the key pair is unbound from the ECS by replacing the key pair. Therefore, the condition for replacing the key pair must be met.
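The precondition above (the authorized_keys file must not have been modified, or the reset or replacement fails) can be verified on the ECS before the operation is started. The shell script below is an added example and not Huawei's code; it assumes that an unmodified file is one containing exactly the public key of the currently bound key pair (blank lines and comments ignored) and that the public key is available locally as a .pub file. The file names and key strings in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Huawei's code: check that an ECS's /root/.ssh/authorized_keys still
# holds exactly the public key of the key pair bound to it, which is the precondition the
# FAQ states for resetting or replacing a key pair. Assumption: "not modified" means the
# file contains that one key line (blank lines and comments ignored) and nothing else.

# key_id FILE: print "<type> <base64>" of the first public key line in FILE, without the comment.
key_id() {
    awk '$1 ~ /^(ssh-|ecdsa-|sk-)/ { print $1, $2; exit }' "$1"
}

# authorized_keys_unmodified AUTH_KEYS PUBKEY
# Returns 0 when AUTH_KEYS contains exactly one key and it is PUBKEY, 1 otherwise.
authorized_keys_unmodified() {
    auth="$1"; pub="$2"
    [ -r "$auth" ] && [ -r "$pub" ] || return 1
    expected=$(key_id "$pub")
    [ -n "$expected" ] || return 1
    # Active entries: every line that is neither blank nor a '#' comment.
    total=$(awk '!/^[ \t]*#/ && NF > 0 { n++ } END { print n + 0 }' "$auth")
    # Entries that are exactly the expected key. Options such as command="..." shift the
    # fields and therefore do not match, which is the intended outcome: that is a modification.
    matches=$(awk -v want="$expected" '($1 " " $2) == want { n++ } END { print n + 0 }' "$auth")
    [ "$total" -eq 1 ] && [ "$matches" -eq 1 ]
}

# Demonstration on constructed sample files (the key material is a placeholder, not a real key).
demo_dir=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedSampleKey== kp-123\n' > "$demo_dir/kp-123.pub"
printf '# managed by the key pair service\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedSampleKey== kp-123\n' > "$demo_dir/authorized_keys"
if authorized_keys_unmodified "$demo_dir/authorized_keys" "$demo_dir/kp-123.pub"; then
    echo "authorized_keys unchanged: reset/replace precondition met"
else
    echo "authorized_keys was modified: reset/replace would fail"
fi
rm -rf "$demo_dir"
```

On a real ECS the call is `authorized_keys_unmodified /root/.ssh/authorized_keys /path/kp-123.pub`; an extra key, a removed key, or an entry with forced-command options all make it return 1, which is exactly the state in which the console operation would fail.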

6.2.18 How Do I Enable the Password Login Mode for an ECS?

If you disabled the password login mode when binding a key pair to an ECS, you can enable the password login mode again later when you need to.

The following example describes how to log in to the ECS using PuTTY and enable the password login mode.

Step 1 Check whether the private key file is in the .ppk format.
• Skip this step if the private key is in the .ppk format.
• If the private key file is in any other format, convert it to the .ppk format according to the following procedure:
  a. Visit the following website and download PuTTY and PuTTYgen:
     http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

     NOTE

     PuTTYgen is a private key generator, which is used to create a key pair that consists of a public key and a private key for PuTTY.

  b. Run PuTTYgen.
  c. In the Actions area, click Load and import the private key file that you stored when purchasing the ECS. In the file dialog, set the file type to All files (*.*) so that the private key file is listed.
  d. Click Save private key.
  e. Save the converted private key, for example, kp-123.ppk, to a local directory.

Step 2 Double-click PuTTY.EXE. The PuTTY Configuration page is displayed.

Step 3 Choose Connection > Data. Enter the image username in Auto-login username.

Step 4 Choose Connection > SSH > Auth. In Private key file for authentication, click Browse and select the private key file converted in Step 1.

Step 5 Click Session and enter the EIP of the ECS under Host Name (or IP address).


Figure 6-10 Configuring the EIP

Step 6 Click Open to log in to the ECS.

Step 7 Run the following command to open the /etc/ssh/sshd_config file:

vi /etc/ssh/sshd_config

Step 8 Press i to enter editing mode. Change the value of PasswordAuthentication to yes. The password login mode is enabled.

PasswordAuthentication yes

NOTE

To disable the password login mode, change the value of PasswordAuthentication to no. If the PasswordAuthentication parameter is not contained in the /etc/ssh/sshd_config file, add it and set it to no.

Step 9 Press Esc to exit the editing mode.

Step 10 Enter :wq and press Enter to save and exit.

Step 11 Run the following command to restart the SSH service for the configuration to take effect:

systemctl restart sshd

----End


6.2.19 What Can I Do If a Key Pair Failed to Be Bound, Reset, or Replaced for an ECS?

Symptom

When you bind, reset, or replace a key pair on an ECS, the operation may fail, and a failure record will be displayed on the management console.

Possible Causes

1. An incorrect or invalid password has been provided.
2. An incorrect or invalid private key has been provided.
3. The network connection is faulty.
4. While a key pair is being bound, reset, or replaced for an ECS, the ECS is shut down or started, or disks are removed from the ECS.

Procedure

NOTE

The Failed Key Pair Task dialog box only records and displays failed key pair operations on ECSs; these records do not affect the ECS status or subsequent operations. You can click Delete in the row where the failure record resides to delete it, or click Delete All to delete all failure records.

Step 1 If the password login mode is enabled, use the password to log in to the ECS and check whether the password is correct.
• If the password is correct, go to Step 2.
• If the password is incorrect, provide the correct password and bind, reset, or replace the key pair again.

Step 2 If the SSH key pair login mode is enabled, check whether the private key of the key pair is correct.
• If the private key is correct, go to Step 3.
• If the private key is incorrect, provide the correct one.

Step 3 Check whether the network is faulty.
• If the network is faulty, contact Huawei technical support.
• If the network is well connected, go to Step 4.

Step 4 Check whether the ECS can be properly powered on, powered off, and logged in to.
• If the ECS functions properly, perform the binding, resetting, or replacing operation again.
• If the ECS is faulty, contact a Huawei technical support engineer to check and locate the fault.

----End


6.2.20 What Should I Do If No Password or Key Pair Is Available For Logging In to the ECS After the Key Pair is Unbound?

Symptom

• The login mode of an ECS is the key pair, but the initial key pair has since been unbound, so there is no password or key pair available for logging in to the ECS. What can I do?
• When I bound a key pair to an ECS on the KMS console, I chose to disable the password login mode. After the key pair is unbound, I have neither a password nor a key pair to log in to the ECS. How can I solve this problem?

Procedure

Option 1:

Reset the password on the ECS console and use the password to log in to the ECS. For details, see the Elastic Cloud Server User Guide.

Option 2:

Shut down the ECS, bind the key pair to the ECS on the KMS console, and use the key pair to log in to the ECS. The procedure is as follows:

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 4 In the navigation pane on the left, click SSH Key Pair. The key pair list page is displayed.

Step 5 Click ECS List to view ECSs, as shown in Figure 6-11.

Figure 6-11 ECS list

Step 6 Click the name of the target ECS. The ECS details page is displayed.

Step 7 Click Shut Down in the upper right corner of the page to shut down the ECS.

Step 8 Click Service List in the upper menu bar of the page. Choose Security > Key Management Service. The Encryption Key page is displayed.

Step 9 In the navigation pane on the left, click SSH Key Pair. The key pair list page is displayed.

Step 10 Click ECS List to view ECSs.

Step 11 Click Bind in the row of the target ECS. The Bind Key Pair dialog box is displayed, as shown in Figure 6-12.

Figure 6-12 Binding a key pair

Step 12 Select a new key pair from the drop-down list box of New Key Pair.

Step 13 Choose whether to disable the password login mode as necessary. By default, the password login mode is disabled.

NOTE

• If you do not disable the password login mode, you can use either the password or the key pair to log in to the ECS.
• If the password login mode is disabled, you can use only the key pair to log in to the ECS. You can enable the password login mode again if you later need to use the password to log in to the ECS. The procedure is as follows:

1. Log in to the ECS.

2. Run the following command to open the /etc/ssh/sshd_config file:

vi /etc/ssh/sshd_config

3. Press i to enter the editing mode and change the value of PasswordAuthentication to yes.

PasswordAuthentication yes

4. Press Esc to exit the editing mode.

5. Enter :wq and press Enter to save and exit.

6. Run the following command to restart the SSH service for the configuration to take effect:

systemctl restart sshd

Step 14 Select the item to confirm that The server uses the default image provided by HUAWEI CLOUD and the SSH configuration has not been modified.

Step 15 Select I have read and agree to the Disclaimer of the Key Pair Management Service.


Step 16 Click OK. The key pair is bound. After the binding is complete, you can use the key pair to log in to the ECS.

----End
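Steps 7 to 11 of 6.2.18 and the six-step procedure in the note under Step 13 above both edit /etc/ssh/sshd_config by hand in vi. The shell functions below are an added example, not Huawei's code and not part of the ECS image, that make the same change non-interactively and handle two cases the manual edit can miss: a second active PasswordAuthentication line further down the file (sshd uses the first value it reads for a keyword, so a later "no" would silently win), and a Match block at the end of the file (a directive appended after it applies only to the matched users). The sshd_config content in the demonstration is constructed; enable_password_login assumes that sshd and systemctl are on the PATH, as they are on the images the FAQ describes.

```shell
#!/bin/sh
# Added example, not Huawei's code: set an sshd_config directive idempotently instead of
# editing the file by hand. It removes every active (uncommented) global occurrence of the
# directive, leaves commented lines and Match blocks untouched, and writes the new directive
# at the top of the file, because sshd uses the first value it reads for a keyword and a
# directive appended after a Match block would apply only to that block.

# set_sshd_option FILE KEYWORD VALUE
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        # keyword(line): the configuration keyword, lower-cased; accepts "Key value" and "Key=value".
        function keyword(s,   f) { sub(/^[ \t]+/, "", s); split(s, f, /[ \t=]+/); return tolower(f[1]) }
        NR == 1 { print key " " value }
        tolower($1) == "match" { in_match = 1 }
        !in_match && keyword($0) == tolower(key) { next }
        { print }
        END { if (NR == 0) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"   # cat keeps the file's owner and mode
}

# effective_sshd_option FILE KEYWORD: print the global value sshd would use (first active match
# before any Match block), or nothing if the keyword is not set.
effective_sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        /^[ \t]*#/ || NF == 0 { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == key) { print f[2]; exit }
        }
    ' "$1"
}

# enable_password_login [yes|no]: the FAQ procedure as one step. The configuration is checked
# with sshd's test mode before the restart, so a typo cannot leave the daemon unable to start.
enable_password_login() {
    cfg=/etc/ssh/sshd_config
    set_sshd_option "$cfg" PasswordAuthentication "${1:-yes}"
    sshd -t -f "$cfg" || { echo "sshd_config is invalid, not restarting sshd" >&2; return 1; }
    systemctl restart sshd
}

# Demonstration on a constructed copy of an sshd_config (does not touch /etc/ssh).
demo=$(mktemp)
printf '#PasswordAuthentication yes\nPasswordAuthentication no\nMatch User backup\n    PasswordAuthentication no\n' > "$demo"
set_sshd_option "$demo" PasswordAuthentication yes
echo "effective PasswordAuthentication: $(effective_sshd_option "$demo" PasswordAuthentication)"
rm -f "$demo"
```

Running `enable_password_login yes` as root performs Steps 7 to 11; `enable_password_login no` is the reverse described in the note under Step 8 of 6.2.18. `effective_sshd_option` is the quick way to confirm what the daemon will actually use after the edit, which a visual check of a long file can get wrong.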

6.2.21 How Do I Convert the Private Key File in PPK Format to the PEM Format?

The private key to be uploaded or copied to the text box must be in the .pem format. If the file is in the .ppk format, perform the following steps to convert the .ppk file to a .pem file.

1. Double-click PuTTYgen.exe. The PuTTY Key Generator page is displayed, as shown in Figure 6-13.

Figure 6-13 PuTTY Key Generator

2. Choose Conversions > Import key to import the private key file in the .ppk format.

3. Choose Conversions > Export OpenSSH Key. The PuTTYgen Warning dialog box is displayed.

4. Click Yes to save the file in the .pem format.
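The checks below are an added example, not Huawei's code, covering three points in this chapter: the key file passed to ssh -i in 6.2.15 must be readable only by its owner or ssh refuses it, and Step 1 of 6.2.18 and the conversion above both start with deciding whether a file is a .ppk or a .pem file. The format is read from the file's first line rather than its extension, since a renamed file is a common cause of import failures. The conversion uses the puttygen command-line program, which is assumed to be installed (the putty-tools package on Linux) and is the non-interactive equivalent of Conversions > Export OpenSSH Key. The header-only sample files are constructed and contain no key material.

```shell
#!/bin/sh
# Added example, not Huawei's code: inspect a private key file before using it with "ssh -i"
# or uploading it to the console. Assumptions: the puttygen command-line tool is installed
# for the conversion; everything else uses only POSIX utilities.

# key_file_format FILE: print ppk, openssh, pem, public or unknown, judged by the first line.
key_file_format() {
    first=$(head -n 1 "$1" 2>/dev/null | tr -d '\r')   # PPK files are usually CRLF-terminated
    case "$first" in
        PuTTY-User-Key-File-*)                 echo ppk ;;      # PuTTY's own format ("PuTTY-User-Key-File-2: ssh-rsa")
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;  # OpenSSH native format
        "-----BEGIN PRIVATE KEY-----"|"-----BEGIN "*" PRIVATE KEY-----")
                                               echo pem ;;      # PKCS#8 or traditional RSA/EC PEM, what the console expects
        ssh-*|ecdsa-*|sk-*)                    echo public ;;   # a public key was supplied instead of the private key
        *)                                     echo unknown ;;
    esac
}

# private_key_perms_ok FILE: 0 when no group/other permission bit is set, 1 otherwise.
# ssh rejects keys that others can read ("UNPROTECTED PRIVATE KEY FILE"), which is why the
# guide has you run chmod on the key before "ssh -i". ls -l is used because stat's flags
# differ between GNU and BSD systems.
private_key_perms_ok() {
    bits=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    case "$bits" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# ppk_to_pem IN.ppk OUT.pem: convert with puttygen and restrict the result to its owner.
ppk_to_pem() {
    [ "$(key_file_format "$1")" = ppk ] || { echo "$1 is not a .ppk file" >&2; return 1; }
    puttygen "$1" -O private-openssh -o "$2" && chmod 600 "$2"
}

# Demonstration on constructed header-only samples (no real key material).
d=$(mktemp -d)
printf 'PuTTY-User-Key-File-2: ssh-rsa\r\nEncryption: none\r\n' > "$d/kp-123.ppk"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed' '-----END RSA PRIVATE KEY-----' > "$d/kp-123.pem"
chmod 644 "$d/kp-123.pem"
for f in "$d/kp-123.ppk" "$d/kp-123.pem"; do
    if private_key_perms_ok "$f"; then p=ok; else p="too open, run: chmod 600 $f"; fi
    echo "$(basename "$f"): format=$(key_file_format "$f") permissions=$p"
done
rm -rf "$d"
```

A file reported as public is the .pub half of the pair and will never work as a private key; a file reported as openssh is already usable with ssh -i but is not the traditional PEM form, so a console that insists on .pem may still reject it.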

6.3 About Regions


6.3.1 Which Regions Provide KMS?

• Encryption Key: CN North-Beijing1 and CN East-Shanghai2
• SSH Key Pair: CN North-Beijing1
• Dedicated HSM: CN South-Guangzhou

6.4 About Pricing

6.4.1 Does KMS Provide Free Keys?

Yes.

You can use KMS free of charge in two scenarios:

• You can use Default Master Keys created by KMS free of charge.
• The first 20,000 API calls each month are free of charge.

6.4.2 What Are the Charging Standards?

KMS adopts a pay-per-use system with no minimum usage requirement. Once a CMK is created, it is charged by the hour. You pay for the CMKs that you create and for API requests beyond the free-of-charge quota.

6.4.3 Will a CMK Be Charged After It Is Disabled?

Yes.

You can disable CMKs on KMS. However, you will still be charged for disabled CMKs. Only deleted CMKs are not charged.


A Change History

Released On   Description

2018-05-17    This issue is the twelfth official release.
              • Added section "Logging In to the Linux ECS Using a Private Key".
              • Added section "Using a Private Key to Obtain the Login Password of Windows ECS".
              • Added section "Unbinding a Key Pair".
              • Added section "Importing a Private Key".
              • Added section "Exporting a Private Key".
              • Changed section "Creating a Key Pair": added description about the private key hosting.
              • Changed section "Importing a Key Pair": added description about the private key hosting.
              • Changed section "Viewing a Key Pair": added description about the private key hosting.
              • Changed section "Related Services": added description about operations of importing and exporting private keys.
              • Added the following FAQs:
                – What Are the Conditions for Resetting, Replacing, Unbinding, or Binding a Key Pair?
                – What Should I Do If No Password or Key Pair Is Available For Logging In to the ECS After the Key Pair is Unbound?
                – How Do I Convert the Private Key File in PPK Format to the PEM Format?

2018-04-30    This issue is the eleventh official release.
              • Added section "KMS Operations Supported by CTS".
              • Added section "Viewing Audit Logs".
              • Added section "Using HSM for User Service System".
              • Added section "Viewing Dedicated HSM Instances".
              • Added section "Using Dedicated HSM Instances".
              • Added the question "What Is a DMK?".

2018-04-12    This issue is the tenth official release.
              • Added section "Binding a Key Pair".
              • Changed section "Functions": added description about binding a key pair.
              • Changed section "Viewing a Key Pair": added description about deleting failure records.
              • Added the following FAQs:
                – How Do I Enable the Password Login Mode for an ECS?
                – What Can I Do If a Key Pair Failed to Be Bound, Reset, or Replaced for an ECS?

2018-03-30    This issue is the ninth official release.
              • Added section "Adding a Tag".
              • Added section "Searching for Tags".
              • Added section "Modifying Tag Values".
              • Added section "Deleting Tags".
              • Added section "Creating a Key Pair".
              • Added section "Importing a Key Pair".
              • Added section "Viewing a Key Pair".
              • Added section "Resetting a Key Pair".
              • Added section "Replacing a Key Pair".
              • Added section "Deleting a Key Pair".
              • Changed section "Application Scenarios": added description about logging in to an ECS that runs Linux OS.
              • Changed section "Functions": added descriptions about creating, importing, and deleting key pairs.
              • Changed section "How to Use KMS": added description about ECS.
              • Changed section "Related Services": added description about ECS, including adding and deleting tags, creating and importing key pairs, and deleting key pairs.
              • Added the following FAQs:
                – Can I Decrypt My Data Back if I Permanently Delete My CMK?
                – How Do I Create a Key Pair?
                – How Do I Handle an Import Failure of a Key Pair Created Using PuTTYgen?
                – What Should I Do When I Fail to Import a Key Pair Using Internet Explorer 9?
                – Can I Update CMKs Created by KMS-Generated Key Materials?
                – How Do I Log in to an ECS Running a Linux OS with an SSH Key Pair?
                – How Do I Use a Private Key File of an SSH Key Pair to Obtain the Password to Log In to a Windows ECS?

2018-03-01    This is the eighth official release.
              Updated screenshots.

2018-02-01    This is the seventh official release.
              Added FAQ "Can I Decrypt My Data Back if I Permanently Delete My CMK?"

2017-12-15    This is the sixth official release.
              • Added section "Using the Online Tool to Encrypt or Decrypt Data."
              • Changed section "Functions": added description about encrypting and decrypting a small volume of data.
              • Deleted section "Service Tariff."

2017-11-16    This is the fifth official release.
              • Added support for Elastic Volume Service (EVS) disks.
              • Added section "Project."
              • Added the step of selecting a project.
              • Added the following FAQs:
                – Which Regions Provide KMS?
                – What Functions Does KMS Provide?
                – How Do Cloud Services on HUAWEI CLOUD Use Data Encrypted by KMS?
                – What Are the Benefits of Envelope Encryption?
                – What Are the Differences Between a CMK and a Default Master Key?
                – Is There a Limit on the Number of CMKs That I Can Create on KMS?
                – What Is the Length of a CMK?
                – Can I Export a CMK from KMS?
              • Changed section "Application Scenarios."
              • Added operations encrypting data and decrypting data to the table of supported KMS operations in section "Related Services."
              • Added description about increasing quota in section "Creating a CMK."

2017-08-25    This is the fourth official release.
              • Added operations changing the alias of a CMK, changing the description of a CMK, prompting risks about CMK deletion, retiring a grant, and revoking a grant to table "KMS operations that CTS supports" in section "Related Services."
              • Added section "Changing the Alias and Description of a CMK."

2017-04-20    This is the third official release.
              Added section "Service Tariff."

2017-01-20    This is the second official release.
              • Added KMS-related concepts, description about accessing and using KMS, and description about relationships with other cloud services.
              • Added description about enabling, disabling, scheduling the deletion of, and canceling the deletion of multiple CMKs.
              • Added description about Default Master Keys.
              • Added definitions of OBS, EVS, and IMS and optimized description about application scenarios.
              • Optimized description about SSE-KMS and description about KMS operations that CTS supports.
              • Added description about how to create a DEK and a plaintext-free DEK.
              • Added description about relationships between KMS, EVS and IMS as well as how to use these services together with KMS.
              • Added description about how to encrypt private images.

2016-08-25    This is the first official release.