Key management system

The Key Management System (KMS) service centrally manages cryptographic keys and runs in the org admin cluster. The Application Operator (AO) creates, uses, and destroys the keys in the KMS.

Supported keys

KMS supports the following keys:

Key primitive Key primitive (API) Description Default algorithm

Key primitive	Key primitive (API)	Description	Default algorithm
`AEAD`	`aeadkey`	The authenticated encryption with associated data (`AEAD`) key that performs authenticated encryption using `AES-256`. The key's components represent the following: `AES-256`: the 256-bit Advanced Encryption Standard (AES) symmetric key algorithm. This algorithm is the default algorithm.	`AES_256_GCM`
`Signing`	`signingkey`	The signing key that provides asymmetric signing using elliptic curve support. The key's components represent the following: `EC`: the elliptic curve key. `P384`: the size of the EC curve. `SHA384`: the digest algorithm used in signing. This algorithm is the default algorithm.	`EC_SIGN_P384_SHA384`

AEAD

aeadkey

The authenticated encryption with associated data (AEAD) key that performs authenticated encryption using AES-256.

The key's components represent the following:

AES-256: the 256-bit Advanced Encryption Standard (AES) symmetric key algorithm. This algorithm is the default algorithm.

AES_256_GCM

Signing

signingkey

The signing key that provides asymmetric signing using elliptic curve support.

The key's components represent the following:

EC: the elliptic curve key.

P384: the size of the EC curve.

SHA384: the digest algorithm used in signing. This algorithm is the default algorithm.

EC_SIGN_P384_SHA384

Key features

The AO centrally manages symmetric and asymmetric cryptographic keys with the AEAD and Signing keys. Through the KMS Creator role, the AO has the ability to create keys.

Through the KMS Admin role, the AO can use, destroy, import, and export aeadkey and signingkey cryptographic keys.