Key Management Service (KMS)

The Key Management Service (KMS) of the Open Telekom Cloud generates and stores public keys for accessing data in the Open Telekom Cloud and makes them available to the respective user. It combines the essential security requirements placed on a cloud with high usability, as users can manage their keys directly via the console. The KMS ensures secure access to data and is integrated with other Open Telekom Cloud services. Cloud Trace monitors access to keys and thereby helps fulfill audit and compliance requirements. The KMS also uses hardware security modules (HSM) for professional management of key security. The KMS does not store the data encryption keys (DEK) directly; instead, users receive their DEKs via customer master keys. The hardware security modules handle the encryption and decryption processes, while a dedicated API is used to access the service. The Open Telekom Cloud also allows users to deploy their own keys (“bring your own key”). Another available function is “grant master key,” which allows tenant owners to issue temporary permissions for access to encrypted data.

Customer Master Key

A Customer Master Key (CMK) is a Key Encryption Key (KEK) created by a user using KMS. It is used to encrypt and protect Data Encryption Keys (DEKs). One CMK can be used to encrypt one or multiple DEKs.

You can perform the following operations on CMKs:

  • Creating, querying, enabling, disabling, scheduling the deletion of, and canceling the deletion of CMKs

  • Importing CMKs and deleting CMK material

  • Modifying the aliases and description of CMKs

  • Creating, querying, and revoking a grant

  • Adding, searching for, editing, and deleting tags

  • Enabling key rotation

List Keys

This interface is used to query all KMS keys and to filter the output with query parameters.

import openstack


openstack.enable_logging(True)
conn = openstack.connect(cloud='otc')

for key in conn.kms.keys():
    print(key)

Create Key

This interface is used to create a KMS key with parameters.

import openstack


openstack.enable_logging(True)
conn = openstack.connect(cloud='otc')


key = conn.kms.create_key(
    key_alias='cmk_name',
    description='My KMS cmk'
)
print(key)

Get Key

This interface is used to get a KMS key by ID or an instance of class Key.

import openstack


openstack.enable_logging(True)
conn = openstack.connect(cloud='otc')

key = 'cmk_id'
key = conn.kms.get_key(key)
print(key)

Find Key

This interface is used to find a KMS key by id or name.

import openstack

openstack.enable_logging(True)
conn = openstack.connect(cloud='otc')


key = 'cmk_name_or_id'
key = conn.kms.find_key(key)
print(key)

Enable Key

This interface is used to enable a KMS key by id or an instance of class Key.

import openstack


openstack.enable_logging(True)
conn = openstack.connect(cloud='otc')

key = 'cmk_id'
key = conn.kms.enable_key(key)
print(key)

Disable Key

This interface is used to disable a KMS key by id or an instance of class Key.

import openstack


openstack.enable_logging(True)
conn = openstack.connect(cloud='otc')

key = 'cmk_id'
key = conn.kms.disable_key(key)
print(key)

Schedule Key Deletion

This interface is used to schedule the KMS key deletion with a specific retention time by id or an instance of class Key.

import openstack


openstack.enable_logging(True)
conn = openstack.connect(cloud='otc')

key = 'cmk_id'
# pending_days is the retention window before the key is actually deleted
# (7 to 1096 days, default 7); the deletion can be cancelled during it.
conn.kms.schedule_key_deletion(key, pending_days=7)

Cancel Key Deletion

This interface is used to cancel the KMS key deletion by key id or an instance of class Key.

import openstack


openstack.enable_logging(True)
conn = openstack.connect(cloud='otc')

key = 'cmk_id'
conn.kms.cancel_key_deletion(key)

Data Encryption Key

Data Encryption Keys (DEKs) are used to encrypt data.

Create Datakey

This interface is used to create a KMS Datakey with parameters.

import openstack


openstack.enable_logging(True)
conn = openstack.connect(cloud='otc')

# KMS returns the DEK in two forms: plain_text, for encrypting data locally,
# and cipher_text, the DEK wrapped under the CMK, to be stored alongside the
# data. Discard plain_text once the data is encrypted; KMS does not keep DEKs.
dek = conn.kms.create_datakey(
    cmk='cmk_id',
    datakey_length='512'
)
print(dek)

Create Datakey without Plain Text

This interface is used to create a KMS data encryption key without plain text.

import openstack


openstack.enable_logging(True)
conn = openstack.connect(cloud='otc')

# Only the wrapped DEK (cipher_text) is returned; the plaintext is never
# exposed at creation time and is obtained later via decrypt_datakey.
dek = conn.kms.create_datakey_wo_plain(
    cmk='cmk_id',
    datakey_length='512'
)
print(dek)

Encrypt Datakey

This interface is used to encrypt a KMS data encryption key.

import openstack


openstack.enable_logging(True)
conn = openstack.connect(cloud='otc')

data = conn.kms.encrypt_datakey(
    datakey='datakey_id'
)
print(data)

Decrypt Datakey

This interface is used to decrypt a KMS data encryption key.

import openstack


openstack.enable_logging(True)
conn = openstack.connect(cloud='otc')

# cipher_text is the wrapped DEK returned by create_datakey (or
# create_datakey_wo_plain); datakey_cipher_length is its length in bytes
# (64 for a 512-bit DEK). The plain_text field of the result is the sensitive part.
data = conn.kms.decrypt_datakey(
    cmk='cmk_id',
    cipher_text='dek_cipher_text',
    datakey_cipher_length='64'
)
print(data)
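The CMK/DEK relationship described in the introduction, and exercised by the Create, Encrypt and Decrypt Datakey calls above, worked through end to end as an added example. This is not otcextensions code and it does not call the service: `LocalKms` is a hypothetical in-process stand-in whose method names mirror the proxy calls on this page, and `seal`/`open_sealed` are a standard-library stand-in for an AEAD such as AES-GCM so that the example runs offline. It shows what the SDK snippets leave implicit: the plaintext DEK lives only in the application for one operation, only the wrapped DEK is persisted next to the data, and disabling the CMK cuts off every DEK wrapped under it.

```python
import hashlib
import hmac
import secrets
import struct

# Stand-in authenticated cipher (demo only): HMAC-SHA256 in counter mode for the
# keystream plus encrypt-then-MAC. Production code would use AES-GCM from a vetted library.

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("blob failed authentication")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class LocalKms:
    """Hypothetical in-process model of the service side: CMK material never
    leaves this object and no DEK is stored here, only handed out wrapped."""

    def __init__(self):
        self._cmks = {}

    def create_key(self, key_alias: str) -> str:
        cmk_id = "cmk-" + secrets.token_hex(4)   # constructed id, not the service's format
        self._cmks[cmk_id] = {"alias": key_alias, "material": secrets.token_bytes(32), "enabled": True}
        return cmk_id

    def enable_key(self, cmk_id: str) -> None:
        self._cmks[cmk_id]["enabled"] = True

    def disable_key(self, cmk_id: str) -> None:
        self._cmks[cmk_id]["enabled"] = False

    def _material(self, cmk_id: str) -> bytes:
        cmk = self._cmks[cmk_id]
        if not cmk["enabled"]:   # a disabled CMK makes every DEK wrapped under it unusable
            raise PermissionError(f"{cmk_id} is disabled")
        return cmk["material"]

    def encrypt_datakey(self, cmk_id: str, plain_text: bytes) -> bytes:
        # AAD binds the wrapped DEK to its CMK id, so it cannot be unwrapped under another CMK.
        return seal(self._material(cmk_id), plain_text, aad=cmk_id.encode())

    def create_datakey(self, cmk_id: str, datakey_length: int = 32) -> dict:
        plain = secrets.token_bytes(datakey_length)
        return {"plain_text": plain, "cipher_text": self.encrypt_datakey(cmk_id, plain)}

    def create_datakey_wo_plain(self, cmk_id: str, datakey_length: int = 32) -> dict:
        # Provision a DEK for later use; nobody sees the plaintext until decrypt_datakey.
        return {"cipher_text": self.create_datakey(cmk_id, datakey_length)["cipher_text"]}

    def decrypt_datakey(self, cmk_id: str, cipher_text: bytes) -> bytes:
        return open_sealed(self._material(cmk_id), cipher_text, aad=cmk_id.encode())


# Client side: envelope encryption. The application holds the plaintext DEK only
# for the duration of one operation and persists nothing but the wrapped DEK.

def envelope_encrypt(kms: LocalKms, cmk_id: str, data: bytes) -> dict:
    dek = kms.create_datakey(cmk_id)
    blob = seal(dek["plain_text"], data)
    return {"cmk_id": cmk_id, "wrapped_dek": dek["cipher_text"], "blob": blob}

def envelope_decrypt(kms: LocalKms, record: dict) -> bytes:
    dek_plain = kms.decrypt_datakey(record["cmk_id"], record["wrapped_dek"])
    return open_sealed(dek_plain, record["blob"])

def disabled_cmk_blocks_decrypt(kms: LocalKms, record: dict) -> bool:
    """Disabling the CMK revokes access to data under every DEK it wraps."""
    kms.disable_key(record["cmk_id"])
    try:
        envelope_decrypt(kms, record)
        return False
    except PermissionError:
        return True
    finally:
        kms.enable_key(record["cmk_id"])
```

A typical run is `kms = LocalKms()`, `cmk = kms.create_key("cmk_name")`, `rec = envelope_encrypt(kms, cmk, data)` and later `envelope_decrypt(kms, rec)`; `disabled_cmk_blocks_decrypt(kms, rec)` returns `True`, and a wrapped DEK presented under a different CMK, or a data blob with a flipped byte, is rejected by the authentication check rather than silently decrypted. The same wrapped-DEK record is what the real `decrypt_datakey` call on this page expects as `cipher_text`.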

Miscellaneous

Generate Random Data

This interface is used to generate random data.

import openstack


openstack.enable_logging(True)
conn = openstack.connect(cloud='otc')

data = conn.kms.generate_random(random_data_length=512)
print(data)

Get Instance Number

This interface is used to get the total number of encryption key instances.

import openstack


openstack.enable_logging(True)
conn = openstack.connect(cloud='otc')

instances = conn.kms.get_instance_number()
print(instances)

List KMS quotas

This interface is used to query all KMS quotas.

import openstack


openstack.enable_logging(True)
conn = openstack.connect(cloud='otc')

for quota in conn.kms.quotas():
    print(quota)