
Key Concepts

This section explains the core components and policies that make up KakaoCloud Key Management Service (KMS). Understanding these concepts will help you use KMS more effectively.

User keys

Encryption keys that users create and manage directly, controlling the key's name, description, and rotation settings.
They suit scenarios where the user needs active control of the key, such as encrypting specific application data or databases.

Service keys

Keys that a specific KakaoCloud service creates and manages on the user's behalf. They provide symmetric AES256-GCM96 encryption (AES-256 in GCM mode with a 96-bit nonce).
For example, when encryption is enabled for a particular storage service, the service automatically uses a service key in the background to protect its data. Users cannot modify or manage these keys directly; the integrated service applies them automatically.

Key versions

Each distinct set of key material within a key is a version. A new version is generated whenever the key is rotated, so data encrypted earlier can still be decrypted while new data is protected with the latest material.
When a key is first created, version 1 is generated. Upon rotation, version 2 is created with new key material and set to Active, while version 1 is retained and moves to Deactivated. All new encryption requests use version 2; data encrypted with version 1 is decrypted automatically because the ciphertext records which version produced it. Users only need the key name or ID and do not have to manage versions manually.

Key rotation

A feature that periodically generates a new key version to replace the one currently used for encryption. Rotation limits how much data any single version protects, reducing the impact if a version is exposed, and helps meet security standards that require periodic key changes. Rotation does not re-encrypt existing data: ciphertexts produced under earlier versions stay bound to those versions and remain readable as long as those versions are not destroyed.

Automatic rotation

The system automatically creates and activates a new version based on the rotation cycle set by the user (default: 365 days). This automates regular key management and helps maintain security conveniently.

Manual rotation

Administrators can immediately generate a new version if a risk arises, such as key exposure or suspected compromise. This is useful when urgent key replacement is required. Because rotation leaves existing ciphertexts bound to the suspect version, re-encrypt that data under the new version before destroying the old one.

Key states

A key can have multiple versions, and each version is in exactly one of the states below. What a key can do depends on the states of its versions.

Pre-activation: The key has been created but no Active version exists yet.
- Encryption and decryption are not possible in this state.
Active: The version is in use. This is the only state in which a version can encrypt; it can also decrypt.
- When a new version is created, it becomes Active and the previously Active version is set to Deactivated.
Deactivated: The version is retired from encryption but can still decrypt data it encrypted earlier.
- If all versions are Deactivated or Destroyed, the key itself is automatically deactivated.
Destroyed: The version's key material is permanently deleted and cannot be recovered, so data encrypted with it can no longer be decrypted.
- Once all versions of a key are Destroyed, the key itself can be permanently deleted.
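The lifecycle described in the sections on key versions, key rotation and key states, as an added example written for this page rather than KakaoCloud's own code. The names (Key, KeyVersion, rotate, destroy_version, walkthrough, KmsError), the wire layout (4-byte version number, 12-byte nonce, ciphertext, 32-byte tag) and the sample plaintexts are assumptions for illustration. The cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag, a standard-library stand-in for the AES256-GCM96 the service uses, so the block runs without third-party packages; what it demonstrates is the versioning, not the cipher.

```python
"""Versioned key, rotation and version states, modelled on the KMS concepts page.  Added
example, not KakaoCloud code; an HMAC-SHA256 stream cipher plus tag stands in for AES256-GCM96."""
import hashlib, hmac, os, struct
from dataclasses import dataclass, field
from enum import Enum

NONCE_LEN, TAG_LEN = 12, 32   # 96-bit nonce, as the "96" in AES256-GCM96; HMAC-SHA256 tag

class State(Enum):
    PRE_ACTIVATION = "Pre-activation"
    ACTIVE = "Active"
    DEACTIVATED = "Deactivated"
    DESTROYED = "Destroyed"

class KmsError(Exception):
    pass

def _keystream_xor(material: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter mode: keystream block i = HMAC(material, "enc" || nonce || i), XORed into data.
    out = bytearray()
    for i, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(material, b"enc" + nonce + struct.pack(">Q", i), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)

def _tag(material: bytes, header: bytes, ct: bytes, aad: bytes) -> bytes:
    # Authenticates the header (version + nonce), the length-prefixed aad and the ciphertext.
    return hmac.new(material, b"mac" + header + struct.pack(">Q", len(aad)) + aad + ct, hashlib.sha256).digest()

@dataclass
class KeyVersion:
    number: int
    material: "bytes | None"   # None once Destroyed
    state: State

@dataclass
class Key:
    versions: dict = field(default_factory=dict)   # version number -> KeyVersion

    def active_version(self) -> "KeyVersion | None":
        return next((v for v in self.versions.values() if v.state is State.ACTIVE), None)

    def rotate(self) -> int:
        # New Active version; the previously Active one becomes Deactivated (first call makes v1).
        for v in self.versions.values():
            if v.state is State.ACTIVE:
                v.state = State.DEACTIVATED
        number = max(self.versions, default=0) + 1
        self.versions[number] = KeyVersion(number, os.urandom(32), State.ACTIVE)
        return number

    def destroy_version(self, number: int) -> None:   # unrecoverable; its ciphertexts are lost
        self.versions[number].material, self.versions[number].state = None, State.DESTROYED

    def state(self) -> State:   # key-level state derived from the versions, per the states table
        if not self.versions:
            return State.PRE_ACTIVATION
        states = {v.state for v in self.versions.values()}
        if State.ACTIVE in states:
            return State.ACTIVE
        return State.DESTROYED if states == {State.DESTROYED} else State.DEACTIVATED

    def encrypt(self, plaintext: bytes, aad: bytes = b"") -> bytes:
        v = self.active_version()
        if v is None:
            raise KmsError(f"no Active version (key is {self.state().value})")
        header = struct.pack(">I", v.number) + os.urandom(NONCE_LEN)   # version rides with the data
        ct = _keystream_xor(v.material, header[4:], plaintext)
        return header + ct + _tag(v.material, header, ct, aad)

    def decrypt(self, blob: bytes, aad: bytes = b"") -> bytes:
        if len(blob) < 4 + NONCE_LEN + TAG_LEN:
            raise KmsError("ciphertext too short")
        header, ct, tag = blob[:4 + NONCE_LEN], blob[4 + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        v = self.versions.get(struct.unpack(">I", header[:4])[0])   # caller never names a version
        if v is None or v.state is State.DESTROYED:
            raise KmsError(f"version {header[:4].hex()} unknown or Destroyed; data is unrecoverable")
        # Active and Deactivated versions both decrypt; verify the tag before releasing plaintext.
        if not hmac.compare_digest(tag, _tag(v.material, header, ct, aad)):
            raise KmsError("authentication failed: tampered ciphertext or wrong aad")
        return _keystream_xor(v.material, header[4:], ct)

def walkthrough() -> dict:
    key = Key()           # Pre-activation: no version yet
    key.rotate()          # version 1
    c1 = key.encrypt(b"row-1")   # constructed sample data
    key.rotate()          # manual rotation: version 2 Active, version 1 Deactivated
    out = {"v1_state": key.versions[1].state.value, "v2_state": key.versions[2].state.value,
           "old_ct_still_decrypts": key.decrypt(c1) == b"row-1"}
    key.destroy_version(1)
    try:
        key.decrypt(c1)
        out["destroyed_decrypts"] = True
    except KmsError:
        out["destroyed_decrypts"] = False
    key.destroy_version(2)
    out["key_state"] = key.state().value   # every version Destroyed -> key Destroyed
    return out
```

Two details carry the page's points: decrypt() takes no version argument, because the version number is read from the ciphertext header, which is why users need only the key name or ID; and destroy_version() wipes the material before changing the state, so the "data is unrecoverable" error is not a policy check but a fact about what is left. The length check and tag verification run before any plaintext is produced, as they should in any envelope format.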

Roles

KMS uses a role-based access control (RBAC) model to securely and systematically manage access permissions to key resources. Roles are assigned through the IAM service to ensure that users can only perform permitted operations.

KMS Project Viewer

Has permission to view all KMS resources in a project, including key lists, states, and version information, but cannot perform management tasks such as creating keys or changing key states.

KMS Project Manager

Includes all Viewer permissions plus the ability to create, modify, and delete keys and to manage key rotation. This role grants full administrative control over KMS within a project.