Key Concepts

This section explains the core components and policies that make up KakaoCloud Key Management Service (KMS). Understanding these concepts will help you use KMS more effectively.

KMS keys

  • All encryption keys created and managed in KMS are called KMS keys.
  • KMS keys are provided as user keys and service keys.
  • KMS keys are used only to encrypt data keys and do not directly encrypt data.
  • KMS keys are not exported outside KMS and are used only within KMS.
  • For more information about managing KMS key versions and states, see Key versions and Key states.

User keys

Encryption keys that users create and manage directly. Users can control the key’s name, description, and rotation settings.
They are used in scenarios where the user needs to actively manage keys, such as encrypting specific application data or databases.

Service keys

Keys that are created and managed by a specific KakaoCloud service on behalf of the user. They provide symmetric AES256-GCM96 encryption.
For example, when encryption is enabled for a particular storage service, the service automatically uses a service key in the background to protect data. Users cannot modify or manage these keys directly; they are automatically used to encrypt data for the integrated service.

Key versions

Each unique cryptographic element within a key is called a version. A new version is generated whenever key rotation occurs. This ensures that previously encrypted data can still be decrypted securely while new data is protected with the latest key.
When a key is first created, version 1 is generated. Upon rotation, version 2 is created with new cryptographic information and set to Active, while version 1 remains preserved. All new encryption requests use version 2, but data encrypted with version 1 is decrypted automatically by the system using the embedded version information. Users only need the key name or ID and do not have to manage versions manually.

Data keys

Data keys are used to encrypt and decrypt actual data. When a data key is generated, it is returned in both plaintext and encrypted form (the encrypted form is protected by the KMS key). After encrypting your data, delete the plaintext data key immediately and store only the encrypted data key.
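The envelope pattern described above (the KMS key only wraps data keys, and the wrapped data key carries the version that wrapped it, as explained under Key versions), as an added Go example. This is constructed illustration code, not KakaoCloud's implementation or API: the KMS key is simulated locally with AES-256-GCM material per version, the wrapped data key format (4-byte big-endian version, then nonce, then ciphertext) and the 96-bit nonce constant are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

const nonceLen = 12 // 96-bit GCM nonce, as in the AES256-GCM96 named above

// KmsKey stands in for one KMS key (constructed example, not KakaoCloud's code): versions[i]
// holds version i+1's AES-256 material, the last entry is Active, an empty slice is Pre-activation.
type KmsKey struct{ versions [][]byte }

// Rotate appends a version with fresh material and makes it Active; older versions stay for unwrapping.
func (k *KmsKey) Rotate() {
	k.versions = append(k.versions, make([]byte, 32))
	rand.Read(k.versions[len(k.versions)-1])
}

// GenerateDataKey returns a data key in plaintext and wrapped by the Active version as
// version(4 bytes) || nonce || GCM ciphertext; callers store only the wrapped copy.
func (k *KmsKey) GenerateDataKey() (plain, wrapped []byte, err error) {
	if len(k.versions) == 0 {
		return nil, nil, errors.New("key is in Pre-activation: no Active version")
	}
	plain, nonce := make([]byte, 32), make([]byte, nonceLen)
	rand.Read(plain)
	rand.Read(nonce)
	block, _ := aes.NewCipher(k.versions[len(k.versions)-1]) // material is always 32 bytes
	aead, _ := cipher.NewGCM(block)
	wrapped = append(binary.BigEndian.AppendUint32(nil, uint32(len(k.versions))), nonce...)
	return plain, aead.Seal(wrapped, nonce, plain, nil), nil
}

// UnwrapDataKey uses the version recorded in the blob, so data keys wrapped before a rotation still decrypt.
func (k *KmsKey) UnwrapDataKey(wrapped []byte) ([]byte, error) {
	if len(wrapped) < 4+nonceLen {
		return nil, errors.New("wrapped data key too short")
	}
	v := binary.BigEndian.Uint32(wrapped[:4])
	if v == 0 || int(v) > len(k.versions) {
		return nil, errors.New("unknown key version")
	}
	block, _ := aes.NewCipher(k.versions[v-1])
	aead, _ := cipher.NewGCM(block)
	return aead.Open(nil, wrapped[4:4+nonceLen], wrapped[4+nonceLen:], nil)
}
```

The plaintext data key returned here is what encrypts the actual data; once that is done the caller keeps only the wrapped copy, and any later decryption goes back through UnwrapDataKey, whichever version is Active by then.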

Key rotation

A feature that periodically generates a new key version to replace the existing one for enhanced security. Rotation reduces the risk of key exposure and ensures compliance with security standards.

Automatic rotation

The system automatically creates and activates a new version based on the rotation cycle set by the user (default: 365 days). This automates regular key management and helps maintain security conveniently.

Manual rotation

Administrators can immediately generate a new version if a risk arises, such as key exposure or suspected compromise. This is useful when urgent key replacement is required.

Key states

A key can have multiple versions, and each version is managed by a unique state. The usability of a key depends on the state of its versions.

State and description

Pre-activation
  The key has been created but no active version exists yet.
  - Encryption and decryption are not possible in this state.

Active
  The version is active. This is the only state in which encryption and decryption can be performed.
  - When a new version is created, it becomes Active and the previous version is set to Deactivated.

Deactivated
  The version is inactive and cannot perform encryption, but it can still decrypt data encrypted previously.
  - If all versions are deactivated or destroyed, the key itself is automatically deactivated.

Destroyed
  The version is permanently deleted and cannot be recovered.
  - If all versions of a key are destroyed, the key itself can be permanently deleted.
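The rotation behaviour and the state table above, as an added Go example that is not KakaoCloud's code: it tracks the state of each version and derives the key-level state from them (Pre-activation, Active, Deactivated, or all versions destroyed). The numeric ordering of the states and the Destroy and CanDecrypt method names are assumptions made for this illustration.

```go
package main

// State covers the per-version states in the table above plus Pre-activation (key-level:
// no version yet), ordered so a key's own state is the highest among its versions' states.
type State int

const PreActivation, Destroyed, Deactivated, Active State = 0, 1, 2, 3

// KeyLifecycle tracks version states only; versions[i] is version i+1. Constructed example,
// not KakaoCloud's implementation.
type KeyLifecycle struct{ versions []State }

// Rotate creates a new Active version and deactivates the previous one; automatic
// rotation calls it on the configured cycle, manual rotation on demand.
func (k *KeyLifecycle) Rotate() int {
	for i, s := range k.versions {
		if s == Active {
			k.versions[i] = Deactivated
		}
	}
	k.versions = append(k.versions, Active)
	return len(k.versions) // the new version number
}

// Destroy permanently removes one version; there is no recovery path. It reports false
// for a version that does not exist or is already destroyed.
func (k *KeyLifecycle) Destroy(version int) bool {
	if !k.CanDecrypt(version) {
		return false
	}
	k.versions[version-1] = Destroyed
	return true
}

// CanDecrypt: data encrypted under a version stays decryptable until that version is Destroyed.
func (k *KeyLifecycle) CanDecrypt(version int) bool {
	return version >= 1 && version <= len(k.versions) && k.versions[version-1] != Destroyed
}

// KeyState derives the key-level state: Active (the only state serving new encryption) if any
// version is Active, Deactivated if all are deactivated or destroyed, Destroyed if all are destroyed.
func (k *KeyLifecycle) KeyState() State {
	state := PreActivation
	for _, s := range k.versions {
		if s > state {
			state = s
		}
	}
	return state
}
```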

Access control

You can strengthen key security by using access control.
The key creator is the key's owner and keeps access and management permissions for the keys they created for as long as their IAM role is maintained.

  • Enabled: You can configure allowed subjects. Configurable subjects include users, groups, service accounts, and service agent accounts in the same project. Actual permissions follow their IAM roles.
  • Disabled: Subjects with the IAM role required to use the key can access the key.

Roles

KMS uses a role-based access control (RBAC) model to securely and systematically manage access permissions to key resources. Roles are assigned through the IAM service to ensure that users can only perform permitted operations.

KMS Viewer

Has permission to view resources in a project, including key lists, states, and version information.
However, this role cannot perform cryptographic operations using keys, such as encryption, decryption, signing, and verification, or management tasks such as creating, deleting, or changing key states.

KMS User

Includes key view permissions and can perform cryptographic operations using keys.
However, this role cannot perform management tasks such as creating, deleting, or changing key states.

KMS Manager

Includes key view permissions and cryptographic operation permissions, and can perform all KMS management tasks such as creating, deleting, rotating, and changing key states.