<p class="shortdesc"></p> <section class="section" id="FAQs__section_zlp_2gk_flb"><h2 class="doc-tairway">What is a customer master key (CMK)？ </h2> <p class="p">A CMK is a master key you create with KMS. You can use it to encrypt and decrypt data keys, and generate envelopes. You can also use it to directly encrypt small amounts of data. There are customer managed CMKs and Ping An Cloud managed CMKs. You can use a CMK to encrypt multiple data keys. </p> </section> <section class="section" id="FAQs__section_xfd_ggk_flb"><h2 class="doc-tairway">Why cannot I delete a CMK immediately? </h2> <p class="p">Deleting a CMK requires extreme caution. Because once you delete a CMK, you can no longer decrypt the data encrypted under that CMK. Therefore, Ping An Cloud does not support instant key deletion. Instead, the actual operation of the deletion will be postponed for 7 to 30 days (specified by the user). Besides, if you find that a CMK is still in use before the scheduled deletion time, you can cancel the deletion. In this way, you can reduce the chances of possible damage caused by misoperation. </p> </section> <section class="section" id="FAQs__section_bw1_hgk_flb"><h2 class="doc-tairway">Can I decrypt the encrypted data if the corresponding CMK is completely deleted? </h2> <p class="p">No. Once the CMK is completely removed (not scheduled deletion, which can be canceled so that you can reuse the key), you can no longer decrypt the data encrypted under that CMK. </p> </section> <section class="section" id="FAQs__section_l1y_hgk_flb"><h2 class="doc-tairway">Will I be charged for a CMK in the PENGDING_DELETE status? </h2> <p class="p">No charges for a CMK in the PENGDING_DELETE status. You will not be charged for a key in the PENDING_DELETE status from the moment you schedule its deletion to that it is completely removed. However, if you cancel the deletion after scheduling deletion, you will be charged again. You will also be charged for fees that should have been incurred during the period from scheduling deletion to canceling deletion. </p> </section> <section class="section" id="FAQs__section_ltv_3gk_flb"><h2 class="doc-tairway">Which services of Ping An Cloud use data encryption services provided by KMS? </h2> <p class="p">Products such as Object Based Storage (OBS), Elastic Block Storage(EBS), and Elastic File Service (EFS) use data encryption services provided by KMS. </p> </section> <section class="section" id="FAQs__section_t5l_q3j_mlb"><h2 class="doc-tairway">What is a data key? </h2> <p class="p">A data key, in essence, is a symmetric key. However, a data key generated in KMS is encrypted and protected by a CMK. </p> </section> <section class="section" id="FAQs__section_wsq_s3j_mlb"><h2 class="doc-tairway">Is there a limit to the number of CMKs I can create in KMS? </h2> <p class="p">You can create a maximum of 200 CMKs in a region under a master account. </p> </section> <section class="section" id="FAQs__section_xkr_s3j_mlb"><h2 class="doc-tairway">What is the length of a CMK created in KMS? </h2> <p class="p">The length of a CMK created in Ping An Cloud KMS is 256 bits. If you want to import a CMK, pay attention to the encryption standard selected (international standard: 256 bits, national standard: 128 bits, and 256 bits will be taken as the uniform standard later). </p> </section> <section class="section" id="FAQs__section_bvr_s3j_mlb"><h2 class="doc-tairway">Can I export a CMK from KMS？ </h2> <p class="p">No, you cannot export a CMK from KMS. To ensure the security of a CMK, you can only create and use it in KMS, but not export it. </p> </section> <section class="section" id="FAQs__section_kds_s3j_mlb"><h2 class="doc-tairway">Can I update keys or key pairs managed by KMS? </h2> <p class="p">Currently, you cannot update CMKs. Later, with automatic key rotation, KMS will rotate the key material of CMKs periodically. You can, however, update key pairs. </p> </section>