Get Parameters for Import

<p class="shortdesc">Before importing external key material, you need to get the parameters for import. You can then encrypt the key material and upload it. </p> <section class="section prereq" id="getmaterial__prereq_ez1_gl5_jlb"><div class="tasklabel"><h2 class="doc-tairway">Before you begin</h2></div> <p class="p">You have created a CMK. For more information, see <a class="xref" href="" target="_blank">Create Keys</a>. Make sure the origin of the key material is <span class="ph uicontrol">External</span>. </p> <img class="image" id="getmaterial__image_rlh_sk5_jlb" src=""> </section> <section class="section context"><div class="tasklabel"><h2 class="doc-tairway">About this task</h2></div> <p class="p">Before importing key material for a CMK in the <span class="ph uicontrol">PENDING_IMPORT </span>status, you need to get the parameters for import. These parameters contain a public key for encrypting the key material before import and an import token for verification during import. </p> <ul class="ul" id="getmaterial__ul_usx_zk5_jlb"> <li class="li"><strong class="ph b">Public Key:</strong><p class="p">You cannot import the original, unencrypted key material directly. Before uploading the key material, you need to encrypt it with the public key downloaded by following this operation guide. When KMS receives the encrypted key material, it decrypts it with the corresponding private key. KMS currently supports only the public key type RSA2048. </p></li> <li class="li"><strong class="ph b">Import Token:</strong><p class="p">When you import key material, you need to upload the import token. The public key and the import token must be used together when importing key material. 
</p></li> </ul> </section> <section class="section attention" id="getmaterial__ohz_f5h_flb"><div class="tasklabel"><h2 class="doc-tairway">Attention</h2></div> <ul class="ul" id="getmaterial__ul_mhg_hl5_jlb"> <li class="li">If you delete the key material and want to reimport it, this step is also required. </li> <li class="li">The import token generated is valid for 24 hours. You need to re-generate and download the import token if you fail to download or use it within 24 hours upon its generation. </li> </ul> </section> <section id="getmaterial__steps_fht_kl5_jlb"><div class="tasklabel"><h2 class="doc-tairway">Procedure</h2></div><ol class="ol steps" id="getmaterial__steps_fht_kl5_jlb"><li class="li step stepexpand"> <span class="ph cmd">Log in to the <a class="xref" href="" target="_blank">Key Management Service Console </a>. </span> </li><li class="li step stepexpand"> <span class="ph cmd">In the left navigation pane, click <span class="ph menucascade"><span class="ph uicontrol">Keys </span><abbr title="and then"> > </abbr><span class="ph uicontrol">Customer managed keys</span></span>. </span> </li><li class="li step stepexpand" id="getmaterial__step_x5b_dr5_jlb"> <span class="ph cmd"> On the <span class="keyword wintitle">Customer management key </span>page, click the ID of the CMK that is PENDING_IMPORT. </span> <div class="itemgroup info"> <div class="note note note_note"><span class="note__title">Note:</span> You can only import key material into a CMK in the <span class="ph uicontrol">Status </span>of <span class="ph uicontrol">PENDING_IMPORT</span>. </div> </div> </li><li class="li step stepexpand"> <span class="ph cmd">On the <span class="keyword wintitle">Key Detail </span>page, click <span class="ph uicontrol">Get Import-key Data parameters </span>at the bottom of the page. 
</span> <div class="itemgroup info"> <img class="image" id="getmaterial__image_w5d_gm5_jlb" src="" width="750"> </div> </li><li class="li step stepexpand"> <span class="ph cmd">In the dialog box that opens, select an <span class="ph uicontrol">Encryption Method</span>. </span> <div class="itemgroup info"> <img class="image" id="getmaterial__image_ydk_jm5_jlb" src=""> <p class="p">Before generating the parameters for import, you need to select an encryption algorithm for the key material: </p> <ul class="ul" id="getmaterial__ul_pvv_lm5_jlb"> <li class="li"><span class="ph uicontrol">RSAES_OAEP_SHA_1</span>: RSA encryption algorithm with Optimal Asymmetric Encryption Padding (OAEP) with the SHA-1 hash function. </li> <li class="li"><span class="ph uicontrol">RSAES_OAEP_SHA_256</span>: RSA encryption algorithm with Optimal Asymmetric Encryption Padding (OAEP) with the SHA-256 hash function. </li> <li class="li"><span class="ph uicontrol">RSAES_PKCS1_V1_5</span>: PKCS#1 V1.5 RSA encryption algorithm. If the HSM you use does not support OAEP, you need to use this algorithm, which is less secure. Use it with caution. </li> </ul> </div> </li><li class="li step stepexpand"> <span class="ph cmd">Click <span class="ph uicontrol">Next</span>. </span> <div class="itemgroup info"> <p class="p">A public key is generated based on the encryption algorithm you select. Meanwhile, an import token is also generated. You need to download them in time on the page that opens. </p> <img class="image" id="getmaterial__image_y34_rm5_jlb" src=""> <div class="note important note_important"><span class="note__title">Important:</span> <p class="p">The import token is valid for 24 hours. You can reuse the import token before it expires. Once it expires, you need to get a new import token and public key. The expiration date and time of the import token is displayed in the dialog box. Make sure you use the import token before it expires. 
</p> </div> </div> </li><li class="li step stepexpand"> <span class="ph cmd">Click <span class="ph uicontrol">Download </span>right after <span class="ph uicontrol">Encryption Public Key </span>and <span class="ph uicontrol">Import Token </span>to download the <span class="ph uicontrol">Encryption Public Key </span>and the <span class="ph uicontrol">Import Token</span>. </span> <div class="itemgroup info"> <ul class="ul" id="getmaterial__ul_jbx_ym5_jlb"> <li class="li"><span class="ph uicontrol">Encryption Public Key</span>: The naming convention is publicKey + customer master key ID, for example, publicKey_ed523b58-6169-487a-a28f-b3886866ec4a. </li> <li class="li"><span class="ph uicontrol">Import Token</span>: The naming convention is importToken + customer master key ID, for example, importToken_ed523b58-6169-487a-a28f-b3886866ec4a. </li> </ul> </div> </li><li class="li step stepexpand"> <span class="ph cmd">Click <span class="ph uicontrol">Confirm</span>. </span> </li></ol></section>
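<p class="p">Added example, not part of the original page or of the KMS tooling: encrypting key material with <code>openssl</code> under each Encryption Method listed in the procedure. It assumes the downloaded public key is a PEM file; the locally generated RSA-2048 key pair and the 32 random bytes are constructed stand-ins so the round trip runs offline, and the function names are hypothetical. </p>

```shell
set -eu

# Map the console's Encryption Method names to openssl pkeyutl padding options.
padding_opts() {
  case "$1" in
    RSAES_OAEP_SHA_256) echo "-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256" ;;
    RSAES_OAEP_SHA_1)   echo "-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1" ;;
    RSAES_PKCS1_V1_5)   echo "-pkeyopt rsa_padding_mode:pkcs1" ;;
    *) echo "unknown encryption method: $1" >&2; return 1 ;;
  esac
}

# wrap_key_material METHOD PUBKEY_PEM PLAINTEXT_IN CIPHERTEXT_OUT
# Encrypts the key material with the downloaded public key (assumed PEM).
wrap_key_material() {
  opts=$(padding_opts "$1") || return 1
  # $opts is left unquoted on purpose so it splits into separate arguments
  openssl pkeyutl -encrypt -pubin -inkey "$2" -in "$3" -out "$4" $opts
}

# unwrap_key_material METHOD PRIVKEY_PEM CIPHERTEXT_IN PLAINTEXT_OUT
# Local stand-in for the decryption KMS performs with its private key.
unwrap_key_material() {
  opts=$(padding_opts "$1") || return 1
  openssl pkeyutl -decrypt -inkey "$2" -in "$3" -out "$4" $opts
}

# round_trip METHOD: prints "ok <ciphertext size in bytes>" when the
# decrypted output matches the original key material.
round_trip() {
  d=$(mktemp -d)
  # Constructed stand-in for the KMS key pair (the page states RSA2048).
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/priv.pem" 2>/dev/null
  openssl pkey -in "$d/priv.pem" -pubout -out "$d/pub.pem"
  # Constructed sample key material: 32 random bytes (length is an assumption).
  openssl rand -out "$d/km.bin" 32
  wrap_key_material "$1" "$d/pub.pem" "$d/km.bin" "$d/km.enc"
  unwrap_key_material "$1" "$d/priv.pem" "$d/km.enc" "$d/km.dec"
  cmp -s "$d/km.bin" "$d/km.dec" && echo "ok $(wc -c < "$d/km.enc" | tr -d ' ')"
  rm -rf "$d"   # remove the plaintext key material and the test private key
}

for m in RSAES_OAEP_SHA_256 RSAES_OAEP_SHA_1 RSAES_PKCS1_V1_5; do
  echo "$m: $(round_trip "$m")"
done
```

<p class="p">The method passed to <code>wrap_key_material</code> has to be the same Encryption Method selected in the dialog box, because KMS decrypts with the padding that was chosen when the public key was generated. </p>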