The Key Management System (KMS) service centrally manages cryptographic keys
and runs in the Management API server. The Application Operator (AO) creates, uses,
and destroys the keys in the KMS.
Supported keys
KMS supports the following keys:
| Key primitive | Key primitive (API) | Description | Default algorithm |
|---|---|---|---|
| AEAD | aeadkey | The authenticated encryption with associated data (AEAD) key that performs authenticated encryption using AES-256. The key's components represent the following: AES-256: the 256-bit Advanced Encryption Standard (AES) symmetric key algorithm. This algorithm is the default algorithm. | AES_256_GCM |
| Signing | signingkey | The signing key that provides asymmetric signing using elliptic curve support. The key's components represent the following: EC: the elliptic curve key. P384: the size of the EC curve. SHA384: the digest algorithm used in signing. This algorithm is the default algorithm. | EC_SIGN_P384_SHA384 |
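To show what the aeadkey default algorithm AES_256_GCM guarantees, the following added example (not from the KMS documentation and not the KMS API) runs the same primitive locally with Go's standard library: decryption succeeds only when the key, the ciphertext and the associated data all match. The names `newGCM`, `Seal` and `Open`, the nonce-prefix layout and the sample values are assumptions made for illustration.

```go
package main // added example: local Go stdlib illustration, not the KMS API

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM builds AES-256-GCM; the length check rejects AES-128/192 keys.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and binds the result to aad; the random nonce is prepended.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open fails unless key, ciphertext and aad all match what Seal was given.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or truncated ciphertext")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key, not a real key
	ct, _ := Seal(key, []byte("payroll"), []byte("tenant-a"))
	_, err := Open(key, ct, []byte("tenant-b")) // associated data differs
	fmt.Println("open with different associated data:", err)
}
```

The associated data is authenticated but not encrypted, so it suits context such as a tenant or record identifier that the caller must supply again at decryption time.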
Key features
The AO centrally manages symmetric and asymmetric cryptographic keys with the
AEAD and Signing keys. Through the KMS Creator role, the AO has the
ability to create keys.
Through the KMS Admin role, the AO
can use, destroy, import, and export aeadkey and signingkey cryptographic keys.
Last updated 2025-09-04 UTC.