Key management system
The Key Management System (KMS) service centrally manages cryptographic keys
and runs in the Management API server.
Supported keys
KMS supports the following keys for its data-plane operations:

AEAD (key primitive in the API: aeadkey)
Description: The authenticated encryption with associated data (AEAD) key that performs authenticated encryption using AES-256. The key's components represent the following:
- AES-256: the 256-bit Advanced Encryption Standard (AES) symmetric key algorithm. This algorithm is the default algorithm.
Default algorithm: AES_256_GCM

Signing (key primitive in the API: signingkey)
Description: The signing key that provides asymmetric signing using elliptic curve support. The key's components represent the following:
- EC: the elliptic curve key.
- P384: the size of the EC curve.
- SHA384: the digest algorithm used in signing. This algorithm is the default algorithm.
Default algorithm: EC_SIGN_P384_SHA384
Root key types
The KMS uses root keys internally to encrypt key material before writing the material to disk, and to decrypt the material when reading it from disk. The KMS retrieves the root key for each operation.
The KMS supports a single root key per organization. The root key wraps all non-root keys. Use the RootKeyID field on each key to identify the root key.
The default root key type is Local Root, which stores the root key material as a Kubernetes Secret in the Management API server.
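The wrap-on-write and unwrap-on-read flow described above, as an added Go example that is not part of the GDCH documentation or code: it assumes the root key is an AES_256_GCM key (the AEAD default) and binds the RootKeyID into the associated data, so a record can only be opened by the root key it names. The WrappedKey record and the Wrap and Unwrap functions are illustrative names, not the KMS API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// WrappedKey is a hypothetical on-disk record for a non-root key: its material is
// encrypted under the organization's root key with the AEAD default algorithm
// (AES_256_GCM), and RootKeyID is bound as associated data.
type WrappedKey struct {
	RootKeyID  string
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(rootKey []byte) (cipher.AEAD, error) {
	if len(rootKey) != 32 { // AES-256 needs a 32-byte key; reject AES-128/192 sizes
		return nil, errors.New("root key must be 32 bytes")
	}
	block, _ := aes.NewCipher(rootKey) // cannot fail once the length is 32
	return cipher.NewGCM(block)
}

// Wrap encrypts key material before it is written to disk.
func Wrap(rootKeyID string, rootKey, material []byte) (*WrappedKey, error) {
	g, err := newGCM(rootKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize()) // fresh random 96-bit nonce per wrap
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := g.Seal(nil, nonce, material, []byte(rootKeyID))
	return &WrappedKey{RootKeyID: rootKeyID, Nonce: nonce, Ciphertext: ct}, nil
}

// Unwrap decrypts on read; a different root key or a mismatched RootKeyID fails the tag check.
func Unwrap(w *WrappedKey, rootKeyID string, rootKey []byte) ([]byte, error) {
	g, err := newGCM(rootKey)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, w.Nonce, w.Ciphertext, []byte(rootKeyID))
}
```

Because the RootKeyID is authenticated rather than merely stored, a record cannot be re-labelled to a different root key without invalidating its GCM tag.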
See rotate a root key (/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/kms/rotate-root-key) for more information about rotating root keys.

Last updated 2025-09-04 UTC.