      Key Management Service overview

        Available in Classic and VPC

        Key Management Service is a NAVER Cloud Platform service that provides the encryption key management functions needed to implement and operate encryption. It exposes its key management features, including encryption and decryption, as RESTful APIs.

        Note

        On October 17, 2024, the Key Management Service API 2.0 was released. Key Management Service API 1.0 will continue to be provided.

        | Item | Key Management Service API 1.0 | Key Management Service API 2.0 |
        |---|---|---|
        | Base URL (domain) | https://kms.apigw.ntruss.com | https://ocapi.ncloud.com |
        | API type | Only 6 encryption and decryption APIs are provided: Encrypt, Decrypt, Create Custom Key, Re-encrypt, Sign, Verify | 6 encryption and decryption APIs are provided (Encrypt, Decrypt, Create Custom Key, Re-encrypt, Sign, Verify); all console-based key management features provided |
        | Authentication method | User authentication using NAVER Cloud Platform account information | Account authentication API: user authentication using NAVER Cloud Platform account information; Token authentication API: key authentication token |
        | Request handling performance | Based on Encrypt API (AES), up to 200 TPS; all keys share the 200 TPS processing performance | Based on Encrypt API (AES), up to 300 TPS per key; each key is individually guaranteed up to 300 TPS processing performance |
        | Availability guarantee | Region-specific high availability (HA); in the event of a failure in the NAVER Cloud Platform region, APIs such as Encrypt, Decrypt, Sign, and Verify are affected | Cross-Region high availability (HA); uninterrupted operation of APIs such as Encrypt, Decrypt, Sign, and Verify is guaranteed without being affected by a failure in the NAVER Cloud Platform Region |
        | Request access control | Use the IP ACL feature of the sub account unit provided by the Sub Account service | IP ACL feature of the sub account unit provided by the Sub Account service; IP ACL that can be set by token unit |

        Common Key Management Service API 1.0 settings

        The following describes commonly used request and response formats in Key Management Service API 1.0.

        Request

        The following describes the common request format.

        API URL

        The request API URL is as follows.

        API Gateway request signature v1: https://kms.apigw.ntruss.com/keys/v1
        API Gateway request signature v2: https://kms.apigw.ntruss.com/keys/v2

        Request headers

        The following describes the request headers.

        • API Gateway request signature v1 method request

          | Field | Required | Description |
          |---|---|---|
          | x-ncp-apigw-timestamp | Required | |
          | x-ncp-apigw-api-key | Required | |
          | x-ncp-iam-access-key | Required | |
          | x-ncp-apigw-signature-v1 | Required | |

        • API Gateway request signature v2 method request

          | Field | Required | Description |
          |---|---|---|
          | x-ncp-apigw-timestamp | Required | |
          | x-ncp-iam-access-key | Required | |
          | x-ncp-apigw-signature-v2 | Required | |

        Response

        The following describes the common response format.

        Response status codes

        The following describes the response status codes.

        | HTTP status code | Code | Message | Description |
        |---|---|---|---|
        | 200 | - | success | Succeeded |

        Note

        For response status codes common to NAVER Cloud Platform, see Ncloud API response status codes.

        Error syntax

        The following describes the error syntax that results from processing the request.

        | Field | Type | Required | Description |
        |---|---|---|---|
        | error | Object | - | Error information |
        | error.errorCode | String | - | Errors |
        | error.message | String | - | Error message |
        | error.details | String | - | Error details |

        {
            "error": {
                "errorCode": "300",
                "message": "Not Found Exception",
                "details": "URL not found."
            }
        }

        The following describes the error syntax returned when a request fails even though the HTTP status code is 200 OK.

        | Field | Type | Required | Description |
        |---|---|---|---|
        | code | String | - | Errors |
        | msg | String | - | Error message |
        | data | Object | - | Response result; displayed as a null value (e.g., invalid request data input) |

        {
            "code": "NOT_VALID_INPUT",
            "msg": "Fail: not valid input",
            "data": null
        }

        Common Key Management Service API 2.0 settings

        The following describes commonly used request and response formats in Key Management Service API 2.0.

        Request

        The following describes the common request format.

        API URL

        The request API URL is as follows.

        https://ocapi.ncloud.com/kms/v1

        Request headers

        The following describes the request headers.

        • Account authentication (Account Auth) method request

          | Field | Required | Description |
          |---|---|---|
          | x-ncp-apigw-timestamp | Required | |
          | x-ncp-iam-access-key | Required | |
          | x-ncp-apigw-signature-v2 | Required | |

        • Token authentication (Token Auth) method request

          | Field | Required | Description |
          |---|---|---|
          | x-ncp-ocapi-token | Required | |

        Response

        The following describes the common response format.

        Response status codes

        The following describes the response status codes.

        | HTTP status code | Code | Message | Description |
        |---|---|---|---|
        | 200 | - | - | Success |
        | 400 | 100 | Bad Request | Request error |
        | 401 | - | Authentication Failed | Authentication error |
        | 401 | - | Permission Denied | Permission error |
        | 403 | - | Forbidden | Key resource not accessible |
        | 404 | 300 | Not Found | Key resource not found |
        | 429 | - | Rate Limited | Quota, request volume exceeded |
        | 500 | - | Unexpected Error | FAIL_SERVER_INTERNAL: KMS system error; FAIL_IAM_REQUEST: Account or permission system error; FAIL_CLA_REQUEST: CLA system error; FAIL_BLOC_REQUEST: Member or contract inquiry system error |

        Error syntax

        The following describes the error syntax that results from processing the request.

        | Field | Type | Required | Description |
        |---|---|---|---|
        | error | Object | - | Error information |
        | error.errorCode | String | - | Errors |
        | error.message | String | - | Error message |
        | error.details | String | - | Error details |

        {
            "error": {
                "errorCode": "300",
                "message": "Not Found",
                "details": "null"
            }
        }
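
        A client that checks only the HTTP status would treat the 200 OK failure described for API 1.0 as a successful call and carry on without a usable result. The following is an added example (not NAVER's code) that classifies a response using both error syntaxes above and the API 2.0 status codes. The names KmsResult and classify_kms_response, the retry set, the rule that success requires a non-null data field (for calls that return a result, such as Encrypt), and the constructed sample bodies are assumptions of this example.

```python
import json
from dataclasses import dataclass
from typing import Any, Optional

# Assumption of this example: only these statuses are worth retrying with backoff.
RETRYABLE_STATUS = {429, 500}

@dataclass
class KmsResult:
    ok: bool
    retryable: bool
    code: Optional[str]
    message: Optional[str]
    data: Any = None

def classify_kms_response(status: int, body_text: str) -> KmsResult:
    """Fail closed: a response is a success only if it proves it is one."""
    retryable = status in RETRYABLE_STATUS
    try:
        body = json.loads(body_text)
    except (TypeError, ValueError):
        body = None
    if not isinstance(body, dict):
        return KmsResult(False, retryable, None, "unparseable response body")
    err = body.get("error")
    if isinstance(err, dict):
        # Documented error syntax: {"error": {"errorCode", "message", "details"}}
        return KmsResult(False, retryable, err.get("errorCode"), err.get("message"))
    if status != 200:
        return KmsResult(False, retryable, body.get("code"), body.get("msg"))
    if body.get("data") is None:
        # Documented 200 OK failure: {"code": ..., "msg": ..., "data": null}
        return KmsResult(False, False, body.get("code"), body.get("msg"))
    return KmsResult(True, False, body.get("code"), body.get("msg"), body["data"])

# The first two bodies are the page's own samples; the last two are constructed.
SAMPLES = [
    (404, '{"error": {"errorCode": "300", "message": "Not Found", "details": "null"}}'),
    (200, '{"code": "NOT_VALID_INPUT", "msg": "Fail: not valid input", "data": null}'),
    (429, ""),
    (200, '{"code": "SUCCESS", "msg": "", "data": {"ciphertext": "constructed-sample"}}'),
]

if __name__ == "__main__":
    for status, text in SAMPLES:
        print(status, classify_kms_response(status, text))
```
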

        Key Management Service API

        The following describes the APIs provided by Key Management Service.

        Key Management Service API 1.0

        The following describes the APIs related to Key Management Service API 1.0.

        | API | Description |
        |---|---|
        | Encrypt | Encrypt data with the current version of the key |
        | Decrypt | Decrypt ciphertext with a key |
        | Create Custom Key | Create a random raw key to be used as an encryption key |
        | Re-encrypt | Re-encrypt the ciphertext with the most recent version of the specified master key |
        | Sign | Create signature value of data |
        | Verify | Compare data and signature value and return verification result |

        Key Management Service API 2.0

        The following describes the APIs related to Key Management Service API 2.0.

        Account Auth API

        The following describes the APIs related to the Account Auth API.

        | API | Description |
        |---|---|
        | Create Key | Create key |
        | Get Key Info | Get key details |
        | Get Key List | Get key list |
        | Get Public Key | Get public key |
        | Delete Key | Delete key |
        | Enable Key | Activate key |
        | Disable Key | Deactivate key |
        | Enable Key Version | Enable key version |
        | Disable Key Version | Disable key version |
        | Rotate Key | Rotate a key to create a new version |
        | Request Key Deletion | Request key deletion |
        | Cancel Key Deletion | Cancel key deletion request |
        | Enable IP ACL | Enable the IP ACL feature that controls which IP addresses are allowed to request tokens |
        | Disable IP ACL | Disable the IP ACL feature that controls which IP addresses are allowed to request tokens |
        | Get ACL Rule List | Get IP ACL configuration information for a key |
        | Add ACL Rule | Add an IP address to the ACL to allow token requests |
        | Delete ACL Rule | Delete an IP address allowed to request tokens from the ACL |
        | Create Token Generator | Activate token generator |
        | Get Token Generator | Get token generator |
        | Update Token Generator | Replace token generator |
        | Delete Token Generator | Delete token generator (disable) |
        | Create Token Set | Create a token set (refresh token and access token) |
        | Get Key Activity Logs | Get key usage history list |
        | Get Latest Use Info | Get the latest key usage history |
        | Get Key Version List | Get key version list |
        | Update Memo | Edit notes for a key |
        | Update Rotation Period | Edit the automatic rotation cycle of a key |
        | Enable Auto Rotation | Enable automatic rotation of a key |
        | Disable Auto Rotation | Disable automatic rotation of a key |
        | Encrypt | Encrypt data with the current version of the key |
        | Decrypt | Decrypt ciphertext with a key |
        | Create Custom Key | Create a random raw key to be used as an encryption key |
        | Re-encrypt | Re-encrypt the ciphertext with the most recent version of the specified master key |
        | Sign | Create signature value of data |
        | Verify | Compare data and signature value and return verification result |

        Token Auth API

        The following describes the APIs related to the Token Auth API.

        | API | Description |
        |---|---|
        | Encrypt | Encrypt data with the current version of the key |
        | Decrypt | Decrypt ciphertext with a key |
        | Create Custom Key | Create a random raw key to be used as an encryption key |
        | Re-encrypt | Re-encrypt the ciphertext with the most recent version of the specified master key |
        | Sign | Create signature value of data |
        | Verify | Compare data and signature value and return verification result |
        | Get Public Key | Get public key |
        | Create Access Token | Create access token |
        | Renew Token Set | Recreate the token set (access token and refresh token) |

        NAVER Cloud Platform provides a variety of related resources to help users better understand Key Management Service APIs.

