Create Key


Available in Classic and VPC

Create a new key.

Request

This section describes the request format. The method and URI are as follows:

Method URI
POST /keys

Request headers

For information about the headers common to all Key Management Service APIs, see the account authentication method in Key Management Service request headers.

Request body

You can include the following data in the body of your request:

Field Type Required Description
keyName String Required Key name
  • 3 to 15 characters, including English letters, numbers, and special characters "-" and "_"
  • The first character must be an English letter, and the name must not duplicate any other key name in the user's keystore
keyType String Required Key type
  • AES256 | RSA2048 | ECDSA
    • AES256: 256-bit key with symmetric-key AES cipher (AES 256-GCM96)
      • Up to 32 KB of data can be encrypted
    • RSA2048: 2048-bit key using asymmetric-key RSA cipher (RSA 2048)
      • Able to encrypt/decrypt and sign/verify, but slowest to process
      • Can encrypt up to 190 bytes of data or sign up to 8 KB of data
    • ECDSA: 256-bit key for the asymmetric ECDSA signature algorithm (ECDSA-P256)
      • Up to 8 KB of data can be signed
memo String Optional Key notes
  • Additional information and descriptions of the key
  • 0-100 characters
isConvergent Boolean Optional Whether to set convergent encryption
  • true | false (default)
    • true: set
    • false: not set
  • Can be set only if keyType is AES256
isAutoRotation Boolean Required Whether to enable key auto-rotation
  • true | false (default)
    • true: enable
    • false: disable
rotationPeriod Integer Optional Automatic key rotation cycle (days)
  • 1-730 (default: 90)
  • Can be entered if isAutoRotation is true
protectionType String Required Key storage method
  • BASIC | COMMON_HSM
    • BASIC: Store encrypted on internal storage
    • COMMON_HSM: Store on HSM (Hardware Security Module)

Request example

The request example is as follows:

curl --location --request POST 'https://ocapi.ncloud.com/kms/v1/keys' \
--header 'x-ncp-apigw-timestamp: {Timestamp}' \
--header 'x-ncp-iam-access-key: {Access Key}' \
--header 'x-ncp-apigw-signature-v2: {API Gateway Signature}' \
--data '{
  "keyName": "{KEY_NAME}",
  "keyType": "AES256",
  "memo": "{KEY_DESCRIPTION}",
  "isConvergent": true,
  "isAutoRotation": true,
  "rotationPeriod": 90,
  "protectionType": "BASIC"
}'
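
The request-body constraints from the table above, written as a pre-flight check to run before sending the POST. This is an added example, not part of the Key Management Service documentation or any SDK; the function name validate_create_key and the sample body are hypothetical, and "can be entered if isAutoRotation is true" is read here as "only if".

```python
import re

# Constraints transcribed from the request-body table on this page.
KEY_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{2,14}")  # 3-15 chars, letter first
KEY_TYPES = {"AES256", "RSA2048", "ECDSA"}
PROTECTION_TYPES = {"BASIC", "COMMON_HSM"}
REQUIRED = ("keyName", "keyType", "isAutoRotation", "protectionType")


def validate_create_key(body):
    """Return a list of constraint violations (empty list = body looks valid).

    Hypothetical helper: checks only what the table states. Uniqueness of
    keyName within the keystore can only be decided by the service.
    """
    errors = [f"{f}: required field missing" for f in REQUIRED if f not in body]

    name = body.get("keyName")
    if name is not None and not (isinstance(name, str) and KEY_NAME_RE.fullmatch(name)):
        errors.append("keyName: 3-15 letters, digits, '-', '_', starting with a letter")
    if "keyType" in body and body["keyType"] not in KEY_TYPES:
        errors.append("keyType: must be AES256, RSA2048 or ECDSA")
    if "protectionType" in body and body["protectionType"] not in PROTECTION_TYPES:
        errors.append("protectionType: must be BASIC or COMMON_HSM")

    memo = body.get("memo", "")
    if not isinstance(memo, str) or len(memo) > 100:
        errors.append("memo: 0-100 characters")

    for flag in ("isConvergent", "isAutoRotation"):
        if flag in body and not isinstance(body[flag], bool):
            errors.append(f"{flag}: must be true or false")
    # Convergent encryption is offered for AES256 keys only.
    if body.get("isConvergent") is True and body.get("keyType") != "AES256":
        errors.append("isConvergent: can be set only if keyType is AES256")

    if "rotationPeriod" in body:
        period = body["rotationPeriod"]
        # Assumption: a period is only accepted together with auto-rotation.
        if body.get("isAutoRotation") is not True:
            errors.append("rotationPeriod: can be entered only if isAutoRotation is true")
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(period, bool) or not isinstance(period, int) or not 1 <= period <= 730:
            errors.append("rotationPeriod: integer from 1 to 730 days")
    return errors


# Constructed sample body (the key name is made up for this example).
SAMPLE_BODY = {"keyName": "app-data-key", "keyType": "AES256", "isConvergent": True,
               "isAutoRotation": True, "rotationPeriod": 90, "protectionType": "BASIC"}
```
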

Response

This section describes the response format.

Response body

The response body includes the following data:

Field Type Required Description
code String - Success or Failure
data Object - Response result
data.keyId Integer - Key identifier
data.keyTag String - Key tag
  • Unique identifier for the key derived from the key name
  • Use to request encryption or decryption with REST APIs
  • Key tags are not treated as confidential information
data.keyName String - Key name
  • Key names are not treated as confidential information
data.keyType String - Key type
data.status String - Key status
  • ENABLE | DISABLE | REVOKE
    • ENABLE: available
    • DISABLE: disabled
    • REVOKE: pending deletion
    • See Manage key status for more information on the key status
data.keystoreId Integer - Logical keystore identifier assigned to the user
data.protectionType String - Key storage method
  • BASIC | COMMON_HSM
    • BASIC: Store encrypted on internal storage
    • COMMON_HSM: Store on HSM (Hardware Security Module)
data.memo String - Key notes
  • Additional information and descriptions of the key entered upon creation
data.isConvergent Boolean - Whether to set convergent encryption
  • true | false
    • true: set
    • false: not set
data.isAutoRotation Boolean - Whether to enable key auto-rotation
  • true | false
    • true: enable
    • false: disable
data.rotationPeriod Integer - Automatic key rotation cycle (days)
data.nextRotationDate Long - Next scheduled rotation date and time (milliseconds)
  • Unix timestamp format
data.registerDate Long - Key creation date and time (milliseconds)
  • Unix timestamp format

Response status codes

For response status codes common to all Key Management Service APIs, see Key Management Service response status codes.

Response example

The response example is as follows:

{
    "code": "SUCCESS",
    "data": {
        "keyId": 12345,
        "keyTag": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6",
        "keyName": "{KEY_NAME}",
        "keyType": "AES256",
        "status": "ENABLE",
        "keystoreId": 1234,
        "protectionType": "BASIC",
        "memo": "{KEY_DESCRIPTION}",
        "isConvergent": true,
        "isAutoRotation": true,
        "rotationPeriod": 90,
        "nextRotationDate": 1741156631314,
        "registerDate": 1733380631000
    }
}