Exporting DSM keys to Cloud Providers for BYOK - Alibaba


There are several ways to export DSM keys to major cloud providers that support BYOK for server-side encryption. 


Download DSM CLI from here.


  1. Create an external key in Alibaba.
    1. Create a new key, selecting “External” as the key material source.
    2. The newly created key should show up with a status of “Pending Import” and a key material source of "External".
  2. Download key encryption material.
    Download the key encryption material; you will need it for key wrapping in DSM and for importing the key into Alibaba.
    • Public key
    • Import Token
  3. Import Alibaba public key into DSM.
    Import the public key from the previous step into DSM as an RSA key.
  4. Create a Customer Master Key in DSM.
    Create a new AES key and make sure to select the “exportable” option.
  5. Wrap customer master key with Alibaba public key.
    1. Use the DSM CLI to wrap the newly created AES key (customer master key) with the imported Alibaba public key.
      $ sdkms-cli wrap-key --kid <customer master key> --alg RSA --mode OAEP_MGF1_SHA1 --wrapping-kid <Alibaba public key> --out alibabawrap.key 
    2. Apply base64 encoding to the wrapped key.
      $ openssl enc -e -base64 -A -in alibabawrap.key -out alibabawrapbase64.key
  6. Upload key into Alibaba KMS.
    Import the encoded wrapped key into Alibaba. You will also need the import token downloaded from Alibaba in Step 2.
  7. Alibaba KMS should have the external key enabled now.
    After a successful import, your external key should be "Enabled".
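
A check worth running between steps 5 and 6, as an added example that is not part of the original article: it confirms that the base64 file is a single line and decodes to a ciphertext exactly as long as the RSA modulus. The function name and the 256-byte default (a 2048-bit wrapping key) are assumptions; decoding relies on the `base64` utility.

```shell
# Added example: pre-upload check for alibabawrapbase64.key from step 5.
# Usage: check_wrapped_key <file> [expected ciphertext bytes]
# Assumption: the default of 256 bytes corresponds to a 2048-bit RSA
# wrapping key; pass the modulus size in bytes of the key you downloaded.
check_wrapped_key() (
    file=$1
    expected=${2:-256}

    [ -r "$file" ] || { echo "cannot read: $file" >&2; exit 2; }

    # "openssl enc -base64 -A" writes one line. More than one newline
    # means -A was omitted or the file was re-wrapped in transit.
    if [ "$(wc -l < "$file")" -gt 1 ]; then
        echo "base64 is split across lines; re-encode with -A" >&2
        exit 1
    fi

    # Reject anything outside the base64 alphabet (for example the raw
    # binary alibabawrap.key picked up by mistake).
    if LC_ALL=C grep -q '[^A-Za-z0-9+/=]' "$file"; then
        echo "file contains non-base64 bytes" >&2
        exit 1
    fi

    if ! base64 -d < "$file" > /dev/null 2>&1; then
        echo "base64 decoding failed" >&2
        exit 1
    fi

    # RSA-OAEP ciphertext is always exactly as long as the RSA modulus.
    decoded=$(base64 -d < "$file" | wc -c | tr -d ' ')
    if [ "$decoded" -ne "$expected" ]; then
        echo "decoded length is $decoded bytes, expected $expected" >&2
        exit 1
    fi

    echo "OK: single-line base64, $decoded-byte RSA-OAEP ciphertext"
)
```

Run it as `check_wrapped_key alibabawrapbase64.key` before the upload; a non-zero exit status means the file should be regenerated rather than imported.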

