Key Management Service (KMS) lets you create asymmetric keys that use a public and private key pair. The example below focuses on digital signatures and shows how to create your first asymmetric key, get its public key, sign a hash of a test file and verify the resulting signature.

Prerequisites

You can create asymmetric keys in any Nebius AI Cloud interface. To sign hashes, use the Nebius AI Cloud CLI. To verify signatures, use a local cryptographic tool such as OpenSSL.
  1. Make sure that OpenSSL is installed on your local machine. In this guide, you use it to generate a local hash of a file and verify a returned signature with a public key locally.
  2. Install and configure the Nebius AI Cloud CLI.
  3. Make sure you are in a group that has at least the editor role within your tenant or project; for example, the default editors group. You can check this in the Administration → IAM section of the web console.

Steps

Create an asymmetric key

  1. In the web console, go to Cryptography → KMS.
  2. Click Create key.
  3. On the key creation page:
    • In the Name field, enter my-asymmetric-key.
    • In the Type field, select Asymmetric key.
    • In the Algorithm field, select ECC (P-256) to create a key that you can use for digital signature workflows.
  4. Click Create key.
You need the key ID to get the public key and sign a hash. In the list of asymmetric keys, click the copy icon next to the key ID of the key you created, then save the copied value to the KEY_ID environment variable:
export KEY_ID=<key_ID>

Get the public key

  1. In the web console, go to Cryptography → KMS.
  2. Select Asymmetric keys and click the key you created.
  3. On the Key’s overview tab, next to Public key, click the copy icon.
  4. Create the public_key.pem file with the copied contents.

Sign a hash

  1. Create the hello.txt file:
    echo 'Hello world' > hello.txt
    
  2. Generate a SHA-256 hash of the file and encode it in Base64:
    HASH_B64="$(openssl dgst -sha256 -binary hello.txt | openssl base64 -A)"
    printf '%s\n' "$HASH_B64"
    
    The first command computes the Base64-encoded hash value and saves it to the HASH_B64 shell variable; the second prints it. You provide this value for signing in the next step.
  3. Send the hash value to KMS to sign it with your asymmetric key:
    nebius kms asymmetric-crypto sign-hash \
      --key-id "$KEY_ID" \
      --hash "$HASH_B64" \
      --format jsonpath='{.signature}' > signature.b64
    
    This command includes the following parameters:
    • --key-id: ID of the asymmetric key that you created.
    • --hash: Base64-encoded hash value generated in the previous step.
    • --format jsonpath='{.signature}': Returns only the signature value.
    This command returns the signature as a Base64-encoded string and writes it to the signature.b64 file.

Verify the signature

Verify the signature to confirm that it was created with the matching private key and that the file was not changed after it was signed.
  1. Decode the saved signature in the signature.b64 file, convert it to binary form and save it to the signature.bin file:
    openssl base64 -d -A -in signature.b64 -out signature.bin
    
    OpenSSL uses the binary form of the signature for verification. Therefore, you need the signature.bin file in the next step.
  2. Verify the signature with the public key:
    openssl dgst \
      -sha256 \
      -verify public_key.pem \
      -signature signature.bin \
      hello.txt
    
    This command includes the following parameters:
    • -sha256: Hash function that matches ecdsa_nist_p256_sha_256.
    • -verify: Uses the public key file to check whether the signature was created with the matching private key.
    • -signature: Specifies the signature file to use for verifying the signature.
    • hello.txt: File that OpenSSL checks against the signature.
    If the signature is valid, OpenSSL returns:
    Verified OK
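
The following added example (not part of the Nebius documentation) runs the same sign-a-hash and verify flow offline, with a locally generated P-256 key standing in for the KMS key, and shows that verification fails once the file changes after signing. The function names verify_sig and demo and the local_key.pem file are assumptions for illustration; the example also assumes the signature is DER-encoded, which is the form openssl dgst -verify accepts.

```bash
#!/usr/bin/env bash
# Added example. A locally generated P-256 key stands in for the KMS key so the
# flow runs offline; with KMS, signature.b64 comes from `sign-hash` instead.

# verify_sig FILE PUBKEY_PEM SIG_B64_FILE
# Returns 0 if valid, 1 if verification fails, 2 if the signature is unusable.
verify_sig() {
  local file="$1" pub="$2" sig_b64="$3" sig_bin rc
  sig_bin="$(mktemp)" || return 2
  # Undecodable or empty Base64 must never count as "verified".
  if ! openssl base64 -d -A -in "$sig_b64" -out "$sig_bin" 2>/dev/null ||
     [ ! -s "$sig_bin" ]; then
    rm -f "$sig_bin"
    return 2
  fi
  # Branch on the exit status instead of parsing the "Verified OK" text.
  if openssl dgst -sha256 -verify "$pub" -signature "$sig_bin" "$file" \
       >/dev/null 2>&1; then rc=0; else rc=1; fi
  rm -f "$sig_bin"
  return "$rc"
}

# demo: sign the SHA-256 digest of hello.txt, verify, then tamper and re-verify.
demo() {
  local dir
  dir="$(mktemp -d)" || return 2
  (
    cd "$dir" || exit 2
    # Hypothetical local stand-in for the KMS key pair.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
      -out local_key.pem 2>/dev/null
    openssl pkey -in local_key.pem -pubout -out public_key.pem
    echo 'Hello world' > hello.txt
    # Sign the raw 32-byte digest: the local counterpart of sending the hash to KMS.
    openssl dgst -sha256 -binary hello.txt > hash.bin
    openssl pkeyutl -sign -inkey local_key.pem -in hash.bin |
      openssl base64 -A > signature.b64
    if verify_sig hello.txt public_key.pem signature.b64
    then echo "original=valid"; else echo "original=rejected"; fi
    echo 'Hello w0rld' > hello.txt   # one changed byte after signing
    if verify_sig hello.txt public_key.pem signature.b64
    then echo "tampered=valid"; else echo "tampered=rejected"; fi
  )
  rm -rf "$dir"
}

demo
```

To check a real KMS signature in a script, call verify_sig hello.txt public_key.pem signature.b64 with the files produced in the steps above and act on its exit status.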
    
