Figure 7: Entering the key ID. Use the key to encrypt a piece of plaintext, for example, "hello world!". For details, see Encrypting and Decrypting Small-size Data Online Using a Custom Key.
If the image you selected is not encrypted, you can select Encryption to encrypt the system disk. Disk encryption provides strong security protection for your data.
Defense against local physical attacks: Based on data encryption, block storage encryption and Virtual Private Cloud (VPC) traffic encryption are supported to encrypt the I/O data related to tenant VMs after the data leaves QingTian compute nodes.
Preparations: Prepare the username and password and encrypt the password.
DEW uses a data encryption key (DEK) to encrypt data and uses a customer master key (CMK) to encrypt the DEK. Figure 1: Data encryption process. Table 1 describes the keys involved in the data encryption process.
Default Keys: The default encryption key kps/default provided by KMS is used to encrypt private keys. Custom Keys: Select a custom key created on KMS to encrypt the private key. For details, see Creating a Custom Key.
Working Rules. Encryption and decryption: When you use a public key to encrypt data, only the corresponding private key can be used to decrypt the data.
(Optional) Select the Encrypted option to encrypt the system disk during OS reinstallation. To enable encryption, click Create Xrole to grant KMS access permissions to EVS. If you have the granting permission, grant KMS access permissions to EVS.
VPC encryption module: To encrypt VPC traffic, QingTian hardware finds the encryption key dedicated to the VPC based on the packets' VPC attributes, and adds an encrypted packet header to the VXLAN tunnel to encrypt all packets, including the MAC address, IP address, and other forwarding
For specific ECSs, dedicated offloading cards for VPC can be used to encrypt in-transit traffic between instances. By default, the CAE protocol uses the AES-256-GCM algorithm to automatically and transparently encrypt the in-transit traffic between instances.
Server-side encryption: Encrypt data during storage and processing to ensure data security. Customers are responsible for the security (confidentiality, integrity, and availability) of encryption keys.
data keys. kms:cmk:encryptData: Encrypt data. kms:RecipientAttestation/PCR0 and kms:RecipientAttestation/PCR8 are condition keys determined during QingTian Enclave image creation.