The ciphertext DEK was generated by using a CMK to encrypt the plaintext DEK. Use the plaintext DEK to encrypt a plaintext file, generating a ciphertext file. Store the ciphertext DEK and the ciphertext file together in a permanent storage device or a storage service.
You can only use KMS to create new CMKs to encrypt and decrypt data.
Creates a new secret version in the specified secret to encrypt and store secret values randomly generated in the background. At the same time, the newly created secret version is marked as SYSCURRENT. Constraints The RotateSecret API does not support rotation of common secrets.
Encrypting Data in DDS When a user purchases a database instance from DDS, the user can select Disk encryption and use the key provided by KMS to encrypt the disk of the database instance. For more information, see the Document Database Service User Guide.
This section describes how to call a KMS API and use a CMK to encrypt or decrypt data. Process: Create a CMK in KMS. Call the encrypt-data API of KMS to encrypt plaintext data by using a CMK. Deploy ciphertext certificates on your servers.
You can create a new version of a secret to encrypt and keep a new secret value. By default, the latest secret version is in the SYSCURRENT state. The previous version is in the SYSPREVIOUS state. Constraints A secret can have up to 20 versions.
Creating a Secret Version Function Creates a new secret version in the specified secret to encrypt and keep the new secret value. By default, the latest secret version is in the SYSCURRENT state. The previous version is in the SYSPREVIOUS state.
It can be used to encrypt a small amount of data or DEKs. An asymmetric key is an RSA key or an ECC key pair (including SM2 key pair). It can be used for data encryption and decryption, digital signature, and signature verification.
Only enabled custom keys can be used to encrypt or decrypt data. A new custom key is in the Enabled state by default. Prerequisites The custom key you want to enable is in Disabled status. Procedure Log in to the management console.
Encrypting Data in RDS When a user purchases a database instance from Relational Database Service (RDS), the user can select Disk encryption and use the key provided by KMS to encrypt the disk of the database instance.
Advantages Extensive Service Integration By integrating with OBS, EVS, and IMS, you can use KMS to manage the keys of the services or use KMS APIs to encrypt and decrypt local data.
Encrypting Data in OBS When using Object Storage Service (OBS) to upload data with server-side encryption, you can select SEE-KMS encryption and use the key provided by KMS to encrypt the files to be uploaded. For details, see Figure 1.
Encrypting Data in EVS When purchasing a disk, you can choose Advanced Settings > Encryption to encrypt the disk using the key provided by KMS. For details, see Figure 1. For more information about EVS, see the Elastic Volume Service User Guide.
Encrypting Data in SFS When creating a file system using the Scalable File Service (SFS), you can select KMS encryption and use the key provided by the KMS to encrypt the file system. For details, see Figure 1. For more information, see the Scalable File Service User Guide.
Encrypting Data in IMS When uploading an image file to Image Management Service (IMS), you can choose to encrypt the image file using a key provided by KMS to protect the file. Figure 1 describes details. For details, see the Image Management Service User Guide.
Billing Examples Billing Scenario A user created a symmetric key at 14:25:00 on May 18, 2023 and used the key to encrypt OBS. During the use of the key, 164,573 API requests were generated. The user stopped using the key and deleted it at 16:14:00 on June 29, 2023.
Key Management Service: Using KMS to Encrypt Offline Data; Using KMS to Encrypt and Decrypt Data for Cloud Services; Using the Encryption SDK to Encrypt and Decrypt Local Files; Encrypting and Decrypting Data Through Cross-region DR; Using KMS to Protect File Integrity
Ciphertext DEKs are generated when you use a CMK to encrypt the plaintext DEKs. Huawei Cloud services use the plaintext DEK to encrypt a plaintext file, generating a ciphertext file.
Using the Encryption SDK to Encrypt and Decrypt Local Files Encryption Software Development Kit (SDK) can encrypt and decrypt data and file streams. You can easily encrypt and decrypt massive amounts of data simply by calling APIs.
Benefits: Advantages over CMK encryption in KMS Users can use CMKs to encrypt and decrypt data on the KMS console or by calling KMS APIs. A CMK can encrypt and decrypt no more than 4 KB of data. An envelope can encrypt and decrypt larger volumes of data.