The ciphertext DEK was generated by using a custom key to encrypt the plaintext DEK. Use the plaintext DEK to encrypt the file. A ciphertext file is generated. Save the ciphertext DEK and the ciphertext file together in a persistent storage device or a storage service.
The key is used to encrypt and protect DEKs. A custom key can be used to encrypt multiple DEKs. It can be disabled and scheduled for deletion. It is billed per use after being created or imported.
Scenarios Encrypt data in OBS Encrypt data in EVS Encrypt data in IMS Encrypt an RDS DB instance Use custom keys to directly encrypt and decrypt small volumes of data.
You need to call APIs to encrypt and decrypt a large amount of data.
Image Management Service (IMS) When creating a private image using an external image file, you can enable the private image encryption function and select a CMK provided by KMS to encrypt the image.
After being disabled, a custom key cannot be used to encrypt or decrypt any data. Before using a disabled CMK to encrypt or decrypt data, you must enable it by following instructions in Enabling One or More CMKs.
Prerequisites: The CMK you want to disable is in Enabled status.
How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data? Can I Update CMKs Created by KMS-Generated Key Materials? When Should I Use a CMK Created with Imported Key Materials? What Should I Do When I Accidentally Delete Key Materials?
Use the online tool to encrypt and decrypt small-size data. Add, search for, edit, and delete tags. Create, cancel, and query grants. You can use the APIs to: Create, encrypt, or decrypt DEKs. Retire grants. Sign or verify the signature of messages or message digests.
Small-Size Data Encryption and Decryption Encrypt data Decrypt data Parent Topic: Key Management APIs
DEK Management Generate a random number Create a DEK Create a plaintext-free DEK Encrypt a DEK Decrypt a DEK Parent Topic: Key Management APIs
KMS Application Scenarios KPS Application Scenarios Dedicated HSM Application Scenarios 03 Start Learn how to use a key to encrypt your data on HUAWEI CLOUD and use a key pair to log in to your Linux ECS.
Key Management Service Key Types Creating a Key Creating CMKs Using Imported Key Materials Managing CMKs Searching for a Key Using the Online Tool to Encrypt and Decrypt Small-Size Data Managing Tags Rotating CMKs Managing a Grant
You can use Dedicated HSM to encrypt your service systems (including encryption of sensitive data, payment, and electronic tickets).
Use the wrapping key to encrypt the key material.
KMS uses the latest version of the custom key to encrypt data. When decrypting data, KMS uses the custom key version that was used to encrypt the data.
Rotation Modes
Table 1 Key rotation modes
Key Type | Rotation Mode
Default key | Cannot be rotated.
Encrypt the AK/SK in the configuration file or environment variables for storage. In this example, the AK/SK stored in the environment variables are used for identity authentication.
Table 1 KMS operations recorded by CTS
Operation | Resource Type | Trace Name
Create a key | cmk | createKey
Create a DEK | cmk | createDataKey
Create a plaintext-free DEK | cmk | createDataKeyWithoutPlaintext
Enable a key | cmk | enableKey
Disable a key | cmk | disableKey
Encrypt a DEK | cmk | encryptDatakey
Uniqueness If you use the custom key created using the imported key material to encrypt data, the encrypted data can be decrypted only by the custom key that has been used to encrypt the data, because the metadata and key material of the custom key must be consistent.
Encrypt a DEK: Use a specified CMK to encrypt a DEK.
Decrypt a DEK: Use a specified CMK to decrypt a DEK.
Constraints You can specify a symmetric CMK to encrypt secrets. If the kms_key_id parameter is not specified, the default master key csms/default will be used to encrypt the secrets created under your account in a project.