Help Center> Data Encryption Workshop> API Reference> Application Examples> Example 2: Encrypting or Decrypting a DEK

View PDF

Example 2: Encrypting or Decrypting a DEK

Scenario

Encrypt or decrypt a large amount of data.

Encryption process:
1. Create a CMK in KMS.
2. Call the create-datakey API of the KMS to create a DEK. A plaintext DEK and a ciphertext DEK will be generated. The ciphertext DEK was generated by using a CMK to encrypt the plaintext DEK.
3. Use the plaintext DEK to encrypt a plaintext file, generating a ciphertext file.
4. Store the ciphertext DEK and the ciphertext file together in a permanent storage device or a storage service.
Decryption process:
1. Read the ciphertext DEK and the ciphertext file from the permanent storage device or storage service.
2. Call the decrypt-datakey API and use the encryption CMK to decrypt the ciphertext DEK. The plaintext DEK will be generated.
  If the CMK is deleted, the decryption will fail. Properly keep your CMKs.
3. Use the plaintext DEK to decrypt the ciphertext file.

Involved APIs

APIs used for the following operations are involved:

Create a CMK
Create a DEK
Encrypt a DEK
Decrypt a DEK

Procedure

Create a CMK.
- API information
  URI format: POST /v1.0/{project_id}/kms/create-key
  
  For details, see "Creating a Key".
  
  Default Master Keys are created by services integrated with KMS. Names of Default Master Keys end with /default. Do not end your CMK names with /default.
- Example request
  POST: https://{endpoint}/v1.0/53d1aefc533f4ce9a59c26b01667cbcf/kms/create-key
  
  Obtain {endpoint} from Regions and Endpoints.
  
  Body:
```
{
    "key_alias": "test"
}
```
- Example response
```
{
    "key_info": {
        "key_id": "bb6a3d22-dc93-47ac-b5bd-88df7ad35f1e",
        "domain_id": "b168fe00ff56492495a7d22974df2d0b"
    }
}
```

Create a DEK.

API information
URI format: POST /v1.0/{project_id}/kms/create-datakey

For details, see "Creating a DEK".
Example request
POST https://{endpoint}/v1.0/53d1aefc533f4ce9a59c26b01667cbcf/kms/create-datakey

Obtain {endpoint} from Regions and Endpoints.

Body:
```
{
    "key_id": "0d0466b0-e727-4d9c-b35d-f84bb474a37f",
    "datakey_length": "512"
}
```

Example response

{
    "key_id": "0d0466b0-e727-4d9c-b35d-f84bb474a37f",
    "plain_text": "8151014275E426C72EE7D44267EF11590DCE0089E19863BA8CC832187B156A72A5A17F17B5EF0D525872C59ECEB72948AF85E18427F8BE0D46545C979306C08D",
    "cipher_text": "020098009EEAFCE122CAA5927D2E020086F9548BA1675FDB022E4ECC01B96F2189CF4B85E78357E73E1CEB518DAF7A4960E7C7DE8885ED3FB2F1471ABF400119CC1B20BD3C4A9B80AF590EFD0AEDABFDBB0E2B689DA7B6C9E7D3C5645FCD9274802586BE63779471F9156F2CDF07CD8412FFBE9230643034363662302D653732372D346439632D623335642D6638346262343734613337660000000045B05321483BD9F9561865EE7DFE9BE267A42EB104E98C16589CE46940B18E52"
}

Encrypt the DEK.

API information
URI format: POST /v1.0/{project_id}/kms/encrypt-datakey

For details, see "Encrypting a DEK".

Example request

POST https://{endpoint}/v1.0/53d1aefc533f4ce9a59c26b01667cbcf/kms/encrypt-datakey

Obtain {endpoint} from Regions and Endpoints.

Body:

{
    "key_id": "0d0466b0-e727-4d9c-b35d-f84bb474a37f",
    "plain_text": "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000F5A5FD42D16A20302798EF6ED309979B43003D2320D9F0E8EA9831A92759FB4B",
    "datakey_plain_length": "64"
}

Example response

{
    "key_id": "0d0466b0-e727-4d9c-b35d-f84bb474a37f",
    "cipher_text": "020098005273E14E6E8E95F5463BECDC27E80AF820B9FC086CB47861899149F67CF07DAFF2810B7D27BDF19AB7632488E0926A48DB2FC85BEA905119411B46244C5E6B8036C60A0B0B4842FFE6994518E89C19B1C1D688D9043BCD6053EA7BA0652642CE59F2543C80669139F4F71ABB9BD9A24330643034363662302D653732372D346439632D623335642D66383462623437346133376600000000D34457984F9730D57F228C210FD22CA6017913964B21D4ECE45D81092BB9112E",
    "datakey_length": "64"
}

Decrypt the DEK.

API information
URI format: POST /v1.0/{project_id}/kms/decrypt-datakey

For details, see "Decrypting a DEK".

Example request

POST https://{endpoint}/v1.0/53d1aefc533f4ce9a59c26b01667cbcf/kms/decrypt-datakey

Obtain {endpoint} from Regions and Endpoints.

Body:

{
    "key_id": "0d0466b0-e727-4d9c-b35d-f84bb474a37f",
    "datakey_cipher_length": "64",
    "cipher_text": "020098005273E14E6E8E95F5463BECDC27E80AF820B9FC086CB47861899149F67CF07DAFF2810B7D27BDF19AB7632488E0926A48DB2FC85BEA905119411B46244C5E6B8036C60A0B0B4842FFE6994518E89C19B1C1D688D9043BCD6053EA7BA0652642CE59F2543C80669139F4F71ABB9BD9A24330643034363662302D653732372D346439632D623335642D66383462623437346133376600000000D34457984F9730D57F228C210FD22CA6017913964B21D4ECE45D81092BB9112E"
}

Example response

{
    "data_key": "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
    "datakey_length": "64",
    "datakey_dgst": "F5A5FD42D16A20302798EF6ED309979B43003D2320D9F0E8EA9831A92759FB4B"
}

Parent topic: Application Examples

Last Article: Example 1: Encrypting or Decrypting Data

Next Article: Example 3: Querying Information About Keys

Did this article solve your problem?

Thank you for your score！Your feedback would help us improve the website.

Products

Compute

Application

Dedicated Cloud

Storage

Management & Deployment

Migration

Network

Enterprise Intelligence

Video

Database

Edge Cloud Services

DevCloud

Security

Cloud Communications

Internet of Things

Solutions

Industry-Specific Solutions

General-Purpose Solutions

Security

DevOps

Enterprise Intelligence

Essential Platform

Big Data

Visual Cognition

Speech and Semantics

Support

Help Center

Customer Services

Developers

Console

语言 - Language

中国站 - 简体中文

中国站 - English

International - 简体中文

International - English

Help Center

Example 2: Encrypting or Decrypting a DEK

Scenario

Involved APIs

Procedure