Updated on 2022-09-15 GMT+08:00

Overview

KMS is a secure, reliable, and easy-to-use cloud service that helps users create, manage, and protect keys in a centralized manner.

After your cloud services are integrated with KMS, encrypting data on the cloud only requires selecting a CMK managed by KMS for the encryption.

You can select a Default Master Key (DMK) automatically created by a cloud service through KMS, or a key you created or imported to KMS. For details, see .

Encryption Process

HUAWEI CLOUD services use envelope encryption and call KMS APIs to encrypt service resources. Your CMKs remain under your own management: only with your grant does a HUAWEI CLOUD service use a specific CMK of yours to encrypt data.

The encryption process is as follows:
  1. Create a CMK on KMS.
  2. A HUAWEI CLOUD service calls the create-datakey API of the KMS to create a DEK. A plaintext DEK and a ciphertext DEK are generated.

    Ciphertext DEKs are generated when you use a CMK to encrypt the plaintext DEKs.

  3. The HUAWEI CLOUD service uses the plaintext DEK to encrypt a plaintext file, generating a ciphertext file.
  4. The HUAWEI CLOUD service saves the ciphertext DEK and the ciphertext file together in a persistent storage device or a storage service.

When users download the data from the HUAWEI CLOUD service, the service uses the specified CMK, through KMS, to decrypt the ciphertext DEK, uses the decrypted DEK to decrypt the data, and then provides the decrypted data for users to download.
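The four encryption steps and the download path above, as an added Go example that is not Huawei Cloud code: MockKMS, NewMockKMS, CreateDataKey, DecryptDataKey, Envelope, EncryptFile and DecryptFile are constructed stand-ins for the KMS service and the cloud service, not the real KMS API, and AES-256-GCM is assumed for both the CMK wrapping of the DEK and the data encryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randBytes(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }
func seal(key, plaintext []byte) []byte { // AES-256-GCM; a blob is nonce||ciphertext||tag
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}
func open(key, blob []byte) ([]byte, error) { // fails on a wrong key or any modification of the blob
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// MockKMS stands in for KMS (a constructed stand-in, not the real API): it holds the CMK, which never leaves it.
type MockKMS struct{ cmk []byte }

func NewMockKMS() *MockKMS { return &MockKMS{cmk: randBytes(32)} } // step 1: create the CMK on KMS
// CreateDataKey mirrors create-datakey (step 2): a fresh DEK, returned in plaintext and wrapped under the CMK.
func (k *MockKMS) CreateDataKey() (plainDEK, cipherDEK []byte) {
	plainDEK = randBytes(32)
	return plainDEK, seal(k.cmk, plainDEK)
}
func (k *MockKMS) DecryptDataKey(cipherDEK []byte) ([]byte, error) { return open(k.cmk, cipherDEK) }

// Envelope is what the service keeps in storage (step 4): ciphertext DEK beside ciphertext data; the plaintext DEK is dropped.
type Envelope struct{ CipherDEK, CipherData []byte }

func EncryptFile(kms *MockKMS, plaintext []byte) Envelope { // steps 2 to 4, service side
	plainDEK, cipherDEK := kms.CreateDataKey()
	return Envelope{CipherDEK: cipherDEK, CipherData: seal(plainDEK, plaintext)}
}
func DecryptFile(kms *MockKMS, env Envelope) ([]byte, error) { // download path
	plainDEK, err := kms.DecryptDataKey(env.CipherDEK) // only KMS can unwrap the DEK
	if err != nil {
		return nil, err
	}
	return open(plainDEK, env.CipherData) // the service decrypts the data with it
}
```

Because the stored DEK is wrapped under the CMK, a copy of the storage alone yields nothing, and a different CMK or a modified ciphertext DEK makes the download path fail instead of returning wrong data.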