
How Do Huawei Cloud Services Use KMS to Encrypt Data?

Updated on 2023-01-31 GMT+08:00

Huawei Cloud services (including OBS, IMS, EVS, and RDS) use the envelope encryption provided by KMS to protect data.


Envelope encryption is an encryption method in which data encryption keys (DEKs) are stored, transmitted, and used inside "envelopes" sealed with customer master keys (CMKs). As a result, CMKs do not directly encrypt or decrypt data.

  • When you use a Huawei Cloud service to encrypt data, you need to specify a CMK on KMS. The Huawei Cloud service generates a plaintext DEK and a ciphertext DEK. The ciphertext DEK is generated by encrypting the plaintext DEK using the specified CMK. The Huawei Cloud service uses the plaintext DEK to encrypt data and stores the encrypted ciphertext data and ciphertext DEK in the Huawei Cloud service. See the following figure.
    Figure 1 How Huawei Cloud uses KMS for encryption
  • When users download the data from Huawei Cloud, the service uses the CMK specified by KMS to decrypt the ciphertext DEK, uses the decrypted DEK to decrypt the data, and then provides the decrypted data for users to download.
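
The encrypt and download flow from the two bullets above, as an added Node.js example that is not Huawei Cloud code. The `kms` object is a local stand-in holding a constructed CMK, the function names are hypothetical, and AES-256-GCM is an assumed cipher choice.

```javascript
const nodeCrypto = require("node:crypto");

// AES-256-GCM helpers (assumed cipher); blob layout is iv(12) | tag(16) | ciphertext.
function seal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, iv).setAAD(aad);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}
function unseal(key, blob, aad) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAAD(aad).setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws if tampered
}

// Hypothetical local stand-in for KMS: the CMK never leaves this object.
const kms = {
  cmks: new Map([["cmk-demo", nodeCrypto.randomBytes(32)]]), // constructed CMK
  createDataKey(cmkId) {
    const plaintextDek = nodeCrypto.randomBytes(32);
    const ciphertextDek = seal(this.cmks.get(cmkId), plaintextDek, Buffer.from(cmkId));
    return { plaintextDek, ciphertextDek };
  },
  decryptDataKey(cmkId, ciphertextDek) {
    return unseal(this.cmks.get(cmkId), ciphertextDek, Buffer.from(cmkId));
  },
};

// Service side, upload: encrypt with the plaintext DEK, store only the ciphertext DEK.
function encryptObject(cmkId, data) {
  const { plaintextDek, ciphertextDek } = kms.createDataKey(cmkId);
  const ciphertext = seal(plaintextDek, data, ciphertextDek); // bind data to its DEK
  plaintextDek.fill(0); // the plaintext DEK is wiped once the data is encrypted
  return { cmkId, ciphertextDek, ciphertext };
}

// Service side, download: unwrap the DEK through KMS, then decrypt the data.
function decryptObject(record) {
  const dek = kms.decryptDataKey(record.cmkId, record.ciphertextDek);
  try {
    return unseal(dek, record.ciphertext, record.ciphertextDek);
  } finally {
    dek.fill(0);
  }
}

const stored = encryptObject("cmk-demo", Buffer.from("constructed sample object"));
console.log(decryptObject(stored).toString());
```

The stored record holds only the ciphertext and the ciphertext DEK, so reading the data requires a call to KMS with access to the CMK.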



