Cette page n'est pas encore disponible dans votre langue. Nous nous efforçons d'ajouter d'autres langues. Nous vous remercions de votre compréhension.
- What's New
- Function Overview
- Service Overview
- Getting Started
-
User Guide
- Key Management Service
- Cloud Secret Management Service
- Key Pair Service
- Dedicated HSM
- Auditing Logs
- Permission Control
- Best Practices
-
API Reference
- Before You Start
- Calling APIs
- API Overview
- APIs
- Application Examples
- Permissions Policies and Supported Actions
- Appendix
- Change History
- SDK Reference
-
FAQs
-
KMS Related
- What Is Key Management Service?
- What Is a Customer Master Key?
- What Is a Default Key?
- What Are the Differences Between a Custom Key and a Default Key?
- What Is a Data Encryption Key?
- Why Cannot I Delete a CMK Immediately?
- Which Cloud Services Can Use KMS for Encryption?
- How Do Huawei Cloud Services Use KMS to Encrypt Data?
- What Are the Benefits of Envelope Encryption?
- Is There a Limit on the Number of Custom Keys That I Can Create on KMS?
- Can I Export a CMK from KMS?
- Can I Decrypt My Data if I Permanently Delete My Custom Key?
- How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data?
- Can I Update CMKs Created by KMS-Generated Key Materials?
- How Are Default Keys Generated?
- What Should I Do If I Do Not Have the Permissions to Perform Operations on KMS?
- Why Can't I Wrap Asymmetric Keys by Using -id-aes256-wrap-pad in OpenSSL?
- Key Algorithms Supported by KMS
- What Should I Do If KMS Failed to Be Requested and Error Code 401 Is Displayed?
- CSMS Related
-
KPS Related
- How Do I Create a Key Pair?
- What Are a Private Key Pair and an Account Key Pair?
- How Do I Handle an Import Failure of a Key Pair Created Using PuTTYgen?
- What Should I Do When I Fail to Import a Key Pair Using Internet Explorer 9?
- How Do I Log In to a Linux ECS with a Private Key?
- How Do I Use a Private Key to Obtain the Password to Log In to a Windows ECS?
- How Do I Handle the Failure in Binding a Key Pair?
- How Do I Handle the Failure in Replacing a Key Pair?
- How Do I Handle the Failure in Resetting a Key Pair?
- How Do I Handle the Failure in Unbinding a Key Pair?
- Do I Need to Restart Servers After Replacing Its Key Pair?
- How Do I Enable the Password Login Mode for an ECS?
- How Do I Handle the Failure in Logging In to ECS After Unbinding the Key Pair?
- What Should I Do If My Private Key Is Lost?
- How Do I Convert the Format of a Private Key File?
- Can I Change the Key Pair of a Server?
- Can a Key Pair Be Shared by Multiple Users?
- How Do I Obtain the Public or Private Key File of a Key Pair?
-
Dedicated HSM Related
- What Is Dedicated HSM?
- How Does Dedicated HSM Ensure the Security for Key Generation?
- Do Equipment Room Personnel Has the Super Administrator Role to Steal Information by Using a Privileged UKey?
- What HSMs Are Used for Dedicated HSM?
- What APIs Does Dedicated HSM Support?
- How Do I Enable Public Access to a Dedicated HSM Instance?
- Pricing
- General
- Change History
-
KMS Related
- Videos
Application Scenarios
Prerequisites
All the CMKs mentioned in this section are symmetric keys. For details about symmetric keys and asymmetric keys, see Keys Types.
Small Data Encryption and Decryption
You can use the online tool on the KMS console or call KMS APIs to directly encrypt or decrypt a small amount of data, such as passwords, certificates, or phone numbers. Currently, a maximum of 4 KB of data can be encrypted or decrypted in this way.
Figure 1 shows an example about how to call the APIs to encrypt and decrypt an HTTPS certificate.
- Create a CMK on KMS.
- Call the encrypt-data API of KMS and use the CMK to encrypt the plaintext certificate.
- Deploy the certificate onto a server.
- The server calls the decrypt-data API of KMS to decrypt the ciphertext certificate.
Large Data Encryption and Decryption
If you want to encrypt or decrypt large volumes of data, such as pictures, videos, and database files, you can use the envelope encryption method, where the data does not need to be transferred over the network.
- Figure 2 illustrates the process for encrypting a local file.
The procedure is as follows:
- Create a CMK on KMS.
- Call the create-datakey API of KMS to create a DEK. Then you get a plaintext DEK and a ciphertext DEK. The ciphertext DEK is generated when you use a CMK to encrypt the plaintext DEK.
- Use the plaintext DEK to encrypt the file. A ciphertext file is generated.
- Save the ciphertext DEK and the ciphertext file together in a persistent storage device or a storage service.
- Figure 3 illustrates the process for decrypting a local file.
The procedure is as follows:
- Obtain the ciphertext DEK and file from the persistent storage device or the storage service.
- Call the decrypt-datakey API of KMS and use the corresponding CMK (the one used for encrypting the DEK) to decrypt the ciphertext DEK. Then you get the plaintext DEK.
If the CMK is deleted, the decryption fails. Therefore, properly keep your CMKs.
- Use the plaintext DEK to decrypt the ciphertext file.
Helpful Links
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.