What Is DEW?
Data is the core asset of an enterprise. Each enterprise has its core sensitive data, which needs to be encrypted and protected from breach.
Data Encryption Workshop (DEW) is a cloud data encryption service. It consists of the following services: Key Management Service (KMS), Cloud Secret Management Service (CSMS), Key Pair Service (KPS), and Dedicated Hardware Security Module (Dedicated HSM). It helps you secure your data and keys and simplifies key management. DEW uses HSMs to protect your keys and can be integrated with other Huawei Cloud services to address data security, key security, and key management requirements. DEW also lets you build customized encryption applications on top of it.
| Service | Description |
|---|---|
| Key Management Service (KMS) | KMS is a secure, reliable, and easy-to-use service for managing your keys on the cloud. It helps you create, manage, and protect keys. KMS uses Hardware Security Modules (HSMs) to protect keys, so you can create and control customer master keys (CMKs) with ease. All CMKs are protected by root keys held in HSMs to prevent key leakage. |
| Cloud Secret Management Service (CSMS) | CSMS is a secure, reliable, and easy-to-use secret hosting service. Users or applications can use CSMS to create, retrieve, update, and delete credentials in a unified manner throughout the credential lifecycle. CSMS helps you eliminate the risks caused by hardcoded credentials, plaintext configuration, and permission abuse. |
| Key Pair Service (KPS) | KPS is a secure, reliable, and easy-to-use cloud service for managing and protecting your SSH key pairs (key pairs for short). KPS uses HSMs to generate true random numbers, which are then used to produce key pairs. It also provides a complete and reliable key pair management solution so that users can create, import, and manage key pairs with ease. The public key of a generated key pair is stored in KPS, while the private key can be downloaded and kept separately, which preserves the privacy and security of the key pair. |
| Dedicated Hardware Security Module (Dedicated HSM) | Dedicated HSM enables data encryption on the cloud, specifically encrypting and decrypting data, verifying signatures, generating keys, and storing keys. Dedicated HSM provides encryption hardware that guarantees data security and integrity on Elastic Cloud Servers (ECSs) and meets compliance requirements. Dedicated HSM offers secure and reliable management of the keys generated by your instances and supports multiple algorithms for data encryption and decryption. |
Concepts
This section describes the basic concepts in DEW.
| Item | Definition |
|---|---|
| Hardware Security Module (HSM) | An HSM is a type of computer hardware that protects and manages the keys used by strong authentication systems and performs the related cryptographic operations. |
| Customer Master Key (CMK) | A CMK is a Key Encryption Key (KEK) created by a user or a cloud service through KMS. It is used to encrypt and protect Data Encryption Keys (DEKs). One CMK can encrypt one or more DEKs. CMKs are categorized into custom keys and default keys. |
| Default Master Key (DMK) | A Default Master Key is created automatically by another cloud service through KMS, for example Object Storage Service (OBS). The alias of a Default Master Key ends with /default. |
| Key material | Key material is the secret input to a cryptographic operation. A CMK consists of a key ID, metadata, and key material. |
| Envelope encryption | Envelope encryption is the practice of encrypting data with a DEK and then encrypting the DEK with a root key that you fully manage. The CMK itself is therefore not used directly to encrypt or decrypt the data. |
| Data Encryption Key (DEK) | A DEK is the key used to encrypt the data itself. |
| Symmetric key encryption | Symmetric key encryption is also called dedicated key encryption. The sender and receiver use the same key to encrypt and decrypt data. Advantage: encryption and decryption are fast. Disadvantage: each pair of communicating parties needs its own unique key, so key management becomes difficult with a large number of users. Scenario: encrypting large amounts of data. |
| Asymmetric key encryption | Asymmetric key encryption is also called public key encryption. A key pair is used for encryption and decryption: one key is public and the other is private. Advantage: different keys are used for encryption and decryption, which enhances security. Disadvantage: encryption and decryption are slow. Scenario: encrypting sensitive information. |
| Key pair | A key pair is an asymmetric pair consisting of a public key and a private key. By default, RSA-2048 is used. |
| Private key pair | A private key pair can be viewed or used only by the current account. |
| Account key pair | An account key pair can be viewed or used by all users under the account. |
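The envelope encryption and DEK entries above describe the pattern in one sentence each. The following Go program is an added example, not DEW or KMS code: a local `RootKey` type stands in for the KMS-managed root key (in the real service the key bytes stay in the HSM and only wrap/unwrap calls are exposed), a fresh AES-256-GCM DEK is generated per object, the data is sealed under the DEK, and only the DEK is sealed under the root key. The `context` string is an assumed encryption-context value bound into the GCM tag as associated data, so a wrapped DEK cannot be replayed against a different object.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what an application stores next to an object: the data encrypted
// under a per-object DEK, and that DEK encrypted ("wrapped") under the root key.
// The plaintext DEK exists only in memory while encrypting or decrypting.
type Envelope struct {
	WrappedDEK []byte // DEK sealed under the root key, GCM nonce prepended
	Ciphertext []byte // data sealed under the DEK, GCM nonce prepended
}

// RootKey is a hypothetical local stand-in for the KMS root key / CMK.
type RootKey struct{ key []byte }

func NewRootKey() (*RootKey, error) {
	k := make([]byte, 32) // AES-256 key
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &RootKey{key: k}, nil
}

// gcmSeal encrypts plaintext with AES-GCM, binds aad (the assumed encryption
// context) into the authentication tag, and prepends the random nonce.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; it fails on a wrong key, wrong aad, or tampering.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob shorter than nonce")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt applies the envelope pattern: fresh DEK per object, data under the
// DEK, DEK under the root key. The root key never touches the data itself.
func (r *RootKey) Encrypt(plaintext []byte, context string) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dek, plaintext, []byte(context))
	if err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(r.key, dek, []byte(context))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the root key, then opens the data with the DEK.
// A foreign root key or a mismatched context fails at the unwrap step.
func (r *RootKey) Decrypt(env *Envelope, context string) ([]byte, error) {
	dek, err := gcmOpen(r.key, env.WrappedDEK, []byte(context))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, env.Ciphertext, []byte(context))
}

func main() {
	root, err := NewRootKey()
	if err != nil {
		panic(err)
	}
	record := []byte("constructed sample: customer-id=42, card-last4=1234") // constructed input
	env, err := root.Encrypt(record, "bucket=demo/object=record-1")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d-byte wrapped DEK + %d-byte ciphertext\n", len(env.WrappedDEK), len(env.Ciphertext))
	back, _ := root.Decrypt(env, "bucket=demo/object=record-1")
	fmt.Println("decrypted:", string(back))
	if _, err := root.Decrypt(env, "bucket=demo/object=other"); err != nil {
		fmt.Println("wrong context rejected:", err)
	}
}
```

Encrypting the same record twice produces two different envelopes because each call draws a new DEK; rotating the root key therefore only requires re-wrapping the small DEKs, not re-encrypting the data, which is the operational benefit the envelope pattern is meant to deliver.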