Updated on 2023-04-27 GMT+08:00

What Is DEW?

DEW

Data is the core asset of an enterprise. Each enterprise has its core sensitive data, which needs to be encrypted and protected from breach.

Data Encryption Workshop (DEW) is a cloud data encryption service. It consists of the following services: Key Management Service (KMS), Cloud Secret Management Service (CSMS), Key Pair Service (KPS), and Dedicated Hardware Security Module (Dedicated HSM). It helps you secure your data and keys, simplifying key management. DEW uses HSMs to protect the security of your keys, and can be integrated with other Huawei Cloud services to address data security, key security, and key management issues. Additionally, DEW enables you to develop customized encryption applications.

Figure 1 DEW subservices
Table 1 Service overview

| Service | Description | Reference |
|---|---|---|
| Key Management Service (KMS) | KMS is a secure, reliable, and easy-to-use service for managing your keys on the cloud. It helps you easily create, manage, and protect keys. KMS uses Hardware Security Modules (HSMs) to protect keys, helping you create and control customer master keys (CMKs) with ease. All CMKs are protected by root keys in HSMs to avoid key leakage. | Key Types |
| Cloud Secret Management Service (CSMS) | CSMS is a secure, reliable, and easy-to-use secret hosting service. Users or applications can use CSMS to create, retrieve, update, and delete credentials in a unified manner throughout the credential lifecycle. CSMS helps you eliminate the risks of hardcoded credentials, plaintext configuration, and permission abuse. | Creating a Secret |
| Key Pair Service (KPS) | KPS is a secure, reliable, and easy-to-use cloud service designed to manage and protect your SSH key pairs (key pairs for short). KPS uses HSMs to generate true random numbers, which are then used to produce key pairs. In addition, it adopts a complete and reliable key pair management solution to help users create, import, and manage key pairs with ease. The public key of a generated key pair is stored in KPS, while the private key can be downloaded and stored separately, which ensures the privacy and security of the key pair. | Creating a Key Pair |
| Dedicated Hardware Security Module (Dedicated HSM) | Dedicated HSM provides cryptographic operations on the cloud: encrypting and decrypting data, verifying signatures, and generating and storing keys. Dedicated HSM provides encryption hardware, guaranteeing data security and integrity on Elastic Cloud Servers (ECSs) and meeting compliance requirements. Dedicated HSM offers you secure and reliable management of the keys generated by your instances, and supports multiple algorithms for data encryption and decryption. | Dedicated HSM |

Concepts

This section describes the basic concepts in DEW.

Table 2 Basic concepts

| Item | Definition | Reference |
|---|---|---|
| Hardware Security Module (HSM) | An HSM is a type of computer hardware that protects and manages the keys used by strong authentication systems and provides related cryptographic operations. | - |
| Customer Master Key (CMK) | A CMK is a Key Encryption Key (KEK) created by a user or cloud service using KMS. It is used to encrypt and protect Data Encryption Keys (DEKs). One CMK can be used to encrypt one or more DEKs. CMKs are categorized into custom keys and default keys. | What Is a Customer Master Key? |
| Default Master Key (DMK) | A Default Master Key is automatically created by another cloud service using KMS, such as Object Storage Service (OBS). The alias of a Default Master Key ends with /default. | What Is a Default Master Key? |
| Key material | Key material is the essential input for cryptographic operations. A CMK consists of a key ID, metadata, and key material. | - |
| Envelope encryption | Envelope encryption is the practice of encrypting data with a DEK and then encrypting the DEK with a root key that you can fully manage. In this case, the CMK is not needed to encrypt or decrypt the data itself. | What Are the Benefits of Envelope Encryption? |
| Data Encryption Key (DEK) | A DEK is the key used to encrypt data. | What Is a Data Encryption Key? |
| Symmetric key encryption | Symmetric key encryption is also called dedicated key encryption. The sender and receiver use the same key to encrypt and decrypt data. Advantage: encryption and decryption are fast. Disadvantage: each pair of communicating parties needs its own unique key, so key management becomes difficult with a large number of users. Scenario: encrypting large amounts of data. | Key Types |
| Asymmetric key encryption | Asymmetric key encryption is also called public key encryption. A key pair is used for encryption and decryption: one key is public, and the other is private. Advantage: different keys are used for encryption and decryption, enhancing security. Disadvantage: encryption and decryption are slow. Scenario: encrypting sensitive information. | Key Types |
| Key pair | A key pair consists of an asymmetric public key and private key. By default, RSA-2048 is used. | Key Pair Service |
| Private key pair | A private key pair can be viewed or used only by the current account. | Creating a Key Pair |
| Account key pair | An account key pair can be viewed or used by all users under the account. | Upgrading a Key Pair |