Updated on 2023-11-15 GMT+08:00

Encrypting or Decrypting Small Volumes of Data

Scenario

You can use online tools on the Key Management Service (KMS) console or call the necessary KMS APIs to directly encrypt or decrypt small-size data with a CMK, such as passwords, certificates, or phone numbers.

Restrictions

Currently, a maximum of 4 KB of data can be encrypted or decrypted in this way.

Encryption and Decryption Using Online Tools

  • Encrypting data
  1. Click the alias of a custom key to view its details, and go to the online tool for data encryption and decryption.
  2. Click Encrypt. In the text box on the left, enter the data to be encrypted. For details, see Figure 1.

    Figure 1 Encrypting data

  3. Click Execute. Ciphertext of the data is displayed in the text box on the right.

    • Use the current CMK to encrypt the data.
    • You can click Clear to clear the entered data.
    • You can click Copy to Clipboard to copy the ciphertext and save it in a local file.

  • Decrypting data
  1. You can click any non-default key in Enabled status to go to the encryption and decryption page of the online tool.
  2. Click Decrypt. In the text box on the left, enter the data to be decrypted. For details, see Figure 2.

    • The tool will identify the original encryption CMK and use it to decrypt the data.
    • However, if the CMK has been deleted, the decryption fails.
    Figure 2 Decrypting data

  3. Click Execute. Plaintext of the data is displayed in the text box on the right.

    You can click Copy to Clipboard to copy the plaintext and save it in a local file.

Calling APIs for Encryption and Decryption

Figure 3 shows an example about how to call KMS APIs to encrypt and decrypt an HTTPS certificate.

Figure 3 Encrypting and decrypting an HTTPS certificate

The procedure is as follows:

  1. Create a CMK on KMS.
  2. Call the encrypt-data interface of KMS and use the CMK to encrypt the plaintext certificate.
  3. Deploy the certificate onto a server.
  4. The server uses the decrypt-data interface of KMS to decrypt the ciphertext certificate.

    If you enter and encrypt text on the console, the text will be encoded to Base64 format before being transferred to the backend for encryption. The decryption result returned via API will be in Base64 format. Text encrypted via API cannot be decrypted on the console, or garbled characters will be returned.