Concepts
This section describes the basic concepts in DEW, helping you understand and use DEW better.
Symmetric Key Encryption
Symmetric key encryption is also called dedicated key encryption. The sender and receiver use the same key to encrypt and decrypt data.
Advantage: Encryption and decryption are fast.
Disadvantage: Each pair of keys must be unique, making key management difficult when there are a large number of users.
Scenario: Encrypt a large amount of data.
Encryption process: Assume there is a plaintext message "Hello". The sender uses a symmetric key (for example, key123) and a symmetric cryptographic algorithm (for example, AES) to encrypt "Hello" into ciphertext (for example, "#%&*"). After receiving the ciphertext, the receiver uses the same key123 and the same AES algorithm to decrypt "#%&*" back to "Hello".
Asymmetric Key Encryption
Asymmetric key encryption is also called public key encryption. A pair of keys is used for encryption and decryption: one is a public key, and the other is a private key.
Advantage: Different keys are used for encryption and decryption, ensuring high security.
Disadvantage: Encryption and decryption are slow.
Scenario: Encrypt sensitive information.
Encryption process: Assume that the sender needs to send the message "secret plan" to the receiver. The sender obtains the public key of the receiver (for example, public_key_A) and uses it to encrypt "secret plan" into the ciphertext "@#$ %^&". After receiving the ciphertext, the receiver uses the matching private key (for example, private_key_A) to decrypt the ciphertext back into the plaintext "secret plan". In this way, even if others obtain the public key, they cannot decrypt the ciphertext because they do not have the corresponding private key.
HSM
A Hardware Security Module (HSM) is a type of computer hardware that protects and manages the keys used by strong authentication systems and provides related cryptographic operations.
CMK
A customer master key (CMK) is the highest-level key in a cryptographic system. It generates and manages other keys, including session keys and data encryption keys, or directly encrypts important data. Protecting its security and confidentiality is vital: once a master key is leaked, the entire cryptographic system may be severely threatened.
A master key features the following:
- High security: A master key is generally the most sensitive key in a system and needs to be strictly protected. It is usually stored in a secure hardware device, such as an HSM.
- Long-term use: A master key has a long lifecycle and will not be frequently changed to ensure system stability and consistency.
- Multi-usage: A master key can be used for various encryption operations, including subkey generation, data encryption, and signature verification.
- Uniqueness: A master key is unique in a cryptographic system. In a distributed system, each node or region may have its own master key.
Master keys include custom keys and default keys. You can create, view, enable, disable, schedule the deletion of, and cancel the deletion of custom keys.
- Symmetric keys are most commonly used for data encryption protection.
- Asymmetric keys are used for digital signature verification or sensitive information encryption in systems where the trust relationship is not mutual. An asymmetric key consists of a public key and a private key. The public key can be sent to anyone. The private key must be securely stored and only accessible to trusted users.
- An asymmetric key can be used to generate and verify a signature. To securely transfer data, a signer sends the public key to a receiver, uses the private key to sign data, and then sends the data and signature to the receiver. The receiver can use the public key to verify the signature.
Default Key
A default key is automatically created by another cloud service using KMS, such as Object Storage Service (OBS). The alias of a default key ends with /default. The default key cannot be disabled and does not support scheduled deletion. For details about cloud services that support KMS encryption, see .
Envelope Encryption
Envelope encryption is the practice of encrypting data with a DEK and then encrypting the DEK with a root key that you can fully manage. In this case, CMKs are not required for encryption or decryption.
DEK
A data encryption key (DEK) is used to encrypt data.