Help Center> Data Encryption Workshop> API Reference> Application Examples> Example 2: Encrypting or Decrypting Large Volumes of Data
Updated on 2022-10-27 GMT+08:00

Example 2: Encrypting or Decrypting Large Volumes of Data

Scenario

Encrypt or decrypt a large amount of data.

  • Encryption process:
    1. Create a CMK in KMS.
    2. Call the create-datakey API of the KMS to create a DEK. A plaintext DEK and a ciphertext DEK will be generated. The ciphertext DEK was generated by using a CMK to encrypt the plaintext DEK.
    3. Use the plaintext DEK to encrypt a plaintext file, generating a ciphertext file.
    4. Store the ciphertext DEK and the ciphertext file together in a permanent storage device or a storage service.
  • Decryption process:
    1. Read the ciphertext DEK and the ciphertext file from the permanent storage device or storage service.
    2. Call the decrypt-datakey API and use the encryption CMK to decrypt the ciphertext DEK. The plaintext DEK will be generated.

      If the CMK is deleted, the decryption will fail. Properly keep your CMKs.

    3. Use the plaintext DEK to decrypt the ciphertext file.

Involved APIs

APIs used for the following operations are involved:

Procedure

  1. Create a CMK.

    • API information

      URI format: POST /v1.0/{project_id}/kms/create-key

      For details, see Creating a CMK.

      Default Master Keys are created by services integrated with KMS. Names of Default Master Keys end with /default. Do not end your CMK names with /default.

    • Example request

      POST: https://{endpoint}/v1.0/53d1aefc533f4ce9a59c26b01667cbcf/kms/create-key

      Obtain {endpoint} from Regions and Endpoints.

      Body:

      {
          "key_alias": "test"
      }
    • Example response
      {
          "key_info": {
              "key_id": "bb6a3d22-dc93-47ac-b5bd-88df7ad35f1e",
              "domain_id": "b168fe00ff56492495a7d22974df2d0b"
          }
      }

  2. Create a DEK.

    • API information

      URI format: POST /v1.0/{project_id}/kms/create-datakey

      For details, see Creating a DEK.

    • Example request

      POST https://{endpoint}/v1.0/53d1aefc533f4ce9a59c26b01667cbcf/kms/create-datakey

      Obtain {endpoint} from Regions and Endpoints.

      You can use the API for Querying the List of CMKs to check key information, including key_id.

      Body:

      {
          "key_id": "0d0466b0-e727-4d9c-b35d-f84bb474a37f",
          "datakey_length": "512"
      }
    • Example response
      {
          "key_id": "0d0466b0-e727-4d9c-b35d-f84bb474a37f",
          "plain_text": "8151014275E426C72EE7D44267EF11590DCE0089E19863BA8CC832187B156A72A5A17F17B5EF0D525872C59ECEB72948AF85E18427F8BE0D46545C979306C08D",
          "cipher_text": "020098009EEAFCE122CAA5927D2E020086F9548BA1675FDB022E4ECC01B96F2189CF4B85E78357E73E1CEB518DAF7A4960E7C7DE8885ED3FB2F1471ABF400119CC1B20BD3C4A9B80AF590EFD0AEDABFDBB0E2B689DA7B6C9E7D3C5645FCD9274802586BE63779471F9156F2CDF07CD8412FFBE9230643034363662302D653732372D346439632D623335642D6638346262343734613337660000000045B05321483BD9F9561865EE7DFE9BE267A42EB104E98C16589CE46940B18E52"
      }

  3. Encrypt the DEK.

    • API information

      URI format: POST /v1.0/{project_id}/kms/encrypt-datakey

      For details, see Encrypting a DEK.

    • Example request

      POST https://{endpoint}/v1.0/53d1aefc533f4ce9a59c26b01667cbcf/kms/encrypt-datakey

      Obtain {endpoint} from Regions and Endpoints.

      You can use the API for Querying the List of CMKs to check key information, including key_id.

      Body:

      {
          "key_id": "0d0466b0-e727-4d9c-b35d-f84bb474a37f",
          "plain_text": "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000F5A5FD42D16A20302798EF6ED309979B43003D2320D9F0E8EA9831A92759FB4B",
          "datakey_plain_length": "64"
      }
    • Example response
      {
          "key_id": "0d0466b0-e727-4d9c-b35d-f84bb474a37f",
          "cipher_text": "020098005273E14E6E8E95F5463BECDC27E80AF820B9FC086CB47861899149F67CF07DAFF2810B7D27BDF19AB7632488E0926A48DB2FC85BEA905119411B46244C5E6B8036C60A0B0B4842FFE6994518E89C19B1C1D688D9043BCD6053EA7BA0652642CE59F2543C80669139F4F71ABB9BD9A24330643034363662302D653732372D346439632D623335642D66383462623437346133376600000000D34457984F9730D57F228C210FD22CA6017913964B21D4ECE45D81092BB9112E",
          "datakey_length": "64"
      }

  4. Decrypt the DEK.

    • API information

      URI format: POST /v1.0/{project_id}/kms/decrypt-datakey

      For details, see Decrypting a DEK.

    • Example request

      POST https://{endpoint}/v1.0/53d1aefc533f4ce9a59c26b01667cbcf/kms/decrypt-datakey

      Obtain {endpoint} from Regions and Endpoints.

      You can use the API for Querying the List of CMKs to check key information, including key_id.

      Body:

      {
          "key_id": "0d0466b0-e727-4d9c-b35d-f84bb474a37f",
          "datakey_cipher_length": "64",
          "cipher_text": "020098005273E14E6E8E95F5463BECDC27E80AF820B9FC086CB47861899149F67CF07DAFF2810B7D27BDF19AB7632488E0926A48DB2FC85BEA905119411B46244C5E6B8036C60A0B0B4842FFE6994518E89C19B1C1D688D9043BCD6053EA7BA0652642CE59F2543C80669139F4F71ABB9BD9A24330643034363662302D653732372D346439632D623335642D66383462623437346133376600000000D34457984F9730D57F228C210FD22CA6017913964B21D4ECE45D81092BB9112E"
      }
    • Example response
      {
          "data_key": "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
          "datakey_length": "64",
          "datakey_dgst": "F5A5FD42D16A20302798EF6ED309979B43003D2320D9F0E8EA9831A92759FB4B"
      }