Updated on 2022-11-04 GMT+08:00

Overview

KMS is a secure, reliable, and easy-to-use cloud service that helps users create, manage, and protect keys in a centralized manner.

Once your cloud services are integrated with KMS, encrypting data on the cloud only requires selecting a CMK managed by KMS.

You can select a Default Master Key (DMK), which a cloud service creates automatically through KMS, or a key you created in or imported into KMS. For details, see Differences Between a CMK and a Default Master Key.

Table 1 Cloud services that use KMS encryption

| Category | Service | Encryption Mode |
| --- | --- | --- |
| Computing | Elastic Cloud Server (ECS) | You can encrypt an image or EVS disk in ECS. When creating an ECS, if you select an encrypted image, the system disk of the created ECS automatically has encryption enabled, with the same encryption mode as the image. When creating an ECS, you can also encrypt the data disks you add. |
| Computing | Image Management Service (IMS) | Encrypting Data in IMS |
| Storage | Object Storage Service (OBS) | Encrypting Data in OBS |
| Storage | Elastic Volume Service (EVS) | Encrypting Data in EVS |
| Storage | Volume Backup Service (VBS) | VBS generally creates online backups of a single EVS disk (system or data disk) of a server. If the disk is encrypted, its backup data is stored encrypted as well. |
| Storage | Cloud Server Backup Service (CSBS) | CSBS mainly creates consistent online backups of all EVS disks of a server. CSBS backups are also displayed on the VBS page. If a disk is encrypted, its backup data is stored encrypted as well. |
| Database | RDS for MySQL | Encrypting an RDS DB Instance |
| Database | RDS for PostgreSQL | Encrypting an RDS DB Instance |
| Database | RDS for SQL Server | Encrypting an RDS DB Instance |
| Database | Document Database Service (DDS) | Encrypting a DDS DB Instance |

Encryption Process

HUAWEI CLOUD services use envelope encryption and call KMS APIs to encrypt service resources. Your CMKs remain under your own management: only with your grant does a HUAWEI CLOUD service use a specific CMK of yours to encrypt data.

Figure 1 How Huawei Cloud uses KMS for encryption

The encryption process is as follows:
  1. Create a CMK on KMS.
  2. A HUAWEI CLOUD service calls the create-datakey API of KMS to create a DEK. KMS returns both a plaintext DEK and a ciphertext DEK.

    The ciphertext DEK is the plaintext DEK encrypted with your CMK.

  3. The HUAWEI CLOUD service uses the plaintext DEK to encrypt a plaintext file, producing a ciphertext file.
  4. The HUAWEI CLOUD service stores the ciphertext DEK together with the ciphertext file on a persistent storage device or in a storage service.

When a user downloads data from the HUAWEI CLOUD service, the service uses the specified CMK in KMS to decrypt the ciphertext DEK, uses the recovered plaintext DEK to decrypt the data, and then returns the decrypted data to the user.
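Steps 2 to 4 and the download path above, as an added Go example that is not Huawei Cloud's code: the wrap and unwrap of the DEK under `cmk` stand in for the KMS create-datakey and decrypt calls (hypothetical, not the SDK), AES-256-GCM is assumed for both layers, and `crypto/rand.Read` is assumed never to fail (its documented behaviour since Go 1.24).

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcmFor builds AES-256-GCM; every key in this example is 32 bytes, so a bad length is a bug.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal prepends a fresh 12-byte nonce; open strips it and fails the tag check on a wrong key or tampering.
func seal(key, plaintext []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce) // assumed never to fail (documented behaviour since Go 1.24)
	return gcmFor(key).Seal(nonce, nonce, plaintext, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcmFor(key).Open(nil, sealed[:12], sealed[12:], nil)
}

// Envelope is what step 4 stores together: the DEK wrapped under the CMK and the data encrypted under the DEK.
type Envelope struct{ WrappedDEK, Ciphertext []byte }

// EncryptObject is steps 2-4; seal(cmk, dek) stands in for create-datakey inside KMS, the service never sees cmk.
func EncryptObject(cmk, data []byte) Envelope {
	dek := make([]byte, 32)
	rand.Read(dek) // plaintext DEK: used once here and never stored
	return Envelope{WrappedDEK: seal(cmk, dek), Ciphertext: seal(dek, data)}
}

// DecryptObject is the download path: KMS unwraps the DEK with the CMK, then the service decrypts the data.
func DecryptObject(cmk []byte, e Envelope) ([]byte, error) {
	dek, err := open(cmk, e.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, e.Ciphertext)
}
```

Because the stored envelope holds only the wrapped DEK, a copy of the storage is useless without access to the CMK, and the CMK can be rotated or disabled in KMS without re-encrypting the data itself.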