Help Center>
Data Encryption Workshop>
FAQs>
KMS Related>
How Do Huawei Cloud Services Use KMS to Encrypt Data?
Updated on 2023-01-13 GMT+08:00
How Do Huawei Cloud Services Use KMS to Encrypt Data?
Huawei Cloud services (including OBS, IMS, EVS, and RDS) use the envelope encryption provided by KMS to protect data.
Envelope encryption is an encryption method that enables DEKs to be stored, transmitted, and used in "envelopes" of CMKs. As a result, CMKs do not directly encrypt and decrypt data.
- When you use a Huawei Cloud service to encrypt data, you need to specify a CMK on KMS. The Huawei Cloud service generates a plaintext DEK and a ciphertext DEK. The ciphertext DEK is generated by encrypting the plaintext DEK using the specified CMK. The Huawei Cloud service uses the plaintext DEK to encrypt data and stores the encrypted ciphertext data and ciphertext DEK in the Huawei Cloud service. See the following figure.
Figure 1 How Huawei Cloud uses KMS for encryption
- When users download the data from Huawei Cloud, the service uses the CMK specified by KMS to decrypt the ciphertext DEK, use the decrypted DEK to decrypt data, and then provide the decrypted data for users to download.
Parent topic: KMS Related
KMS Related FAQs
- What Is Key Management Service?
- What Is a Customer Master Key?
- What Is a Default Key?
- What Are the Differences Between a Custom Key and a Default Key?
- What Is a Data Encryption Key?
- Why Cannot I Delete a CMK Immediately?
- Which Cloud Services Can Use KMS for Encryption?
- How Do Huawei Cloud Services Use KMS to Encrypt Data?
- What Are the Benefits of Envelope Encryption?
- Is There a Limit on the Number of Custom Keys That I Can Create on KMS?
- Can I Export a CMK from KMS?
- Can I Decrypt My Data if I Permanently Delete My Custom Key?
- How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data?
- Can I Update CMKs Created by KMS-Generated Key Materials?
- When Should I Use a CMK Created with Imported Key Materials?
- What Should I Do When I Accidentally Delete Key Materials?
- How Are Default Keys Generated?
- What Should I Do If I Do Not Have the Permissions to Perform Operations on KMS?
- Why Can't I Wrap Asymmetric Keys by Using -id-aes256-wrap-pad in OpenSSL?
- Key algorithms supported by KMS
- What Should I Do If KMS Failed to Be Requested and Error Code 401 Is Displayed?
- What Is the Relationship Between the Ciphertext and Plaintext Returned by the encrypt-data API?
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
The system is busy. Please try again later.
For any further questions, feel free to contact us through the chatbot.
Chatbotmore
