Help Center/ Data Encryption Workshop/ FAQs/ KMS Related/ How Do Huawei Cloud Services Use KMS to Encrypt Data?
Updated on 2025-05-26 GMT+08:00

How Do Huawei Cloud Services Use KMS to Encrypt Data?

Generally, Huawei Cloud services use KMS envelope encryption to protect user data.

Envelope encryption is the practice of encrypting data with a DEK and then encrypting the DEK with a root key that you can fully manage. In this case, CMKs are not required for encryption or decryption.

Envelope Encryption and Decryption Principles

  • Figure 1 illustrates the process for encrypting a local file.
    Figure 1 Encrypting a local file
    The procedure is as follows:
    1. Create a CMK on KMS.
    2. Call the create-datakey API of KMS to create a DEK. Then you get a plaintext DEK and a ciphertext DEK. The ciphertext DEK is generated when you use a CMK to encrypt the plaintext DEK.
    3. Use the plaintext DEK to encrypt the file. A ciphertext file is generated.
    4. Save the ciphertext DEK and the ciphertext file together in a persistent storage device or a storage service.
  • Figure 2 illustrates the process for decrypting a local file.
    Figure 2 Decrypting a local file
    The procedure is as follows:
    1. Obtain the ciphertext DEK and file from the persistent storage device or the storage service.
    2. Call the decrypt-datakey API of KMS and use the corresponding CMK (the one used for encrypting the DEK) to decrypt the ciphertext DEK. Then you get the plaintext DEK.

      If the CMK is deleted, the decryption fails. Therefore, properly keep your CMKs.

    3. Use the plaintext DEK to decrypt the ciphertext file.

For details about how to use KMS to encrypt and decrypt data, see Using KMS to Encrypt and Decrypt Data for Cloud Services.