Help Center/ Data Encryption Workshop/ FAQs/ KMS Related/ Does KMS Support Offline Data Encryption and Decryption?
Updated on 2025-01-23 GMT+08:00
View PDF
Share

Does KMS Support Offline Data Encryption and Decryption?

Generally, KMS provides open APIs encrypt-data and decrypt-data for encrypting and decrypting a small volume of data. The calculation of the APIs is based on KMS, which wraps the ciphertext. So offline data encryption and decryption are not supported.

However, for asymmetric keys, KMS does not wrap the ciphertext. So public keys can be encrypted offline while private keys are decrypted online.

The following shows an example:

RSA_3072 is used for ENCRYPT_DECRYPT. After a public key is used to encrypt "hello world!" offline, decrypt-data is called to decrypt the message using a private key. The RSA/ECB/OAEPWithSHA-256AndMGF1Padding algorithm is used.

public class RsaEncryptDataExample {
    /**
     * Basic authentication information:
     * - ACCESS_KEY: Access key of the Huawei Cloud account. For details, see How Do I Obtain an Access Key (AK/SK)?.
     * - SECRET_ACCESS_KEY: Secret access key of the Huawei Cloud account. This is sensitive information. Store it in ciphertext. For details, see How Do I Obtain an Access Key (AK/SK)?.
     * - IAM_ENDPOINT: Endpoint for accessing IAM. For details, see Regions and Endpoints.
     * - KMS_REGION_ID: Regions supported by KMS. For details, see Regions and Endpoints.
     * - KMS_ENDPOINT: Endpoint for accessing KMS. For details, see Regions and Endpoints.
     * - There will be security risks if the AK/SK used for authentication is directly written into code. Encrypt the AK/SK in the configuration file or environment variables for storage.
     * - In this example, the AK/SK stored in the environment variables are used for identity authentication. Configure the environment variables HUAWEICLOUD_SDK_AK and HUAWEICLOUD_SDK_SK in the local environment first.
     */
    private static final String ACCESS_KEY = System.getenv("HUAWEICLOUD_SDK_AK");
    private static final String SECRET_ACCESS_KEY = System.getenv("HUAWEICLOUD_SDK_SK");
    private static final String IAM_ENDPOINT = "https://<IamEndpoint>";
    private static final String KMS_REGION_ID = "<RegionId>";
    private static final String KMS_ENDPOINT = "https://<KmsEndpoint>";

    private static final String RSA_PUBLIC_KEY_BEGIN = "-----BEGIN PUBLIC KEY-----\n";
    private static final String RSA_PUBLIC_KEY_END = "-----END PUBLIC KEY-----";

    private static final String RSAES_OAEP_SHA_256 = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    private static final String SHA_256 = "SHA-256";

    private static final String MGF1 = "MGF1";

    private static final String HELLO_WORLD = "hello world!";

    public static void main(String[] args) throws Exception {

        final String keyId = args[0];

        publicKeyEncrypt(keyId);
    }

    private static void publicKeyEncrypt(String keyId) throws NoSuchAlgorithmException, InvalidKeySpecException,
            NoSuchPaddingException, InvalidAlgorithmParameterException, InvalidKeyException,
            IllegalBlockSizeException, BadPaddingException {

        // 1. Prepare the authentication information for accessing Huawei Cloud.
        final BasicCredentials auth = new BasicCredentials()
                .withIamEndpoint(IAM_ENDPOINT).withAk(ACCESS_KEY).withSk(SECRET_ACCESS_KEY);

        // 2. Initialize the SDK and transfer the authentication information and the address for the KMS to access the client.
        final KmsClient kmsClient = KmsClient.newBuilder()
                .withRegion(new Region(KMS_REGION_ID, KMS_ENDPOINT)).withHttpConfig(new HttpConfig()
                        .withIgnoreSSLVerification(true)).withCredential(auth).build();

        // 3. Obtain the public key information. The returned information is in PKCS8 format.
        final ShowPublicKeyRequest showPublicKeyRequest = new ShowPublicKeyRequest()
                .withBody(new OperateKeyRequestBody().withKeyId(keyId));
        final ShowPublicKeyResponse showPublicKeyResponse = kmsClient.showPublicKey(showPublicKeyRequest);

        // 4. Obtain the public key string.
        final String publicKeyStr = showPublicKeyResponse.getPublicKey().replace(RSA_PUBLIC_KEY_BEGIN, "")
                .replaceAll("\n", "").replace(RSA_PUBLIC_KEY_END, "");

        // 5. Obtain the binary public key.
        final X509EncodedKeySpec keySpec = new X509EncodedKeySpec(Base64.getDecoder().decode(publicKeyStr));
        final KeyFactory keyFactory = KeyFactory.getInstance("RSA", new BouncyCastleProvider());
        final PublicKey publicKey = keyFactory.generatePublic(keySpec);

        // 6. Encrypt the string "hello world!" offline using a public key.
        final Cipher cipher = Cipher.getInstance(RSAES_OAEP_SHA_256);
        final OAEPParameterSpec oaepParameterSpec = new OAEPParameterSpec(SHA_256, MGF1,
                new MGF1ParameterSpec(SHA_256), PSource.PSpecified.DEFAULT);
        cipher.init(Cipher.ENCRYPT_MODE, publicKey, oaepParameterSpec);
        final byte[] cipherData = cipher.doFinal(HELLO_WORLD.getBytes(StandardCharsets.UTF_8));

        // 7. Decrypt the ciphertext online using a private key.
        final DecryptDataRequest decryptDataRequest = new DecryptDataRequest()
                .withBody(new DecryptDataRequestBody().withKeyId(keyId)
                        .withEncryptionAlgorithm(DecryptDataRequestBody.EncryptionAlgorithmEnum.RSAES_OAEP_SHA_256)
                        .withCipherText(Base64.getEncoder().encodeToString(cipherData)));

        final DecryptDataResponse decryptDataResponse = kmsClient.decryptData(decryptDataRequest);

        assert HELLO_WORLD.equals(decryptDataResponse.getPlainText());
    }

}
Parent topic: KMS Related