Using KMS for Encryption

Interacting with Cloud Services

Cloud services use the envelope encryption technology and call KMS APIs to encrypt service resources. Your CMKs are under your own management. With your grant, cloud services use a specific custom key of yours to encrypt data.

The encryption process is as follows:

Create a custom key on KMS.
Cloud services call the create-datakey API of the KMS to create a DEK. Then you get a plaintext DEK and a ciphertext DEK.

Ciphertext DEKs are generated when you use a CMK to encrypt the plaintext DEKs.
Cloud services use the plaintext DEK to encrypt a plaintext file, generating a ciphertext file.
Cloud services store the ciphertext DEK and ciphertext file in a persistent storage device or a storage service.

When users download the data from a cloud service, the service uses the custom key specified by KMS to decrypt the ciphertext DEK, uses the decrypted DEK to decrypt data, and then provides the decrypted data for users to download.

**Table 1** Cloud services supported by KMS
Service	How to Use	Reference
Object Storage Service (OBS)	You can upload objects to and download them from OBS in common mode or server-side encryption mode. When you upload objects in encryption mode, data is encrypted at the server side and then securely stored on OBS in ciphertext. When you download encrypted objects, the data in ciphertext is decrypted at the server side and then provided to you in plaintext. OBS supports the server-side encryption with KMS-managed keys (SSE-KMS). In this mode, OBS uses the keys provided by KMS for server-side encryption.	Object Storage Service Console Operation Guide
Elastic Volume Service (EVS)	If you enable the encryption function when creating an EVS disk, the disk will be encrypted with the DEK generated by using your CMK. Data stored in the EVS disk will be automatically encrypted.	Elastic Volume Service User Guide
Image Management Service (IMS)	When creating a private image using an external image file, you can enable the private image encryption function and select a CMK provided by KMS to encrypt the image.	Image Management Service User Guide
Scalable File Service (SFS)	When creating a file system on SFS, the CMK provided by KMS can be selected to encrypt the file system, so that files stored in the file system are automatically encrypted.	Scalable File Service User Guide
Relational Database Service (RDS)	When purchasing a database instance, you can enable the disk encryption function of the database instance and select a CMK created on KMS to encrypt the disk of the database instance. Enabling the disk encryption function will enhance data security.	Relational Database Service User Guide
Document Database Service (DDS)	When purchasing a DDS instance, you can enable the disk encryption function of the instance and select a CMK created on KMS to encrypt the disk of the instance. Enabling the disk encryption function will enhance data security.	Document Database Service User Guide

Working with User Applications

To encrypt plaintext data, a user application can call the necessary KMS API to create a DEK. The DEK can then be used to encrypt the plaintext data. Then the application can store the encrypted data. In addition, the user application can call the KMS API to create CMKs. DEKs can be stored in ciphertext after being encrypted with the CMKs.

Envelope encryption is implemented, with CMKs stored in KMS and ciphertext DEKs in user applications. KMS is called to decrypt a ciphertext DEK only when necessary.

The encryption process is as follows:

The application calls the create-key API of KMS to create a custom key.
The application calls the create-datakey API of KMS to create a DEK. A plaintext DEK and a ciphertext DEK are generated.

Ciphertext DEKs are generated when you use a CMK to encrypt the plaintext DEKs in 1.
The application uses the plaintext DEK to encrypt a plaintext file. A ciphertext file is generated.
The application saves the ciphertext DEK and the ciphertext file together in a persistent storage device or a storage service.