Updated on 2024-03-27 GMT+08:00

Basic Concepts

This section describes the basic DEW concepts so that you can better understand and use DEW.

Table 1 Common encryption terms

| Term | Definition |
| --- | --- |
| Symmetric key encryption | Symmetric key encryption is also called dedicated key encryption. The sender and receiver use the same key to encrypt and decrypt data. Advantage: encryption and decryption are fast. Disadvantage: each pair of keys must be unique, so key management is difficult if there are a large number of users. Scenario: encrypting a large amount of data. |
| Asymmetric key encryption | Asymmetric key encryption is also called public key encryption. A pair of keys is used for encryption and decryption: one is a public key, and the other is a private key. Advantage: different keys are used for encryption and decryption, enhancing security. Disadvantage: encryption and decryption are slow. Scenario: encrypting sensitive information. |

Table 2 KMS terms

| Item | Definition |
| --- | --- |
| Hardware Security Module (HSM) | An HSM is a type of computer hardware that protects and manages the keys used by strong authentication systems and provides related cryptographic operations. |
| Customer Master Key (CMK) | A CMK is a main encryption key created by a user or a cloud service using KMS. It is used to encrypt and protect data encryption keys (DEKs); one CMK can be used to encrypt one or more DEKs. CMKs are categorized into custom keys and default keys. |
| Default key | A default key is created automatically by another cloud service using KMS, such as Object Storage Service (OBS). The alias of a default key ends with /default. |
| Key material | Key material is an essential input for cryptographic operations. A CMK consists of a key ID, metadata, and key material. |
| Envelope encryption | Envelope encryption is the practice of encrypting data with a DEK and then encrypting the DEK with a root key that you can fully manage. In this case, CMKs are not required for encrypting or decrypting the data itself. |
| Data Encryption Key (DEK) | A DEK is used to encrypt data. |
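The envelope encryption pattern from Table 2, as an added example that is not code from the DEW documentation or SDK: a local 32-byte root key stands in for the key that KMS would hold, and AES-256-GCM is assumed for both layers (the page does not state which algorithms DEW uses). Only the wrapped DEK and the ciphertext are stored; the plaintext DEK exists just long enough to encrypt or decrypt the data.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// random returns n bytes from the OS CSPRNG; a failure there is not recoverable.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// aead builds AES-GCM for key; a key that is not 16, 24 or 32 bytes is a caller bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}
// seal encrypts plaintext under key with a fresh nonce, which is prefixed to the output.
func seal(key, plaintext []byte) []byte {
	g := aead(key)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; a wrong key or any tampered byte fails the GCM tag check.
func open(key, sealed []byte) ([]byte, error) {
	g := aead(key)
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed input too short")
}
// Encrypt draws a fresh 256-bit DEK, encrypts data with it, then wraps the DEK under
// rootKey (the role KMS plays with a CMK, assumed here to be a local key).
func Encrypt(rootKey, data []byte) (wrappedDEK, ciphertext []byte) {
	dek := random(32)
	return seal(rootKey, dek), seal(dek, data)
}
// Decrypt unwraps the DEK with the root key, then decrypts the data with the DEK.
func Decrypt(rootKey, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := open(rootKey, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext)
}
```

Because the DEK is wrapped rather than stored, rotating or revoking the root key affects every DEK it wraps without re-encrypting the bulk data.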