Help Center> Data Encryption Workshop> Service Overview> KMS> Using KMS
Updated on 2023-08-02 GMT+08:00
View PDF

Using KMS

Prerequisites

All the custom keys mentioned in this section are symmetric keys. For details about symmetric keys and asymmetric keys, see Keys Types.

Interacting with Huawei Cloud Services

Huawei Cloud services use the envelope encryption technology and call KMS APIs to encrypt service resources. Your CMKs are under your own management. With your grant, Huawei Cloud services use a specific custom key of yours to encrypt data.

Figure 1 How Huawei Cloud uses KMS for encryption
The encryption process is as follows:
  1. Create a custom key on KMS.
  2. Huawei Cloud services call the create-datakey API of the KMS to create a DEK. Then you get a plaintext DEK and a ciphertext DEK.

    Ciphertext DEKs are generated when you use a CMK to encrypt the plaintext DEKs.

  3. Huawei Cloud services use the plaintext DEK to encrypt a plaintext file, generating a ciphertext file.
  4. Huawei Cloud services store the ciphertext DEK and ciphertext file in a persistent storage device or a storage service.

When users download the data from a Huawei Cloud service, the service uses the custom key specified by KMS to decrypt the ciphertext DEK, uses the decrypted DEK to decrypt data, and then provides the decrypted data for users to download.

Table 1 List of cloud services that use KMS encryption

Service Name

Description

Object Storage Service (OBS)

You can upload objects to and download them from Object Storage Service (OBS) in common mode or server-side encryption mode. When you upload objects in encryption mode, data is encrypted at the server side and then securely stored on OBS in ciphertext. When you download encrypted objects, the data in ciphertext is decrypted at the server side and then provided to you in plaintext. OBS supports the server-side encryption with KMS-managed keys (SSE-KMS) mode. In SSE-KMS mode, OBS uses the keys provided by KMS for server-side encryption.

For details about how to upload objects to OBS in SSE-KMS mode, see the Object Storage Service Console Operation Guide.

Elastic Volume Service (EVS)

If you enable the encryption function when creating an EVS disk, the disk will be encrypted with the DEK generated by using your CMK. Data stored in the EVS disk will be automatically encrypted.

For details about how to use the encryption function of EVS, see Elastic Volume Service User Guide.

Image Management Service (IMS)

When creating a private image using an external image file, you can enable the private image encryption function and select a CMK provided by KMS to encrypt the image.

For details about how to use the private image encryption function of Image Management Service (IMS), see Image Management Service User Guide.

Scalable File Service (SFS)

When creating a file system on SFS, the CMK provided by KMS can be selected to encrypt the file system, so that files stored in the file system are automatically encrypted.

For details about how to use the file system encryption function of SFS, see Scalable File Service User Guide.

Relational Database Service (RDS)

When purchasing a database instance, you can enable the disk encryption function of the database instance and select a CMK created on KMS to encrypt the disk of the database instance. Enabling the disk encryption function will enhance data security.

For details about how to use the disk encryption function of RDS, see Relational Database Service User Guide.

Document Database Service (DDS)

When purchasing a DDS instance, you can enable the disk encryption function of the instance and select a CMK created on KMS to encrypt the disk of the instance. Enabling the disk encryption function will enhance data security.

For details about how to use the disk encryption function of DDS, see Document Database Service Getting Started.

Working with User Applications

To encrypt plaintext data, a user application can call the necessary KMS API to create a DEK. The DEK can then be used to encrypt the plaintext data. Then the application can store the encrypted data. In addition, the user application can call the KMS API to create CMKs. DEKs can be stored in ciphertext after being encrypted with the CMKs.

Envelope encryption is implemented, with CMKs stored in KMS and ciphertext DEKs in user applications. KMS is called to decrypt a ciphertext DEK only when necessary.

The encryption process is as follows:
  1. The application calls the create-key API of KMS to create a custom key.
  2. The application calls the create-datakey API of KMS to create a DEK. A plaintext DEK and a ciphertext DEK are generated.

    Ciphertext DEKs are generated when you use a CMK to encrypt the plaintext DEKs in 1.

  3. The application uses the plaintext DEK to encrypt a plaintext file. A ciphertext file is generated.
  4. The application saves the ciphertext DEK and the ciphertext file together in a persistent storage device or a storage service.

For details, see the Data Encryption Workshop API Reference.

Parent topic: KMS