Related Services
Related Services
KMS provides CMK management and encryption capabilities for cloud services. The following table lists the cloud services that can use KMS for encryption.
Service |
How to Use |
Reference |
---|---|---|
Object Storage Service (OBS) |
You can upload objects to and download them from OBS in common mode or server-side encryption mode. When you upload objects in encryption mode, data is encrypted at the server side and then securely stored on OBS in ciphertext. When you download encrypted objects, the data in ciphertext is decrypted at the server side and then provided to you in plaintext. OBS supports the server-side encryption with KMS-managed keys (SSE-KMS). In this mode, OBS uses the keys provided by KMS for server-side encryption. |
|
Elastic Volume Service (EVS) |
If you enable the encryption function when creating an EVS disk, the disk will be encrypted with the DEK generated by using your CMK. Data stored in the EVS disk will be automatically encrypted. |
|
Image Management Service (IMS) |
When creating a private image using an external image file, you can enable the private image encryption function and select a CMK provided by KMS to encrypt the image. |
|
Scalable File Service (SFS) |
When creating a file system on SFS, the CMK provided by KMS can be selected to encrypt the file system, so that files stored in the file system are automatically encrypted. |
|
Relational Database Service (RDS) |
When purchasing a database instance, you can enable the disk encryption function of the database instance and select a CMK created on KMS to encrypt the disk of the database instance. Enabling the disk encryption function will enhance data security. |
|
Document Database Service (DDS) |
When purchasing a DDS instance, you can enable the disk encryption function of the instance and select a CMK created on KMS to encrypt the disk of the instance. Enabling the disk encryption function will enhance data security. |
|
Elastic Cloud Server (ECS) |
ECS uses image encryption or data disk encryption to encrypt ECS resources.
|
|
Scalable File Service Turbo (SFS Turbo) |
When creating an SFS Turbo file system, use the key provided by KMS to encrypt the file system for core data security. |
|
Dedicated Host (DeH) |
User encryption allows you to use the encryption feature provided on the cloud platform to encrypt ECS resources, improving data security. User encryption includes image encryption and EVS disk encryption. |
|
FunctionGraph |
To decrypt sensitive data, such as database passwords and API keys, during function runtime, you can use the KMS SDK to dynamically operate keys. You can host encryption and decryption keys in KMS and create an agency in IAM for FunctionGraph to access KMS. |
|
Volume Backup Service (VBS) |
EVS backup encryption feature relies on KMS. If it is encrypted, its backup data will be stored in encrypted mode. |
|
Cloud Container Engine (CCE) |
You can use KMS keys to perform envelope encryption on Kubernetes Secret objects stored in CCE to protect sensitive data of applications. |
|
Dedicated Distributed Storage Service (DSS) |
EVS enables you to encrypt data on created disks as required. Keys used by encrypted EVS disks are provided by KMS of DEW, secure and convenient. Therefore, you do not need to establish and maintain the key management infrastructure. |
|
Cloud Container Instance (CCI) |
CCI allows you to mount EVS disks to a container and use KMS to encrypt EVS disks. |
|
SoftWare Repository for Container (SWR) |
SWR Enterprise Edition uses keys created in Data Encryption Workshop (DEW) to sign images, ensuring image consistency during distribution and deployment and preventing man-in-the-middle (MITM) attacks and unauthorized image updates and running. |
|
TaurusDB |
Transparent Data Encryption (TDE) performs real-time I/O encryption and decryption on data files. Data is encrypted before being written to disks and is decrypted when being read from disks to memory. This effectively protects the security of databases and data files. |
|
Cloud Operations Center (COC) |
COC uses KMS to encrypt your host accounts for better security. Before using KMS, create a key first. |
|
GaussDB(DWS) |
In GaussDB(DWS), you can enable database encryption for a cluster to protect static data. After you enable encryption, data of the cluster and its snapshots is encrypted. |
|
Cloud Data Migration (CDM) |
When migrating files to a file system, CDM can encrypt and decrypt the files using the keys provided by KMS. |
|
Data Security Center (DSC) |
You can use the encryption algorithms and encryption master keys to generate an encryption configuration for data masking. |
CTS
CTS provides you with a history of DEW operations. After the CTS service is enabled, you can view all generated traces to review and audit performed KMS operations. For details, see the Cloud Trace Service User Guide.
IAM
IAM provides permission management for DEW.
Only users who have KMS Administrator permissions can use DEW.
Only users who have the KMS Administrator and Server Administrator permissions can use the key pair function.
To apply for permissions, contact a user with Security Administrator permissions. For details, see the Identity and Access Management User Guide.
Enterprise Management
You can manage multiple projects in an enterprise, separately settle their costs, and assign them to different personnel. A project can be started or stopped independently without affecting others. With enterprise management, you can easily manage your projects after creating an enterprise project for each of them.
DEW supports enterprise management. You can manage DEW resources by enterprise project and grant different permissions to users.
TMS
Tag Management Service (TMS) is a quick and convenient visualized service for centralized tag management. You can add tags to custom keys to classify and trace custom keys and collect the usage of custom keys by tag.
RAM
Resource Access Manager (RAM) helps you securely share resources across accounts. You can create resources once in an account and use RAM to share the resources with specified principals, including organizations, organizational units, and accounts.
SMN
Simple Message Notification (SMN) provides the notification function. When a selected event is triggered for the target secret, CSMS sends a notification through SMN.
EG
EventGrid (EG) is a serverless event bus service provided by Huawei Cloud. When a selected event is triggered for the target secret, CSMS sends a notification through EG. When creating an event subscription, set Event Source to HC.DEW.CSMS. For details, see Creating an Event Subscription.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot