Help Center/ Data Encryption Workshop/ Service Overview/ Basic Concepts
Updated on 2025-06-23 GMT+08:00
View PDF
Share

Basic Concepts

This section describes the basic concepts in DEW, helping you understand and use DEW better.

Symmetric Key Encryption

Symmetric key encryption is also called dedicated key encryption. The sender and receiver use the same key to encrypt and decrypt data.

Advantage: Encryption and decryption are fast.

Disadvantage: Each pair of keys must be unique, making key management difficult when there are a large number of users.

Scenario: Encrypt a large amount of data.

Encryption process: Assume there is a plaintext message "Hello", the sender uses a symmetric key (for example, key123) and a symmetric cryptographic algorithm (for example, AES) to encrypt "Hello" into ciphertext, for example, "# %&*". After receiving the ciphertext, the receiver uses the same key123 and AES algorithm to decrypt "#%&*" back to "Hello".

For details, see Key Types.

Asymmetric Key Encryption

Asymmetric key encryption is also called public key encryption. A pair of keys are used for encryption and decryption. One is a public key, and the other is a private key.

Advantage: Different keys are used for encryption and decryption, ensuring high security.

Disadvantage: Encryption and decryption are slow.

Scenario: Encrypt sensitive information.

Encryption process: Assume that the sender needs to send a message "secret plan" to the receiver. The sender obtains the public key of the receiver (for example, public_key_A) and uses the public key to encrypt "secret plan" into ciphertext "@#$ %^&". After receiving the ciphertext, the receiver uses the private key (for example, private_key_A) to decrypt the ciphertext into the plaintext "secret plan". In this way, even if the public key is obtained by others, the ciphertext cannot be decrypted because they do not have the corresponding private key.

For details, see Key Types.

HMAC Algorithms

Hash-based Message Authentication Code (HMAC) is a key-based message authentication code algorithm. To use HMAC is to combine information with a key, and encrypt the result using a hash function, thereby protecting information integrity and verifying information.

Digital Signature

A digital signature is also known as a public key digital signature, which is used to verify the authenticity and integrity of a message. After the encrypted information is signed and sent to the receiver through a private key, the receiver decrypts the information and verifies the signature using a public key. For security purposes, information is compared thoroughly to protect the electronic files from being tampered or masqueraded.

HSM

A Hardware Security Module (HSM) is a type of computer hardware that protects and manages the keys used by strong authentication systems and provides related cryptographic operations.

CMK

A customer master key (CMK), the highest level of keys in a cryptographic system, generates and manages other keys, including session keys and data encryption keys, or directly encrypts important data. It is vital to protect its security and confidentiality. Once a CMK is leaked, the entire cryptographic system may be severely threatened.

A CMK features the following:

  • High security: A master key is generally the most sensitive key in a system and needs to be strictly protected. It is usually stored in a secure hardware device, such as an HSM.
  • Long-term use: A master key has a long lifecycle and will not be frequently changed to ensure system stability and consistency.
  • Multi-usage: A master key can be used for various encryption operations, including subkey generation, data encryption, and signature verification.
  • Uniqueness: A master key is unique in a cryptographic system. In a distributed system, each node or region may have its own master key.

A master key includes a custom key and a default key. You can create, view, enable, disable, schedule the deletion of, and cancel the deletion of custom keys.

  • Custom keys can be used across regions for data encryption and decryption by creating replica keys, improving service efficiency.
  • Custom keys include symmetric keys and asymmetric keys.
    • Symmetric keys are most commonly used for data encryption protection.
    • Asymmetric keys are used for digital signature verification or sensitive information encryption in systems where the trust relationship is not mutual. An asymmetric key consists of a public key and a private key. The public key can be sent to anyone. The private key must be securely stored and only accessible to trusted users.
    • An asymmetric key can be used to generate and verify a signature. To securely transfer data, a signer sends the public key to a receiver, uses the private key to sign data, and then sends the data and signature to the receiver. The receiver can use the public key to verify the signature.

Replica Key

A replica key is a key generated by replicating the master key in DEW. The replica key and the master key share the same key materials. It can be used for cross-region data encryption and decryption. It ensures flexibility and high availability in DEW, but requires proper management to ensure security and compliance.

A replica key features the following:

  • Cross-region use: A replica key can be used in different regions for key sharing. It is highly applicable in scenarios where cross-region data encryption and decryption are required, for example, in a distributed system or cloud service environment.
  • High availability: You can create replica keys in multiple regions to improve system availability. If one region is faulty, replica keys in other regions can still work properly.
  • Restrictions:
    • You can only enable, disable, and encrypt or decrypt replica keys online. Key rotation is not supported.
    • Replica keys can be created only in CN North-Beijing4, CN South-Guangzhou, CN Southwest-Guiyang1, CN East-Shanghai1, AP-Singapore, and ME-Riyadh.
      For each master key, multiple replica keys can be created in different regions. However, only one replica key can be created for a master key in each region.
      Table 1 Regions of master keys and replica keys

      Master Key Region

      Replica Key Region

      CN North-Beijing4
      • CN East-Shanghai1
      • CN South-Guangzhou
      • CN Southwest-Guiyang1

      CN South-Guangzhou
      • CN North-Beijing4
      • CN East-Shanghai1
      • CN Southwest-Guiyang1

      CN Southwest-Guiyang1
      • CN East-Shanghai1
      • CN South-Guangzhou
      • CN North-Beijing4

      CN East-Shanghai1
      • CN North-Beijing4
      • CN South-Guangzhou
      • CN Southwest-Guiyang1

      AP-Singapore

      ME-Riyadh

      ME-Riyadh

      AP-Singapore

Relationship between the master key and replica key:

  • The master key is the source of the replica key: The replica key is generated from the master key and is used for data encryption across regions or in a distributed environment.
  • Updating the master key affects the replica key: If the master key needs to be updated or rotated, the replica key needs to be regenerated to ensure encryption consistency of the entire system.

Default Key

A default key is automatically created by another cloud service using KMS, such as Object Storage Service (OBS). The alias of a default key ends with /default. The default key cannot be disabled and does not support scheduled deletion. For details about cloud services that support KMS encryption, see Cloud Services with KMS Integrated.

Key Materials

Key materials are important inputs to cryptographic operations. They are used to encrypt and decrypt key data. A CMK consists of key materials, key IDs, and basic metadata. For details about how to import key materials, see Importing Key Materials.

Envelope Encryption

Envelope encryption is the practice of encrypting data with a DEK and then encrypting the DEK with a root key that you can fully manage. In this case, CMKs are not required for encryption or decryption.

DEK

A data encryption key (DEK) is used to encrypt data.

SSH Key Pair

An SSH key pair is used for encrypting and verifying SSH network connections. Each SSH key pair consists of a private key and a public key.

  • A private key is an encrypted file which can only be accessed by the owner.
  • A public key is an unencrypted file which can be shared with anyone. If you are connecting to another user's computer, you can use the public key to encrypt messages and the private key to decrypt.

The private key can be accessed only by the owner and the public key can be shared with others. As a result, SSH key pairs are more secure than conventional password verification.

For details about key pairs, see Key Pair Service.

Private Key Pair

A private key pair can be viewed or used only by the current account. For details, see Creating a Key Pair.

Account Key Pair

An account key pair can be viewed or used by all users under the account. A private key pair can be upgraded to an account key pair. For details, see Upgrading a Key Pair.

Secrets

A secret is used to verify identity and authorize access. In the information security and identity authentication fields, a secret is a key mechanism to ensure that only authorized users can access the system, resources, or services. Secrets include usernames and passwords, digital certificates, key pairs (public and private keys), tokens, biometric information, one-time passwords (OTPs), and smart cards.

For details, see Secret Overview.