Using KMS for Encryption

Prerequisites

All the custom keys mentioned in this section are symmetric keys. For details about symmetric keys and asymmetric keys, see Keys Types.

Interacting with Huawei Cloud Services

Huawei Cloud services use the envelope encryption technology and call KMS APIs to encrypt service resources. Your CMKs are under your own management. With your grant, Huawei Cloud services use a specific custom key of yours to encrypt data. For details about cloud services using KMS for encryption, see Cloud Services with KMS Integrated.

Figure 1 How Huawei Cloud uses KMS for encryption
Click to enlarge

The encryption process is as follows:

Create a custom key on KMS.
Huawei Cloud services call the create-datakey API of the KMS to create a DEK. Then you get a plaintext DEK and a ciphertext DEK.

Ciphertext DEKs are generated when you use a CMK to encrypt the plaintext DEKs.
Huawei Cloud services use the plaintext DEK to encrypt a plaintext file, generating a ciphertext file.
Huawei Cloud services store the ciphertext DEK and ciphertext file in a persistent storage device or a storage service.

When users download the data from a Huawei Cloud service, the service uses the custom key specified by KMS to decrypt the ciphertext DEK, uses the decrypted DEK to decrypt data, and then provides the decrypted data for users to download.

Working with User Applications

To encrypt plaintext data, a user application can call the necessary KMS API to create a DEK. The DEK can then be used to encrypt the plaintext data. Then the application can store the encrypted data. In addition, the user application can call the KMS API to create CMKs. DEKs can be stored in ciphertext after being encrypted with the CMKs.

Envelope encryption is implemented, with CMKs stored in KMS and ciphertext DEKs in user applications. KMS is called to decrypt a ciphertext DEK only when necessary.

The encryption process is as follows:

The application calls the create-key API of KMS to create a custom key.
The application calls the create-datakey API of KMS to create a DEK. Then you get a plaintext DEK and a ciphertext DEK.

Ciphertext DEKs are generated when you use a CMK to encrypt the plaintext DEKs in 1.
The application uses the plaintext DEK to encrypt a plaintext file. A ciphertext file is generated.
The application saves the ciphertext DEK and the ciphertext file together in a persistent storage device or a storage service.

Cloud Services with KMS Integrated

KMS provides CMK management and encryption capabilities for cloud services.

**Table 1** Cloud services supported by KMS
Service Name	How to Use	Reference
Object Storage Service (OBS)	You can upload objects to and download them from OBS in common mode or server-side encryption mode. When you upload objects in encryption mode, data is encrypted at the server side and then securely stored on OBS in ciphertext. When you download encrypted objects, the data in ciphertext is decrypted at the server side and then provided to you in plaintext. OBS supports the server-side encryption with KMS-managed keys (SSE-KMS). In this mode, OBS uses the keys provided by KMS for server-side encryption.	Encrypting Data in OBS
Elastic Volume Service (EVS)	If you enable the encryption function when creating an EVS disk, the disk will be encrypted with the DEK generated by using your CMK. Data stored in the EVS disk will be automatically encrypted.	Encrypting Data in EVS
Image Management Service (IMS)	When creating a private image using an external image file, you can enable the private image encryption function and select a CMK provided by KMS to encrypt the image.	Encrypting Data in IMS
Scalable File Service (SFS)	When creating a file system on SFS, the CMK provided by KMS can be selected to encrypt the file system, so that files stored in the file system are automatically encrypted.	File System Encryption
Relational Database Service (RDS)	When purchasing a database instance, you can enable the disk encryption function of the database instance and select a CMK created on KMS to encrypt the disk of the database instance. Enabling the disk encryption function will enhance data security.	Encrypting an RDS DB Instance
Document Database Service (DDS)	When purchasing a DDS instance, you can enable the disk encryption function of the instance and select a CMK created on KMS to encrypt the disk of the instance. Enabling the disk encryption function will enhance data security.	Encrypting a DDS DB Instance
Elastic Cloud Server (ECS)	ECS uses image encryption or data disk encryption to encrypt ECS resources. When creating an ECS, if you select an encrypted image, the system disk of the created ECS automatically has encryption enabled, with its encryption mode same as the image encryption mode. For details about image encryption, see Encrypting Data in IMS. When creating an ECS, you can encrypt added data disks. For details about data disk encryption, see Encrypting Data in IMS.	Encrypting Data in ECS
Scalable File Service Turbo (SFS Turbo)	When creating an SFS Turbo file system, use the key provided by KMS to encrypt the file system for core data security.	Creating an SFS Turbo File System
Dedicated Host (DeH)	User encryption allows you to use the encryption feature provided on the cloud platform to encrypt ECS resources, improving data security. User encryption includes image encryption and EVS disk encryption.	Data Protection
FunctionGraph	To decrypt sensitive data, such as database passwords and API keys, during function runtime, you can use the KMS SDK to dynamically operate keys. You can host encryption and decryption keys in KMS and create an agency in IAM for FunctionGraph to access KMS.	Asset Identification and Management
Volume Backup Service (VBS)	EVS backup encryption feature relies on KMS. If it is encrypted, its backup data will be stored in encrypted mode.	Creating a VBS Backup
Cloud Container Engine (CCE)	You can use KMS keys to perform envelope encryption on Kubernetes Secret objects stored in CCE to protect sensitive data of applications.	Using KMS to Encrypt Secrets
Dedicated Distributed Storage Service (DSS)	EVS enables you to encrypt data on created disks as required. Keys used by encrypted EVS disks are provided by KMS of DEW, secure and convenient. Therefore, you do not need to establish and maintain the key management infrastructure.	Disk Encryption
Cloud Container Instance (CCI)	CCI allows you to mount EVS disks to a container and use KMS to encrypt EVS disks.	EVS Volumes
SoftWare Repository for Container (SWR)	SWR Enterprise Edition uses keys created in DEW to sign images, ensuring image consistency during distribution and deployment and preventing man-in-the-middle (MITM) attacks and unauthorized image updates and running.	Image Signature
TaurusDB	Transparent Data Encryption (TDE) performs real-time I/O encryption and decryption on data files. Data is encrypted before being written to disks and is decrypted when being read from disks to memory. This effectively protects the security of databases and data files.	Enabling TDE for a DB Instance
Cloud Operations Center (COC)	COC uses KMS to encrypt your host accounts for better security. Before using KMS, create a key first.	Key Management
GaussDB(DWS)	In GaussDB(DWS), you can enable database encryption for a cluster to protect static data. After you enable encryption, data of the cluster and its snapshots is encrypted.	Creating a GaussDB(DWS) Storage-Compute Coupled Cluster
Cloud Data Migration (CDM)	When migrating files to a file system, CDM can encrypt and decrypt the files using the keys provided by KMS.	Encryption and Decryption During File Migration
Data Security Center (DSC)	You can use the encryption algorithms and encryption master keys to generate an encryption configuration for data masking.	Configuring and Viewing Masking Rules
Workspace	You can use the key provided by KMS to encrypt disks when purchasing a workspace.	Purchasing Yearly/Monthly-billed Desktops
GeminiDB	You can use the key provided by KMS to encrypt static data in the database when purchasing a GeminiDB instance.	Buying and Connecting to a Cluster Instance