Using KMS
Interacting with Cloud Services
Cloud services use the envelope encryption technology and call KMS APIs to encrypt service resources. Your CMKs are under your own management. With your grant, cloud services use a specific custom key of yours to encrypt data.
- Create a custom key on KMS.
- Cloud services call the create-datakey API of the KMS to create a DEK. Then you get a plaintext DEK and a ciphertext DEK.
Ciphertext DEKs are generated when you use a CMK to encrypt the plaintext DEKs.
- Cloud services use the plaintext DEK to encrypt a plaintext file, generating a ciphertext file.
- Cloud services store the ciphertext DEK and ciphertext file in a persistent storage device or a storage service.
When users download the data from a cloud service, the service uses the custom key specified by KMS to decrypt the ciphertext DEK, uses the decrypted DEK to decrypt data, and then provides the decrypted data for users to download.
Service Name |
Description |
---|---|
Object Storage Service (OBS) |
You can upload objects to and download them from Object Storage Service (OBS) in common mode or server-side encryption mode. When you upload objects in encryption mode, data is encrypted at the server side and then securely stored on OBS in ciphertext. When you download encrypted objects, the data in ciphertext is decrypted at the server side and then provided to you in plaintext. OBS supports the server-side encryption with KMS-managed keys (SSE-KMS) mode. In SSE-KMS mode, OBS uses the keys provided by KMS for server-side encryption. For details about how to upload objects to OBS in SSE-KMS mode, see the Object Storage Service Console Operation Guide. |
Elastic Volume Service (EVS) |
If you enable the encryption function when creating an EVS disk, the disk will be encrypted with the DEK generated by using your CMK. Data stored in the EVS disk will be automatically encrypted. For details about how to use the encryption function of EVS, see Elastic Volume Service User Guide. |
Image Management Service (IMS) |
When creating a private image using an external image file, you can enable the private image encryption function and select a CMK provided by KMS to encrypt the image. For details about how to use the private image encryption function of Image Management Service (IMS), see Image Management Service User Guide. |
Scalable File Service (SFS) |
When creating a file system on SFS, the CMK provided by KMS can be selected to encrypt the file system, so that files stored in the file system are automatically encrypted. For details about how to use the file system encryption function of SFS, see Scalable File Service User Guide. |
Relational Database Service (RDS) |
When purchasing a database instance, you can enable the disk encryption function of the database instance and select a CMK created on KMS to encrypt the disk of the database instance. Enabling the disk encryption function will enhance data security. For details about how to use the disk encryption function of RDS, see Relational Database Service User Guide. |
Document Database Service (DDS) |
When purchasing a DDS instance, you can enable the disk encryption function of the instance and select a CMK created on KMS to encrypt the disk of the instance. Enabling the disk encryption function will enhance data security. For details about how to use the disk encryption function of DDS, see Document Database Service User Guide. |
Working with User Applications
To encrypt plaintext data, a user application can call the necessary KMS API to create a DEK. The DEK can then be used to encrypt the plaintext data. Then the application can store the encrypted data. In addition, the user application can call the KMS API to create CMKs. DEKs can be stored in ciphertext after being encrypted with the CMKs.
Envelope encryption is implemented, with CMKs stored in KMS and ciphertext DEKs in user applications. KMS is called to decrypt a ciphertext DEK only when necessary.
- The application calls the create-key API of KMS to create a custom key.
- The application calls the create-datakey API of KMS to create a DEK. A plaintext DEK and a ciphertext DEK are generated.
Ciphertext DEKs are generated when you use a CMK to encrypt the plaintext DEKs in 1.
- The application uses the plaintext DEK to encrypt a plaintext file. A ciphertext file is generated.
- The application saves the ciphertext DEK and the ciphertext file together in a persistent storage device or a storage service.
For details, see the Data Encryption Workshop API Reference.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot