Overview
-
KMS
-
Key Management Service (KMS) is a secure, reliable, and easy-to-use cloud service that helps you create, manage, and protect keys in a centralized manner.
It uses Hardware Security Modules (HSMs) to protect keys. All user keys are protected by root keys in HSMs to avoid key leakage.
It also controls access to keys and records all operations on keys with traceable logs. In addition, it provides use records of all keys, meeting your audit and regulatory compliance requirements.
-
Creating a Key
-
A customer master key (CMK) contains metadata, including key ID, key alias, description, key status, and creation date, as well as key materials used to encrypt and decrypt data.
On the KMS console, you can create a key, which will automatically generate key materials.
You can also import key materials to KMS for unified management as needed.
Region: All
-
-
Key Lifecycle Management
-
You can manage the entire lifecycle of the CMK on the KMS console.
Region: All
-
-
Data Encryption and Decryption
-
To encrypt or decrypt small volumes of data, such as passwords, certificates, and phone numbers, you can use the online tools on the KMS console or call the KMS APIs to encrypt or decrypt the data directly with a specified CMK.
To encrypt or decrypt large volumes of data, such as images, videos, and database files, use envelope encryption: the data is encrypted locally with a data encryption key (DEK), and only the DEK is sent to KMS to be encrypted under the CMK, so the bulk data itself never has to be transferred over the network.
-
-
Key Rotation
-
The more data a key encrypts and the longer it stays in use, the greater the exposure if it is ever compromised. To limit that exposure, you are advised to rotate keys periodically, that is, to replace their key material.
Periodic key rotation reduces the amount of data encrypted under any single key version, limits the impact of a security incident to the data encrypted under the affected version, and strengthens data isolation, thereby improving the security of encryption keys.
After key rotation is enabled, you will be charged for storing the key. Each rotated version is billed as an independent master key resource.
Region: All
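The two mechanisms above, envelope encryption and key rotation, interact: a ciphertext produced before a rotation must still be decryptable afterwards, which only works if the envelope records which key version wrapped its data key. The following Go program is an added example, not KMS code or a Huawei SDK call. It simulates the CMK with locally generated AES-256 key material (a real KMS keeps that material inside the HSM and exposes only wrap/unwrap-style operations) and uses AES-GCM for both the data key and the bulk data; the MasterKey, Envelope, EnvelopeEncrypt and EnvelopeDecrypt names are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// MasterKey simulates a KMS customer master key (CMK). Each rotation appends fresh
// key material; older versions are kept so DEKs wrapped under them still unwrap.
type MasterKey struct{ versions [][]byte }

func NewMasterKey() *MasterKey { mk := &MasterKey{}; mk.Rotate(); return mk }

// Rotate generates new 256-bit key material and returns its version number.
func (mk *MasterKey) Rotate() uint32 {
	mk.versions = append(mk.versions, random(32))
	return uint32(len(mk.versions) - 1)
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a crypto/rand failure is unrecoverable
	}
	return b
}

// gcm builds AES-256-GCM. Key lengths are fixed by this file, so an error is a bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// Wrap encrypts a data encryption key (DEK) under the current CMK version. Layout:
// 4-byte version || 12-byte nonce || GCM ciphertext+tag; the header is bound as AAD.
func (mk *MasterKey) Wrap(dek []byte) []byte {
	ver := uint32(len(mk.versions) - 1)
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, ver)
	nonce := random(12)
	out := append(append([]byte{}, hdr...), nonce...)
	return gcm(mk.versions[ver]).Seal(out, nonce, dek, hdr)
}

// Unwrap selects the CMK version named in the header and recovers the DEK.
func (mk *MasterKey) Unwrap(wrapped []byte) ([]byte, error) {
	if len(wrapped) < 16 {
		return nil, fmt.Errorf("wrapped key too short")
	}
	ver := binary.BigEndian.Uint32(wrapped[:4])
	if int(ver) >= len(mk.versions) {
		return nil, fmt.Errorf("unknown CMK version %d", ver)
	}
	return gcm(mk.versions[ver]).Open(nil, wrapped[4:16], wrapped[16:], wrapped[:4])
}

// Envelope is what gets stored with the data: wrapped DEK plus bulk ciphertext.
type Envelope struct{ WrappedDEK, Nonce, Ciphertext []byte }

// KeyVersion reports which CMK version wrapped this envelope's DEK.
func (e *Envelope) KeyVersion() uint32 { return binary.BigEndian.Uint32(e.WrappedDEK[:4]) }

// EnvelopeEncrypt encrypts bulk data locally with a one-time DEK; only the 32-byte
// DEK goes to the (simulated) KMS for wrapping, never the data itself.
func EnvelopeEncrypt(mk *MasterKey, plaintext []byte) *Envelope {
	dek, nonce := random(32), random(12)
	ct := gcm(dek).Seal(nil, nonce, plaintext, nil)
	wrapped := mk.Wrap(dek)
	for i := range dek { // the plaintext DEK is discarded once it is wrapped
		dek[i] = 0
	}
	return &Envelope{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}
}

// EnvelopeDecrypt unwraps the DEK via the KMS and decrypts locally; any change to
// the envelope fails GCM authentication and yields an error.
func EnvelopeDecrypt(mk *MasterKey, env *Envelope) ([]byte, error) {
	dek, err := mk.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcm(dek).Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	mk := NewMasterKey()
	env := EnvelopeEncrypt(mk, []byte("constructed sample: database dump"))
	mk.Rotate() // old envelopes still decrypt: they name their CMK version
	pt, err := EnvelopeDecrypt(mk, env)
	fmt.Printf("cmk version=%d err=%v plaintext=%q\n", env.KeyVersion(), err, pt)
}
```

Rotating the CMK changes only the material used for new wrap operations; data already encrypted is not re-encrypted, which is why the older versions must be retained (and, per the billing note above, are counted as key resources) until that data is re-wrapped or deleted.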
-
-
-
Signature Verification
-
Signature verification is a cryptographic mechanism for protecting the integrity and authenticity of data: a message is signed with a private key, and anyone holding the matching public key can verify that the message was not tampered with or forged in transit.
Region: All
-
-
Key Grants
-
You can create a grant that allows other IAM users or accounts to perform operations on your custom keys. Grants are created via API calls.
You can revoke a grant on the KMS console in either of the following scenarios:
- The grantee no longer uses the granted custom key. The grantee can either ask you to revoke the grant or call the required APIs to retire the grant directly.
- You no longer want the grantee to have the grant.
Region: All
-
-
Hardware True Random Numbers
-
A hardware true random number generator produces random numbers from physical processes rather than from a computer program. You can obtain random numbers ranging from 8 bits to 8,192 bits by calling the APIs.
Region: All
-
-
-
CSMS
-
Cloud Secret Management Service (CSMS) is a secure, reliable, and easy-to-use secret hosting service. Users and applications can use CSMS to create, retrieve, update, and delete secrets in a unified manner throughout the secret lifecycle. CSMS can help you reduce risks incurred by hardcoding, plaintext configuration, and permission abuse.
-
Creating a Secret
-
Currently, you can create shared secrets and RDS secrets on the CSMS console.
Full lifecycle management is supported for customized secrets in different scenarios. You can use CSMS to centrally manage, retrieve, and securely store various types of secrets, such as database account passwords, server passwords, SSH keys, and access keys. Multiple versions of a secret can be managed, so you can rotate secrets.
Leaked database credentials are a major cause of data breaches. CSMS supports hosting RDS secrets with automatic and manual rotation, covering various database secret management scenarios and reducing the security risks to service data.
Region: CN-Hong Kong, AP-Bangkok, AP-Singapore, AP-Jakarta, AF-Johannesburg, LA-Mexico City1, LA-Mexico City2, LA-Sao Paulo1, and LA-Santiago
-
-
Secret Rotation
-
Secrets need to be updated periodically to limit the damage a leaked secret can do. Without a secret manager, rotating a secret means updating it in every application and configuration that uses it, which is time-consuming, error-prone, and may cause service interruption.
With CSMS, you can conveniently manage multiple versions of a secret. Applications fetch the current version through the CSMS APIs or SDKs instead of carrying their own copy, so they pick up a rotated secret without manual edits to their configuration.
Region: CN-Hong Kong, AP-Bangkok, AP-Singapore, AP-Jakarta, AF-Johannesburg, LA-Mexico City1, LA-Mexico City2, LA-Sao Paulo1, and LA-Santiago
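The following Go program is an added example of the rotation pattern described above; it is not CSMS or Huawei SDK code. SecretStore stands in for a versioned secret manager and Database for the RDS instance, both simulated in memory; the names and the two-password grace period are assumptions of the example. What it shows is that an application which fetches the secret on demand, and refreshes only when its cached value is rejected, rides through a rotation without a redeploy, and why the new version must be written to the store before the database starts requiring it.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrAuth is what the protected service returns for a rejected credential.
var ErrAuth = errors.New("authentication failed")

// SecretStore simulates a versioned secret manager such as CSMS: each Put adds
// a version and the highest version is the current one.
type SecretStore struct{ versions map[string][]string }

func NewSecretStore() *SecretStore { return &SecretStore{versions: map[string][]string{}} }

// Put stores a new version of the secret.
func (s *SecretStore) Put(name, value string) {
	s.versions[name] = append(s.versions[name], value)
}

// Current returns the latest version of the secret.
func (s *SecretStore) Current(name string) (string, error) {
	if v := s.versions[name]; len(v) > 0 {
		return v[len(v)-1], nil
	}
	return "", fmt.Errorf("secret %q not found", name)
}

// Database simulates the service the secret protects (an RDS instance here).
// During a rotation it accepts both the old and the new password, so clients
// that have not refreshed yet keep working until the grace period ends.
type Database struct{ accepted []string }

func (d *Database) Connect(password string) error {
	for _, p := range d.accepted {
		if p == password {
			return nil
		}
	}
	return ErrAuth
}

// Client caches the secret and refreshes it from the store only when the
// cached value is rejected; no redeploy or restart is needed on rotation.
type Client struct {
	store     *SecretStore
	db        *Database
	name      string
	cached    string
	Refreshes int // how many times the secret was fetched from the store
}

func (c *Client) refresh() error {
	v, err := c.store.Current(c.name)
	if err != nil {
		return err
	}
	c.cached = v
	c.Refreshes++
	return nil
}

// Query connects with the cached secret; on ErrAuth it fetches the current
// version once and retries. An empty cache is just a rejected credential, so
// the first call takes the same path. Other errors are returned unchanged.
func (c *Client) Query() error {
	err := c.db.Connect(c.cached)
	if !errors.Is(err, ErrAuth) {
		return err
	}
	if err := c.refresh(); err != nil {
		return err
	}
	return c.db.Connect(c.cached)
}

// Rotate does what a rotation function would: store the new version first, then
// let the database accept it alongside the old one. Order matters: if the database
// changed first, a client refreshing in between would fetch the stale secret.
func Rotate(store *SecretStore, db *Database, name, newPassword string) {
	old, _ := store.Current(name)
	store.Put(name, newPassword)
	db.accepted = []string{old, newPassword}
}

func main() {
	store, db := NewSecretStore(), &Database{accepted: []string{"pw-v0"}}
	store.Put("rds/app", "pw-v0") // constructed sample secret
	app := &Client{store: store, db: db, name: "rds/app"}
	fmt.Println("before rotation:", app.Query(), "refreshes:", app.Refreshes)
	Rotate(store, db, "rds/app", "pw-v1")
	db.accepted = []string{"pw-v1"} // grace period over: only the new password works
	fmt.Println("after rotation:", app.Query(), "refreshes:", app.Refreshes)
}
```

The client refetches exactly once per rejection, so a secret that is wrong in the store (rather than merely stale in the cache) surfaces as an authentication error instead of a retry loop.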
-
-
Secret Event Notification
-
After you subscribe a secret to an event, an event notification is sent through Simple Message Notification (SMN) to the topic specified by that event whenever the event is enabled and one of its basic event types is triggered on the secret.
Basic event types include new secret version creation, secret version expiration, secret deletion, and secret rotation. After configuring event notification, you can use event-driven functions in FunctionGraph to rotate secrets automatically.
Region: CN-Hong Kong, AP-Bangkok, AP-Singapore, AP-Jakarta, AF-Johannesburg, LA-Mexico City1, LA-Mexico City2, LA-Sao Paulo1, and LA-Santiago
-
-
-
KPS
-
Key Pair Service (KPS) is a secure, reliable, and easy-to-use cloud service designed to manage and protect your SSH key pairs.
KPS uses HSMs to generate true random numbers which are then used to produce key pairs. In addition, it adopts a comprehensive, reliable key pair management solution to help you create, import, and manage key pairs with ease. The public key of a generated SSH key pair is stored in KPS while the private key can be downloaded and saved locally, which ensures the privacy and security of the key pair.
Region: CN-Hong Kong, AP-Bangkok, AP-Singapore, AP-Jakarta, AF-Johannesburg, LA-Mexico City1, LA-Mexico City2, LA-Sao Paulo1, and LA-Santiago
-
Creating a Key Pair
-
For system security purposes, it is recommended that you use key pair authentication rather than password authentication for users who log in to an ECS. You can create a key pair and use it for authentication when logging in to your ECS.
If you need to use your own key pair, for example, one created with PuTTYgen, you can import the public key on the management console and use the private key to log in to the ECS remotely. You can also host the private key in Huawei Cloud for unified management.
Region: CN-Hong Kong, AP-Bangkok, AP-Singapore, AP-Jakarta, AF-Johannesburg, LA-Mexico City1, LA-Mexico City2, LA-Sao Paulo1, and LA-Santiago
-
-
Using a Key Pair
-
You can use a key pair to log in to Linux ECSs password-free. This prevents password interception and cracking, improving ECS security.
When purchasing an ECS, you can choose to authenticate users trying to log in to your ECS with the SSH key pair provided by KPS, or use the key pair to obtain the password for logging in to a Windows ECS.
Region: CN-Hong Kong, AP-Bangkok, AP-Singapore, AP-Jakarta, AF-Johannesburg, LA-Mexico City1, LA-Mexico City2, LA-Sao Paulo1, and LA-Santiago
-
-
Using a Private Key
-
You can import local private keys to the KPS console for easy and unified management. Imported private keys are encrypted with keys provided by KMS, protecting them during storage, import, and export. You can download the private keys from the management console whenever you need them. Keep downloaded private keys safe: anyone who obtains a private key can log in to every ECS that trusts its public key.
Region: CN-Hong Kong, AP-Bangkok, AP-Singapore, AP-Jakarta, AF-Johannesburg, LA-Mexico City1, LA-Mexico City2, LA-Sao Paulo1, and LA-Santiago
-
-
-
Dedicated HSM
-
Dedicated Hardware Security Module (Dedicated HSM) is a cloud service used for encryption, decryption, signature, signature verification, key generation, and the secure storage of keys.
Dedicated HSM provides encryption hardware certified by China State Cryptography Administration (CSCA), guaranteeing data security and integrity on ECSs and meeting compliance requirements. Dedicated HSM allows you to securely and reliably manage keys generated by instances. It uses multiple encryption algorithms for data encryption and decryption.
Region: CN-Hong Kong, AP-Bangkok, AP-Singapore, LA-Mexico City1, LA-Sao Paulo1, and LA-Santiago
-
-
-
Audit Logs
-
Cloud Trace Service (CTS) records operations on the cloud resources in your account. You can use the logs generated by CTS to perform security analysis, track resource changes, audit compliance, and locate faults.
Once CTS is enabled, the system starts recording operations on DEW. You can check the records generated over the last seven days on the CTS console.
-
-
-
Permission Management
-
You can use Identity and Access Management (IAM) for refined permission management on DEW. With IAM, you can:
- Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has its own security credentials to access DEW resources.
- Grant users only the permissions required to perform a given task based on their job responsibilities.
- Delegate a trusted Huawei Cloud account or cloud service to perform professional, efficient O&M on your DEW resources.
-
-
APIs
-
DEW provides Representational State Transfer (REST) APIs. You can make HTTP or HTTPS requests to call the APIs to create, query, modify, and delete keys.
Region: All
-
-
SDKs
-
DEW SDKs help you integrate DEW into your own applications. The SDKs are available in Java, Python, C, Go, and .NET.
Region: All
-