Esta página ainda não está disponível no idioma selecionado. Estamos trabalhando para adicionar mais opções de idiomas. Agradecemos sua compreensão.
- What's New
- Function Overview
- Service Overview
- Billing
- Getting Started
-
User Guide
- Key Management Service
- Cloud Secret Management Service
- Key Pair Service
- Dedicated HSM
- Tag Management
- Auditing Logs
- Activating a Dedicated HSM Instance Using a Shared VPC
- Updating a Resource Share
- Leaving a Resource Share
- Permission Control
-
Best Practices
- Key Management Service
- Cloud Secret Management Service
- General
-
API Reference
- Before You Start
- Calling APIs
- API Overview
-
APIs
-
Key Management APIs
- Key Lifecycle Management
- DEK Management
- Small-Size Data Encryption and Decryption
- Signature and Verification
- Key Tag Management
- Key API Version Query
- Querying Key API Versions
- Key Import Management
- Querying Keys
- Key Grant Management
- Key Rotation Management
- Dedicated Keystore Management
- Signature Verification
- Key Pair Management APIs
- Secret Management APIs
-
Key Management APIs
- Historical APIs
- Application Examples
- Permissions Policies and Supported Actions
- Appendix
- SDK Reference
-
FAQs
-
KMS Related
- What Is Key Management Service?
- What Is a Customer Master Key?
- What Is a Default Key?
- What Are the Differences Between a Custom Key and a Default Key?
- What Is a Data Encryption Key?
- Why Cannot I Delete a CMK Immediately?
- Which Cloud Services Can Use KMS for Encryption?
- How Do Huawei Cloud Services Use KMS to Encrypt Data?
- What Are the Benefits of Envelope Encryption?
- Is There a Limit on the Number of Custom Keys That I Can Create on KMS?
- Can I Export a CMK from KMS?
- Can I Decrypt My Data if I Permanently Delete My Custom Key?
- How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data?
- Can I Update CMKs Created by KMS-Generated Key Materials?
- When Should I Use a CMK Created with Imported Key Materials?
- What Should I Do When I Accidentally Delete Key Materials?
- How Are Default Keys Generated?
- What Should I Do If I Do Not Have the Permissions to Perform Operations on KMS?
- Why Can't I Wrap Asymmetric Keys by Using -id-aes256-wrap-pad in OpenSSL?
- Key Algorithms Supported by KMS
- What Should I Do If KMS Failed to Be Requested and Error Code 401 Is Displayed?
- What Is the Relationship Between the Ciphertext and Plaintext Returned by the encrypt-data API?
- CSMS Related
-
KPS Related
- How Do I Create a Key Pair?
- What Are a Private Key Pair and an Account Key Pair?
- How Do I Handle an Import Failure of a Key Pair Created Using PuTTYgen?
- What Should I Do When I Fail to Import a Key Pair Using Internet Explorer 9?
- How Do I Log In to a Linux ECS with a Private Key?
- How Do I Use a Private Key to Obtain the Password to Log In to a Windows ECS?
- How Do I Handle the Failure in Binding a Key Pair?
- How Do I Handle the Failure in Replacing a Key Pair?
- How Do I Handle the Failure in Resetting a Key Pair?
- How Do I Handle the Failure in Unbinding a Key Pair?
- Do I Need to Restart Servers After Replacing Its Key Pair?
- How Do I Enable the Password Login Mode for an ECS?
- How Do I Handle the Failure in Logging In to ECS After Unbinding the Key Pair?
- What Should I Do If My Private Key Is Lost?
- How Do I Convert the Format of a Private Key File?
- Can I Change the Key Pair of a Server?
- Can a Key Pair Be Shared by Multiple Users?
- How Do I Obtain the Public or Private Key File of a Key Pair?
- What Can I Do If an Error Is Reported When an Account Key Is Created or Upgraded for the First Time?
- Will the Account Key Pair Quota Be Occupied After a Private Key Pair Is Upgraded to an Account Key Pair?
-
Dedicated HSM Related
- What Is Dedicated HSM?
- How Does Dedicated HSM Ensure the Security for Key Generation?
- Do Equipment Room Personnel Has the Super Administrator Role to Steal Information by Using a Privileged UKey?
- What HSMs Are Used for Dedicated HSM?
- What APIs Does Dedicated HSM Support?
- How Do I Enable Public Access to a Dedicated HSM Instance?
- Pricing
- General
- Change History
-
KMS Related
- Videos
-
More Documents
- User Guide (ME-Abu Dhabi Region)
- User Guide (Paris and Amsterdam Regions)
-
User Guide (Kuala Lumpur Region)
- Service Overview
-
User Guide
- Key Management Service
- Cloud Secret Management Service
- Auditing Logs
- Permission Control
-
FAQs
-
KMS Related
- What Is Key Management Service?
- What Is a Customer Master Key?
- What Is a Default Key?
- What Are the Differences Between a Custom Key and a Default Key?
- What Is a Data Encryption Key?
- Why Cannot I Delete a CMK Immediately?
- Which Cloud Services Can Use KMS for Encryption?
- How Do Cloud Services Use KMS to Encrypt Data?
- What Are the Benefits of Envelope Encryption?
- Is There a Limit on the Number of Custom Keys That I Can Create on KMS?
- Can I Export a CMK from KMS?
- Can I Decrypt My Data if I Permanently Delete My Custom Key?
- How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data?
- Can I Update CMKs Created by KMS-Generated Key Materials?
- When Should I Use a CMK Created with Imported Key Materials?
- What Types of Keys Can I Import?
- What Should I Do When I Accidentally Delete Key Materials?
- How Are Default Keys Generated?
- What Should I Do If I Do Not Have the Permissions to Perform Operations on KMS?
- Why Can't I Wrap Asymmetric Keys by Using -id-aes256-wrap-pad in OpenSSL?
- Key Algorithms Supported by KMS
- What Should I Do If KMS Failed to Be Requested and Error Code 401 Is Displayed?
- What Is the Relationship Between the Ciphertext and Plaintext Returned by the encrypt-data API?
- How Does KMS Protect My Keys?
- Credential Related
-
KMS Related
- Change History
-
API Reference (ME-Abu Dhabi Region)
- Before You Start
- Calling APIs
- API Overview
-
APIs
- Creating a CMK
- Enabling a CMK
- Disabling a CMK
- Scheduling the Deletion of a CMK
- Canceling the Scheduled Deletion of a CMK
- Querying the List of CMKs
- Querying the Information About a CMK
- Creating a Random Number
- Creating a DEK
- Creating a Plaintext-Free DEK
- Encrypting a DEK
- Decrypting a DEK
- Querying the Number of Instances
- Querying the Quota of a User
- Changing the Alias of a CMK
- Changing the Description of a CMK
- Encrypting Data
- Decrypting Data
- Obtaining CMK Import Parameters
- Importing CMK Material
- Deleting CMK Material
- Querying CMK Instances
- Querying CMK Tags
- Querying Project Tags
- Adding or Deleting CMK Tags in Batches
- Adding a CMK Tag
- Deleting a CMK Tag
- Permissions Policies and Supported Actions
- Appendix
- Change History
-
API Reference (Paris and Amsterdam Regions)
- Before You Start
- Calling APIs
- API Overview
-
APIs
- Creating a CMK
- Enabling a CMK
- Disabling a CMK
- Scheduling the Deletion of a CMK
- Canceling the Scheduled Deletion of a CMK
- Querying the List of CMKs
- Querying the Information About a CMK
- Creating a Random Number
- Creating a DEK
- Creating a Plaintext-Free DEK
- Encrypting a DEK
- Decrypting a DEK
- Querying the Number of Instances
- Querying the Quota of a User
- Changing the Alias of a CMK
- Changing the Description of a CMK
- Creating a Grant
- Revoking a Grant
- Retiring a Grant
- Querying Grants on a CMK
- Querying Grants That Can Be Retired
- Encrypting Data
- Decrypting Data
- Obtaining CMK Import Parameters
- Importing CMK Material
- Deleting CMK Material
- Enabling Rotation for a CMK
- Changing the Rotation Interval for a CMK
- Disabling Rotation for a CMK
- Querying the Rotation Status of a CMK
- Appendix
- Change History
-
API Reference (Kuala Lumpur Region)
- Before You Start
- Calling APIs
- API Overview
-
APIs
- Creating a CMK
- Enabling a CMK
- Disabling a CMK
- Scheduling the Deletion of a CMK
- Canceling the Scheduled Deletion of a CMK
- Querying the List of CMKs
- Querying the Information About a CMK
- Creating a Random Number
- Creating a DEK
- Creating a Plaintext-Free DEK
- Encrypting a DEK
- Decrypting a DEK
- Querying the Number of Instances
- Querying the Quota of a User
- Changing the Alias of a CMK
- Changing the Description of a CMK
- Creating a Grant
- Revoking a Grant
- Retiring a Grant
- Querying Grants on a CMK
- Querying Grants That Can Be Retired
- Encrypting Data
- Decrypting Data
- Obtaining CMK Import Parameters
- Importing CMK Material
- Deleting CMK Material
- Enabling Rotation for a CMK
- Changing the Rotation Interval for a CMK
- Disabling Rotation for a CMK
- Querying the Rotation Status of a CMK
- Appendix
- Change History
- General Reference
Show all
Copied.
Getting Started with Common Practices
After completing basic operations such as creating keys, key pairs, and secrets, you can get started with common Data Encryption Workshop (DEW) practices as needed.
Practice |
Description |
|
---|---|---|
Data protection |
You can use online tools on the Key Management Service (KMS) console or call the necessary KMS APIs to directly encrypt or decrypt small-size data with a Customer Master Key (CMK), such as passwords, certificates, or phone numbers. |
|
If you want to encrypt or decrypt large volumes of data, such as pictures, videos, and database files, you can use envelope encryption, which allows you to encrypt and decrypt files without having to transfer a large amount of data over the network. |
||
Encryption Software Development Kit (SDK) can encrypt and decrypt data and file streams. You can easily encrypt and decrypt massive amounts of data simply by calling APIs. If large files and images are sent to KMS through HTTPS for encryption, a large number of network resources will be consumed and the encryption will be slow. You can use the encryption SDK to encrypt and decrypt local files. |
||
If a fault occurs during encryption or decryption in a region, you can use KMS to implement cross-region DR encryption and decryption, ensuring service continuity. |
||
When a large amount of files (such as images, electronic insurance policies, and important files) need to be transmitted or stored securely, you can use KMS to sign the file digest. When the files are used again, you can recalculate the digest for signature verification. Ensure that files are not tampered with during transmission or storage. |
||
Cloud services use KMS for encryption |
KMS supports one-click encryption for Elastic Cloud Server (ECS). The images and data disks of ECS can be encrypted.
|
|
When you enable server-side encryption in Object Storage Service (OBS):
Server-side encryption with KMS-managed keys (SSE-KMS) can be implemented for the objects to be uploaded. |
||
In case your services require encryption for the data stored on disks, KMS is integrated with Elastic Volume Service (EVS). You can use the key provided by KMS to encrypt the disk. |
||
When creating a private image, you can select KMS encryption and use the key provided by KMS to encrypt the image, ensuring image data security. |
||
After encryption is enabled, disk data will be encrypted and stored on the server when you create a Relational Database Service (RDS) database instance or expand disk capacity. When you download encrypted objects, the encrypted data will be decrypted on the server and displayed in plaintext. |
||
After encryption is enabled, disk data will be encrypted and stored on the server when you create a Document Database Service (DDS) database instance or expand disk capacity. When you download encrypted objects, the encrypted data will be decrypted on the server first. |
||
Secret encryption |
Generally, the secrets used for access are embedded in applications. To update a secret, you need to create a secret and spend time updating your applications. CSMS is required to manage credentials more conveniently, efficiently, and securely. |
|
You can use Identity and Access Management (IAM) to obtain temporary access keys for ECS to protect AKs and SKs. |
||
Use FunctionGraph and CSMS to generate, host, and rotate strong secure passwords periodically. |
||
You can update the information of a user in a secret. This is the most commonly used secret rotation policy. |
||
You can update the information of two users in a secret. To prevent access failures when changing the user password and updating the secret content, use the multi-user secret rotation policy to ensure high availability of applications. |
||
Use the function workflow template and CSMS to rotate IAM secrets. |
||
API calling |
If you receive an error message when calling an API, you can use exponential backoff to retry the request. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot