How Do I Use a DEK?
A data encryption key (DEK) is used to encrypt data.
Using KMS, you can create, encrypt, and decrypt DEKs. KMS does not store, manage, or track your DEKs, nor does it use them to encrypt or decrypt data.
Creating a DEK
KMS supports creating, encrypting, and decrypting DEKs only through API calls. You can create a DEK in either of the following ways:
- If you call the create-datakey API, it returns both the plaintext DEK and the ciphertext DEK (the plaintext DEK encrypted with the specified CMK).
- If you call the create-datakey-without-plaintext API, it returns only the ciphertext DEK encrypted with the specified CMK. If you need the plaintext DEK later, call the decrypt-datakey API to decrypt the ciphertext DEK.
Encrypting Data with a DEK
KMS does not encrypt data with DEKs. Use another encryption library (for example, OpenSSL) to encrypt data with the DEK.
- Obtain a plaintext DEK as described in Creating a DEK.
- Use the plaintext DEK to encrypt the data.
- Delete the plaintext DEK, and store the ciphertext DEK safely together with the encrypted data.
Decrypting Data with a DEK
KMS does not decrypt data with DEKs. Use another encryption library (for example, OpenSSL) to decrypt data with the DEK.
- Make sure the encrypted data and the ciphertext DEK are available.
- Call the decrypt-datakey API to decrypt the ciphertext DEK. It returns the plaintext DEK that was used to encrypt the data.
- Use the plaintext DEK to decrypt the data.
- Delete the plaintext DEK.
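The two procedures above, as an added example in Go that is not code from this page or from the KMS SDK: the KMS interface is an assumed stand-in for the create-datakey and decrypt-datakey API calls, and AES-256-GCM from the Go standard library takes the place of OpenSSL for the local encryption step. The plaintext DEK is wiped as soon as each step is done, and only the ciphertext DEK is stored next to the encrypted data.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)
// KMS stands in for the create-datakey and decrypt-datakey API calls (assumed, not the SDK).
type KMS interface {
	CreateDataKey() (plain, wrapped []byte, err error)
	DecryptDataKey(wrapped []byte) (plain []byte, err error)
}
// Envelope is what gets stored: the ciphertext DEK travels with the data, the plaintext DEK never does.
type Envelope struct{ WrappedDEK, Nonce, Ciphertext []byte }
func gcmFor(dek []byte) (cipher.AEAD, error) { // local AES-256-GCM built from a plaintext DEK
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Encrypt: obtain a DEK, encrypt locally, wipe the plaintext DEK, keep only the ciphertext DEK.
func Encrypt(kms KMS, data []byte) (*Envelope, error) {
	plain, wrapped, err := kms.CreateDataKey()
	if err != nil {
		return nil, err
	}
	defer clear(plain) // page step 3: the plaintext DEK is deleted once encryption is done
	aead, err := gcmFor(plain)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, data, wrapped) // ciphertext DEK bound as AAD: a swapped DEK fails to open
	return &Envelope{wrapped, nonce, ct}, nil
}
// Decrypt: unwrap the DEK through KMS, decrypt locally, wipe the plaintext DEK.
func Decrypt(kms KMS, env *Envelope) ([]byte, error) {
	plain, err := kms.DecryptDataKey(env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	defer clear(plain) // page step 4: the plaintext DEK is deleted after use
	aead, err := gcmFor(plain)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, env.WrappedDEK)
}
```

A real KMS client plugs in by implementing the two-method interface; the envelope layout (ciphertext DEK, nonce, ciphertext) is the only state that needs to persist.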