Key Management Service
The Key Management Service (KMS) is a secure and easy-to-use service for hosting encryption keys on the cloud. KMS uses hardware security modules (HSMs) to protect your keys and can be integrated with other services on HUAWEI CLOUD to protect the data stored in those services. You can also build your own encryption applications on KMS and leave the complex key management to it, so you can focus on your core business.
Major Issue: HSMs are costly to purchase and deploy, and key management regulations require a lot of human resources to formulate and implement.
Solution: You don't need to buy expensive HSMs, nor allocate separate security zones for them. KMS is available whenever needed and charges by actual usage. Log in to the console, click Create, and a secure and reliable KMS is instantly at your service.
Major Issue: Enterprises tend to use earlier HSM models to save costs. These models rely on offline backup, which carries data reliability risks.
Solution: KMS uses industry-leading HSMs to ensure key security and a distributed architecture to enhance availability.
Major Issue: HSM management calls for professionals who must learn the varying standards of different vendors, costing a lot of human resources, time, and capital. Securely deploying HSMs also requires capital and human resources.
Solution: Once a key is created with one click, encryption services are immediately available. Key deletion is scheduled rather than immediate, so that deletion is secure and a mistaken deletion does not leave data undecryptable. A key can also be disabled with one click to stop data leakage in an emergency.
Major Issue: Encrypt data stored in other services on HUAWEI CLOUD and control the keys used.
Solution: KMS can be integrated with other HUAWEI CLOUD services to encrypt the data stored in them, while the keys used remain under your control in KMS.
Major Issue: Audit operations on keys in KMS.
Solution: KMS is integrated with the Cloud Trace Service (CTS), which makes all key-related operations traceable.
Root keys: Protected by HSMs and cannot be obtained by anyone, directly or indirectly. Root keys are used to encrypt and protect CMKs.
Customer master keys (CMKs): Encrypted by root keys and saved in HSMs. No one can obtain the plaintext of a CMK, directly or indirectly. CMKs are used to encrypt and protect DEKs.
Data encryption keys (DEKs): Encrypted by CMKs and saved by users. Only those with permissions on the corresponding CMK can obtain the plaintext of a DEK. DEKs are used to encrypt and protect users' data.
- KMS lets users manage their keys conveniently and use DEKs to encrypt data at any time, keeping that data secure.
- Data is encrypted with DEKs, DEKs are encrypted with CMKs, and CMKs are encrypted with root keys held in HSMs. As the root of this chain of trust, the HSMs ensure that root keys cannot be obtained by external users.
- In addition, TLS 1.2 encrypted channels are used for communication between HSMs and KMS, and between KMS and users' applications, so the chain of trust extends reliably to the caller.
Online games, personal cloud services, location-based services, and mobile applications
- Data leaks can occur when an enterprise stores users' private data, such as account settings, photos, audio and video files, location information, and browsing history, in general-purpose storage services. KMS offers a simple, easy-to-use encryption and decryption solution that safeguards users' personal data on HUAWEI CLOUD and keeps enterprises clear of the liability a leak would bring.
TV stations, new media services, publishing houses, and print media
- Media enterprises' core competitiveness lies in their massive stores of original text, pictures, and audio and video material. KMS protects this core service data against leaks and provides a trustworthy encryption and decryption solution that helps enterprises move their business to the cloud.
Knowledge-intensive institutions and governments' public sectors
- These institutions hold important information assets, such as education, science and technology, culture, and healthcare data. With a high-security, low-cost encryption and decryption solution, KMS safeguards these key information assets.
Proactive Key Management
To keep users' encrypted data secure, KMS does not store DEKs, in either plaintext or ciphertext form. Instead, users manage their own CMKs, which control who can obtain and use the DEKs.
HSMs As Root of Trust
Key encryption and decryption are performed inside HSMs. As the root of trust, the HSMs ensure the security of CMKs in KMS, and the CMKs in turn ensure the security of DEKs. Together this forms a complete chain of trust.
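The key hierarchy described above (root key protects CMK, CMK protects DEK, DEK protects data) is the envelope-encryption pattern, and the two properties just listed, that KMS keeps no DEK and that the CMK never leaves the HSM boundary, follow from where each operation runs. The Go program below is an added example, not Huawei Cloud's code or SDK: it models the KMS boundary with an in-memory fakeKMS type whose CMKs are never returned to callers, wraps each DEK under a CMK with AES-256-GCM, seals the data under the DEK, and shows that disabling the CMK (the emergency control mentioned earlier) makes every later decryption fail. All names (fakeKMS, GenerateDataKey, DecryptDataKey, Envelope, "cmk-demo") and the sample record are constructed for the example; the real service has HSM-held root keys above the CMK, which this stand-in omits.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// fakeKMS stands in for the KMS service boundary so the example runs offline.
// Assumption (not Huawei Cloud's code): in the real service a CMK lives inside an
// HSM and is itself wrapped by a root key; here it is an in-memory 256-bit key.
type fakeKMS struct {
	cmks     map[string][]byte // CMK id -> key material, never returned to callers
	disabled map[string]bool
}
func newFakeKMS() *fakeKMS { return &fakeKMS{cmks: map[string][]byte{}, disabled: map[string]bool{}} }

// CreateCMK makes key material inside the "HSM"; callers only ever see the id.
func (k *fakeKMS) CreateCMK(id string) { k.cmks[id] = randBytes(32) }
// DisableCMK models the one-click disable: every later unwrap under this CMK fails.
func (k *fakeKMS) DisableCMK(id string) { k.disabled[id] = true }

func (k *fakeKMS) cmk(id string) ([]byte, error) {
	if key, ok := k.cmks[id]; ok && !k.disabled[id] {
		return key, nil
	}
	return nil, fmt.Errorf("kms: CMK %q unknown or disabled", id)
}

// GenerateDataKey returns a fresh DEK in plaintext and CMK-wrapped form; KMS keeps
// neither. The CMK id is bound as associated data so a wrapped DEK cannot be
// presented to a different CMK.
func (k *fakeKMS) GenerateDataKey(cmkID string) (plain, wrapped []byte, err error) {
	key, err := k.cmk(cmkID)
	if err != nil {
		return nil, nil, err
	}
	plain = randBytes(32)
	return plain, seal(key, plain, []byte(cmkID)), nil
}

// DecryptDataKey unwraps a DEK; the CMK itself never leaves the KMS boundary.
func (k *fakeKMS) DecryptDataKey(cmkID string, wrapped []byte) ([]byte, error) {
	key, err := k.cmk(cmkID)
	if err != nil {
		return nil, err
	}
	return open(key, wrapped, []byte(cmkID))
}

// Primitive helpers. must turns errors that cannot occur by construction here (bad AES key length, broken RNG) into panics.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func randBytes(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal returns nonce||ciphertext||tag under AES-256-GCM; open verifies and reverses it.
func seal(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := randBytes(aead.NonceSize()) // fresh random nonce per message
	return aead.Seal(nonce, nonce, plaintext, aad)
}
func open(key, blob, aad []byte) ([]byte, error) {
	aead := gcm(key)
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, fmt.Errorf("open: ciphertext shorter than nonce")
}

// Envelope is what the application stores next to its data: the id of the CMK, the
// DEK in wrapped form and the ciphertext. No plaintext key is ever persisted.
type Envelope struct{ CMKID string; WrappedDEK, Ciphertext []byte }

func EncryptEnvelope(k *fakeKMS, cmkID string, data []byte) (Envelope, error) {
	dek, wrapped, err := k.GenerateDataKey(cmkID)
	if err != nil {
		return Envelope{}, err
	}
	// the plaintext DEK is used exactly once, here, and then dropped
	return Envelope{CMKID: cmkID, WrappedDEK: wrapped, Ciphertext: seal(dek, data, nil)}, nil
}

func DecryptEnvelope(k *fakeKMS, env Envelope) ([]byte, error) {
	dek, err := k.DecryptDataKey(env.CMKID, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, nil)
}

func main() {
	kms := newFakeKMS()
	kms.CreateCMK("cmk-demo")
	env, _ := EncryptEnvelope(kms, "cmk-demo", []byte("constructed sample record"))
	got, err := DecryptEnvelope(kms, env)
	kms.DisableCMK("cmk-demo") // emergency disable: unwrap is refused, data stays sealed
	_, err2 := DecryptEnvelope(kms, env)
	fmt.Printf("roundtrip %q (%v); after disable: %v\n", got, err, err2)
}
```

GenerateDataKey and DecryptDataKey are the only two places the CMK is touched, which is the property the feature list relies on: the application stores the wrapped DEK beside the ciphertext, and an attacker who steals both still needs a permitted call against the CMK to read anything. Flipping a ciphertext byte fails on the GCM tag, and presenting the wrapped DEK to a different CMK fails because the CMK id is bound as associated data.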
Lightning Fast, On-demand, Pay-As-You-Go
Users do not need to buy expensive HSMs, nor worry about the extra management cost of idle devices. KMS is available immediately upon enabling and is charged by actual usage, saving considerable human resources and costs.