Creates a new secret version in the specified secret to encrypt and store secret values randomly generated in the background. At the same time, the newly created secret version is marked as SYSCURRENT. Constraints: The RotateSecret API does not support rotation of common secrets.
Constraints: Default keys cannot be used to encrypt or decrypt such data with the tool. Asymmetric keys cannot be used to encrypt or decrypt such data with the tool. You can call an API to use a default key to encrypt or decrypt small volumes of data.
This section describes how to call a KMS API and use a CMK to encrypt or decrypt data. Process: Create a CMK in KMS. Call the encrypt-data API of KMS to encrypt plaintext data by using a CMK. Deploy ciphertext certificates on your servers.
Creating a Secret Version. Function: Creates a new secret version in the specified secret to encrypt and keep the new secret value. By default, the latest secret version is in the SYSCURRENT state. The previous version is in the SYSPREVIOUS state.
You can create a new version of a secret to encrypt and keep a new secret value. By default, the latest secret version is in the SYSCURRENT state. The previous version is in the SYSPREVIOUS state.
For symmetric keys, the same key is used to encrypt and decrypt data, which is fast and efficient and is suitable for encrypting a large amount of data. For asymmetric keys, a key pair, that is, a public key and a private key, is used for encryption and decryption.
Advantages Extensive Service Integration By integrating with OBS, EVS, and IMS, you can use KMS to manage the keys of the services or use KMS APIs to encrypt and decrypt local data.
You need to call APIs to encrypt and decrypt a large amount of data.
For details about how to encrypt or decrypt a large amount of data, see Encrypting or Decrypting a Large Amount of Data. Parent topic: KMS
Billing Examples Billing Scenario A user created a symmetric key at 14:25:00 on May 18, 2023 and used the key to encrypt OBS. During the use of the key, 164,573 API requests were generated. The user stopped using the key and deleted it at 16:14:00 on June 29, 2023.
Ciphertext DEKs are generated when you use a CMK to encrypt the plaintext DEKs. Huawei Cloud services use the plaintext DEK to encrypt a plaintext file, generating a ciphertext file.
Key Management Service Using KMS to Encrypt Offline Data Using KMS to Encrypt and Decrypt Data for Cloud Services Using the Encryption SDK to Encrypt and Decrypt Local Files Encrypting and Decrypting Data Through Cross-region DR Using KMS to Protect File Integrity
Using KMS to Encrypt Secrets Dedicated Distributed Storage Service (DSS) EVS enables you to encrypt data on created disks as required. Keys used by encrypted EVS disks are provided by KMS of DEW, secure and convenient.
Benefits: Advantages over CMK encryption in KMS. Users can use CMKs to encrypt and decrypt data on the KMS console or by calling KMS APIs. A CMK can encrypt and decrypt no more than 4 KB of data. An envelope can encrypt and decrypt larger volumes of data.
The ciphertext DEK is generated when you use a CMK to encrypt the plaintext DEK. Use the plaintext DEK to encrypt the file. A ciphertext file is generated. Save the ciphertext DEK and the ciphertext file together in a persistent storage device or a storage service.
Using the Encryption SDK to Encrypt and Decrypt Local Files Encryption Software Development Kit (SDK) can encrypt and decrypt data and file streams. You can easily encrypt and decrypt massive amounts of data simply by calling APIs.
In this case, A can use B's public key to encrypt the messages, and B can use its private key to decrypt the messages. If you use a private key to encrypt data, the public key can be used to decrypt data.
The key is used to encrypt and protect DEKs. A custom key can be used to encrypt multiple DEKs. It can be disabled and scheduled for deletion. It is billed per use after being created or imported.
Using a wrapping key to encrypt key material: Use an HSM or OpenSSL to encrypt the key material with the wrapping key. Importing key material (existing key material): Import the key material and token to the created empty key.