You can only use KMS to create new CMKs to encrypt and decrypt data.
Creates a new secret version in the specified secret to encrypt and store secret values randomly generated in the background. At the same time, the newly created secret version is marked as SYSCURRENT. Constraints: The RotateSecret API does not support rotation of common secrets.
Constraints: Default keys cannot be used to encrypt or decrypt such data with the tool. Asymmetric keys cannot be used to encrypt or decrypt such data with the tool. You can call APIs to use a default master key to encrypt or decrypt small-volume data.
This section describes how to call a KMS API and use a CMK to encrypt or decrypt data. Process: Create a CMK in KMS. Call the encrypt-data API of KMS to encrypt plaintext data by using a CMK. Deploy ciphertext certificates on your servers.
Creating a Secret Version. Function: Creates a new secret version in the specified secret to encrypt and keep the new secret value. By default, the latest secret version is in the SYSCURRENT state. The previous version is in the SYSPREVIOUS state.
You can create a new version of a secret to encrypt and keep a new secret value. By default, the latest secret version is in the SYSCURRENT state. The previous version is in the SYSPREVIOUS state.
Encrypt the plaintext hello world using the CMK whose ID is 0d0466b0-e727-4d9c-b35d-f84bb474a37f and add 123aad as the associated data.
For symmetric keys, the same key is used to encrypt and decrypt data, which is fast and efficient and suitable for encrypting a large amount of data. For asymmetric keys, a key pair, that is, a public key and a private key, is used for encryption and decryption.
It can be used to encrypt a small amount of data or DEKs. An asymmetric key is an RSA key or an ECC key pair (including SM2 key pair). It can be used for data encryption and decryption, digital signature, and signature verification.
Advantages: Extensive Service Integration. By integrating with OBS, EVS, and IMS, you can use KMS to manage the keys of the services or use KMS APIs to encrypt and decrypt local data.
You need to call APIs to encrypt and decrypt a large amount of data.
For details about how to encrypt or decrypt a large amount of data, see Encrypting or Decrypting a Large Amount of Data.
Creating a PIN. Function: This API is used to create a PIN, which is used to create and encrypt a DEK in the level-4 cryptography testing scenario. Calling Method: For details, see Calling APIs.
Encrypting a DEK. Function: This API is used to encrypt a DEK using a specified CMK. Calling Method: For details, see Calling APIs.
Billing Examples. Billing Scenario: A user created a symmetric key at 14:25:00 on May 18, 2023 and used the key to encrypt OBS. During the use of the key, 164,573 API requests were generated. The user stopped using the key and deleted it at 16:14:00 on June 29, 2023.
Ciphertext DEKs are generated when you use a CMK to encrypt the plaintext DEKs. Huawei Cloud services use the plaintext DEK to encrypt a plaintext file, generating a ciphertext file.
Using KMS to Encrypt Secrets. Dedicated Distributed Storage Service (DSS). EVS enables you to encrypt data on created disks as required. Keys used by encrypted EVS disks are provided by KMS of DEW, which is secure and convenient.
Key Management Service: Using KMS to Encrypt Offline Data; Using KMS to Encrypt and Decrypt Data for Cloud Services; Using the Encryption SDK to Encrypt and Decrypt Local Files; Encrypting and Decrypting Data Through Cross-region DR; Using KMS to Protect File Integrity
Benefits: Advantages over CMK encryption in KMS. Users can use CMKs to encrypt and decrypt data on the KMS console or by calling KMS APIs. A CMK can encrypt and decrypt no more than 4 KB of data. An envelope can encrypt and decrypt larger volumes of data.
The ciphertext DEK is generated when you use a CMK to encrypt the plaintext DEK. Use the plaintext DEK to encrypt the file. A ciphertext file is generated. Save the ciphertext DEK and the ciphertext file together in a persistent storage device or a storage service.