Then the application can store the encrypted data. In addition, the user application can call the KMS API to create CMKs. DEKs can be stored in ciphertext after being encrypted with the CMKs.
You can create a DEK in either of the following ways: If you call the create-datakey API, it returns the plaintext DEK and the ciphertext DEK encrypted using the specified CMK.
When you upload objects in encryption mode, data is encrypted at the server side and then securely stored on OBS in ciphertext. When you download encrypted objects, the data in ciphertext is decrypted at the server side and then provided to you in plaintext.
Secret import: key materials imported to KMS can be encrypted using the RSAES_OAEP_SHA_256 or SM2_ENCRYPT algorithm. For details, see Importing Key Materials.
The purposes of key rotation are: to reduce the amount of data encrypted by each key. A key becomes insecure if it is used to encrypt a very large amount of data. The amount of data encrypted by a key refers to the total number of bytes or messages encrypted using that key.
Data is encrypted within the SDK using the DEK generated by KMS. Segmented encryption of files in memory ensures the security and correctness of file encryption, because it does not require transferring the file over the network.
…mode and verifying signatures; random data generation in encrypted mode.
Use the import token to import the encrypted key materials. For details, see Step 4: Importing Key Materials.
Plaintext KMS keys are always encrypted by HSMs and are never stored on any disk. These keys are only utilized within the volatile memory of the HSMs for as long as necessary to perform the cryptographic operation you have requested.
A private key is encrypted and decrypted using the same encryption key. If the encryption key is deleted, the private key cannot be exported.
This practice has proved useful when users migrate locally encrypted data to the cloud.
For example, check whether the digest of the source file is the same as that of the encrypted and decrypted file.
With envelope encryption, the data itself does not need to be transferred; only the DEKs need to be transferred to the KMS server.
Advantage over encryption by using cloud services (security): data transferred to the cloud for encryption is exposed to risks such as interception and phishing.
Table 9 ImportPrivateKeyProtection
- private_key (Type: String): Private key of the imported SSH key pair.
- encryption (Type: Encryption object): How a private key is encrypted and stored.
Dedicated HSM provides integrity check and encrypted storage for sensitive data, which effectively prevents sensitive data from being stolen or tampered with, and prevents unauthorized access.
Currently, a maximum of 4 KB of data can be encrypted or decrypted in this way. Figure 1 shows an example of how to call the APIs to encrypt and decrypt an HTTPS certificate.
The managed private keys are encrypted by the keys provided by KMS, ensuring security for storage, import, and export of the private keys. You can download the private keys from the console whenever you need.
The value is encrypted and stored in the initial version of the secret.
Type: Base64-encoded binary data object
Constraint: Either secret_binary or secret_string must be configured. The maximum size is 32 KB.
- secret_string (Mandatory: No; Type: String): Value of a new secret.
AK/SK authentication: Requests are encrypted using AK/SK pairs. This method is recommended because it provides higher security than token-based authentication.
Token-based authentication: The validity period of a token is 24 hours.
After the information is encrypted, signed with the private key, and sent to the receiver, the receiver decrypts it and verifies the signature using the public key.