When you upload objects in encryption mode, data is encrypted at the server side and then securely stored on OBS in ciphertext. When you download encrypted objects, the data in ciphertext is decrypted at the server side and then provided to you in plaintext.
Secret import: Key materials imported to KMS can be encrypted using the RSAES_OAEP_SHA_256 or SM2_ENCRYPT algorithms. See Importing Key Materials.
mode and verifying signature; random data generation in encrypted mode. Supported Cryptography Algorithms: You can use international common cryptographic algorithms to meet various user requirements.
The purposes of key rotation are: To reduce the amount of data encrypted by each key. A key becomes insecure if it is used to encrypt a very large amount of data. The amount of data encrypted by a key refers to the total number of bytes or messages encrypted using that key.
Data is encrypted within the SDK by using the DEK generated by KMS. Segmented encryption of files in the memory ensures the security and correctness of file encryption, because it does not require file transfer over the network.
Use the import token to import the encrypted key materials. For details, see Step 4: Importing Key Materials.
Plaintext KMS keys are always encrypted by HSMs and are never stored on any disk. These keys are only used within the volatile memory of the HSMs for as long as necessary to perform the cryptographic operation you have requested.
This practice has proved useful when users migrate locally encrypted data to the cloud.
A private key is encrypted and decrypted using the same encryption key. If the encryption key is deleted, the private key will fail to be exported.
Data encrypted using envelopes does not need to be transferred. Only the DEKs need to be transferred to the KMS server. Advantages over encryption by using cloud services: Security. Data transferred to the cloud for encryption is exposed to risks such as interception and phishing.
If an asymmetric key is imported, this parameter is a temporary intermediate key used to encrypt the private key.
encrypted_privatekey (Mandatory: No; Type: String): Private key encrypted using a temporary intermediate key. This parameter is required for importing an asymmetric key.
Dedicated HSM provides integrity check and encrypted storage for sensitive data, which effectively prevents sensitive data from being stolen or tampered with, and prevents unauthorized access.
Currently, a maximum of 4 KB of data can be encrypted or decrypted in this way. Figure 1 shows an example about how to call the APIs to encrypt and decrypt an HTTPS certificate.
// Encrypt the file and store the encrypted file.
doFileFinal(Cipher.ENCRYPT_MODE, inFile, outEncryptFile, plainKey, iv);
}
/**
 * Encrypting and decrypting a file
 *
 * @param cipherMode: Encryption mode.
AK/SK authentication: Requests are encrypted using AK/SK pairs. This method is recommended because it provides higher security than token-based authentication. Token-based Authentication: The validity period of a token is 24 hours.
After the encrypted information is signed using a private key and sent to the receiver, the receiver decrypts the information and verifies the signature using the public key.
The managed private keys are encrypted by the keys provided by KMS, ensuring security for storage, import, and export of the private keys. Scenarios: Manage both local and cloud keys on the KPS console.
Each pair of CMK and replica key shares the same key material, so data encrypted in one region can be decrypted in another. You can manage keys across multiple regions, and edit the alias of, enable, disable, tag, and authorize replica keys.
final String REGION_1 = "<region1>";
private static final String KEYID_1 = "<keyId1>";
public static final String PROJECT_ID_2 = "<projectId2>";
public static final String REGION_2 = "<region2>";
public static final String KEYID_2 = "<keyId2>";
// Data to be encrypted