yexinru/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
Files
0b3a43371a4bcc99577594de0a685249d676a567
doc-exports/docs/kms/umn/dew_01_0006.html
qinweiwei 3e4721c813 KMS UMN 20251111 version 
Reviewed-by: Rogal, Marcel <mrogal@noreply.gitea.eco.tsi-dev.otc-service.com>
Co-authored-by: qinweiwei <qinweiwei@huawei.com>
Co-committed-by: qinweiwei <qinweiwei@huawei.com>
2026-01-19 09:05:54 +00:00

27 lines
4.6 KiB
HTML
Raw Blame History

<a name="dew_01_0006"></a><a name="dew_01_0006"></a>
<h1 class="topictitle1">Application Scenarios</h1>
<div id="body1556591517287"><div class="section" id="dew_01_0006__section1467212190348"><h4 class="sectiontitle">Small Data Encryption and Decryption</h4><p id="dew_01_0006__p6668104818103">You can use the online tool on the KMS console or call KMS APIs to directly encrypt or decrypt a small amount of data, such as passwords, certificates, or phone numbers. Currently, a maximum of 4 KB of data can be encrypted or decrypted in this way.</p>
<p id="dew_01_0006__p126681748131013"><a href="#dew_01_0006__fig392517461568">Figure 1</a> shows an example about how to call the APIs to encrypt and decrypt an HTTPS certificate.</p>
<div class="fignone" id="dew_01_0006__fig392517461568"><a name="dew_01_0006__fig392517461568"></a><a name="fig392517461568"></a><span class="figcap"><b>Figure 1 </b>Encrypting and decrypting an HTTPS certificate</span><br><span><img id="dew_01_0006__image5926154614620" src="en-us_image_0232856156.png"></span></div>
<div class="p" id="dew_01_0006__p13651172210545">The procedure is as follows:<ol id="dew_01_0006__ol13350843171120"><li id="dew_01_0006__li466854815108">Create a CMK on KMS.</li><li id="dew_01_0006__li96687482103">Call the <span class="parmvalue" id="dew_01_0006__parmvalue8668154817107"><b>encrypt-data</b></span> API of KMS and use the CMK to encrypt the plaintext certificate.</li><li id="dew_01_0006__li186684482106">Deploy the certificate onto a server.</li><li id="dew_01_0006__li10355843131113">The server calls the <span class="parmvalue" id="dew_01_0006__parmvalue1435617431119"><b>decrypt-data</b></span> API of KMS to decrypt the ciphertext certificate.</li></ol>
</div>
</div>
<div class="section" id="dew_01_0006__section179202519344"><h4 class="sectiontitle">Large Data Encryption and Decryption</h4><p id="dew_01_0006__p8143185161117">If you want to encrypt or decrypt large volumes of data, such as pictures, videos, and database files, you can use the envelope encryption method, where the data does not need to be transferred over the network.</p>
<ul id="dew_01_0006__ul1143183433611"><li id="dew_01_0006__li1543123412361"><a href="#dew_01_0006__fig1265115271176">Figure 2</a> illustrates the process for encrypting a local file.<div class="fignone" id="dew_01_0006__fig1265115271176"><a name="dew_01_0006__fig1265115271176"></a><a name="fig1265115271176"></a><span class="figcap"><b>Figure 2 </b>Encrypting a local file</span><br><span><img id="dew_01_0006__image3652527476" src="en-us_image_0232858228.png"></span></div>
<div class="p" id="dew_01_0006__p1733533725610">The procedure is as follows:<ol id="dew_01_0006__ol183351137175613"><li id="dew_01_0006__li1914417517112">Create a CMK on KMS.</li><li id="dew_01_0006__li19144251151115">Call the <span class="parmvalue" id="dew_01_0006__parmvalue19444152575212"><b>create-datakey</b></span> API of KMS to create a DEK. Then you get a plaintext DEK and a ciphertext DEK. The ciphertext DEK is generated when you use a CMK to encrypt the plaintext DEK.</li><li id="dew_01_0006__li1614465171118">Use the plaintext DEK to encrypt the file. A ciphertext file is generated.</li><li id="dew_01_0006__li17337203795613">Save the ciphertext DEK and the ciphertext file together in a persistent storage device or a storage service.</li></ol>
</div>
</li><li id="dew_01_0006__li35556366373"><a href="#dew_01_0006__fig133981165810">Figure 3</a> illustrates the process for decrypting a local file.<div class="fignone" id="dew_01_0006__fig133981165810"><a name="dew_01_0006__fig133981165810"></a><a name="fig133981165810"></a><span class="figcap"><b>Figure 3 </b>Decrypting a local file</span><br><span><img id="dew_01_0006__image173981416786" src="en-us_image_0232858842.png"></span></div>
<div class="p" id="dew_01_0006__p466631785715">The procedure is as follows:<ol id="dew_01_0006__ol17666171735711"><li id="dew_01_0006__li1145951121111">Obtain the ciphertext DEK and file from the persistent storage device or the storage service.</li><li id="dew_01_0006__li17145205111112">Call the <span class="parmvalue" id="dew_01_0006__parmvalue1051755216529"><b>decrypt-datakey</b></span> API of KMS and use the corresponding CMK (the one used for encrypting the DEK) to decrypt the ciphertext DEK. Then you get the plaintext DEK.<p id="dew_01_0006__p1145115112118">If the CMK is deleted, the decryption fails. Therefore, properly keep your CMKs.</p>
</li><li id="dew_01_0006__li3669191785714">Use the plaintext DEK to decrypt the ciphertext file.</li></ol>
</div>
</li></ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0121.html">KMS</a></div>
</div>
</div>
View Git Blame Copy Permalink