forked from docs/doc-exports
Reviewed-by: Rogal, Marcel <mrogal@noreply.gitea.eco.tsi-dev.otc-service.com> Co-authored-by: qinweiwei <qinweiwei@huawei.com> Co-committed-by: qinweiwei <qinweiwei@huawei.com>
23 lines
3.7 KiB
HTML
<a name="dew_01_0053"></a>
<h1 class="topictitle1">How Do Cloud Services Use KMS to Encrypt Data?</h1>
<div id="body1508302911825"><p id="dew_01_0053__p1563974216204">Services (such as OBS, IMS, EVS, SFS, DDS, and RDS) use the envelope encryption method provided by KMS to protect data.</p>
<div class="note" id="dew_01_0053__note1632913553230"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="dew_01_0053__p1432985522310">Envelope encryption is the practice of encrypting data with a data encryption key (DEK) and then encrypting that DEK with a root key that you fully manage (the CMK). In this case, the CMK is not needed to encrypt or decrypt the data itself; only the DEK is.</p>
</div></div>
<div class="section" id="dew_01_0053__section124407010813"><h4 class="sectiontitle">Envelope Encryption and Decryption Principles</h4><ul id="dew_01_0053__ul14474192915915"><li id="dew_01_0053__dew_01_0006_li1543123412361"><a href="#dew_01_0053__dew_01_0006_fig1265115271176">Figure 1</a> illustrates the process for encrypting a local file.<div class="fignone" id="dew_01_0053__dew_01_0006_fig1265115271176"><a name="dew_01_0053__dew_01_0006_fig1265115271176"></a><a name="dew_01_0006_fig1265115271176"></a><span class="figcap"><b>Figure 1 </b>Encrypting a local file</span><br><span><img id="dew_01_0053__dew_01_0006_image3652527476" src="en-us_image_0232858228.png"></span></div>
<div class="p" id="dew_01_0053__dew_01_0006_p1733533725610">The procedure is as follows:<ol id="dew_01_0053__dew_01_0006_ol183351137175613"><li id="dew_01_0053__dew_01_0006_li1914417517112">Create a CMK on KMS.</li><li id="dew_01_0053__dew_01_0006_li19144251151115">Call the <span class="parmvalue" id="dew_01_0053__dew_01_0006_parmvalue19444152575212"><b>create-datakey</b></span> API of KMS to create a DEK. Then you get a plaintext DEK and a ciphertext DEK. The ciphertext DEK is generated when you use a CMK to encrypt the plaintext DEK.</li><li id="dew_01_0053__dew_01_0006_li1614465171118">Use the plaintext DEK to encrypt the file. A ciphertext file is generated.</li><li id="dew_01_0053__dew_01_0006_li17337203795613">Save the ciphertext DEK and the ciphertext file together in a persistent storage device or a storage service.</li></ol>
</div>
</li><li id="dew_01_0053__dew_01_0006_li35556366373"><a href="#dew_01_0053__dew_01_0006_fig133981165810">Figure 2</a> illustrates the process for decrypting a local file.<div class="fignone" id="dew_01_0053__dew_01_0006_fig133981165810"><a name="dew_01_0053__dew_01_0006_fig133981165810"></a><a name="dew_01_0006_fig133981165810"></a><span class="figcap"><b>Figure 2 </b>Decrypting a local file</span><br><span><img id="dew_01_0053__dew_01_0006_image173981416786" src="en-us_image_0232858842.png"></span></div>
<div class="p" id="dew_01_0053__dew_01_0006_p466631785715">The procedure is as follows:<ol id="dew_01_0053__dew_01_0006_ol17666171735711"><li id="dew_01_0053__dew_01_0006_li1145951121111">Obtain the ciphertext DEK and the ciphertext file from the persistent storage device or the storage service.</li><li id="dew_01_0053__dew_01_0006_li17145205111112">Call the <span class="parmvalue" id="dew_01_0053__dew_01_0006_parmvalue1051755216529"><b>decrypt-datakey</b></span> API of KMS and use the corresponding CMK (the one used to encrypt the DEK) to decrypt the ciphertext DEK. Then you get the plaintext DEK.<p id="dew_01_0053__dew_01_0006_p1145115112118">If the CMK has been deleted, the decryption fails. Therefore, keep your CMKs safe.</p>
</li><li id="dew_01_0053__dew_01_0006_li3669191785714">Use the plaintext DEK to decrypt the ciphertext file.</li></ol>
</div>
</li></ul>
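As an added, runnable illustration of the two procedures above (this is not code from the page, nor from the cloud provider's KMS or SDK), the following Python models the envelope flow end to end: create a CMK, call create-datakey to obtain a plaintext and a ciphertext DEK, encrypt the file locally with the plaintext DEK, store only the ciphertext DEK beside the ciphertext file, and later unwrap the DEK with the same CMK to decrypt. `MockKMS`, its `create_key`, `create_datakey`, `decrypt_datakey` and `delete_key` methods, and the HMAC-based toy cipher are assumptions constructed for the example so that it runs offline with the standard library only; a real deployment calls the KMS APIs over the network and uses the service's own symmetric cipher. The demo also exercises the warning in the decryption procedure: once the CMK is deleted, the wrapped DEK, and with it the file, cannot be recovered.

```python
import hashlib
import hmac
import secrets

# Toy authenticated cipher built only from the standard library (constructed stand-in
# for the symmetric cipher a real KMS/SDK uses). Keystream = HMAC-SHA256(key, nonce||ctr)
# in counter mode, XORed with the data; integrity = HMAC-SHA256 tag (encrypt-then-MAC).
NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one 32-byte key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class MockKMS:
    """Constructed stand-in for the KMS service. CMK material never leaves this object;
    callers only ever see a key ID, a plaintext DEK and a ciphertext (CMK-wrapped) DEK."""

    def __init__(self):
        self._cmks = {}

    def create_key(self) -> str:                      # step 1: create a CMK on KMS
        key_id = "cmk-" + secrets.token_hex(8)
        self._cmks[key_id] = secrets.token_bytes(32)
        return key_id

    def create_datakey(self, key_id: str):            # models the create-datakey API
        dek = secrets.token_bytes(32)
        return dek, _seal(self._cmks[key_id], dek)    # (plaintext DEK, ciphertext DEK)

    def decrypt_datakey(self, key_id: str, cipher_dek: bytes) -> bytes:  # decrypt-datakey
        if key_id not in self._cmks:
            raise KeyError(f"CMK {key_id} no longer exists; wrapped DEK is unrecoverable")
        return _open(self._cmks[key_id], cipher_dek)

    def delete_key(self, key_id: str):
        del self._cmks[key_id]


def envelope_encrypt(kms: MockKMS, key_id: str, plaintext: bytes) -> dict:
    """Steps 2-4 of Figure 1: get a DEK, encrypt the data locally with the plaintext DEK,
    and keep only the ciphertext DEK next to the ciphertext file."""
    dek, cipher_dek = kms.create_datakey(key_id)
    cipher_file = _seal(dek, plaintext)
    del dek  # the plaintext DEK is used once and discarded; it is never persisted
    return {"key_id": key_id, "cipher_dek": cipher_dek, "cipher_file": cipher_file}


def envelope_decrypt(kms: MockKMS, envelope: dict) -> bytes:
    """Figure 2: unwrap the DEK with the same CMK, then decrypt the file locally."""
    dek = kms.decrypt_datakey(envelope["key_id"], envelope["cipher_dek"])
    return _open(dek, envelope["cipher_file"])


def demo() -> dict:
    """Round trip, a tampered ciphertext file, and the CMK-deletion failure mode."""
    kms = MockKMS()
    key_id = kms.create_key()
    data = b"constructed sample file contents: customer export"  # constructed input
    env = envelope_encrypt(kms, key_id, data)
    results = {"roundtrip_ok": envelope_decrypt(kms, env) == data}

    # Flip one bit of the stored ciphertext file: the tag check must reject it.
    last = env["cipher_file"][-1] ^ 1
    tampered = dict(env, cipher_file=env["cipher_file"][:-1] + bytes([last]))
    try:
        envelope_decrypt(kms, tampered)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True

    kms.delete_key(key_id)  # the page's warning: with the CMK gone, decryption fails
    try:
        envelope_decrypt(kms, env)
        results["fails_after_cmk_deletion"] = False
    except KeyError:
        results["fails_after_cmk_deletion"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point to notice is what gets persisted: only `cipher_dek` and `cipher_file` leave the process, and neither is useful without access to the CMK held inside the KMS. That is why the page's advice to keep CMKs safe matters operationally: deleting the CMK does not just disable a key, it makes every DEK wrapped with it, and every object those DEKs protect, unrecoverable.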
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0092.html">FAQs</a></div>
</div>
</div>