
Key Management Service in Action: A Hands-On Guide for Data Encryption

Key Management Service (KMS) is an end-to-end service platform for key management and data encryption.

By Jessie Angelica, Solution Architect Intern


Key Management Service (KMS) is an end-to-end service platform for key management and data encryption. KMS lets you use keys securely and conveniently and focus on developing encryption and decryption functions, without having to spend heavily on protecting the confidentiality, integrity, and availability of keys. KMS is integrated with a wide range of Alibaba Cloud services such as ECS, RDS, OSS, NAS, and MaxCompute. You can easily use customer master keys (CMKs) in KMS to generate data keys, call API operations to manage the lifecycle of keys, and use the key service to perform operations such as data encryption, data decryption, and signing and verification.


An example KMS scenario: at the request of the IT security department, an IT system builder needs to encrypt and protect sensitive business data and operational data in applications. KMS significantly reduces costs compared with self-built key management facilities and encryption and decryption facilities, so Alibaba Cloud can help by providing KMS as the solution for securing sensitive data in applications.

This blog describes two ways to use KMS: the Alibaba Cloud command-line interface (CLI), to demonstrate the encryption and decryption functions of KMS, and the Python SDK with Flask, to simulate data encryption between a client and a server.

PART 1 Configure Aliyun CLI

1). Download the Alibaba Cloud CLI tool and decompress the installation package. Move the decompressed "aliyun" executable to the "/usr/local/bin" directory.


2). Configure your AccessKey ID and AccessKey secret, obtained from AccessKey Management in the Alibaba Cloud console; they are required to call the OpenAPI.

3). Go back to the terminal, enter the following commands, and adjust them according to your needs.

4). Go to Key Management Service and enable your default key, which is used for the subsequent data encryption.


5). Return to the ECS terminal and enter the following command to list all the keys under the current account and show the key details.


6). Use the plaintext data key to encrypt the file and generate a ciphertext file; then call the KMS Decrypt operation to decrypt the ciphertext data key and obtain the plaintext data key again.



7). Generate a data key using the key ID:
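The envelope-encryption flow behind steps 6 and 7, as an added example that is not the blog's code: the CMK stays inside KMS, only the wrapped (ciphertext) data key is stored next to the encrypted file, and the plaintext data key is dropped as soon as the file is encrypted. KMS is replaced by an in-process stand-in (FakeKms, constructed here) so the example runs offline, and the local cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag, standing in for the AES-GCM a real client would use; in production the two KMS calls would be GenerateDataKey and Decrypt through the Alibaba Cloud SDK.

```python
import hashlib
import hmac
import os

class FakeKms:
    """Stand-in for the KMS service (constructed for this example); the CMK never leaves it."""

    def __init__(self):
        self._cmk = os.urandom(32)  # simulated customer master key (CMK)

    def generate_data_key(self):
        """Like GenerateDataKey: returns (plaintext data key, data key wrapped under the CMK)."""
        dk = os.urandom(32)
        return dk, _seal(self._cmk, dk)

    def decrypt(self, ciphertext_blob):
        """Like Decrypt: unwraps a data key; raises ValueError if the blob was tampered with."""
        return _open(self._cmk, ciphertext_blob)

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode; the "ks" prefix domain-separates it from the tag below.
    blocks = (hmac.new(key, b"ks" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(0, length, 32))
    return b"".join(blocks)[:length]

def _seal(key, data):
    """Encrypt-then-MAC; stands in for AES-GCM. Layout: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def _open(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")  # tampered blob or wrong key
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def envelope_encrypt(kms, plaintext):
    """Step 7 then step 6: get a data key, encrypt locally, keep only the wrapped key."""
    dk, wrapped = kms.generate_data_key()
    return wrapped, _seal(dk, plaintext)  # the plaintext data key is discarded here

def envelope_decrypt(kms, wrapped, ciphertext):
    """Send only the wrapped data key to KMS Decrypt, then decrypt the file locally."""
    return _open(kms.decrypt(wrapped), ciphertext)
```

A wrapped data key produced under one CMK cannot be unwrapped by a different KMS instance, and any bit flip in the stored ciphertext is rejected instead of yielding garbage.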

PART 2 Use the Python SDK

1). Install the following dependency packages:


2). Enter the following command, and replace the "clock" method with "perf_counter" in the file.



3). Turn off the vim editor's automatic indentation, which makes it easier to paste code into the file, by entering the following command:


4). Enter the "vim server.py" command and replace YOUR-KEY-ACCESS-ID, YOUR-KEY-ACCESS-SECRET, and YOUR-KEY-ID with your own values.


5). Enter the "vim client.py" command and replace YOUR-KEY-ACCESS-ID, YOUR-KEY-ACCESS-SECRET, and YOUR-ECS-IP with your own values.


6). Start the server:


Enter the IP address of your ECS instance in a web browser.


7). Obtain data key ciphertext from the server:


8). Enter the following command to encrypt "password:aliyun-test" and send it to the server.


9). Go back to the first remote-connection terminal. The ciphertext has been received and decrypted back to plaintext by the server.

