Sensitive information in the IT assets that you deploy on Alibaba Cloud must be encrypted. You can call the cryptographic operations of Key Management Service (KMS) to encrypt or decrypt data smaller than 6 KB online.

Prerequisites

An Alibaba Cloud account is created. To create an Alibaba Cloud account, visit the account registration page.

Background information

You can use a KMS customer master key (CMK) to encrypt and decrypt data in scenarios that include, but are not limited to, the following:
  • Encrypt configuration files.
  • Encrypt private keys of SSL certificates.

This topic describes how to call KMS API operations to encrypt and decrypt private keys of SSL certificates online.

Encryption and decryption procedure

User data is transmitted to the KMS server over an encrypted channel. The KMS server encrypts or decrypts the data and then returns the result to the user over the same encrypted channel. The following figure (encryptionProcedure) shows the entire procedure:
  1. Create a CMK in the KMS console or by calling the CreateKey operation.
  2. Call the Encrypt operation of KMS to encrypt the private key of an SSL certificate. The ciphertext of the private key is returned.
  3. Install the SSL certificate and ciphertext private key on your cloud server.
  4. When the cloud server needs the certificate to create an encrypted connection, call the Decrypt operation of KMS to decrypt the ciphertext private key.

Related API operations

You can call the following API operations to encrypt and decrypt data.
Operation    Description
CreateKey    Creates a CMK.
CreateAlias  Assigns an alias to a CMK.
Encrypt      Encrypts data with a specified CMK.
Decrypt      Decrypts data that was encrypted by KMS. You do not need to specify a CMK, because the ciphertext identifies the CMK that was used.

Encrypt and decrypt the private key of an SSL certificate

  1. Call the CreateKey operation to create a CMK.
    $ aliyun kms CreateKey
    {
      "KeyMetadata": {
        "CreationDate": "2019-04-08T07:45:54Z",
        "Description": "",
        "KeyId": "1234abcd-12ab-34cd-56ef-12345678****",
        "KeyState": "Enabled",
        "KeyUsage": "ENCRYPT/DECRYPT",
        "DeleteDate": "",
        "Creator": "111122223333",
        "Arn": "acs:kms:cn-hangzhou:111122223333:key/1234abcd-12ab-34cd-56ef-12345678****",
        "Origin": "Aliyun_KMS",
        "MaterialExpireTime": ""
      },
      "RequestId": "2a37b168-9fa0-4d71-aba4-2077dd9e80df"
    }
  2. Optional (recommended): Assign an alias to the CMK.
    Aliases are optional for CMKs. If a CMK does not have an alias, you can reference it by its ID instead.
    $ aliyun kms CreateAlias --AliasName alias/Apollo/WorkKey --KeyId 1234abcd-12ab-34cd-56ef-12345678****
    Note: In this example, Apollo/WorkKey is assigned to the CMK of the Apollo project as its alias. This alias is used in the subsequent sample code, so you can specify alias/Apollo/WorkKey to use the CMK to encrypt a private key.
  3. Call the Encrypt operation to encrypt the private key with the CMK.
    In the following sample code:
    • alias/Apollo/WorkKey is the alias of the CMK.
    • ./certs/key.pem is the plaintext private key.
    • ./certs/key.pem.cipher is the ciphertext private key.
    #! /usr/bin/env python
    #coding=utf-8
    
    import json
    
    from aliyunsdkcore import client
    from aliyunsdkkms.request.v20160120 import EncryptRequest
    
    def KmsEncrypt(acs_client, plaintext, key_alias):
      # Build an Encrypt request. KeyId accepts either a CMK ID or an alias.
      request = EncryptRequest.EncryptRequest()
      request.set_accept_format('JSON')
      request.set_KeyId(key_alias)
      request.set_Plaintext(plaintext)
      # Use the client that was passed in (the original referenced the global
      # clt) and let API errors raise instead of silently returning an error
      # body, which would otherwise write "None" to the output file.
      response = json.loads(acs_client.do_action_with_exception(request))
      return response.get("CiphertextBlob")
    
    def ReadTextFile(in_file):
      with open(in_file, 'r') as f:
        return f.read()
    
    def WriteTextFile(out_file, content):
      with open(out_file, 'w') as f:
        f.write(content)
    
    clt = client.AcsClient('<Access-Key-Id>', '<Access-Key-Secret>', '<Region-Id>')
    
    key_alias = 'alias/Apollo/WorkKey'
    
    in_file = './certs/key.pem'
    out_file = './certs/key.pem.cipher'
    
    # Read the plaintext private key file in text mode
    in_content = ReadTextFile(in_file)
    
    # Encrypt the private key with the CMK identified by the alias
    ciphertext = KmsEncrypt(clt, in_content, key_alias)
    
    # Write the ciphertext (a base64 CiphertextBlob) in text mode
    WriteTextFile(out_file, ciphertext)
  4. Call the Decrypt operation to decrypt the ciphertext private key that you installed on your cloud server. KMS identifies the CMK from the ciphertext and returns the plaintext private key.
    In the following sample code:
    • ./certs/key.pem.cipher is the ciphertext private key.
    • ./certs/decrypted_key.pem is the plaintext private key.
    #! /usr/bin/env python
    #coding=utf-8
    
    import json
    
    from aliyunsdkcore import client
    from aliyunsdkkms.request.v20160120 import DecryptRequest
    
    def KmsDecrypt(acs_client, ciphertext):
      # Build a Decrypt request. No KeyId is needed: the CiphertextBlob
      # already identifies the CMK that encrypted it.
      request = DecryptRequest.DecryptRequest()
      request.set_accept_format('JSON')
      request.set_CiphertextBlob(ciphertext)
      # Use the client that was passed in (the original referenced the global
      # clt) and let API errors raise instead of silently returning an error body.
      response = json.loads(acs_client.do_action_with_exception(request))
      return response.get("Plaintext")
    
    def ReadTextFile(in_file):
      with open(in_file, 'r') as f:
        return f.read()
    
    def WriteTextFile(out_file, content):
      with open(out_file, 'w') as f:
        f.write(content)
    
    clt = client.AcsClient('<Access-Key-Id>', '<Access-Key-Secret>', '<Region-Id>')
    
    in_file = './certs/key.pem.cipher'
    out_file = './certs/decrypted_key.pem'
    
    # Read the ciphertext private key file in text mode
    in_content = ReadTextFile(in_file)
    
    # Decrypt the ciphertext; the result is the plaintext PEM private key
    plaintext = KmsDecrypt(clt, in_content)
    
    # Write the decrypted key file in text mode. The file now holds the
    # plaintext private key, so restrict its permissions to the service account.
    WriteTextFile(out_file, plaintext)
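The following added example (not part of this Alibaba Cloud page or its SDK) pulls steps 3 and 4 together: it enforces the 6 KB online limit before calling Encrypt, decrypts without naming a CMK, and writes the recovered key with owner-only file permissions. The kms object, FakeKms and SAMPLE_PEM are assumptions constructed so the code runs offline; with the real SDK, kms.encrypt and kms.decrypt would be thin wrappers over the KmsEncrypt and KmsDecrypt functions shown above.

```python
import base64
import json
import os

MAX_PLAINTEXT_BYTES = 6 * 1024  # online Encrypt handles data smaller than 6 KB
# Constructed placeholder standing in for ./certs/key.pem; not a real key.
SAMPLE_PEM = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n"


def encrypt_private_key(kms, key_alias, pem_text):
    """Encrypt a PEM private key with the CMK behind key_alias.
    kms exposes encrypt(key_id, plaintext) and decrypt(blob), each returning the
    JSON body of the matching KMS operation (in production, a thin wrapper over
    the page's KmsEncrypt/KmsDecrypt). The size check runs before any API call."""
    size = len(pem_text.encode("utf-8"))
    if size >= MAX_PLAINTEXT_BYTES:
        raise ValueError("plaintext is %d bytes; online Encrypt needs < 6 KB" % size)
    return kms.encrypt(key_alias, pem_text)["CiphertextBlob"]


def decrypt_private_key(kms, blob):
    """Decrypt a CiphertextBlob; no CMK is passed because the blob names it."""
    return kms.decrypt(blob)["Plaintext"]


def write_private_key(out_file, plaintext):
    """Write the plaintext key to a new file readable only by its owner (0600)
    instead of the umask-dependent mode a plain open() would give it."""
    fd = os.open(out_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(plaintext)


class FakeKms:
    """Constructed offline stand-in for the KMS API (not real encryption). It
    keeps one property of the real service: the blob records the CMK ID."""

    def __init__(self, aliases):
        self.aliases = aliases  # alias -> CMK ID, as set up by CreateAlias

    def encrypt(self, key_id, plaintext):
        key_id = self.aliases.get(key_id, key_id)
        body = json.dumps({"KeyId": key_id, "Plaintext": plaintext}).encode()
        return {"KeyId": key_id, "CiphertextBlob": base64.b64encode(body).decode()}

    def decrypt(self, blob):
        body = json.loads(base64.b64decode(blob))
        return {"KeyId": body["KeyId"], "Plaintext": body["Plaintext"]}
```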