Log Service allows you to use Key Management Service (KMS) to encrypt data for secure storage. This topic describes the data encryption mechanism of Log Service and how to encrypt data by using KMS.
Prerequisites
Data encryption mechanism
Log Service encrypts data by using KMS. The data encryption mechanism has the following characteristics:
- Log Service supports the Advanced Encryption Standard (AES) and SM4 encryption algorithms.
- You can create and manage a customer master key (CMK) in the KMS console to ensure the security of the CMK.
- Log Service supports the following encryption types:
  - Service key-based encryption: Log Service generates an independent service key for each Logstore. The service key never expires.
  - Bring Your Own Key (BYOK) encryption: You can create a CMK in the KMS console and grant the relevant permissions to Log Service. When Log Service calls a KMS API operation, this CMK is used to create a key for data encryption. If the CMK is deleted or disabled, the BYOK key becomes invalid.
Notice
- You can configure data encryption for a Logstore only when you call the CreateLogstore operation to create the Logstore. The algorithm or type of data encryption cannot be changed after the Logstore is created.
- If the BYOK key becomes invalid, all read and write requests on the Logstore fail.
Authorize Log Service to access KMS
If you use the BYOK key for data encryption, you must authorize Log Service to access KMS.
Configure data encryption of a Logstore
When you call the CreateLogstore operation to create a Logstore, add the encrypt_conf node shown in the following sample code to enable data encryption:
encrypt_conf = {
    "enable": True,  # Specifies whether data encryption is enabled.
    "encrypt_type": "default",  # The encryption algorithm. The encrypt_type parameter can be set only to default or m4.
    "user_cmk_info": {  # Optional parameter. If this parameter is specified, the BYOK key is used. Otherwise, the service key is used.
        "cmk_key_id": "",  # The ID of the CMK to which the BYOK key belongs, for example, f5136b95-2420-ab31-xxxxxxxxx.
        "arn": "",  # The ARN of the RAM role. For more information about how to obtain the ARN of a RAM role, see Ship log data from Log Service to OSS.
        "region_id": ""  # The ID of the region where the CMK resides.
    }
}
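The following is an added example, not code from the Log Service documentation or SDK. It builds the encrypt_conf node for either encryption type and checks it before the node is passed to CreateLogstore, which matters because the encryption type and algorithm cannot be changed once the Logstore exists, and a BYOK node with an unusable CMK leaves the Logstore unreadable and unwritable. The field names (enable, encrypt_type, user_cmk_info, cmk_key_id, arn, region_id) and the two encrypt_type values (default, m4) come from the page; the function names, the checks, and the sample CMK, ARN and region values are this example's own assumptions and placeholders. The client call that submits the node is not shown, since the page does not show it.

```python
# Added example (not from the Log Service documentation or SDK): build and
# validate the encrypt_conf node for CreateLogstore. Field names and the
# accepted encrypt_type values are from the page; everything else is assumed.
from typing import List, Optional

VALID_ENCRYPT_TYPES = ("default", "m4")          # the only values encrypt_type accepts
CMK_FIELDS = ("cmk_key_id", "arn", "region_id")  # all three are needed for BYOK


def validate_encrypt_conf(conf: dict) -> List[str]:
    """Return the problems found in an encrypt_conf node; an empty list means it is usable.

    Checking before CreateLogstore is the only chance to catch a mistake: the
    algorithm and encryption type are fixed once the Logstore is created.
    """
    problems: List[str] = []
    if not isinstance(conf.get("enable"), bool):
        problems.append("enable must be a boolean")
    if conf.get("encrypt_type") not in VALID_ENCRYPT_TYPES:
        problems.append(f"encrypt_type must be one of {VALID_ENCRYPT_TYPES}")
    cmk = conf.get("user_cmk_info")
    if cmk is not None:
        if not isinstance(cmk, dict):
            problems.append("user_cmk_info must be an object")
        else:
            # BYOK: every CMK field must be present and non-empty. A partial
            # node selects BYOK without identifying a usable CMK.
            for field in CMK_FIELDS:
                if not cmk.get(field):
                    problems.append(f"user_cmk_info.{field} is missing or empty")
            unknown = set(cmk) - set(CMK_FIELDS)
            if unknown:
                problems.append(f"user_cmk_info has unknown fields: {sorted(unknown)}")
    return problems


def build_encrypt_conf(encrypt_type: str = "default",
                       cmk_key_id: Optional[str] = None,
                       arn: Optional[str] = None,
                       region_id: Optional[str] = None) -> dict:
    """Build an encrypt_conf node.

    No CMK details  -> service key (an independent key per Logstore).
    All CMK details -> BYOK key backed by the caller's CMK.
    Some CMK details -> rejected, rather than silently creating a broken Logstore.
    """
    conf = {"enable": True, "encrypt_type": encrypt_type}
    if any((cmk_key_id, arn, region_id)):
        conf["user_cmk_info"] = {
            "cmk_key_id": cmk_key_id or "",
            "arn": arn or "",
            "region_id": region_id or "",
        }
    problems = validate_encrypt_conf(conf)
    if problems:
        raise ValueError("; ".join(problems))
    return conf


def encryption_mode(conf: dict) -> str:
    """Report which key type a validated node selects."""
    return "byok" if "user_cmk_info" in conf else "service_key"


if __name__ == "__main__":
    import json
    # Service-key encryption with the default algorithm.
    print(json.dumps(build_encrypt_conf(), indent=2))
    # BYOK encryption with the m4 algorithm; the values are constructed placeholders.
    print(json.dumps(build_encrypt_conf(
        "m4",
        cmk_key_id="f5136b95-2420-ab31-xxxxxxxxx",
        arn="acs:ram::ACCOUNT-ID-PLACEHOLDER:role/ROLE-NAME-PLACEHOLDER",
        region_id="REGION-ID-PLACEHOLDER",
    ), indent=2))
```

Run the validation on the node you intend to submit, and treat any returned problem as a reason not to call CreateLogstore yet; a Logstore created with the wrong settings has to be recreated rather than reconfigured.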