Scenarios

Last Updated: Sep 25, 2017

Legend for the scenario diagrams (the icon images are not reproduced here):

  - CMK
  - Plaintext key
  - Ciphertext key
  - Plaintext certificate
  - Ciphertext certificate
  - Plaintext file
  - Ciphertext file

Directly use the KMS for encryption and decryption

You can call the KMS API directly and have the specified CMK encrypt or decrypt your data. This scenario suits small amounts of data (less than 4 KB per call), because every call is a network round trip and the plaintext itself passes through KMS: the data is sent to the KMS server over an encrypted channel (HTTPS), encrypted or decrypted on the server with a CMK that never leaves it, and the result is returned over the same channel.

Scenario: Protect the HTTPS certificate on the server

[Figure scenario1: the certificate is encrypted with the Encrypt operation before deployment and decrypted with the Decrypt operation at server start]

The sensitive part of an HTTPS certificate deployment is the private key, so the procedure below protects the certificate together with its private key and keeps the plaintext off the server's disk.

Procedure:

  1. Create a CMK.
  2. Call the Encrypt operation of the KMS API to encrypt the plaintext certificate into a ciphertext certificate.
  3. Deploy only the ciphertext certificate on the server.
  4. When the server starts and needs the certificate, call the Decrypt operation of the KMS API to decrypt the ciphertext certificate into the plaintext certificate. Hold the plaintext only in memory; do not write it back to disk.

Use envelope encryption to perform local encryption and decryption

You can call the KMS API directly, use the specified CMK only to generate and decrypt a data key, and use that data key to encrypt and decrypt the data locally. This scenario suits large volumes of data: only the data key (a few dozen bytes) travels to KMS, never the data itself, so large files are encrypted and decrypted at low cost and without the 4 KB per-call limit of direct encryption.

Scenario: Encrypt a local file

[Figure scenario2.1: GenerateDataKey returns a plaintext and a ciphertext data key; the plaintext key encrypts the file locally and is then discarded]

Encryption procedure:

  1. Create a CMK.
  2. Call the GenerateDataKey operation of the KMS API. The response contains the same data key twice: in plaintext, and encrypted under the CMK (the ciphertext data key).
  3. Use the plaintext data key to encrypt the file locally and produce a ciphertext file. Discard the plaintext data key from memory as soon as the file is encrypted.
  4. Save the ciphertext data key together with the ciphertext file to a persistent storage device or service. The ciphertext data key is safe to store next to the data, because only the CMK can decrypt it.

[Figure scenario2.2: the ciphertext data key is unwrapped by the Decrypt operation; the recovered plaintext key decrypts the file locally]

Decryption procedure:

  1. Read the ciphertext data key and the ciphertext file from the persistent storage device or service.
  2. Call the Decrypt operation of the KMS API on the ciphertext data key to obtain the plaintext data key.
  3. Use the plaintext data key to decrypt the file locally, then discard the plaintext data key from memory.
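Both scenarios, as an added worked example in Go. This is not code from the original page or from the Alibaba Cloud SDK: the real service is replaced by an in-process fakeKMS whose Encrypt, Decrypt and GenerateDataKey methods stand in for the API operations named above, so it runs offline. The KeyService interface, the 4 KB refusal in the fake, AES-256-GCM as both the wrapping and the file cipher, and the envelope layout are assumptions of this example; a production client would implement KeyService over the real SDK calls.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// KeyService is the subset of KMS operations the two scenarios call (assumed interface).
type KeyService interface {
	Encrypt(cmkID string, plaintext []byte) ([]byte, error)         // scenario 1
	Decrypt(blob []byte) ([]byte, error)                            // both scenarios
	GenerateDataKey(cmkID string) (plain, wrapped []byte, err error) // scenario 2
}

// fakeKMS is a constructed in-process stand-in for the real service: one CMK that never
// leaves the struct; blobs are nonce||AES-256-GCM output with the CMK ID as associated data.
type fakeKMS struct {
	cmkID  string
	master []byte
}

func (k *fakeKMS) Encrypt(cmkID string, plaintext []byte) ([]byte, error) {
	if cmkID != k.cmkID {
		return nil, fmt.Errorf("unknown CMK %q", cmkID)
	}
	if len(plaintext) >= 4096 { // mirrors the page's "less than 4 KB" limit for direct Encrypt
		return nil, fmt.Errorf("%d bytes is over the direct Encrypt limit; use envelope encryption", len(plaintext))
	}
	return sealGCM(k.master, plaintext, []byte(k.cmkID)), nil
}

func (k *fakeKMS) Decrypt(blob []byte) ([]byte, error) { return openGCM(k.master, blob, []byte(k.cmkID)) }

func (k *fakeKMS) GenerateDataKey(cmkID string) ([]byte, []byte, error) {
	plain := randomBytes(32) // a fresh 256-bit data key for every file
	wrapped, err := k.Encrypt(cmkID, plain)
	return plain, wrapped, err
}

// must, randomBytes and gcmFor panic only on a broken CSPRNG or a bad key size, never on input.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}
func gcmFor(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

func sealGCM(key, plaintext, aad []byte) []byte { // returns nonce||ciphertext||tag
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func openGCM(key, blob, aad []byte) ([]byte, error) { // rejects any tampering
	gcm := gcmFor(key)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// EncryptFile is encryption steps 2-4: one GenerateDataKey call, local AES-GCM over the whole
// file, and one storable envelope, len(wrappedKey)|wrappedKey|cipherFile. The wrapped key is
// also the file's associated data, so halves of two envelopes cannot be recombined.
func EncryptFile(kms KeyService, cmkID string, file []byte) ([]byte, error) {
	plainKey, wrappedKey, err := kms.GenerateDataKey(cmkID)
	if err != nil {
		return nil, err
	}
	env := make([]byte, 4)
	binary.BigEndian.PutUint32(env, uint32(len(wrappedKey)))
	env = append(env, wrappedKey...)
	return append(env, sealGCM(plainKey, file, wrappedKey)...), nil
}

// DecryptFile is decryption steps 1-3: split the envelope, unwrap the key with one small KMS
// call, then decrypt locally; the bulk data never crosses the network.
func DecryptFile(kms KeyService, env []byte) ([]byte, error) {
	if len(env) < 4 || uint64(len(env)-4) < uint64(binary.BigEndian.Uint32(env)) {
		return nil, fmt.Errorf("malformed envelope")
	}
	n := 4 + binary.BigEndian.Uint32(env)
	wrappedKey, cipherFile := env[4:n], env[n:]
	plainKey, err := kms.Decrypt(wrappedKey)
	if err != nil {
		return nil, err
	}
	return openGCM(plainKey, cipherFile, wrappedKey)
}

func main() {
	kms := &fakeKMS{cmkID: "cmk-demo", master: randomBytes(32)}
	env, _ := EncryptFile(kms, "cmk-demo", make([]byte, 1<<20)) // 1 MiB: far above the direct Encrypt limit
	plain, err := DecryptFile(kms, env)
	fmt.Println("envelope round trip ok:", err == nil && len(plain) == 1<<20)
}
```

The HTTPS certificate scenario is the Encrypt/Decrypt pair on its own: the PEM is small enough to go through Encrypt directly, and the server calls Decrypt once at start-up. For files, EncryptFile and DecryptFile each make exactly one KMS call carrying a 32-byte key, however large the file is. The wrapped data key is stored next to the ciphertext and fed to AES-GCM as associated data, so the key and the file are authenticated together on decryption. Neither function keeps the plaintext data key after it returns; a long-lived server should also zero the slice explicitly rather than leave it to the garbage collector.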

Note:

  1. Your client must verify the HTTPS certificate of the Alibaba Cloud KMS endpoint (never disable TLS certificate verification in the SDK or HTTP client); otherwise an attacker impersonating the endpoint can intercept the plaintext you send to, or receive from, KMS.
  2. We recommend that you use RAM sub-accounts (RAM users) to apply the principle of least privilege: grant each server or application only the KMS operations it actually calls, on only the CMKs it needs, rather than full KMS access.