
Scenarios

Last Updated: Aug 21, 2018

Common usage of KMS:

  • Use CMK to encrypt and decrypt data
  • Use envelope encryption to encrypt and decrypt data locally

Legend

The figures below use icons for the following items (the icon images are not reproduced here):

  • CMK
  • Plaintext key
  • Ciphertext key
  • Plaintext certificate
  • Ciphertext certificate
  • Plaintext file
  • Ciphertext file

Use CMK to encrypt and decrypt data

You can use a CMK to encrypt and decrypt a small amount of data (less than 4 KB). KMS uses secure channels for data transmission.

Scenario: protect the HTTPS certificate of a server

[Figure: scenario1]

Procedure:

  1. Create a CMK in the KMS console or by calling CreateKey.
  2. Call Encrypt to encrypt the plaintext certificate.
  3. Deploy the encrypted certificate on the server.
  4. Call Decrypt to decrypt the encrypted certificate for authentication.

Use envelope encryption to encrypt and decrypt data locally

You can use KMS to create a CMK, and use the CMK to generate a data key, which is then used as the encryption key to encrypt and decrypt large amounts of data locally. This way, you avoid the cost of sending the data itself over the network for encryption and decryption.

Scenario: Encrypt a local file

[Figure: scenario2.1]

Procedure:

  1. Create a CMK in the KMS console or by calling CreateKey.
  2. Call GenerateDataKey to generate a data key. It returns a plaintext data key and an encrypted data key.
  3. Use the plaintext data key to encrypt the file locally, then erase the plaintext data key from memory.
  4. Store the encrypted data key alongside the locally encrypted data.
  5. To decrypt data locally:
    1. Call Decrypt to decrypt the encrypted data key into a plaintext data key.
    2. Use the plaintext data key to decrypt data locally, then erase the plaintext data key from memory.

[Figure: scenario2.2]

Note:

  • We recommend that you use your RAM account to perform KMS operations for better permission control.