[Figure: two flows side by side. Left, direct KMS encryption: plaintext certificate to ciphertext certificate. Right, encryption with a data key: plaintext file to ciphertext file.]
You can call the KMS API directly and use a specified CMK to encrypt and decrypt data. This scenario suits small amounts of data (less than 4 KB). The data is sent to the KMS server over a secure channel, encrypted or decrypted on the server, and returned over a secure channel.
- Create a CMK.
- Call the KMS Encrypt interface to encrypt the plaintext certificate into a ciphertext certificate.
- Deploy the ciphertext certificate on the server.
- When the server starts and needs the certificate, call the KMS Decrypt interface to decrypt the ciphertext certificate back into the plaintext certificate.
You can call the KMS API directly, use a specified CMK to generate and decrypt a data key, and then use that data key to encrypt and decrypt data locally. This scenario suits large volumes of data: only the data key, not the data itself, crosses the network, so bulk encryption and decryption stays cheap.
- Create a CMK.
- Call the KMS GenerateDataKey interface to generate a data key. The response contains both the plaintext data key and the ciphertext data key (the same key, encrypted under the CMK).
- Use the plaintext data key to encrypt the file and generate a ciphertext file.
- Save the ciphertext data key and the ciphertext file to a persistent storage device or service.
- Read the ciphertext data key and the ciphertext file from the persistent storage device or service.
- Call the KMS Decrypt interface to decrypt the ciphertext data key to obtain the plaintext data key.
- Use the plaintext data key to decrypt the file.
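The data-key workflow above, written out as an added Go example that is not part of this documentation or of the Alibaba Cloud SDK. AES-256-GCM is assumed as the local cipher; the two calls made with cmk stand in for the KMS GenerateDataKey and Decrypt API calls (in production the CMK never leaves KMS and only the plaintext and ciphertext data keys come back), and only the wrapped key and the ciphertext file need to be persisted.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM returns AES-256-GCM for a 32-byte key; a wrong key length is a programming error here.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // NewGCM only fails for non-128-bit block ciphers
	return g
}
// aeadSeal encrypts plaintext under key; the random 12-byte nonce is prepended to the output.
func aeadSeal(key, plaintext []byte) []byte {
	g := newGCM(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // a failing system RNG is not recoverable
	}
	return g.Seal(nonce, nonce, plaintext, nil)
}
// aeadOpen reverses aeadSeal and rejects any ciphertext whose authentication tag does not verify.
func aeadOpen(key, sealed []byte) ([]byte, error) {
	g := newGCM(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}
// EnvelopeEncrypt is steps 2-4: aeadSeal(cmk, dataKey) stands in for KMS GenerateDataKey (assumed mock); the plaintext data key never leaves this call.
func EnvelopeEncrypt(cmk, file []byte) (wrappedKey, ctFile []byte) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		panic(err)
	}
	return aeadSeal(cmk, dataKey), aeadSeal(dataKey, file)
}
// EnvelopeDecrypt is steps 5-7: aeadOpen(cmk, ...) stands in for KMS Decrypt (assumed mock); the file is decrypted locally.
func EnvelopeDecrypt(cmk, wrappedKey, ctFile []byte) ([]byte, error) {
	dataKey, err := aeadOpen(cmk, wrappedKey)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dataKey, ctFile)
}
```

A modified ciphertext file, a modified wrapped key, or a decrypt attempt under a different CMK all fail the GCM tag check and return an error instead of plaintext.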
- You must verify the HTTPS certificate of the Alibaba Cloud server to prevent phishers from stealing your information.
- We recommend that you use the sub-account function of the RAM service to implement the principle of least privilege.