Log Service allows you to use Key Management Service (KMS) to encrypt data that is stored. This way, data is stored in a secure manner. Log Service provides encrypted transmission based on the SSL or TLS protocol to protect data from potential security risks on the cloud.

Server-side encryption

Log Service supports the following encryption types:

  • Encryption by using service keys

    Log service generates an independent service key for each Logstore. The service key never expires.

    Log Service supports the Advanced Encryption Standard (AES) and SM4 encryption algorithms.

  • Encryption by using Bring Your Own Key (BYOK) keys

    You can create a CMK in the KMS console and grant the relevant permissions to Log Service. When Log Service calls a KMS API operation, this CMK is used to create a key that is used to encrypt data. If the CMK is deleted or disabled, the corresponding BYOK key becomes invalid.

    Notice If the CMK created in the KMS console becomes invalid, all read and write requests to the Logstore fail.

For more information, see Encrypt data.

Encrypted transmission based on SSL or TLS

Log Service can be accessed over HTTP or HTTPS. SSL or TLS is a Layer 4 protocol that helps ensure data privacy and data integrity between two applications.

  • Encrypted transmission based on Logtail

    Logtail is an agent that is used by Log Service to collect logs. To prevent your data from being tampered with during transmission, Logtail uses the HTTPS method to obtain private tokens from the server and signs all data packets that are used to send logs.

  • Encrypted transmission based on SDKs

    Log Service provides SDKs in multiple programming languages, such as Java, Python, .NET, PHP, and C. This helps you use Log Service in an efficient manner. Log Service SDKs allow you to use the HTTPS method to read data from and write data to Log Service.