Log Service allows you to use Key Management Service (KMS) to encrypt data so that it is stored securely. This topic describes the data encryption mechanism of Log Service and how to encrypt data by using KMS.
Prerequisites
Data encryption mechanism
Log Service supports the following encryption types:
- Encryption by using service keys
Log Service generates an independent service key for each Logstore. The service key never expires.
Log Service supports the Advanced Encryption Standard (AES) and SM4 encryption algorithms.
- Encryption by using Bring Your Own Key (BYOK) keys
You can create a customer master key (CMK) in the KMS console and grant the relevant permissions to Log Service. When Log Service calls a KMS API operation, KMS uses this CMK to generate the key that encrypts the data. If the CMK is deleted or disabled, the corresponding BYOK key becomes invalid.
Notice If the CMK created in the KMS console becomes invalid, all read and write requests to the Logstore fail.
Step 1: Authorize Log Service to access KMS
Before you can use a BYOK key to encrypt data, you must authorize Log Service to access KMS.
Step 2: Configure data encryption for a Logstore
encrypt_conf = {
    "enable": True,  # Specifies whether data encryption is enabled.
    "encrypt_type": "default",  # The encryption algorithm. Valid values: default and m4.
    "user_cmk_info": {  # Optional. If you configure this parameter, the BYOK key is used. If you omit it, the service key is used.
        "cmk_key_id": "",  # The ID of the CMK to which the BYOK key belongs, for example, f5136b95-2420-ab31-xxxxxxxxx.
        "arn": "",  # The ARN of the RAM role. For more information, see How do I obtain the ARN of a RAM role?
        "region_id": "",  # The ID of the region where the CMK resides.
    },
}
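As an added example (not code from the Log Service documentation or SDK), the following Python builds and validates an encrypt_conf according to the rules above: omitting user_cmk_info selects the service key, while a BYOK configuration must carry all three fields, since an unresolvable CMK makes every read and write to the Logstore fail. The apply_encryption helper assumes that LogClient.update_logstore in aliyun-log-python-sdk accepts an encrypt_conf keyword argument; the CMK ID and ARN values are constructed placeholders.

```python
# Added example: build and check an encrypt_conf for a Logstore.
VALID_ENCRYPT_TYPES = ("default", "m4")  # values documented for encrypt_type


def build_encrypt_conf(encrypt_type="default", cmk_key_id=None, arn=None, region_id=None):
    """Return an encrypt_conf dict, or raise ValueError for an unusable one.

    No BYOK fields: the Logstore's own service key is used (user_cmk_info omitted).
    Any BYOK field: all of cmk_key_id, arn and region_id are required.
    """
    if encrypt_type not in VALID_ENCRYPT_TYPES:
        raise ValueError(f"encrypt_type must be one of {VALID_ENCRYPT_TYPES}, got {encrypt_type!r}")
    conf = {"enable": True, "encrypt_type": encrypt_type}
    byok = {"cmk_key_id": cmk_key_id, "arn": arn, "region_id": region_id}
    provided = {k: v for k, v in byok.items() if v}
    if not provided:
        return conf  # service key: do not emit user_cmk_info at all
    missing = sorted(set(byok) - set(provided))
    if missing:
        raise ValueError(f"BYOK needs cmk_key_id, arn and region_id; missing {missing}")
    conf["user_cmk_info"] = provided
    return conf


def uses_byok(conf):
    """True when the Logstore depends on a customer CMK rather than the service key."""
    return conf.get("enable") is True and "user_cmk_info" in conf


def apply_encryption(client, project, logstore, conf):
    """Apply conf to an existing Logstore.

    Assumption (not taken from the page): LogClient.update_logstore accepts
    encrypt_conf as a keyword argument in aliyun-log-python-sdk.
    """
    return client.update_logstore(project, logstore, encrypt_conf=conf)


if __name__ == "__main__":
    # Constructed placeholder values, not real identifiers.
    conf = build_encrypt_conf(
        "m4",
        cmk_key_id="00000000-0000-0000-0000-000000000000",
        arn="acs:ram::000000000000:role/placeholder-log-kms-role",
        region_id="cn-hangzhou",
    )
    print(conf)
```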