Key Management Service
- Product Introduction
- Purchase Guide
- Console Guide
- Key Management
- TCCLI Management Guide
- Practical Tutorial
- Symmetrical Encryption and Decryption
- Encrypting/Decrypting Sensitive Data
- Envelope Encryption/Decryption
- Asymmetric Encryption and Decryption
- Asymmetric Signature Verification
- Importing External Key
- API documentation
- Making API Requests
- Key APIs
- Asymmetric Key APIs
DocumentationKey Management ServicePractical TutorialSymmetrical Encryption and DecryptionEncrypting/Decrypting Sensitive DataOverview
Overview
Last updated: 2024-01-11 16:31:21
Sensitive information encryption is a core capability of KMS, which is mainly used to protect small pieces of sensitive data (less than 4 KB) such as keys, certificates, and configuration files. A CMK is used to encrypt sensitive data instead of storing it in plaintext. During decryption, the data ciphertext is decrypted to the memory, so that the plaintext does not get stored in the disk. HTTPS requests are used in the entire interaction and transfer process, ensuring the security of sensitive data.
If you need to use KMS for high-performance encryption/decryption of massive amounts of data, please see Envelope Encryption scenario.
Examples of sensitive information
- | Key/Certificate | Backend Configuration File |
Usage | Encrypts business data, communication channels, and digital signatures. | Stores system architecture and other business information, such as database IP and password. |
Risk of data loss | Confidential information is stolen; encrypted tunnels are monitored; signatures are faked. | Business data is breached and used to attack other systems. |
Schematic diagram
In this scenario, sensitive data is encrypted/decrypted through a CMK, which is protected by a third-party certified hardware security module (HSM). The CMK performs encryption/decryption inside the HSM, and any unauthorized party, including Tencent Cloud, has no access to the CMK in plaintext.
Features
Permission control: Fully integrated with CAM, KMS can control which accounts have access to your CMK through identity and policy management.
Built-in audit: KMS is integrated with CloudAudit to record all API requests for detailed statistics of key management activities and key usage, ensuring that all data operations can be traced and audited.
Integrated key management: KMS enables centralized management of keys from various applications.
Security and compliance: KMS leverages a State Cryptography Administration of China or FIPS-140-2 certified hardware security module (HSM) to generate and protect keys, thereby ensuring their confidentiality, integrity, and availability.
Sensitive data encryption: KMS supports encryption/decryption of small pieces of sensitive data (less than 4 KB), such as keys, certificates, and configuration files.
Precautions
Secure storage of
SecretId and SecretKey:Tencent Cloud API authentication mainly relies on
SecretId and SecretKey, which are your unique credentials. Tencent Cloud's service systems need such credentials to call Tencent Cloud APIs.Permission control over
SecretId and SecretKey:It is recommended to use a sub-account and manage risks by means of API authorization as needed.
Plaintext data storage:
Data has already encrypted through sensitive data encryption. To ensure data security, please make sure that the original plaintext data is deleted.
Was this page helpful?
You can also Contact Sales or Submit a Ticket for help.
Yes
No