Key Management Service
Operation Guide
Last updated: 2024-01-11 16:31:21
This operation guide takes Python as an example. Operations in other programming languages can be performed in a similar way.

Preparations

Environment for the sample code: Python 2.7.
Activate KMS: you can do so in the Tencent Cloud Console.
Activate the TencentCloud API key service: obtain the SecretId, SecretKey, and endpoint. The endpoint of KMS is kms.tencentcloudapi.com. For more information, please see the documentation of the specified product.
Install the SDK: run the following command. For more information, please see the open-source tencentcloud-sdk-python project on GitHub.
pip install tencentcloud-sdk-python

Process

You can follow the three steps below to complete envelope encryption.
1. Create a CMK.
2. Encrypt data through envelope encryption. Your application calls the KMS GenerateDataKey API to generate a DEK, encrypts the data with the plaintext key, and stores the ciphertext key and the ciphertext on disk.
3. Decrypt data. Your application reads the ciphertext key and the ciphertext from disk, decrypts the ciphertext key through the KMS Decrypt API to obtain the plaintext key, and finally decrypts the ciphertext data with the plaintext key.

Steps

Step 1. Create a CMK

For more information on how to create a CMK, please see Creating a Key.

Step 2. Encrypt data through envelope encryption

If a new DEK is needed (e.g., data needs to be encrypted for a new user, or a DEK has been reused for longer than the specified period), call the KMS API to create a new DEK, encrypt the data with the plaintext key in memory, and store the ciphertext and the ciphertext key on disk.

Generating a DEK and encrypting your data

The GenerateDataKey API generates a DEK: a second-level key generated under a CMK and used for encrypting and decrypting local data. KMS does not store or manage DEKs; you must store them yourself.
The examples below are implemented in the Tencent Cloud SDK for Python, which can also be implemented in other supported programming languages.
The KeyId parameter is required for this API. For more information, please see the GenerateDataKey API document.

Example in the SDK for Python

# -*- coding: utf-8 -*-
from __future__ import print_function  # same print() syntax on Python 2.7 and 3
import base64
from Crypto.Cipher import AES
from tencentcloud.common import credential
from tencentcloud.common.exception.tencent_cloud_sdk_exception import TencentCloudSDKException
from tencentcloud.kms.v20190118 import kms_client, models

def KmsInit(region="ap-guangzhou", secretId="", secretKey=""):
    try:
        credProfile = credential.Credential(secretId, secretKey)
        client = kms_client.KmsClient(credProfile, region)
        return client
    except TencentCloudSDKException as err:
        print(err)
        return None

def GenerateDatakey(client, keyId, keyspec='AES_128'):
    try:
        req = models.GenerateDataKeyRequest()
        req.KeyId = keyId
        req.KeySpec = keyspec
        # Call the `GenerateDataKey` API
        generatedatakeyResp = client.GenerateDataKey(req)
        # The plaintext key (Plaintext) is used only in memory; the ciphertext key
        # (CiphertextBlob) is what you persist next to the encrypted data
        print("DEK cipher=", generatedatakeyResp.CiphertextBlob)
        return generatedatakeyResp
    except TencentCloudSDKException as err:
        print(err)
        return None

def AddTo16(value):
    # Pad with NUL bytes up to a multiple of the 16-byte AES block size
    while len(value) % 16 != 0:
        value += '\0'
    return str.encode(value)

# User-defined logic. The example here is for reference only.
# ECB mode is deterministic and reveals repeated plaintext blocks; it is used
# here only to keep the sample short.
def LocalEncrypt(dataKey="", plaintext=""):
    # Plaintext from GenerateDataKey is base64-encoded, so decode it first
    aes = AES.new(base64.b64decode(dataKey), AES.MODE_ECB)
    encryptedData = aes.encrypt(AddTo16(plaintext))
    ciphertext = base64.b64encode(encryptedData)
    print("plaintext=", plaintext, ", cipher=", ciphertext)
    return ciphertext

if __name__ == '__main__':
    # User-defined parameters
    secretId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    secretKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    region = "ap-guangzhou"
    keyId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    keySpec = "AES_256"
    plaintext = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

    client = KmsInit(region, secretId, secretKey)
    rsp = GenerateDatakey(client, keyId, keySpec)

    # Store rsp.CiphertextBlob together with the returned ciphertext
    LocalEncrypt(rsp.Plaintext, plaintext)

Step 3. Decrypt data

Read the ciphertext key stored on disk, call the Decrypt API to decrypt it, and then decrypt the data with the resulting plaintext key.

Decrypting (in KMS SDK for Python)

The Decrypt API decrypts data that was encrypted under a CMK; here it is used to decrypt the ciphertext DEK returned by GenerateDataKey.
The examples below are called with the Tencent Cloud SDK for Python and can also be called with any supported programming language.
The CiphertextBlob parameter is required for this API. For more information, please see the Decrypt API document.

Example in the SDK for Python

Decrypt the DEK ciphertext key by calling the KMS Decrypt API, and then use the obtained DEK plaintext to decrypt the ciphertext data.
# -*- coding: utf-8 -*-
from __future__ import print_function  # same print() syntax on Python 2.7 and 3
import base64
from Crypto.Cipher import AES
from tencentcloud.common import credential
from tencentcloud.common.exception.tencent_cloud_sdk_exception import TencentCloudSDKException
from tencentcloud.kms.v20190118 import kms_client, models

def KmsInit(region="ap-guangzhou", secretId="", secretKey=""):
    try:
        credProfile = credential.Credential(secretId, secretKey)
        client = kms_client.KmsClient(credProfile, region)
        return client
    except TencentCloudSDKException as err:
        print(err)
        return None

def DecryptDataKey(client, ciphertextBlob):
    try:
        req = models.DecryptRequest()
        req.CiphertextBlob = ciphertextBlob
        rsp = client.Decrypt(req)  # Call the `Decrypt` API to decrypt the DEK
        return rsp
    except TencentCloudSDKException as err:
        print(err)
        return None

# User-defined logic. The example here is for reference only.
# Must match the mode and padding used by LocalEncrypt in Step 2.
def LocalDecrypt(dataKey="", ciphertext=""):
    # Plaintext from Decrypt is base64-encoded, so decode it first
    aes = AES.new(base64.b64decode(dataKey), AES.MODE_ECB)
    decryptedData = aes.decrypt(base64.b64decode(ciphertext))
    # Strip the NUL padding that AddTo16 appended at encryption time
    plaintext = decryptedData.rstrip(b'\0')
    print("plaintext=", plaintext, ", cipher=", ciphertext)
    return plaintext

if __name__ == '__main__':
    # User-defined parameters
    secretId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    secretKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    region = "ap-guangzhou"
    dekCipherBlob = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    ciphertext = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

    client = KmsInit(region, secretId, secretKey)
    rsp = DecryptDataKey(client, dekCipherBlob)

    LocalDecrypt(rsp.Plaintext, ciphertext)