Sensitive information encryption is the core capability of KMS, and it is suited to protecting small amounts of sensitive data (less than 6KB), such as passwords, certificates, and configuration files. Through the online encryption API, KMS encrypts the sensitive data directly with the customer master key (CMK) rather than storing the plaintext, which keeps the sensitive data secure.
Scenario Diagram
Operation Procedure (taking certificate encryption as an example)
1. Create a CMK in the KMS console or by calling the CreateKey API.
2. Call the Encrypt API of KMS to encrypt the plaintext certificate into the ciphertext certificate.
3. Deploy the ciphertext certificate on a server.
4. Call the Decrypt API of KMS to decrypt the ciphertext certificate into the plaintext certificate when the server starts and needs to use the certificate.
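An added walkthrough of steps 1 to 4, not code from this page or from any vendor SDK: the KMS client below is an offline stand-in that mirrors the CreateKey/Encrypt/Decrypt shape (an assumption, with an in-memory vault instead of real CMK encryption), and the server's filesystem is modelled as a dict, so it runs without cloud access. It shows the under-6KB guard on Encrypt, that only ciphertext ever reaches the server, and decryption into memory at startup.

```python
import base64
import secrets

MAX_PLAINTEXT_BYTES = 6 * 1024  # the online Encrypt API only accepts payloads under 6KB


class StubKms:
    """Offline stand-in for the KMS service (constructed for this example, not a real SDK).
    It hands out opaque blobs only the service can reverse; a real KMS encrypts under the CMK."""

    def __init__(self):
        self._keys = set()
        self._vault = {}  # blob -> (key_id, plaintext), reachable only through the service

    def create_key(self):  # step 1: CreateKey
        key_id = "key-" + secrets.token_hex(8)
        self._keys.add(key_id)
        return key_id

    def encrypt(self, key_id, plaintext):  # step 2: Encrypt
        if key_id not in self._keys:
            raise KeyError("unknown CMK")
        if len(plaintext) >= MAX_PLAINTEXT_BYTES:
            raise ValueError("plaintext must be under 6KB; wrap larger data with a data key")
        blob = base64.b64encode(secrets.token_bytes(32)).decode()
        self._vault[blob] = (key_id, plaintext)
        return blob

    def decrypt(self, blob):  # step 4: Decrypt
        if blob not in self._vault:
            raise ValueError("ciphertext was not produced by this KMS")
        return self._vault[blob][1]


def deploy_certificate(kms, key_id, cert_pem, server_files):
    """Steps 2-3: encrypt the PEM and place only the ciphertext on the server.
    server_files is a dict standing in for the server's filesystem (path -> contents)."""
    server_files["/etc/app/server.crt.enc"] = kms.encrypt(key_id, cert_pem)


def load_certificate(kms, server_files):
    """Step 4: at service start, decrypt the deployed blob; the plaintext lives only in memory."""
    return kms.decrypt(server_files["/etc/app/server.crt.enc"].strip())


def demo():
    """End-to-end run of steps 1-4 with a constructed sample certificate."""
    kms, server_files = StubKms(), {}
    cert = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgU0FNUExF\n-----END CERTIFICATE-----\n"
    deploy_certificate(kms, kms.create_key(), cert, server_files)
    stored = server_files["/etc/app/server.crt.enc"].encode()
    ok = load_certificate(kms, server_files) == cert
    return {"plaintext_on_server": cert in stored, "roundtrip_ok": ok}
```

With a real KMS the stub is replaced by the vendor SDK client, and the rest of the flow (size guard, ciphertext-only deployment, decrypt at startup) stays the same.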