Key Management Service (KMS) is integrated with EVS, ZOS, Elastic File, and the MySQL edition of the relational database service. When using these cloud services, you can use KMS to encrypt and decrypt data and to manage the keys involved.
Key Types Supporting Server-side Encryption
For server-side encryption, you can select either the default key or a CMK you have created. The following table shows the key types available.
Key Creator | Key Type | Key Algorithm |
Cloud product | Default key | AES_256 (default) |
Created by user | CMK-software | AES_256 |
Created by user | CMK-hardware | AES_256 |
Note: At present, a CMK can be chosen for server-side encryption only for database products; for other storage products, only the default key can be used.
Default Key
- The default key is created automatically by the system for each cloud product and is used for that product's server-side encryption. Each cloud product has its own default key; by default, there is one default key per cloud product under each eSurfing Cloud account.
- The alias of the default key is defined as alias_<cloud product code>, for example alias_ecs.
- The key material of the default key is generated by KMS. Importing external key material is not supported, nor are operations such as automatic rotation, enabling/disabling, scheduled deletion, and custom aliases.
User Master Key (CMK)
- When encrypting cloud product data, you can select a CMK you created in KMS. The key is symmetric and uses the AES_256 algorithm; for the protection level you can choose either software protection or hardware protection.
- CMKs are charged at the standard KMS rates, so make sure your account balance is sufficient. If the balance is insufficient, the KMS service is frozen, the cloud product can no longer use it for encryption and decryption, and errors may occur.
- You can delete a CMK. Before deleting it, make sure it is not in use for cloud product encryption; otherwise encryption and decryption will fail after the deletion and the cloud product will malfunction. To guard against accidental deletion, enable the deletion protection function.
Cloud Product Server-side Encryption
Cloud products encrypt data with an envelope encryption mechanism. KMS generates a data encryption key (DEK); the cloud product server uses the DEK for its encryption and decryption operations and stores the DEK ciphertext together with the data ciphertext on disk. The process is as follows:
1. Create a CMK in KMS, or let the cloud product create its default key.
2. The cloud product calls the KMS GenerateDataKey API to request a DEK.
3. KMS returns the DEK in both plaintext and ciphertext form; the ciphertext is the plaintext encrypted under the specified key (the CMK or the default key).
4. The cloud product encrypts the data plaintext with the DEK plaintext, then writes the DEK ciphertext (encrypted by KMS with the key) and the data ciphertext (encrypted by the cloud product with the DEK) to persistent storage.