tencent cloud

Key Management Service

Product Introduction
Product Overview
Product Strengths
Use Cases
Concepts
Purchase Guide
Billing Overview
Purchase Method
Renewal Instructions
Payment Overdue
Console Guide
Getting Started
Key Management
Access Control
Audit
TCCLI Management Guide
Operation Overview
Creating Key
Viewing Key
Editing Key
Enabling/Disabling Key
Key Rotation
Encryption and Decryption
Asymmetric key decryption
Deleting Key
Practical Tutorial
Symmetrical Encryption and Decryption
Asymmetric Encryption and Decryption
Post-Quantum Cryptography Practice In KMS
Importing External Key
Implementing Exponential Backoff to Deal with Service Frequency
Cloud Product Integration with KMS for Transparent Encryption
API documentation
History
Introduction
API Category
Key APIs
Making API Requests
Asymmetric Key APIs
Data Types
Error Codes
Service Level Agreement
FAQS
FAQs
General
KMS Policy
Privacy Policy
Data Processing And Security Agreement
Contact Us
Glossary
ドキュメントKey Management ServicePractical TutorialSymmetrical Encryption and Decryption Envelope Encryption/DecryptionOperation Guide

Operation Guide

PDF
フォーカスモード
フォントサイズ
最終更新日: 2024-01-11 16:31:21
This operation guide takes Python as an example. Operations in other programming languages can be performed in a similar way.

Preparations

Dependent environment of the sample code: Python 2.7.
Activate KMS: you can do so in the Tencent Cloud Console.
Activate TencentCloud API key service: get the SecretID, SecretKey, and endpoint. The endpoint of KMS is kms.tencentcloudapi.com. For more information, please see the documentation of the specified product.
Install the SDK: run the following command. For more information, please see the open-source tencentcloud-sdk-python project on GitHub.
pip install tencentcloud-sdk-python

Process

You can follow the three steps below to complete envelope encryption.
1. Create a CMK.
2. Encrypt data through envelope encryption. Your application calls the KMS GenerateDataKey API to generate a DEK, and the system encrypts data with the plaintext key and stores the ciphertext key and ciphertext in the disk.
3. Decrypt data. The system reads the ciphertext key and ciphertext, decrypts the ciphertext key through the Decrypt API of KMS, returns the plaintext key, and finally decrypts the ciphertext data with the plaintext key.

Steps

Step 1. Create a CMK

For more information on how to create a CMK, please see Creating a Key.

Step 2. Encrypt data through envelope encryption

If a new DEK is needed (e.g., data needs to be encrypted for new users or the reuse of a DEK exceeds the specified period of time), you can call a KMS API to create a new DEK, then encrypt data with the plaintext key in the memory, and store the ciphertext and ciphertext key in the disk.

Generating a DEK and encrypting your data

The GenerateDataKey API is used to generate a DEK, which is a second-level key generated based on a CMK and used for encrypting and decrypting local data. KMS does not store or manage DEKs, which need to be stored by yourself instead.
The examples below are implemented in the Tencent Cloud SDK for Python, which can also be implemented in other supported programming languages.
The KeyId parameter is required for this API. For more information, please see the GenerateDataKey API document.

Example in the SDK for Python

# -*- coding: utf-8 -*-
import base64
from Crypto.Cipher import AES
from tencentcloud.common import credential
from tencentcloud.common.exception.tencent_cloud_sdk_exception import TencentCloudSDKException
from tencentcloud.common.profile.client_profile import ClientProfile
from tencentcloud.common.profile.http_profile import HttpProfile
from tencentcloud.kms.v20190118 import kms_client, models

def KmsInit(region="ap-guangzhou", secretId="", secretKey=""):
    try:
        credProfile = credential.Credential(secretId, secretKey)
        client = kms_client.KmsClient(credProfile, region)
        return client
    except TencentCloudSDKException as err:
        print(err)
        return None

def GenerateDatakey(client, keyId, keyspec='AES_128'):
    try:
        req = models.GenerateDataKeyRequest()
        req.KeyId = keyId
        req.KeySpec = keyspec
        # Call the `GenerateDataKey` API
        generatedatakeyResp = client.GenerateDataKey(req)
        # The plaintext key needs to be used in the memory, while the ciphertext key is used for persistent storage
        print "DEK cipher=", generatedatakeyResp.CiphertextBlob
        return generatedatakeyResp
    except TencentCloudSDKException as err:
        print(err)

def AddTo16(value):
    while len(value) % 16 != 0:
        value += '\\0'
    return str.encode(value)

# User-defined logic. The example here is for reference only
def LocalEncrypt(dataKey="", plaintext=""):
    aes = AES.new(base64.b64decode(dataKey), AES.MODE_ECB)
    encryptedData = aes.encrypt(AddTo16(plaintext))
    ciphertext = base64.b64encode(encryptedData)
    print "plaintext=", plaintext, ", cipher=", ciphertext

if __name__ == '__main__':
    # User-defined parameters
    secretId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    secretKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    region = "ap-guangzhou"
    keyId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    keySpec = "AES_256"
    plaintext = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

    client = KmsInit(region, secretId, secretKey)
    rsp = GenerateDatakey(client, keyId, keySpec)

    LocalEncrypt(rsp.Plaintext, plaintext)

Step 3. Decrypt data

Read the ciphertext key stored in the disk, call the Decrypt API to decrypt the ciphertext key, and then decrypt data through the decrypted plaintext key.

Decrypting (in KMS SDK for Python)

The Decrypt API is used to decrypt data.
The examples below are called with the Tencent Cloud SDK for Python, which can also be called with any supported programming languages.
The CiphertextBlob parameter is required for this API. For more information, please see the Decrypt API document.

Example in the SDK for Python

Decrypt the DEK ciphertext key by calling the KMS Decrypt API, and then use the obtained DEK plaintext to decrypt the ciphertext data.
# -*- coding: utf-8 -*-
import base64
from Crypto.Cipher import AES
from tencentcloud.common import credential
from tencentcloud.common.exception.tencent_cloud_sdk_exception import TencentCloudSDKException
from tencentcloud.common.profile.client_profile import ClientProfile
from tencentcloud.common.profile.http_profile import HttpProfile
from tencentcloud.kms.v20190118 import kms_client, models

def KmsInit(region="ap-guangzhou", secretId="", secretKey=""):
    try:
        credProfile = credential.Credential(secretId, secretKey)
        client = kms_client.KmsClient(credProfile, region)
        return client
    except TencentCloudSDKException as err:
        print(err)
        return None

def DecryptDataKey(client, ciphertextBlob):
    try:
        req = models.DecryptRequest()
        req.CiphertextBlob = ciphertextBlob
        rsp = client.Decrypt(req) # Call the `Decrypt` API to decrypt the DEK
        return rsp
    except TencentCloudSDKException as err:
        print(err)

# User-defined logic. The example here is for reference only
def LocalDecrypt(dataKey="", ciphertext=""):
    aes = AES.new(base64.b64decode(dataKey), AES.MODE_ECB)
    decryptedData = aes.decrypt(base64.b64decode(ciphertext))
    plaintext = str(decryptedData)
    print "plaintext=", plaintext, ", cipher=", ciphertext

if __name__ == '__main__':
    # User-defined parameters
    secretId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    secretKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    region = "ap-guangzhou"
    dekCipherBlob="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    ciphertext="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

    client = KmsInit(region, secretId, secretKey)
    rsp = DecryptDataKey(client, dekCipherBlob)

    LocalDecrypt(rsp.Plaintext, ciphertext)
前の記事へ: Overview次の記事へ: Overview

ヘルプとサポート

この記事はお役に立ちましたか?

フィードバック