Sensitive information encryption is a core capability of KMS. It is mainly used to protect small pieces of sensitive data (less than 4 KB) such as keys, certificates, and configuration files. The sensitive data is encrypted with a CMK instead of being stored in plaintext. On decryption, the ciphertext is decrypted into memory, so the plaintext is not stored on disk. HTTPS requests are used throughout the interaction and transfer process, ensuring the security of sensitive data.
If you need to use KMS for high-performance encryption/decryption of massive amounts of data, see the Envelope Encryption scenario.
| - | Key/Certificate | Backend Configuration File |
|---|---|---|
| Usage | Encrypts business data, communication channels, and digital signatures. | Stores system architecture and other business information, such as database IP and password. |
| Risk of data loss | Confidential information is stolen; encrypted tunnels are monitored; signatures are faked. | Business data is breached and used to attack other systems. |
In this scenario, sensitive data is encrypted/decrypted through a CMK, which is protected by a third-party certified hardware security module (HSM). The CMK performs encryption/decryption inside the HSM, and any unauthorized party, including Tencent Cloud, has no access to the CMK in plaintext.
SecretKey, which are your unique credentials. Tencent Cloud's service systems need such credentials to call Tencent Cloud APIs.
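The flow described above for a backend configuration file, as an added example that is not Tencent Cloud's own sample code: secret fields are replaced by KMS ciphertext before the file is written to disk and are decrypted only into an in-memory dict. It assumes the `tencentcloud-sdk-python` package is installed; the environment variable names, the region, the key ID placeholder, and the helper names `seal_config` and `open_config` are assumptions for illustration.

```python
import base64, json, os

MAX_PLAINTEXT = 4096  # the page's limit: this scenario is for data under 4 KB

def tencent_kms(region, key_id):
    """Return (encrypt, decrypt) callables backed by the Tencent Cloud SDK.
    The SDK is imported lazily so the helpers below work without it."""
    from tencentcloud.common import credential
    from tencentcloud.kms.v20190118 import kms_client, models
    # Assumption: credentials are supplied through these environment variables.
    cred = credential.Credential(os.environ["TENCENTCLOUD_SECRET_ID"],
                                 os.environ["TENCENTCLOUD_SECRET_KEY"])
    client = kms_client.KmsClient(cred, region)
    def encrypt(b64_plaintext):
        req = models.EncryptRequest()
        req.KeyId, req.Plaintext = key_id, b64_plaintext
        return client.Encrypt(req).CiphertextBlob
    def decrypt(ciphertext_blob):
        req = models.DecryptRequest()
        req.CiphertextBlob = ciphertext_blob
        return client.Decrypt(req).Plaintext  # Base64-encoded plaintext
    return encrypt, decrypt

def seal_config(config, secret_fields, encrypt):
    """Return a copy of config that is safe to write to disk: each secret
    field becomes {"kms": <ciphertext>}; other fields are unchanged."""
    sealed = dict(config)
    for name in secret_fields:
        raw = config[name].encode("utf-8")
        if len(raw) >= MAX_PLAINTEXT:
            raise ValueError(f"{name}: {len(raw)} bytes, use envelope encryption")
        sealed[name] = {"kms": encrypt(base64.b64encode(raw).decode("ascii"))}
    return sealed

def open_config(sealed, decrypt):
    """Decrypt sealed fields into a dict held in memory; never write it back."""
    opened = {}
    for name, value in sealed.items():
        if isinstance(value, dict) and set(value) == {"kms"}:
            opened[name] = base64.b64decode(decrypt(value["kms"])).decode("utf-8")
        else:
            opened[name] = value
    return opened

if __name__ == "__main__":  # needs the SDK, credentials and a real CMK ID
    enc, dec = tencent_kms("ap-guangzhou", "<your-cmk-id>")  # placeholder key ID
    on_disk = seal_config({"db_host": "10.0.0.5", "db_password": "constructed-value"},
                          ["db_password"], enc)
    print(json.dumps(on_disk))              # only ciphertext reaches disk or logs
    in_memory = open_config(on_disk, dec)   # plaintext exists only in this process
```

Passing the encrypt and decrypt callables in as arguments lets the sealing logic be exercised with a local stand-in before it is pointed at a real CMK.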