Encryption and Decryption

Last updated: 2020-02-20 18:26:18

    Overview

    The online encryption and decryption operations involve two APIs:

    API Name Description Note
    Encrypt Used for encryption The KeyId and Plaintext parameters are required for this API. For more information, please see the Encrypt API document.
    Decrypt Used for decryption The CiphertextBlob parameter is required for this API. For more information, please see the Decrypt API document.

    Encryption

    The Encrypt API is used to encrypt up to 4 KB of data, such as database passwords, RSA keys, or other sensitive data. For application data, the DEK generated by the GenerateDataKey API can be used to perform encryption and decryption for the local data.

    The examples below are called with TCCLI, which can also be called with any supported programming languages.

    Examples

    Encryption

    If the Encrypt API is called with TCCLI, the plaintext data needs to be Base64-encoded. The This example is used for testing text is used in the following example.

    Input

    tccli kms Encrypt --KeyId 6xxxxxx-xxxx-xxxx-xxxx-5xxxxxxxxx5 --Plaintext 'VGhpcyBleGFtcGxlIGlzIHVzZWQgZm9yIHRlc3Rpbmc='

    Output

    If the execution is successful, the ciphertext and the CMK ID used to encrypt the plaintext will be returned, of which the ciphertext will be used for subsequent decryption operations.

    {
        "KeyId": "6xxxxxx-xxxx-xxxx-xxxx-5xxxxxxxxx5",
        "RequestId": "23781471-c213-44c5-92a4-731b882e25b5",
        "CiphertextBlob": "Rrnqz5fthTxcSdCYIw5pBoEWLvrdqYNZ0oXKOmvYx/1Oo2R+DqEFPjjfVA1n1RE8PmVITaxuJwu9ZANK9uK3WA==-k-fKVP3WIlGpg8m9LMW4jEkQ==-k-mFM/5PEiMJsKC6fagEOfdlocOyC+a1n8PqaTOlBLT+rqjyKLVHUVtqamMQ3ERsYIe0wYoAMszR/FBrCJZ3a3B7f+8Xg="
    }

    Decryption

    This example shows you how to decrypt the encrypted data, where the CMK is the one used in the above example.

    Input

    tccli kms Decrypt --CiphertextBlob 'Rrnqz5fthTxcSdCYIw5pBoEWLvrdqYNZ0oXKOmvYx/1Oo2R+DqEFPjjfVA1n1RE8PmVITaxuJwu9ZANK9uK3WA==-k-fKVP3WIlGpg8m9LMW4jEkQ==-k-mFM/5PEiMJsKC6fagEOfdlocOyC+a1n8PqaTOlBLT+rqjyKLVHUVtqamMQ3ERsYIe0wYoAMszR/FBrCJZ3a3B7f+8Xg='

    Output

    If the execution is successful, the Base64-encoded plaintext and the CMK ID used to encrypt the plaintext will be returned. An additional decryption operation in Base64 is needed to obtain the plaintext.

    {
        "Plaintext": "VGhpcyBleGFtcGxlIGlzIHVzZWQgZm9yIHRlc3Rpbmc=",
        "KeyId": "6xxxxxx-xxxx-xxxx-xxxx-5xxxxxxxxx5",
        "RequestId": "bcce3fae-1794-4136-a486-d42780c10702"
    }

    Was this page helpful?

    Was this page helpful?

    • Not at all
    • Not very helpful
    • Somewhat helpful
    • Very helpful
    • Extremely helpful
    Send Feedback
    Help