tencent cloud

Key Management Service

Encryption and Decryption

Last updated: 2024-01-11 16:28:54

Overview

The online encryption and decryption operations involve two APIs:
| API Name | Description | Note |
| --- | --- | --- |
| Encrypt | Used for encryption | The KeyId and Plaintext parameters are required for this API. For more information, please see the Encrypt API document. |
| Decrypt | Used for decryption | The CiphertextBlob parameter is required for this API. For more information, please see the Decrypt API document. |

Encryption

The Encrypt API is used to encrypt up to 4 KB of data, such as database passwords, RSA keys, or other sensitive data. For application data, use the data encryption key (DEK) generated by the GenerateDataKey API to encrypt and decrypt the data locally.
The examples below call the APIs with TCCLI; the APIs can also be called from any supported programming language.

Examples

Encryption

If the Encrypt API is called with TCCLI, the plaintext data needs to be Base64-encoded. The following example uses the text "This example is used for testing".

Input

tccli kms Encrypt --KeyId 6xxxxxx-xxxx-xxxx-xxxx-5xxxxxxxxx5 --Plaintext 'VGhpcyBleGFtcGxlIGlzIHVzZWQgZm9yIHRlc3Rpbmc='

Output

If the execution is successful, the ciphertext and the ID of the CMK used to encrypt the plaintext are returned. The ciphertext is used in subsequent decryption operations.
{
"KeyId": "6xxxxxx-xxxx-xxxx-xxxx-5xxxxxxxxx5",
"RequestId": "23781471-c213-44c5-92a4-731b882e25b5",
"CiphertextBlob": "Rrnqz5fthTxcSdCYIw5pBoEWLvrdqYNZ0oXKOmvYx/1Oo2R+DqEFPjjfVA1n1RE8PmVITaxuJwu9ZANK9uK3WA==-k-fKVP3WIlGpg8m9LMW4jEkQ==-k-mFM/5PEiMJsKC6fagEOfdlocOyC+a1n8PqaTOlBLT+rqjyKLVHUVtqamMQ3ERsYIe0wYoAMszR/FBrCJZ3a3B7f+8Xg="
}

Decryption

This example shows you how to decrypt the encrypted data, where the CMK is the one used in the above example.

Input

tccli kms Decrypt --CiphertextBlob 'Rrnqz5fthTxcSdCYIw5pBoEWLvrdqYNZ0oXKOmvYx/1Oo2R+DqEFPjjfVA1n1RE8PmVITaxuJwu9ZANK9uK3WA==-k-fKVP3WIlGpg8m9LMW4jEkQ==-k-mFM/5PEiMJsKC6fagEOfdlocOyC+a1n8PqaTOlBLT+rqjyKLVHUVtqamMQ3ERsYIe0wYoAMszR/FBrCJZ3a3B7f+8Xg='

Output

If the execution is successful, the Base64-encoded plaintext and the ID of the CMK used to encrypt the plaintext are returned. An additional Base64 decoding step is needed to obtain the plaintext.
{
"Plaintext": "VGhpcyBleGFtcGxlIGlzIHVzZWQgZm9yIHRlc3Rpbmc=",
"KeyId": "6xxxxxx-xxxx-xxxx-xxxx-5xxxxxxxxx5",
"RequestId": "bcce3fae-1794-4136-a486-d42780c10702"
}
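The Base64 handling on both sides of the calls above, as an added example that is not part of the original documentation. The function names are hypothetical, the 4 KB limit is assumed to apply to the raw bytes before Base64 encoding, and tccli itself is not invoked so the block runs offline.

```shell
#!/bin/sh
# Added example: helpers for the Base64 steps around `tccli kms Encrypt/Decrypt`.
# Function names are hypothetical; only the Encrypt flags shown on this page are assumed.
# Intended use: tccli kms Encrypt --KeyId "$KEY_ID" --Plaintext "$(kms_encode_plaintext < secret.txt)"

KMS_MAX_PLAINTEXT_BYTES=4096   # "up to 4 KB"; assumed to count raw bytes before Base64

# Read plaintext on stdin and print the single-line Base64 value for --Plaintext.
# The raw size is derived from the encoded length, so no plaintext is written to disk.
kms_encode_plaintext() {
    # Some base64 implementations wrap long output; strip the newlines.
    b64=$(base64 | tr -d '\n')
    case "$b64" in
        *==) pad=2 ;;
        *=)  pad=1 ;;
        *)   pad=0 ;;
    esac
    size=$(( ${#b64} / 4 * 3 - pad ))
    if [ "$size" -eq 0 ]; then
        echo "empty plaintext" >&2
        return 1
    fi
    if [ "$size" -gt "$KMS_MAX_PLAINTEXT_BYTES" ]; then
        echo "plaintext is $size bytes; encrypt locally with a DEK from GenerateDataKey" >&2
        return 1
    fi
    printf '%s' "$b64"
}

# Read a Decrypt JSON response on stdin and print the decoded plaintext.
kms_decode_response() {
    b64=$(sed -n 's/.*"Plaintext"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    if [ -z "$b64" ]; then
        echo "no Plaintext field in response" >&2
        return 1
    fi
    printf '%s' "$b64" | base64 -d   # GNU coreutils syntax
}

# Sample input: the Decrypt response shown on this page.
sample_decrypt_response() {
    cat <<'EOF'
{
"Plaintext": "VGhpcyBleGFtcGxlIGlzIHVzZWQgZm9yIHRlc3Rpbmc=",
"KeyId": "6xxxxxx-xxxx-xxxx-xxxx-5xxxxxxxxx5",
"RequestId": "bcce3fae-1794-4136-a486-d42780c10702"
}
EOF
}
```

Feed the plaintext with `printf '%s'` or from a file rather than `echo`, which appends a newline that would become part of the encrypted data.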

