tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
Key Management Service
    Documentation
    Download PDF

    Operation Guide

    Last updated: 2024-01-11 16:31:21
    Download PDF
      This operation guide takes Python as an example. Operations in other programming languages can be performed in a similar way.

      Preparations

      Dependent environment of the sample code: Python 2.7.
      Activate KMS: you can do so in the Tencent Cloud Console.
      Activate TencentCloud API key service: get the SecretID, SecretKey, and endpoint. The endpoint of KMS is kms.tencentcloudapi.com. For more information, please see the documentation of the specified product.
      Install the SDK: run the following command. For more information, please see the open-source tencentcloud-sdk-python project on GitHub.
      pip install tencentcloud-sdk-python

      Process

      You can follow the three steps below to complete envelope encryption.
      1. Create a CMK.
      2. Encrypt data through envelope encryption. Your application calls the KMS GenerateDataKey API to generate a DEK, and the system encrypts data with the plaintext key and stores the ciphertext key and ciphertext in the disk.
      3. Decrypt data. The system reads the ciphertext key and ciphertext, decrypts the ciphertext key through the Decrypt API of KMS, returns the plaintext key, and finally decrypts the ciphertext data with the plaintext key.

      Steps

      Step 1. Create a CMK

      For more information on how to create a CMK, please see Creating a Key.

      Step 2. Encrypt data through envelope encryption

      If a new DEK is needed (e.g., data needs to be encrypted for new users or the reuse of a DEK exceeds the specified period of time), you can call a KMS API to create a new DEK, then encrypt data with the plaintext key in the memory, and store the ciphertext and ciphertext key in the disk.

      Generating a DEK and encrypting your data

      The GenerateDataKey API is used to generate a DEK, which is a second-level key generated based on a CMK and used for encrypting and decrypting local data. KMS does not store or manage DEKs, which need to be stored by yourself instead.
      The examples below are implemented in the Tencent Cloud SDK for Python, which can also be implemented in other supported programming languages.
      The KeyId parameter is required for this API. For more information, please see the GenerateDataKey API document.

      Example in the SDK for Python

      # -*- coding: utf-8 -*-
      import base64
      from Crypto.Cipher import AES
      from tencentcloud.common import credential
      from tencentcloud.common.exception.tencent_cloud_sdk_exception import TencentCloudSDKException
      from tencentcloud.common.profile.client_profile import ClientProfile
      from tencentcloud.common.profile.http_profile import HttpProfile
      from tencentcloud.kms.v20190118 import kms_client, models
      
      def KmsInit(region="ap-guangzhou", secretId="", secretKey=""):
          try:
              credProfile = credential.Credential(secretId, secretKey)
              client = kms_client.KmsClient(credProfile, region)
              return client
          except TencentCloudSDKException as err:
              print(err)
              return None
      
      def GenerateDatakey(client, keyId, keyspec='AES_128'):
          try:
              req = models.GenerateDataKeyRequest()
              req.KeyId = keyId
              req.KeySpec = keyspec
              # Call the `GenerateDataKey` API
              generatedatakeyResp = client.GenerateDataKey(req)
              # The plaintext key needs to be used in the memory, while the ciphertext key is used for persistent storage
              print "DEK cipher=", generatedatakeyResp.CiphertextBlob
              return generatedatakeyResp
          except TencentCloudSDKException as err:
              print(err)
      
      def AddTo16(value):
          while len(value) % 16 != 0:
              value += '\\0'
          return str.encode(value)
      
      # User-defined logic. The example here is for reference only
      def LocalEncrypt(dataKey="", plaintext=""):
          aes = AES.new(base64.b64decode(dataKey), AES.MODE_ECB)
          encryptedData = aes.encrypt(AddTo16(plaintext))
          ciphertext = base64.b64encode(encryptedData)
          print "plaintext=", plaintext, ", cipher=", ciphertext
      
      if __name__ == '__main__':
          # User-defined parameters
          secretId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
          secretKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
          region = "ap-guangzhou"
          keyId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
          keySpec = "AES_256"
          plaintext = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
      
          client = KmsInit(region, secretId, secretKey)
          rsp = GenerateDatakey(client, keyId, keySpec)
      
          LocalEncrypt(rsp.Plaintext, plaintext)

      Step 3. Decrypt data

      Read the ciphertext key stored in the disk, call the Decrypt API to decrypt the ciphertext key, and then decrypt data through the decrypted plaintext key.

      Decrypting (in KMS SDK for Python)

      The Decrypt API is used to decrypt data.
      The examples below are called with the Tencent Cloud SDK for Python, which can also be called with any supported programming languages.
      The CiphertextBlob parameter is required for this API. For more information, please see the Decrypt API document.

      Example in the SDK for Python

      Decrypt the DEK ciphertext key by calling the KMS Decrypt API, and then use the obtained DEK plaintext to decrypt the ciphertext data.
      # -*- coding: utf-8 -*-
      import base64
      from Crypto.Cipher import AES
      from tencentcloud.common import credential
      from tencentcloud.common.exception.tencent_cloud_sdk_exception import TencentCloudSDKException
      from tencentcloud.common.profile.client_profile import ClientProfile
      from tencentcloud.common.profile.http_profile import HttpProfile
      from tencentcloud.kms.v20190118 import kms_client, models
      
      def KmsInit(region="ap-guangzhou", secretId="", secretKey=""):
          try:
              credProfile = credential.Credential(secretId, secretKey)
              client = kms_client.KmsClient(credProfile, region)
              return client
          except TencentCloudSDKException as err:
              print(err)
              return None
      
      def DecryptDataKey(client, ciphertextBlob):
          try:
              req = models.DecryptRequest()
              req.CiphertextBlob = ciphertextBlob
              rsp = client.Decrypt(req) # Call the `Decrypt` API to decrypt the DEK
              return rsp
          except TencentCloudSDKException as err:
              print(err)
      
      # User-defined logic. The example here is for reference only
      def LocalDecrypt(dataKey="", ciphertext=""):
          aes = AES.new(base64.b64decode(dataKey), AES.MODE_ECB)
          decryptedData = aes.decrypt(base64.b64decode(ciphertext))
          plaintext = str(decryptedData)
          print "plaintext=", plaintext, ", cipher=", ciphertext
      
      if __name__ == '__main__':
          # User-defined parameters
          secretId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
          secretKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
          region = "ap-guangzhou"
          dekCipherBlob="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
          ciphertext="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
      
          client = KmsInit(region, secretId, secretKey)
          rsp = DecryptDataKey(client, dekCipherBlob)
      
          LocalDecrypt(rsp.Plaintext, ciphertext)
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy