How Do Cloud Services Use KMS to Encrypt Data?
Services (such as OBS, IMS, EVS, SFS, DDS, and RDS) use the envelope encryption method provided by KMS to protect data.
Note: Envelope encryption is an encryption method in which DEKs are stored, transmitted, and used inside "envelopes" made of CMKs. As a result, CMKs never directly encrypt or decrypt data; they only encrypt and decrypt DEKs.
When you use a cloud service to encrypt data, you need to specify a CMK on KMS. The cloud service generates a plaintext DEK and a ciphertext DEK. The ciphertext DEK is produced by encrypting the plaintext DEK with the specified CMK. The cloud service then encrypts the data with the plaintext DEK and stores the resulting ciphertext data together with the ciphertext DEK in the cloud service.
When users download the data from the cloud, the cloud service uses the CMK specified on KMS to decrypt the ciphertext DEK, uses the recovered plaintext DEK to decrypt the data, and then provides the decrypted data to users for download.