Product Overview

<p>The Key Management Service (KMS) is a security management service provided by Ping An Cloud. It gives you secure, convenient management of sensitive data together with an efficient encryption solution for large volumes of local business data or files, so that Ping An Cloud provides you with comprehensive, secure and reliable protection.</p>
<p>At present, Ping An Cloud KMS provides reliable, secure and low-cost CMKs suitable for a variety of scenarios that require encryption.</p>
<p>Primary needs met by KMS:</p>
<table border="1" cellpadding="0" cellspacing="1" style="width:0px">
<thead>
<tr>
<td><p><strong>Roles</strong></p></td>
<td><p><strong>Issues</strong></p></td>
<td><p><strong>Data Requiring Protection</strong></p></td>
<td><p><strong>KMS Solutions</strong></p></td>
</tr>
</thead>
<tbody>
<tr>
<td><p><strong>Program Developers</strong></p></td>
<td><p>Websites and applications need to sign or encrypt with certificates, keys and similar material. Because certificates and keys are highly sensitive, developers do not want to deploy them in plaintext. They want an independent, secure facility that manages the keys so that the application can access them securely wherever it is deployed.</p></td>
<td><p>Sensitive information such as certificates and keys</p></td>
<td><p>Store and manage your CMKs in KMS and use the envelope encryption it provides: only the DK ciphertext is deployed locally, and KMS is called to decrypt it only at the moment the key is actually used.</p></td>
</tr>
<tr>
<td><p><strong>Back Office Service Developers</strong></p></td>
<td><p>Because the security of customers&rsquo; keys and stored data is critical, these developers want users to manage their own keys. Once authorized, the developers can focus on building the service functions using the keys the user specifies.</p></td>
<td><p>Passwords, login keys, configuration, etc.</p></td>
<td><p>KMS file encryption.</p></td>
</tr>
<tr>
<td><p><strong>Government and Financial Institutions</strong></p></td>
<td><p>All communications and stored data of government and financial institutions are highly valued and highly confidential, so compliance and security must be considered when the business system is built.</p></td>
<td><p>Protocol communication content, important documents and materials</p></td>
<td><p>KMS file encryption.</p></td>
</tr>
</tbody>
</table>

Function Overview

<p>Before using KMS, it is recommended that you read the relevant terms and instructions first. The key types and related terms such as Encrypt/Decrypt Data, Envelope Encryption and Key Management are explained in detail, which will help you follow the descriptions of the functions below.</p>
<p>Functions:</p>
<ul>
<li><strong>Create Key:</strong> Ping An Cloud KMS provides two types of keys: Customer Master Key (CMK) and Data Key (DK).
<ul>
<li>CMK: Users create CMKs through the console or by calling APIs. A CMK is mainly used to encrypt and protect DKs (producing envelopes), or to directly encrypt/decrypt a small volume of data (&lt;4KB).</li>
<li>DK: Users create DKs by calling APIs. DKs are used to encrypt large volumes of local business data.</li>
</ul>
</li>
<li><strong>Encrypt/Decrypt Data:</strong> Encrypt/Decrypt Data is the core function of KMS. In practice it is mainly used to protect sensitive data stored on server disks.</li>
<li><strong>Envelope Encryption:</strong> Envelope Encryption is the security solution for large volumes of business data. KMS protects the DKs used in this solution, and the protected DKs in turn protect the business data.</li>
<li><strong>Key Management:</strong> Besides Create Key and Encrypt/Decrypt Data, KMS provides many other management functions, for instance Disable/Enable Key, Schedule Key Deletion, Cancel Key Deletion and Describe Key.</li>
<li><strong>Import Key:</strong> Users can create an external key and then import their own qualified local key material to use with that key.</li>
<li><strong>Password Safe:</strong> Users can import their passwords into a password safe for custody and retrieve them by calling the interface as needed, which ensures both the security of the passwords and the reliability of their use.</li>
</ul>

Product Advantages

<p><strong>Low cost: low price, no prepayment, real-time payment</strong></p>
<p>Service fees are low, and users do not need to pay any form of deposit in advance. They pay only for what they actually consume and do not bear the high cost of buying and maintaining cryptographic server hardware themselves.</p>
<p><strong>Secure and reliable: highly available, highly secure, highly reliable</strong></p>
<p>The service is built on highly available cryptographic server (cipher machine) hardware and staffed by professional development, operations and maintenance personnel to keep the service highly available. It uses secure communication protocols to keep the service highly secure, and a distributed cluster architecture to keep it highly reliable.</p>
<p><strong>Easy to use: uniform interfaces, standard protocol</strong></p>
<p>The service unifies the cipher machine interfaces behind the easy-to-use HTTPS interface of Ping An Cloud, which is convenient for users to call. It also provides users with an SDK to meet their needs.</p>

Application Scenarios

<p><strong>Use CMKs to encrypt/decrypt data</strong></p>
<p>A CMK is suitable for encrypting/decrypting a small volume of data (less than 4KB). User data is transmitted to the KMS server through a secure channel and encrypted/decrypted on the server; the result is then returned to the user through the secure channel.</p>
<p style="text-align:justify"><img src="https://obs-cn-shanghai.yun.pingan.com/pacloud/20181510105849-18846ad390e7.png" style="height:386px; width:1129px" /></p>
<p>Operation process:</p>
<p>Encryption:</p>
<ul>
<li>E1. Users create a CMK by calling the CreateKey interface or through the console;</li>
<li>E2. Users encrypt the sensitive plaintext by calling the Encrypt interface;</li>
<li>E3. KMS returns the ciphertext of the sensitive information.</li>
</ul>
<p>Decryption:</p>
<ul>
<li>D1. When the sensitive information is needed, users call the Decrypt interface with the ciphertext;</li>
<li>D2. KMS returns the sensitive plaintext.</li>
</ul>
<p><strong>Use Envelope Encryption to encrypt/decrypt data locally</strong></p>
<p>Users create a CMK through KMS, use the CMK to generate a DK, and then use the DK to encrypt/decrypt data locally. This scenario suits large volumes of data: the data itself is encrypted/decrypted without being transmitted over the network, which reduces cost while preserving security.</p>
<p style="text-align:justify"><img src="https://obs-cn-shanghai.yun.pingan.com/pacloud/20181510105835-114e9d999128.png" style="height:386px; width:1129px" /></p>
<p>Data envelope encryption:</p>
<ol>
<li>Call the KMS Decrypt interface with the DK ciphertext (EDK) to decrypt it;</li>
<li>KMS returns the DK plaintext;</li>
<li>Encrypt the local business data with the DK plaintext to obtain the business data ciphertext;</li>
<li>Persist the business data ciphertext locally.</li>
</ol>
<p>Data envelope decryption:</p>
<ol>
<li>Call the KMS Decrypt interface with the DK ciphertext (EDK) to decrypt it;</li>
<li>KMS returns the DK plaintext;</li>
<li>Read the local business data ciphertext;</li>
<li>Decrypt the local business data ciphertext with the DK plaintext to obtain the business data plaintext.</li>
</ol>
<p><strong>Use a password safe to store your passwords securely:</strong></p>
<ol>
<li>Import the relevant sensitive information into Ping An Cloud for custody by calling the ImportKeychain interface or using the password safe page in the KMS console.</li>
<li>Retrieve the passwords under custody through the interface and use them locally.</li>
</ol>
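<p>The two flows above, direct CMK encryption of small data and envelope encryption of bulk data with a locally stored EDK, as an added example in Go that is not Ping An Cloud's SDK or API. <code>SimKMS</code> is an assumed in-process stand-in for the KMS server (its CMK never leaves it, just as the real CMK never leaves KMS), <code>GenerateDataKey</code> is a hypothetical name for the DK-creation API the page mentions without naming, AES-256-GCM is an assumed cipher choice, and the sample business data is constructed. The direct <code>Encrypt</code> path enforces the page's 4KB limit, and the envelope path follows the numbered steps: the EDK goes to <code>Decrypt</code>, the DK plaintext is used locally and then discarded, and only the EDK and the data ciphertext are kept.</p>

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// The page's limit for direct CMK encryption; larger data must use envelope encryption.
const maxDirectEncrypt = 4096

// must panics on an error that cannot happen with the fixed key sizes used here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// randBytes returns n bytes from the OS CSPRNG; used for the CMK, DKs and GCM nonces.
func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// gcm builds an AES-GCM AEAD; every key here is 32 bytes, so construction cannot fail.
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal encrypts and authenticates plaintext with AES-256-GCM, prepending a random nonce.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal and fails if the ciphertext or its tag has been modified.
func open(key, sealed []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// SimKMS is an assumed in-process stand-in for the KMS server, not Ping An Cloud's API.
// The CMK material lives only inside it; the client never receives it.
type SimKMS struct{ cmk []byte }

// NewSimKMS models the CreateKey interface: a fresh 256-bit CMK generated inside KMS.
func NewSimKMS() *SimKMS { return &SimKMS{cmk: randBytes(32)} }

// Encrypt models the Encrypt interface: small data is encrypted server-side under the CMK.
func (k *SimKMS) Encrypt(plaintext []byte) ([]byte, error) {
	if len(plaintext) >= maxDirectEncrypt {
		return nil, fmt.Errorf("%d bytes exceeds the direct-encrypt limit; use envelope encryption", len(plaintext))
	}
	return seal(k.cmk, plaintext), nil
}

// Decrypt models the Decrypt interface; it serves both direct ciphertexts and EDKs.
func (k *SimKMS) Decrypt(ciphertext []byte) ([]byte, error) { return open(k.cmk, ciphertext) }

// GenerateDataKey is a hypothetical name for the DK-creation API the page mentions:
// it returns a new DK sealed under the CMK, i.e. the EDK the client keeps locally.
func (k *SimKMS) GenerateDataKey() ([]byte, error) { return k.Encrypt(randBytes(32)) }

// EnvelopeEncrypt is the client side of the page's "data envelope encryption" steps 1-4.
func EnvelopeEncrypt(k *SimKMS, edk, data []byte) ([]byte, error) {
	dk, err := k.Decrypt(edk) // steps 1-2: only the small EDK crosses the network
	if err != nil {
		return nil, err
	}
	ct := seal(dk, data) // step 3: the bulk data never leaves the client
	for i := range dk {
		dk[i] = 0 // the DK plaintext must not outlive the operation
	}
	return ct, nil // step 4: the caller persists ct beside the EDK
}

// EnvelopeDecrypt is the client side of the page's "data envelope decryption" steps 1-4.
func EnvelopeDecrypt(k *SimKMS, edk, ciphertext []byte) ([]byte, error) {
	dk, err := k.Decrypt(edk)
	if err != nil {
		return nil, err
	}
	return open(dk, ciphertext)
}

func main() {
	kms := NewSimKMS()
	edk := must(kms.GenerateDataKey()) // stored beside the data; the DK plaintext never is
	ct := must(EnvelopeEncrypt(kms, edk, []byte("constructed sample business data")))
	fmt.Printf("recovered: %s\n", must(EnvelopeDecrypt(kms, edk, ct)))
}
```

<p>Running it with <code>go run</code> prints the recovered plaintext. Two design points mirror the page: the EDK is the only secret-bearing artifact a client stores, and it is useless without a call to KMS, while the 4KB check on <code>Encrypt</code> is what pushes bulk data onto the envelope path. Because GCM authenticates, a modified business-data ciphertext or EDK fails in <code>open</code> instead of yielding garbage.</p>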

Terms

<p>KMS involves many proper nouns, so the related terms are explained here for convenience in reading and understanding.</p>
<table border="1" cellpadding="0" cellspacing="1" style="width:0px">
<tbody>
<tr>
<td style="width:146px"><p><strong>Term</strong></p></td>
<td style="width:196px"><p><strong>Full Name</strong></p></td>
<td style="width:154px"><p><strong>Chinese Name</strong></p></td>
<td style="width:973px"><p><strong>Description</strong></p></td>
</tr>
<tr>
<td style="width:146px"><p>KMS</p></td>
<td style="width:196px"><p>Key Management Service</p></td>
<td style="width:154px"><p>密钥管理服务</p></td>
<td style="width:973px"><p>The Key Management Service provided by Ping An Cloud.</p></td>
</tr>
<tr>
<td style="width:146px"><p>CMK</p></td>
<td style="width:196px"><p>Customer Master Key</p></td>
<td style="width:154px"><p>用户主密钥</p></td>
<td style="width:973px"><p>A Customer Master Key is created by the user in Ping An Cloud to encrypt and protect DKs and generate envelopes. It can also directly encrypt/decrypt a small amount of data.</p></td>
</tr>
<tr>
<td style="width:146px"><p>EDK/DK</p></td>
<td style="width:196px"><p>Enveloped Data Key / Data Key</p></td>
<td style="width:154px"><p>信封数据密钥/数据密钥</p></td>
<td style="width:973px"><p>EDK: the data key in ciphertext form, encrypted under the CMK.</p><p>DK: the data key in plaintext form.</p></td>
</tr>
<tr>
<td style="width:146px"><p>Envelope encryption</p></td>
<td style="width:196px"><p>Envelope encryption</p></td>
<td style="width:154px"><p>信封加密</p></td>
<td style="width:973px"><p>A one-time symmetric key is generated for the data to be encrypted, and the user encrypts that symmetric key with the CMK, placing it in a &quot;sealed envelope&quot;. The symmetric key is thus protected while it is transmitted and stored. Only when the user needs the symmetric key is the CMK used to open the envelope and recover the key plaintext.</p></td>
</tr>
</tbody>
</table>