KMS useone key Management and encryption/decryption
KMS useone key Management and encryption/decryption
Overview
KMS(Key Management Service) is a Managed Service that enables customers to securely create, store, and manage encryption keys, providing a reliable centralized encryption key management solution.
Data security is a critical factor in cloud environments. You can encrypt data within a service or application using encryption keys via an API.
Additionally, the encryption keys generated by KMS are created through a hardware security module validated according to FIPS 140-2.
Architecture Diagram
- The Master Key generated by the KMS administrator is created in a secure HSM configured on a separate network and delivered to the KMS.
- The Master Key generated in the HSM and delivered is stored in the KMS.
- The application requests a data key from KMS via API.
- KMS issues a Data Key, a subordinate key, using the Master Key.
- Encrypt plaintext data using the Data Key.
- Store or retain encrypted data.
- The Data Key is encrypted via KMS and stored or retained.
Use Cases
Encryption for personal data storage
Sensitive user information (name, resident registration number, mobile phone number, etc.) must be stored in an encrypted form rather than in plain text.
When storing data, encrypting it with an encryption key issued through KMS before saving can reduce the risk of personal information leakage and allow it to be stored securely.
Digital Signature and Verification
KMS supports asymmetric keys.
Using public-key encryption, you can easily obtain signature/verification values for authentication. The client encrypts the document content with its private key to sign it, and the receiving server verifies it by decrypting with the public key previously provided by the client.
Compared to using symmetric keys, confidentiality is higher and problems caused by theft can also be resolved.
Prerequisites
To use KMS encryption keys, the Key administrator must create the Master Key beforehand.
Constraints
To perform encryption using a Data Key within the application, you must use the API provided by KMS, and the encryption logic required to use the API must be developed within the application.
Considerations
Only the Key administrator has authority over the creation, deletion, and rotation of the Master Key.
The Master Key rotation period is up to 2 years and rotates automatically.
The Data Key, which the customer obtains directly and uses for encryption, is generated via the Master Key and is managed directly by the customer.
Related service
This is a list of Samsung Cloud Platform services that are associated with the features or configurations described in this guide. Refer to it when selecting and designing services.
| service group | service | Detailed description |
|---|---|---|
| Compute | Cloud Functions | A service that runs application code in a serverless computing environment |