Application Scenarios
Last Updated:2020-07-20
Two common methods to use KMS are:
- Use the master key for encryption and decryption
- Use envelope encryption and other technical program to encrypt and decrypt the local data
The common scenarios are as follows:
| Classification | Scenarios | KMS solution |
|---|---|---|
| Website application | It is very dangerous to store the user's account, password and other key data of the website in plaintext, which may lead to huge losses in case of leakage or being theft; therefore, they shall be stored in an encrypted manner with keys, and be decrypted when they are used. The key must be managed safely and properly, and the access must be authorized. | The account, password and other sensitive data shall be encrypted with the keys stored in KMS at first, and then stored; when they are to be used, they shall be decrypted with the key stored in KMS at first, and then use the data. The key is not stored outside KMS to ensure security. The call of key must have rigorous authentication mechanism. |
| Data transmission | The website often uses the HTTPS protocol to secure the data transfer, and SSL certificates, i.e. keys, are required when a website provides HTTPS services. The SSL certificates can be easily obtained by an attacker if they are kept locally in plaintext. | The SSL certificates is encrypted through KMS service, and the ciphertext files of the key is saved locally, which are decrypted through the interface when used, and an attacker is hard to obtain if they are not saved in plaintext. |
| Compliance | The policies and regulations provide that, the key management must comply with relevant regulations to ensure that the key calls must be properly authorized, and that key-related operations can be audited and traced. | Each call to KMS API is fully checked for privilege, and all operations must be fully logged. |