Scenarios

<p class="shortdesc"></p> <section class="section" id="Usage__section_sfl_shd_flb"><h2 class="doc-tairway"><strong class="ph b">Scenario One: Encrypt and Decrypt Data with a CMK</strong></h2> <p class="p">A CMK is suitable for encrypting and decrypting small amounts of data (less than 4 KB). Your data is transmitted to the server-side KMS through secure communication channels. The server-side KMS encrypts or decrypts the data, and then returns the result to you through secure channels. </p> <p class="p">The following figure describes how to encrypt and decrypt data with a CMK. </p> <img class="image" id="Usage__image_jjt_3mt_3lb" src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20200807112324-106a108895b2.png" width="750"> <p class="p"><strong class="ph b">Encryption:</strong></p> <ol class="ol" id="Usage__ol_zh1_rlt_3lb"> <li class="li">Call the CreateKey API or use the console to create a CMK; </li> <li class="li">Call the Encrypt API to encrypt the plaintext of the sensitive data; </li> <li class="li">Return the ciphertext of the sensitive data. </li> </ol> <p class="p"><strong class="ph b">Decryption:</strong></p> <ol class="ol" id="Usage__ol_a31_rlt_3lb"> <li class="li">Call the Decrypt API to decrypt the ciphertext of the sensitive data when needed; </li> <li class="li">Return the plaintext of the sensitive data. </li> </ol> <p class="p">Also make sure that the network between your local machine and the KMS provider is connected when using KMS, because the ciphertext after encryption and the plaintext after decryption are transmitted between your local machine and KMS. </p> </section> <section class="section" id="Usage__section_ogp_shd_flb"><h2 class="doc-tairway">Scenario Two: Encrypt and Decrypt Data Locally with Envelope Encryption </h2> <p class="p">Envelope encryption is ideal for encrypting and decrypting large amounts of data locally. You can create a CMK with KMS, and a data key with the CMK. 
Then, you can use the data key to encrypt and decrypt data locally. Because the data is encrypted and decrypted locally, it does not need to be transmitted over the network, which lowers the cost while ensuring security. </p> <p class="p">The following figure describes how to encrypt and decrypt data locally with envelope encryption. </p> <img class="image" id="Usage__image_lft_jmt_3lb" src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20200807112324-185bd47d92dd.png" width="750"> <p class="p"><strong class="ph b">Encryption:</strong></p> <ol class="ol" id="Usage__ol_ekc_vlt_3lb"> <li class="li">Call the CreateKey API or use the console to create a CMK; </li> <li class="li">Call the GenerateDataKey API provided by KMS to generate a data key. This operation returns a plaintext copy and a ciphertext copy of the data key; </li> <li class="li">Encrypt the local business data using the plaintext data key returned. After obtaining the ciphertext of the business data, delete the plaintext data key; </li> <li class="li">Persist the ciphertext of the business data and the ciphertext data key locally. </li> </ol> <div class="note important note_important"><span class="note__title">Important:</span> <p class="p">The next time you need to encrypt data using envelope encryption, you can skip step one and step two. Call the Decrypt API to decrypt the ciphertext data key that is stored as described in step four to obtain the plaintext data key. Then encrypt the business data locally as described in step three. </p> <p class="p"><strong class="ph b">Decryption:</strong></p> <ol class="ol" id="Usage__ol_urj_zlt_3lb"> <li class="li">Call the KMS Decrypt API to decrypt the ciphertext data key to obtain the plaintext copy of it; </li> <li class="li">Return the plaintext data key; </li> <li class="li">Obtain the ciphertext of the local business data; </li> <li class="li">Decrypt the ciphertext business data with the plaintext data key. 
After obtaining the plaintext of the business data, delete the plaintext data key. </li> </ol> </div> </section> <section class="section" id="Usage__section_tmt_zlt_3lb"><h2 class="doc-tairway">Scenario Three: Store your Passwords Securely in a Password Safe </h2> <p class="p">You can import sensitive information into the Ping An Cloud password safe for management by calling the ImportKeychain API or through the Password Safe page in the KMS console. You can obtain the managed passwords through APIs, and use them locally. </p> </section>
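<p class="p">The envelope encryption flow from Scenario Two, including the key reuse described in its Important note, as an added example that is not Ping An Cloud's code. LocalKms is a hypothetical in-process stand-in for the KMS service, and AES-256-GCM with the nonce, tag, ciphertext layout is an assumption; only the GenerateDataKey and Decrypt operation names come from this page. </p>

```javascript
// Added example: LocalKms is a hypothetical stand-in for KMS, not the Ping An Cloud SDK.
const { randomBytes, createCipheriv, createDecipheriv } = require('crypto');

// Output layout (an assumption of this example): nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const nonce = randomBytes(12); // fresh nonce for every encryption
  const c = createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

function unseal(key, blob) {
  const d = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // final() throws if tampered
}

class LocalKms {
  #cmk = randomBytes(32); // the CMK never leaves the service
  generateDataKey() {
    const plaintext = randomBytes(32);
    return { plaintext, ciphertext: seal(this.#cmk, plaintext) };
  }
  decrypt(ciphertext) {
    return unseal(this.#cmk, ciphertext);
  }
}

// Encryption steps 2-4. Pass storedKey to reuse a persisted ciphertext data key.
function envelopeEncrypt(kms, data, storedKey = null) {
  const key = storedKey
    ? { plaintext: kms.decrypt(storedKey), ciphertext: storedKey }
    : kms.generateDataKey();
  try {
    const dataCiphertext = seal(key.plaintext, Buffer.from(data));
    return { dataCiphertext, keyCiphertext: key.ciphertext }; // safe to persist
  } finally {
    key.plaintext.fill(0); // delete the plaintext data key
  }
}

// Decryption steps 1-4.
function envelopeDecrypt(kms, { dataCiphertext, keyCiphertext }) {
  const plaintextKey = kms.decrypt(keyCiphertext);
  try {
    return unseal(plaintextKey, dataCiphertext);
  } finally {
    plaintextKey.fill(0); // delete the plaintext data key
  }
}
```

<p class="p">Zeroing the buffer is best effort in a garbage-collected runtime: copies held by the runtime or by the cipher object are not covered. </p>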