- Product Introduction
- Purchase Guide
- Console Guide
- TCCLI Management Guide
- Best Practices
- API documentation
- History
- Introduction
- API Category
- Making API Requests
- Key APIs
- PostQuantumCryptoEncrypt
- PostQuantumCryptoDecrypt
- UpdateKeyDescription
- UpdateAlias
- ReEncrypt
- ListKeys
- ListKeyDetail
- GetServiceStatus
- GetKeyRotationStatus
- GenerateDataKey
- Encrypt
- EnableKeys
- EnableKeyRotation
- EnableKey
- DisableKeys
- DisableKeyRotation
- DisableKey
- DescribeKeys
- DescribeKey
- Decrypt
- CreateKey
- ScheduleKeyDeletion
- CancelKeyDeletion
- ImportKeyMaterial
- GetParametersForImport
- DeleteImportedKeyMaterial
- GenerateRandom
- ListAlgorithms
- UnbindCloudResource
- BindCloudResource
- GetRegions
- CancelKeyArchive
- ArchiveKey
- Asymmetric Key APIs
- White-Box Key APIs
- Data Types
- Error Codes
- Service Level Agreement
- FAQS
- KMS Policy
- Contact Us
- Glossary
- Product Introduction
- Purchase Guide
- Console Guide
- TCCLI Management Guide
- Best Practices
- API documentation
- History
- Introduction
- API Category
- Making API Requests
- Key APIs
- PostQuantumCryptoEncrypt
- PostQuantumCryptoDecrypt
- UpdateKeyDescription
- UpdateAlias
- ReEncrypt
- ListKeys
- ListKeyDetail
- GetServiceStatus
- GetKeyRotationStatus
- GenerateDataKey
- Encrypt
- EnableKeys
- EnableKeyRotation
- EnableKey
- DisableKeys
- DisableKeyRotation
- DisableKey
- DescribeKeys
- DescribeKey
- Decrypt
- CreateKey
- ScheduleKeyDeletion
- CancelKeyDeletion
- ImportKeyMaterial
- GetParametersForImport
- DeleteImportedKeyMaterial
- GenerateRandom
- ListAlgorithms
- UnbindCloudResource
- BindCloudResource
- GetRegions
- CancelKeyArchive
- ArchiveKey
- Asymmetric Key APIs
- White-Box Key APIs
- Data Types
- Error Codes
- Service Level Agreement
- FAQS
- KMS Policy
- Contact Us
- Glossary
Overview
The online encryption and decryption operations involve two APIs:
| API Name | Description | Note |
|---|---|---|
| Encrypt | Used for encryption | The KeyId and Plaintext parameters are required for this API. For more information, please see the Encrypt API document. |
| Decrypt | Used for decryption | The CiphertextBlob parameter is required for this API. For more information, please see the Decrypt API document. |
Encryption
The Encrypt API is used to encrypt up to 4 KB of data, such as database passwords, RSA keys, or other sensitive data. For application data, the DEK generated by the GenerateDataKey API can be used to perform encryption and decryption for the local data.
The examples below are called with TCCLI, which can also be called with any supported programming languages.
Examples
Encryption
If the Encrypt API is called with TCCLI, the plaintext data needs to be Base64-encoded. The This example is used for testing text is used in the following example.
Input
tccli kms Encrypt --KeyId 6xxxxxx-xxxx-xxxx-xxxx-5xxxxxxxxx5 --Plaintext 'VGhpcyBleGFtcGxlIGlzIHVzZWQgZm9yIHRlc3Rpbmc='Output
If the execution is successful, the ciphertext and the CMK ID used to encrypt the plaintext will be returned, of which the ciphertext will be used for subsequent decryption operations.
{
"KeyId": "6xxxxxx-xxxx-xxxx-xxxx-5xxxxxxxxx5",
"RequestId": "23781471-c213-44c5-92a4-731b882e25b5",
"CiphertextBlob": "Rrnqz5fthTxcSdCYIw5pBoEWLvrdqYNZ0oXKOmvYx/1Oo2R+DqEFPjjfVA1n1RE8PmVITaxuJwu9ZANK9uK3WA==-k-fKVP3WIlGpg8m9LMW4jEkQ==-k-mFM/5PEiMJsKC6fagEOfdlocOyC+a1n8PqaTOlBLT+rqjyKLVHUVtqamMQ3ERsYIe0wYoAMszR/FBrCJZ3a3B7f+8Xg="
}Decryption
This example shows you how to decrypt the encrypted data, where the CMK is the one used in the above example.
Input
tccli kms Decrypt --CiphertextBlob 'Rrnqz5fthTxcSdCYIw5pBoEWLvrdqYNZ0oXKOmvYx/1Oo2R+DqEFPjjfVA1n1RE8PmVITaxuJwu9ZANK9uK3WA==-k-fKVP3WIlGpg8m9LMW4jEkQ==-k-mFM/5PEiMJsKC6fagEOfdlocOyC+a1n8PqaTOlBLT+rqjyKLVHUVtqamMQ3ERsYIe0wYoAMszR/FBrCJZ3a3B7f+8Xg='Output
If the execution is successful, the Base64-encoded plaintext and the CMK ID used to encrypt the plaintext will be returned. An additional decryption operation in Base64 is needed to obtain the plaintext.
{
"Plaintext": "VGhpcyBleGFtcGxlIGlzIHVzZWQgZm9yIHRlc3Rpbmc=",
"KeyId": "6xxxxxx-xxxx-xxxx-xxxx-5xxxxxxxxx5",
"RequestId": "bcce3fae-1794-4136-a486-d42780c10702"
}
Yes
No
Was this page helpful?