- Product Introduction
- Purchase Guide
- Console Guide
- TCCLI Management Guide
- Best Practices
- API documentation
- History
- Introduction
- API Category
- Making API Requests
- Key APIs
- PostQuantumCryptoEncrypt
- PostQuantumCryptoDecrypt
- UpdateKeyDescription
- UpdateAlias
- ReEncrypt
- ListKeys
- ListKeyDetail
- GetServiceStatus
- GetKeyRotationStatus
- GenerateDataKey
- Encrypt
- EnableKeys
- EnableKeyRotation
- EnableKey
- DisableKeys
- DisableKeyRotation
- DisableKey
- DescribeKeys
- DescribeKey
- Decrypt
- CreateKey
- ScheduleKeyDeletion
- CancelKeyDeletion
- ImportKeyMaterial
- GetParametersForImport
- DeleteImportedKeyMaterial
- GenerateRandom
- ListAlgorithms
- UnbindCloudResource
- BindCloudResource
- GetRegions
- CancelKeyArchive
- ArchiveKey
- Asymmetric Key APIs
- White-Box Key APIs
- Data Types
- Error Codes
- Service Level Agreement
- FAQS
- KMS Policy
- Contact Us
- Glossary
- Product Introduction
- Purchase Guide
- Console Guide
- TCCLI Management Guide
- Best Practices
- API documentation
- History
- Introduction
- API Category
- Making API Requests
- Key APIs
- PostQuantumCryptoEncrypt
- PostQuantumCryptoDecrypt
- UpdateKeyDescription
- UpdateAlias
- ReEncrypt
- ListKeys
- ListKeyDetail
- GetServiceStatus
- GetKeyRotationStatus
- GenerateDataKey
- Encrypt
- EnableKeys
- EnableKeyRotation
- EnableKey
- DisableKeys
- DisableKeyRotation
- DisableKey
- DescribeKeys
- DescribeKey
- Decrypt
- CreateKey
- ScheduleKeyDeletion
- CancelKeyDeletion
- ImportKeyMaterial
- GetParametersForImport
- DeleteImportedKeyMaterial
- GenerateRandom
- ListAlgorithms
- UnbindCloudResource
- BindCloudResource
- GetRegions
- CancelKeyArchive
- ArchiveKey
- Asymmetric Key APIs
- White-Box Key APIs
- Data Types
- Error Codes
- Service Level Agreement
- FAQS
- KMS Policy
- Contact Us
- Glossary
This operation guide takes Python as an example. Operations in other programming languages can be performed in a similar way.
Preparations
Dependent environment of the sample code: Python 2.7.
Activate KMS: you can do so in the Tencent Cloud Console.
Activate TencentCloud API key service: get the
SecretID, SecretKey, and endpoint. The general format of the endpoint is *.tencentcloudapi.com. For example, the endpoint of KMS is kms.tencentcloudapi.com. For more information, please see the documentation of the specified product.Install the SDK: run the following command. For more information, please see the tencentcloud-sdk-python project on GitHub.
pip install tencentcloud-sdk-python
Process
You can follow the four steps below to encrypt sensitive data.
1. Create a customer master key (CMK) in the console or through the
CreateKey API.2. Call the
Encrypt API of KMS to encrypt your sensitive data and get the ciphertext.3. Store the ciphertext data based on your business needs.
4. When reading data, call the
Decrypt API of KMS to decrypt the ciphertext into plaintext.Directions
Step 1. Create a CMK
Step 2. Encrypt the sensitive data
Prerequisite: the CMK created in step 1 is enabled.
In the console
The online tools are suitable for one-time or non-batch encryption and decryption operations, such as the initial generation of key ciphertext. With the online tools, you can focus on your core business without developing tools for non-batch encryption and decryption. For more information, please see Encryption and Decryption.
In the SDK for Python
The
Encrypt API is used to encrypt up to 4 KB of data, such as database passwords, RSA keys, or other sensitive information. This document describes how to encrypt data through the SDK for Python. You can also use other supported programming languages.The
KeyId and Plaintext parameters are required for this API. For more information, please see the Encrypt API document.Encryption in the SDK for Python
The sample code below demonstrates how to use the specified CMK for data encryption.
Python sample code
# -*- coding: utf-8 -*-import base64from tencentcloud.common import credentialfrom tencentcloud.common.exception.tencent_cloud_sdk_exception import TencentCloudSDKExceptionfrom tencentcloud.common.profile.client_profile import ClientProfilefrom tencentcloud.common.profile.http_profile import HttpProfilefrom tencentcloud.kms.v20190118 import kms_client, modelsdef KmsInit(region="ap-guangzhou", secretId="", secretKey=""):try:credProfile = credential.Credential(secretId, secretKey)client = kms_client.KmsClient(credProfile, region)return clientexcept TencentCloudSDKException as err:print(err)return Nonedef Encrypt(client, keyId="", plaintext=""):try:req = models.EncryptRequest()req.KeyId = keyIdreq.Plaintext = base64.b64encode(plaintext)rsp = client.Encrypt(req) # Call the `Encrypt` APIreturn rspexcept TencentCloudSDKException as err:print(err)return Noneif __name__ == '__main__':# User-defined parameterssecretId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"secretKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"region = "ap-guangzhou"keyId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"plaintext = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"client = KmsInit(region, secretId, secretKey)rsp = Encrypt(client, keyId, plaintext)print "plaintext=", plaintext, ", cipher=", rsp.CiphertextBlob
Step 3. Store the encrypted data
Store the ciphertext according to the application scenarios of your business.
Step 4. Decrypt the sensitive data
In the console
In the SDK for Python
The
Decrypt API is used to decrypt data.The
CiphertextBlob parameter is required for this API. For more information, please see the Decrypt API document.Python sample code
# -*- coding: utf-8 -*-import base64from tencentcloud.common import credentialfrom tencentcloud.common.exception.tencent_cloud_sdk_exception import TencentCloudSDKExceptionfrom tencentcloud.common.profile.client_profile import ClientProfilefrom tencentcloud.common.profile.http_profile import HttpProfilefrom tencentcloud.kms.v20190118 import kms_client, modelsdef KmsInit(region="ap-guangzhou", secretId="", secretKey=""):try:credProfile = credential.Credential(secretId, secretKey)client = kms_client.KmsClient(credProfile, region)return clientexcept TencentCloudSDKException as err:print(err)return Nonedef Decrypt(client, keyId="", ciphertextBlob=""):try:req = models.DecryptRequest()req.CiphertextBlob = ciphertextBlobrsp = client.Decrypt(req) # Call the `Decrypt` APIreturn rspexcept TencentCloudSDKException as err:print(err)return Noneif __name__ == '__main__':# User-defined parameterssecretId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"secretKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"region = "ap-guangzhou"keyId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"ciphertextBlob = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"client = KmsInit(region, secretId, secretKey)rsp = Decrypt(client, keyId, ciphertextBlob)print "cipher=", ciphertextBlob, ", base64 decoded plaintext=", base64.b64decode(rsp.Plaintext)
Yes
No
Was this page helpful?