<p class="shortdesc"></p> <table class="table" id="Definitions__table_ylw_lzc_flb"><caption></caption><colgroup><col style="width:25.510204081632654%"><col style="width:74.48979591836735%"></colgroup><thead class="thead"> <tr class="row"> <th class="entry" id="Definitions__table_ylw_lzc_flb__entry__1">Concepts </th> <th class="entry" id="Definitions__table_ylw_lzc_flb__entry__2">Description </th> </tr> </thead><tbody class="tbody"> <tr class="row"> <td class="entry" headers="Definitions__table_ylw_lzc_flb__entry__1 "> <p class="p">Key Management Service </p> </td> <td class="entry" headers="Definitions__table_ylw_lzc_flb__entry__2 "> <p class="p">KMS is a secure and reliable key management service. You can use KMS for centralized key management to ensure security. </p> </td> </tr> <tr class="row"> <td class="entry" headers="Definitions__table_ylw_lzc_flb__entry__1 "> <p class="p">Customer Master Keys </p> </td> <td class="entry" headers="Definitions__table_ylw_lzc_flb__entry__2 "> <p class="p">Customer master keys (CMKs) are master keys you create with Ping An Cloud KMS. You can use CMKs to encrypt and protect data, and generate envelops. You can also use CMKs to directly encrypt small amounts of data. CMKs can be either customer managed keys or Ping An Cloud managed keys. You can encrypt multiple data keys with a CMK. </p> </td> </tr> <tr class="row"> <td class="entry" headers="Definitions__table_ylw_lzc_flb__entry__1 "> <p class="p">Data Keys </p> </td> <td class="entry" headers="Definitions__table_ylw_lzc_flb__entry__2 "> <p class="p">Data keys are encryption keys used to encrypt data. You can generate, encrypt, and decrypt data keys with a CMK. The GenerateDataKey interface generates a symmetric data key, and returns a plaintext copy and a cyphertext copy of the data key (the latter is encrypted under the corresponding CMK). KMS does not store any information of the data key. It only decrypts the ciphertext data key into the corresponding plaintext data key. </p> <div class="note important note_important"><span class="note__title">Important:</span> After using the plaintext data key to encrypt data, remove it immediately. Store the ciphertext data key only. </div> </td> </tr> <tr class="row"> <td class="entry" headers="Definitions__table_ylw_lzc_flb__entry__1 "> <p class="p">Envelope Encryption </p> </td> <td class="entry" headers="Definitions__table_ylw_lzc_flb__entry__2 "> <p class="p">Envelope encryption is an encryption method with which you store, transmit, and use data encryption keys in an envelope. In this case, you no longer use CMKs to directly encrypt or decrypt data. In simple terms, envelope encryption refers to the practice where you encrypt data with a data key, and then encrypt the data key under another key. </p> </td> </tr> </tbody></table>