Help Center/ Data Encryption Workshop/ Best Practices/ Key Management Service/ Using KMS to Encrypt Offline Data/ Encrypting or Decrypting Small Volumes of Data
Updated on 2025-05-22 GMT+08:00
View PDF
Share

Encrypting or Decrypting Small Volumes of Data

Scenario

You can use online tools on the Key Management Service (KMS) console or call the necessary KMS APIs to directly encrypt or decrypt small-size data with a customer master key (CMK), such as passwords, certificates, or phone numbers.

Restrictions

Currently, a maximum of 4 KB of data can be encrypted or decrypted in this way.

Encryption and Decryption Using Online Tools

  • Encrypting data
  1. Click the name of the target custom key to access the key details page. Click the Tool tab.
  2. Click Encrypt. In the text box on the left, enter the data to be encrypted, as shown in Figure 1.

    Figure 1 Encrypting data

  3. Click Execute. The encrypted data is displayed in the Encryption/Decryption Result area.

    • Use the current CMK to encrypt the data.
    • To clear your input, click Clear.
    • In the Encryption result area, click to copy the encrypted data and save it to a local file.

  • Decrypting data
  1. You can click any non-default key in Enabled status to go to the encryption and decryption page of the online tool.
  2. Click Decrypt and enter the data to be decrypted in the text box, as shown in Figure 2.

    • The tool will identify the original encryption CMK and use it to decrypt the data.
    • If the key has been deleted, the decryption will fail.
    Figure 2 Decrypting data

  3. Click Execute. The decrypted data is displayed in the Encryption/Decryption Result area.

    • In the Decryption result area, click to copy the decrypted data and save it to a local file.

    • The information to be encrypted using commands or APIs cannot contain special characters. Otherwise, the decryption result may fail to be displayed on the console.

    • Enter the plaintext on the console, the text will be encoded to Base64 format before encryption.

      The decryption result returned via API will be in Base64 format. Perform Base64 decoding to obtain the plaintext entered on the console.

Calling APIs for Encryption and Decryption

Figure 3 shows an example about how to call KMS APIs to encrypt and decrypt an HTTPS certificate.

Figure 3 Encrypting and decrypting an HTTPS certificate

The procedure is as follows:

  1. Create a CMK on KMS.
  2. Call the KMS API for encrypting a data key and use the specified CMK to encrypt the plaintext certificate.
  3. Deploy the certificate onto a server.
  4. The server calls the KMS API for decrypting a data key and decrypts the ciphertext certificate.

    If you enter and encrypt text on the console, the text will be encoded to Base64 format before being transferred to the backend for encryption. The decryption result returned via API will be in Base64 format. Text encrypted via API cannot be decrypted on the console, or garbled characters will be returned.