Torch Log Service

Data encryption

TLS supports encrypted storage of log data and integrates with Volcanoengine Key Management Service (KMS) to encrypt data at the log topic level. This topic describes how to encrypt TLS data with customer-managed keys (SSE-KMS).

Data encryption overview

Service Key (SSE-TLS)
  The default encryption method provided by TLS. It needs no configuration on your side: TLS manages the key itself, and data is encrypted transparently as it is used.

Customer Key (SSE-KMS)
  Encryption keys are generated, stored, managed and rotated in Volcanoengine Key Management Service (KMS), and TLS encrypts log topic data with a key you control. Features include:

  • Full lifecycle control:
    You own the key for its whole lifecycle, from creation through periodic rotation to final deletion, without relying on a third party for key management. This keeps key management autonomous and under your control.
  • Active management required:
    You must take part in key management: create the customer master key in the KMS console and scope its usage permissions precisely (for example, authorize only specific roles or restrict the permitted operations) so that use of the key stays controlled and compliant.

Limits

  • If the customer master key (CMK) in KMS is disabled or deleted, the customer-managed key becomes invalid. Once the key is invalid, all read and write requests to the corresponding log topic fail.
  • Once data encryption is configured, the encryption mechanism (SSE-TLS or SSE-KMS) cannot be changed. Afterwards, encryption can only be turned on or off by setting enable in the EncryptConf parameter through the API, and every subsequent update of the log topic must include the complete EncryptConf structure, not just the field being changed.
    For example, a log topic configured with service-managed key encryption (SSE-TLS) cannot later be switched to customer-managed key encryption (SSE-KMS), or the other way round.

Billing notes

Service Key (SSE-TLS)
  No billing item is generated.

Customer Key (SSE-KMS)
  First-time users must activate the KMS service. Activation is free, but using the service is not: server-side encryption through KMS incurs KMS API call fees, and each KMS key you create incurs a key hosting fee. Both are charged by KMS; see the KMS billing description for details.

Use cases

Service Key (SSE-TLS)
  • Deploy data encryption quickly.
  • No keys to manage (the service provider manages them); suitable for scenarios that need long-term key stability.

Customer Key (SSE-KMS)
  • Scenarios that require self-managed keys to meet security and compliance requirements.
  • Scenarios that require regular permission audits to reduce the risk of key leakage.

Encryption configuration steps

To encrypt with TLS service-managed keys (SSE-TLS), simply add the EncryptConf structure parameter to your CreateTopic or ModifyTopic API request; no KMS or IAM setup is needed.
To encrypt with customer-managed keys (SSE-KMS), first configure Key Management Service (KMS) and the IAM role that TLS will use, as follows.

1. Configure Key Management Service

  1. Enable Key Management Service (KMS) in the same region as TLS.
  2. Create a customer master key (CMK) and record its key ID. For details, refer to Key Management Quick Start and Bring Your Own Key.

2. Configure TLS

  1. Configure TLS cross-service access to KMS. For details, see cross-service access authorization.

  2. Grant the IAM role that TLS will assume the KMS encryption/decryption and KMS read-only permissions, configure the role's trust relationship so that TLS can assume it, and record the role TRN.

    1. Log in to the IAM console.

    2. In the left navigation bar, click Role Management.

    3. Locate the role to be authorized and, in the Actions column, click Authorize.

    4. Under Service, search for Key Management Service, select the KMSCryptoUserAccess and KMSReadOnlyAccess policies, and click Submit.

    5. Click the name of the role. On the Trust relationships tab, click Edit trust policy, add the following content, and click Save. This trust policy allows only the TLS service principal to assume the role; what TLS can then do with your keys is bounded by the KMS policies attached in the previous step.

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "sts:AssumeRole"
                  ],
                  "Principal": {
                      "Service": [
                          "TLS"
                      ]
                  }
              }
          ]
      }
      
    6. Under Basic information, record the role TRN.

  3. Configure data encryption.
    Data encryption is supported only through the API. Add the EncryptConf structure parameter to the request of either of the following APIs:

    CreateTopic
      Create a TLS log topic. For details, refer to CreateTopic.

    ModifyTopic
      Modify log topic information. For details, refer to ModifyTopic.
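The trust policy in step 2 is the control that decides who may assume the role, and therefore who may use the KMS permissions attached to it. The following check is an added example, not code from the TLS documentation or the Volcanoengine SDK: it parses a trust policy document, lists every principal that an Allow statement permits to call sts:AssumeRole, and reports anything other than the TLS service principal. The first policy is the one shown in step 2.5; the second is a constructed counter-example that additionally grants a wildcard principal, included only to show the check firing.

```python
import json

# Trust policy from the TLS documentation (step 2.5): only the TLS service
# principal may call sts:AssumeRole on the role.
TLS_TRUST_POLICY = json.loads("""
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["sts:AssumeRole"],
            "Principal": {"Service": ["TLS"]}
        }
    ]
}
""")

# Constructed counter-example (not from the page): a second statement lets any
# principal assume the role, which would let callers other than TLS reach the
# KMS permissions attached to the role.
LOOSE_TRUST_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"Service": ["TLS"]}},
        {"Effect": "Allow", "Action": "sts:*", "Principal": "*"},
    ]
}

# Actions that cover sts:AssumeRole, including wildcard spellings.
ASSUME_ROLE_ACTIONS = ("sts:AssumeRole", "sts:*", "*")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def assume_role_principals(policy):
    """Return the set of principals that some Allow statement lets assume the role.

    Typed principals are returned as '<Type>:<name>' (e.g. 'Service:TLS');
    a bare "*" principal is returned verbatim so that it stands out.
    """
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ASSUME_ROLE_ACTIONS for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            found.add("*")
            continue
        for ptype, names in (principal or {}).items():
            for name in _as_list(names):
                found.add(f"{ptype}:{name}")
    return found


def check_tls_trust_policy(policy):
    """Return findings as a list of strings; an empty list means the policy
    lets exactly the TLS service principal assume the role."""
    principals = assume_role_principals(policy)
    findings = []
    if "Service:TLS" not in principals:
        findings.append("TLS service principal is not allowed to assume the role")
    for extra in sorted(principals - {"Service:TLS"}):
        findings.append(f"unexpected principal may assume the role: {extra}")
    return findings


if __name__ == "__main__":
    print("documented policy:", check_tls_trust_policy(TLS_TRUST_POLICY))
    print("loose policy:     ", check_tls_trust_policy(LOOSE_TRUST_POLICY))
```

Run it against the trust policy you actually saved in the IAM console (export it as JSON and `json.load` it); an empty result for the documented policy and a finding for any extra principal is the expected outcome.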

Request parameters

EncryptConf (Object of EncryptConf, optional)
  Data encryption structure. When it is not configured, data encryption is disabled.

EncryptConf

enable (Boolean, optional; example: true)
  Whether to enable data encryption.
  • true: enabled.
  • false: disabled.

encrypt_type (String, optional; example: default)
  Encryption algorithm. Only default is supported.

user_cmk_info (Object of EncryptUserCmkConf, optional)
  Key information. Takes effect only when enable is true.
  • Not configured: the service key (SSE-TLS) is used.
  • Configured: the customer key (SSE-KMS) identified by this structure is used.

EncryptUserCmkConf

trn (String, optional; example: trn:iam::123456789:role/service_role_for_tls)
  The TRN of the IAM role that TLS assumes to use the key. Log in to the IAM console, click the role name under Role Management, and copy the Role TRN from the Basic Information section.

region_id (String, optional; example: ap-southeast-1)
  ID of the region where the customer master key is located. See Regions and endpoints for the value that matches your environment.

user_cmk_id (String, optional; example: fc227edb-3682-4577-a3b5xxxxxxxxx)
  Customer master key ID, i.e. the Key ID of the key created in Key Management Service (KMS).

API example

Using customer-managed key (SSE-KMS) encryption as an example:

EncryptConf = {
    "enable" : true,
    "encrypt_type" : "default",
    "user_cmk_info" : {
        "trn" : "trn:iam::123456789:role/service_role_for_tls",
        "region_id" : "ap-southeast-1",
        "user_cmk_id" : "fc227edb-3682-4577-a3b5xxxxxxxxx"
    }
}
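The parameter tables and the Limits section together define three rules that are easy to get wrong when scripting CreateTopic and ModifyTopic: user_cmk_info selects the mechanism (absent means SSE-TLS, present means SSE-KMS), the KMS key must live in the same region as TLS, and once a mechanism is chosen only enable may change, with the complete EncryptConf sent on every update. The following helpers are an added example, not the TLS SDK or any code from the documentation: they build the EncryptConf value for either mechanism and guard a ModifyTopic update against a mechanism switch. The TRN pattern generalises the page's example TRN and is an assumption, not a documented grammar; the treatment of a topic that never had EncryptConf (the first EncryptConf selects the mechanism) is this example's reading of the page. The resulting dict is the EncryptConf value to place in the request body alongside the API's other topic parameters.

```python
import copy
import json
import re

# Assumption: generalises the page's example "trn:iam::123456789:role/service_role_for_tls".
ROLE_TRN_RE = re.compile(r"^trn:iam::\d+:role/[\w+=,.@-]+$")


def sse_tls_conf(enable=True):
    """EncryptConf for service-managed keys: user_cmk_info is omitted, so TLS uses SSE-TLS."""
    return {"enable": enable, "encrypt_type": "default"}


def sse_kms_conf(trn, region_id, user_cmk_id, tls_region, enable=True):
    """EncryptConf for customer-managed keys (SSE-KMS).

    KMS must be enabled in the same region as TLS, so region_id (where the CMK
    lives) is checked against tls_region (the region of the TLS project).
    """
    if not ROLE_TRN_RE.match(trn):
        raise ValueError(f"trn does not look like an IAM role TRN: {trn!r}")
    if region_id != tls_region:
        raise ValueError(f"CMK region {region_id!r} differs from TLS region {tls_region!r}")
    if not user_cmk_id:
        raise ValueError("user_cmk_id (the KMS Key ID) is required for SSE-KMS")
    return {
        "enable": enable,
        "encrypt_type": "default",
        "user_cmk_info": {"trn": trn, "region_id": region_id, "user_cmk_id": user_cmk_id},
    }


def mechanism(conf):
    """Classify an EncryptConf: None (never configured), 'SSE-KMS' or 'SSE-TLS'."""
    if conf is None:
        return None
    return "SSE-KMS" if conf.get("user_cmk_info") else "SSE-TLS"


def modify_topic_encrypt_conf(current, desired):
    """Return the complete EncryptConf to send in a ModifyTopic request.

    current is the topic's existing EncryptConf (None if encryption was never
    configured; assumption: the first EncryptConf then selects the mechanism).
    Once a mechanism exists it cannot change; only enable is taken from desired,
    and the full structure is returned so nothing is dropped from the update.
    """
    if current is None:
        return copy.deepcopy(desired)
    if mechanism(current) != mechanism(desired):
        raise ValueError(
            f"encryption mechanism is fixed at {mechanism(current)} for this topic; "
            f"cannot switch to {mechanism(desired)}. Create a new topic instead."
        )
    merged = copy.deepcopy(current)
    merged["enable"] = bool(desired.get("enable", True))
    return merged


if __name__ == "__main__":
    kms = sse_kms_conf(
        "trn:iam::123456789:role/service_role_for_tls", "ap-southeast-1",
        "fc227edb-3682-4577-a3b5xxxxxxxxx", tls_region="ap-southeast-1",
    )
    # Fragment of a CreateTopic body with SSE-KMS enabled.
    print(json.dumps({"EncryptConf": kms}, indent=2))
    # ModifyTopic: turn encryption off while keeping the mechanism and key info intact.
    print(json.dumps({"EncryptConf": modify_topic_encrypt_conf(kms, dict(kms, enable=False))}, indent=2))
```

To switch a topic from SSE-TLS to SSE-KMS you must create a new topic; the guard raises rather than letting the request go out only to fail at the API.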
Last updated: 2025.12.01 10:33:25