Key types and cryptographic operations provided by KMS - Key Management Service

Key management is a core feature of Key Management Service (KMS). The feature allows you to manage and store software-protected keys, hardware-protected keys, and default keys throughout their lifecycles. The feature also allows you to encrypt and sign data based on cloud-native API operations. This topic describes the key types and cryptographic API operations that are supported by KMS.

Key types

KMS provides software-protected keys, hardware-protected keys, default keys, and external keys to meet your business, security, and compliance requirements. The following table describes the types of keys.

Note

If you use the default key, purchasing a KMS instance is not required. However, if you use software-protecte keys, hardware-protected keys, or external keys, purchasing a KMS instance is required. For differences among the features of instances, see Instance selection.

Key type	Scenario	Supported operation	Algorithm	Key specification	Description
Default key	A default key is used for server-side encryption in Alibaba Cloud services that are integrated with KMS. For more information, see Integration with KMS.	Only data encryption and data decryption are supported.	AES	Aliyun_AES_256	A default key can be one of the following keys: Service key: A service key is created and managed by an Alibaba Cloud service. CMK: A default key of the customer master key (CMK) type is a key that you create and manage in KMS. You can create only one default key of the CMK type in each region. You can import key material or use the key material that is generated by KMS to create a default key of the CMK type.
Software-protected key	A software-protected key is used for cryptographic solutions for your self-managed applications. For example, you can create an Advanced Encryption Standard (AES) key to encrypt or decrypt data. You can also create a Rivest-Shamir-Adleman (RSA) key to calculate and verify digital signatures. A software-protected key is used for server-side encryption in Alibaba Cloud services that are integrated with KMS. For more information, see Integration with KMS.	Data encryption, data decryption, and signing and verification are supported.	AES, RSA, and Elliptic Curve Cryptography (ECC)	Symmetric key specifications: Aliyun_AES_256 Asymmetric key specifications: RSA_2048, RSA_3072, EC_P256, and EC_P256K For more information, see Key types and key specifications.	You can use only key material that is generated by KMS to create a software-protected key. Note You cannot import key material that is generated by KMS to create a software-protected key.
Hardware-protected key	A hardware-protected key is used for cryptographic solutions for your self-managed applications. For example, you can create an AES key to encrypt or decrypt data or create a RSA or ECC key to calculate and verify digital signatures. A hardware-protected key is used for server-side encryption in Alibaba Cloud services that are integrated with KMS. For more information, see Integration with KMS.	Data encryption, data decryption, and signing and verification are supported.	AES, RSA, and ECC	Symmetric key specifications: Aliyun_AES_256, Aliyun_AES_192, and Aliyun_AES_128 Asymmetric key specifications: RSA_2048, RSA_3072, RSA_4096, EC_P256, and EC_P256K For more information, see Key types and key specifications.	You can use key material that is generated by KMS or import key material to create a hardware-protected key and manage the key throughout its lifecycle. Important Before you can use a hardware-protected key, you must purchase hardware security modules (HSMs) and configure HSM clusters in Cloud Hardware Security Module. Make sure that the HSMs comply with Federal Information Processing Standard (FIPS) 140-2 Level 3.
External Key	An external key is used for cryptographic solutions for your self-managed applications. For example, you can create an AES key to encrypt and decrypt data. An external key is used for server-side encryption in Alibaba Cloud services that are integrated with KMS. For more information, see Integration with KMS.	Data encryption and data decryption are supported.	AES	Aliyun_AES_256	You can create a key in the key management infrastructure (KMI) and then import the key to KMS. You manage the lifecycle of keys that are created in the KMI.

Cryptographic API operations

KMS supports cloud-native cryptographic API operations, which are easier to use than the API operations for traditional HSMs or in cryptographic software libraries. In addition, KMS provides multiple SDKs to accelerate the development process. For more information about how to use keys to encrypt and decrypt data, see SDK references.

Before you call key-related operations, pay attention to the following information:

AdvanceEncrypt, AdvanceDecrypt, AdvanceGenerateDataKey, and GenerateDataKey: To call these operations, you must use symmetric keys.
Encrypt and Decrypt: To call these operations, you must use symmetric or asymmetric keys.
Sign, Verify, and GetPublicKey: To call these operations, you must use asymmetric keys.

Operation	Description
AdvanceEncrypt	Encrypts plaintext into ciphertext. Important If automatic key rotation is enabled, call the AdvanceEncrypt, AdvanceDecrypt, or AdvanceGenerateDataKey operation to prevent the key rotation feature from becoming invalid. For more information about automatic key rotation, see Configure key rotation. Before you can call the AdvanceDecrypt operation, you must save the ciphertext (CiphertextBlob) and authentication data (Aad) that are returned by the AdvanceEncrypt operation.
AdvanceDecrypt	Decrypts ciphertext into plaintext.
AdvanceGenerateDataKey	Generates a data key and encrypts data by using envelope encryption of KMS. Important Before you can call the AdvanceDecrypt operation, you must save the ciphertext (CiphertextBlob) and authentication data (Aad) that are returned by the AdvanceGenerateDataKey operation.
Encrypt	Encrypts plaintext into ciphertext. Important Before you can call the Decrypt or AdvanceDecrypt operation, you must save the key ID (KeyId), ciphertext (CiphertextBlob), encryption algorithm (Algorithm), initial vector (Iv), padding mode (PaddingMode), and authentication data (Aad) that are returned by the Encrypt operation.
Decrypt	Decrypts ciphertext into plaintext.
GenerateDataKey	Generates a data key and encrypts data by using envelope encryption of KMS.
Sign	Generates a signature by using an asymmetric key. Important You can call the Verify operation to verify the signature. You can also obtain the public key (GetPublicKey) and verify the signature on your computer.
Verify	Verifies a signature by using an asymmetric key.
GetPublicKey	Queries the public key of a specified asymmetric key.