Starting from March 31, 2022, Key Management Service (KMS) will be evolved to an Alibaba Cloud cloud-native feature that provides encryption and decryption capabilities for cloud services. In addition, Dedicated KMS will be released as a cloud service to provide tenant-specific storage and cryptographic resources.
Reasons for upgrade
KMS provides storage and cryptographic resources that are shared among tenants. Dedicated KMS provides tenant-specific storage and cryptographic resources. Dedicated KMS has the following advantages:
- Dedicated KMS provides tenant-specific instances and is deployed in the VPC of a tenant. Dedicated KMS supports securer access over an internal network than KMS because KMS uses shared gateways.
- Dedicated KMS provides tenant-specific cryptographic resource pools to implement resource isolation and cryptographic isolation. Dedicated KMS supports securer use of tenant resources than KMS because KMS allows different tenants to share computing resources and cryptographic resources.
- Dedicated KMS uses application access point (AAP) authentication. KMS uses RAM authentication. Dedicated KMS allows users to complete key authentication configurations in a more efficient manner.
Impacts
The upgrade does not affect the existing users of KMS. If new users want to manage keys, the users must purchase Dedicated KMS. The following table describes the impacts of the upgrade on new users.
Feature | Scenario | Impact |
---|---|---|
Customer master key | Service-managed keys are used by cloud services to encrypt cloud resources. | None. |
Service-managed keys are used by clients to encrypt or decrypt data. | This feature is not supported. | |
User-managed keys are used by cloud services to encrypt cloud resources. | New users must purchase Dedicated KMS of the Standard edition to use this feature.
You can go to the Dedicated KMS console to purchase Dedicated KMS. |
|
User data is encrypted. | New users must purchase Dedicated KMS of the Standard edition to use this feature.
You can go to the Dedicated KMS console to purchase Dedicated KMS. |
|
Secret | Secrets are used to obtain sensitive information. |
This feature is not supported. |
Secrets are rotated. | This feature is not supported. | |
Certificate | Certificates are hosted. | New users must purchase SSL certificates to use this feature. |
Certificates are used to generate signatures and verify the signatures. | This feature is not supported. |