Instance selection - Key Management Service - Alibaba Cloud Documentation Center

Key Management Service (KMS) provides free default keys, paid instances of the software key management type, and paid instances of the hardware key management type. The free default keys can be one of the following types of keys: service keys and customer master keys (CMK). You can refer to this topic to select a suitable instance type.

indicates that the item is supported. indicates that the item is not supported.

Category	Item	Default key		Instance of the software key management type	Instance of the hardware key management type	References
Category	Item	Service key	CMK	Instance of the software key management type	Instance of the hardware key management type	References

Category	Item	Default key		Instance of the software key management type	Instance of the hardware key management type	References
Category	Item	Service key	CMK	Instance of the software key management type	Instance of the hardware key management type	References
Billing method		Free.	Free.	Subscription Pay as you go	Subscription Pay as you go To use this instance, you must purchase two hardware security modules (HSMs). For more information, see Billing of KMS.	Overview
Scenario	Server-side encryption in Alibaba Cloud services					Scenarios
	Data encryption in self-managed applications
	Secret lifecycle management
	Compliance with Federal Information Processing Standard (FIPS) 140-2 Level 3 validation requirements
Quota	Computing performance (symmetric encryption and decryption)	1000 queries per second (QPS). The specification cannot be upgraded.	1000 QPS. The specification cannot be upgraded.	Shared gateway access: 1,000 QPS. Upgrade is not supported. Dedicated gateway access: 1,000, 2,000, or 4,000 QPS available at purchase. Upgrades are supported.	Shared gateway access: 1,000 QPS. Upgrade is not supported. Dedicated gateway access: 2,000, 4,000, 6,000 or 8,000 QPS available at purchase. Upgrades are supported.	Performance quotas
	Number of keys	Within an Alibaba Cloud account, each Alibaba Cloud service can create one service key in each region.	Within an Alibaba Cloud account, you can create one CMK in each region.	1,000 to 100,000	1,000 to 100,000	None
	Number of secrets	Secrets are not supported.	Secrets are not supported.	0 to 100,000	0 to 100,000	None
Network type of the endpoint		Public network Virtual private cloud (VPC) network	Public network VPC network	Public network VPC network	Public network VPC network	Regions and endpoints
Multi-account resource sharing						Share a KMS instance across multiple Alibaba Cloud accounts
Backup management						Backups
Security audit						Use ActionTrail to query KMS events
Key management	Key specifications	Aliyun_AES_256	Aliyun_AES_256	Symmetric key specifications: Aliyun_AES_256 Asymmetric key specifications: RSA_2048, RSA_3072, EC_P256, and EC_P256K	Symmetric key specifications: Aliyun_AES_256, Aliyun_AES_192, and Aliyun_AES_128 Asymmetric key specifications: RSA_2048, RSA_3072, RSA_4096, EC_P256, and EC_P256K	Overview of Key Management
	Import of external key material (BYOK mode)					Import key material into a symmetric key Import key material into an asymmetric key
	Key rotation	You must purchase a value-added plan.	You must purchase a value-added plan.	Only symmetric keys are supported. Asymmetric keys are not supported.		Configure key rotation
	Scheduled key deletion					Schedule a key deletion task
	Key deletion protection					Enable key deletion protection
	Key alias					Manage key aliases
	Key tag					Tag management
Cryptographic operation	Data encryption and decryption					Alibaba Cloud SDK
Cryptographic operation	Signature generation and verification					Alibaba Cloud SDK
Secret management	Secret creation					Secret management
	Secret deletion
	Secret rotation
	Secret tag
Secret value retrieval						Secret client Secret JDBC client RAM secret plug-in