Select a KMS instance - Key Management Service - Alibaba Cloud Documentation Center

Key Management Service (KMS) provides free default keys, paid instances of the software key management type, and paid instances of the hardware key management type. The free default keys can be one of the following types of keys: service keys and customer master keys (CMK). You can refer to this topic to select a suitable instance type.

indicates that the item is supported. indicates that the item is not supported.

Category	Item	Default key		Instance of the software key management type	Instance of the hardware key management type	References
Category	Item	Service key	CMK	Instance of the software key management type	Instance of the hardware key management type	References
Billing method		Free.	Free.	Subscription.	Subscription. To use this instance, you must purchase two hardware security modules (HSMs). For more information, see Billing of KMS.	Overview
Scenario	Server-side encryption in Alibaba Cloud services					Scenarios
	Data encryption in self-managed applications
	Secret lifecycle management
	Compliance with Federal Information Processing Standard (FIPS) 140-2 Level 3 validation requirements
Quota	Computing performance (symmetric encryption and decryption)	750 queries per second (QPS). The specification cannot be upgraded.	750 QPS. The specification cannot be upgraded.	1,000 QPS, 2,000 QPS, or 4,000 QPS. The specification can be upgraded.	2,000 QPS, 4,000 QPS, 8,000 QPS, or 6,000 QPS. The specification can be upgraded.	Performance quotas
	Number of keys	Within an Alibaba Cloud account, each Alibaba Cloud service can create one service key in each region.	Within an Alibaba Cloud account, you can create one CMK in each region.	1,000 to 100,000	1,000 to 100,000	None
	Number of secrets	Secrets are not supported.	Secrets are not supported.	0 to 100,000	0 to 100,000	None
Network type of the endpoint		Internet and virtual private cloud (VPC) managed by KMS.	Internet and VPC managed by KMS.	User-managed VPC.	User-managed VPC.	Regions and endpoints
Cross-account resource sharing						Share a KMS instance across multiple Alibaba Cloud accounts
Backup management						Backups
Security audit						Audit events of KMS Manage KMS instances
Key management	Key specifications	Aliyun_AES_256	Aliyun_AES_256	Symmetric key specifications: Aliyun_AES_256 Asymmetric key specifications: RSA_2048, RSA_3072, EC_P256, and EC_P256K	Symmetric key specifications: Aliyun_AES_256, Aliyun_AES_192, and Aliyun_AES_128 Asymmetric key specifications: RSA_2048, RSA_3072, RSA_4096, EC_P256, and EC_P256K	Overview of Key Management
	Import of external key material (BYOK mode)					Import key material into a symmetric key Import key material into an asymmetric key
	Key rotation	You must purchase a value-added plan.	You must purchase a value-added plan.	Only symmetric keys are supported. Asymmetric keys are not supported.		Configure key rotation
	Scheduled key deletion					Schedule a key deletion task
	Key deletion protection					Enable key deletion protection
	Key alias					Manage key aliases
	Key tag					None
Cryptographic operation	Data encryption and decryption					KMS Instance SDK
Cryptographic operation	Signature generation and verification					KMS Instance SDK
Secret management	Secret creation					Manage and use generic secrets Manage and use RAM secrets Manage and use ApsaraDB RDS secrets Manage and use ECS secrets
	Secret deletion
	Secret rotation
	Secret tag
Secret value retrieval						Secret client Secret JDBC client RAM secret plug-in