
Key Management Service:Terms

Last Updated:Apr 18, 2024

This topic introduces the terms that are used in Key Management Service (KMS).

Key Management

Key Management provides cryptographic features such as secure key storage, lifecycle management of keys, data encryption, data decryption, and digital signature (signing and verification). For more information, see Overview of Key Management.

Secrets Manager

Secrets Manager allows you to manage your secrets throughout their lifecycle and allows applications to use secrets in a secure and efficient manner. This helps prevent sensitive data leaks that are caused by hardcoded secrets. For more information, see Overview.

Key Management Service instance (KMS instance)

KMS instances fall into the following categories: instances of the software key management type and instances of the hardware key management type. KMS instances can be used for server-side encryption in Alibaba Cloud services that are integrated with KMS and for cryptographic solutions of your self-managed applications.

  • Software key management: KMS instances of this type provide key and secret management services. KMS securely stores your keys and secrets in your dedicated databases that run on your exclusive containers. This ensures high scalability and security.

  • Hardware key management: KMS instances of this type provide key services by connecting to your hardware security module (HSM) cluster in Cloud Hardware Security Module, and securely store secrets in your dedicated databases that run on your exclusive containers. This ensures that keys and secrets meet heightened standards for security and compliance. Before you enable a KMS instance of the hardware key management type, you must purchase and configure an HSM cluster in Cloud Hardware Security Module and connect the cluster to KMS.

    Note

    HSMs provided by Cloud Hardware Security Module are devices that are validated by the Chinese State Cryptographic Authority or certified at FIPS 140-2 Level 3.

When you purchase a KMS instance, you can select a performance quota based on your business requirements. For more information, see Performance quotas.

hardware security module (HSM)

An HSM is a hardware device that performs cryptographic operations and securely generates and stores keys. HSMs are commonly used as a building block of IT systems.

You can integrate KMS with Cloud Hardware Security Module to use HSM clusters. This improves the security of keys that are managed in KMS, helps meet higher compliance requirements, and helps meet the testing and certification requirements of regulators.

customer master key (CMK)

A CMK is a primary key that you create and manage yourself in KMS. Each CMK consists of a key ID, basic metadata, and key material.

default key

A default key can be used only for server-side encryption in Alibaba Cloud services that are integrated with KMS. A default key can be one of the following types of keys:

  • Service key: a key that is created and managed by an Alibaba Cloud service for you and is used for server-side encryption.

  • CMK: a key that you create and manage yourself in KMS. You can create only one CMK in each region. You can import key material or use key material that is generated by KMS to create a CMK.

A default key in KMS supports only the AES-256 symmetric cryptographic algorithm.

service key

A service key is created and managed by an Alibaba Cloud service for you in KMS. By default, a service key is used for server-side encryption in Alibaba Cloud services.

key material

Key material is the secret input to a cryptographic operation. To perform cryptographic operations securely, we recommend that you keep your key material confidential. Key material is either the private key of an asymmetric key pair or the key of a symmetric key.

  • When you create a default key of the CMK type, you can use key material that is automatically generated by KMS or import key material. If a key is created by using key material that is automatically generated by KMS, the Origin attribute of the key is Aliyun_KMS. If a key is created by using imported key material, the Origin attribute of the key is EXTERNAL.

  • When you create a software-protected key, you can use only key material that is automatically generated by KMS. If a key is created by using key material that is automatically generated by KMS, the Origin attribute of the key is Aliyun_KMS.

  • When you create a hardware-protected key, you can use key material that is generated by an HSM or import key material. If a key is created by using key material that is generated by an HSM, the Origin attribute of the key is Aliyun_KMS. If a key is created by using imported key material, the Origin attribute of the key is EXTERNAL.

Secrets

Secrets are sensitive information that applications use to authenticate. Examples of secrets include usernames and passwords that are used to access databases, SSH keys, sensitive addresses, and AccessKey pairs.

application access point (AAP)

An AAP is an access control solution in KMS. KMS uses AAPs to authenticate identities and behavior of applications when the applications request resources in KMS. For more information, see Overview of AAPs.