Alibaba Cloud services can use service-managed keys or user-managed keys, including the keys that are imported by using the Bring Your Own Key (BYOK) feature, to encrypt different types of data in different scenarios. This topic describes the Alibaba Cloud services that can be integrated with Key Management Service (KMS).
If you purchase an Alibaba Cloud service that can be integrated with KMS and you want to use service-managed keys or user-managed keys to encrypt data, you do not need to separately purchase Dedicated KMS.
Workload data encryption
Service | Description | References |
Elastic Compute Service (ECS) | By default, the disk encryption feature of ECS uses service-managed keys to encrypt data. This feature can also use user-managed keys to encrypt data. Each disk has its own customer master key (CMK) and data key and uses the envelope encryption mechanism to encrypt data. An ECS instance automatically encrypts the data that is transmitted to an encrypted disk and decrypts the data that is read from the disk. Data is encrypted or decrypted on the host on which the ECS instance resides. During encryption and decryption, the performance of the disk is not affected. After an encrypted disk is created and attached to an ECS instance, the ECS instance encrypts the following data:
| |
Container Service for Kubernetes (ACK) | ACK supports server-side encryption (SSE) based on KMS for the following types of workload data:
| |
Web App Service | Web App Service is integrated with KMS to encrypt sensitive configuration data, such as access credentials of ApsaraDB RDS. | None |
Persistent storage encryption
Service | Description | References |
Object Storage Service (OSS) | OSS uses the SSE feature to encrypt uploaded data.
OSS can use an encryption system that is dedicated to OSS to implement the SSE feature. In this case, the feature is called SSE-OSS. The keys used in this encryption system are not managed by OSS. Therefore, you cannot use ActionTrail to audit the use of these keys. OSS can also use KMS to enable the SSE feature. In this case, the feature is called SSE-KMS. OSS uses service-managed keys or user-managed keys to encrypt your data. OSS allows you to configure a default CMK for each bucket or specify a CMK that you can use when you upload an object. | |
File Storage NAS | By default, File Storage NAS uses service-managed keys to encrypt your data. Each volume has its own CMK and data key and uses the envelope encryption mechanism to encrypt your data. | |
Tablestore | By default, Tablestore uses service-managed keys to encrypt your data. Tablestore can also use user-managed keys to encrypt your data. Each table has its own CMK and data key and uses the envelope encryption mechanism to encrypt your data. | None |
Cloud Storage Gateway (CSG) | OSS-based encryption |
Database encryption
Service | Description | References |
ApsaraDB RDS | ApsaraDB RDS supports the following encryption methods:
|
|
ApsaraDB for MongoDB | The encryption methods for ApsaraDB for MongoDB are similar to those for ApsaraDB RDS. | |
PolarDB | The encryption methods for PolarDB are similar to those for ApsaraDB RDS. |
|
ApsaraDB for OceanBase | The encryption methods for ApsaraDB for OceanBase are similar to those for ApsaraDB RDS. | |
Tair (Redis OSS-compatible) | The encryption methods for Tair (Redis OSS-compatible) are similar to those for ApsaraDB RDS. |
Log data encryption
Service | Description | References |
ActionTrail | When you create a single-account or multi-account trail, you can enable encryption for events that are delivered to OSS in the ActionTrail console. | |
Log Service | Log Service is integrated with KMS to encrypt data for secure storage. |
Big data and AI
Service | Description | References |
MaxCompute | MaxCompute uses service-managed keys or user-managed keys to encrypt your data. | |
Machine Learning Platform for AI (PAI) | You can configure SSE for the Alibaba Cloud services that are used in different data flow stages in the architecture of PAI, such as computing engines, ACK, and data storage services. This protects data security and privacy. | None |
Other scenarios
Service | Description | References |
Alibaba Cloud CDN (CDN) | When an OSS bucket is used as the origin server, you can use OSS-based SSE to protect distributed content. For more information about how to allow CDN to access an encrypted OSS bucket, see CDN documentation. | |
ApsaraVideo for Media Processing (MTS) | MTS supports two encryption methods: Alibaba Cloud proprietary cryptography and HTTP Live Streaming (HLS) encryption. You can integrate MTS with KMS to protect video content regardless of the encryption method used. | None |
ApsaraVideo VOD | ApsaraVideo VOD supports two encryption methods: Alibaba Cloud proprietary cryptography and HLS encryption. You can integrate ApsaraVideo VOD with KMS to protect video content regardless of the encryption method used. |