
Key Management Service:Overview

Last Updated:Oct 31, 2023

The key service is a core component of Key Management Service (KMS). It provides fully managed keys and key protection, and it exposes data encryption and digital signing through cloud-native API operations so that applications never handle key material directly.

Key hosting and protection

Feature: Host and manage keys
Description: An encryption key managed by KMS is called a customer master key (CMK). You manage the full lifecycle of a CMK, rotate it, and give it an alias so that applications can reference the key by a stable name instead of its ID. Every management operation is also available as an API operation.

Feature: Protect keys and meet compliance requirements
Description: Keys must be protected in a way that satisfies your security and compliance requirements. We recommend that you set the protection level of a CMK to hardware security module (HSM), so that the CMK is protected by dedicated hardware and meets GM/T or FIPS 140-2 Level 3 requirements. With the HSM protection level, the plaintext key material exists only inside the HSM: it is never exposed outside the HSM and cannot be exported, so no one, whether a user or an operator, can obtain it. All cryptographic operations with such a key are performed inside the HSM through KMS API operations.

Feature: Use Bring Your Own Key (BYOK)
Description: You can import your own key material into KMS by using the BYOK feature to meet specific security requirements. Sources include keys managed offline, keys hosted in other clouds, and keys used in Alibaba Cloud Data Encryption Service.

Data encryption

KMS exposes cloud-native cryptographic API operations that are simpler to use than a traditional cryptographic module or cryptographic software library. KMS also provides SDKs in multiple languages to speed up development. For more information about how to use the SDKs, see Overview of development tools.

Feature: Encrypt data for Alibaba Cloud services with a few clicks
Description: KMS is integrated with a variety of Alibaba Cloud services and provides cloud-native encryption for them. After a simple configuration, KMS automatically encrypts the data that those services store on your behalf.

Feature: Encrypt data by using code
Description: Two options are available.
KMS SDK: The KMS SDK wraps the KMS API operations. See the sample code for data encryption to learn how to call the Encrypt operation of KMS from your own code. Each Encrypt call sends the plaintext to KMS over the API, which makes this path suitable for small payloads such as secrets and data keys rather than bulk data.
Encryption SDK: The Encryption SDK is a client-side encryption library built on the KMS API operations. See the quick start of Encryption SDK to learn how to use envelope encryption from your code: the data is encrypted locally with a data key, and only that data key is protected by a CMK in KMS, so bulk plaintext never leaves your application.
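The envelope-encryption flow that the Encryption SDK implements, as an added example written for this page in Go; it is not code from the page or from the Alibaba Cloud SDKs. To run offline it stands in a constructed fakeKMS type for the key service: the CMK material lives only inside that type, GenerateDataKey and Decrypt are hypothetical methods modelled on the KMS operations of the same names, and Decrypt takes the key ID explicitly for brevity. It goes slightly beyond the text by binding the key ID to the wrapped data key as associated data and by accepting an encryption context (aad) for the data itself, so that a blob cannot be replayed under another key or another record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcmFor builds an AES-256-GCM AEAD over 32 bytes of key material.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // CSPRNG failure: nothing sensible to do
	}
	return b
}

// fakeKMS stands in for the KMS key service (constructed for this example).
// CMK material lives only inside it, as inside an HSM; callers get IDs,
// wrapped data keys and ciphertext, never the CMK itself.
type fakeKMS struct {
	cmks map[string][]byte // keyID -> 32-byte AES-256 CMK material
}

func newFakeKMS() *fakeKMS { return &fakeKMS{cmks: map[string][]byte{}} }

// CreateKey mints a symmetric CMK; the caller gets back only the ID.
func (k *fakeKMS) CreateKey(keyID string) { k.cmks[keyID] = randomBytes(32) }

func (k *fakeKMS) cmkAEAD(keyID string) (cipher.AEAD, error) {
	material, ok := k.cmks[keyID]
	if !ok {
		return nil, errors.New("unknown key ID")
	}
	return gcmFor(material)
}

// GenerateDataKey models the KMS operation of the same name: a fresh 256-bit
// data key in plaintext (for local use) and wrapped under the CMK (stored
// beside the ciphertext). Layout: nonce || AES-GCM output, key ID as AAD.
func (k *fakeKMS) GenerateDataKey(keyID string) (plaintext, wrapped []byte, err error) {
	a, err := k.cmkAEAD(keyID)
	if err != nil {
		return nil, nil, err
	}
	plaintext = randomBytes(32)
	nonce := randomBytes(a.NonceSize())
	wrapped = a.Seal(append([]byte{}, nonce...), nonce, plaintext, []byte(keyID))
	return plaintext, wrapped, nil
}

// Decrypt unwraps a data key (key ID passed explicitly for brevity).
func (k *fakeKMS) Decrypt(keyID string, wrapped []byte) ([]byte, error) {
	a, err := k.cmkAEAD(keyID)
	if err != nil {
		return nil, err
	}
	if ns := a.NonceSize(); len(wrapped) >= ns+a.Overhead() {
		return a.Open(nil, wrapped[:ns], wrapped[ns:], []byte(keyID))
	}
	return nil, errors.New("wrapped data key too short")
}

// envelope is what the application persists; the plaintext data key is not.
type envelope struct {
	KeyID                         string
	WrappedKey, Nonce, Ciphertext []byte
}

// envelopeEncrypt: one KMS call for a data key, then local AES-GCM; the
// record plaintext never reaches KMS.
func envelopeEncrypt(k *fakeKMS, keyID string, plaintext, aad []byte) (*envelope, error) {
	dataKey, wrapped, err := k.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	a, err := gcmFor(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(a.NonceSize())
	return &envelope{keyID, wrapped, nonce, a.Seal(nil, nonce, plaintext, aad)}, nil
}

// envelopeDecrypt: one KMS call to unwrap the data key, then local AES-GCM;
// a wrong AAD or any modified byte fails the GCM tag check.
func envelopeDecrypt(k *fakeKMS, env *envelope, aad []byte) ([]byte, error) {
	dataKey, err := k.Decrypt(env.KeyID, env.WrappedKey)
	if err != nil {
		return nil, err
	}
	a, err := gcmFor(dataKey)
	if err != nil {
		return nil, err
	}
	return a.Open(nil, env.Nonce, env.Ciphertext, aad)
}
```

Usage: create a service with newFakeKMS(), call CreateKey("cmk-demo"), then envelopeEncrypt(k, "cmk-demo", record, []byte("table=orders")) and later envelopeDecrypt with the same context. The application stores only the envelope; decryption with a different context, a modified ciphertext, or an unknown key ID returns an error rather than wrong plaintext. In a real deployment the two KMS calls are the only network round trips, and the plaintext data key should be dropped from memory as soon as the local AES-GCM operation completes.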

Description of encryption algorithms supported by KMS

The following table describes the algorithms supported by KMS.

Algorithm class          | Algorithm subclass | Encryption and decryption | Signature generation and verification
Symmetric key algorithm  | AES                | Supported                 | Not supported
Symmetric key algorithm  | SM4 (see note)     | Supported                 | Not supported
Asymmetric key algorithm | RSA                | Supported                 | Supported
Asymmetric key algorithm | ECC                | Not supported             | Supported
Asymmetric key algorithm | SM2 (see note)     | Supported                 | Supported

Note: Only managed HSMs in the Chinese mainland support the SM4 and SM2 algorithms. For more information, see Supported regions.

Symmetric keys encrypt and decrypt data. If you do not specify the KeySpec parameter when you create a key, KMS creates a symmetric key. For more information, see Overview.

Asymmetric keys can encrypt data, decrypt data, generate signatures, or verify signatures, subject to the algorithm support listed in the table above. An asymmetric CMK in KMS consists of a public key and a private key that are cryptographically related. The public key can be distributed to anyone; the private key must be kept secret. KMS provides no API operation to export the private key of an asymmetric CMK. The only way to use the private key is to call the KMS API operations that sign data or decrypt data with it inside KMS, while the public key can be fetched and used outside KMS to verify signatures or encrypt data. For more information, see Overview.
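The asymmetric-key model described above, as an added example written for this page in Go; it is not code from the page or from the KMS SDK. A constructed asymmetricCMK type plays the role of the service: its private key field is unexported and reachable only through the hypothetical Sign and GetPublicKey methods, so nothing a caller can do exports it, while signature verification runs on the client with the DER-encoded public key and needs no call to the service at all. The P-256 curve, the choice to have Sign accept a SHA-256 digest rather than the raw message, and the sample message are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// asymmetricCMK models an ECC CMK held by the key service (constructed for
// this example). The private key is unexported and no method returns it:
// the only operations offered are GetPublicKey and Sign.
type asymmetricCMK struct {
	keyID string
	priv  *ecdsa.PrivateKey
}

// createAsymmetricCMK generates a P-256 key pair inside the "service".
func createAsymmetricCMK(keyID string) (*asymmetricCMK, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &asymmetricCMK{keyID: keyID, priv: priv}, nil
}

// GetPublicKey returns the public half as DER SubjectPublicKeyInfo, which
// is safe to hand to any verifier.
func (c *asymmetricCMK) GetPublicKey() ([]byte, error) {
	return x509.MarshalPKIXPublicKey(&c.priv.PublicKey)
}

// Sign signs a caller-supplied SHA-256 digest with the private key, which
// never leaves the struct. Signing a digest rather than the message is an
// assumption about the service interface made for this example.
func (c *asymmetricCMK) Sign(digest []byte) ([]byte, error) {
	if len(digest) != sha256.Size {
		return nil, errors.New("digest must be exactly 32 bytes")
	}
	return ecdsa.SignASN1(rand.Reader, c.priv, digest)
}

// signMessage is the client side: hash locally, send only the digest.
func signMessage(c *asymmetricCMK, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return c.Sign(digest[:])
}

// verifyWithPublicKey runs entirely on the client with the exported public
// key; no call to the key service is needed to verify a signature.
func verifyWithPublicKey(pubDER, message, sig []byte) (bool, error) {
	pub, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil {
		return false, err
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return false, errors.New("not an ECDSA public key")
	}
	digest := sha256.Sum256(message)
	return ecdsa.VerifyASN1(ecPub, digest[:], sig), nil
}
```

Usage: createAsymmetricCMK("cmk-sign"), signMessage(cmk, manifest) to obtain a signature, cmk.GetPublicKey() to fetch the DER public key once, and verifyWithPublicKey(pub, manifest, sig) on as many verifiers as needed. Verifiers only ever hold the public key, so compromising one of them does not expose anything that could forge a signature; the signing capability stays with whoever is authorized to call Sign.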