Alibaba Cloud services that can be integrated with KMS - Key Management Service

This topic describes the Alibaba Cloud services that can be integrated with Key Management Service (KMS).

Important

If you purchased an Alibaba Cloud service that can be integrated with KMS and your business requirements can be met by using default keys, you do not need to purchase a KMS instance. A default key can be of the following types: service key and customer master key (CMK).

Workload data encryption

Service

Description

References

Elastic Compute Service (ECS)

By default, the disk encryption feature of ECS uses service keys to encrypt data. This feature can also use user-created keys to encrypt data. To encrypt data stored on each disk, you must use a key and a data key that are specific to the disk and use the envelope encryption mechanism.

The disk encryption feature encrypts the data that is transmitted from an ECS instance to a disk and decrypts the data that is read from the disk. Data encryption and decryption is performed on the host on which the ECS instance resides. During encryption and decryption, the performance of the disk is not affected.

After an encrypted disk is created and attached to an ECS instance, the ECS instance encrypts the following data:

Static data that is stored on the disk.
Data that is transmitted between the disk and the ECS instance. Data in the operating system of the ECS instance is not encrypted.
All snapshots that are created from the encrypted disk. These snapshots are referred to as encrypted snapshots.

Encryption overview

Container Service for Kubernetes (ACK)

ACK supports server-side encryption (SSE) based on KMS for the following types of workload data:

Kubernetes Secrets
In a Kubernetes cluster, Kubernetes Secrets are used to store and manage sensitive business data. For more information about Kubernetes Secrets, see Secrets. The sensitive business data includes application passwords, Transport Layer Security (TLS) certificates, and credentials that are used to download Docker images. Kubernetes stores Secrets in the etcd of the cluster.
Volumes
A volume can be a disk, an Object Storage Service (OSS) bucket, or a File Storage NAS file system. You can use KMS-based SSE to encrypt each type of volume. For example, you can create an encrypted disk and attach the disk to a Kubernetes cluster as a volume.

Use KMS to encrypt Kubernetes Secrets

Persistent storage encryption

Service	Description	References
Object Storage Service (OSS)	OSS uses the SSE feature to encrypt uploaded data. When you upload data to OSS, OSS encrypts the uploaded data and then stores the encrypted data in persistent storage. When you download data from OSS, OSS automatically decrypts the data and then returns the decrypted data to you. In addition, OSS declares that the data has been encrypted on OSS in an HTTP response header. OSS can use an encryption system that is dedicated to OSS to implement the SSE feature. This encryption method is referred to as SSE-OSS. The keys used in this encryption system are not managed by OSS. Therefore, you cannot use ActionTrail to audit the use of these keys. OSS can also use KMS to implement the SSE feature. This encryption method is referred to as SSE-KMS. This method allows OSS to use service keys or user-managed keys to encrypt data. You can configure a service key for each bucket or specify a key when you upload an object.	Server-side encryption SDK references
File Storage NAS	By default, NAS uses a service key to encrypt data. To encrypt data stored on each volume, you must use a key and a data key that are specific to the volume and use the envelope encryption mechanism.	Server-side encryption
Tablestore	By default, Tablestore uses a service key to encrypt data. Tablestore can also use user-managed keys to encrypt your data. To encrypt data stored on each table, you must use a key and a data key that are specific to the table and use the envelope encryption mechanism.	None
Cloud Storage Gateway (CSG)	OSS-based encryption	Manage shares
Microservices Engine (MSE)	Configuration data in Microservices Registry of Microservices Engine (MSE) is stored in plaintext. MSE is integrated with Key Management Service (KMS) to allow you to encrypt and decrypt configuration data, such as data sources, tokens, usernames, and passwords. This helps reduce the risk of sensitive data leaks.	Configuration encryption

Database encryption

Service	Description	References
ApsaraDB RDS	ApsaraDB RDS supports the following encryption methods: Use the cloud disk encryption feature ApsaraDB RDS provides the disk encryption feature free of charge for RDS instances that use cloud disks. After you enable this feature for your RDS instance, this feature encrypts the entire data disks of your instance based on block storage. The keys that are used for disk encryption are encrypted and stored in KMS. ApsaraDB RDS reads the keys only when you start or migrate your RDS instance. Transparent data encryption (TDE) ApsaraDB RDS for MySQL and ApsaraDB RDS for SQL Server support TDE. The keys that are used for TDE are encrypted and stored in KMS. ApsaraDB RDS reads the keys only when you start or migrate your RDS instance. After you enable TDE for your RDS instance, you can specify the database or table for encryption. The TDE feature encrypts the data of the specified database or table before the data is written to a destination device such as a disk, solid-state drive (SSD), or Peripheral Component Interconnect Express (PCIe) card, or to a service such as OSS. All data files and backups of the RDS instance are stored in ciphertext.	ApsaraDB RDS for MySQL: Configure the disk encryption feature for an ApsaraDB RDS for MySQL instance and Configure TDE for an ApsaraDB RDS for MySQL instance ApsaraDB RDS for SQL Server: Configure disk encryption for an ApsaraDB RDS for SQL Server instance and Configure TDE for an ApsaraDB RDS for SQL Server instance ApsaraDB RDS for PostgreSQL: Configure disk encryption for an ApsaraDB RDS for PostgreSQL instance
ApsaraDB for MongoDB	The TDE feature is provided. The encryption methods for ApsaraDB for MongoDB are similar to those for ApsaraDB RDS.	Configure TDE for an instance
PolarDB		PolarDB for MySQL: Configure TDE for a PolarDB cluster PolarDB for Oracle: Configure TDE for a PolarDB for Oracle instance PolarDB for PostgreSQL: Configure TDE
ApsaraDB for OceanBase		TDE
Tair (Redis OSS-compatible)		Enable TDE
AnalyticDB	Both AnalyticDB and ApsaraDB for ClickHouse support disk encryption. The disk encryption is based on block storage, encrypting the entire data disk. Even if data backups are exposed, they cannot be decrypted, ensuring the security of your data.	AnalyticDB for MySQL: Disk encryption AnalyticDB for PostgreSQL: Enable disk encryption
ApsaraDB for ClickHouse		Disk Encryption

Log data encryption

Service	Description	References
ActionTrail	When you create a single-account or multi-account trail, you can enable encryption for events that are delivered to OSS in the ActionTrail console.	Create a single-account trail Create a multi-account trail
Simple Log Service (SLS)	Simple Log Service can be integrated with KMS to encrypt data for secure storage. Static data protection is provided.	Data encryption

Big data and AI

Service	Description	References
MaxCompute	MaxCompute can use service keys or user-managed keys to encrypt your data.	Data encryption
Platform for AI	You can configure SSE for the cloud services that are used in the architecture of PAI and different data flow stages, such as computing engines, ACK, and data storage services. This protects data security and privacy.	None
E-MapReduce	After encrypting the data disk, E-MapReduce encrypts both dynamic data transmission and static data stored on the disk. If your business has security compliance requirements, you can use this feature.	Enable data disk encryption

Other scenarios

Service	Description	References
Alibaba Cloud CDN (CDN)	When an OSS bucket is used as the origin server, you can use OSS-based SSE to protect distributed content.	Grant Alibaba Cloud CDN access permissions on private OSS buckets
ApsaraVideo Media Processing (MPS)	MPS supports two encryption methods: Alibaba Cloud proprietary cryptography and HTTP Live Streaming (HLS) encryption. You can integrate MPS with KMS to protect video content regardless of the encryption method used.	None
ApsaraVideo VOD	VOD supports two encryption methods: Alibaba Cloud proprietary cryptography and HLS encryption. You can integrate VOD with KMS to protect video content regardless of the encryption method used.	Alibaba Cloud proprietary cryptography HLS encryption
Hologres	Hologres supports data encryption using KMS, ensuring static data protection to meet enterprise regulatory and compliance requirements.	Encrypt data in Hologres
ApsaraVideo Live	Alibaba Cloud video encryption protects video data, ensuring that when the content is downloaded to a local device, the video remains encrypted and cannot be maliciously redistributed. This encryption effectively prevents video leakage and unauthorized access, making it widely used in sectors such as online education, finance, corporate training, and exclusive streaming content.	Alibaba Cloud proprietary cryptography
Elastic Desktop Service (EDS) Enterprise	During the creation of a cloud computer, you can enable disk encryption for both the system disk and the data disk.	Create cloud computers