
Key Management Service: Overview of key management

Last Updated: Sep 26, 2024

Key management is a core feature of Key Management Service (KMS). The feature allows you to manage and store software-protected keys, hardware-protected keys, and default keys throughout their lifecycles. The feature also allows you to encrypt and sign data based on cloud-native API operations. This topic describes the key types and cryptographic API operations that are supported by KMS.

Key types

KMS provides software-protected keys, hardware-protected keys, default keys, and external keys to meet your business, security, and compliance requirements. The following table describes the types of keys.

Note

If you use the default key, purchasing a KMS instance is not required. However, if you use software-protected keys, hardware-protected keys, or external keys, purchasing a KMS instance is required. For differences among the features of instances, see Instance selection.

Key type: Default key

  Scenario: A default key is used for server-side encryption in Alibaba Cloud services that are integrated with KMS. For more information, see Integration with KMS.

  Supported operation: Only data encryption and data decryption are supported.

  Algorithm: AES

  Key specification: Aliyun_AES_256

  Description: A default key can be one of the following keys:

  • Service key: A service key is created and managed by an Alibaba Cloud service.

  • CMK: A default key of the customer master key (CMK) type is a key that you create and manage in KMS. You can create only one default key of the CMK type in each region. You can import key material or use the key material that is generated by KMS to create a default key of the CMK type.

Key type: Software-protected key

  Scenario:

  • A software-protected key is used for cryptographic solutions for your self-managed applications.

    For example, you can create an Advanced Encryption Standard (AES) key to encrypt or decrypt data. You can also create a Rivest-Shamir-Adleman (RSA) key to calculate and verify digital signatures.

  • A software-protected key is used for server-side encryption in Alibaba Cloud services that are integrated with KMS. For more information, see Integration with KMS.

  Supported operation: Data encryption, data decryption, and signing and verification are supported.

  Algorithm: AES, RSA, and Elliptic Curve Cryptography (ECC)

  Key specification:

  • Symmetric key specifications: Aliyun_AES_256

  • Asymmetric key specifications: RSA_2048, RSA_3072, EC_P256, and EC_P256K

  For more information, see Key types and key specifications.

  Description: You can use only key material that is generated by KMS to create a software-protected key.

  Note

  You cannot import key material that is generated by KMS to create a software-protected key.

Key type: Hardware-protected key

  Scenario:

  • A hardware-protected key is used for cryptographic solutions for your self-managed applications.

    For example, you can create an AES key to encrypt or decrypt data or create an RSA or ECC key to calculate and verify digital signatures.

  • A hardware-protected key is used for server-side encryption in Alibaba Cloud services that are integrated with KMS. For more information, see Integration with KMS.

  Supported operation: Data encryption, data decryption, and signing and verification are supported.

  Algorithm: AES, RSA, and ECC

  Key specification:

  • Symmetric key specifications: Aliyun_AES_256, Aliyun_AES_192, and Aliyun_AES_128

  • Asymmetric key specifications: RSA_2048, RSA_3072, RSA_4096, EC_P256, and EC_P256K

  For more information, see Key types and key specifications.

  Description: You can use key material that is generated by KMS or import key material to create a hardware-protected key and manage the key throughout its lifecycle.

  Important

  Before you can use a hardware-protected key, you must purchase hardware security modules (HSMs) and configure HSM clusters in Cloud Hardware Security Module.

  Make sure that the HSMs comply with Federal Information Processing Standard (FIPS) 140-2 Level 3.

Key type: External key

  Scenario:

  • An external key is used for cryptographic solutions for your self-managed applications.

    For example, you can create an AES key to encrypt and decrypt data.

  • An external key is used for server-side encryption in Alibaba Cloud services that are integrated with KMS. For more information, see Integration with KMS.

  Supported operation: Data encryption and data decryption are supported.

  Algorithm: AES

  Key specification: Aliyun_AES_256

  Description: You can create a key in the key management infrastructure (KMI) and then import the key to KMS. You manage the lifecycle of keys that are created in the KMI.

Cryptographic API operations

KMS supports cloud-native cryptographic API operations, which are easier to use than the API operations for traditional HSMs or in cryptographic software libraries. In addition, KMS provides multiple SDKs to accelerate the development process. For more information about how to use keys to encrypt and decrypt data, see SDK references.

Before you call key-related operations, pay attention to the following information:

  • AdvanceEncrypt, AdvanceDecrypt, AdvanceGenerateDataKey, and GenerateDataKey: To call these operations, you must use symmetric keys.

  • Encrypt and Decrypt: To call these operations, you must use symmetric or asymmetric keys.

  • Sign, Verify, and GetPublicKey: To call these operations, you must use asymmetric keys.

Operation: AdvanceEncrypt

  Description: Encrypts plaintext into ciphertext.

  Important

  • If automatic key rotation is enabled, call the AdvanceEncrypt, AdvanceDecrypt, or AdvanceGenerateDataKey operation to prevent the key rotation feature from becoming invalid. For more information about automatic key rotation, see Configure key rotation.

  • Before you can call the AdvanceDecrypt operation, you must save the ciphertext (CiphertextBlob) and authentication data (Aad) that are returned by the AdvanceEncrypt operation.

Operation: AdvanceDecrypt

  Description: Decrypts ciphertext into plaintext.

Operation: AdvanceGenerateDataKey

  Description: Generates a data key and encrypts data by using envelope encryption of KMS.

  Important

  Before you can call the AdvanceDecrypt operation, you must save the ciphertext (CiphertextBlob) and authentication data (Aad) that are returned by the AdvanceGenerateDataKey operation.

Operation: Encrypt

  Description: Encrypts plaintext into ciphertext.

  Important

  Before you can call the Decrypt or AdvanceDecrypt operation, you must save the key ID (KeyId), ciphertext (CiphertextBlob), encryption algorithm (Algorithm), initialization vector (Iv), padding mode (PaddingMode), and authentication data (Aad) that are returned by the Encrypt operation.

Operation: Decrypt

  Description: Decrypts ciphertext into plaintext.

Operation: GenerateDataKey

  Description: Generates a data key and encrypts data by using envelope encryption of KMS.

Operation: Sign

  Description: Generates a signature by using an asymmetric key.

  Important

  You can call the Verify operation to verify the signature. You can also obtain the public key (GetPublicKey) and verify the signature on your computer.

Operation: Verify

  Description: Verifies a signature by using an asymmetric key.

Operation: GetPublicKey

  Description: Queries the public key of a specified asymmetric key.
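
The save-before-decrypt requirement in the Important notes for AdvanceEncrypt, AdvanceGenerateDataKey, and Encrypt, as an added example (not code from the KMS documentation or SDKs): a Python helper that persists exactly the fields each operation's response must keep and refuses to store a record that could not be decrypted later. It assumes the response is available as a dict keyed by the parameter names on this page and that CiphertextBlob, Iv, and Aad are bytes; the function names and all sample values are constructed.

```python
import base64
import json

# Fields the page says must be saved from each response before decrypting.
REQUIRED_FIELDS = {
    "AdvanceEncrypt": ("CiphertextBlob", "Aad"),
    "AdvanceGenerateDataKey": ("CiphertextBlob", "Aad"),
    "Encrypt": ("KeyId", "CiphertextBlob", "Algorithm", "Iv", "PaddingMode", "Aad"),
}
BINARY_FIELDS = {"CiphertextBlob", "Iv", "Aad"}  # assumption: held as bytes

# Constructed sample response; every value is a placeholder, not KMS output.
SAMPLE = {"KeyId": "key-EXAMPLE", "CiphertextBlob": b"\x01\x02\x03",
          "Algorithm": "ALG_PLACEHOLDER", "Iv": b"\x00" * 12,
          "PaddingMode": "PADDING_PLACEHOLDER", "Aad": b"order-42"}


def pack_record(operation, response):
    """Serialize the decrypt-critical fields of a response to JSON."""
    if operation not in REQUIRED_FIELDS:
        raise ValueError(f"no persistence rule for {operation!r}")
    missing = [f for f in REQUIRED_FIELDS[operation] if response.get(f) is None]
    if missing:
        raise ValueError(f"{operation} response lacks {missing}; refusing to store")
    record = {"Operation": operation}
    for field in REQUIRED_FIELDS[operation]:
        value = response[field]
        if field in BINARY_FIELDS:
            value = base64.b64encode(value).decode("ascii")
        record[field] = value
    return json.dumps(record, sort_keys=True)


def unpack_record(blob):
    """Parse a stored record into the parameters the decrypt call needs."""
    record = json.loads(blob)
    operation = record.get("Operation")
    if operation not in REQUIRED_FIELDS:
        raise ValueError("stored record has an unknown Operation")
    params = {}
    for field in REQUIRED_FIELDS[operation]:
        if field not in record:
            raise ValueError(f"stored record is missing {field}")
        value = record[field]
        if field in BINARY_FIELDS:
            value = base64.b64decode(value, validate=True)
        params[field] = value
    return params
```

Store the packed record next to the data it protects, so that the ciphertext and the parameters needed to decrypt it cannot be separated.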