All Products
Search
Document Center

Key Management Service:Overview of integration with KMS

Last Updated:Sep 08, 2023

Key Management Service (KMS) provides default data encryption capabilities for other Alibaba Cloud services. To encrypt data in an Alibaba Cloud service, you can use the service key that is created by the Alibaba Cloud service or a key that is created in KMS. This topic describes the integration of Alibaba Cloud services with KMS, including the integration benefits and the encryption mechanism.

Benefits of integrating Alibaba Cloud services with KMS

  • Increase data security and privacy protection

    KMS provides data encryption capabilities for most Alibaba Cloud services. You can configure an encryption solution when or after you purchase an Alibaba Cloud service. KMS performs end-to-end encryption on cloud data, such as data generated by database engines, when Alibaba Cloud services are being used. This provides a secure encryption solution for your cloud data and increases the overall security and privacy of your data.

  • Eliminate the fees for developing your own data encryption systems

    When you develop your own data encryption systems, you may encounter various challenges. You can integrate your services with KMS to address the challenges. The following list describes the challenges:

    • Design a proper key hierarchy and data distribution mode to balance encryption performance and security.

    • Design the key rotation and data re-encryption mechanisms.

    • Master cryptography technologies and use appropriate encryption algorithms to ensure that encryption systems are robust, secure, and tamper-proof.

Types of keys that support data encryption in Alibaba Cloud services

KMS provides default keys, software-protected keys, and hardware-protected keys. You can use these keys to encrypt data in Alibaba Cloud services. The following table describes the keys. For more information, see Overview of Key Management.

Key creator

Key type

Key material origin

Billing

Description

Alibaba Cloud service

Default key (service key)

KMS

Free of charge

Within an Alibaba Cloud account, each Alibaba Cloud service can create only one service key in a region.

User

Customer master key (CMK) which is used as the default key

Supported key material origins:

  • KMS

  • Bring your own key (BYOK)

Free of charge

After you create a key, you must authorize your Alibaba Cloud service to use the key. For more information, see Use RAM to manage access to KMS resources.

Software-protected key

KMS

Paid

Hardware-protected key

Supported key material origins:

  • KMS

  • BYOK

Paid

Use a key for server-side encryption in Alibaba Cloud services

In this example, a key is configured for server-side encryption in an Alibaba Cloud service when you purchase the Alibaba Cloud service. You can also configure a key after you purchase an Alibaba Cloud service. For more information, see the documentation on the official website of each Alibaba Cloud service.

Service key

You can view the service keys that are created in the KMS console.

  1. When you purchase an Alibaba Cloud service, select Default Service CMK. This way, you can use the service key created by your Alibaba Cloud service to encrypt server-side data. In this example, an Elastic Compute Service (ECS) instance is purchased.购买ECS时选择KMS默认密钥加密

    Note

    For easy identification, a service key is automatically associated with an alias in the alias/acs/<cloud product code> format. For example, the service key created by ECS is associated with the alias/acs/ecs alias.

  2. In the KMS console, view the service key that is created.服务密钥

    Note
    • For a service key, the value of KeyManagerType is Service Key.

    • A service key is managed by an Alibaba Cloud service. You cannot manage a service key in the KMS console. For example, you cannot enable or disable a service key. You can view the operation and usage records of a service key in the ActionTrail console.

User-created key

  • CMK as a default key

    1. Enable a CMK in the KMS console. For more information, see Default key.

      In this example, the alias of the CMK is alias/byok.默认密钥主密钥

    2. When you purchase an Alibaba Cloud service, select the CMK that is used as a default key to encrypt server-side data.

      In this example, an ECS instance is purchased.使用默认密钥主密钥

  • Software-protected key

    1. Purchase a KMS instance of the software key management type. For more information, see Purchase and enable a KMS instance.

    2. In the KMS console, create a software-protected key. For more information, see Software-protected key.

    3. When you purchase an Alibaba Cloud service, select the software-protected key to encrypt server-side data.

  • Hardware-protected key

    1. Purchase a KMS instance of the hardware key management type. For more information, see Purchase and enable a KMS instance.

    2. In the KMS console, create a hardware-protected key. For more information, see Hardware-protected key.

    3. When you purchase an Alibaba Cloud service, select the hardware-protected key to encrypt server-side data.

Encryption process

The encryption process in each Alibaba Cloud service varies based on the business form and customer requirements. In most cases, envelope encryption is used to implement server-side encryption in Alibaba Cloud services. Data keys are encrypted by using KMS keys and then are used to encrypt server-side data, as shown in the following figure.

云产品集成KMS加密原理
  1. Create a key in KMS.

  2. Call the GenerateDataKey operation of KMS to request a data key.

  3. KMS returns a data key, which contains the data key plaintext and the data key ciphertext. The data key ciphertext is generated by encrypting the data key plaintext by using the specified key.

  4. An Alibaba Cloud service uses the data key plaintext to encrypt data plaintext to generate data ciphertext, and writes the data key ciphertext and the data ciphertext in persistent storage.

Note
  • The data key ciphertext and the data ciphertext are packaged together in an envelope.

  • KMS transfers the data key to your Alibaba Cloud service over a secure transmission channel. The data key plaintext is used only in the memory of your Alibaba Cloud service and is not stored in persistent storage.

Access control

KMS checks whether an Alibaba Cloud service has permissions to use a specific key based on Resource Access Management (RAM). You can configure permission policies for an Alibaba Cloud service in the RAM console or follow the on-screen instructions in the console of the Alibaba Cloud service to allow or deny the Alibaba Cloud service to use a specific key. For more information, see Use RAM to manage access to KMS resources.

Auditing

You can audit the use of keys for Alibaba Cloud services in ActionTrail. For more information, see Use ActionTrail to query KMS events.

References

Alibaba Cloud services that can be integrated with KMS