The following tables list API operations available for use in KMS. For more information, see OpenAPI Explorer.

Alibaba Cloud also provides a command line tool that you can use to explore the API operations and to automate tasks from the command line. For more information about how to install and use the command line tool, see Alibaba Cloud CLI.

Key management

Key management API operations are used to create and modify keys and manage their lifecycle.

| Operation | Description |
| --- | --- |
| CreateKey | Creates a CMK. You can let KMS generate the key materials or upload your own key materials. CreateKey is the first step to create a Bring Your Own Key (BYOK). |
| GetParametersForImport | Obtains key materials, which is the second step to create a BYOK. |
| ImportKeyMaterial | Imports key materials to the CMK, which is the final step to create a BYOK. |
| EnableKey | Modifies the key status to Enabled. |
| DisableKey | Modifies the key status to Disabled. |
| ScheduleKeyDeletion | Schedules key deletion. The key status changes to PendingDeletion. A CMK in the PendingDeletion state will be deleted when the scheduled period expires. |
| CancelKeyDeletion | Cancels the scheduled deletion of a CMK. You can cancel a scheduled deletion request after it is submitted and before the end of the scheduled period. After the scheduled deletion is canceled, the CMK returns to the Enabled state. |
| DeleteKeyMaterial | Deletes key materials of a CMK. You can directly delete key materials of a BYOK. After key materials are deleted, the BYOK is in the PendingImport state. |
| DescribeKey | Queries detailed information about a specified CMK. |
| ListKeys | Lists all CMKs within the current region that belong to the current Alibaba Cloud account. |
| UpdateKeyDescription | Updates the description of a CMK. |

Key version management

Key version management API operations are used for CMK rotation.

| Operation | Description |
| --- | --- |
| DescribeKeyVersion | Queries a key version. |
| ListKeyVersions | Lists all key versions of a specified CMK. |
| UpdateRotationPolicy | Updates the CMK rotation policy. If automatic rotation is enabled, KMS automatically generates a new key version on a periodic basis. |

Key operation

Key operation API operations are used to perform data operations that involve keys, such as encryption and decryption.

| Operation | Description |
| --- | --- |
| Encrypt | Uses a specified CMK to encrypt data. This operation is used for online encryption of data of no more than 6 KB. |
| GenerateDataKey | Generates a random number. After the random number is encrypted with the specified CMK, its ciphertext and plaintext are returned. The random number can be used as a data key to encrypt or decrypt a large amount of data locally. |
| GenerateDataKeyWithoutPlaintext | Generates a random number. After the random number is encrypted with the specified CMK, its ciphertext is returned. The random number can be used as a data key to encrypt or decrypt a large amount of data locally. |
| Decrypt | Decrypts ciphertexts generated with the Encrypt or GenerateDataKey API operation. You do not need to specify the CMK for decryption. |

Alias management

An alias is an independent object that must be bound to a unique CMK. Once bound, the alias can be used in place of the KeyId of the CMK.

| Operation | Description |
| --- | --- |
| CreateAlias | Creates an alias and binds it to a CMK. |
| UpdateAlias | Binds a specified alias to a new CMK. |
| DeleteAlias | Deletes a specified alias. |
| ListAliases | Lists all aliases of an Alibaba Cloud account in the current region. |
| ListAliasesByKeyId | Lists all aliases bound to a specified CMK. |

Tag management

CMKs support tags. You can add multiple tags to a CMK. Each tag consists of a TagKey and TagValue pair.

| Operation | Description |
| --- | --- |
| TagResource | Adds or modifies the tags of a CMK. |
| UntagResource | Deletes the specified tag of a CMK. |
| ListResourceTags | Lists all tags of a CMK. |