The following tables list API operations available for use in KMS. For more information, see OpenAPI Explorer.

Alibaba Cloud also provides a command line tool that you can use to explore API operations and to automate tasks from the command line. For more information about how to install and use the command line tool, see Alibaba Cloud CLI.

Key API operations

  • CMK management

    CMK management API operations are used to create and modify CMKs and manage their lifecycle.

    | Operation | Description |
    | --- | --- |
    | CreateKey | Creates a CMK. You can use key material created in KMS or import external key material to the CMK. Importing external key material is known as Bring Your Own Key (BYOK). Calling CreateKey is the first step of BYOK. |
    | GetParametersForImport | Obtains key material to be imported. This operation is the second step of BYOK. |
    | ImportKeyMaterial | Imports key material to a CMK. This operation is the final step of BYOK. |
    | EnableKey | Changes the state of a CMK to Enabled. |
    | DisableKey | Changes the state of a CMK to Disabled. |
    | ScheduleKeyDeletion | Schedules the deletion of a CMK. After you call this operation, the CMK enters the Pending Deletion state. The CMK is automatically deleted after the specified waiting period elapses. |
    | CancelKeyDeletion | Cancels the scheduled deletion of a CMK. You can cancel the scheduled deletion of a CMK before the scheduled waiting period elapses. After the deletion is canceled, the CMK enters the Enabled state again. |
    | DeleteKeyMaterial | Deletes key material of a CMK. You can directly delete key material that is imported from an external source. After key material of a CMK is deleted, the CMK enters the Pending Import state. |
    | DescribeKey | Queries the detailed information of a CMK. |
    | ListKeys | Queries all CMKs of the current Alibaba Cloud account in the current region. |
    | UpdateKeyDescription | Updates the description of a CMK. |
  • Key version management

    Key version management API operations are used for CMK rotation.

    | Operation | Description |
    | --- | --- |
    | DescribeKeyVersion | Queries the detailed information of a key version. |
    | ListKeyVersions | Queries all key versions of a CMK. |
    | UpdateRotationPolicy | Updates the rotation policy of a symmetric CMK. If automatic rotation is configured, KMS automatically generates a new key version on a periodic basis. |
    | CreateKeyVersion | Creates a new version for a CMK. This operation is available only for asymmetric CMKs. |
  • Cryptographic operation

    Cryptographic API operations are used to perform cryptographic operations such as data encryption and decryption.

    | Operation | Description |
    | --- | --- |
    | Encrypt | Uses a specified CMK to encrypt data. This operation is used to encrypt data of no more than 6 KB. |
    | GenerateDataKey | Generates a random number and encrypts the random number with a specified CMK. The ciphertext and plaintext of the random number are returned. The random number can be used as a data key to encrypt or decrypt a large amount of local data. |
    | GenerateDataKeyWithoutPlaintext | Generates a random number and encrypts the random number with a specified CMK. The ciphertext of the random number is returned. The random number can be used as a data key to encrypt or decrypt a large amount of local data. |
    | ExportDataKey | Encrypts a data key by using a specific public key and exports the data key. |
    | GenerateAndExportDataKey | Generates a random data key, encrypts the data key by using a specific CMK and public key, and returns both the ciphertext encrypted by using the CMK and the ciphertext encrypted by using the public key. |
    | Decrypt | Decrypts the ciphertext that is generated by calling the Encrypt or GenerateDataKey operation. You do not need to specify a CMK for decryption. |
    | ReEncrypt | Re-encrypts ciphertext. Decrypts the specified ciphertext, uses a different CMK to encrypt the obtained plaintext data or data key, and returns ciphertext. |
    | AsymmetricSign | Uses the private key of an asymmetric key pair to generate a digital signature. |
    | AsymmetricVerify | Uses the public key of an asymmetric key pair to verify a digital signature that is generated by using the private key. |
    | AsymmetricDecrypt | Uses the private key of an asymmetric key pair to decrypt the data that is encrypted by using the public key. |
    | AsymmetricEncrypt | Uses the public key of an asymmetric key pair to encrypt data. |
    | GetPublicKey | Obtains the public key of an asymmetric key pair. You can use the public key to encrypt data or verify digital signatures offline. |
  • Alias management

    An alias is an independent object in KMS. It must be bound to a unique CMK. You can set the KeyId parameter in certain API operations to an alias to specify a CMK.

    | Operation | Description |
    | --- | --- |
    | CreateAlias | Creates an alias and binds it to a CMK. |
    | UpdateAlias | Changes the CMK to which a specified alias is bound. |
    | DeleteAlias | Deletes an alias. |
    | ListAliases | Queries all aliases under the current Alibaba Cloud account in the current region. |
    | ListAliasesByKeyId | Queries all aliases bound to a specified CMK. |

Secrets Manager API operations

KMS Secrets Manager hosts, protects, distributes, and rotates secrets.

| Operation | Description |
| --- | --- |
| CreateSecret | Creates a secret and stores the secret value in the initial version. |
| ListSecrets | Queries all secrets created by your Alibaba Cloud account in the current region. |
| DeleteSecret | Deletes a secret. |
| DescribeSecret | Obtains the metadata of a secret. |
| GetSecretValue | Obtains a secret value. |
| PutSecretValue | Stores the secret value of a new version into a secret object. |
| UpdateSecret | Updates the metadata of a secret. |
| UpdateSecretVersionStage | Updates the stage label that marks a secret version. |
| RestoreSecret | Restores a deleted secret. |
| ListSecretVersionIds | Queries all versions of a secret. |
| GetRandomPassword | Obtains a random password string. |

Tag management API operations

CMKs support tags. You can add multiple tags to a CMK. A tag is defined by a pair of TagKey and TagValue.

| Operation | Description |
| --- | --- |
| TagResource | Adds tags to or modifies existing tags of a CMK or secret. |
| UntagResource | Removes a tag from a CMK or secret. |
| ListResourceTags | Queries all tags of a CMK or secret. |

Other API operations

| Operation | Description |
| --- | --- |
| DescribeRegions | Queries available regions under your Alibaba Cloud account. |
| OpenKmsService | Activates KMS under your Alibaba Cloud account. |
| DescribeAccountKmsStatus | Queries the status of KMS under your Alibaba Cloud account. |