The following tables list API operations available for use in Key Management Service (KMS).

Key service operations

  • CMK management

    Customer master key (CMK) management operations are used to create and modify CMKs and manage their lifecycles.

    API Description
    CreateKey Creates a CMK. You can use key materials created in KMS or import external key materials to the CMK. Importing external key materials is known as Bring Your Own Key (BYOK). This operation is the first step of BYOK.
    GetParametersForImport Queries key materials to be imported. This operation is the second step of BYOK.
    ImportKeyMaterial Imports key materials to a CMK. This operation is the final step of BYOK.
    EnableKey Changes the status of a CMK to Enabled.
    DisableKey Changes the status of a CMK to Disabled.
    ScheduleKeyDeletion Schedules the deletion of a CMK. After you call this operation, the CMK enters the Pending Deletion state. The CMK is automatically deleted after the specified waiting period elapses.
    CancelKeyDeletion Cancels the scheduled deletion of a CMK. You can cancel the scheduled deletion of a CMK before the specified waiting period elapses. After the deletion is canceled, the CMK enters the Enabled state again.
    DeleteKeyMaterial Deletes key materials of a CMK. You can directly delete key materials that are imported from an external source. After key materials of a CMK are deleted, the CMK enters the Pending Import state.
    DescribeKey Queries the information about a CMK.
    ListKeys Queries all CMKs of the current Alibaba Cloud account in the current region.
    UpdateKeyDescription Updates the description of a CMK.
  • Key version management

    Operations for key version management are used to rotate CMKs.

    API Description
    DescribeKeyVersion Queries the information about a key version.
    ListKeyVersions Queries all key versions of a CMK.
    UpdateRotationPolicy Updates the rotation policy of a symmetric CMK. If automatic rotation is enabled, KMS automatically generates a key version on a regular basis.
    CreateKeyVersion Creates a key version for a CMK. This operation is available only for asymmetric CMKs.
  • Cryptographic operations

    You can perform cryptographic operations on data, such as data encryption and decryption. The operations in the following table are used to perform cryptographic operations.

    API Description
    Encrypt Encrypts data by using a specific CMK. This operation is used to encrypt data of no more than 6 KB.
    GenerateDataKey Generates a random number and encrypts the random number with a specific CMK. The ciphertext and plaintext of the random number are returned. The random number can be used as a data key to encrypt or decrypt a large amount of local data.
    GenerateDataKeyWithoutPlaintext Generates a random number and encrypts the random number with a specific CMK. Only the ciphertext of the random number is returned. The random number can be used as a data key to encrypt or decrypt a large amount of local data.
    ExportDataKey Encrypts a data key by using a specific public key and exports the data key.
    GenerateAndExportDataKey Generates a random data key, encrypts the data key by using a specific CMK and public key, and returns the ciphertext generated by using the CMK and that generated by using the public key.
    Decrypt Decrypts the ciphertext that is generated by calling the Encrypt or GenerateDataKey operation. You do not need to specify a CMK for decryption.
    ReEncrypt Re-encrypts ciphertext. When you call this operation, KMS first decrypts the specified ciphertext and then uses a different CMK to encrypt the generated plaintext or data key. Ciphertext is returned.
    AsymmetricSign Uses the private key of an asymmetric CMK to generate a digital signature.
    AsymmetricVerify Uses the public key of an asymmetric CMK to verify a digital signature that is generated by using the private key.
    AsymmetricDecrypt Uses the private key of an asymmetric CMK to decrypt the data that is encrypted by using the public key.
    AsymmetricEncrypt Uses the public key of an asymmetric CMK to encrypt data.
    GetPublicKey Queries the public key of an asymmetric CMK. You can use the public key to encrypt data or verify digital signatures offline.
  • Alias management

    An alias is an independent object in KMS. An alias must be bound to a unique CMK. You can set the KeyId parameter in specific operations to an alias to specify a CMK.

    API Description
    CreateAlias Creates an alias and binds it to a CMK.
    UpdateAlias Associates an existing alias with a different CMK ID.
    DeleteAlias Deletes an alias.
    ListAliases Queries all aliases of the current Alibaba Cloud account in the current region.
    ListAliasesByKeyId Queries all aliases that are bound to a specific CMK.

Secrets Manager operations

Secrets Manager operations are used to manage, protect, distribute, and rotate secrets.

API Description
CreateSecret Creates a secret and stores the secret value in the initial version.
ListSecrets Queries all secrets of the current Alibaba Cloud account in the current region.
DeleteSecret Deletes a secret.
DescribeSecret Queries the metadata of a secret.
GetSecretValue Queries a secret value.
PutSecretValue Stores the secret value of a new version into a secret.
UpdateSecret Updates the metadata of a secret.
UpdateSecretVersionStage Updates the stage label that marks a secret version.
RestoreSecret Restores a deleted secret.
ListSecretVersionIds Queries all versions of a secret.
GetRandomPassword Queries a random password string.

Certificate operations

Certificate operations are used to create, delete, update, and query certificates. Certificate operations are also used to verify the signatures on certificates.

API Description
CreateCertificate Creates a certificate.
UploadCertificate Imports a certificate and a certificate chain issued by a certificate authority (CA) into Certificates Manager.
GetCertificate Queries a certificate that is managed by Certificates Manager.
DescribeCertificate Queries the information about a certificate.
UpdateCertificateStatus Updates the status of a certificate.
DeleteCertificate Deletes a certificate and the private key and certificate chain of the certificate.
CertificatePrivateKeySign Generates a digital signature by using a specific certificate.
CertificatePublicKeyVerify Verifies a digital signature by using a specific certificate.
CertificatePublicKeyEncrypt Encrypts data by using a specific certificate.
CertificatePrivateKeyDecrypt Decrypts data by using a specific certificate.

Tag management operations

CMKs support tags. You can add multiple tags to a CMK. A tag is defined by a pair of TagKey and TagValue.

API Description
TagResource Adds tags to or modifies existing tags of a CMK or secret.
UntagResource Removes a tag from a CMK or secret.
ListResourceTags Queries all tags of a CMK or secret.

Other operations

API Description
DescribeRegions Queries available regions for the current Alibaba Cloud account.
OpenKmsService Activates KMS for the current Alibaba Cloud account.
DescribeAccountKmsStatus Queries the status of KMS for the current Alibaba Cloud account.