This topic lists the APIs in KMS. For more information, see related documentation.

Alibaba Cloud also provides a command line tool that you can use to explore the APIs and to automate tasks from the command line. For more information about how to install and use the command line tool, see Alibaba Cloud CLI.

Key management APIs

Key management APIs are used to create and modify keys and manage their lifecycle.

| API | Description |
| --- | --- |
| CreateKey | Creates a CMK. You can choose to let KMS generate the key material or to upload your own key material. CreateKey is the first step to create a BYOK (Bring Your Own Key). |
| GetParametersForImport | Obtains the parameters for importing key material, which is the second step to create a BYOK. |
| ImportKeyMaterial | Imports the key material to the CMK, which is the final step to create a BYOK. |
| EnableKey | Changes the key status to enabled. |
| DisableKey | Changes the key status to disabled. |
| ScheduleKeyDeletion | Schedules key deletion. The key status changes to PendingDeletion. A CMK in the PendingDeletion state is deleted when the scheduled period expires. |
| CancelKeyDeletion | Cancels the scheduled deletion of a CMK. You can cancel a scheduled deletion request after it is submitted and before the end of the scheduled period. After the scheduled deletion is canceled, the CMK returns to the enabled state. |
| DeleteKeyMaterial | Deletes the key material of a CMK. You can directly delete the key material of a BYOK. After the key material is deleted, the BYOK is in the PendingImport state. |
| DescribeKey | Queries detailed information about a specified CMK. |
| ListKeys | Lists all CMKs within the current region that belong to the current Alibaba Cloud account. |

Key operation APIs

Key operation APIs are used to perform data operations that involve keys, such as encryption and decryption.

| API | Description |
| --- | --- |
| Encrypt | Uses a specified CMK to encrypt data. The API is used for online encryption of data of no more than 6 KB. |
| GenerateDataKey | Generates a random number. After the random number is encrypted with the specified CMK, its ciphertext and plaintext are returned. The random number can be used as a data key to encrypt or decrypt a large amount of data locally. |
| Decrypt | Decrypts ciphertexts generated with the Encrypt or GenerateDataKey API. You do not need to specify the CMK for decryption. |

Alias management APIs

An alias is an independent object that must be bound to a unique CMK. Once bound, the alias can be used in place of the KeyId to refer to the CMK.

| API | Description |
| --- | --- |
| CreateAlias | Creates an alias and binds it to a CMK. |
| UpdateAlias | Binds a specified alias to a new CMK. |
| DeleteAlias | Deletes a specified alias. |
| ListAliases | Lists all aliases of an Alibaba Cloud account in the current region. |
| ListAliasesByKeyId | Lists all aliases bound to the specified CMK. |

Tag management APIs

CMKs support tags. You can add multiple tags to a CMK. Each tag consists of a TagKey and a TagValue.

| API | Description |
| --- | --- |
| TagResource | Adds or modifies the tags of a CMK. |
| UntagResource | Deletes the specified tag of a CMK. |
| ListResourceTags | Lists all tags of a CMK. |