Alibaba Cloud can encrypt your data stored in Alibaba Cloud services by using keys from Key Management Service (KMS). Alibaba Cloud supports the Advanced Encryption Standard (AES) 256-bit algorithm for encryption, which meets the encryption requirements of sensitive data.

The integration of Alibaba Cloud services with KMS brings the following benefits:
  • Enhanced security and privacy protection for data stored in Alibaba Cloud services

    Alibaba Cloud services can use KMS keys to encrypt any of your data, including the data that you can directly access or internal data of Alibaba Cloud services that you can only indirectly access, such as files generated by database engines. This ensures the security and privacy of your data stored in Alibaba Cloud services.

  • No need to develop your own data encryption system

    To develop your own data encryption system, you must:
    • Design a proper key hierarchy and data distribution mode to balance encryption performance against security.
    • Design the key rotation and data re-encryption mechanisms.
    • Master cryptography technologies to ensure that your encryption algorithm is robust, secure, and tamper-proof.
    • Improve the engineering robustness and reliability of your system to ensure data persistence.
    The integration of Alibaba Cloud services with KMS resolves all these complex engineering and security issues for you and reduces R&D costs.

Select appropriate keys

You can select different types of keys stored in KMS for encryption based on your data protection requirements.

  • Service-managed keys

    Each Alibaba Cloud service can create a default key, which is also called a service key, for you in KMS. You do not need to manage this service key. It is managed by the Alibaba Cloud service. In addition, you do not need to explicitly authorize the Alibaba Cloud service to use this service key. By using ActionTrail, you can audit the use of the service key by the Alibaba Cloud service.

    To allow you to easily identify the service key, KMS sets the Creator attribute of the service key to the code of the Alibaba Cloud service, and associates the service key with a special alias in the format of acs/<Alibaba Cloud service code>. For example, the Creator attribute of the service key created by Object Storage Service (OSS) is set to OSS, and the service key is associated with the alias acs/oss.

  • User-managed keys

    You can use keys created by yourself to encrypt data stored in Alibaba Cloud services. This gives you more control over how data is encrypted. You must explicitly authorize Alibaba Cloud services to use your keys. You can use Resource Access Management (RAM) to perform the authorization. By configuring a permission policy and granting the policy to an Alibaba Cloud service in RAM, you can allow or deny the Alibaba Cloud service to use a specific customer master key (CMK) stored in KMS. When the Alibaba Cloud service requests the CMK from KMS, KMS checks the permission of the Alibaba Cloud service through RAM.

    Besides keys generated by KMS, you can securely import offline key materials to CMKs in KMS through the Bring Your Own Key (BYOK) feature and use these CMKs as your keys. In this way, you can gain more control over the keys. For example, you cannot immediately delete the key materials generated by KMS, but you can immediately delete the key materials imported to KMS. Exercise caution when using the BYOK feature because it incurs extra management costs. For more information, see Import key material.

Encrypt data in Alibaba Cloud services

The encryption design varies between Alibaba Cloud services, depending on the business form of each service and on customer needs. Generally, a key hierarchy consisting of at least two layers is used, and business data is encrypted by using the envelope encryption mechanism.

The first layer is the CMK in KMS, and the second layer is the data key (DK). The CMK is used to encrypt and decrypt the DK, while the DK is used to encrypt and decrypt your business data. When an Alibaba Cloud service stores your business data on a persistent storage medium, it writes both the ciphertext of the DK (encrypted by KMS using the CMK) and the ciphertext of the business data (encrypted by the Alibaba Cloud service using the DK) to that medium. This mechanism is known as envelope encryption: the ciphertext of the DK and the ciphertext of the business data are packaged together in an "envelope." When reading the encrypted data, the Alibaba Cloud service reads both the ciphertext of the DK and the ciphertext of the business data. It must first have KMS decrypt the ciphertext of the DK, and only then can it use the plaintext DK to decrypt the ciphertext of the business data.

In envelope encryption, the CMK is protected by the key management infrastructure of KMS. The Alibaba Cloud service must be authorized to use the CMK, both to generate the DK that encrypts business data and to decrypt the ciphertext of the DK when business data is read. The plaintext of the DK never leaves the memory of the host where the Alibaba Cloud service instance resides. That is, the DK is never stored in plaintext on any persistent storage medium.
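The two-layer envelope described above, as an added example that is not Alibaba Cloud's own code: a constructed in-process map stands in for KMS and its RAM permission check, AES-256-GCM is used for both layers, and the only things SealEnvelope hands back (the DK ciphertext and the data ciphertext) are what a service would persist; the plaintext DK exists only inside the two functions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// CMKs stands in for KMS: a CMK never leaves it, and the service only ever handles data keys (DKs).
// The *[32]byte type makes every key a valid AES-256 key, so the cipher setup below cannot fail.
type CMKs map[string]*[32]byte

// seal is AES-256-GCM with a fresh 12-byte nonce prepended; open reverses it and rejects tampering.
func seal(key *[32]byte, pt []byte) []byte {
	b, _ := aes.NewCipher(key[:])
	g, _ := cipher.NewGCM(b)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // never returns an error on supported Go versions
	return g.Seal(nonce, nonce, pt, nil)
}

func open(key *[32]byte, ct []byte) ([]byte, error) {
	b, _ := aes.NewCipher(key[:])
	g, _ := cipher.NewGCM(b)
	if n := g.NonceSize(); len(ct) >= n {
		return g.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// SealEnvelope: if the service is authorized for keyID, KMS wraps a fresh DK under that CMK and the
// service encrypts the data with the plaintext DK, which exists only in memory. Both ciphertexts are returned.
func SealEnvelope(kms CMKs, keyID string, data []byte) (encDK, encData []byte, err error) {
	if cmk, ok := kms[keyID]; ok {
		dk := new([32]byte) // plaintext data key: used here, never written to storage
		rand.Read(dk[:])
		return seal(cmk, dk[:]), seal(dk, data), nil
	}
	return nil, nil, errors.New("service not authorized to use " + keyID)
}

// OpenEnvelope: KMS first unwraps the DK under the CMK, then the service decrypts the data locally.
func OpenEnvelope(kms CMKs, keyID string, encDK, encData []byte) ([]byte, error) {
	if cmk, ok := kms[keyID]; ok {
		if dk, err := open(cmk, encDK); err == nil && len(dk) == 32 {
			return open((*[32]byte)(dk), encData)
		}
		return nil, errors.New("data key unwrap failed")
	}
	return nil, errors.New("service not authorized to use " + keyID)
}
```

Because both layers are authenticated, a modified DK ciphertext or data ciphertext fails at decryption instead of yielding garbage, and a service that was not granted the key ID is refused before any key material is touched.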