Alibaba Cloud services encrypt data at rest using keys from Key Management Service (KMS). KMS handles key hierarchy design, key rotation, re-encryption, and cryptographic correctness — so you do not need to build or maintain your own encryption system.
Alibaba Cloud services integrated with KMS use the Advanced Encryption Standard (AES) 256-bit algorithm.
Choose a key type
KMS supports two key types for service integration. The right choice depends on how much control you need over the key lifecycle and access policy.
| | Service-managed keys | User-managed keys |
|---|---|---|
| Who creates the key | The Alibaba Cloud service creates a default key (service key) in KMS on your behalf | You create and own the key (customer master key, or CMK) |
| Authorization required | None — the service has implicit access | Explicit — grant the service access via a RAM permission policy |
| Access policy | Managed by the Alibaba Cloud service; not configurable | Exclusively controlled by you; configurable per service |
| Audit visibility | Viewable via ActionTrail | Viewable via ActionTrail |
| Key lifecycle | Managed by the Alibaba Cloud service | Managed by you |
| Key alias format | `acs/<service-code>` (e.g., `acs/oss` for OSS) | Set by you |
| BYOK support | No | Yes — import offline key material via Bring Your Own Key (BYOK) |
Service-managed keys
Each Alibaba Cloud service can create one default service key in KMS. To identify which service owns a key, KMS sets the Creator attribute to the service code and associates the key with the alias `acs/<service-code>`. For example, Object Storage Service (OSS) creates a key with Creator = OSS and alias `acs/oss`.
No configuration or authorization is required. Use ActionTrail to audit how the service key is used.
User-managed keys
To use a CMK you own:
1. Create a CMK in KMS.
2. In Resource Access Management (RAM), configure a permission policy that grants the Alibaba Cloud service access to the CMK, and attach the policy to the service.
3. When the service requests the CMK, KMS validates the request against RAM before returning the key.
This approach lets you allow or deny specific services access to specific keys, rotate keys on your own schedule, and delete key material immediately when needed.
BYOK lets you import key material generated outside of KMS. Unlike KMS-generated key material, imported key material can be deleted immediately. Use BYOK only if your compliance requirements mandate it — it adds key management overhead. For details, see Import key material.
How it works
Alibaba Cloud services use envelope encryption to protect your data. This mechanism uses a key hierarchy of at least two layers, keeping the volume of data sent to KMS minimal while ensuring the CMK never touches your raw data.
When an Alibaba Cloud service writes encrypted data:
1. The service requests a new data key from KMS, specifying the CMK to use.
2. KMS generates a unique data key and returns both the plaintext and ciphertext (CMK-encrypted) versions to the service.
3. The service uses the plaintext data key in memory to encrypt your business data.
4. The service discards the plaintext data key and writes the ciphertext of the data key and the ciphertext of the business data to persistent storage, packaged together in an "envelope."
When the service reads the encrypted data:
1. The service reads the data key ciphertext and the business data ciphertext from storage.
2. The service sends the data key ciphertext to KMS to decrypt it.
3. KMS returns the plaintext data key to the service.
4. The service uses the plaintext data key in memory to decrypt the business data, then discards the key.
The plaintext data key never leaves the memory of the host where the service instance runs. It is never written to any persistent storage medium.
