This topic describes the Alibaba Cloud services that support integration with Key Management Service (KMS). These Alibaba Cloud services can use server-managed keys or user-managed keys, including the keys uploaded through the Bring Your Own Key (BYOK) feature, to encrypt your data.

The integration with KMS allows you to protect data stored in Alibaba Cloud services at low cost, establishes a security boundary for business data, and strengthens the protection Alibaba Cloud provides for your business. Alibaba Cloud services can encrypt not only the business data that you access directly, but also the business data that you can access only indirectly.

ECS

By default, the disk encryption feature of Elastic Compute Service (ECS) uses the service key to encrypt your data. This feature also supports user-managed keys. Each disk has its own customer master key (CMK) and data key (DK), and uses the envelope encryption mechanism to encrypt your data.

An ECS instance automatically encrypts the data transmitted to an encrypted disk and decrypts the data read from the disk. Data is encrypted and decrypted on the host where the ECS instance resides. During encryption and decryption, the performance of the disk hardly degrades.

After an encrypted disk is created and attached to an ECS instance, the ECS instance encrypts the following data:
  • Static data stored on the disk.
  • Data transmitted between the disk and the ECS instance. Data in the operating system of the ECS instance is not encrypted.
  • All snapshots created from the encrypted disk. These snapshots are called encrypted snapshots.
Note: Container Service can also use the disk encryption feature to encrypt your data.

OSS

Object Storage Service (OSS) uses the server-side encryption (SSE) feature to encrypt uploaded data. When you upload data to OSS, OSS encrypts the data and stores the encrypted data in persistent storage. When you download data from OSS, OSS automatically decrypts the encrypted data and returns the decrypted data to you. In addition, OSS declares that the data has been encrypted on the server through a header in the returned HTTP response.

OSS can use an encryption system dedicated to OSS to implement the SSE feature. In this case, this feature is called SSE-OSS. The keys used in this encryption system are managed by OSS. Therefore, you cannot use ActionTrail to audit the use of these keys.

OSS can also use KMS to implement the SSE feature. In this case, this feature is called SSE-KMS. OSS uses the service key or user-managed keys to encrypt your data. OSS allows you to configure a default CMK for each bucket or specify the CMK to use when uploading an object.

For more information, see Server-side encryption and SDK reference of OSS.
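The per-object CMK selection and the response header that declares server-side encryption, shown from the client's side as a check that an upload was really stored under SSE-KMS with the intended CMK. This is an added example, not code from this page or from the OSS SDK: the two header names are the ones OSS documents for server-side encryption, the OSS endpoint is replaced by a constructed in-process stand-in (no network, no request signing), and the bucket URL and CMK ID are placeholders.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Header names from the OSS server-side encryption documentation. For SSE-KMS the value
// of hdrSSE is "KMS" and hdrSSEKeyID carries the CMK ID; for SSE-OSS the value is "AES256".
const (
	hdrSSE      = "x-oss-server-side-encryption"
	hdrSSEKeyID = "x-oss-server-side-encryption-key-id"
)

// verifySSEResponse is the check a client should run on every PutObject response:
// the object must be reported as KMS-encrypted under exactly the CMK that was requested.
func verifySSEResponse(h http.Header, wantKeyID string) error {
	if mode := h.Get(hdrSSE); mode != "KMS" {
		return fmt.Errorf("object not stored with SSE-KMS (%s = %q)", hdrSSE, mode)
	}
	if got := h.Get(hdrSSEKeyID); got != wantKeyID {
		return fmt.Errorf("object encrypted under CMK %q, expected %q", got, wantKeyID)
	}
	return nil
}

// putObjectSSEKMS uploads body to objectURL, requesting SSE-KMS with the given CMK, and
// refuses to report success unless the response confirms that request. Request signing
// is deliberately omitted; a real upload goes through the OSS SDK or a signed request.
func putObjectSSEKMS(client *http.Client, objectURL, keyID string, body []byte) error {
	req, err := http.NewRequest(http.MethodPut, objectURL, bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set(hdrSSE, "KMS")      // ask for SSE-KMS rather than SSE-OSS
	req.Header.Set(hdrSSEKeyID, keyID) // per-object CMK, overriding any bucket default
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("upload failed: HTTP %d", resp.StatusCode)
	}
	return verifySSEResponse(resp.Header, keyID)
}

// fakeOSS is a constructed in-process stand-in for the OSS endpoint (no network).
// With honourSSE it echoes the requested encryption headers, as OSS does when it applies
// them; without it, it answers like a store that did not apply the requested encryption.
type fakeOSS struct{ honourSSE bool }

func (f fakeOSS) RoundTrip(req *http.Request) (*http.Response, error) {
	h := http.Header{}
	if f.honourSSE {
		h.Set(hdrSSE, req.Header.Get(hdrSSE))
		h.Set(hdrSSEKeyID, req.Header.Get(hdrSSEKeyID))
	}
	return &http.Response{StatusCode: http.StatusOK, Header: h,
		Body: io.NopCloser(strings.NewReader("")), Request: req}, nil
}

func newFakeClient(honourSSE bool) *http.Client {
	return &http.Client{Transport: fakeOSS{honourSSE: honourSSE}}
}

func main() {
	const url = "https://example-bucket.oss-cn-hangzhou.aliyuncs.com/app/config.yaml" // constructed
	const keyID = "00000000-0000-0000-0000-000000000000"                                // placeholder CMK ID
	fmt.Println("headers honoured:", putObjectSSEKMS(newFakeClient(true), url, keyID, []byte("secret=1")))
	fmt.Println("headers ignored: ", putObjectSSEKMS(newFakeClient(false), url, keyID, []byte("secret=1")))
}
```

The point of checking the key ID, not just the encryption mode, is that a bucket default CMK and a per-request CMK can differ; an audit that only looks for "KMS" in the response would accept an object encrypted under a key other than the one your policy names.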

ApsaraDB

  • ApsaraDB for RDS
    ApsaraDB for Relational Database Service (RDS) supports the following methods for encrypting data:
    • Disk encryption

      For disks used by RDS instances, Alibaba Cloud provides the disk encryption feature for free, which encrypts the disks at the block storage layer. The keys used for disk encryption are encrypted and stored in KMS. RDS reads the keys only when starting or migrating instances.

    • TDE

      RDS MySQL and RDS SQL Server support transparent data encryption (TDE). The keys used for TDE are encrypted and stored in KMS. RDS reads the keys only when starting or migrating instances. After TDE is enabled for an RDS instance, you can specify the database or table to be encrypted. The data of the specified database or table is first encrypted and then written to the destination device such as a hard disk drive (HDD), solid-state drive (SSD), or Peripheral Component Interconnect Express (PCIe) card, or to any service such as OSS or Archive Storage. All data files and backups of the RDS instance are stored in ciphertext.

    For more information, see the following topics:
  • ApsaraDB for MongoDB

    The encryption method for ApsaraDB for MongoDB is similar to that for ApsaraDB for RDS. For more information, see Configure TDE.

ACM

Application Configuration Management (ACM) integrates KMS to encrypt application configurations. This ensures the security of sensitive configurations, such as data sources, tokens, usernames, and passwords, and reduces the risk of configuration leakage. ACM can use KMS in either of the following ways:
  • Encrypt data in KMS

    ACM calls the KMS API to transmit configurations to KMS, which encrypts them with the specified CMK.

  • Encrypt data in ACM by using the envelope encryption mechanism

    ACM uses a DK to encrypt configurations within ACM and calls the KMS API to encrypt the DK with the specified CMK.

For more information, see Create and use encrypted configuration.
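The envelope encryption mechanism that the ECS, NAS and Table Store sections mention and that ACM's second option describes (encrypt locally under a data key, have KMS wrap that data key with the CMK), written out end to end. This is an added example, not code from this page or from Alibaba Cloud: KMS is replaced by a constructed in-process stand-in whose GenerateDataKey and Decrypt methods are assumed names for the generic generate-data-key and unwrap operations of envelope encryption, and the key ID and configuration string are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// simKMS is a constructed stand-in for KMS; GenerateDataKey/Decrypt are assumed names for the generic envelope operations.
type simKMS struct{ keyID string; cmk []byte } // the 256-bit CMK never leaves this struct

func newSimKMS(keyID string) *simKMS {
	return &simKMS{keyID: keyID, cmk: randBytes(32)}
}

func randBytes(n int) []byte { // a failing OS CSPRNG is not recoverable, so panic
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) cipher.AEAD { // keys here are always 32 bytes; an error is a bug
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal: AES-256-GCM under a fresh random nonce; output is nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key, wrong AAD or any modified byte fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// GenerateDataKey returns a fresh DK twice: in plaintext for one in-memory use, and wrapped under the CMK with the key ID bound as AAD.
func (k *simKMS) GenerateDataKey(keyID string) (plainDK, wrappedDK []byte, err error) {
	if keyID != k.keyID {
		return nil, nil, fmt.Errorf("unknown key id %q", keyID)
	}
	plainDK = randBytes(32)
	return plainDK, seal(k.cmk, plainDK, []byte(keyID)), nil
}

// Decrypt unwraps a DK: the only KMS call a reader of the data needs to make.
func (k *simKMS) Decrypt(keyID string, wrappedDK []byte) ([]byte, error) {
	if keyID != k.keyID {
		return nil, fmt.Errorf("unknown key id %q", keyID)
	}
	return open(k.cmk, wrappedDK, []byte(keyID))
}

// Envelope is what the service persists: wrapped DK plus sealed data, never the plain DK.
type Envelope struct {
	KeyID           string
	WrappedDK, Data []byte
}

// EncryptConfig is the ACM-style flow: seal locally under a DK, have KMS wrap the DK.
func EncryptConfig(kms *simKMS, keyID string, config []byte) (*Envelope, error) {
	plainDK, wrappedDK, err := kms.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	data := seal(plainDK, config, nil)
	for i := range plainDK {
		plainDK[i] = 0 // best-effort wipe: the plain DK must not outlive this call
	}
	return &Envelope{KeyID: keyID, WrappedDK: wrappedDK, Data: data}, nil
}

// DecryptConfig asks KMS only for the DK; the bulk ciphertext never leaves the service.
func DecryptConfig(kms *simKMS, env *Envelope) ([]byte, error) {
	plainDK, err := kms.Decrypt(env.KeyID, env.WrappedDK)
	if err != nil {
		return nil, err
	}
	return open(plainDK, env.Data, nil)
}

func main() {
	env, _ := EncryptConfig(newSimKMS("cmk-demo"), "cmk-demo", []byte("db.password=s3cret")) // constructed inputs
	fmt.Printf("%d ciphertext bytes stored beside a DK wrapped under %s\n", len(env.Data), env.KeyID)
}
```

Two properties of this layout are what make the per-disk, per-volume and per-table CMK/DK pairing described on this page auditable: only the small wrapped DK ever crosses to KMS, so every decrypt of stored data shows up as one KMS call that ActionTrail can record, and binding the key ID into the wrap as AAD means a wrapped DK cannot be presented under a different CMK label.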

NAS

By default, Network Attached Storage (NAS) uses the service key to encrypt your data. Each volume has its own CMK and DK, and uses the envelope encryption mechanism to encrypt your data. Currently, only the NAS service key can be used as the CMK. User-managed keys will be supported in the future.

Table Store

By default, Table Store uses the service key to encrypt your data. Table Store also supports user-managed keys. Each table has its own CMK and DK, and uses the envelope encryption mechanism to encrypt your data.

MaxCompute

MaxCompute uses the service key as the CMK to encrypt your data.

CSG

Cloud Storage Gateway (CSG) supports OSS-based data encryption. For more information, see Manage shares.

ApsaraVideo for Media Processing

ApsaraVideo for Media Processing supports both Alibaba Cloud proprietary cryptography and HTTP Live Streaming (HLS) encryption. Both methods can integrate KMS to protect video content.

ApsaraVideo VOD

ApsaraVideo VOD supports Alibaba Cloud video encryption and HLS encryption. Both methods can integrate KMS to protect video content.

Web+

Web App Service (Web+) integrates KMS to encrypt sensitive configuration data.