Alibaba Cloud services can use service-managed keys or user-managed keys, including the keys that are imported by using the Bring Your Own Key (BYOK) feature, to encrypt different types of data in different scenarios. This topic describes the Alibaba Cloud services that can be integrated with Key Management Service (KMS).

Notice: If you use an Alibaba Cloud service that is integrated with KMS and want to encrypt its data with service-managed keys or user-managed keys, you do not need to purchase Dedicated KMS separately.

Workload data encryption

Service Description References
Elastic Compute Service (ECS)

By default, the disk encryption feature of ECS uses service-managed keys to encrypt data; you can also select a user-managed key. Disks are protected with the envelope encryption mechanism: each disk has its own data key, and that data key is encrypted by the customer master key (CMK) that you selected or that the service manages.

An ECS instance automatically encrypts the data that is transmitted to an encrypted disk and decrypts the data that is read from the disk. Data is encrypted or decrypted on the host on which the ECS instance resides. During encryption and decryption, the performance of the disk is not affected.

After an encrypted disk is created and attached to an ECS instance, the ECS instance encrypts the following data:
  • Static data that is stored on the disk.
  • Data that is transmitted between the disk and the ECS instance. Data inside the guest operating system of the ECS instance (that is, data after it has been read from the disk) is not encrypted by this feature.
  • All snapshots that are created from the encrypted disk. These snapshots are called encrypted snapshots.
Encryption overview
Container Service for Kubernetes (ACK)

ACK supports server-side encryption (SSE) based on KMS for the following types of workload data:

  • Kubernetes Secrets

    In a Kubernetes cluster, Kubernetes Secrets are used to store and manage sensitive business data, such as application passwords, Transport Layer Security (TLS) certificates, and the credentials that are used to pull container images. For more information about Kubernetes Secrets, see Secrets. Kubernetes stores Secrets in the etcd of the cluster.

  • Volumes

    A volume can be a disk, an Object Storage Service (OSS) bucket, or an Apsara File Storage NAS file system. Each type of volume is encrypted with the KMS-based SSE method of its underlying storage service. For example, you can create an encrypted disk and attach it to a Kubernetes cluster as a volume.

Use KMS to encrypt Kubernetes Secrets
Web App Service

Web App Service is integrated with KMS to encrypt sensitive configuration data, such as access credentials of ApsaraDB RDS.

None
Application Configuration Management
Application Configuration Management is integrated with KMS to encrypt application configurations. This ensures the security of sensitive configurations, such as data sources, tokens, usernames, and passwords, and reduces the risk of configuration leaks. Application Configuration Management can use KMS in one of the following ways:
  • Encrypt data in KMS

    The configuration plaintext is sent to KMS through the data encryption API operation, and KMS encrypts it with the specified CMK.

  • Use the envelope encryption mechanism to encrypt data in Application Configuration Management

    Application Configuration Management generates a data key, encrypts the configuration locally with that data key, and calls a KMS API operation to encrypt the data key with the specified CMK. Only the data key, not the configuration itself, is sent to KMS.

Create and use encrypted configuration
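The envelope encryption mechanism that ECS disks and Application Configuration Management rely on (and that the NAS and Tablestore entries below describe) always follows the same pattern: a per-object data key encrypts the data locally, and only that data key is wrapped by the CMK inside KMS. The following Go program is an added example, not Alibaba Cloud code or the KMS SDK. StubKMS is an assumption of the example: it stands in for the KMS Encrypt, Decrypt and GenerateDataKey operations with an in-process AES-256 key so the example runs offline, whereas a real CMK never leaves KMS. The CMK IDs and the configuration string used with it are constructed. It shows both Application Configuration Management modes side by side, the binding of a ciphertext to its CMK, and what happens to an envelope once the CMK is disabled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StubKMS stands in for the KMS Encrypt, Decrypt and GenerateDataKey operations so the
// example runs offline. Assumption: a real CMK never leaves KMS; here it is an AES-256 key.
type StubKMS struct{ cmks map[string][]byte } // CMK ID -> 32-byte key material
func NewStubKMS() *StubKMS           { return &StubKMS{cmks: map[string][]byte{}} }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // without entropy nothing below is safe to continue
	}
	return b
}

// CreateKey provisions a user-managed CMK; DisableKey models disabling or deleting it.
func (k *StubKMS) CreateKey(keyID string)  { k.cmks[keyID] = randomBytes(32) }
func (k *StubKMS) DisableKey(keyID string) { delete(k.cmks, keyID) }

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a bad key size; keys here are 32 bytes
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // fails only for non-128-bit block sizes, never for AES
	return g
}

// sealGCM encrypts and prepends the random 12-byte nonce; aad is authenticated, not encrypted.
func sealGCM(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// openGCM reverses sealGCM; it fails if nonce, ciphertext, tag or aad were altered.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Encrypt is the direct mode: the whole plaintext travels to KMS. The CMK ID is bound as AAD.
func (k *StubKMS) Encrypt(keyID string, plaintext []byte) ([]byte, error) {
	key, ok := k.cmks[keyID]
	if !ok {
		return nil, fmt.Errorf("CMK %q is disabled or does not exist", keyID)
	}
	return sealGCM(key, plaintext, []byte(keyID)), nil
}

// Decrypt mirrors KMS Decrypt and fails the same way once the CMK is disabled.
func (k *StubKMS) Decrypt(keyID string, ciphertext []byte) ([]byte, error) {
	key, ok := k.cmks[keyID]
	if !ok {
		return nil, fmt.Errorf("CMK %q is disabled or does not exist", keyID)
	}
	return openGCM(key, ciphertext, []byte(keyID))
}

// GenerateDataKey mirrors KMS GenerateDataKey: a fresh data key, in plaintext and wrapped by the CMK.
func (k *StubKMS) GenerateDataKey(keyID string) (plain, wrapped []byte, err error) {
	plain = randomBytes(32)
	wrapped, err = k.Encrypt(keyID, plain)
	return plain, wrapped, err
}

// Envelope is what a service persists per disk, table or configuration item; the plaintext data key is discarded.
type Envelope struct {
	KeyID      string
	WrappedDK  []byte // data key encrypted by the CMK
	Ciphertext []byte
}

// EnvelopeEncrypt encrypts locally under a per-object data key; only the 32-byte key travels to KMS.
func EnvelopeEncrypt(kms *StubKMS, keyID string, data []byte) (*Envelope, error) {
	dk, wrapped, err := kms.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyID: keyID, WrappedDK: wrapped, Ciphertext: sealGCM(dk, data, []byte(keyID))}, nil
}

// EnvelopeDecrypt unwraps the data key through KMS, then decrypts locally; a disabled CMK makes the data unrecoverable.
func EnvelopeDecrypt(kms *StubKMS, env *Envelope) ([]byte, error) {
	dk, err := kms.Decrypt(env.KeyID, env.WrappedDK)
	if err != nil {
		return nil, err
	}
	return openGCM(dk, env.Ciphertext, []byte(env.KeyID))
}
```

With a 30-byte configuration item, the direct mode sends all 30 plaintext bytes to KMS, while the envelope mode sends only the 32-byte data key and stores a 60-byte wrapped key (12-byte nonce, 32-byte key, 16-byte tag) beside the ciphertext. Calling DisableKey on the CMK and then EnvelopeDecrypt returns an error rather than plaintext, which is the property the disk, table and configuration services depend on when a CMK is disabled or scheduled for deletion.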

Persistent storage encryption

Service Description References
Object Storage Service (OSS)
OSS uses the SSE feature to encrypt uploaded data.
  • When you upload data to OSS, OSS encrypts the uploaded data and then stores the encrypted data in persistent storage.
  • When you download data from OSS, OSS automatically decrypts the data and returns the plaintext to you. The x-oss-server-side-encryption header of the returned HTTP response declares that the object was encrypted on the server.

OSS can implement the SSE feature with an encryption system that is dedicated to OSS. In this case, the feature is called SSE-OSS. The keys in this system are managed entirely by OSS rather than by KMS, so their use is not recorded as KMS API calls and cannot be audited through ActionTrail.

OSS can also implement the SSE feature with KMS. In this case, the feature is called SSE-KMS, and OSS encrypts your data with a service-managed key or a user-managed key. You can configure a default CMK for each bucket or specify a CMK for an individual object when you upload it.
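To see SSE-OSS and SSE-KMS side by side from the client's point of view, the following Go code is an added example, not OSS SDK code. It builds the PutObject headers that request SSE-KMS under a specific CMK for one object, and it classifies the headers returned for a stored object as unencrypted, SSE-OSS (not auditable through ActionTrail) or SSE-KMS under the expected CMK, the check a bucket audit would apply to each object. The header names x-oss-server-side-encryption and x-oss-server-side-encryption-key-id and the values AES256, SM4 and KMS are those of the OSS API (confirm against the current OSS API reference); the CMK ID, object names and response header sets are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
)

// Header names from the OSS API. Set on PutObject to request encryption; returned by
// GetObject and HeadObject to declare how the stored object is protected.
const (
	hdrSSE      = "x-oss-server-side-encryption"        // AES256 or SM4 = SSE-OSS, KMS = SSE-KMS
	hdrSSEKeyID = "x-oss-server-side-encryption-key-id" // CMK ID, meaningful only with KMS
)

// SSEMode is what an object's headers say about how it is stored.
type SSEMode int

const (
	SSENone    SSEMode = iota // no server-side encryption header at all
	SSEOSS                    // SSE-OSS: OSS-managed key, no KMS audit trail in ActionTrail
	SSEKMS                    // SSE-KMS: service-managed or user-managed CMK in KMS
	SSEUnknown                // a value this check does not recognise
)

func (m SSEMode) String() string {
	return [...]string{"none", "SSE-OSS", "SSE-KMS", "unknown"}[m]
}

// PutObjectSSEKMSHeaders builds the request headers that ask OSS to protect one object
// with SSE-KMS under a specific CMK, overriding the bucket default. An empty cmkID omits
// the key header and leaves key selection to OSS.
func PutObjectSSEKMSHeaders(cmkID string) http.Header {
	h := http.Header{}
	h.Set(hdrSSE, "KMS")
	if cmkID != "" {
		h.Set(hdrSSEKeyID, cmkID)
	}
	return h
}

// ClassifySSE reads the headers OSS returned for an object and reports the mode and,
// for SSE-KMS, the CMK ID.
func ClassifySSE(h http.Header) (SSEMode, string) {
	switch h.Get(hdrSSE) {
	case "":
		return SSENone, ""
	case "AES256", "SM4":
		return SSEOSS, ""
	case "KMS":
		return SSEKMS, h.Get(hdrSSEKeyID)
	default:
		return SSEUnknown, ""
	}
}

// RequireKMS is the per-object policy check: SSE-KMS is mandatory and, when expectedCMK
// is non-empty, the object must be encrypted under exactly that CMK.
func RequireKMS(h http.Header, expectedCMK string) error {
	mode, cmk := ClassifySSE(h)
	if mode != SSEKMS {
		return fmt.Errorf("stored with %s, SSE-KMS required", mode)
	}
	if expectedCMK != "" && cmk != expectedCMK {
		return fmt.Errorf("encrypted under CMK %q, expected %q", cmk, expectedCMK)
	}
	return nil
}

func main() {
	const cmk = "00000000-1111-2222-3333-444444444444" // constructed CMK ID
	// Constructed header sets standing in for three HeadObject responses.
	legacy := http.Header{}
	legacy.Set(hdrSSE, "AES256")
	samples := []struct {
		name string
		hdr  http.Header
	}{
		{"reports/q1.csv", PutObjectSSEKMSHeaders(cmk)}, // the same header names come back on read
		{"legacy/dump.sql", legacy},
		{"public/logo.png", http.Header{}},
	}
	for _, s := range samples {
		if err := RequireKMS(s.hdr, cmk); err != nil {
			fmt.Printf("%-16s FAIL: %v\n", s.name, err)
		} else {
			fmt.Printf("%-16s ok\n", s.name)
		}
	}
}
```

In the constructed sample, only reports/q1.csv passes; legacy/dump.sql is flagged because SSE-OSS leaves no KMS audit trail, and public/logo.png because it carries no encryption header at all. In practice the headers passed to RequireKMS come from a HeadObject call on each object listed in the bucket.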

Apsara File Storage NAS

By default, Apsara File Storage NAS uses service-managed keys to encrypt your data. Each file system has its own data key, which is protected by the CMK under the envelope encryption mechanism.

Server-side encryption
Tablestore

By default, Tablestore uses service-managed keys to encrypt your data; it can also use user-managed keys. Each table has its own data key, which is protected by the CMK under the envelope encryption mechanism.

None
Cloud Storage Gateway (CSG)
CSG supports the following encryption methods:
  • Gateway encryption: Files in the gateway cache are encrypted before they are uploaded to OSS.
  • OSS-based encryption: Files are protected by OSS server-side encryption after they are uploaded to the bucket.

Database encryption

Service Description References
ApsaraDB RDS

ApsaraDB RDS supports the following encryption methods:
  • Disk encryption

    For the disks that are used by ApsaraDB RDS instances, Alibaba Cloud provides the disk encryption feature free of charge. This feature encrypts the block storage that backs the instance disks. The keys that are used for disk encryption are encrypted and stored in KMS, and ApsaraDB RDS reads them only when you start or migrate instances.

  • Transparent data encryption (TDE)

    ApsaraDB RDS for MySQL and ApsaraDB RDS for SQL Server support TDE. The keys that are used for TDE are encrypted and stored in KMS. ApsaraDB RDS reads the keys only when you start or migrate instances. After TDE is enabled for an ApsaraDB RDS instance, you can specify the database or table to be encrypted. The data of the specified database or table is encrypted before it is written to the destination device such as a disk, solid-state drive (SSD), or Peripheral Component Interconnect Express (PCIe) card, or to a service such as OSS. All data files and backups of the ApsaraDB RDS instance are stored in ciphertext.

ApsaraDB for MongoDB

The encryption methods for ApsaraDB for MongoDB are similar to those for ApsaraDB RDS.

Configure TDE for an ApsaraDB for MongoDB instance
PolarDB

The encryption methods for PolarDB are similar to those for ApsaraDB RDS.

ApsaraDB for OceanBase

The encryption methods for ApsaraDB for OceanBase are similar to those for ApsaraDB RDS.

TDE
ApsaraDB for Redis

The encryption methods for ApsaraDB for Redis are similar to those for ApsaraDB RDS.

Enable TDE

Log data encryption

Service Description References
ActionTrail

When you create a single-account or multi-account trail, you can enable encryption for events that are delivered to OSS in the ActionTrail console.

Log Service

Log Service is integrated with KMS to encrypt data for secure storage.

Encrypt data

Big data and AI

Service Description References
MaxCompute

MaxCompute uses service-managed keys or user-managed keys to encrypt your data.

Data encryption
Machine Learning Platform for AI (PAI)

You can configure SSE for the Alibaba Cloud services that are used in the different data flow stages of the PAI architecture, such as computing engines, ACK, and data storage services. This protects data security and privacy.

None

Other scenarios

Service Description References
Alibaba Cloud CDN (CDN)

When an OSS bucket is used as the origin server, you can use OSS-based SSE to protect the distributed content. For more information about how to allow CDN to access an encrypted OSS bucket, see the CDN documentation.

Grant Alibaba Cloud CDN access permissions on private OSS buckets
ApsaraVideo for Media Processing (MTS)

MTS supports two encryption methods: Alibaba Cloud proprietary cryptography and HTTP Live Streaming (HLS) encryption. You can integrate MTS with KMS to protect video content regardless of the encryption method used.

None

ApsaraVideo VOD

ApsaraVideo VOD supports two encryption methods: Alibaba Cloud proprietary cryptography and HLS encryption. You can integrate ApsaraVideo VOD with KMS to protect video content regardless of the encryption method used.