This topic describes symmetric encryption, which is the most commonly used data encryption method. KMS provides easy-to-use APIs that allow you to encrypt and decrypt data on the cloud.

If you do not specify the KeySpec parameter when you create a customer master key (CMK) in KMS, the CMK is a symmetric key. Alibaba Cloud supports popular symmetric key algorithms and provides a high level of data security with strong encryption.

Classification of symmetric keys

KMS supports the following two types of symmetric keys:
  • AES

    KMS supports 256-bit AES keys. If AES is used, set the KeySpec parameter to Aliyun_AES_256. The Encrypt API operation encrypts data in GCM mode. AES symmetric keys are supported at both SOFTWARE and HSM protection levels.

  • SM4

    KMS supports the commercial symmetric algorithm SM4 specified by the Chinese National Standards. If SM4 is used, set the KeySpec parameter to Aliyun_SM4. The Encrypt API operation encrypts data in GCM mode. KMS provides the SM4 algorithm by using Managed HSM. For more information, see Supported regions.

Encryption and decryption features

For encryption, you only need to specify the CMK ID (or CMK alias). KMS uses the specified CMK for encryption and returns the generated ciphertext data. When you call the Decrypt operation for decryption, you only need to enter the ciphertext data without specifying the CMK ID again. This feature is available for the ciphertext data generated by calling the following operations: Encrypt, GenerateDataKey, and GenerateDataKeyWithoutPlaintext.

Use additional authenticated data

The symmetric keys of KMS use Galois/Counter Mode (GCM) for block ciphers. You can enter additional authenticated data (AAD) to additionally provide integrity protection for the encrypted data. By encapsulating the entered ADD, KMS enables you to customize authentication data easily. For more information, see Encryption Context.

Envelope encryption

With the GenerateDataKey and GenerateDataKeyWithoutPlaintext APIs, KMS can generate a two-level key hierarchy to accelerate envelope encryption. For more information, see What is envelope encryption? and Use envelope encryption to encrypt and decrypt local data.

Rotate symmetric keys

Each symmetric CMK in KMS supports multiple key versions. KMS rotates CMKs automatically by generating new key versions. You can customize the key rotation policy.

When a CMK has multiple versions, the encryption operations (including Encrypt, GenerateDataKey, and GenerateDataKeyWithoutPlaintext) use the latest version of the specified CMK to encrypt data. For decryption, you do not need to specify the CMK ID or key version ID. KMS automatically identifies the CMK and its key version used to encrypt the ciphertext data, and uses the appropriate version of the key to decrypt the data.

A key rotation is represented by generating a new version of a key. After the rotation is complete, KMS automatically uses the new key version to encrypt data. However, the earlier key version is still available for decryption. For more information, see Automatic key rotation.


KMS allows you to encrypt your data stored on the cloud by using the Bring Your Own Key (BYOK) feature. This feature helps you meet stringent security and compliance requirements. We recommend that you use Managed HSM to protect your keys by importing key material into CMKs whose protection level is HSM. The keys imported into Managed HSM can only be destroyed, and their plaintext cannot be exported. For more information, see Import key materials.