You can host different types of customer master keys (CMKs) in Key Management Service (KMS) based on your business requirements. For example, you can use a CMK to encrypt and decrypt data. You can also use a CMK to generate and verify a signature.
Key-based cryptographic algorithms
KMS allows you to use various algorithms to support cryptographic operations. The algorithms are classified into two types: symmetric key algorithms and asymmetric key algorithms, as listed in the following table.
| Algorithm class | Algorithm subclass | Supports encryption and decryption | Supports signature generation and verification |
| --- | --- | --- | --- |
| Symmetric key algorithm | AES | Yes | No |
| Symmetric key algorithm | SM4 | Yes | No |
| Asymmetric key algorithm | RSA | Yes | Yes |
| Asymmetric key algorithm | ECC | No | Yes |
| Asymmetric key algorithm | SM2 | Yes | Yes |
Symmetric keys are used to encrypt or decrypt data. If you do not specify the KeySpec parameter during key creation, KMS creates a symmetric key. You can call the Encrypt or Decrypt operation to encrypt or decrypt data without the need to obtain the plaintext of a symmetric key. For more information, see Overview.
Asymmetric keys can be used to encrypt data, decrypt data, generate a signature, or verify a signature. An asymmetric CMK in KMS consists of a public key and a private key, which are cryptographically related to each other. The public key can be made available for anyone to use, but the private key must be kept secure. To keep private keys secure, KMS does not provide an API operation for you to export the private key of an asymmetric key pair. You can use a private key to decrypt data or generate a signature by calling the related operations. Anyone with a public key can use it to encrypt data or verify the signature generated by the corresponding private key. For more information, see Overview.
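The following Go program is an added example, not code from the KMS documentation or the Alibaba Cloud SDK. It models the capability matrix in the table above with the Go standard library: a symmetric key (AES row) that serves both encryption and decryption, an RSA key pair that supports both operation pairs, and an ECC key pair that can only sign and verify. The function names (SymmetricRoundTrip, RSARoundTrip, ECCSignVerify) are local to this example and are not KMS API operations; the keys are generated in-process only so the program runs offline, whereas in KMS the symmetric key and the private half of an asymmetric CMK never leave the service. SM2 and SM4 are not in the Go standard library and are therefore not shown.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SymmetricRoundTrip models a symmetric CMK (the AES row of the table): a single
// secret key serves both Encrypt and Decrypt. Inside KMS the key never leaves the
// service; here it is generated locally only to show the operation pair.
// AES-256-GCM is used so that decryption also checks ciphertext integrity.
func SymmetricRoundTrip(plaintext []byte) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // must be unique per key; random is fine here
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := aead.Seal(nil, nonce, plaintext, nil)
	return aead.Open(nil, nonce, ciphertext, nil) // fails on any tampering
}

// RSARoundTrip models an RSA CMK (encrypt/decrypt and sign/verify both "Yes"):
// the public key encrypts and verifies; the private key decrypts and signs and
// would stay inside KMS. Returns the recovered plaintext and the verify result.
func RSARoundTrip(plaintext []byte) ([]byte, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	pub := &priv.PublicKey
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
	if err != nil {
		return nil, false, err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	if err != nil {
		return nil, false, err
	}
	digest := sha256.Sum256(plaintext)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, false, err
	}
	verified := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
	return pt, verified, nil
}

// ECCSignVerify models an ECC CMK (signature "Yes", encryption "No"): there is
// no ECDSA encryption operation to call at all. Returns whether the genuine
// message verifies and whether a modified message is (correctly) rejected.
func ECCSignVerify(msg []byte) (genuineOK bool, tamperedOK bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return false, false, err
	}
	genuineOK = ecdsa.VerifyASN1(&priv.PublicKey, digest[:], sig)
	tampered := sha256.Sum256(append(append([]byte{}, msg...), '!'))
	tamperedOK = ecdsa.VerifyASN1(&priv.PublicKey, tampered[:], sig)
	return genuineOK, tamperedOK, nil
}

func main() {
	msg := []byte("constructed sample record") // constructed input, not from the page
	pt, err := SymmetricRoundTrip(msg)
	fmt.Printf("AES-GCM round trip: %q err=%v\n", pt, err)
	rpt, ok, err := RSARoundTrip(msg)
	fmt.Printf("RSA-OAEP round trip: %q, PSS verify=%v err=%v\n", rpt, ok, err)
	g, t, err := ECCSignVerify(msg)
	fmt.Printf("ECDSA genuine=%v tampered=%v err=%v\n", g, t, err)
}
```

The design point to carry over to KMS usage is the split of roles: callers of Encrypt and Verify only ever need the public material (or, for symmetric keys, only the key ID), while Decrypt and Sign are the operations that KMS performs with the non-exportable private material on the caller's behalf.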
KMS provides the Managed HSM feature. You can set the protection level of your CMK to HSM to host the CMK in an HSM. Managed HSM uses HSMs as dedicated hardware to safeguard keys. For a CMK whose protection level is HSM, the plaintext of its key material is stored only inside an HSM. KMS calls an HSM-related API operation to perform cryptographic operations. During the operations, KMS and Alibaba Cloud O&M personnel cannot access the plaintext of the key material. The plaintext of the key material cannot be exported from the HSM. For more information, see Overview and Use Managed HSM.
If you set the protection level of your CMK to SOFTWARE, KMS uses a software module to protect the CMK and uses a trusted platform module (TPM) to provide root-of-trust protection for the software module.
In most cases, you are the manager of your CMK in KMS, and its Creator attribute is set to the ID of your Alibaba Cloud account.
Alibaba Cloud services that are integrated with KMS can implement server-side encryption. In this scenario, an Alibaba Cloud service can automatically host an encryption key in KMS to encrypt and protect your data. This makes it easier for you to use the entry-level data encryption features and reduces your overhead for key lifecycle and permission management. These service-managed keys are called service keys. To facilitate identification, KMS sets the Creator attribute of the service key hosted by an Alibaba Cloud service to the code of this service and assigns an alias in the format acs/<Code of the Alibaba Cloud service> to the service key. For example, the Creator attribute of the service key hosted by Alibaba Cloud Object Storage Service (OSS) is set to OSS, and the alias acs/oss is assigned to the service key. For more information, see Integration with KMS.