This topic provides an overview of customer master key (CMK) types offered by KMS.
KMS supports symmetric and asymmetric cryptographic algorithms. These algorithms can be further categorized based on their usage.
| Algorithm class | Algorithm subclass | Key usage |
| --- | --- | --- |
| Symmetric algorithm | AES | Data encryption and decryption |
| Symmetric algorithm | SM4 | Data encryption and decryption |
| Asymmetric algorithm | RSA | Data encryption and decryption; digital signature and verification |
| Asymmetric algorithm | ECC | Digital signature and verification |
Symmetric keys are mainly used for data encryption and protection. If you do not specify the KeySpec parameter, KMS creates a symmetric key by default. By calling the Encrypt and Decrypt operations, you can encrypt and decrypt data without the need to obtain the plaintext of the key. For more information, see Overview of symmetric encryption.
You can use asymmetric keys for data encryption and digital signatures. An asymmetric CMK in KMS consists of a public key and a private key that are cryptographically related to each other. The public key is made available for anyone to use, but the private key must be kept secure. To keep private keys secure, KMS does not provide an API to export the private key of an asymmetric key pair. To decrypt data or produce a digital signature with the private key, you call the private key API operations; the private key itself never leaves KMS. Anyone who holds the public key can use it to encrypt data or verify a signature. For more information, see Overview of asymmetric keys.
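The asymmetric usage model described above, as an added example in Go that is not part of the KMS documentation or its SDK: a key object that never exposes its private half, signs only through a method, and exports just the public key, which a relying party that holds nothing else uses to verify. The ManagedKey type, its methods and the sample message are constructed for this example; P-256 ECDSA stands in for the ECC key class in the table.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)
// ManagedKey stands in for an asymmetric CMK behind the KMS boundary (constructed
// for this example): the private key is unexported and no method ever returns it.
type ManagedKey struct{ priv *ecdsa.PrivateKey }
// NewECCKey creates a P-256 signing key whose private half stays inside the struct.
func NewECCKey() (*ManagedKey, error) {
	p, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ManagedKey{priv: p}, nil
}
// PublicKeyDER is the only key material that crosses the boundary (SubjectPublicKeyInfo).
func (k *ManagedKey) PublicKeyDER() ([]byte, error) {
	return x509.MarshalPKIXPublicKey(&k.priv.PublicKey)
}
// Sign hashes and signs inside the boundary; callers see only message and signature.
func (k *ManagedKey) Sign(msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, k.priv, d[:])
}
// Verify runs on the relying party's side with nothing but the exported public key.
func Verify(pubDER, msg, sig []byte) (bool, error) {
	pub, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil {
		return false, err
	}
	ec, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return false, errors.New("not an ECC public key")
	}
	d := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(ec, d[:], sig), nil
}
func main() {
	k, _ := NewECCKey() // errors ignored only to keep the demo short
	pub, _ := k.PublicKeyDER()
	sig, _ := k.Sign([]byte("constructed sample message"))
	fmt.Println(Verify(pub, []byte("constructed sample message"), sig))
}
```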
KMS provides Managed HSM. You must set the Protection Level of your CMK to HSM so that the key is hosted in Managed HSM. Managed HSM delivers a high level of security for keys with the help of special-purpose hardware. For a CMK with the HSM protection level, its plaintext only exists inside the HSM. KMS performs cryptographic operations by calling the HSM API. KMS and Alibaba Cloud O&M personnel cannot access the plaintext of the CMK while it is used for cryptographic operations. The plaintext of the CMK cannot be exported from HSM. For more information, see Overview and Using Managed HSM.
If you set Protection Level to SOFTWARE, KMS protects the key by using software with a trusted platform module (TPM) that provides root-of-trust protection.
In general, you are the manager of your CMKs in KMS, and their Creator attributes are set to the identifier of your Alibaba Cloud account.
Alibaba Cloud services implement server-side encryption by integrating KMS API operations. In this scenario, KMS allows a cloud service to automatically create and manage an encryption key specifically to encrypt and protect your data in the associated service. This makes it easier for you to use the entry-level data encryption features and reduces your overhead for key lifecycle and permission management. These service-managed keys are called service keys. To allow you to easily identify the service key, KMS sets the Creator attribute of the service key to the code of the Alibaba Cloud service, and associates the service key with a unique alias in the format of acs/<Alibaba Cloud service code>. For example, the Creator attribute of the service key managed by Alibaba Cloud Object Storage Service (OSS) is set to OSS, and the service key is associated with the alias acs/oss. For more information, see Integration with KMS.