A customer master key (CMK) is used to encrypt data keys (DKs) and generate enveloped data keys (EDKs). It can also be used to encrypt a small volume of data. This topic provides an overview of CMKs. You can use different types of CMKs in KMS to encrypt data, decrypt data, generate a signature, or verify a signature based on your business requirements.

Key-based cryptographic algorithms

KMS supports symmetric and asymmetric cryptographic algorithms. These algorithms can be further categorized based on their usage.

Algorithm class Algorithm subclass Support encryption and decryption Support signature generation and verification
Symmetric key algorithm AES Yes No
Symmetric key algorithm SM4 Note Yes No
Asymmetric key algorithm RSA Yes Yes
Asymmetric key algorithm ECC No Yes
Asymmetric key algorithm SM2 Note Yes Yes
Note Managed HSM supports the SM4 and SM2 algorithms only in mainland China. For more information, see Supported regions in Managed HSM.

Symmetric keys are mainly used to encrypt or decrypt data. If you do not specify the KeySpec parameter during key creation, KMS creates a symmetric key. You can call the Encrypt or Decrypt operation to encrypt or decrypt data without the need to obtain the plaintext of a symmetric key. For more information, see Overview of symmetric encryption.

Asymmetric keys can be used to encrypt data, decrypt data, generate a signature, or verify a signature. An asymmetric CMK in KMS consists of a public key and a private key, which are cryptographically related to each other. The public key can be made available for anyone to use, but the private key must be kept secure. To keep private keys secure, KMS does not provide an API operation for you to export the private key of an asymmetric key pair. You can use a private key to decrypt data or generate a signature by calling the related operations. Anyone with a public key can use it to encrypt data or verify the signature generated by the corresponding private key. For more information, see Introduction to asymmetric keys.

Protection levels

KMS provides the Managed HSM feature. You can set the protection level of your CMK to HSM to host the CMK in a hardware security module (HSM). Managed HSM uses HSMs as dedicated hardware to safeguard keys. For a CMK whose protection level is HSM, the plaintext of its key material is stored only inside an HSM. KMS calls an HSM-related API operation to perform cryptographic operations. During the operations, KMS and Alibaba Cloud O&M personnel cannot access the plaintext of the key material. The plaintext of the key material cannot be exported from the HSM. For more information, see Overview and Use Managed HSM.

If you set the protection level of your CMK to SOFTWARE, KMS uses a software module to protect the CMK and uses a trusted platform module (TPM) to provide root-of-trust protection for the software module.

Key managers

In most cases, you are the manager of your CMK in KMS, and its Creator attribute is set to the ID of your Alibaba Cloud account.

Alibaba Cloud services that are integrated with KMS can implement server-side encryption. In this scenario, an Alibaba Cloud service can automatically host an encryption key in KMS to encrypt and protect your data. This makes it easier for you to use the entry-level data encryption features and reduces your overhead for key lifecycle and permission management. These service-managed keys are called service keys. To facilitate identification, KMS sets the Creator attribute of the service key hosted by an Alibaba Cloud service to the code of this service and assigns an alias in the format of acs/<Code of the Alibaba Cloud service> to the service key. For example, the Creator attribute of the service key hosted by Alibaba Cloud Object Storage Service (OSS) is set to OSS and alias acs/oss is assigned to the service key. For more information, see Integration with KMS.