This topic provides an overview of customer master key (CMK) types offered by KMS.

Cryptographic algorithms

KMS supports symmetric and asymmetric cryptographic algorithms. These algorithms can be further categorized based on their usage.

Algorithm class        Algorithm subclass   Key usage
Symmetric algorithm    AES                  Data encryption and decryption
Symmetric algorithm    SM4 (see note)       Data encryption and decryption
Asymmetric algorithm   RSA                  Data encryption and decryption; digital signature and verification
Asymmetric algorithm   ECC                  Digital signature and verification

Note: Only Managed HSMs in mainland China support the SM4 algorithm. For a list of regions where Managed HSMs are available, see Supported regions.

Symmetric keys are mainly used for data encryption and protection. If you do not specify the KeySpec parameter when you create a CMK, KMS creates a symmetric key by default. By calling the Encrypt and Decrypt operations, you can encrypt and decrypt data without ever obtaining the plaintext of the key. For more information, see Overview of symmetric encryption.

You can use asymmetric keys for data encryption and digital signatures. An asymmetric CMK in KMS consists of a public key and a private key that are cryptographically related to each other. The public key is made available for anyone to use, but the private key must be kept secure. To keep private keys secure, KMS does not provide an API to export the private key of an asymmetric key pair. You use the private key for data decryption or digital signing only through the private key API operations, which perform the operation inside KMS. Anyone with the public key can use it to encrypt data or to verify a signature. For more information, see Overview of asymmetric keys.
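The two paragraphs above describe a key model rather than an API you can run offline, so the following added example (written for this page, not code from Alibaba Cloud or the KMS SDK) mirrors that model with the Go standard library: a symmetric CMK that only exposes Encrypt and Decrypt, and a signing-only asymmetric CMK whose private half never leaves the struct, with the public key as the only export and verification done outside the key. It covers the AES and ECC rows of the table; RSA is left out for brevity. The type and function names (CMK, NewSymmetricCMK, NewSigningCMK, Verify) and the sample strings are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// CMK models a KMS-hosted key. The material sits in unexported fields, so code in
// another package can only ask the key to operate on data, never read the key.
// Exactly one field is set: aead for a symmetric (AES) key, priv for an ECC key.
type CMK struct {
	aead cipher.AEAD       // AES-256-GCM instance: data encryption and decryption
	priv *ecdsa.PrivateKey // P-256 private key: digital signature only
}

var errUsage = errors.New("key usage does not permit this operation")

// NewSymmetricCMK generates a 256-bit AES key, the kind KMS creates by default.
func NewSymmetricCMK() *CMK {
	raw := make([]byte, 32)
	rand.Read(raw)
	block, _ := aes.NewCipher(raw) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)
	return &CMK{aead: aead} // raw is dropped; only the GCM instance is kept
}

// NewSigningCMK generates a P-256 key pair; the private half never leaves the struct.
func NewSigningCMK() (*CMK, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CMK{priv: priv}, nil
}

// Encrypt is the symmetric Encrypt operation; a signing key is refused.
func (c *CMK) Encrypt(plaintext []byte) ([]byte, error) {
	if c.aead == nil {
		return nil, errUsage
	}
	nonce := make([]byte, c.aead.NonceSize())
	rand.Read(nonce) // fresh random nonce per call; never reuse one under a key
	return c.aead.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

// Decrypt reverses Encrypt; the caller gets its data back, never the key.
func (c *CMK) Decrypt(ciphertext []byte) ([]byte, error) {
	if c.aead == nil {
		return nil, errUsage
	}
	n := c.aead.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext too short")
	}
	return c.aead.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

// Sign produces an ECDSA signature over sha256(message); a symmetric key is refused.
func (c *CMK) Sign(message []byte) ([]byte, error) {
	if c.priv == nil {
		return nil, errUsage
	}
	d := sha256.Sum256(message)
	return ecdsa.SignASN1(rand.Reader, c.priv, d[:])
}

// PublicKey is the only export the handle offers, and only for the asymmetric key.
func (c *CMK) PublicKey() (*ecdsa.PublicKey, error) {
	if c.priv == nil {
		return nil, errUsage
	}
	return &c.priv.PublicKey, nil
}

// Verify runs outside the key: anyone holding the public key can check a signature.
func Verify(pub *ecdsa.PublicKey, message, sig []byte) bool {
	d := sha256.Sum256(message)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

func main() {
	key, _ := NewSigningCMK()
	sig, _ := key.Sign([]byte("constructed message"))
	pub, _ := key.PublicKey()
	fmt.Println("signature verifies:", Verify(pub, []byte("constructed message"), sig))
}
```

The usage checks are the part worth noticing: a symmetric handle refuses Sign and PublicKey, and a signing handle refuses Encrypt, which is the same "key usage" column as in the table above. GCM also rejects any ciphertext whose tag was altered, so a caller that never sees the key still gets integrity, not only confidentiality.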

Protection level

KMS provides Managed HSM. You must set the Protection Level of your CMK to HSM so that the key is hosted in Managed HSM. Managed HSM delivers a high level of security for keys with the help of special-purpose hardware. For a CMK with the HSM protection level, the plaintext of the key exists only inside the HSM. KMS performs cryptographic operations by calling the HSM API. Neither KMS nor Alibaba Cloud O&M personnel can access the plaintext of the CMK while it is used for cryptographic operations, and the plaintext of the CMK cannot be exported from the HSM. For more information, see Overview and Using Managed HSM.

If you set Protection Level to SOFTWARE, KMS protects the key in software, with a trusted platform module (TPM) serving as the root of trust.

Key manager

In general, you are the manager of your CMKs in KMS, and their Creator attributes are set to the identifier of your Alibaba Cloud account.

Alibaba Cloud services implement server-side encryption by integrating KMS API operations. In this scenario, KMS allows a cloud service to automatically create and manage an encryption key specifically to encrypt and protect your data in the associated service. This makes it easier for you to use the entry-level data encryption features and reduces your overhead for key lifecycle and permission management. These service-managed keys are called service keys. To allow you to easily identify the service key, KMS sets the Creator attribute of the service key to the code of the Alibaba Cloud service, and associates the service key with a unique alias in the format of acs/<Alibaba Cloud service code>. For example, the Creator attribute of the service key managed by Alibaba Cloud Object Storage Service (OSS) is set to OSS, and the service key is associated with the alias acs/oss. For more information, see Integration with KMS.