Key Management Service (KMS) is integrated with cloud services such as Elastic Compute Service (ECS), Object Storage Service (OSS), Container Service for Kubernetes, and ApsaraDB for RDS. You can use KMS to encrypt the resources of these cloud services to ensure data security on the cloud.

Encrypt ECS resources

You can use KMS to encrypt ECS resources, such as system disks, data disks, and relevant images and snapshots.

The following example describes how to encrypt data disks when you create an ECS instance. For information about how to encrypt other ECS resources, see Use KMS to protect ECS instance workloads with one click.

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the upper-right corner of the Instances page, click Create Instance.
  4. In the Storage section of the Basic Configurations step, perform the following steps to encrypt a data disk:
    1. Click Add Disk.
    2. Configure specifications for the disk.
    3. Select Disk Encryption and select a key from the drop-down list.
      You can select Default Service CMK to use the default service CMK, or select a CMK that you created in KMS. A CMK that you create stays under your control: you decide who may use it, and you can disable it or schedule its deletion, none of which is possible for the default service CMK.
  5. Specify other parameters as prompted. For more information, see Create an instance by using the provided wizard.
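Once disks are created through the wizard above, the encryption choice is fixed per disk, so it is worth auditing what was actually created rather than trusting the form. The following is an added example, not Alibaba Cloud code: it walks a response shaped like the ECS DescribeDisks API (field names Disks.Disk[].DiskId, InstanceId, Type, Encrypted, KMSKeyId are assumed from the API; the sample values are constructed) and flags disks that are unencrypted or encrypted with a CMK outside an approved set. APPROVED_CMK_IDS is a hypothetical policy input standing in for the CMKs your team created in KMS.

```python
"""Audit an ECS DescribeDisks-style response for disks that are unencrypted
or that use a CMK outside an approved set. Added example, not Alibaba Cloud code."""
import json

# Constructed sample response shaped like the ECS DescribeDisks API
# (Disks.Disk[] with DiskId, InstanceId, Type, Encrypted, KMSKeyId).
# Field names are assumed from the API; the values are made up for this example.
SAMPLE_DESCRIBE_DISKS = json.dumps({
    "Disks": {
        "Disk": [
            {"DiskId": "d-sys0001", "InstanceId": "i-app01", "Type": "system",
             "Encrypted": True, "KMSKeyId": "11111111-2222-3333-4444-555555555555"},
            {"DiskId": "d-data0001", "InstanceId": "i-app01", "Type": "data",
             "Encrypted": True, "KMSKeyId": "99999999-8888-7777-6666-555555555555"},
            {"DiskId": "d-data0002", "InstanceId": "i-app02", "Type": "data",
             "Encrypted": False, "KMSKeyId": ""},
        ]
    }
})

# Hypothetical policy input: the CMK IDs your team created in KMS and approved
# for production disks. Disks encrypted with any other key (including a service
# CMK you do not control) are flagged.
APPROVED_CMK_IDS = {"11111111-2222-3333-4444-555555555555"}


def audit_disks(describe_disks_json, approved_cmk_ids):
    """Return one (disk_id, instance_id, status, detail) tuple per non-compliant disk.

    status is "UNENCRYPTED" or "UNAPPROVED_KEY". Compliant disks produce no entry.
    """
    findings = []
    disks = json.loads(describe_disks_json).get("Disks", {}).get("Disk", [])
    for disk in disks:
        disk_id = disk["DiskId"]
        instance_id = disk.get("InstanceId", "")
        if not disk.get("Encrypted", False):
            # Encryption is chosen at disk creation; an unencrypted disk is
            # replaced by creating an encrypted copy, not toggled in place.
            findings.append((disk_id, instance_id, "UNENCRYPTED",
                             f"{disk.get('Type', 'unknown')} disk has no encryption"))
            continue
        key_id = disk.get("KMSKeyId", "")
        if key_id not in approved_cmk_ids:
            findings.append((disk_id, instance_id, "UNAPPROVED_KEY",
                             f"encrypted with CMK {key_id or '<empty>'}, not in the approved set"))
    return findings


def summarize(findings):
    """Count findings per status, for a dashboard line or a CI gate."""
    counts = {}
    for _, _, status, _ in findings:
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    findings = audit_disks(SAMPLE_DESCRIBE_DISKS, APPROVED_CMK_IDS)
    for disk_id, instance_id, status, detail in findings:
        print(f"{status:15} {disk_id} ({instance_id}): {detail}")
    print(summarize(findings))
```

Feed it the JSON returned by a real DescribeDisks call (paging through all disks in the region) and fail the pipeline when `summarize` returns a non-empty dictionary.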

Encrypt OSS resources

After you enable server-side encryption for a bucket, OSS calls KMS to encrypt each object when it is uploaded and to decrypt it when it is downloaded by an authorized requester.

  • Enable encryption during bucket creation
    1. Log on to the OSS console.
    2. In the upper-right corner of the Overview page, click Create Bucket.
    3. In the Create Bucket pane, set Encryption Method to KMS.
    4. Specify Encryption Algorithm.
    5. Specify CMK.
      • alias/acs/oss: OSS uses the OSS service CMK in KMS to generate a different data key for each object. Objects are transparently decrypted when they are downloaded.
      • CMK ID: OSS uses the specified CMK to generate a different data key for each object. Objects are decrypted on download only for users who have permission to use that CMK for decryption. Before you specify a CMK ID, create a common key or an external key in the same region as the bucket in the KMS console. For more information, see Create a CMK.
      Note For more information about settings of other parameters, see Create buckets.
  • Encrypt data in an existing bucket
    1. Log on to the OSS console.
    2. In the left-side navigation pane, click Buckets.
    3. Click the name of your bucket.
    4. In the left-side navigation pane, choose Basic Settings > Server-side Encryption.
    5. Click Configure.
      • Set Encryption Method to KMS.
      • Specify Encryption Algorithm.
      • Specify CMK.
        • alias/acs/oss: OSS uses the OSS service CMK in KMS to generate a different data key for each object. Objects are transparently decrypted when they are downloaded.
        • CMK ID: OSS uses the specified CMK to generate a different data key for each object. Objects are decrypted on download only for users who have permission to use that CMK for decryption. Before you specify a CMK ID, create a common key or an external key in the same region as the bucket in the KMS console. For more information, see Create a CMK.
      • Click Save.
        Notice The default encryption method of a bucket applies only to objects uploaded after it is configured. Objects already in the bucket keep their existing encryption state; to bring them under the new configuration, re-upload or copy them.
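Because the bucket default is not retroactive, a bucket can report "KMS" while still holding plaintext objects. The following added example (not Alibaba Cloud code) shows how to check that: it parses a body shaped like the GetBucketEncryption response and compares it with per-object HeadObject headers. The element names (ServerSideEncryptionRule, ApplyServerSideEncryptionByDefault, SSEAlgorithm, KMSMasterKeyID, KMSDataEncryption) and the headers x-oss-server-side-encryption and x-oss-server-side-encryption-key-id are assumed from the OSS API; the sample XML and header sets are constructed for this example.

```python
"""Compare an OSS bucket's default server-side encryption with what each object
actually carries. Added example, not Alibaba Cloud code."""
import xml.etree.ElementTree as ET

# Constructed sample shaped like a GetBucketEncryption response body
# (element names assumed from the API; values made up for this example).
SAMPLE_BUCKET_ENCRYPTION_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ServerSideEncryptionRule>
  <ApplyServerSideEncryptionByDefault>
    <SSEAlgorithm>KMS</SSEAlgorithm>
    <KMSMasterKeyID>11111111-2222-3333-4444-555555555555</KMSMasterKeyID>
    <KMSDataEncryption>SM4</KMSDataEncryption>
  </ApplyServerSideEncryptionByDefault>
</ServerSideEncryptionRule>
"""

# Constructed sample HeadObject response headers, keyed by object name.
# OSS reports the algorithm on x-oss-server-side-encryption and, for KMS,
# the CMK on x-oss-server-side-encryption-key-id (header names assumed).
SAMPLE_OBJECT_HEADERS = {
    "reports/2024-q1.csv": {
        "x-oss-server-side-encryption": "KMS",
        "x-oss-server-side-encryption-key-id": "11111111-2222-3333-4444-555555555555",
    },
    # Uploaded before the bucket default was configured: no SSE headers at all.
    "legacy/dump.sql": {},
    # Encrypted, but with OSS-managed AES256 rather than the bucket's CMK.
    "shared/readme.txt": {"x-oss-server-side-encryption": "AES256"},
}


def parse_bucket_default(xml_text):
    """Return {"algorithm", "cmk_id", "data_encryption"}, or None if no default is set.

    cmk_id is None when the rule uses the service CMK (alias/acs/oss) rather than
    a specific CMK ID.
    """
    root = ET.fromstring(xml_text)
    rule = root.find("ApplyServerSideEncryptionByDefault")
    if rule is None:
        return None
    return {
        "algorithm": rule.findtext("SSEAlgorithm"),
        "cmk_id": rule.findtext("KMSMasterKeyID") or None,
        "data_encryption": rule.findtext("KMSDataEncryption"),
    }


def audit_objects(bucket_default, object_headers):
    """Return (object_name, status) pairs, sorted by name.

    status is "OK", "NOT_ENCRYPTED", "WRONG_ALGORITHM" or "WRONG_KEY", judged
    against the bucket default (any encryption counts as OK if no default is set).
    """
    results = []
    for name, headers in sorted(object_headers.items()):
        algorithm = headers.get("x-oss-server-side-encryption")
        key_id = headers.get("x-oss-server-side-encryption-key-id")
        if algorithm is None:
            results.append((name, "NOT_ENCRYPTED"))
        elif bucket_default is None:
            results.append((name, "OK"))
        elif algorithm != bucket_default["algorithm"]:
            results.append((name, "WRONG_ALGORITHM"))
        elif bucket_default["cmk_id"] and key_id != bucket_default["cmk_id"]:
            results.append((name, "WRONG_KEY"))
        else:
            results.append((name, "OK"))
    return results


def objects_to_reencrypt(results):
    """Names that must be re-uploaded or copied to pick up the bucket default."""
    return [name for name, status in results if status != "OK"]


if __name__ == "__main__":
    default = parse_bucket_default(SAMPLE_BUCKET_ENCRYPTION_XML)
    results = audit_objects(default, SAMPLE_OBJECT_HEADERS)
    for name, status in results:
        print(f"{status:16} {name}")
    print("re-encrypt:", objects_to_reencrypt(results))
```

In practice the header dictionary comes from a HeadObject call per object returned by a bucket listing; the list from `objects_to_reencrypt` is the work queue for a copy job that rewrites those objects under the new default.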

Encrypt Container Service for Kubernetes resources

In ACK Pro clusters, you can use a CMK that you created in KMS to encrypt Kubernetes Secrets at rest in the cluster's etcd.

  1. Log on to the ACK console.
  2. In the left-side navigation pane, choose Clusters > Clusters.
  3. In the upper-right corner of the Clusters page, click Create Kubernetes Cluster. In the Select Cluster Template dialog box, find Professional Managed Cluster (Preview) and click Create.
  4. On the ACK managed edition tab, find Secret Encryption, select Select Key, and then select a specific CMK ID from the drop-down list.
  5. Specify other parameters as prompted. For more information, see Create an ACK Pro cluster.

Encrypt ApsaraDB for RDS resources

ApsaraDB for RDS supports two encryption features: disk encryption, which encrypts the instance's storage at the block level, and Transparent Data Encryption (TDE), which encrypts data files at the database engine level. The following example uses disk encryption for ApsaraDB RDS for MySQL.

  1. Go to the instance creation page of ApsaraDB for RDS.
  2. For Storage Type, select Standard SSD or Enhanced SSD (Recommended), and then select Disk Encryption.
  3. Select a CMK ID from the Key drop-down list.
  4. Specify other parameters as prompted. For more information, see Create an ApsaraDB RDS for MySQL instance.

Encrypt resources of other cloud services

For information about how to encrypt resources of other cloud services, see Alibaba Cloud services that support integration with KMS.