Key Management Service (KMS) is integrated with cloud services such as Elastic Compute Service (ECS), Object Storage Service (OSS), Container Service for Kubernetes (ACK), and ApsaraDB RDS. You can use KMS to encrypt the resources of these cloud services to ensure data security in the cloud.

Encrypt ECS resources

You can use KMS to encrypt ECS resources, such as system disks, data disks, and relevant images and snapshots.

The following example describes how to encrypt a data disk when you create an ECS instance. For more information about how to encrypt other ECS resources, see Use KMS to protect ECS workloads with a few clicks.

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region as required.
  4. On the Instances page, click Create Instance.
  5. In the Storage section of the Basic Configurations step, perform the following steps to encrypt a data disk:
    1. Click Add Disk.
    2. Configure specifications for the disk.
    3. Select Disk Encryption and select a key from the drop-down list.
      You can select Default Service CMK to use the default service customer master key (CMK) or select a CMK that you created in KMS for encryption.
  6. Set other parameters by following the on-screen instructions.
    For more information, see Create an instance by using the wizard.

Encrypt OSS resources

After you enable server-side encryption with KMS for an OSS bucket, objects that are uploaded to the bucket are automatically encrypted by using keys generated from the selected CMK.

  • Enable encryption when you create an OSS bucket
    1. Log on to the OSS console.
    2. On the Overview page, click Create Bucket.
    3. In the Create Bucket panel, set the Encryption Method parameter to KMS.
    4. Set the Encryption Algorithm parameter.
    5. Set the CMK parameter.
      • alias/acs/oss: OSS uses the default service CMK in KMS to generate different keys to encrypt different objects. The objects are automatically decrypted when they are downloaded.
      • CMK ID: OSS uses a specific CMK to generate different keys to encrypt different objects. The objects are automatically decrypted when they are downloaded by the users who have decryption permissions. Before you specify a CMK ID, you must create a regular CMK or an external CMK in the same region as the bucket in the KMS console. For more information, see Create a CMK.
    6. Set other parameters by following the on-screen instructions.

      For more information, see Create buckets.

  • Encrypt data in an existing bucket
    1. Log on to the OSS console.
    2. In the left-side navigation pane, click Buckets.
    3. Click the name of the bucket whose data you want to encrypt.
    4. In the left-side navigation pane, choose Basic Settings > Server-side Encryption.
    5. In the Server-side Encryption section, click Configure.
      1. Set the Encryption Method parameter to KMS.
      2. Set the Encryption Algorithm parameter.
      3. Set the CMK parameter.
        • alias/acs/oss: OSS uses the default service CMK in KMS to generate different keys to encrypt different objects. The objects are automatically decrypted when they are downloaded.
        • CMK ID: OSS uses a specific CMK to generate different keys to encrypt different objects. The objects are automatically decrypted when they are downloaded by the users who have decryption permissions. Before you specify a CMK ID, you must create a regular CMK or an external CMK in the same region as the bucket in the KMS console. For more information, see Create a CMK.
      4. Click Save.
        Notice: The default encryption method that you configure for a bucket does not change the encryption configurations of the objects that already exist in the bucket.
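Because the bucket-level default only governs later uploads, an audit of an OSS bucket has to read both the bucket rule and each object's own encryption headers. The following script is an added example, not part of this page or of the OSS SDK: it parses a constructed GetBucketEncryption response (element names assumed to follow the OSS ServerSideEncryptionRule format), maps it to the CMK choices described above, and lists objects whose `x-oss-server-side-encryption` headers show they are not protected by the expected CMK. The key ID and object names are placeholders.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed GetBucketEncryption response body (format assumed; key ID is a placeholder).
SAMPLE_RULE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ServerSideEncryptionRule>
  <ApplyServerSideEncryptionByDefault>
    <SSEAlgorithm>KMS</SSEAlgorithm>
    <KMSMasterKeyID>00000000-0000-0000-0000-placeholder</KMSMasterKeyID>
    <KMSDataEncryption>SM4</KMSDataEncryption>
  </ApplyServerSideEncryptionByDefault>
</ServerSideEncryptionRule>"""

# Constructed HEAD-object headers: two objects uploaded after the rule was set,
# one legacy object that predates it and is therefore still stored unencrypted.
PLACEHOLDER_KEY = "00000000-0000-0000-0000-placeholder"
SAMPLE_OBJECT_HEADERS = {
    "reports/q1.csv": {"x-oss-server-side-encryption": "KMS",
                       "x-oss-server-side-encryption-key-id": PLACEHOLDER_KEY},
    "reports/q2.csv": {"x-oss-server-side-encryption": "KMS",
                       "x-oss-server-side-encryption-key-id": PLACEHOLDER_KEY},
    "legacy/dump.sql": {},
}


def parse_bucket_rule(xml_text: str) -> Dict[str, Optional[str]]:
    """Flatten the bucket's default server-side encryption rule into a dict."""
    default = ET.fromstring(xml_text).find("ApplyServerSideEncryptionByDefault")

    def text(tag: str) -> Optional[str]:
        node = default.find(tag) if default is not None else None
        return node.text.strip() if node is not None and node.text else None

    return {"algorithm": text("SSEAlgorithm"), "kms_key": text("KMSMasterKeyID"),
            "data_encryption": text("KMSDataEncryption")}


def classify_rule(rule: Dict[str, Optional[str]]) -> str:
    """Map a parsed rule to the CMK choices described in the procedure."""
    if rule["algorithm"] != "KMS":
        return "not-kms"                   # no SSE, or an OSS-managed key
    if rule["kms_key"] in (None, "", "alias/acs/oss"):
        return "kms-default-service-cmk"   # alias/acs/oss
    return "kms-customer-cmk"              # a CMK ID created in KMS


def objects_not_under_kms(headers: Dict[str, Dict[str, str]], expected_key: Optional[str] = None) -> List[str]:
    """Objects whose stored copy is not KMS-encrypted, or uses a different CMK than expected."""
    bad = [k for k, h in headers.items()
           if h.get("x-oss-server-side-encryption") != "KMS"
           or (expected_key and h.get("x-oss-server-side-encryption-key-id") != expected_key)]
    return sorted(bad)
```

In a real audit the XML and headers come from GetBucketEncryption and HeadObject calls; objects reported by `objects_not_under_kms` must be re-uploaded or copied in place to pick up the bucket default.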

Encrypt ACK resources

Professional managed Kubernetes clusters allow you to use a CMK that you created in KMS to encrypt Kubernetes secrets.

  1. Log on to the ACK console.
  2. In the left-side navigation pane, click Clusters.
  3. In the upper-right corner of the Clusters page, click Cluster Template.
  4. In the Select Cluster Template dialog box, select Professional Managed Kubernetes Cluster and click Create.
  5. On the Managed Kubernetes tab, find Secret Encryption, select Select Key, and then select a CMK ID from the drop-down list.
  6. Set other parameters by following the on-screen instructions.

Encrypt ApsaraDB RDS resources

ApsaraDB RDS supports disk encryption and transparent data encryption (TDE). The following example describes how to encrypt an SSD when you create an ApsaraDB RDS for MySQL instance.

  1. Go to the instance creation page in the ApsaraDB RDS console.
  2. Set the Storage Type parameter to Standard SSD or Enhanced SSD (Recommended) and select Disk Encryption.
  3. Select a CMK ID from the Key drop-down list.
  4. Set other parameters by following the on-screen instructions.
    For more information, see Create an ApsaraDB RDS for MySQL instance.

Encrypt resources of other cloud services

For information about how to encrypt resources of other cloud services, see Alibaba Cloud services that can be integrated with KMS.