
Key Management Service:Use KMS to encrypt resources of cloud services

Last Updated: Jan 23, 2024

Key Management Service (KMS) is integrated with cloud services such as Elastic Compute Service (ECS), Object Storage Service (OSS), Container Service for Kubernetes (ACK), and ApsaraDB RDS. You can use KMS to encrypt the resources of these cloud services to ensure data security in the cloud.

Encrypt ECS resources

You can use KMS to encrypt ECS resources such as system disks, data disks, and relevant images and snapshots.

The following example describes how to encrypt a data disk when you create an ECS instance. For more information about other methods to encrypt ECS resources, see Use KMS to protect ECS workloads with a few clicks.

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the top navigation bar, select the region in which you want to create an ECS instance.

  4. On the Instances page, click Create Instance.

  5. In the Storage section of the Basic Configurations step, perform the following operations to encrypt a data disk:

    1. Click Add Disk.

    2. Configure specifications for the disk.

    3. Select Disk Encryption and select a key from the drop-down list.

      You can select Default Service CMK to use the default service customer master key (CMK) or select a CMK that you created in KMS for encryption.

      (Figure: Encrypt a data disk when you create an ECS instance)

  6. Configure other parameters by following the on-screen instructions.
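After the disk is created, the console shows the setting for one disk at a time; a practitioner usually wants to verify the whole fleet. The following script is an added example and is not Alibaba Cloud's own code: it reads a DescribeDisks-style response and reports every data disk that is unencrypted or encrypted with a key other than an approved CMK (that is, the Default Service CMK or an unknown key). The response field names (`Disks.Disk[]`, `DiskId`, `Type`, `Encrypted`, `KMSKeyId`) are written from memory and the sample and CMK ids are constructed placeholders.

```python
"""Audit ECS disks for KMS encryption (added example; not Alibaba Cloud code).

Assumptions: the shape of the ECS DescribeDisks response (Disks.Disk[] with
DiskId, Type, Encrypted, KMSKeyId) is written from memory, the sample below is
constructed, and the approved CMK ids are placeholders.
"""
import json

# Constructed sample in the assumed DescribeDisks shape; all ids are placeholders.
SAMPLE_DESCRIBE_DISKS = json.dumps({
    "Disks": {
        "Disk": [
            {"DiskId": "d-example-sys", "Type": "system",
             "Encrypted": False, "KMSKeyId": ""},
            {"DiskId": "d-example-data1", "Type": "data",
             "Encrypted": True, "KMSKeyId": ""},
            {"DiskId": "d-example-data2", "Type": "data",
             "Encrypted": True,
             "KMSKeyId": "00000000-0000-0000-0000-000000000001"},
            {"DiskId": "d-example-data3", "Type": "data",
             "Encrypted": True,
             "KMSKeyId": "00000000-0000-0000-0000-000000000002"},
        ]
    }
})

# Placeholder: CMKs that your organisation created in KMS and approved for disks.
APPROVED_CMKS = {"00000000-0000-0000-0000-000000000001"}


def classify_disk(disk, approved_cmks):
    """Return 'unencrypted', 'encrypted-other-key' or 'encrypted-approved-cmk'."""
    if not disk.get("Encrypted", False):
        return "unencrypted"
    if disk.get("KMSKeyId") in approved_cmks:
        return "encrypted-approved-cmk"
    # Encrypted, but with the Default Service CMK or a key not on the allow-list.
    return "encrypted-other-key"


def audit_disks(describe_disks_json, approved_cmks, require_system_disk=False):
    """Group disk ids by encryption state and list the ones that violate policy.

    Policy: every data disk must be encrypted with an approved CMK; system
    disks are held to the same rule only when require_system_disk is True.
    """
    disks = json.loads(describe_disks_json)["Disks"]["Disk"]
    report = {"unencrypted": [], "encrypted-other-key": [],
              "encrypted-approved-cmk": [], "violations": []}
    for disk in disks:
        state = classify_disk(disk, approved_cmks)
        report[state].append(disk["DiskId"])
        in_scope = disk.get("Type") == "data" or require_system_disk
        if in_scope and state != "encrypted-approved-cmk":
            report["violations"].append((disk["DiskId"], state))
    return report


if __name__ == "__main__":
    result = audit_disks(SAMPLE_DESCRIBE_DISKS, APPROVED_CMKS)
    for disk_id, state in result["violations"]:
        print(f"{disk_id}: {state}")
```

Feeding the script real output means replacing `SAMPLE_DESCRIBE_DISKS` with the JSON returned by the ECS API for each region; the allow-list approach avoids having to guess how the Default Service CMK is reported, since anything that is not an approved CMK is flagged.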

Encrypt OSS resources

After you configure KMS-based server-side encryption for an OSS bucket, objects that you upload to the bucket are automatically encrypted.

  • Enable encryption when you create an OSS bucket

    1. Log on to the OSS console.

    2. In the Bucket Management section of the Overview page, click Create Bucket.

    3. In the Create Bucket panel, set the Encryption Method parameter to KMS.

    4. Configure the Encryption Algorithm parameter. Valid values:

      • AES256

      • SM4

        Note: KMS provides the SM4 algorithm by using Managed HSM. For more information, see Overview.

    5. Configure the CMK parameter.

      You can select a CMK ID. OSS uses the specified CMK to generate different keys to encrypt different objects. The objects are automatically decrypted when they are downloaded by the users who have decryption permissions. Before you select a CMK ID, you must create a regular CMK or an external CMK in the same region as the bucket in the KMS console. For more information, see Create a CMK.

    6. Configure other parameters by following the on-screen instructions.

      For more information, see Create buckets.

  • Encrypt data in an existing bucket

    1. Log on to the OSS console.

    2. In the left-side navigation pane, click Buckets.

    3. Click the name of the bucket whose data you want to encrypt.

    4. In the left-side navigation pane, choose Content Security > Server-side Encryption.

    5. In the Server-side Encryption section, click Configure.

      1. Set the Encryption Method parameter to KMS.

      2. Configure the Encryption Algorithm parameter. Valid values:

        • AES256

        • SM4

          Note: KMS provides the SM4 algorithm by using Managed HSM. For more information, see Overview.

      3. Configure the CMK parameter.

        You can select a CMK ID. OSS uses the specified CMK to generate different keys to encrypt different objects. The objects are automatically decrypted when they are downloaded by the users who have decryption permissions. Before you select a CMK ID, you must create a regular CMK or an external CMK in the same region as the bucket in the KMS console. For more information, see Create a CMK.

      4. Click Save.

        Important

        The modification of the default encryption method for a bucket does not affect the encryption configurations of the existing objects in the bucket.
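Because the bucket default only applies to new uploads, verifying a bucket means checking two things: that the default rule is KMS with the intended CMK, and that the objects that were already in the bucket actually carry that encryption. The following script is an added example, not OSS's or Alibaba Cloud's own code, and serves both the create-bucket and existing-bucket procedures above. It parses a GetBucketEncryption-style XML response and a set of HEAD-object response headers; the XML layout (`ServerSideEncryptionRule` / `ApplyServerSideEncryptionByDefault` with `SSEAlgorithm`, `KMSDataEncryption`, `KMSMasterKeyID`) and the `x-oss-server-side-encryption` and `x-oss-server-side-encryption-key-id` headers are written from memory, and all sample values are constructed.

```python
"""Check an OSS bucket's default KMS encryption and whether existing objects
actually use it (added example; not OSS's or Alibaba Cloud's own code).

Assumptions: the GetBucketEncryption XML layout and the HEAD-object headers
x-oss-server-side-encryption / x-oss-server-side-encryption-key-id are
written from memory; every value below is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed GetBucketEncryption response in the assumed layout.
BUCKET_ENCRYPTION_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ServerSideEncryptionRule>
  <ApplyServerSideEncryptionByDefault>
    <SSEAlgorithm>KMS</SSEAlgorithm>
    <KMSDataEncryption>SM4</KMSDataEncryption>
    <KMSMasterKeyID>00000000-0000-0000-0000-000000000001</KMSMasterKeyID>
  </ApplyServerSideEncryptionByDefault>
</ServerSideEncryptionRule>
"""

# Constructed HEAD-object response headers for three objects already in the bucket.
OBJECT_HEADERS = {
    "reports/2023-q4.csv": {
        "x-oss-server-side-encryption": "KMS",
        "x-oss-server-side-encryption-key-id": "00000000-0000-0000-0000-000000000001",
    },
    "reports/legacy.csv": {},  # uploaded before any default encryption was set
    "reports/other.csv": {"x-oss-server-side-encryption": "AES256"},
}


def parse_bucket_rule(xml_text):
    """Extract algorithm, data-encryption algorithm and CMK id from the rule XML."""
    root = ET.fromstring(xml_text)
    node = root.find("ApplyServerSideEncryptionByDefault")
    if node is None:
        return {"algorithm": None, "data_encryption": None, "cmk": None}

    def text(tag):
        child = node.find(tag)
        return child.text.strip() if child is not None and child.text else None

    return {"algorithm": text("SSEAlgorithm"),
            "data_encryption": text("KMSDataEncryption"),
            "cmk": text("KMSMasterKeyID")}


def check_bucket_rule(rule, required_cmk=None):
    """Return a list of problems with the default rule; an empty list means OK."""
    problems = []
    if rule["algorithm"] != "KMS":
        problems.append(f"default encryption is {rule['algorithm']!r}, not KMS")
    elif not rule["cmk"]:
        problems.append("KMS encryption is enabled without an explicit CMK id")
    elif required_cmk and rule["cmk"] != required_cmk:
        problems.append(f"bucket uses CMK {rule['cmk']}, not the required CMK")
    return problems


def find_objects_not_using_cmk(object_headers, cmk):
    """List (key, algorithm) for objects not encrypted with the given CMK.

    Changing the bucket default does not touch existing objects, so these
    objects keep whatever encryption they had when they were uploaded.
    """
    stale = []
    for key, headers in object_headers.items():
        algorithm = headers.get("x-oss-server-side-encryption")
        key_id = headers.get("x-oss-server-side-encryption-key-id")
        if algorithm != "KMS" or key_id != cmk:
            stale.append((key, algorithm or "none"))
    return stale


if __name__ == "__main__":
    rule = parse_bucket_rule(BUCKET_ENCRYPTION_XML)
    print("rule problems:", check_bucket_rule(rule))
    for key, algorithm in find_objects_not_using_cmk(OBJECT_HEADERS, rule["cmk"]):
        print(f"{key}: {algorithm}")
```

In practice the headers come from one HEAD request per object listed in the bucket; objects reported as stale have to be re-uploaded or copied in place for the new default to apply to them.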

Encrypt ACK resources

Professional managed Kubernetes clusters in ACK allow you to use a CMK that you created in KMS to encrypt Kubernetes secrets.

  1. Log on to the ACK console.

  2. In the left-side navigation pane, click Clusters.

  3. In the upper-right corner of the Clusters page, click Cluster Templates.

  4. In the Select Cluster Template dialog box, select Professional Managed Kubernetes Cluster and click Create.

  5. On the Managed Kubernetes tab, find the Secret Encryption parameter, select Select Key, and then select a CMK ID from the drop-down list.

  6. Configure other parameters by following the on-screen instructions.

    For more information, see Create an ACK Pro cluster.

Encrypt ApsaraDB RDS resources

ApsaraDB RDS supports disk encryption and transparent data encryption (TDE). The following example describes how to encrypt a standard or enhanced SSD when you create an ApsaraDB RDS for MySQL instance.

  1. Go to the Basic Configurations page in the ApsaraDB RDS console.

  2. Set the Storage Type parameter to Standard SSD or Enhanced SSD (Recommended). Then, select Disk Encryption.

  3. Select a CMK ID from the Key drop-down list.


  4. Configure other parameters by following the on-screen instructions.

    For more information, see Create an ApsaraDB RDS for MySQL instance.

Encrypt resources of other cloud services

For information about how to encrypt resources of other cloud services, see Alibaba Cloud services that can be integrated with KMS.