Key Management Service (KMS) is a managed service for you to create and manage encryption keys (master keys) used to encrypt your data. Alibaba Cloud KMS enables you to maintain control over who can use your master keys and gain access to your encrypted data.
Scenarios
| Role | Demand | Solution |
|---|---|---|
| Application/Website developer | I need encryption keys to protect my application data. I have secured and full access to the keys, but the plaintext encryption keys cannot be deployed to multiple servers where my applications are deployed. | With the envelope encryption of KMS, you can first create a master key, and use it to generate a data key, then use the data key to encrypt your application data. Because the encrypted data key is inherently protected by encryption, it can be deployed together with the application it encrypted, and the plaintext master key can be kept safely in KMS service. |
| Service developer | My customers manage their own keys, they can authorize me to use their keys to encrypt data when necessary. | The customers manage their master keys in KMS, and they can authorize you to call KMS APIs to encrypt data with the master keys. |
| Chief Security Officer | I need strict permission control over the encryption keys, and each authorization can be audited. | KMS can be integrated with RAM to achieve a fine-grained access control over keys. You can use CloudMonitor to audit key usage. |