Key Management Service (KMS) is a one-stop service platform for key management and data encryption. KMS provides simple, reliable, secure, and standard-compliant capabilities to encrypt and protect data. KMS greatly reduces your costs of purchase, operations and maintenance (O&M), and research and development (R&D) on cryptographic infrastructure and data encryption services. This helps you focus on the business development.
Architecture
KMS consists of the key service and Secrets Manager components.
| Component | Description | Related topic |
|---|---|---|
| Key service | The key service provides fully managed keys and key protection features. The key service supports simple data encryption and digital signature management based on cloud-native API operations. | CMK overview |
| Secrets Manager | Secrets Manager provides the secret encryption, hosting, regular rotation, secure distribution, and centralized management features. Secrets Manager reduces the security risks caused by static secrets that are configured in traditional IT facilities. | Overview |
Benefits
KMS provides the benefits of data encryption and secret protection.
| Feature | Benefit | Description | Related topic |
|---|---|---|---|
| Data encryption | Leading security compliance capabilities |
KMS supports industry-leading infrastructures of cryptographic security and meets the level and compliance requirements for cryptographic security both in and outside China. |
Compliance |
| Fully managed |
Without the need to purchase cryptographic hardware and software, or invest in O&M and R&D of cryptographic facilities, you can directly use the data encryption feature and extend the feature. |
Use Managed HSM | |
| Cloud-native |
Based on simple cloud-native API operations, KMS can be integrated with a variety of Alibaba Cloud services. KMS allows you to configure server-side encryption (SSE) with only a few clicks. |
Alibaba Cloud services that can be integrated with KMS | |
| Simple application access |
KMS provides multiple methods such as KMS SDK and Encryption SDK to help you use KMS API for encryption. This allows you to meet multiple requirements for data encryption and decryption, and digital signature generation and verification. |
||
| Centralized and large-scale management |
KMS can be automatically activated and supports services such as Resource Orchestration Service (ROS) and Terraform to help you implement the default encryption policy on multi-account logon. KMS automatically enables SSE for services such as Elastic Compute Service (ECS) disks, Object Storage Service (OSS), ApsaraDB RDS, and MaxCompute. |
Activate KMS by using the API | |
| Secret protection | Cloud-native |
KMS supports cloud-native dynamic ApsaraDB RDS secrets to help you handle the main security threats faced by databases. |
Overview |
| Simple application access |
KMS provides multiple methods such as KMS SDK, Secrets Manager Client, and the Kubernetes plug-in to help you use dynamic secrets. |
Allow applications to access Secrets Manager | |
| Centralized and large-scale management |
KMS can be automatically activated and supports services such as ROS and Terraform to help you implement automatic orchestration of Alibaba Cloud resources such as databases and OSS buckets, and automatic management of fully managed secrets. This way, centralized secret management is realized. |
Activate KMS by using the API |