Key Management Service (KMS) provides features such as key hosting and cryptographic operations. KMS implements security practices such as key rotation and can be integrated with other cloud services to encrypt user data managed by these services. With KMS, you can focus on developing services such as data encryption, data decryption, and digital signature generation and verification. It helps you save costs in maintaining the security, integrity, and availability of your keys.


  • Secure key hosting

    KMS supports encryption key hosting. An encryption key hosted on KMS is called a customer master key (CMK). You can manage the lifecycle of a CMK by enabling or disabling it. For more information, see Key management.

  • BYOKs
    KMS supports Bring Your Own Keys (BYOKs). You can lease you own keys to KMS for encryption and protection of cloud data to facilitate key management. The following key types can be leased:
    • Keys your on-premise key management infrastructure (KMI)
    • Keys in hardware security modules (HSMs) that you provision and manage Data Encryption Service
    Note Keys imported to managed HSMs of KMS cannot be exported through any mechanism because secure key exchange algorithms are used. The key plaintext will not be viewed by the operator or any third party. For more information, see Import key materials and Key control.
  • Automatic rotation of encryption keys

    A CMK in KMS supports multiple key versions. Each key version represents an independently generated key. Multiple key versions of a CMK do not have any relation with each other. KMS can automatically rotate encryption keys to help you implement best security practices and meet compliance and audit requirements. For more information, see Overview and Automatic key rotation.

  • Fully managed HSMs

    KMS provides fully managed HSMs. You can host keys to HSMs, so that cryptographic operations are kept within HSMs to protect cryptographic security. HSMs in KMS meet different compliance requirements for cryptographic security in different regions and markets. For more information, see Overview and Using Managed HSM.

  • Simple cryptographic operation APIs
    • KMS provides cryptographic operation APIs simpler than those for traditional cryptographic modules or cryptographic software libraries. For more information, see Key operation.
    • Encryption keys in KMS support authenticated encryption with associated data (AEAD) and protect data integrity by delivering additional authenticated data (AAD). For more information, see Encryption Context.
  • CMK aliases

    KMS allows you to create CMK aliases, which can facilitate CMK usage. For more information, see Use aliases. For example, you can use CMK aliases in specific scenarios to implement Manual key rotation.

  • Resource tags

    Like other Alibaba Cloud services, KMS also supports resource tags. Resource tags make it easier to manage cryptographic resources in KMS. For more information, see Tag management.


KMS has been integrated with multiple Alibaba Cloud services. This further proves the advantages of KMS. For more information, see Benefits.

  • KMS is integrated with ECS, ApsaraDB for RDS, and OSS: You can use CMKs in KMS to encrypt and control data stored in these services and protect native data of these services.
  • KMS is integrated with RAM: You can configure a variety of custom policies through RAM to meet requirements for different authorization scenarios.
  • KMS is integrated with ActionTrail: This allows you to view the recent KMS usage and store the KMS usage in other services such as OSS to meet audit requirements for a long period.