Key Management Service (KMS) provides features such as key hosting and cryptographic operations. KMS implements security practices such as key rotation and can be integrated with other Alibaba Cloud services to encrypt user data managed by these services. KMS frees you up from maintaining the security, integrity, and availability of your keys. You only need to focus on data encryption, data decryption, and digital signature generation and verification based on your business requirements.


  • Encryption key hosting

    KMS supports encryption key hosting. An encryption key hosted on KMS is called a customer master key (CMK). You can manage the lifecycle of a CMK by enabling or disabling the CMK. For more information, see Key management.

  • BYOK
    KMS supports Bring Your Own Key (BYOK). You can lease your own keys to KMS to encrypt data on the cloud. This facilitates key management. The following types of keys can be leased:
    • Keys in your on-premises key management infrastructure (KMI)
    • Keys in user-managed hardware security modules (HSMs) that are deployed in Alibaba Cloud Data Encryption Service
    Note With secure key exchange algorithms used in KMS, keys imported to managed HSMs in KMS cannot be exported by using any method. Operators or third parties are not allowed to check the plaintext of keys. For more information, see Import and delete key material and Key control.
  • Automatic rotation of encryption keys

    A CMK in KMS can have multiple key versions. Each version represents an independently generated key and does not have any relation with other versions. KMS can automatically rotate encryption keys. This helps you implement best security practices and meet compliance audit requirements. For more information, see Overview and Configure automatic key rotation.

  • Fully managed HSMs

    KMS provides fully managed HSMs. You can host keys to HSMs, so that cryptographic operations are implemented within HSMs to protect key security. HSMs in KMS meet the compliance requirements for cryptographic security in different regions and markets. For more information, see Overview and Use Managed HSM.

  • Simple cryptographic API operations
    • KMS provides cryptographic API operations that are simpler than those for traditional cryptographic modules or cryptographic software libraries. For more information, see Key operation.
    • Encryption keys in KMS support authenticated encryption with associated data (AEAD) and protect data integrity by delivering additional authenticated data (AAD). For more information, see EncryptionContext.
  • CMK aliases

    KMS allows you to create CMK aliases, which can facilitate CMK usage. For more information, see Use aliases. For example, you can use CMK aliases to manually rotate CMKs in specific scenarios. For more information, see Manual key rotation.

  • Resource tags

    Like other Alibaba Cloud services, KMS also supports resource tags. Resource tags make it easier to manage key resources in KMS. For more information, see Tag management.


KMS is integrated with multiple Alibaba Cloud services. This significantly improves the advantages of KMS. For more information, see Benefits.

  • KMS is integrated with Elastic Compute Service (ECS), ApsaraDB for RDS, and Object Storage Service (OSS). You can use CMKs in KMS to encrypt and control data stored in these services and protect native data of these services.
  • KMS is integrated with Resource Access Management (RAM). You can configure a variety of custom policies by using RAM to meet requirements for different authorization scenarios.
  • KMS is integrated with ActionTrail. This allows you to view the recent KMS usage and store the KMS usage information in other services such as OSS to meet audit requirements in the long term.