Key Management Service (KMS) is an end-to-end service platform for key management and data encryption. KMS provides simple, reliable, secure, and standard-compliant capabilities to encrypt and protect data. When you encrypt data you need a key, and that key must itself be protected: an attacker who obtains it can read everything it encrypts. KMS solves this problem by generating and storing keys inside managed hardware security modules (HSMs) and performing cryptographic operations on your behalf through API operations, so your application handles keys by ID rather than by value, and you get secure key storage and encryption without procuring HSMs or building cryptographic infrastructure.
Why use KMS
KMS addresses several distinct security problems:
Protect encryption keys with managed HSMs, without owning or maintaining the underlying hardware.
Eliminate hardcoded secrets: instead of embedding database passwords or API keys in application code, store them in KMS and retrieve them securely at runtime.
Sign and verify data using digital signatures backed by managed keys.
Meet compliance requirements with industry-standard cryptographic infrastructure.
Enable server-side encryption (SSE) across Alibaba Cloud services, including Elastic Compute Service (ECS), Object Storage Service (OSS), ApsaraDB RDS, and MaxCompute, using cloud-native APIs or a few console clicks.
Components
| Component | Problem it solves | Description |
|---|---|---|
| Key Service | Key protection and data encryption | Manages and protects your keys. Data encryption, decryption, and digital signing and verification are performed through cloud-native API operations, so applications reference keys by ID and never handle the key material. |
| Secrets Manager | Hardcoded and static secrets | Provides secret encryption, hosting, regular rotation, secure distribution, and centralized management. Reduces security risks from static secrets in traditional IT systems. |
| Certificates Manager | Certificate lifecycle management | Manages keys and certificates end-to-end. Supports generating certificate signing requests (CSRs), importing certificates and certificate chains, verifying signatures, and checking certificate validity. |
| Dedicated KMS | Compliance and isolation requirements | A fully managed key management service deployed in your own virtual private cloud (VPC), with a tenant-specific cryptographic resource pool (HSM cluster) and role-based access control (RBAC). |
Benefits
Key Service
| Benefit | Description |
|---|---|
| Leading security compliance capabilities | Supports industry-standard cryptographic infrastructure and meets security level and compliance requirements. |
| Fully managed implementation | No need to procure cryptographic hardware or software, or invest in operations and maintenance (O&M) and research and development (R&D) for cryptographic facilities. |
| Cloud-native capabilities | Integrates with Alibaba Cloud services via cloud-native API operations. Configure SSE with only a few console clicks. |
| Simplified application access | Use KMS SDKs and Encryption SDKs to encrypt and decrypt data and generate and verify digital signatures. |
| Centralized and large-scale management | Supports Resource Orchestration Service (ROS) and Terraform. Automatically enables SSE for ECS instances, OSS buckets, ApsaraDB RDS instances, and MaxCompute projects. Supports automatic data encryption across multiple accounts. |
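The pattern behind KMS-backed data encryption, and what the KMS SDKs and Encryption SDKs implement for you, is envelope encryption: the service issues a fresh data key together with a copy of it wrapped under a master key that never leaves the HSM; the client encrypts the data locally with the data key, stores only the wrapped copy alongside the ciphertext, and later sends that wrapped copy back to KMS to recover the data key. The following is an added example, not code from the page or from Alibaba Cloud. `FakeKms` is an assumed stand-in for the service boundary (a real deployment calls the GenerateDataKey and Decrypt API operations instead), and `seal`/`unseal` are a stdlib-only stand-in for an authenticated cipher such as AES-GCM so the example runs offline; they are not a cipher to reuse.

```python
"""Envelope encryption with a KMS-managed master key (added example)."""
import hashlib
import hmac
import os
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter) blocks.
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any modified blob is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext authentication failed")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)


class FakeKms:
    """Assumed stand-in for the KMS service boundary. The master key is created
    and used only inside this object (in the real service: inside an HSM);
    callers only ever receive data keys and wrapped data keys."""

    def __init__(self) -> None:
        self._master_keys: dict[str, bytes] = {}

    def create_key(self) -> str:
        key_id = "key-" + secrets.token_hex(8)
        self._master_keys[key_id] = os.urandom(32)
        return key_id

    def generate_data_key(self, key_id: str) -> tuple[bytes, bytes]:
        # Like GenerateDataKey: a fresh data key plus that key wrapped under
        # the master key, prefixed with the key ID so decrypt() can find it.
        data_key = os.urandom(32)
        wrapped = key_id.encode() + b"|" + seal(self._master_keys[key_id], data_key)
        return data_key, wrapped

    def decrypt(self, wrapped: bytes) -> bytes:
        # Like Decrypt on a wrapped data key: only this KMS tenant can unwrap it.
        key_id, blob = wrapped.split(b"|", 1)
        return unseal(self._master_keys[key_id.decode()], blob)


def encrypt_record(kms: FakeKms, key_id: str, plaintext: bytes) -> dict:
    """Client side: encrypt locally with a data key, persist only the wrapped key."""
    data_key, wrapped = kms.generate_data_key(key_id)
    body = seal(data_key, plaintext)
    del data_key  # the plaintext data key must never be stored with the record
    return {"wrapped_key": wrapped, "body": body}


def decrypt_record(kms: FakeKms, record: dict) -> bytes:
    """Client side: ask KMS to unwrap the data key, then decrypt locally."""
    data_key = kms.decrypt(record["wrapped_key"])
    return unseal(data_key, record["body"])


if __name__ == "__main__":
    kms = FakeKms()
    key_id = kms.create_key()
    rec = encrypt_record(kms, key_id, b"card=4111...;cvv=123")  # constructed sample
    print(decrypt_record(kms, rec))
```

Two properties worth checking in your own integration follow from this layout: a tampered ciphertext is rejected before any plaintext is returned, and a wrapped data key is useless to anyone who cannot call Decrypt on the owning KMS tenant, which is exactly what KMS access policies gate.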
Secrets Manager
| Benefit | Description |
|---|---|
| Cloud-native capabilities | Generates dynamic ApsaraDB RDS secrets through cloud-native API operations and rotates them automatically, so database credentials are short-lived and no longer sit as static values in application configuration. |
| Simplified application access | Use KMS SDKs, Secrets Manager Client, or the Kubernetes plug-in to access dynamic secrets from your applications. |
| Centralized and large-scale management | Supports ROS and Terraform for automatic orchestration of databases and OSS buckets. All secrets are fully managed in Secrets Manager. |
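Moving a database password out of source code and into Secrets Manager changes how the application must behave: it fetches the secret at startup or on first use, caches it for a bounded time, and, because dynamic secrets rotate, treats an authentication failure as a signal to refresh rather than as a fatal error. The following is an added example of that client-side logic, not code from the page or from Alibaba Cloud's Secrets Manager Client. `FakeSecretsManager` and `FakeDatabase` are assumed stand-ins so the example runs offline; in production the fetch is the GetSecretValue API operation.

```python
"""Runtime secret retrieval with a rotation-aware cache (added example)."""
import time
from dataclasses import dataclass

# What the page warns against: a credential baked into source control.
# DB_PASSWORD = "s3cret-2019"   # never do this


class AuthError(Exception):
    pass


class FakeSecretsManager:
    """Assumed stand-in: keeps (version_id, value) per secret name."""

    def __init__(self) -> None:
        self._store: dict[str, tuple[str, str]] = {}

    def put_secret_value(self, name: str, value: str) -> str:
        old = self._store.get(name)
        version = f"v{int(old[0][1:]) + 1}" if old else "v1"
        self._store[name] = (version, value)
        return version

    def get_secret_value(self, name: str) -> tuple[str, str]:
        return self._store[name]


class FakeDatabase:
    """Assumed stand-in: accepts only the currently valid password."""

    def __init__(self, password: str) -> None:
        self.password = password

    def connect(self, password: str) -> str:
        if password != self.password:
            raise AuthError("password rejected")
        return "connection"


@dataclass
class _Entry:
    version: str
    value: str
    expires_at: float


class SecretCache:
    """Fetches secrets at runtime and caches them for ttl seconds. A caller
    that hits an authentication failure forces a refresh, which is how a
    rotated (dynamic) secret propagates without restarting the application."""

    def __init__(self, client, ttl: float = 300.0, clock=time.monotonic) -> None:
        self._client, self._ttl, self._clock = client, ttl, clock
        self._cache: dict[str, _Entry] = {}
        self.fetches = 0  # number of round trips to the secrets service

    def get(self, name: str, force_refresh: bool = False) -> str:
        entry = self._cache.get(name)
        if entry and not force_refresh and self._clock() < entry.expires_at:
            return entry.value
        version, value = self._client.get_secret_value(name)
        self.fetches += 1
        self._cache[name] = _Entry(version, value, self._clock() + self._ttl)
        return value


def connect_with_secret(cache: SecretCache, name: str, db: FakeDatabase) -> str:
    """Try the cached credential; on rejection, refresh once and retry."""
    try:
        return db.connect(cache.get(name))
    except AuthError:
        return db.connect(cache.get(name, force_refresh=True))


def rotation_demo() -> tuple[str, int]:
    """Rotate the secret under a live cache and show the app keeps working."""
    sm = FakeSecretsManager()
    sm.put_secret_value("prod/db/app-user", "initial-pw")  # constructed sample
    db = FakeDatabase("initial-pw")
    cache = SecretCache(sm, ttl=300)
    connect_with_secret(cache, "prod/db/app-user", db)  # fetch 1, then cached
    connect_with_secret(cache, "prod/db/app-user", db)  # served from cache
    # Rotation: Secrets Manager and the database receive the new password together.
    sm.put_secret_value("prod/db/app-user", "rotated-pw")
    db.password = "rotated-pw"
    result = connect_with_secret(cache, "prod/db/app-user", db)  # stale, refresh, ok
    return result, cache.fetches


if __name__ == "__main__":
    print(rotation_demo())  # ('connection', 2)
```

The single forced refresh after a rejection is deliberate: retrying without bound would turn a genuinely revoked credential into a request storm against the secrets service, so a second rejection is surfaced to the caller as the error it is.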
Certificates Manager
| Benefit | Description |
|---|---|
| Secure key storage | Uses managed HSMs to ensure keys and certificates are securely generated and stored. |
| Lifecycle management | Manage keys and certificates end-to-end: generate CSRs, import certificates and certificate chains, verify certificate chain signatures, and check certificate validity. |
| Easy API-based integration | Multiple API operations let you integrate certificate management into your development environment and deployment pipeline, so certificate-related features ship without hand-managed key files. |
Dedicated KMS
| Benefit | Description |
|---|---|
| Access over private networks | Deploy a tenant-specific instance in your own VPC, keeping all cryptographic operations off the public internet. |
| Resource isolation and cryptographic isolation | Uses a tenant-specific cryptographic resource pool (HSM cluster) for complete resource and cryptographic isolation. |
| Key management | Provides a key management and cryptographic operation layer on top of the HSM cluster, so applications use the same KMS API operations instead of programming the HSMs directly. |
| Integration with multiple Alibaba Cloud services | Use keys held in your dedicated HSM cluster for encryption in Alibaba Cloud services, keeping control of the key material while the services perform the encryption. |