This topic describes the terms used in Key Management Service (KMS).

Key Management Service

An Alibaba Cloud service that provides key hosting and cryptographic operations. KMS implements security practices such as key rotation and integrates with other Alibaba Cloud services to encrypt the user data those services manage. With KMS you can focus on building features such as data encryption and decryption and digital signature generation and verification, instead of maintaining the security, integrity, and availability of your keys yourself.

Customer master key

A customer master key (CMK) is a key that is stored and used inside KMS; your application refers to it by its identifier. A CMK is primarily used to encrypt data keys (DKs), which produces enveloped data keys (EDKs); it can also encrypt a small amount of data directly. You can call the CreateKey operation to create a CMK.

Envelope encryption

To encrypt business data, you call the GenerateDataKey or GenerateDataKeyWithoutPlaintext operation. KMS generates a symmetric data key (DK), encrypts it with the CMK you specify, and returns the result as an enveloped data key (EDK). Your application encrypts the business data locally with the plaintext DK and stores only the EDK next to the ciphertext; because the EDK is itself encrypted, it can be stored and transferred over unsecured channels. When the data must be read, you send the EDK back to KMS to recover the DK. For more information, see What is envelope encryption?

Data key

The plaintext key used to encrypt data.

Note The GenerateDataKey operation generates a DK, encrypts it with the specified CMK, and returns both the plaintext DK and its ciphertext (the EDK).

Enveloped data key or encrypted data key

The ciphertext key generated through envelope encryption.

Note If you do not need the plaintext of the DK at this point, for example in a component that only writes encrypted data and never decrypts it, call the GenerateDataKeyWithoutPlaintext operation, which returns only the ciphertext (the EDK).

Hardware security module

A hardware device that performs cryptographic operations and securely generates and stores keys. The managed HSMs provided by KMS meet the testing and validation requirements of regulatory agencies and give you a high level of assurance for the keys you manage in KMS. For more information, see Overview.

Encryption context

A set of key-value pairs that you pass with a cryptographic operation. KMS uses the encryption context as the additional authenticated data (AAD) of the symmetric authenticated encryption with associated data (AEAD) algorithm, so the resulting ciphertext is bound to that context: it gains additional integrity and authenticity protection, and the same context must be supplied on decryption or the operation fails. Because AAD is authenticated but not encrypted, an encryption context must not contain secrets. For more information, see Encryption Context.
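The following Go program, added here as an illustration and not taken from Alibaba Cloud's SDK or documentation, walks through the envelope encryption, data key and encryption context terms above end to end. The type LocalKMS is an assumed local stand-in for the service side (it holds a CMK and offers GenerateDataKey, GenerateDataKeyWithoutPlaintext and Decrypt); in a real deployment those calls go to KMS over its API with the CMK's identifier and the encryption context as parameters, and the CMK never leaves the service. AES-256-GCM from the standard library plays the role of the AEAD algorithm on both the wrap and the data layer. The encryption context is canonicalized before use as AAD, so a decrypting party that passes the same pairs in a different order still succeeds, while a different or missing context fails at the unwrap step.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// canonicalContext renders the context as the exact AAD bytes. encoding/json sorts map
// keys, so both sides derive identical bytes; an empty context contributes no AAD.
func canonicalContext(ctx map[string]string) []byte {
	if len(ctx) == 0 {
		return nil
	}
	b, _ := json.Marshal(ctx) // a map[string]string always marshals
	return b
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// aeadSeal: AES-256-GCM. aad is covered by the tag but is neither encrypted nor output.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil // nonce || ciphertext || tag
}
// aeadOpen reverses aeadSeal; any change to ciphertext, tag or aad fails here.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// LocalKMS is an assumed stand-in for the service: the CMK lives only here and is never returned.
type LocalKMS struct{ cmk []byte }
func NewLocalKMS() (*LocalKMS, error) {
	cmk := make([]byte, 32)
	_, err := rand.Read(cmk)
	return &LocalKMS{cmk: cmk}, err
}
// GenerateDataKey returns a fresh plaintext DK and its EDK (DK wrapped by the CMK, ctx as AAD).
func (k *LocalKMS) GenerateDataKey(ctx map[string]string) (dk, edk []byte, err error) {
	dk = make([]byte, 32)
	if _, err = rand.Read(dk); err != nil {
		return nil, nil, err
	}
	edk, err = aeadSeal(k.cmk, dk, canonicalContext(ctx))
	return dk, edk, err
}
// GenerateDataKeyWithoutPlaintext returns only the EDK, for a writer that never decrypts.
func (k *LocalKMS) GenerateDataKeyWithoutPlaintext(ctx map[string]string) ([]byte, error) {
	_, edk, err := k.GenerateDataKey(ctx)
	return edk, err
}
// Decrypt unwraps an EDK; the caller must present the same context used at wrap time.
func (k *LocalKMS) Decrypt(edk []byte, ctx map[string]string) ([]byte, error) {
	return aeadOpen(k.cmk, edk, canonicalContext(ctx))
}

// Envelope is what a client persists: the ciphertext and the EDK that unlocks it.
type Envelope struct{ EDK, Ciphertext []byte }
// EnvelopeEncrypt: one data key per object, used locally, then dropped (zero it in real code).
func EnvelopeEncrypt(kms *LocalKMS, plaintext []byte, ctx map[string]string) (*Envelope, error) {
	dk, edk, err := kms.GenerateDataKey(ctx)
	if err != nil {
		return nil, err
	}
	ct, err := aeadSeal(dk, plaintext, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{EDK: edk, Ciphertext: ct}, nil
}
// EnvelopeDecrypt: the caller re-derives ctx from the record (tenant, object id) rather than
// trusting a stored copy, unwraps the EDK through the KMS stand-in, then decrypts locally.
func EnvelopeDecrypt(kms *LocalKMS, env *Envelope, ctx map[string]string) ([]byte, error) {
	dk, err := kms.Decrypt(env.EDK, ctx)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dk, env.Ciphertext, nil)
}
```

Two design points are worth noting. The context is deliberately not stored inside the Envelope: the reader reconstructs it from facts it already trusts (for example the tenant that owns the record), which is what stops a ciphertext from being replayed under another tenant's identity. And the plaintext DK exists only for the duration of one call; a production client should additionally overwrite it before returning, and must never persist it next to the EDK.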