This topic describes the terms used in Key Management Service (KMS).
Key Management Service
An Alibaba Cloud service that provides key hosting and cryptographic operations. KMS implements security practices such as key rotation and integrates with other Alibaba Cloud services so that they can encrypt the user data they manage. With KMS you can focus on the application side of data encryption, data decryption, and digital signature generation and verification, while KMS takes on the cost of maintaining the confidentiality, integrity, and availability of your keys.
Customer master key
A customer master key (CMK) is a key hosted in KMS that never leaves the service in plaintext. It is primarily used to encrypt data keys (DKs), producing enveloped data keys (EDKs), and can also encrypt small amounts of data directly. You can call the CreateKey operation to create a CMK.
To encrypt business data, call the GenerateDataKey or GenerateDataKeyWithoutPlaintext operation. KMS generates a symmetric data key and encrypts it with the specified CMK, returning the encrypted data key (EDK). Because only the CMK inside KMS can decrypt the EDK, the EDK can be stored alongside the ciphertext and transferred over untrusted channels; when you need the plaintext data key again, you send the EDK back to KMS to be decrypted under the same CMK. For more information, see What is envelope encryption?
Data key
The plaintext symmetric key used to encrypt data. It is protected by a CMK and should be held in memory only for as long as the encryption or decryption operation needs it.
Enveloped data key or encrypted data key
The ciphertext key generated through envelope encryption.
Hardware security module
A hardware device that performs cryptographic operations and securely generates and stores keys. Managed HSM, provided by KMS, meets the testing and validation requirements of regulatory agencies and gives users high security assurance for the keys they manage in KMS. For more information, see Overview.
Encryption context
A set of key-value pairs passed in with a cryptographic operation, built on authenticated encryption with associated data (AEAD). KMS uses the supplied encryption context as the additional authenticated data (AAD) of the symmetric encryption algorithm, so the context is bound to the ciphertext and the same context must be supplied on decryption. This provides additional integrity and authenticity for encrypted data without the context itself being encrypted. For more information, see Encryption Context.
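The following is an added example, not code from the Alibaba Cloud KMS documentation or SDK, that ties together the envelope-encryption flow described under Customer master key and the encryption-context-as-AAD behaviour described above. KMS itself is replaced by a hypothetical in-process `LocalKms` class whose CMK bytes never leave it, and the AES-GCM AEAD used by real KMS is replaced by a standard-library stand-in (HMAC-derived keystream plus HMAC tag, encrypt-then-MAC) so the example runs offline; the key ID format, method names and sample plaintext are all constructed for the example. What it shows is the structure: the data key is wrapped by the CMK into an EDK, the EDK travels with the ciphertext, and a mismatched encryption context or a tampered ciphertext is rejected rather than silently decrypted.

```python
import hashlib
import hmac
import json
import os

# --- Stand-in AEAD (encrypt-then-MAC). Real KMS uses AES-GCM; this is only so the
# --- example runs with the standard library. Do not use as a production cipher.
_NONCE_LEN = 12
_TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _tag(mac_key: bytes, nonce: bytes, aad: bytes, ct: bytes) -> bytes:
    # Length-prefix the AAD so (aad, ct) boundaries are unambiguous.
    return hmac.new(mac_key, nonce + len(aad).to_bytes(4, "big") + aad + ct, hashlib.sha256).digest()


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(_NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _tag(mac_key, nonce, aad, ct)


def aead_decrypt(key: bytes, blob: bytes, aad: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:_NONCE_LEN], blob[_NONCE_LEN:-_TAG_LEN], blob[-_TAG_LEN:]
    # Verify the tag over nonce, AAD and ciphertext before decrypting anything.
    if not hmac.compare_digest(tag, _tag(mac_key, nonce, aad, ct)):
        raise ValueError("authentication failed: ciphertext or encryption context mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def canonical_context(context: dict) -> bytes:
    # The encryption context is bound as AAD, so it must be serialised the same
    # way on encrypt and decrypt regardless of key order.
    return json.dumps(context, sort_keys=True, separators=(",", ":")).encode()


class LocalKms:
    """Hypothetical stand-in for KMS: CMK material is created and used only in here."""

    def __init__(self):
        self._cmks = {}

    def create_key(self) -> str:                      # mirrors CreateKey
        key_id = "key-" + os.urandom(8).hex()         # constructed ID format
        self._cmks[key_id] = os.urandom(32)
        return key_id

    def generate_data_key(self, key_id: str, context: dict):   # mirrors GenerateDataKey
        dk = os.urandom(32)
        edk = aead_encrypt(self._cmks[key_id], dk, canonical_context(context))
        return dk, edk                                 # plaintext DK and its EDK

    def decrypt_data_key(self, key_id: str, edk: bytes, context: dict) -> bytes:  # mirrors Decrypt
        return aead_decrypt(self._cmks[key_id], edk, canonical_context(context))


def envelope_encrypt(kms: LocalKms, key_id: str, plaintext: bytes, context: dict) -> dict:
    dk, edk = kms.generate_data_key(key_id, context)
    ct = aead_encrypt(dk, plaintext, canonical_context(context))
    del dk  # plaintext data key is needed only for this one operation
    # The EDK is safe to store next to the ciphertext: only the CMK can unwrap it.
    return {"key_id": key_id, "edk": edk, "ciphertext": ct}


def envelope_decrypt(kms: LocalKms, envelope: dict, context: dict) -> bytes:
    dk = kms.decrypt_data_key(envelope["key_id"], envelope["edk"], context)
    return aead_decrypt(dk, envelope["ciphertext"], canonical_context(context))


def demo():
    kms = LocalKms()
    key_id = kms.create_key()
    ctx = {"app": "orders", "tenant": "acme"}          # constructed sample context
    env = envelope_encrypt(kms, key_id, b"constructed sample record", ctx)
    recovered = envelope_decrypt(kms, env, ctx)
    try:
        envelope_decrypt(kms, env, {"app": "orders", "tenant": "other"})
        wrong_context = "decrypted"
    except ValueError:
        wrong_context = "rejected"
    return recovered, wrong_context


if __name__ == "__main__":
    print(demo())
```

The two rejections the example exercises are the ones a practitioner relies on in production: a caller who presents a valid EDK but a different encryption context cannot unwrap the data key, and a ciphertext whose bytes have been modified fails tag verification before any plaintext is released. Because the context is only authenticated, not encrypted, it must not carry secrets; use it for binding metadata such as the owning tenant or object identifier.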