Key Management Service (KMS) is suitable for a wide range of scenarios. This topic describes the common scenarios in which KMS can be used.

Common scenarios

Role Demand Common scenario Solution
Application developer Make sure the security of sensitive data in applications. An application developer must use sensitive business data and operating data in applications. The application developer wants to encrypt the sensitive data by using encryption keys and use KMS to protect the encryption keys. Encrypt and protect sensitive data
IT O&M engineer Provide a secure environment for IT facilities that are deployed on the cloud. The IT infrastructure in the cloud is shared with other tenants. In this case, an IT O&M engineer cannot establish physical security boundaries in the cloud in the same manner as in traditional data centers. However, the IT O&M engineer must build a trusted, visible, and controllable security mechanism for the cloud computing and storage environment. Manage the cloud computing and storage environment
Chief security officer (CSO) Make sure the security and compliance of information systems. A CSO must make sure that key management requirements in specific compliance standards are met. The CSO must also make sure that the requirements for application and information system security are met by using cryptographic technologies. Help information systems meet compliance requirements
Independent service vendor (ISV) Use third-party encryption to provide security capabilities for a service. An ISV is requested by customers to encrypt and protect user data in a service.
  • The ISV wants to focus on developing business features instead of implementing key management and distribution features.
  • Customers hope that the ISV provides controllable and reliable capabilities to encrypt and protect data.
Provide a third-party encryption solution for ISVs

Encrypt and protect sensitive data

You can use data encryption to protect sensitive data that is generated or stored on the cloud. Alibaba Cloud provides multiple methods to encrypt and protect sensitive data.

Encryption method Demand Description References
Envelope encryption Make sure the security of sensitive data in applications. Sensitive data must be encrypted and decrypted with high queries per second (QPS) performance, or a large amount of data canont be directly encrypted. For example, you encrypt sensitive data such as mobile phone numbers and ID card numbers. The envelope encryption feature stores your customer master keys (CMKs) in KMS. You need to only deploy enveloped data keys (EDKs). You can use KMS to decrypt the EDKs and use the returned plaintext data keys (DKs) to encrypt or decrypt your local business data.

You can also use Encryption SDK in which the envelope encryption feature is encapsulated to encrypt data.

Direct encryption Make sure the security of sensitive data in applications. The QPS for sensitive data encryption and decryption is less than the system throttling threshold. The size of the data is less than or equal to 6 KB. For example, you encrypt sensitive data such as AccessKey pairs and usernames and passwords that are used to access databases. You can call the encryption API operation of KMS to directly encrypt sensitive data by using CMKs. Use a KMS CMK to encrypt and decrypt data online
Server-side encryption (SSE) Provide basic assurance for the data security environment of IT facilities in the cloud. For example, you can use the SSE feature of Object Storage Service (OSS) to protect buckets that store sensitive data or use transparent data encryption (TDE) to protect tables that contain sensitive data. If you use Alibaba Cloud services to store data, you can use the SSE feature of these services to encrypt and protect data in an effective manner. Alibaba Cloud services that can be integrated with KMS
Secrets Manager Secrets Manager allows you to manage the lifecycle of your secrets and allows applications to use secrets in a secure and efficient manner. This prevents sensitive data leaks that are caused by hardcoded secrets. You can host sensitive data, such as passwords, tokens, SSH keys, and AccessKey pairs, in Secrets Manager and use a secure method to manage the data. You can host your sensitive data in Secrets Manager and use application-level security access mechanisms to ensure secure access to sensitive data. You can also dynamically rotate secrets to prevent data leaks.

Manage the cloud computing and storage environment

You can integrate KMS with other Alibaba Cloud services to use the SSE feature. This way, you can manage the cloud computing and storage environment, and isolate and protect your computing and storage resources by using a distributed multi-tenant system. You can manage the distributed computing and storage environment by managing the lifecycle, usage status, and access control policies of CMKs in KMS. You can also integrate KMS with ActionTrail to check and audit key usage in KMS. The following table describes the common scenarios in which KMS is used to manage the cloud computing and storage environment.

Scenario Demand Description References
Elastic Compute Service (ECS) Use KMS keys to ensure the security of system disks, data disks, snapshots, and images of ECS instances. KMS is suitable for scenarios that require data security and regulatory compliance. After you authorize ECS to use KMS keys, ECS can encrypt and protect system disks, data disks, snapshots, and images. For example, to start an ECS instance, you must decrypt both the system disk and the data disk. You also must encrypt snapshots that are created from encrypted disks. This hepls enhance the security of ECS instances and storage resources by using KMS. Encryption overview
Persistent storage Use the client-side encryption feature or the SSE feature of KMS to ensure the security of your data that is stored in OSS. Advanced Encryption Standard (AES) and SM algorithms are supported. The persistent storage services provided by Alibaba Cloud ensure data storage reliability by using the distributed and redundancy method. These services include ApsaraDB RDS, OSS, and Apsara File Storage NAS. When KMS is integrated with these services to encrypt data before the data is stored, data redundancy in distributed systems becomes controllable and visible. For any read requests, data must first be decrypted by KMS. None
Other computing and storage scenarios Use KMS keys to protect the data of your storage services in the cloud. Multiple Alibaba Cloud services support integration with KMS. Alibaba Cloud services that can be integrated with KMS

Help information systems meet compliance requirements

Enterprises or organizations may encounter the following situations when they evaluate the compliance requirements for cryptographic technologies:

  • Compliance regulations require information systems to be protected by cryptographic technologies and the cryptographic technologies to meet relevant technical standards and security specifications.
  • The use of cryptographic technologies is not mandatory in compliance specifications. However, cryptographic technologies conduce to the compliance process. For example, the use of cryptographic technologies helps you obtain higher scores in scoring rules.

The following table describes the features that are provided by KMS to help enterprises meet compliance requirements.

Feature Description References
Cryptographic compliance KMS supports managed hardware security modules (HSMs). The managed HSMs are third-party hardware devices that are certified by regulatory agencies. The HSMs run in an approved security mode. The managed HSMs are validated by State Cryptography Administration (SCA) and Federal Information Processing Standard (FIPS) 140-2 Level 3.
Key rotation KMS supports automatic rotation of encryption keys. Enterprises can configure custom rotation policies to meet data security specifications and best practices.
Secrets rotation You can use Secrets Manager to meet the rotation requirement for secrets such as passwords and AccessKey pairs. In addition, you can enjoy effective and reliable emergency responses to data leaks. Rotate generic secrets
Data confidentiality KMS allows you to encrypt and protect personal privacy data. This helps you prevent privacy leaks when your system is attacked and meet the requirements of laws and regulations that are related to data protection. None
Data integrity KMS is integrated with Log Service and ActionTrail. You can use KMS to encrypt logs of Alibaba Cloud services to prevent the logs from being tampered with. KMS also ensures the confidentiality and integrity of log data. None
Authentication and access control KMS is integrated with Resource Access Management (RAM) to implement centralized authentication and authorization. Use RAM to control access to KMS resources
Key usage auditing KMS stores all API call records in ActionTrail, which allows you to perform compliance auditing on key usage. Use ActionTrail to query KMS event logs

Provide a third-party encryption solution for ISVs

As an ISV, you can integrate KMS as a third-party data security solution to protect the data of customers in your services. After you allow customers to manage keys in KMS and authorize ISVs to use these keys, KMS acts as a third-party security protection system between the ISVs and the customers. The customers and the ISVs can work together to ensure system security.

Role Description References
Customer administrator An administrator generates keys in KMS and manages the lifecycle of the keys. The administrator can use RAM to manage the permissions on keys. The administrator can allow ISVs to use specified keys in KMS by using methods such as resource authorization across Alibaba Cloud accounts. Use a RAM role to grant permissions across Alibaba Cloud accounts
ISV An ISV uses the specified keys to encrypt and protect data by integrating KMS. List of operations by function
Customer auditor An auditor uses ActionTrail to audit the usage records of keys in KMS. Use ActionTrail to query KMS event logs