Dedicated Key Management Service (KMS) is a key management service that is fully managed by you. For example, you can specify the virtual private cloud (VPC) in which Dedicated KMS is deployed and configure the cryptographic resource pool used by Dedicated KMS. You can also define role-based access control (RBAC) policies to allow access from applications.


  • Self-managed application integration

    You can connect your applications to your Dedicated KMS instance over a VPC. Then, you can encrypt and decrypt data at the application layer by using the capabilities provided by the instance.

  • Third-party ISV application integration

    Some applications provided by third-party independent software vendors (ISVs) can call cryptographic operations of hardware security modules (HSMs) based on standard cryptographic middleware.

  • Cloud service integration

    You can authorize Shared KMS to forward server-side encryption requests from cloud services to Dedicated KMS.


  • Dedicated KMS provides a single-tenant instance that is deployed in the VPC of a tenant to allow access over private networks.
  • Dedicated KMS uses a single-tenant cryptographic resource pool to implement resource isolation and cryptographic isolation. This improves security.
  • Dedicated KMS simplifies the management of HSMs. You can use the stable, easy-to-use upper-layer key management features and cryptographic operations provided by Dedicated KMS to manage your HSMs.
  • Dedicated KMS allows you to integrate your HSMs with Alibaba Cloud services. This delivers secure and controllable encryption capabilities for Alibaba Cloud services. For more information, see Alibaba Cloud services that can be integrated with KMS.


Dedicated KMS is independently deployed and is offered as instances. The following figure shows the architecture of Dedicated KMS.


Dedicated KMS includes the following components:

  • Cryptographic resource pool

    A cryptographic resource pool refers to a single-tenant HSM cluster that you manage in Data Encryption Service. The single-tenant HSM cluster is a group of security devices that are used for key storage and cryptographic operations.

  • Key management system

    The key management system allows you to manage the lifecycle of keys in your custom dedicated HSM cluster.

  • Cryptographic operation service

    Dedicated KMS provides an easy-to-use API to schedule cryptographic operations. The keys that are used during cryptographic operations must be stored in the HSM cluster.

Supported regions

Dedicated KMS is available in the China (Shanghai) , China (Beijing), China (Hong Kong) and Malaysia (Kuala Lumpur) regions.