Dedicated Key Management Service (KMS) of the Standard edition stores your encryption keys in a dedicated hardware security module (HSM) cluster and supports native encryption capabilities of Alibaba Cloud services. It delivers HSM-backed key management and cryptographic operations for your applications. An optional Secrets Manager component lets you manage secrets throughout their lifecycle and give applications secure, efficient access.
Use cases
Encrypt data in self-managed applications: Connect applications to your Dedicated KMS instance over a VPC, then encrypt and decrypt data at the application layer using the instance's cryptographic API.
Integrate ISV applications: Applications from third-party independent software vendors (ISVs) can call the cryptographic operations of your Dedicated KMS instance.
Manage secrets securely: Store and manage secrets in Secrets Manager to eliminate hard-coded secrets in your applications and reduce the risk of credential leaks.
Enable cloud service encryption: Authorize Dedicated KMS to handle server-side encryption requests from Alibaba Cloud services, so cloud service data is encrypted using keys stored in your own HSM cluster. For the full list of supported services, see Alibaba Cloud services that can be integrated with KMS.
How it works
Dedicated KMS of the Standard edition is deployed as isolated instances. Each instance connects to a tenant-specific HSM cluster that you own and manage in Data Encryption Service.

Dedicated KMS includes the following components:
Cryptographic resource pool: A tenant-specific HSM cluster managed in Data Encryption Service. The cluster is a group of security devices dedicated to key storage and cryptographic operations.
Key management system: Manages the lifecycle of keys in your dedicated HSM cluster.
Cryptographic operation service: Exposes a unified API for encrypting and decrypting data. All cryptographic operations run against keys stored in the HSM cluster.
Secrets Manager (optional): Manages secrets throughout their lifecycle and gives applications secure, efficient access to them. This eliminates hard-coded secrets in application code.
Benefits
Isolate resources per tenant: Each instance is deployed in your VPC and backed by a tenant-specific cryptographic resource pool, providing both resource isolation and cryptographic isolation.
Simplify HSM management: Dedicated KMS handles the complexity of HSM administration, giving you stable, easy-to-use key management and cryptographic operation APIs on top of your HSM cluster.
Integrate with Alibaba Cloud services: HSMs integrate with Alibaba Cloud services, making server-side encryption of cloud service data more secure and manageable. For the full list of supported services, see Alibaba Cloud services that can be integrated with KMS.
Limits
| Metric | Limit |
|---|---|
| Customer master keys (CMKs) per instance | 1,000 |
| Secrets per instance | 10,000,000 |
| Queries per second (QPS) per instance | 2,000 |
Supported regions
Dedicated KMS of the Standard edition is available in the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), China (Hong Kong), Malaysia (Kuala Lumpur), and Singapore (Singapore).
Billing
Dedicated KMS of the Standard edition uses the subscription billing method. For pricing details, see Billing of Dedicated KMS.