Key Management Service (KMS) is an end-to-end platform for key management, data encryption, and secret management. It reduces the procurement, O&M, and R&D costs of building cryptographic infrastructure — so you can focus on your application logic rather than managing underlying security hardware.
KMS comprises two components: Key Management and Secrets Manager.
Key Management
Key Management lets you create, control, and use cryptographic keys to protect data across your applications and Alibaba Cloud services.
Key types
KMS provides three types of keys to fit different security and compliance requirements:
| Key type | Protection | Use cases | Pricing |
|---|---|---|---|
| Default keys | Software | Server-side encryption in Alibaba Cloud services | Free |
| Software-protected keys | Software | Application-level encryption, server-side encryption | Paid |
| Hardware-protected keys | Certified hardware security modules (HSMs) | Data encryption in applications, server-side encryption in Alibaba Cloud services, strict compliance requirements | Paid |
For details, see Overview of Key Management.
Features
HSM-backed compliance
Hardware-protected keys use certified hardware security modules (HSMs) to meet strict security and compliance requirements. See Hardware-protected key.
Cloud-native encryption
KMS integrates with a wide range of Alibaba Cloud services. Use it for server-side encryption across those services and for at-rest secret encryption in Container Service for Kubernetes (ACK) Pro clusters. See Alibaba Cloud services that can be integrated with KMS.
SDK and API access
Access KMS programmatically through:
- Alibaba Cloud SDK — manage key lifecycles
- KMS Instance SDK — perform cryptographic operations such as encryption, decryption, and signing and verification
Infrastructure-scale management
Use Resource Orchestration Service (ROS) or Terraform to automate server-side encryption across Elastic Compute Service (ECS) instances with cloud disks, Object Storage Service (OSS) buckets, ApsaraDB RDS instances, and MaxCompute projects. See Terraform overview.
Secrets Manager
Secrets Manager lets you store, rotate, and distribute secrets securely — eliminating the need to hardcode credentials in your applications.
Features
Dynamic secrets for Alibaba Cloud resources
KMS manages secrets for Resource Access Management (RAM), ApsaraDB RDS, and ECS resources. Configure rotation cycles to use dynamic secrets, which limits the impact of a leaked RAM user AccessKey pair or of leaked user credentials for ApsaraDB RDS and ECS resources, because a rotated credential stops working after its rotation cycle. See Overview of Secrets Manager.
Simplified application integration
Retrieve secrets in your application through:
Infrastructure-scale management
Use ROS or Terraform to manage secrets at scale and automate operational orchestration. See Terraform overview.