The key service is a core component of Key Management Service (KMS). The key service provides fully managed keys and key protection features. The key service supports simple data encryption and digital signature management based on cloud-native API operations.
Key hosting and protection
Feature | Description | Related topic |
Host and manage keys | An encryption key managed by KMS is called a customer master key (CMK). You can manage the lifecycle of a CMK. | |
You can rotate keys. | ||
You can set an alias for a key to easily use the key. You can also manage keys by calling API operations. | ||
Protect keys and meet compliance requirements | When you use keys, you must meet security and compliance requirements. We recommend that you set the protection level of your CMK to hardware security module (HSM) to protect the CMK by using dedicated hardware. This also allows keys to meet GM/T or FIPS 140-2 Level 3 compliance requirements. After the protection level of the CMK is set to HSM, the plaintext of the key material is stored only inside an HSM. No one can access the plaintext of the key material. The plaintext of the key material cannot be exported from the HSM. | |
Use Bring Your Own Key (BYOK) | You can import your own keys to KMS by using the BYOK feature to meet specific security requirements. Your own keys include keys managed offline, keys hosted in other clouds, and keys used in Alibaba Cloud Data Encryption Service. |
Data encryption
KMS provides cloud-native cryptographic API operations that are simpler than those for traditional cryptographic modules or cryptographic software libraries. In addition, KMS provides multiple SDKs to accelerate the development. For more information about how to use SDKs to develop code, see Overview of development tools.
Feature | Description | Related topic |
Encrypt data for Alibaba Cloud services with a few clicks | KMS is integrated with a variety of Alibaba Cloud services and provides cloud-native encryption features. You only need to perform simple configurations to allow KMS to automatically encrypt your data in other Alibaba Cloud services. | |
Encrypt data for Alibaba Cloud services by using code | KMS SDK KMS SDK encapsulates KMS API operations. You can view the sample code to learn how to call the Encrypt operation of KMS in your code to encrypt data. | |
Encryption SDK Encryption SDK is a client-side encryption library based on KMS API operations. You can view the quick start of Encryption SDK to learn how to call Encryption SDK in your code to use the envelope encryption feature. |
Description of encryption algorithms supported by KMS
The following table describes the encryption algorithms supported by KMS.
Algorithm class | Algorithm subclass | Encryption and decryption | Signature generation and verification |
Symmetric key algorithm | AES | Supported | Not supported |
Symmetric key algorithm | SM4 Note | Supported | Not supported |
Asymmetric key algorithm | RSA | Supported | Supported |
Asymmetric key algorithm | ECC | Not supported | Supported |
Asymmetric key algorithm | SM2 Note | Supported | Supported |
Only managed HSMs in the Chinese mainland support the SM4 and SM2 algorithms. For more information, see Supported regions.
Symmetric keys are used to encrypt or decrypt data. If you do not specify the KeySpec parameter during key creation, KMS creates a symmetric key. For more information, see Overview.
Asymmetric keys can be used to encrypt data, decrypt data, generate a signature, or verify a signature. An asymmetric CMK in KMS consists of a public key and a private key, which are cryptographically related to each other. The public key can be sent to anyone, but the private key must be kept secure. KMS does not provide an API operation for you to export the private key of an asymmetric key pair. You can only call API operations to use the private key to generate signatures or decrypt data. For more information, see Overview.