Key Management Service (KMS) is an end-to-end service platform for key management and data encryption. KMS provides simple, reliable, secure, and standard-compliant capabilities to encrypt and protect data. KMS greatly reduces your costs of procurement, O&M, and research and development (R&D) on cryptographic infrastructure and data encryption products. This way, you can focus more on your business.
Functions and features
KMS consists of four components: Key Service, Secrets Manager, Certificates Manager, and Dedicated KMS.
| Component | Description | References |
|---|---|---|
| Key Service | Key Service fully manages and protects your keys. Key Service supports data encryption and digital signature in simple mode based on cloud-native API operations. | Overview |
| Secrets Manager | Secrets Manager provides the secret encryption, secret hosting, regular rotation, secure distribution, and centralized management features. Secrets Manager reduces the security risks caused by static secrets that are configured in traditional IT facilities. | Overview |
| Certificates Manager | Certificates Manager provides highly available and secure capabilities to manage keys and certificates. Certificates Manager also allows you to obtain certificates to generate and verify signatures. | Overview |
| Dedicated KMS | Dedicated KMS is a key management service that you can fully manage. For example, you can specify the virtual private cloud (VPC) in which Dedicated KMS is deployed and configure the cryptographic resource pool used by Dedicated KMS. You can also define role-based access control (RBAC) policies to allow access from applications. | Overview |
Benefits
The following table lists the benefits of each feature.
| Feature | Benefit | Description | References |
|---|---|---|---|
| Key Service | Leading security compliance capabilities |
KMS supports industry-leading cryptographic infrastructure and meets your security level and security compliance requirements. |
Compliance |
| Fully managed implementation |
You do not need to procure cryptographic hardware or software. You do not need to invest in O&M or R&D of cryptographic facilities. You can directly use the features provided by Key Service and extend the features. |
Use managed HSMs | |
| Cloud-native capabilities |
KMS can be integrated with a variety of Alibaba Cloud services based on cloud-native API operations. KMS allows you to configure server-side encryption (SSE) with only a few clicks. |
Alibaba Cloud services that can be integrated with KMS | |
| Simplified application access |
KMS provides multiple methods such as KMS SDKs and Encryption SDKs to help you use the KMS encryption API. This way, you can encrypt and decrypt data, as well as generate and verify digital signatures in a convenient manner. |
||
| Centralized and large-scale management |
KMS can be automatically activated and supports services such as Resource Orchestration Service (ROS) and Terraform. KMS allows you to implement automatic data encryption for multi-account logons by using the default encryption policy. KMS automatically enables SSE for resources such as Elastic Compute Service (ECS) instances that use cloud disks, Object Storage Service (OSS) buckets, ApsaraDB RDS instances, and MaxCompute projects. |
Activate KMS by using the API | |
| Secrets Manager | Cloud-native capabilities |
KMS generates dynamic ApsaraDB RDS secrets based on cloud-native API operations, which helps you handle the major security threats to databases. |
Overview |
| Simplified application access |
KMS provides multiple methods such as KMS SDKs, Secrets Manager Client, and the Kubernetes plug-in to help you use dynamic secrets. |
Connect an application to Secrets Manager | |
| Centralized and large-scale management |
KMS can be automatically activated and supports services such as ROS and Terraform. KMS allows you to implement the automatic orchestration of Alibaba Cloud resources such as databases and OSS buckets, and the automatic management of secrets. The secrets are fully managed in Secrets Manager. This achieves centralized secret management. |
Activate KMS by using the API | |
| Certificates Manager | Secure key storage | Certificates Manager uses managed hardware security modules (HSMs) to ensure that keys and certificates are securely generated and stored. | Overview |
| Lifecycle management | Certificates Manager allows you to manage keys and certificates. You can generate certificate signing requests (CSRs), import certificates and certificate chains, verify the signatures of certificate chains, and check certificate validity. | ||
| Easy API-based integration | Certificates Manager provides multiple API operations to help you integrate a certificate service with your development environment, accelerate product deployment, and roll out certificate-related features. | Certificate operations | |
| Dedicated KMS | Access over private networks | Dedicated KMS allows you to deploy a tenant-specific instance in the VPC of the tenant. This way, Dedicated KMS is accessible over a private network. | Overview |
| Resource isolation and cryptographic isolation | Dedicated KMS uses a tenant-specific cryptographic resource pool to implement resource isolation and cryptographic isolation. This improves security. The pool is also called an HSM cluster. | Overview | |
| Key management | Dedicated KMS allows you to use HSMs in an easier manner. Dedicated KMS provides upper-layer key management and cryptographic operation services for HSMs in a stable and easy manner. | Overview | |
| Integration with multiple Alibaba Cloud services | Dedicated KMS allows you to integrate your HSMs with Alibaba Cloud services in a seamless manner. This helps improve encryption security and controllability for Alibaba Cloud services. | Alibaba Cloud services that can be integrated with KMS |