This topic introduces the terms that are used in Key Management Service (KMS).
|Key Service||Key Service fully manages and protects your keys. Key Service supports data encryption
and digital signature in simple mode based on cloud-native API operations.
For more information about Key Service, see Overview.
|customer master key (CMK)||A CMK is used to encrypt data keys and generate enveloped data keys (EDKs). A CMK can also be used to encrypt a small volume of data. You can call the CreateKey operation to create a CMK.|
|key material||Key material is required when you perform cryptographic operations. To make sure that
you can perform cryptographic operations based on the key material, we recommend that
you keep the key material confidential. Key material can be encrypted by using private
keys of asymmetric cryptographic algorithms or by using symmetric cryptographic algorithms.
CMKs are basic resources of KMS. A CMK is composed of a key ID, basic metadata, and key material. By default, key material is generated by KMS when you create a CMK. In this case, the value of the Origin parameter is Aliyun_KMS. You can also set the Origin parameter to EXTERNAL when you create a CMK. In this case, KMS does not generate key material, and you must import external key material for the CMK.
For more information about key material, see Import key material.
|envelope encryption||To encrypt business data, you can call the GenerateDataKey or GenerateDataKeyWithoutPlaintext operation to generate a symmetric key and use a specified CMK to encrypt the symmetric
key. An EDK is generated. The EDK is secure even if it is stored and transferred over
unsecured communication channels. If you want to use the symmetric key, you need only
to call the Decrypt operation to decrypt the EDK.
For more information about envelope encryption, see What is envelope encryption?
|data key||A data key is a plaintext key that is used to encrypt data.
You can call the GenerateDataKey operation to generate a data key, use a specified CMK to encrypt the data key, and then obtain the plaintext and ciphertext of the data key.
|enveloped data key or encrypted data key||An EDK is a ciphertext data key that is generated by using envelope encryption.
If the plaintext of a data key is not needed, you can call the GenerateDataKeyWithoutPlaintext operation to obtain only the ciphertext of the data key.
|hardware security module (HSM)||An HSM is a hardware device that performs cryptographic operations and securely generates
and stores keys. KMS provides the Managed HSM feature. This feature meets both the
testing and validation requirements of regulatory agencies. This feature provides
you with high security for your keys that are managed in KMS.
For more information about HSMs, see Overview.
|encryption context||An encryption context refers to the encapsulation of authenticated encryption with
associated data (AEAD) in KMS. For more information about AEAD, see An Interface and Algorithms for Authenticated Encryption. KMS uses the imported encryption context as the additional authenticated data (AAD)
to support cryptographic operations in which symmetric encryption algorithms are used.
The encryption context helps improve the integrity and authenticity of data that needs
to be encrypted.
For more information about encryption contexts, see EncryptionContext.
|Secrets Manager||Secrets Manager allows you to manage your secrets throughout their lifecycle and allows
applications to use secrets in a secure and efficient manner. This prevents sensitive
data leaks that are caused by hardcoded secrets.
For more information about Secrets Manager, see Overview.
|Certificates Manager||Certificates Manager provides highly available and secure capabilities to manage keys
and certificates. Certificates Manager also allows you to obtain certificates to generate
and verify signatures.
For more information about Certificates Manager, see Overview.
|Dedicated KMS||Dedicated KMS is a key management service that you can fully manage. For example,
you can specify the virtual private cloud (VPC) in which Dedicated KMS is deployed
and configure the cryptographic resource pool used by Dedicated KMS. You can also
define role-based access control (RBAC) policies to allow access from applications.
For more information about Dedicated KMS, see Overview.