Compared with key management infrastructure (KMI), Key Management Service (KMS) features multi-service integration, ease of use, high reliability, and cost-effectiveness.

Multi-service integration

  • Authentication and access control

    KMS authenticates the validity of requests by using AccessKey pairs. KMS is integrated with Resource Access Management (RAM). This allows you to configure a variety of custom policies to meet requirements in different authorization scenarios. Requests that are initiated by valid users and pass attribute-based access control (ABAC) of RAM can be accepted by KMS. For more information, see Use RAM to control access to KMS resources.

  • Key usage auditing

    KMS is integrated with ActionTrail. This allows you to view the recent KMS usage and store the KMS usage information in other services such as OSS to meet audit requirements in the long term. For more information, see Use ActionTrail to query KMS event logs.

  • Data encryption for integrated cloud services

    KMS is integrated with multiple Alibaba Cloud services such as ECS, ApsaraDB for RDS, and OSS. You can easily use customer master keys (CMKs) in KMS to encrypt and control the data stored in these services and maintain control over the cloud computing and storage environments. You only need to pay for the service and do not need to implement complex encryption capabilities. In addition, KMS also protects native data of these services. For more information, see Integration with KMS and Alibaba Cloud services that can be integrated with KMS.

Ease of use

  • Easy encryption

    KMS simplifies abstract cryptographic concepts and provides cryptographic API operations that allow you to easily encrypt and decrypt data. For applications that require a key hierarchy, KMS provides convenient envelope encryption to quickly implement the key hierarchy: It generates data keys (DKs) and uses CMKs as key encryption keys (KEKs) to protect DKs. For more information, see What is envelope encryption?

  • Centralized key hosting

    KMS provides centralized key hosting and control.

    • You can create a new CMK at any time and use RAM to easily manage who can access the CMK.
    • You can use ActionTrail to audit key usage.
    • You can import keys to KMS from KMI or from hardware security modules (HSMs) of Data Encryption Service. For keys that are imported from external sources or created in KMS, their confidential information or sensitive data is used by other Alibaba Cloud services for data encryption and protection.
  • BYOK

    KMS supports Bring Your Own Key (BYOK). You can import your own keys to KMS to encrypt data on the cloud. This facilitates key management. You can import the following types of keys to KMS:

    • Keys in your on-premises KMI
    • Keys in user-managed HSMs of Alibaba Cloud Data Encryption Service
    Note Keys imported to managed HSMs in KMS cannot be exported by using any method because secure key exchange algorithms are used in KMS. Operators or third parties are not allowed to check the plaintext of keys. For more information, see Import key material and Key control.
  • Custom key rotation policies

    KMS supports automatic rotation of symmetric encryption keys based on security policies. You only need to configure a custom rotation cycle for a CMK. KMS automatically generates new CMK versions. A CMK can have multiple key versions. Each version can be used to decrypt corresponding ciphertext data. The latest key version (called the primary version) is an active encryption key and is used to encrypt current data. For more information, see Automatic key rotation.

High reliability, availability, and scalability

As a fully managed distributed service, KMS builds multi-zone redundant cryptographic computing capabilities in each region. This ensures that Alibaba Cloud services and your custom applications can send requests to KMS with low latency. You can create many keys in KMS across multiple regions based on your business requirements without the need to scale the underlying infrastructure.

Security and compliance

KMS has passed strict security design and verification to ensure stringent protection of your keys on the cloud.

  • KMS only provides TLS-based access channels and uses secure transmission encryption algorithm suites. It complies with security standards such as PCI DSS.
  • KMS provides cryptographic facilities verified and certified by regulatory agencies. It offers HSMs that are tested and certified by State Cryptography Administration (SCA) or have passed FIPS 140-2 Level 3 validation. For more information, see Compliance.
  • KMS uses HSMs to host keys for higher levels of security. For more information, see Overview.

Low costs

With KMS, you only pay for the resources that you use.

  • You do not need to pay for the initial cost of HSMs, as well as the cost of operating, maintaining, repairing, and replacing HSMs.
  • KMS reduces the costs of building highly available and reliable cryptographic device clusters and reduces the R&D and maintenance costs for user-created key management facilities.
  • KMS is integrated with other cloud services to eliminate the R&D overhead of a data encryption system. You only need to manage keys to achieve controllable data encryption on the cloud.