Dedicated Key Management Service (KMS) is a key management service that you can fully manage. For example, you can specify the virtual private cloud (VPC) in which Dedicated KMS is deployed and configure the cryptographic resource pool used by Dedicated KMS. You can also define role-based access control (RBAC) policies to allow access from applications.


  • Self-managed application integration

    You can connect self-managed applications to your Dedicated KMS instance over a VPC. Then, you can encrypt and decrypt data at the application layer by using the capabilities provided by the instance.

  • Third-party ISV application integration

    Applications that are provided by third-party independent software vendors (ISVs) can call the cryptographic operations of hardware security modules (HSMs) based on standard cryptographic middleware.

  • Cloud service integration

    You can authorize Shared KMS to forward server-side encryption requests from cloud services to Dedicated KMS.


  • Dedicated KMS provides a tenant-specific instance that is deployed in the VPC of a tenant to allow access over an internal network.
  • Dedicated KMS uses a tenant-specific cryptographic resource pool to implement resource isolation and cryptographic isolation. This improves security.
  • Dedicated KMS simplifies the management of HSMs. You can use the stable, easy-to-use upper-layer key management features and cryptographic operations provided by Dedicated KMS to manage your HSMs.
  • Dedicated KMS allows you to integrate your HSMs with Alibaba Cloud services in a seamless manner. This delivers secure and controllable encryption capabilities for Alibaba Cloud services. For more information, see Alibaba Cloud services that can be integrated with KMS.


Dedicated KMS is independently deployed and is offered as instances. The following figure shows the architecture of Dedicated KMS.


Dedicated KMS includes the following components:

  • Cryptographic resource pool

    A cryptographic resource pool refers to a tenant-specific HSM cluster that you can manage in Data Encryption Service. The HSM cluster is a group of security devices that are used for key storage and cryptographic operations.

    For more information about Data Encryption Service, see Data Encryption Service.

  • Key management system

    The key management system allows you to manage the lifecycle of keys in your custom dedicated HSM cluster.

  • Cryptographic operation service

    Dedicated KMS provides an easy-to-use API to schedule cryptographic operations. The keys that are used during cryptographic operations must be stored in the HSM cluster.

Supported regions

Dedicated KMS is available in the China (Shanghai), China (Beijing), China (Hong Kong), and Malaysia (Kuala Lumpur) regions.