Alibaba Cloud services can encrypt the data they store for you by using keys from Key Management Service (KMS). The encryption uses the Advanced Encryption Standard (AES) with 256-bit keys, which is suitable for protecting sensitive data.
- Enhanced security and privacy protection for data stored in Alibaba Cloud services
Alibaba Cloud services can use KMS keys to encrypt all of your data, both the data that you access directly and the internal data of Alibaba Cloud services that you access only indirectly, such as files generated by database engines. This protects the confidentiality of your data stored in Alibaba Cloud services.
- No need to develop your own data encryption system
To develop your own data encryption system, you must:
- Design a proper key hierarchy and key distribution scheme that balances encryption performance against security.
- Design key rotation and data re-encryption mechanisms.
- Master cryptography well enough to ensure that your algorithm and its implementation are robust, secure, and tamper-resistant.
- Engineer the system for robustness and reliability so that encrypted data remains recoverable: data encrypted under a key that is lost or corrupted cannot be recovered.
Select appropriate keys
You can select different types of keys stored in KMS for encryption based on your data protection requirements.
- Service-managed keys
Each Alibaba Cloud service can create a default key, also called a service key, for you in KMS. You do not need to manage this service key; the Alibaba Cloud service manages it, and you do not need to explicitly authorize the service to use it. You can audit the service's use of the service key with ActionTrail.
To help you identify a service key, KMS sets its Creator attribute to the code of the Alibaba Cloud service and associates it with a special alias in the format acs/<Alibaba Cloud service code>. For example, the Creator attribute of the service key created by Object Storage Service (OSS) is set to OSS, and the service key is associated with the alias acs/oss.
- User-managed keys
You can use keys that you create yourself to encrypt data stored in Alibaba Cloud services. This gives you more control over how data is encrypted. You must explicitly authorize Alibaba Cloud services to use your keys, which you do in Resource Access Management (RAM): by configuring a permission policy and granting it to an Alibaba Cloud service, you allow or deny that service the use of a specific customer master key (CMK) stored in KMS. When the Alibaba Cloud service asks KMS to perform an operation with the CMK, KMS checks the service's permission through RAM; the service never receives the CMK material itself.
Besides keys generated by KMS, you can securely import offline key material into CMKs in KMS through the Bring Your Own Key (BYOK) feature and use these CMKs as your keys. This gives you more control over the key material. For example, you cannot immediately delete key material generated by KMS, but you can immediately delete key material that you imported. Be aware that after the imported material is deleted, data encrypted under that CMK cannot be decrypted unless you re-import the same key material. Exercise caution when using the BYOK feature because it incurs extra management costs. For more information, see Import key material.
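The authorization step above, as an added illustration written for this page (it is not a policy copied from Alibaba Cloud documentation): a RAM policy that grants a service only the two KMS operations envelope encryption needs, generating a data key and unwrapping one, and only on a single CMK. The region, account ID and key ID are placeholders, and the action names are assumed to follow the KMS API operation names GenerateDataKey and Decrypt. The grant to avoid is Action "kms:*" on Resource "*", which would let the service use every CMK in the account.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "acs:kms:cn-hangzhou:1234567890123456:key/<cmk-id>"
    }
  ]
}
```

Because the Resource names one key, a compromised or misconfigured service cannot use the same grant to decrypt data protected by your other CMKs, and KMS rejects any operation other than the two listed.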
Encrypt data in Alibaba Cloud services
The encryption design varies across Alibaba Cloud services according to their workloads and customer requirements. In general, a key hierarchy of at least two layers is used, and business data is encrypted with the envelope encryption mechanism: a data key (DK) encrypts the business data, and the CMK encrypts the DK.
In envelope encryption, the CMK is protected by the key management infrastructure of KMS and is never exposed to the service. The Alibaba Cloud service must be authorized to use the CMK, both to generate a DK for encrypting business data and to decrypt the DK ciphertext for decrypting that data. The plaintext DK exists only in the memory of the host where the Alibaba Cloud service instance runs; it is never stored in plaintext on any persistent storage medium. Only the DK ciphertext is persisted, typically alongside the data it protects.
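The envelope encryption flow described above, together with the RAM authorization check from the user-managed keys section, as an added example written in Go for this page (it is not Alibaba Cloud or KMS SDK code). A small in-memory stand-in for KMS holds one CMK and an allow list of service principals in place of the RAM policy; the service side calls GenerateDataKey, encrypts the object with the DK using AES-256-GCM, keeps only the wrapped DK beside the ciphertext, and has KMS unwrap the DK on read. The service names "oss" and "rds", the allow-list mechanism, and the nonce-prefixed ciphertext layout are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randomBytes draws n bytes from the OS CSPRNG; if that fails, the host cannot encrypt safely at all.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-256-GCM; every key in this example is 32 bytes, so construction cannot fail.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// seal encrypts plaintext under key and prepends the random nonce to the output (assumed layout).
func seal(key, plaintext []byte) []byte {
	g := aead(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or a tampered ciphertext fails GCM authentication.
func open(key, sealed []byte) ([]byte, error) {
	g := aead(key)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// SimKMS is an in-memory stand-in for KMS holding one CMK (this example's simulation, not Alibaba Cloud code).
type SimKMS struct {
	cmk     []byte          // 256-bit CMK material; never returned to callers
	allowed map[string]bool // service principals granted use of the CMK; stands in for the RAM policy check
}

// NewSimKMS generates a CMK inside KMS; allowed plays the role of the RAM policy attached to it.
func NewSimKMS(allowed map[string]bool) *SimKMS {
	return &SimKMS{cmk: randomBytes(32), allowed: allowed}
}

// GenerateDataKey returns a fresh 256-bit DK in plaintext and the same DK wrapped under the CMK.
func (k *SimKMS) GenerateDataKey(principal string) ([]byte, []byte, error) {
	if !k.allowed[principal] {
		return nil, nil, fmt.Errorf("principal %q is not authorized to use this CMK", principal)
	}
	plainDK := randomBytes(32)
	return plainDK, seal(k.cmk, plainDK), nil
}

// Decrypt unwraps a DK, again only for an authorized principal.
func (k *SimKMS) Decrypt(principal string, wrappedDK []byte) ([]byte, error) {
	if !k.allowed[principal] {
		return nil, fmt.Errorf("principal %q is not authorized to use this CMK", principal)
	}
	return open(k.cmk, wrappedDK)
}

// EncryptObject is the service's write path. It returns only what gets persisted, the wrapped DK
// and the ciphertext; the plaintext DK is a local that is never written anywhere.
func EncryptObject(kms *SimKMS, principal string, plaintext []byte) ([]byte, []byte, error) {
	plainDK, wrappedDK, err := kms.GenerateDataKey(principal)
	if err != nil {
		return nil, nil, err
	}
	return wrappedDK, seal(plainDK, plaintext), nil
}

// DecryptObject is the read path: KMS unwraps the DK after the authorization check, then the DK decrypts the data.
func DecryptObject(kms *SimKMS, principal string, wrappedDK, ciphertext []byte) ([]byte, error) {
	plainDK, err := kms.Decrypt(principal, wrappedDK)
	if err != nil {
		return nil, err
	}
	return open(plainDK, ciphertext)
}

func main() {
	kms := NewSimKMS(map[string]bool{"oss": true}) // assumption for the demo: only "oss" is granted use
	wrapped, ct, _ := EncryptObject(kms, "oss", []byte("customer record"))
	pt, _ := DecryptObject(kms, "oss", wrapped, ct)
	_, denied := DecryptObject(kms, "rds", wrapped, ct) // "rds" holds no grant, so KMS will not unwrap the DK
	fmt.Printf("recovered=%q; unauthorized read: %v\n", pt, denied)
}
```

Two details carry the security point. The CMK field of SimKMS is only ever used inside its own methods, so the service can obtain a DK but never the CMK, and a principal without a grant is refused before any key material is touched, on both the write and the read path. A production service would additionally wipe the plaintext DK from memory once the AES-GCM call returns.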