Key Management Service:Terms

Last Updated:Mar 31, 2026

Key Management Service (KMS) uses several core concepts across its key management and secrets management features. This page defines those terms.

Jump to: Key Management · Secrets Manager · KMS instance · HSM · CMK · Default key · Service key · Key material · Secrets · AAP

Key Management

Key Management provides cryptographic operations for your applications and Alibaba Cloud services, including secure key storage, key lifecycle management, data encryption, data decryption, and digital signature (signing and verification). For details, see Key types.

Secrets Manager

Secrets Manager handles the full lifecycle of secrets, allowing applications to use them in a secure and efficient manner. It eliminates the need to hardcode secrets in application code, reducing the risk of sensitive data leaks. For details, see Overview.

KMS instance

A KMS instance is a dedicated resource that isolates your keys and secrets from other tenants. KMS instances come in two types:

  • Software key management: Stores keys and secrets in software-based dedicated instances. Offers high scalability while maintaining security.

  • Hardware key management: Connects to your hardware security module (HSM) cluster in Cloud Hardware Security Module to store keys, and stores secrets in dedicated KMS instances. Meets heightened security and compliance standards. Before enabling a hardware key management instance, purchase and configure an HSM cluster in Cloud Hardware Security Module and connect it to KMS.

    Note

    HSMs provided by Cloud Hardware Security Module are either certified by the Chinese State Cryptographic Authority or validated to FIPS 140-2 Level 3.

KMS instances support server-side encryption in Alibaba Cloud services integrated with KMS, and cryptographic solutions for your self-managed applications. When purchasing a KMS instance, select a performance quota based on your business requirements. For details, see Performance quotas.

Hardware security module (HSM)

An HSM is a dedicated hardware device that generates, stores, and uses cryptographic keys inside a tamper-resistant boundary, so that symmetric and private key material is never exposed in plaintext outside the device. HSMs are commonly used as the root of trust for key material in IT systems.

Integrating KMS with Cloud Hardware Security Module lets you use HSM clusters to back your KMS keys. This improves key security, helps meet higher compliance requirements, and satisfies the testing and certification requirements of regulators.

Customer master key (CMK)

A customer master key (CMK) is a primary key that you create and manage in KMS. Each CMK consists of a key ID, basic metadata, and key material.

Default key

A default key is used exclusively for server-side encryption in Alibaba Cloud services integrated with KMS. It can be one of the following:

Key type    | Who creates it        | Who manages it        | Notes
------------|-----------------------|-----------------------|----------------------------------------------------------------
Service key | Alibaba Cloud service | Alibaba Cloud service | Created automatically when you enable a KMS-integrated service
CMK         | You                   | You                   | One per region; supports imported or KMS-generated key material

All default keys support only the AES-256 symmetric cryptographic algorithm.

Service key

A service key is created and managed by an Alibaba Cloud service in KMS on your behalf. It is used by default for server-side encryption in that Alibaba Cloud service.

Key material

Key material is the secret cryptographic data on which a key's operations (encryption, decryption, signing) depend. Keep key material confidential at all times. For an asymmetric key, the key material is the private key; for a symmetric key, it is the key itself.

The source of key material determines the Origin attribute on the key:

Key type               | Key material source | Origin attribute
-----------------------|---------------------|-----------------
Default key (CMK type) | Generated by KMS    | Aliyun_KMS
Default key (CMK type) | Imported by you     | EXTERNAL
Software-protected key | Generated by KMS    | Aliyun_KMS
Software-protected key | Imported by you     | EXTERNAL
Hardware-protected key | Generated by HSM    | Aliyun_KMS
Hardware-protected key | Imported by you     | EXTERNAL

Secrets

Secrets are sensitive credentials used to authenticate applications and services. Examples include:

  • Database usernames and passwords

  • SSH keys

  • Sensitive addresses

  • Alibaba Cloud AccessKey pairs

Use Secrets Manager to manage your secrets throughout their lifecycle without embedding them in code.
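The following is an added example, not code from the Alibaba Cloud documentation or SDK. It contrasts the hardcoded-credential anti-pattern described in the Secrets Manager and Secrets sections above with a runtime lookup, and shows the checks an application should apply to what it gets back: the secret must be a text secret, the version returned must carry the current stage label, the payload must parse into the expected fields, and the resulting object must not leak the password through repr() or logging. The response shape (SecretName, SecretData, SecretDataType, VersionStages) follows the KMS GetSecretValue reply as assumed here, and the stage label ACSCurrent is likewise an assumption; the in-memory FAKE_SECRETS store, the secret names, and the credential values are constructed so the example runs offline. In production, get_secret_value would wrap the SDK's GetSecretValue call instead.

```python
"""Added example: loading a database credential from Secrets Manager
instead of hardcoding it. Not part of the Alibaba Cloud documentation."""
import json
from dataclasses import dataclass, field
from typing import Any, Callable, Mapping

# --- Before: the anti-pattern the page warns against -----------------------
# A credential committed to source lands in every clone, CI log and container
# image built from it, and rotating it means changing and redeploying code.
HARDCODED_DSN = "mysql://app_user:Sup3rS3cret!@db.internal:3306/orders"  # constructed

# --- After: resolve the credential from Secrets Manager at runtime ------------
CURRENT_STAGE = "ACSCurrent"  # assumption: stage label Secrets Manager puts on the live version


class SecretError(RuntimeError):
    """Raised when a secret cannot be used as a database credential."""


@dataclass(frozen=True)
class DbCredential:
    username: str
    password: str = field(repr=False)  # keep the password out of repr()/log lines
    host: str
    port: int


def parse_db_credential(response: Mapping[str, Any]) -> DbCredential:
    """Validate a GetSecretValue-style response and turn it into a typed credential.

    Assumed response fields: SecretData (JSON text), SecretDataType ("text" or
    "binary") and VersionStages (list of stage labels). Anything else is ignored.
    """
    if response.get("SecretDataType") != "text":
        raise SecretError("expected a text secret, got %r" % response.get("SecretDataType"))
    stages = response.get("VersionStages") or []
    if CURRENT_STAGE not in stages:
        # A non-current version may be mid-rotation or already retired; refuse it.
        raise SecretError("secret version is not %s (stages: %s)" % (CURRENT_STAGE, stages))
    try:
        payload = json.loads(response["SecretData"])
    except (KeyError, ValueError) as exc:
        raise SecretError("SecretData is not valid JSON") from exc
    if not isinstance(payload, dict):
        raise SecretError("SecretData must be a JSON object")
    missing = {"username", "password", "host", "port"} - payload.keys()
    if missing:
        raise SecretError("SecretData is missing fields: %s" % sorted(missing))
    return DbCredential(
        username=str(payload["username"]),
        password=str(payload["password"]),
        host=str(payload["host"]),
        port=int(payload["port"]),
    )


def load_db_credential(
    secret_name: str, get_secret_value: Callable[[str], Mapping[str, Any]]
) -> DbCredential:
    """Fetch and parse a secret. `get_secret_value` is injected so the example
    runs offline; in production it would wrap the SDK's GetSecretValue call."""
    return parse_db_credential(get_secret_value(secret_name))


# --- Constructed stand-in for Secrets Manager (no network access) -------------
FAKE_SECRETS: dict[str, dict[str, Any]] = {
    "orders-db": {  # constructed: the live credential
        "SecretName": "orders-db",
        "SecretDataType": "text",
        "VersionStages": ["ACSCurrent"],
        "SecretData": json.dumps(
            {"username": "app_user", "password": "Sup3rS3cret!", "host": "db.internal", "port": 3306}
        ),
    },
    "orders-db-old": {  # constructed: a rotated-out version that must be rejected
        "SecretName": "orders-db-old",
        "SecretDataType": "text",
        "VersionStages": ["ACSPrevious"],
        "SecretData": json.dumps(
            {"username": "app_user", "password": "0ldPassw0rd", "host": "db.internal", "port": 3306}
        ),
    },
}


def fake_get_secret_value(secret_name: str) -> Mapping[str, Any]:
    """Offline substitute for the GetSecretValue call."""
    try:
        return FAKE_SECRETS[secret_name]
    except KeyError:
        raise SecretError("no such secret: %s" % secret_name) from None


if __name__ == "__main__":
    cred = load_db_credential("orders-db", fake_get_secret_value)
    print(cred)  # password is omitted from the dataclass repr
    try:
        load_db_credential("orders-db-old", fake_get_secret_value)
    except SecretError as err:
        print("rejected:", err)
```

The stage check is the part most often skipped: an application that accepts whatever version it is handed will keep working with a retired password until the database finally refuses it, which makes rotation failures surface as outages rather than as a clear error at startup.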

Application access point (AAP)

An application access point (AAP) is the access control mechanism that KMS uses to authenticate the identity and behavior of applications requesting KMS resources. AAPs let you define which applications can access which keys or secrets, and under what conditions. For details, see Overview of AAPs.