Keys are the core component of Key Management Service (KMS). KMS manages two key types—customer master keys (CMKs) and default keys—covering full lifecycle management, secure storage, data encryption, and digital signatures through cloud-native API calls.
Use cases
KMS keys serve two primary purposes:
Cryptographic operations in self-managed applications: Call the KMS OpenAPI or SDK to perform encryption, decryption, digital signing, and signature verification directly in your applications. For details, see Integrate KMS with self-managed applications.
Server-side encryption for Alibaba Cloud services: Integrate keys with KMS-supported services—such as Object Storage Service (OSS), Elastic Block Storage (EBS), and ApsaraDB RDS—to enable transparent encryption for data at rest. For details, see Overview of KMS integration for server-side encryption.
Key types
KMS provides two key types, distinguished by who manages the key and how much control you retain.
| Key type | Use cases | Sub-type | Algorithm | Management permissions | Shareability | Cost |
|---|---|---|---|---|---|---|
| CMK | Use in self-managed applications via API; server-side encryption with Alibaba Cloud services | Software-protected key; hardware-protected key; external key (XKI) | Symmetric and asymmetric | Full lifecycle control: create, enable, disable, rotate, and delete | Shareable across services and accounts | Paid |
| Default key | Server-side encryption with Alibaba Cloud services | Service key; default CMK | Symmetric only | Limited: only some properties can be modified; creation is not supported. For details, see Key management feature comparison below. | Limited to the current account | Free |
CMK
CMKs are keys you create and fully control. Use them when you need custom cryptographic logic in your own applications, or when you need to bring your own key material and control rotation, deletion, and access policies.
CMKs support both symmetric keys and asymmetric keys. For details, see Key management types and key specifications.
CMK sub-types
Choose a CMK sub-type based on the protection level and key material ownership your use case requires.
| CMK sub-type | When to use | Protection method | Key material source | Billing |
|---|---|---|---|---|
| Software-protected key | General use cases that balance cost and security | Software-level: stored in a dedicated encrypted database within KMS | KMS-generated (default), or imported via Bring Your Own Key (BYOK) | Requires a software key management instance. Supports subscription and pay-as-you-go. |
| Hardware-protected key | High-compliance scenarios: finance, government, or workloads requiring GM/T or FIPS standards | Hardware-level physical protection: the key is generated and used exclusively within a Hardware Security Module (HSM); plaintext key material never leaves the HSM. Key metadata is stored in the KMS database and managed through a dedicated hardware instance. | KMS-generated (default), or imported via BYOK | Requires a hardware key management instance and two HSM instances. Supports subscription and pay-as-you-go. For HSM pricing, see Cloud Hardware Security Module billing. |
| External key (XKI) | Hybrid or multi-cloud deployments where you must retain key material in your own infrastructure | Your external key manager (EKM) handles all key material and cryptographic operations; KMS stores only key metadata and proxies requests to your EKM | Your EKM only | Requires an external key management instance |
Default keys
Default keys are automatically created by KMS or other Alibaba Cloud services. They are free and require no setup, making them the lowest-friction option for enabling server-side encryption in integrated cloud services.
Default keys support server-side encryption for Alibaba Cloud services only. They do not support standalone cryptographic operations such as calling APIs for encryption and decryption.
Keys migrated from KMS 1.0 are in a read-only state and do not support any operations.
Default key sub-types
| Default key sub-type | Created by | What you can do | Uniqueness |
|---|---|---|---|
| Default CMK | Created automatically in KMS 3.0 | Modify some properties; import external key material (BYOK) only when enabling the key for the first time; creation of new keys is not supported | One per Alibaba Cloud account per region |
| Service key | Created and used by a specific cloud service, such as OSS or ApsaraDB RDS | Key properties cannot be modified; key rotation requires purchasing a value-added service | One per Alibaba Cloud account per cloud service per region |
Default keys support symmetric keys only. For details, see Key management types and key specifications.
Choose a key type
Use the following table to match your requirements to the right key type.
| Requirement | Recommended key type |
|---|---|
| Zero setup or cost | Default key (service key or default CMK) |
| Full lifecycle control: rotation, deletion, and BYOK | CMK (software-protected key) |
| Hardware-backed protection for compliance (GM/T, FIPS) | CMK (hardware-protected key) |
| Key material must stay in your own infrastructure | CMK (external key / XKI) |
| Call encryption/decryption APIs from your application | CMK (any sub-type) |
| Asymmetric keys for signing and verification | CMK (software-protected or hardware-protected key) |
Feature comparison
Integration and application support
| Key type | Sub-type | Data encryption/decryption (self-managed apps) | Signing/verification (self-managed apps) | Server-side encryption for Alibaba Cloud services |
|---|---|---|---|---|
| Default key | Default CMK | Not supported | Not supported | Supported |
| Default key | Service key | Not supported | Not supported | Supported |
| CMK | Software-protected key | Supported | Supported | Supported |
| CMK | Hardware-protected key | Supported | Supported | Supported |
| CMK | External key (XKI) | Supported | Not supported | Not supported |
For details, see Overview of KMS integration for server-side encryption. To call KMS from your own code, see Integrate KMS with self-managed applications and Alibaba Cloud SDKs.
Key management feature comparison
All key types support key identifier management (aliases and tags).
| Key type | Sub-type | Key rotation | Schedule key deletion | Deletion protection | Import external key material (BYOK) | Backup management |
|---|---|---|---|---|---|---|
| Default key | Default CMK | Supported (requires a value-added service) | Supported | Supported | Not supported | Not supported |
| Default key | Service key | Not supported | Not supported | Not supported | Not supported | Not supported |
| CMK | Software-protected key | Supported (symmetric keys only) | Supported | Supported | Supported | Supported |
| CMK | Hardware-protected key | Supported | Supported | Supported | Supported | Not supported |
| CMK | External key (XKI) | Not supported | Not supported | Not supported | Not supported | Not supported |
For operation details, see:
Key rotation: Key rotation
Key deletion: Schedule key deletion and Enable deletion protection
Key identifier management: Manage key aliases and Tag management
Import external key material: Import symmetric key material and Import asymmetric key material
Backup management: Backup management
Security and performance
All key types support security auditing via ActionTrail; see Use ActionTrail to query management events for Key Management Service. For performance data, see Performance metrics.
| Key type | Sub-type | Symmetric encryption/decryption performance |
|---|---|---|
| Default key | Default CMK | 1,000 requests/second; upgrades not supported |
| Default key | Service key | 1,000 requests/second; upgrades not supported |
| CMK | Software-protected key | Shared gateway: 1,000 requests/second; upgrades not supported. Dedicated gateway: 1,000, 2,000, or 4,000 requests/second; upgrades supported. |
| CMK | Hardware-protected key | Shared gateway: 1,000 requests/second; upgrades not supported. Dedicated gateway: 2,000, 4,000, 6,000, or 8,000 requests/second; upgrades supported. |
| CMK | External key (XKI) | 1,000 requests/second; upgrades not supported |
FAQ
What is BYOK?
BYOK (Bring Your Own Key) is a feature that lets you generate key material outside of KMS and import it. BYOK is a feature, not a standalone key type. The following table shows which key types support it.
| Key type | Sub-type | BYOK support | Details |
|---|---|---|---|
| CMK | Software-protected key | Yes | Import key material after creating the key. See Import symmetric key material and Import asymmetric key material. |
| CMK | Hardware-protected key | Yes | Same import process as software-protected keys. |
| CMK | External key (XKI) | No | Key material is managed entirely by your EKM; import into KMS is not supported. |
| Default key | Default CMK | Yes | Import is available only when enabling the key for the first time. |
| Default key | Service key | No | Key material is managed by the cloud service; import is not supported. |
How do Alibaba Cloud key types correspond to AWS key types?
| Alibaba Cloud | Amazon Web Services (AWS) |
|---|---|
| CMK | Customer managed keys |
| Service key | AWS managed keys |
Appendix: Components of a key
A complete key has three parts: a key identifier, metadata, and key material.
Key identifier
A unique reference used in the console, an API, or a policy. KMS supports three identifier types:
ID: A unique string that serves as the primary identifier for the key.
Alibaba Cloud Resource Name (ARN): Includes the region ID, Alibaba Cloud account ID, and key ID. Format: acs:kms:<REGION_ID>:<ALIBABA_CLOUD_ACCOUNT_ID>:key/<KEY_ID>.
Key alias: A user-defined name that points to a specific key. Format: alias/<ALIAS_NAME>.
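As an added example (not Alibaba Cloud's code or SDK), the following Python classifies a string as one of the three identifier forms listed above and flags ARNs that name a key in a different account, a check worth running over policies and service configuration before an identifier is granted access. The character classes used for the region ID, account ID, key ID and alias name are assumptions for the example and are not taken from this page; the sample identifiers are constructed.

```python
"""Parse and validate KMS key identifiers: bare key ID, ARN, or alias.

Added example, not Alibaba Cloud code. Assumptions (not from the page):
key IDs are UUID-shaped, account IDs are all digits, region IDs use
lower-case letters, digits and hyphens, and alias names use letters,
digits, '_', '-' and '/'.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed shape of <KEY_ID>: 8-4-4-4-12 hex groups.
UUID_PATTERN = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"

KEY_ID_RE = re.compile(rf"^{UUID_PATTERN}$")
# Documented format: acs:kms:<REGION_ID>:<ALIBABA_CLOUD_ACCOUNT_ID>:key/<KEY_ID>
ARN_RE = re.compile(
    rf"^acs:kms:(?P<region>[a-z0-9-]+):(?P<account>\d+):key/(?P<key_id>{UUID_PATTERN})$"
)
# Documented format: alias/<ALIAS_NAME>
ALIAS_RE = re.compile(r"^alias/(?P<alias>[A-Za-z0-9_/-]+)$")


@dataclass(frozen=True)
class KeyIdentifier:
    kind: str                      # "id", "arn" or "alias"
    key_id: Optional[str] = None   # set for "id" and "arn"
    region: Optional[str] = None   # set for "arn" only
    account: Optional[str] = None  # set for "arn" only
    alias: Optional[str] = None    # set for "alias" only


def parse_key_identifier(value: str) -> KeyIdentifier:
    """Return the parsed identifier; raise ValueError if it matches none of the three forms."""
    value = value.strip()
    if KEY_ID_RE.match(value):
        return KeyIdentifier(kind="id", key_id=value.lower())
    m = ARN_RE.match(value)
    if m:
        return KeyIdentifier(kind="arn", key_id=m["key_id"].lower(),
                             region=m["region"], account=m["account"])
    m = ALIAS_RE.match(value)
    if m:
        return KeyIdentifier(kind="alias", alias=m["alias"])
    raise ValueError(f"not a KMS key ID, ARN or alias: {value!r}")


def is_valid_key_identifier(value: str) -> bool:
    """True if `value` is a well-formed key ID, ARN or alias under the assumptions above."""
    try:
        parse_key_identifier(value)
        return True
    except ValueError:
        return False


def foreign_account_references(identifiers: List[str], own_account: str) -> List[str]:
    """Return the ARNs in `identifiers` whose account ID differs from `own_account`.

    Only an ARN carries an account ID; a bare key ID or an alias resolves within the
    caller's own account and region, so those are never reported here.
    """
    flagged = []
    for ident in identifiers:
        parsed = parse_key_identifier(ident)
        if parsed.kind == "arn" and parsed.account != own_account:
            flagged.append(ident)
    return flagged


# Constructed sample identifiers (account IDs and key IDs are made up).
SAMPLE_IDENTIFIERS = [
    "0b3c6b2a-1f4e-4c8d-9a7b-1234567890ab",
    "acs:kms:cn-hangzhou:1234567890123456:key/0b3c6b2a-1f4e-4c8d-9a7b-1234567890ab",
    "acs:kms:cn-hangzhou:6543210987654321:key/7d1e9f30-2a4b-4c6d-8e9f-0a1b2c3d4e5f",
    "alias/payments-db-key",
]

if __name__ == "__main__":
    for ident in SAMPLE_IDENTIFIERS:
        print(parse_key_identifier(ident))
    print("foreign:", foreign_account_references(SAMPLE_IDENTIFIERS, "1234567890123456"))
```

The parser normalises the key ID to lower case so that the same key referenced as a bare ID and inside an ARN compares equal; the alias is left untouched because alias names are user-defined.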
Metadata
Information describing the key's properties: ID, creation date, status (enabled or disabled), and purpose (encryption/decryption or signing/verification).
Key material
The binary data used for cryptographic operations. KMS supports two sources:
KMS-generated: KMS generates the key material internally.
External (BYOK): Generate the key material locally and import it into KMS.