Key Service is a core component of Key Management Service (KMS). Key Service allows you to manage and store software-protected keys, hardware-protected keys, and default keys throughout their lifecycles. Key Service also allows you to encrypt and sign data based on cloud-native operations. This topic describes the key types and cryptographic operations that are provided by KMS.
| Key type | Scenario | Functionality | Algorithm | Key specification | Description |
|---|---|---|---|---|---|
| Default key | A default key is used for server-side encryption in Alibaba Cloud services that are integrated with KMS. For more information, see Integration with KMS. | Only data encryption and data decryption are supported. | AES | Aliyun_AES_256 | A default key can be one of the following types of keys: |
| Software-protected key | | Cryptographic operations such as signing and verification, data encryption, and data decryption are supported. | AES, RSA, and Elliptic Curve Cryptography (ECC) | | You can use only key material that is generated by KMS to create a software-protected key and manage the key throughout its lifecycle. Note: You cannot import key material to create a software-protected key. |
| Hardware-protected key | | Cryptographic operations such as signing and verification, data encryption, and data decryption are supported. | AES, RSA, ECC, and triple Data Encryption Standard (3DES) | | You can use key material that is generated by KMS or import key material to create a hardware-protected key. Important: Before you can use a hardware-protected key, you must purchase hardware security modules (HSMs) and configure HSM clusters in Data Encryption Service. The HSMs must comply with Federal Information Processing Standard (FIPS) Publication 140-2 Level 3. |
KMS provides cloud-native cryptographic operations that are simpler to use than the interfaces of traditional HSMs or cryptographic software libraries. The following table describes these operations.
| Operation | Description |
|---|---|
| Encrypt | Encrypts plaintext into ciphertext. |
| Decrypt | Decrypts ciphertext into plaintext. |
| Sign | Generates a signature by using an asymmetric key. |
| Verify | Verifies a signature by using an asymmetric key. |
| GenerateDataKey | Generates a data key and returns both the plaintext and the ciphertext of the data key. You can use the plaintext data key to symmetrically encrypt data locally, and store only the ciphertext of the data key alongside the encrypted data. |
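GenerateDataKey is the building block of envelope encryption: KMS hands back the data key twice, once in plaintext for local encryption and once encrypted under the KMS key for storage, and the read path later calls Decrypt on the stored ciphertext to recover the data key. The Go program below is an added example, not Alibaba Cloud SDK or KMS code: the KMS-held master key is replaced by a local AES-GCM key so it runs offline (an assumption), and seal, open, EnvelopeEncrypt and EnvelopeDecrypt are names chosen here.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func seal(key, plaintext []byte) ([]byte, error) { // AES-GCM under a fresh random nonce: nonce||ciphertext||tag
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // never returns an error as of Go 1.24; check it on older toolchains
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, sealed []byte) ([]byte, error) { // reverses seal; fails if nonce, body or tag was altered
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// EnvelopeEncrypt is the client side of GenerateDataKey: KMS returns a fresh 256-bit data key in plaintext and
// wrapped under the master key; the client encrypts locally and stores only the wrapped key beside the ciphertext.
func EnvelopeEncrypt(master, data []byte) (wrappedKey, ct []byte, err error) { // master stands in for the KMS key
	plain := make([]byte, 32)
	rand.Read(plain) // the plaintext half of the GenerateDataKey response
	if wrappedKey, err = seal(master, plain); err != nil { // the ciphertext half, kept for a later Decrypt call
		return nil, nil, err
	}
	ct, err = seal(plain, data) // plain is discarded when this function returns; only wrappedKey is stored
	return wrappedKey, ct, err
}

func EnvelopeDecrypt(master, wrappedKey, ct []byte) ([]byte, error) {
	plain, err := open(master, wrappedKey) // the KMS Decrypt operation applied to the wrapped data key
	if err != nil {
		return nil, err
	}
	return open(plain, ct) // local decryption with the recovered data key; KMS never handles the payload
}
```

Because only the wrapped key is persisted, a stolen copy of the stored record is useless without access to the master key, and any bit flip in the wrapped key or the ciphertext is rejected by the GCM tag check.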