Key Service is a core component of Key Management Service (KMS). Key Service allows you to manage and store software-protected keys, hardware-protected keys, and default keys throughout their lifecycles. Key Service also allows you to encrypt and sign data based on cloud-native operations. This topic describes the key types and cryptographic operations that are provided by KMS.

Key types

You can manage software-protected keys, hardware-protected keys, and default keys that are provided by KMS based on your business, security, and compliance requirements. The following entries describe each type of key by key type, scenario, functionality, algorithm, key specification, and description.

Key type: Default key
Scenario: A default key is used for server-side encryption in Alibaba Cloud services that are integrated with KMS. For more information, see Integration with KMS.
Functionality: Only data encryption and data decryption are supported.
Algorithm: AES
Key specification: Aliyun_AES_256
Description: A default key can be one of the following types of keys:
  • Service key: A service key is created and managed by an Alibaba Cloud service for you in KMS.
  • CMK: A customer master key (CMK) is a key that you create and manage yourself in KMS. You can create only one CMK in each region. You can import key material or use key material that is generated by KMS to create a CMK.

Key type: Software-protected key
Scenario:
  • A software-protected key is used for cryptographic solutions of your self-managed applications.

    For example, you can create a CMK that uses the Advanced Encryption Standard (AES) algorithm to perform custom data encryption and data decryption, or create a CMK that uses the Rivest-Shamir-Adleman (RSA) algorithm to calculate and verify digital signatures.

  • A software-protected key is used for server-side encryption in Alibaba Cloud services that are integrated with KMS. For more information, see Integration with KMS.
Functionality: Cryptographic operations such as signing and verification, data encryption, and data decryption are supported.
Algorithm: AES, RSA, and Elliptic Curve Cryptography (ECC)
Key specification:
  • Symmetric key specification: Aliyun_AES_256
  • Asymmetric key specification:
    • RSA_2048
    • RSA_3072
    • EC_P256
    • EC_P256K
  For more information, see Key types and specifications.
Description: You can use only key material that is generated by KMS to create a software-protected key and manage the key throughout its lifecycle.
Note: You cannot import key material to create a software-protected key.

Key type: Hardware-protected key
Scenario:
  • A hardware-protected key is used for cryptographic solutions of your self-managed applications.

    For example, you can create a CMK that uses the AES algorithm to perform custom data encryption and data decryption, or create a CMK that uses the RSA or ECC algorithm to calculate and verify digital signatures.

  • A hardware-protected key is used for server-side encryption in Alibaba Cloud services that are integrated with KMS. For more information, see Integration with KMS.
Functionality: Cryptographic operations such as signing and verification, data encryption, and data decryption are supported.
Algorithm: AES, RSA, ECC, and triple Data Encryption Standard (3DES)
Key specification:
  • Symmetric key specification:
    • Aliyun_AES_256
    • Aliyun_AES_192
    • Aliyun_AES_128
    • Aliyun_DES3_192
  • Asymmetric key specification:
    • RSA_2048
    • RSA_3072
    • RSA_4096
    • EC_P256
    • EC_P256K
  For more information, see Key types and specifications.
Description: You can use key material that is generated by KMS or import key material to create a hardware-protected key.
Important: Before you can use a hardware-protected key, you must purchase hardware security modules (HSMs) and configure HSM clusters in Data Encryption Service. The HSMs must comply with Federal Information Processing Standard (FIPS) Publication 140-2 Level 3.

Cryptographic operations

KMS provides cloud-native cryptographic operations that are simpler to use than the equivalent operations of traditional HSMs or cryptographic software libraries.

The following table describes the cryptographic operations in KMS.

Operation        Description
Encrypt          Encrypts plaintext into ciphertext.
Decrypt          Decrypts ciphertext into plaintext.
Sign             Generates a signature by using an asymmetric key.
Verify           Verifies a signature by using an asymmetric key.
GenerateDataKey  Generates a data key and returns both the plaintext and the ciphertext of the data key. You can use the plaintext data key to symmetrically encrypt data.
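Envelope encryption is the pattern that GenerateDataKey and Decrypt in the table above are designed for: bulk data is encrypted locally with the plaintext data key, and only the KMS-wrapped data key is stored beside the ciphertext. The following is an added Go example, not code from this page or from Alibaba Cloud's SDKs; the KMS type is a local stand-in that models only those two operations, and the AES-GCM layer and the constructed CMK are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// seal: AES-GCM under 128/192/256-bit key material (e.g. Aliyun_AES_256) with a fresh random nonce prepended; open rejects any tampering with nonce, body or tag.
func seal(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	nonce := make([]byte, g.NonceSize())
	if _, err = rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, pt, nil), nil
}
func open(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, _ := cipher.NewGCM(block)
	if len(ct) < g.NonceSize() { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// KMS is a local stand-in (an assumption here, not the Alibaba Cloud SDK) for the GenerateDataKey and Decrypt operations; the CMK never leaves it.
type KMS struct{ cmk []byte }

// GenerateDataKey returns a fresh 256-bit data key in plaintext and wrapped under the CMK.
func (k *KMS) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil { return nil, nil, err }
	wrapped, err = seal(k.cmk, plain)
	return plain, wrapped, err
}

// Decrypt unwraps a data key that GenerateDataKey produced.
func (k *KMS) Decrypt(wrapped []byte) ([]byte, error) { return open(k.cmk, wrapped) }

// EnvelopeEncrypt encrypts locally with the plaintext data key, then zeroes it; only the wrapped key is stored beside the ciphertext, so KMS is not in the bulk-data path.
func EnvelopeEncrypt(kms *KMS, data []byte) (wrappedKey, ct []byte, err error) {
	plain, wrappedKey, err := kms.GenerateDataKey()
	if err != nil { return nil, nil, err }
	ct, err = seal(plain, data)
	for i := range plain { plain[i] = 0 }
	return wrappedKey, ct, err
}

// EnvelopeDecrypt has KMS unwrap the data key, then decrypts locally.
func EnvelopeDecrypt(kms *KMS, wrappedKey, ct []byte) ([]byte, error) {
	plain, err := kms.Decrypt(wrappedKey)
	if err != nil { return nil, err }
	return open(plain, ct)
}
```

The wrapped data key is useless without a Decrypt call against the same CMK, so access to stored data is governed by who may call Decrypt on that key, and a tampered ciphertext or tag fails authentication instead of decrypting to garbage.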