This topic introduces the terms that are used in Key Management Service (KMS).

Key Service
Key Service fully manages and protects your keys. It supports data encryption and digital signing in simple mode through cloud-native API operations.

For more information about Key Service, see Overview.

customer master key (CMK)
A CMK is used to encrypt data keys and thereby generate enveloped data keys (EDKs). A CMK can also be used to encrypt a small volume of data. You can call the CreateKey operation to create a CMK.

key material
Key material is required when you perform cryptographic operations. To keep those operations secure, we recommend that you keep the key material confidential. Key material can be encrypted by using private keys of asymmetric cryptographic algorithms or by using symmetric cryptographic algorithms.

CMKs are basic resources of KMS. A CMK is composed of a key ID, basic metadata, and key material. By default, key material is generated by KMS when you create a CMK. In this case, the value of the Origin parameter is Aliyun_KMS. You can also set the Origin parameter to EXTERNAL when you create a CMK. In this case, KMS does not generate key material, and you must import external key material for the CMK.

For more information about key material, see Import key material.

envelope encryption
To encrypt business data, you call the GenerateDataKey or GenerateDataKeyWithoutPlaintext operation to generate a symmetric key and have a specified CMK encrypt that symmetric key. The result is an EDK. The EDK remains secure even if it is stored on, or transferred over, unsecured communication channels. When you want to use the symmetric key again, you only need to call the Decrypt operation to decrypt the EDK.

For more information about envelope encryption, see Use envelope encryption to encrypt and decrypt local data.

data key
A data key is a plaintext key that is used to encrypt data.

You can call the GenerateDataKey operation to generate a data key, use a specified CMK to encrypt the data key, and then obtain the plaintext and ciphertext of the data key.

enveloped data key or encrypted data key
An EDK is a data key in ciphertext form, generated by using envelope encryption.

If you do not require the plaintext of a data key, you can call the GenerateDataKeyWithoutPlaintext operation to obtain only the ciphertext of the data key.

hardware security module (HSM)
An HSM is a hardware device that performs cryptographic operations and securely generates and stores keys. KMS provides the Managed HSM feature, which meets the testing and validation requirements of regulatory agencies and ensures high security for the keys that you manage in KMS.

For more information about HSMs, see Overview.

encryption context
An encryption context is the KMS encapsulation of authenticated encryption with associated data (AEAD). For more information about AEAD, see An Interface and Algorithms for Authenticated Encryption. KMS uses the encryption context that you pass in as the additional authenticated data (AAD) for cryptographic operations that use symmetric encryption algorithms. The encryption context helps protect the integrity and authenticity of the data that you encrypt.

For more information about encryption contexts, see EncryptionContext.
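The envelope-encryption flow described above (GenerateDataKey, local encryption with the data key, Decrypt of the EDK) and the use of the encryption context as AAD, as an added Go example that is not part of this page or of any KMS SDK. FakeCMK, NewFakeCMK, EnvelopeEncrypt, EnvelopeDecrypt and the "key=value;" context serialization are this example's own constructions that stand in for the KMS service on one machine; the CMK material stays inside FakeCMK the way real CMK material stays inside KMS, and AES-GCM from the Go standard library plays the role of the symmetric AEAD. Binding the same context as AAD to the locally encrypted data is a choice of this example, not a statement about the service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"sort"
)

// encryptionContextToAAD serializes a context with sorted keys so equal contexts give equal AAD ("k=v;" is this example's layout).
func encryptionContextToAAD(ctx map[string]string) []byte {
	keys := make([]string, 0, len(ctx))
	for k := range ctx {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var aad []byte
	for _, k := range keys {
		aad = append(aad, k+"="+ctx[k]+";"...)
	}
	return aad
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts with AES-GCM, binding aad into the tag; output is nonce || ciphertext || tag.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal and fails if the ciphertext, tag or aad was altered.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed data too short: %d bytes", len(sealed))
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// FakeCMK stands in for a CMK whose Origin is Aliyun_KMS: 256-bit material that never leaves this struct.
type FakeCMK struct{ material []byte }

func NewFakeCMK() (*FakeCMK, error) {
	m := make([]byte, 32)
	_, err := rand.Read(m)
	return &FakeCMK{material: m}, err
}

// GenerateDataKey models the KMS operation: a fresh 256-bit data key, in plaintext and as an EDK wrapped under the CMK with ctx as AAD.
func (c *FakeCMK) GenerateDataKey(ctx map[string]string) ([]byte, []byte, error) {
	dk := make([]byte, 32)
	if _, err := rand.Read(dk); err != nil {
		return nil, nil, err
	}
	edk, err := aeadSeal(c.material, dk, encryptionContextToAAD(ctx))
	return dk, edk, err
}

// Decrypt models the KMS operation: it unwraps an EDK; a different ctx changes the AAD, so the tag check fails.
func (c *FakeCMK) Decrypt(edk []byte, ctx map[string]string) ([]byte, error) {
	return aeadOpen(c.material, edk, encryptionContextToAAD(ctx))
}

// EnvelopeEncrypt: get a data key, encrypt locally with it (ctx bound as AAD here too, this example's choice), keep only the EDK.
func EnvelopeEncrypt(cmk *FakeCMK, data []byte, ctx map[string]string) ([]byte, []byte, error) {
	dk, edk, err := cmk.GenerateDataKey(ctx)
	if err != nil {
		return nil, nil, err
	}
	ciphertext, err := aeadSeal(dk, data, encryptionContextToAAD(ctx))
	return edk, ciphertext, err
}

// EnvelopeDecrypt asks the CMK to unwrap the EDK, then decrypts the data locally.
func EnvelopeDecrypt(cmk *FakeCMK, edk, ciphertext []byte, ctx map[string]string) ([]byte, error) {
	dk, err := cmk.Decrypt(edk, ctx)
	if err != nil {
		return nil, fmt.Errorf("unwrap EDK: %w", err)
	}
	return aeadOpen(dk, ciphertext, encryptionContextToAAD(ctx))
}
```

The two properties worth checking after a round trip are the ones the glossary entries state: the EDK and ciphertext can be stored anywhere because neither reveals the data key or the data, and a Decrypt call with a context that differs from the one used at GenerateDataKey time fails the AEAD tag check rather than returning a key. Serializing the context with sorted keys matters because AAD is compared byte for byte: two maps with the same entries in a different iteration order would otherwise produce a spurious failure.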

Secrets Manager
Secrets Manager allows you to manage your secrets throughout their lifecycle and lets applications use secrets in a secure and efficient manner. This prevents sensitive data leaks caused by hardcoded secrets.

For more information about Secrets Manager, see Overview.

application access point
An application access point (AAP) is KMS's own method for authenticating the identity of the user that accesses KMS resources.

For more information, see Manage AAPs.

Certificates Manager
Certificates Manager provides highly available and secure capabilities for managing keys and certificates. It also allows you to obtain certificates and use them to generate and verify signatures.

For more information about Certificates Manager, see Overview.

Dedicated KMS
Dedicated KMS is a key management service that you fully manage yourself. For example, you can specify the virtual private cloud (VPC) in which Dedicated KMS is deployed and configure the cryptographic resource pool that Dedicated KMS uses. You can also define role-based access control (RBAC) policies to allow access from applications.

For more information about Dedicated KMS, see Overview.

Secrets
Secrets are sensitive information that is used to authenticate applications. Examples include usernames and passwords that are used to access databases, SSH keys, sensitive addresses, and AccessKey pairs.