Key Management Service (KMS) is integrated with cloud services such as Elastic Compute Service (ECS), Object Storage Service (OSS), Container Service for Kubernetes (ACK), and ApsaraDB RDS. You can use KMS to encrypt the resources of these cloud services to ensure data security in the cloud.
Encrypt ECS resources
You can use KMS to encrypt ECS resources such as system disks, data disks, and relevant images and snapshots.
The following example describes how to encrypt a data disk when you create an ECS instance. For more information about other methods to encrypt ECS resources, see Use KMS to protect ECS workloads with a few clicks.
Encrypt OSS resources
After you enable server-side encryption with KMS on a bucket, OSS automatically encrypts every object that is subsequently uploaded to the bucket, using data keys generated by KMS from the selected CMK (envelope encryption). Objects that were uploaded before the setting was enabled are not re-encrypted.
- Enable encryption when you create an OSS bucket
- Log on to the OSS console.
- In the Bucket Management section of the Overview page, click Create Bucket.
- In the Create Bucket panel, set the Encryption Method parameter to KMS.
- Configure the Encryption Algorithm parameter. Valid values:
- AES256
- SM4
Note: KMS provides the SM4 algorithm by using Managed HSM. For more information, see Overview.
- Configure the CMK parameter.
You can select a CMK ID. OSS uses the specified CMK to generate different keys to encrypt different objects. The objects are automatically decrypted when they are downloaded by the users who have decryption permissions. Before you select a CMK ID, you must create a regular CMK or an external CMK in the same region as the bucket in the KMS console. For more information, see Create a CMK.
- Configure other parameters by following the on-screen instructions.
For more information, see Create buckets.
- Encrypt data in an existing bucket
- Log on to the OSS console.
- In the left-side navigation pane, click Buckets.
- Click the name of the bucket whose data you want to encrypt.
- In the left-side navigation pane, choose .
- In the Server-side Encryption section, click Configure.
- Set the Encryption Method parameter to KMS.
- Configure the Encryption Algorithm parameter. Valid values:
- AES256
- SM4
Note: KMS provides the SM4 algorithm by using Managed HSM. For more information, see Overview.
- Configure the CMK parameter.
You can select a CMK ID. OSS uses the specified CMK to generate different keys to encrypt different objects. The objects are automatically decrypted when they are downloaded by the users who have decryption permissions. Before you select a CMK ID, you must create a regular CMK or an external CMK in the same region as the bucket in the KMS console. For more information, see Create a CMK.
- Click Save.
Notice: Changing the default encryption method of a bucket does not affect the encryption configuration of objects that already exist in the bucket. Existing objects keep whatever encryption they were uploaded with; to bring them under the new CMK you must re-upload or copy them.
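As an added example (not code from the OSS documentation or SDK), the following Python script shows what the console steps above configure at the API level: it builds the ServerSideEncryptionRule body that PutBucketEncryption accepts, parses a GetBucketEncryption response back into a dictionary, and audits HeadObject response headers to find objects that are not KMS-encrypted under the expected CMK, which is exactly the situation the notice warns about. Only the standard library is used; the network calls themselves (via the oss2 SDK or ossutil) are left out, and the CMK ID and HeadObject headers are constructed placeholders.

```python
"""Added example: OSS default server-side encryption rule and object audit.

Not part of the OSS documentation or SDK. The XML element names and the
x-oss-server-side-encryption* headers are those of the OSS API; the CMK ID
and the sample HeadObject headers below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Placeholder CMK ID (assumption, not a real key). In practice this is the ID
# of a regular or external CMK created in the same region as the bucket.
CMK_ID = "00000000-0000-0000-0000-000000000000"


def build_encryption_rule(algorithm="KMS", cmk_id=None, data_encryption=None):
    """Return the ServerSideEncryptionRule XML body for PutBucketEncryption.

    algorithm:       SSEAlgorithm, one of "KMS", "AES256" or "SM4"
    cmk_id:          KMSMasterKeyID, only meaningful when algorithm == "KMS"
    data_encryption: KMSDataEncryption, "SM4" to have KMS generate SM4 data keys
    """
    if algorithm not in ("KMS", "AES256", "SM4"):
        raise ValueError("unsupported SSEAlgorithm: %r" % algorithm)
    if algorithm != "KMS" and (cmk_id or data_encryption):
        raise ValueError("KMSMasterKeyID/KMSDataEncryption apply only to SSEAlgorithm=KMS")
    root = ET.Element("ServerSideEncryptionRule")
    default = ET.SubElement(root, "ApplyServerSideEncryptionByDefault")
    ET.SubElement(default, "SSEAlgorithm").text = algorithm
    if data_encryption:
        ET.SubElement(default, "KMSDataEncryption").text = data_encryption
    if cmk_id:
        ET.SubElement(default, "KMSMasterKeyID").text = cmk_id
    return ET.tostring(root, encoding="unicode")


def parse_encryption_rule(xml_body):
    """Parse a GetBucketEncryption response body into a dict.

    Missing optional elements (no CMK ID, no KMSDataEncryption) come back as None.
    """
    root = ET.fromstring(xml_body)
    default = root.find("ApplyServerSideEncryptionByDefault")
    if default is None:
        raise ValueError("no ApplyServerSideEncryptionByDefault element in rule")
    return {
        "algorithm": default.findtext("SSEAlgorithm"),
        "cmk_id": default.findtext("KMSMasterKeyID"),
        "data_encryption": default.findtext("KMSDataEncryption"),
    }


def audit_objects(expected_cmk_id, head_responses):
    """Return (object_key, reason) pairs for objects that are not KMS-encrypted
    under expected_cmk_id.

    head_responses maps an object key to the response headers of HeadObject.
    Objects uploaded before the bucket default was set keep their old state,
    so this is how you find what still needs to be copied or re-uploaded.
    """
    findings = []
    for key, headers in head_responses.items():
        h = {name.lower(): value for name, value in headers.items()}
        if h.get("x-oss-server-side-encryption") != "KMS":
            findings.append((key, "not KMS-encrypted"))
        elif h.get("x-oss-server-side-encryption-key-id") != expected_cmk_id:
            findings.append((key, "encrypted under a different CMK"))
    return findings


if __name__ == "__main__":
    body = build_encryption_rule("KMS", CMK_ID, "SM4")
    print(body)
    print(parse_encryption_rule(body))
    # Constructed HeadObject headers: a legacy plaintext object, an AES256
    # object, and one object already encrypted under the expected CMK.
    sample = {
        "legacy.txt": {"Content-Length": "10"},
        "aes.txt": {"x-oss-server-side-encryption": "AES256"},
        "ok.txt": {
            "x-oss-server-side-encryption": "KMS",
            "x-oss-server-side-encryption-key-id": CMK_ID,
            "x-oss-server-side-data-encryption": "SM4",
        },
    }
    print(audit_objects(CMK_ID, sample))
```

The audit treats a KMS-encrypted object whose key ID header does not match as a finding too, because an object encrypted under the service default CMK rather than the CMK you selected will not be governed by that CMK's lifecycle and access policy.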
Encrypt ACK resources
Professional managed Kubernetes clusters in ACK allow you to use a CMK that you created in KMS to encrypt Kubernetes Secrets at rest in etcd, so that Secret data is not stored in plaintext on the cluster's backing store.
Encrypt ApsaraDB RDS resources
ApsaraDB RDS supports disk encryption and transparent data encryption (TDE). The following example describes how to encrypt a standard SSD or an enhanced SSD (ESSD) when you create an ApsaraDB RDS for MySQL instance.
Encrypt resources of other cloud services
For information about how to encrypt resources of other cloud services, see Alibaba Cloud services that can be integrated with KMS.