Starting March 31, 2022, Key Management Service (KMS) is evolving into a cloud-native encryption backbone for Alibaba Cloud services. Dedicated KMS is now available as a standalone cloud service that provides tenant-specific storage and cryptographic resources.
- Existing KMS users: Your current usage is not affected. If your account has an overdue payment, you must purchase Dedicated KMS.
- New users: To manage keys, purchase Dedicated KMS.
Why Dedicated KMS
Dedicated KMS is designed for workloads that require strict isolation of cryptographic resources. Compared to KMS, which shares storage and cryptographic resources across tenants, Dedicated KMS provides:
- VPC-native deployment: Each Dedicated KMS instance is deployed inside your VPC, enabling private network access without routing through shared gateways.
- Cryptographic isolation: Dedicated KMS allocates tenant-specific cryptographic resource pools, so your keys and cryptographic operations are isolated from other tenants at both the resource and compute level.
- Application access point (AAP) authentication: Dedicated KMS uses AAP authentication instead of RAM authentication, which allows users to complete key authentication configurations in a more efficient manner.
Impact on your account
The upgrade does not affect existing KMS users. New users must purchase Dedicated KMS to access certain features.
Existing users with an overdue payment can no longer use KMS after the upgrade. They must purchase Dedicated KMS.
| Feature | Scenario | Impact |
|---|---|---|
| Customer master key | Service-managed keys used by cloud services to encrypt cloud resources | None |
| Customer master key | Service-managed keys used by clients to encrypt or decrypt data | Not supported |
| Customer master key | User-managed keys used by cloud services to encrypt cloud resources | New users must purchase Dedicated KMS Standard edition |
| Customer master key | User data encryption | New users must purchase Dedicated KMS Standard edition |
| Secret | Retrieving sensitive information | Not supported |
| Secret | Secret rotation | Not supported |
| Certificate | Certificate hosting | New users must purchase SSL certificates |
| Certificate | Signature generation and verification | Not supported |