Key Management Service (KMS) offers three tiers: free default keys, paid software key management instances, and paid hardware key management instances. Default keys come in two forms: service keys and customer master keys (CMKs).
Use the following sections to identify the tier that fits your requirements.
Choose your instance type
Answer these questions to narrow down your options:
| Question | Software instance | Hardware instance |
|---|---|---|
| Do you need to encrypt data in self-managed applications? | Supported | Supported |
| Do you need secret lifecycle management? | Supported | Supported |
| Do you need FIPS 140-2 Level 3 compliance? | Not supported | Supported |
| Do you need higher QPS (up to 8,000) via a dedicated gateway? | Not supported (dedicated gateway up to 4,000 QPS) | Supported |
| Do you need key backup management? | | |
Common recommendations:
- Server-side encryption for Alibaba Cloud services only: default keys (service key or CMK) are free and sufficient.
- Custom application encryption or secret management: use a software key management instance. It supports asymmetric keys, bring your own key (BYOK), secret lifecycle management, and multi-account sharing.
- Strict compliance or high-throughput requirements: use a hardware key management instance for Federal Information Processing Standard (FIPS) 140-2 Level 3 validation and dedicated gateway queries per second (QPS) of up to 8,000. Hardware instances require purchasing two hardware security modules (HSMs).
Full comparison
| Category | Item | Default key: service key | Default key: CMK | Software key management instance | Hardware key management instance | References |
|---|---|---|---|---|---|---|
| Billing | Billing method | Free | Free | Subscription or pay-as-you-go | Subscription or pay-as-you-go. Requires purchasing two HSMs. For more information, see Billing of KMS. | Overview |
| Scenarios | Server-side encryption in Alibaba Cloud services | Supported | Supported | Supported | Supported | Scenarios |
| Scenarios | Data encryption in self-managed applications | Not supported | Not supported | Supported | Supported | Scenarios |
| Scenarios | Secret lifecycle management | Not supported | Not supported | Supported | Supported | Scenarios |
| Scenarios | FIPS 140-2 Level 3 compliance | Not supported | Not supported | Not supported | Supported | Scenarios |
| Quota | Computing performance (symmetric encryption and decryption) | 1,000 QPS. Upgrade not supported. | 1,000 QPS. Upgrade not supported. | Shared gateway: 1,000 QPS, upgrade not supported. Dedicated gateway: 1,000, 2,000, or 4,000 QPS; upgrades supported. | Shared gateway: 1,000 QPS, upgrade not supported. Dedicated gateway: 2,000, 4,000, 6,000, or 8,000 QPS; upgrades supported. | Performance quotas |
| Quota | Number of keys | One service key per Alibaba Cloud service per region (per account) | One CMK per region per account | 1,000–100,000 | 1,000–100,000 | Performance quotas |
| Quota | Number of secrets | Not supported | Not supported | 0–100,000 | 0–100,000 | Performance quotas |
| Quota | Network endpoint type | Public network and virtual private cloud (VPC) network | Public network and VPC network | Public network and VPC network | Public network and VPC network | Regions and endpoints |
| Management | Multi-account resource sharing | Not supported | Not supported | Supported | Supported | Share a KMS instance across multiple Alibaba Cloud accounts |
| Management | Backup management | | | | | Backups |
| Management | Security audit | Supported | Supported | Supported | Supported | Use ActionTrail to query KMS events |
| Key management | Key specifications | Aliyun_AES_256 | Aliyun_AES_256 | Symmetric: Aliyun_AES_256. Asymmetric: RSA_2048, RSA_3072, EC_P256, EC_P256K. | Symmetric: Aliyun_AES_256, Aliyun_AES_192, Aliyun_AES_128. Asymmetric: RSA_2048, RSA_3072, RSA_4096, EC_P256, EC_P256K. | Overview of key management |
| Key management | Import of external key material (BYOK) | | | Supported | Supported | Import key material into a symmetric key and import key material into an asymmetric key |
| Key management | Key rotation | | | Supported | Supported | Configure key rotation |
| Key management | Scheduled key deletion | | | Supported | Supported | Schedule a key deletion task |
| Key management | Key deletion protection | | | Supported | Supported | Enable key deletion protection |
| Key management | Key alias | | | Supported | Supported | Manage key aliases |
| Key management | Key tag | | | Supported | Supported | Tag management |
| Cryptographic operations | Data encryption and decryption | Not supported | Not supported | Supported | Supported | Alibaba Cloud SDK |
| Cryptographic operations | Signature generation and verification | Not supported | Not supported | Supported | Supported | Alibaba Cloud SDK |
| Secret management | Secret creation | Not supported | Not supported | Supported | Supported | Secret management |
| Secret management | Secret deletion | Not supported | Not supported | Supported | Supported | Secret management |
| Secret management | Secret rotation | Not supported | Not supported | Supported | Supported | Secret management |
| Secret management | Secret tag | Not supported | Not supported | Supported | Supported | Secret management |
| Secret management | Secret value retrieval | Not supported | Not supported | Supported | Supported | Secret client, Secret JDBC client, and RAM secret plug-in |