Alibaba Cloud services can use service-managed keys or user-managed keys — including keys imported through Bring Your Own Key (BYOK) — to encrypt data. This page lists all services that support Key Management Service (KMS) integration, organized by encryption scenario.
If you use a KMS-integrated Alibaba Cloud service and want to apply service-managed or user-managed keys, you do not need to purchase Dedicated KMS separately.
## Workload data encryption
| Service | Encryption details | Key types supported | References |
|---|---|---|---|
| Elastic Compute Service (ECS) | Encrypts disk data using envelope encryption. Each disk has its own customer master key (CMK) and data key. Encryption and decryption run on the host, so disk performance is not affected. Encrypted disks protect: static data stored on the disk, data transmitted between the disk and the instance, and all snapshots created from the disk. Data in the instance operating system is not encrypted. | Service-managed keys; user-managed keys | Overview |
| Container Service for Kubernetes (ACK) | Supports server-side encryption (SSE) via KMS for two data types: Kubernetes Secrets (sensitive data stored in etcd, such as passwords, Transport Layer Security (TLS) certificates, and Docker credentials) and volumes (disks, Object Storage Service (OSS) buckets, or File Storage NAS file systems, each encrypted using the SSE method for that volume type). | Service-managed keys; user-managed keys | Use KMS to encrypt Kubernetes Secrets |
| Web App Service | Encrypts sensitive configuration data, such as ApsaraDB RDS access credentials. | — | None |
## Persistent storage encryption
| Service | Encryption details | Key types supported | References |
|---|---|---|---|
| Object Storage Service (OSS) | Encrypts data on upload and decrypts on download. OSS declares server-side encryption in the HTTP response header. Two modes are available: SSE-OSS uses an encryption system dedicated to OSS (keys are not managed by OSS and are not auditable via ActionTrail); SSE-KMS uses KMS keys and supports audit. Configure a default CMK per bucket or specify a CMK per object at upload time. | Service-managed keys (SSE-KMS); user-managed keys (SSE-KMS) | Server-side encryption; SDK reference |
| File Storage NAS | Encrypts data using envelope encryption by default. Each volume has its own CMK and data key. | Service-managed keys | Server-side encryption |
| Tablestore | Encrypts data using envelope encryption by default. Each table has its own CMK and data key. | Service-managed keys; user-managed keys | None |
| Cloud Storage Gateway (CSG) | Encrypts data using OSS-based encryption. | — | Manage shares |
## Database encryption

ApsaraDB RDS supports two encryption methods. The other database services listed below follow the same model.

- **Disk encryption**: Provided free of charge. Encrypts disks at the block storage level. Keys are encrypted and stored in KMS; ApsaraDB RDS reads them only when starting or migrating an instance.
- **Transparent data encryption (TDE)**: Supported for ApsaraDB RDS for MySQL and ApsaraDB RDS for SQL Server. Keys are encrypted and stored in KMS; ApsaraDB RDS reads them only when starting or migrating an instance. After you enable TDE, you can specify the database or table to be encrypted. Data is encrypted before being written to the target device (disk, solid-state drive (SSD), or Peripheral Component Interconnect Express (PCIe) card) or service (such as OSS). All data files and backups are stored in ciphertext.
| Service | Encryption details | Key types supported | References |
|---|---|---|---|
| ApsaraDB RDS | Supports disk encryption (free) and TDE (MySQL and SQL Server). | Service-managed keys; user-managed keys | ApsaraDB RDS for MySQL: Use the cloud disk encryption feature and Configure TDE; ApsaraDB RDS for SQL Server: Configure the cloud disk encryption feature and Configure TDE; ApsaraDB RDS for PostgreSQL: Use the cloud disk encryption feature |
| ApsaraDB for MongoDB | Supports the same encryption methods as ApsaraDB RDS. | Service-managed keys; user-managed keys | Configure TDE for an instance |
| PolarDB | Supports the same encryption methods as ApsaraDB RDS. | Service-managed keys; user-managed keys | PolarDB for MySQL: Configure TDE for a PolarDB cluster; PolarDB for Oracle: Configure TDE; PolarDB for PostgreSQL: Configure TDE |
| ApsaraDB for OceanBase | Supports the same encryption methods as ApsaraDB RDS. | Service-managed keys; user-managed keys | Enable TDE |
| Tair (Redis OSS-compatible) | Supports the same encryption methods as ApsaraDB RDS. | Service-managed keys; user-managed keys | Enable TDE |
## Log data encryption
| Service | Encryption details | Key types supported | References |
|---|---|---|---|
| ActionTrail | Encrypts trail events delivered to OSS. Enable encryption when creating a single-account or multi-account trail in the ActionTrail console. | — | Create a single-account trail; Create a multi-account trail |
| Log Service | Encrypts data for secure storage. | — | Data encryption |
## Big data and AI
| Service | Encryption details | Key types supported | References |
|---|---|---|---|
| MaxCompute | Encrypts stored data. | Service-managed keys; user-managed keys | Storage encryption |
| Machine Learning Platform for AI (PAI) | Apply SSE to each service in the PAI data pipeline — computing engines, ACK, and data storage services — to protect data throughout the pipeline. | Depends on the underlying service | None |
## Other scenarios
| Service | Encryption details | Key types supported | References |
|---|---|---|---|
| Alibaba Cloud CDN (CDN) | When an OSS bucket is the origin server, protects distributed content using OSS-based SSE. For details on granting CDN access to an encrypted OSS bucket, see the CDN documentation. | Depends on OSS encryption mode | Configure access to private OSS buckets |
| ApsaraVideo for Media Processing (MTS) | Supports two encryption methods: Alibaba Cloud proprietary cryptography and HTTP Live Streaming (HLS) encryption. Both can integrate with KMS to protect video content. | — | None |
| ApsaraVideo VOD | Supports Alibaba Cloud proprietary cryptography and HLS encryption. Both can integrate with KMS to protect video content. | — | Alibaba Cloud proprietary cryptography; HLS encryption |