Every encryption key needs protecting. And the key that protects your encryption key needs protecting too. Eventually, this chain leads to a root key that sits at the top of the hierarchy—the one that, if compromised, exposes everything. Key Management Service (KMS) secures that root key, and every key below it, so you can focus on building instead of managing cryptographic infrastructure.
Compared with self-managed key management infrastructure (KMI), KMS offers deep cloud integration, simplified encryption workflows, high reliability, and lower total cost of ownership.
Cloud service integration
KMS is built into the Alibaba Cloud ecosystem, not bolted on.
Authentication and access control
KMS authenticates requests using AccessKey pairs and integrates with Resource Access Management (RAM). Configure RAM policies to define exactly who can access which keys under which conditions; KMS accepts a request only when the caller is authenticated and the request passes RAM's policy checks, including any attribute-based access control (ABAC) conditions. For details, see Use RAM to control access to KMS resources.
Key usage auditing
KMS integrates with ActionTrail, giving you a full record of recent key usage. Store this audit data in Object Storage Service (OSS) for long-term compliance requirements. For details, see Use ActionTrail to query KMS event logs.
Encryption for Alibaba Cloud services
KMS integrates with Elastic Compute Service (ECS), ApsaraDB for RDS, OSS, and other Alibaba Cloud services. Use customer master keys (CMKs) in KMS to encrypt and control data stored in these services without implementing your own encryption stack. These services encrypt data with AES-256 and can use either service-managed keys or user-managed keys, including keys imported through Bring Your Own Key (BYOK). For the full list of supported services, see Integration with KMS and Alibaba Cloud services that can be integrated with KMS.
Ease of use
Simple encryption API
KMS abstracts complex cryptographic operations into straightforward API calls. For applications that need a key hierarchy, use envelope encryption: KMS generates a data key (DK) online and returns it together with a copy wrapped under a CMK, which acts as the key encryption key (KEK). The application encrypts local data offline with the plaintext DK, discards it, and stores only the wrapped DK next to the ciphertext. For a walkthrough, see Use envelope encryption to encrypt and decrypt local data.
Centralized key management
All keys live in one place. You can:
Create a CMK and control access with RAM
Audit key usage with ActionTrail
Import keys from your on-premises KMI or from hardware security modules (HSMs) in Data Encryption Service
Bring Your Own Key (BYOK)
Import existing keys into KMS to encrypt data on the cloud while keeping control over where the key material originates. Supported sources:
Keys from your on-premises KMI
Keys from user-managed HSMs in Alibaba Cloud Data Encryption Service
When you create a CMK with external key material, KMS does not generate the key; you must import it. Keys imported into managed HSMs in KMS cannot be exported. KMS uses secure key exchange algorithms that prevent operators and third parties from accessing key plaintext. For details, see Import key material and Key control.
Automatic key rotation
KMS supports automatic rotation of symmetric encryption keys. Set a custom rotation cycle on a CMK, and KMS generates new key versions automatically. Each CMK can hold multiple versions: the latest (primary) version encrypts new data, while older versions remain available to decrypt existing ciphertext. Rotation does not re-encrypt data that was already encrypted, so older versions must stay available until that data is re-encrypted or deleted. For details, see Automatic key rotation.
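As an added example (not Alibaba Cloud's code or SDK), the Go program below implements the envelope-encryption flow from the Simple encryption API section on top of a versioned key hierarchy like the one described here. KMS itself is replaced by an in-memory stand-in (simKMS) so the program runs offline: its GenerateDataKey and Decrypt methods follow the shape of the KMS operations of the same names, but the one-byte version prefix on the wrapped key, the AES-256-GCM wrapping, and the sample record are all assumptions of this example. It shows that a new key version takes over for new data while an envelope wrapped under the old version still decrypts, that the plaintext data key is wiped after use, and that a wrapped key cannot be paired with a different ciphertext.

```go
// Added example, not Alibaba Cloud code: envelope encryption over a versioned KEK.
// simKMS stands in for the KMS API so this runs offline; CMK versions never leave it.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// randomBytes draws n bytes from the OS CSPRNG; failure here is unrecoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds AES-256-GCM; every key here is 32 bytes, so an error would be a bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// aeadSeal returns nonce || ciphertext || tag; aad is authenticated, not encrypted.
func aeadSeal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// aeadOpen reverses aeadSeal; any change to nonce, ciphertext, tag or aad fails.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("sealed blob too short")
}

// simKMS holds the CMK as 256-bit versions; the last entry is the primary version.
// Rotate adds a new primary; older versions stay so data they wrapped still decrypts.
type simKMS struct{ versions [][]byte }

func (k *simKMS) Rotate() { k.versions = append(k.versions, randomBytes(32)) }

// GenerateDataKey mirrors the KMS call of that name: a fresh plaintext DK plus the same
// DK wrapped by the primary version. The one-byte version id prefix is an assumption.
func (k *simKMS) GenerateDataKey() (plainDK, wrappedDK []byte, err error) {
	if len(k.versions) == 0 || len(k.versions) > 256 {
		return nil, nil, errors.New("CMK has no usable version")
	}
	primary := byte(len(k.versions) - 1)
	dk := randomBytes(32)
	return dk, append([]byte{primary}, aeadSeal(k.versions[primary], dk, nil)...), nil
}

// Decrypt unwraps a DK with whichever CMK version wrapped it; unknown ids are rejected.
func (k *simKMS) Decrypt(wrappedDK []byte) ([]byte, error) {
	if len(wrappedDK) == 0 || int(wrappedDK[0]) >= len(k.versions) {
		return nil, errors.New("unknown CMK version")
	}
	return aeadOpen(k.versions[wrappedDK[0]], wrappedDK[1:], nil)
}

// Envelope is what the application persists: the wrapped DK beside the ciphertext.
type Envelope struct{ WrappedDK, Ciphertext []byte }

func zero(b []byte) { // wipe a plaintext DK once it is no longer needed
	for i := range b {
		b[i] = 0
	}
}

// EnvelopeEncrypt gets a DK from KMS, encrypts locally, then wipes the plaintext DK.
// The wrapped DK is bound to the ciphertext as aad so the two cannot be mixed up.
func EnvelopeEncrypt(k *simKMS, plaintext []byte) (Envelope, error) {
	dk, wrapped, err := k.GenerateDataKey()
	if err != nil {
		return Envelope{}, err
	}
	defer zero(dk)
	return Envelope{WrappedDK: wrapped, Ciphertext: aeadSeal(dk, plaintext, wrapped)}, nil
}

// EnvelopeDecrypt asks KMS to unwrap the DK, then decrypts locally.
func EnvelopeDecrypt(k *simKMS, e Envelope) ([]byte, error) {
	dk, err := k.Decrypt(e.WrappedDK)
	if err != nil {
		return nil, err
	}
	defer zero(dk)
	return aeadOpen(dk, e.Ciphertext, e.WrappedDK)
}

// RotationDemo encrypts a record, rotates the CMK, encrypts again, and checks that the
// pre-rotation envelope still decrypts. It returns the version id each envelope used.
func RotationDemo() (beforeVer, afterVer int, oldStillDecrypts bool, err error) {
	kms := &simKMS{}
	kms.Rotate() // version 0
	record := []byte("constructed sample record: patient-id=12345") // constructed input
	env1, err1 := EnvelopeEncrypt(kms, record)
	kms.Rotate() // version 1 becomes primary; version 0 is retained
	env2, err2 := EnvelopeEncrypt(kms, record)
	pt, err3 := EnvelopeDecrypt(kms, env1) // old envelope after rotation
	for _, e := range []error{err1, err2, err3} {
		if e != nil {
			return 0, 0, false, e
		}
	}
	return int(env1.WrappedDK[0]), int(env2.WrappedDK[0]), string(pt) == string(record), nil
}
```

Two points carry over to production: rotation only changes which version wraps new data keys, so the old version and the wrapped DK stored beside each ciphertext must be kept until that data is re-encrypted; and the application never persists the plaintext DK, only the wrapped copy that KMS alone can open.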
High reliability, availability, and scalability
KMS is a fully managed distributed service. In each region, KMS runs multi-zone redundant cryptographic computing infrastructure, keeping latency low for Alibaba Cloud services and custom applications alike. Keys are scoped to a region; create them in each region where you need them, with no capacity planning or infrastructure scaling required.
Security and compliance
KMS is designed and verified to meet strict security requirements. All access is TLS-only, using secure cipher suites. It complies with security standards such as PCI DSS.
KMS provides cryptographic facilities verified and certified by regulatory agencies. It offers HSMs that are tested and certified by the State Cryptography Administration (SCA) or have passed FIPS 140-2 Level 3 validation. For details, see Compliance and the HSM overview.
Keys are hosted in HSMs, adding a hardware-backed layer of protection.
Low costs
With KMS, you pay for what you use—no upfront hardware investment. Specifically, KMS eliminates:
The purchase, operation, maintenance, repair, and replacement costs of dedicated HSM hardware
The engineering cost of building and maintaining highly available cryptographic device clusters
The development overhead of integrating a data encryption system into each cloud service
Manage your keys in KMS and get controllable, auditable data encryption across Alibaba Cloud services without building it yourself.