Key Management Service (KMS) helps you solve four categories of security problems: encrypting sensitive application data, securing cloud infrastructure, meeting cryptographic compliance requirements, and enabling third-party encryption for independent software vendors (ISVs). Find your role below to jump to the right solution.

| Role | Problem to solve | Scenario |
|---|---|---|
| Application developer | Protect sensitive data in applications | Encrypt and protect sensitive data |
| IT O&M engineer | Secure cloud computing and storage resources | Manage the cloud computing and storage environment |
| Chief Security Officer (CSO) | Meet cryptographic compliance requirements | Meet compliance requirements |
| Independent software vendor (ISV) | Provide third-party encryption to customers | Provide a third-party encryption solution |

Encrypt and protect sensitive data

Alibaba Cloud provides four encryption methods. Choose based on your data size, throughput requirements, and how you want to manage secrets.

| Method | When to use | How it works | References |
|---|---|---|---|
| Envelope encryption | High queries per second (QPS) workloads, or data too large to encrypt directly — for example, mobile phone numbers and ID card numbers | KMS stores your customer master keys (CMKs) and never exposes them. Deploy only the enveloped data keys (EDKs). KMS decrypts an EDK to return a plaintext data key (DK); use the DK to encrypt or decrypt data locally. Alternatively, use the Encryption SDK, which wraps this pattern for you. | Use envelope encryption to encrypt and decrypt local data and Quick start of Encryption SDK for Java |
| Direct encryption | Low-QPS workloads with data no larger than 6 KB — for example, AccessKey pairs and database credentials | Call the KMS encryption API to encrypt data directly with a CMK. | Use a KMS CMK to encrypt and decrypt data |
| Server-side encryption (SSE) | Data stored in Alibaba Cloud services — for example, Object Storage Service (OSS) buckets with sensitive content or ApsaraDB RDS tables with transparent data encryption (TDE) | Enable the SSE feature of the target Alibaba Cloud service. The service encrypts data before writing it to storage and decrypts it on read, using KMS to manage the underlying keys. | Alibaba Cloud services that can be integrated with KMS |
| Secrets Manager | Secrets with a lifecycle — passwords, tokens, SSH keys, and AccessKey pairs | Host secrets in Secrets Manager and access them through application-level security controls. Configure dynamic rotation to limit exposure if a secret leaks. | Rotate generic secrets and Overview of dynamic ApsaraDB RDS secrets |

Envelope encryption vs. direct encryption

Use envelope encryption when throughput or data size is a concern: your application obtains a data key from KMS, encrypts the data locally, and stores the enveloped data key (EDK) alongside the ciphertext, so only the small EDK ever travels to KMS. Use direct encryption when your data is no larger than 6 KB and your QPS is below the KMS throttling threshold; KMS encrypts the data directly and returns the ciphertext.
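The two patterns above, written out as an added example (not Alibaba Cloud or SDK code). `KmsStandIn` mimics the three KMS operations the pattern needs (GenerateDataKey, Encrypt, Decrypt) so the code runs offline: the customer master key exists only inside that object, as a CMK exists only inside KMS. The local cipher is a constructed HMAC-SHA256 counter-mode stream with an HMAC tag, a stand-in for the AES-GCM a real SDK would use; `protect()` routes by the 6 KB limit and a QPS hint, as the text describes. All key IDs and sample inputs are constructed.

```python
"""Envelope vs. direct encryption with a stand-in for KMS (added example)."""
import hashlib
import hmac
import os
import secrets

DIRECT_LIMIT = 6 * 1024  # direct-encryption size limit stated on the page
KEY_ID_LEN = 16          # hex characters in the constructed key IDs


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed stand-in cipher: HMAC-SHA256 in counter mode, NOT AES.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class KmsStandIn:
    """Holds CMKs; callers only ever see key IDs and ciphertext."""

    def __init__(self):
        self._cmks = {}
        self.calls = []  # (operation, key_id): what KMS would record in ActionTrail

    def create_key(self) -> str:
        key_id = secrets.token_hex(KEY_ID_LEN // 2)
        self._cmks[key_id] = os.urandom(32)
        return key_id

    def encrypt(self, key_id: str, plaintext: bytes) -> bytes:
        if len(plaintext) > DIRECT_LIMIT:
            raise ValueError("plaintext exceeds the direct-encryption limit")
        self.calls.append(("Encrypt", key_id))
        return key_id.encode() + seal(self._cmks[key_id], plaintext)

    def decrypt(self, ciphertext: bytes) -> bytes:
        # Like the real Decrypt operation, the key is identified from the ciphertext.
        key_id = ciphertext[:KEY_ID_LEN].decode()
        self.calls.append(("Decrypt", key_id))
        return unseal(self._cmks[key_id], ciphertext[KEY_ID_LEN:])

    def generate_data_key(self, key_id: str):
        """Return (plaintext data key, enveloped data key)."""
        self.calls.append(("GenerateDataKey", key_id))
        dk = os.urandom(32)
        return dk, key_id.encode() + seal(self._cmks[key_id], dk)


def protect(kms: KmsStandIn, key_id: str, plaintext: bytes, high_qps: bool = False) -> dict:
    """Route as the page describes: direct for small, low-QPS data; envelope otherwise."""
    if len(plaintext) <= DIRECT_LIMIT and not high_qps:
        return {"mode": "direct", "ciphertext": kms.encrypt(key_id, plaintext)}
    dk, edk = kms.generate_data_key(key_id)
    ciphertext = seal(dk, plaintext)  # local encryption; KMS never sees the data
    # Only the EDK is stored with the ciphertext; the plaintext DK is dropped here.
    return {"mode": "envelope", "edk": edk, "ciphertext": ciphertext}


def unprotect(kms: KmsStandIn, record: dict) -> bytes:
    if record["mode"] == "direct":
        return kms.decrypt(record["ciphertext"])
    dk = kms.decrypt(record["edk"])  # the only KMS round trip on the read path
    return unseal(dk, record["ciphertext"])


def tamper_rejected(kms: KmsStandIn, record: dict) -> bool:
    """True if flipping one ciphertext byte makes unprotect() fail, as it must."""
    ct = bytearray(record["ciphertext"])
    ct[-1] ^= 0x01
    try:
        unprotect(kms, {**record, "ciphertext": bytes(ct)})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    kms = KmsStandIn()
    kid = kms.create_key()
    rec = protect(kms, kid, b"phone=13800000000;" * 2000)  # constructed, > 6 KB
    print(rec["mode"], "calls:", kms.calls)
```

Note the call log: an envelope write costs one GenerateDataKey, an envelope read costs one Decrypt of a 32-byte key regardless of data size, while direct mode sends every byte of the payload to KMS on both paths. That asymmetry is why the text steers high-QPS and large-data workloads to envelope encryption.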

Manage the cloud computing and storage environment

Cloud infrastructure is shared across tenants, so physical security boundaries are not available. Use KMS to establish a cryptographic boundary instead: integrate KMS with Alibaba Cloud services via SSE, manage CMK lifecycles and access control policies centrally, and audit key usage through ActionTrail.

| Scenario | When to use | How it works | References |
|---|---|---|---|
| Elastic Compute Service (ECS) | Protect system disks, data disks, snapshots, and images | Authorize ECS to use KMS keys. ECS encrypts disks and snapshots automatically. Starting an ECS instance requires decrypting both the system disk and the data disk. Snapshots of encrypted disks are also encrypted. | Overview |
| Persistent storage | Protect data in ApsaraDB RDS, OSS, and File Storage NAS | Integrate KMS with persistent storage services using client-side encryption or SSE. Supported algorithms include Advanced Encryption Standard (AES) and SM. Any read request requires KMS to decrypt data first, keeping redundant copies in distributed storage confidential. | — |
| Other Alibaba Cloud services | Protect data across multiple cloud services | Multiple Alibaba Cloud services support KMS integration. | Alibaba Cloud services that can be integrated with KMS |

Meet compliance requirements

Compliance frameworks typically require one of two things: cryptographic protection as a hard requirement, or cryptographic protection as a scoring factor that strengthens your compliance posture. KMS addresses both with the following features.

| Feature | Description | References |
|---|---|---|
| Cryptographic compliance | KMS supports managed hardware security modules (HSMs): third-party hardware devices certified by regulatory agencies, validated by the State Cryptography Administration (SCA) and to FIPS 140-2 Level 3. HSMs run in an approved security mode. | Overview and Use managed HSMs |
| Key rotation | KMS supports automatic rotation of encryption keys. Configure custom rotation policies to align with your data security specifications. | Overview and Automatic key rotation |
| Secrets rotation | Use Secrets Manager to rotate passwords, AccessKey pairs, and other secrets on a schedule. Rotation limits the blast radius of a credential leak. | Rotate generic secrets |
| Data confidentiality | Encrypt personal data to prevent exposure if your system is compromised, and to satisfy data protection regulations. | — |
| Data integrity | KMS integrates with Log Service and ActionTrail. Encrypting service logs prevents tampering and ensures both confidentiality and integrity of log data. | — |
| Authentication and access control | KMS integrates with Resource Access Management (RAM) for centralized authentication and authorization. | Use RAM to control access to KMS resources |
| Key usage auditing | KMS stores all API call records in ActionTrail for compliance auditing. | Use ActionTrail to query KMS event logs |

Provide a third-party encryption solution

As an ISV, integrate KMS so that your customers — not you — own and control the encryption keys protecting their data. KMS acts as the security boundary between you and your customers: customers generate and manage their own keys, authorize your service to use specific keys, and audit every key operation independently.

| Role | Responsibilities | References |
|---|---|---|
| Customer administrator | Generate keys in KMS and manage their lifecycle. Use RAM to control key permissions. Grant the ISV access to specific keys through cross-account resource authorization. | Use a RAM role to grant permissions across Alibaba Cloud accounts |
| ISV | Integrate KMS and use the keys authorized by the customer to encrypt and protect customer data. | List of operations by function |
| Customer auditor | Use ActionTrail to audit key usage records in KMS. | Use ActionTrail to query KMS event logs |
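The customer administrator's and customer auditor's roles above, and the RAM access-control and ActionTrail auditing rows of the compliance table, as an added example (not Alibaba Cloud code). `build_isv_grant()` produces the two RAM policy documents the administrator needs: the trust policy that lets the ISV's account assume a role, and the permission policy that restricts that role to named KMS actions on one key. `audit_key_usage()` replays key-usage events in a constructed, simplified record shape (not ActionTrail's exact schema) and reports calls by the ISV role that fall outside the grant. The action names are the KMS operations the page mentions; the ARN layouts `acs:ram::<account>:root` and `acs:kms:<region>:<account>:key/<key-id>` are assumptions and should be checked against the RAM policy reference. Account IDs, key IDs and events are constructed.

```python
"""Cross-account key grant and key-usage audit (added example)."""

DEFAULT_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")


def build_isv_grant(customer_account, isv_account, region, key_id, actions=DEFAULT_ACTIONS):
    """Return (trust_policy, permission_policy) for a role the ISV account may assume.

    ARN layouts are assumed from RAM conventions; verify against the RAM reference."""
    trust_policy = {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"RAM": [f"acs:ram::{isv_account}:root"]},
        }],
    }
    permission_policy = {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions),                     # only the operations the ISV needs
            "Resource": [f"acs:kms:{region}:{customer_account}:key/{key_id}"],  # one key
        }],
    }
    return trust_policy, permission_policy


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Flag Allow statements that are wider than one key and a named set of operations."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if any(a in ("*", "kms:*") for a in _as_list(st["Action"])):
            findings.append("wildcard action")
        if any(r == "*" or r.endswith("key/*") for r in _as_list(st.get("Resource", []))):
            findings.append("wildcard resource")
    return findings


def granted(permission_policy):
    """Set of (action, key ARN) pairs the policy allows."""
    pairs = set()
    for st in permission_policy["Statement"]:
        if st.get("Effect") == "Allow":
            for a in _as_list(st["Action"]):
                for r in _as_list(st.get("Resource", [])):
                    pairs.add((a, r))
    return pairs


def audit_key_usage(events, permission_policy, isv_role_arn):
    """Return the ISV role's KMS calls that the grant does not cover.

    Denied calls are recorded too, so this is an audit of attempts, not only of
    successes: repeated out-of-grant attempts are what the auditor wants to see."""
    allowed = granted(permission_policy)
    violations = []
    for ev in events:
        if ev["principalArn"] != isv_role_arn or ev["service"] != "Kms":
            continue  # the customer's own administrators are outside this check
        if ("kms:" + ev["eventName"], ev["keyArn"]) not in allowed:
            violations.append({**ev, "reason": "outside grant"})
    return violations


# Constructed sample trail: one customer account, one ISV role, two keys.
CUSTOMER, ISV, REGION = "1111", "2222", "cn-hangzhou"
ISV_ROLE = f"acs:ram::{CUSTOMER}:role/isv-encryption-role"
KEY_A = f"acs:kms:{REGION}:{CUSTOMER}:key/key-a-constructed"
KEY_B = f"acs:kms:{REGION}:{CUSTOMER}:key/key-b-constructed"
SAMPLE_EVENTS = [
    {"service": "Kms", "eventName": "GenerateDataKey", "principalArn": ISV_ROLE, "keyArn": KEY_A, "errorCode": None},
    {"service": "Kms", "eventName": "Decrypt", "principalArn": ISV_ROLE, "keyArn": KEY_A, "errorCode": None},
    {"service": "Kms", "eventName": "Encrypt", "principalArn": ISV_ROLE, "keyArn": KEY_A, "errorCode": "Forbidden"},
    {"service": "Kms", "eventName": "Decrypt", "principalArn": ISV_ROLE, "keyArn": KEY_B, "errorCode": "Forbidden"},
    {"service": "Kms", "eventName": "DisableKey", "principalArn": f"acs:ram::{CUSTOMER}:user/admin", "keyArn": KEY_A, "errorCode": None},
]

if __name__ == "__main__":
    trust, perm = build_isv_grant(CUSTOMER, ISV, REGION, "key-a-constructed")
    print("policy findings:", policy_findings(perm))
    for v in audit_key_usage(SAMPLE_EVENTS, perm, ISV_ROLE):
        print("review:", v["eventName"], v["keyArn"], v["errorCode"])
```

The division of labour matches the table: the administrator issues the grant and can run `policy_findings()` on it before attaching it, the ISV only ever holds the role, and the auditor runs `audit_key_usage()` over the trail without needing anything from the ISV.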