Key Management Service (KMS) uses the following terms throughout its documentation and APIs.
Key Service
Key Service is the core component of KMS that fully manages and protects your keys. It supports data encryption and digital signature operations through cloud-native API calls, without requiring you to manage underlying infrastructure.
For details, see Overview.
Customer master key (CMK)
A customer master key (CMK) is used to:
Encrypt data keys and generate encrypted data keys (EDKs)
Directly encrypt small volumes of data
To create a CMK, call the CreateKey operation.
Key material
Key material is the cryptographic raw material used in all KMS encryption and decryption operations. Keep it confidential — exposing key material compromises all data protected by the corresponding CMK.
A CMK consists of three components: a key ID, basic metadata, and key material. By default, KMS generates key material when you create a CMK (Origin: Aliyun_KMS). To use your own key material, set Origin: EXTERNAL when creating the CMK, then import the external key material.
Key material can be encrypted by using private keys of asymmetric cryptographic algorithms or by using symmetric cryptographic algorithms.
For details, see Import key material.
Envelope encryption
Envelope encryption protects large volumes of data by combining a CMK with a short-lived data key:
Call GenerateDataKey or GenerateDataKeyWithoutPlaintext to generate a symmetric data key. KMS uses the specified CMK to encrypt the data key, producing an encrypted data key (EDK).
Use the plaintext data key locally to encrypt your data, then discard the plaintext.
Store the EDK alongside the encrypted data. The EDK is safe to store and transmit over unsecured channels.
To decrypt, call the Decrypt operation to recover the plaintext data key from the EDK, then decrypt your data locally.
For details, see Use envelope encryption to encrypt and decrypt local data.
Data key
A data key is a plaintext symmetric key used to encrypt your data locally. Call GenerateDataKey to generate a data key — KMS returns both the plaintext and the CMK-encrypted ciphertext of the key. Use the plaintext to encrypt data, then discard it. Store only the ciphertext (the EDK).
Encrypted data key (EDK)
An encrypted data key (EDK), also called an enveloped data key, is the ciphertext version of a data key. It is produced when a CMK encrypts a data key during envelope encryption.
If you do not require the plaintext of a data key, call GenerateDataKeyWithoutPlaintext to get only the EDK.
Hardware security module (HSM)
A hardware security module (HSM) is a dedicated hardware device that performs cryptographic operations and securely stores keys. KMS provides the Managed HSM feature, which gives you access to certified HSMs that meet regulatory testing and validation requirements, ensuring high security for keys managed in KMS.
For details, see Overview.
Encryption context
An encryption context is a set of key-value pairs that KMS uses as additional authenticated data (AAD) in symmetric encryption operations. It implements authenticated encryption with associated data (AEAD), as defined in RFC 5116.
The encryption context is not encrypted itself, but it is cryptographically bound to the ciphertext — decryption fails if the context does not match. Use it to improve the integrity and authenticity of your encrypted data.
For details, see EncryptionContext.
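The envelope-encryption flow above and the encryption-context binding, together in one added Go example that is not Alibaba Cloud's code or SDK: a local stand-in for a CMK wraps a fresh data key with AES-GCM using the serialised context as AAD, the caller encrypts data locally with the plaintext key and keeps only the EDK, and Decrypt rejects an EDK presented with a different context. CMK, GenerateDataKey, Decrypt, seal, open and the key material are constructed here for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type CMK struct{ material []byte }                                           // stand-in for a KMS CMK; constructed here, real material never leaves KMS
func ctxAAD(ctx map[string]string) []byte { return []byte(fmt.Sprint(ctx)) } // fmt prints map keys sorted, so equal contexts give identical AAD

// mustGCM builds AES-GCM; aes.NewCipher fails only on a bad key length, a programming error here.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal returns nonce||ciphertext||tag; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	g := mustGCM(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // Go 1.24+ guarantees rand.Read never fails (the program aborts instead)
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; it fails if the key, the tag or the aad does not match.
func open(key, sealed, aad []byte) ([]byte, error) {
	g := mustGCM(key)
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// GenerateDataKey mirrors the KMS operation: a fresh 256-bit data key plus its EDK, bound to ctx as AAD.
func (c *CMK) GenerateDataKey(ctx map[string]string) (plain, edk []byte) {
	plain = make([]byte, 32)
	rand.Read(plain)
	return plain, seal(c.material, plain, ctxAAD(ctx))
}

// Decrypt unwraps an EDK; the GCM tag check fails when ctx differs from the context used at wrap time.
func (c *CMK) Decrypt(edk []byte, ctx map[string]string) ([]byte, error) {
	return open(c.material, edk, ctxAAD(ctx))
}
```

Presenting the EDK with a missing or altered context yields GCM's authentication error rather than a silently wrong data key, which is the property the encryption context provides.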
Secrets Manager
Secrets Manager is the KMS component for managing secrets throughout their lifecycle. Applications retrieve secrets through secure API calls, eliminating the need to hardcode sensitive values in configuration files or source code.
For details, see Overview.
Application access point (AAP)
An application access point (AAP) is the mechanism that KMS uses to authenticate the identity of the user that accesses KMS resources.
For details, see Manage AAPs.
Certificates Manager
Certificates Manager provides a highly available system for managing keys and certificates. Use it to generate and verify digital signatures, and to obtain certificates for your applications.
For details, see Overview.
Dedicated KMS
Dedicated KMS is a fully customizable key management deployment. With Dedicated KMS, you can:
Specify the virtual private cloud (VPC) where KMS is deployed
Configure the cryptographic resource pool
Define role-based access control (RBAC) policies for application access
For details, see Overview.
Secrets
Secrets are sensitive credentials that applications use to authenticate to external services. Examples include database usernames and passwords, SSH keys, sensitive endpoint addresses, and Alibaba Cloud AccessKey pairs.
Store secrets in Secrets Manager to manage their access and lifecycle centrally.