KMS API Operations Organized by Function - Key Management Service - Alibaba Cloud - Key Management Service

The following tables list all API operations available in Key Management Service (KMS), organized by function.

Key service operations

Customer master key (CMK) management operations create and modify CMKs and manage their lifecycles.

Operation	Description
CreateKey	Creates a CMK using key material generated by KMS, or imports external key material (Bring Your Own Key, BYOK). This is the first step of BYOK.
GetParametersForImport	Returns the parameters required to import key material. This is the second step of BYOK.
ImportKeyMaterial	Imports key material into a CMK. This is the final step of BYOK.
EnableKey	Sets a CMK to the Enabled state.
DisableKey	Sets a CMK to the Disabled state.
SetDeletionProtection	Enables or disables deletion protection for a CMK.
ScheduleKeyDeletion	Schedules a CMK for deletion. The CMK enters the Pending Deletion state and is deleted automatically after the waiting period elapses.
CancelKeyDeletion	Cancels a scheduled CMK deletion before the waiting period elapses. The CMK returns to the Enabled state.
DeleteKeyMaterial	Deletes key material that is imported from an external source. The CMK enters the Pending Import state.
DescribeKey	Returns the details of a CMK.
ListKeys	Lists all CMKs in the current region for the current Alibaba Cloud account.
UpdateKeyDescription	Updates the description of a CMK.

Key version management operations rotate CMKs by creating and querying key versions.

Operation	Description
DescribeKeyVersion	Returns the details of a key version.
ListKeyVersions	Lists all versions of a CMK.
UpdateRotationPolicy	Updates the rotation policy of a symmetric CMK. When automatic rotation is enabled, KMS generates a new key version on a regular basis.
CreateKeyVersion	Creates a key version for an asymmetric CMK.

Use these operations to encrypt, decrypt, and sign data with CMKs.

Operation	Description
Encrypt	Encrypts up to 6 KB of data using a symmetric CMK.
GenerateDataKey	Generates a data key and returns both the plaintext and the ciphertext encrypted by a specified CMK. Use the data key to encrypt large amounts of local data.
GenerateDataKeyWithoutPlaintext	Generates a data key and returns only the ciphertext encrypted by a specified CMK, without returning the plaintext.
ExportDataKey	Encrypts a data key with a specified public key and exports it.
GenerateAndExportDataKey	Generates a data key and returns two ciphertext copies: one encrypted by a specified CMK and one encrypted by a specified public key.
Decrypt	Decrypts ciphertext produced by Encrypt or GenerateDataKey. No CMK ID is required for decryption.
ReEncrypt	Re-encrypts ciphertext under a different CMK. KMS decrypts the specified ciphertext and then uses a different CMK to encrypt the generated plaintext or data key.
AsymmetricSign	Generates a digital signature using the private key of an asymmetric CMK.
AsymmetricVerify	Verifies a digital signature using the public key of an asymmetric CMK.
AsymmetricDecrypt	Decrypts data using the private key of an asymmetric CMK.
AsymmetricEncrypt	Encrypts data using the public key of an asymmetric CMK.
GetPublicKey	Returns the public key of an asymmetric CMK for offline encryption or signature verification.

An alias is a human-readable name bound to a single CMK. Pass an alias as the KeyId parameter value in place of a key ID.

Operation	Description
CreateAlias	Creates an alias and binds it to a CMK.
UpdateAlias	Binds an existing alias to a different CMK.
DeleteAlias	Deletes an alias.
ListAliases	Lists all aliases in the current region for the current Alibaba Cloud account.
ListAliasesByKeyId	Lists all aliases bound to a specified CMK.

Secrets Manager operations manage, protect, distribute, and rotate secrets.

Operation	Description
CreateSecret	Creates a secret and stores the initial secret value.
ListSecrets	Lists all secrets in the current region for the current Alibaba Cloud account.
DeleteSecret	Deletes a secret.
DescribeSecret	Returns the metadata of a secret.
GetSecretValue	Returns the value of a secret.
PutSecretValue	Stores a new secret value as a new version.
UpdateSecret	Updates the metadata of a secret.
UpdateSecretVersionStage	Updates the stage label that marks a secret version.
RestoreSecret	Restores a deleted secret.
ListSecretVersionIds	Lists all versions of a secret.
GetRandomPassword	Returns a randomly generated password string.

Certificate operations create, manage, and use certificates stored in Certificates Manager.

Operation	Description
CreateCertificate	Creates a certificate.
UploadCertificate	Imports a certificate and certificate chain issued by a certificate authority (CA) into Certificates Manager.
GetCertificate	Returns a certificate managed by Certificates Manager.
DescribeCertificate	Returns the details of a certificate.
UpdateCertificateStatus	Updates the status of a certificate.
DeleteCertificate	Deletes a certificate along with its private key and certificate chain.

Operation	Description
CertificatePrivateKeySign	Generates a digital signature using a specified certificate.
CertificatePublicKeyVerify	Verifies a digital signature using a specified certificate.
CertificatePublicKeyEncrypt	Encrypts data using a specified certificate.
CertificatePrivateKeyDecrypt	Decrypts data using a specified certificate.

Tags are key-value pairs (TagKey and TagValue) that you can attach to CMKs, secrets, and certificates.

Operation	Description
TagResource	Adds tags to or updates existing tags on a CMK, secret, or certificate.
UntagResource	Removes a tag from a CMK, secret, or certificate.
ListResourceTags	Lists all tags on a CMK, secret, or certificate.

Operation	Description
DescribeRegions	Lists regions available to the current Alibaba Cloud account.
OpenKmsService	Activates KMS for the current Alibaba Cloud account.
DescribeAccountKmsStatus	Returns the status of KMS for the current Alibaba Cloud account.