The key service is a core component of Key Management Service (KMS). It provides fully managed keys and key protection features, with cloud-native API operations for data encryption and digital signature management.
What you can do with the key service:

- Manage the full key lifecycle — Create, rotate, disable, and delete CMKs.
- Protect keys with dedicated hardware — Store key material exclusively in HSMs to meet GM/T and FIPS 140-2 Level 3 compliance requirements.
- Import your own keys — Bring keys from offline sources, other clouds, or Alibaba Cloud Data Encryption Service.
- Encrypt data without writing cryptographic code — Integrate KMS with Alibaba Cloud services through configuration, or use KMS SDK and Encryption SDK in your application.
- Sign and verify data — Use asymmetric CMKs for digital signature operations.
Key hosting and protection
| Feature | Description | Related topics |
|---|---|---|
| Manage the key lifecycle | Create, disable, and schedule deletion for CMKs. | Create a CMK, Disable a CMK, Schedule a key deletion task |
| Rotate keys | Rotate keys manually or on a schedule to limit the exposure of any single key version. | Key rotation overview, Automatic key rotation |
| Use aliases and API operations | Set an alias for a CMK to reference it by name instead of ID. Manage keys programmatically through KMS API operations. | Alias overview, Key service API operations |
| Protect keys with HSM | Set the protection level of a CMK to hardware security module (HSM) to store key material exclusively inside dedicated hardware. When HSM protection is enabled, no one can access or export the plaintext of the key material. HSM-protected keys meet GM/T and FIPS 140-2 Level 3 compliance requirements. | HSM overview, Use managed HSMs |
| Bring your own key (BYOK) | Import your own keys into KMS to meet specific security or compliance requirements. Supported key sources include keys managed offline, keys hosted in other clouds, and keys from Alibaba Cloud Data Encryption Service. | Import key material, Key control |
Data encryption
KMS provides cloud-native cryptographic API operations that are simpler to use than traditional cryptographic modules or software libraries. Multiple SDKs are available to accelerate development. For an overview of available tools, see Overview of development tools.
| Approach | Description | Related topics |
|---|---|---|
| Encrypt data in Alibaba Cloud services — no code required | KMS integrates with a variety of Alibaba Cloud services. With a few configuration steps, KMS automatically encrypts your data in those services. | Integration with KMS, Alibaba Cloud services that integrate with KMS |
| Encrypt data using KMS SDK | KMS SDK wraps KMS API operations. Use the sample code to call the Encrypt operation directly in your application. | Sample code for data encryption |
| Encrypt data using Encryption SDK | Encryption SDK is a client-side encryption library built on KMS API operations. It supports envelope encryption, which lets you encrypt large volumes of data efficiently without sending data to KMS directly. | Quick start of Encryption SDK for Java, Use envelope encryption to encrypt and decrypt local data |
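The envelope encryption pattern the Encryption SDK row describes, shown as an added example that is not code from the Alibaba Cloud SDKs or this page. The `mockKMS` type is a stand-in for the service, with `GenerateDataKey` and `Decrypt` methods named after the pattern; the CMK and the data key are assumed to be 256-bit AES keys wrapped and used with AES-GCM, which the page does not specify. The point the code makes is structural: the CMK never leaves the service, the data payload never goes to it, and only a small wrapped data key crosses between the two.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// mockKMS stands in for the service (constructed here): it holds the CMK,
// assumed to be a 256-bit AES key, and only ever returns wrapped keys.
type mockKMS struct{ cmk []byte }

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts with AES-GCM; the random nonce is prepended to the output.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to ciphertext, tag or AAD makes it fail.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// NewMockKMS generates the CMK inside the service; it is never exported.
func NewMockKMS() (*mockKMS, error) {
	cmk, err := randomBytes(32)
	return &mockKMS{cmk: cmk}, err
}

// GenerateDataKey returns a fresh data key both in plaintext and wrapped under the CMK.
func (k *mockKMS) GenerateDataKey() (plain, wrapped []byte, err error) {
	if plain, err = randomBytes(32); err == nil {
		wrapped, err = gcmSeal(k.cmk, plain, []byte("data-key"))
	}
	return plain, wrapped, err
}

// Decrypt unwraps a data key; it is the only service call needed per decrypt.
func (k *mockKMS) Decrypt(wrapped []byte) ([]byte, error) {
	return gcmOpen(k.cmk, wrapped, []byte("data-key"))
}

// Envelope is what the application stores: wrapped data key plus ciphertext.
type Envelope struct{ WrappedDataKey, Ciphertext []byte }

// EnvelopeEncrypt fetches one data key, then encrypts locally, so the payload
// itself never travels to KMS, however large it is.
func EnvelopeEncrypt(kms *mockKMS, data []byte) (*Envelope, error) {
	plain, wrapped, err := kms.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	ct, err := gcmSeal(plain, data, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// EnvelopeDecrypt unwraps the data key via the service, then decrypts locally.
func EnvelopeDecrypt(kms *mockKMS, env *Envelope) ([]byte, error) {
	plain, err := kms.Decrypt(env.WrappedDataKey)
	if err != nil {
		return nil, err
	}
	return gcmOpen(plain, env.Ciphertext, nil)
}
```

Because the wrapped data key is stored next to the ciphertext, the application keeps no long-lived secret of its own: losing access to the CMK (for example through scheduled deletion) makes every envelope unreadable, which is exactly the property key lifecycle controls rely on. GCM also rejects a modified ciphertext or wrapped key rather than returning garbage.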
Supported algorithms
KMS supports the following symmetric and asymmetric algorithms.
| Algorithm class | Algorithm | Encryption and decryption | Signature generation and verification |
|---|---|---|---|
| Symmetric | AES | Supported | Not supported |
| Symmetric | SM4 ¹ | Supported | Not supported |
| Asymmetric | RSA | Supported | Supported |
| Asymmetric | ECC | Not supported | Supported |
| Asymmetric | SM2 ¹ | Supported | Supported |
¹ Only managed HSMs in the Chinese mainland support the SM4 and SM2 algorithms. For details, see Supported regions.
Symmetric keys
Symmetric keys encrypt and decrypt data. If you do not specify the KeySpec parameter when creating a key, KMS creates a symmetric key by default. For more information, see Symmetric key overview.
Asymmetric keys
An asymmetric CMK consists of a public key and a private key. The public key can be distributed freely; the private key must be kept secure. KMS does not provide an API operation to export the private key — you can only call API operations to use it for signature generation or decryption. For more information, see Asymmetric key overview.
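The split the paragraph above describes, as an added example rather than code from this page or the Alibaba Cloud SDKs: a `signingKMS` stand-in keeps the private key, exposes only a `GetPublicKey` operation and a `Sign` operation, and the verifying side works from the exported public key alone without calling the service. ECDSA over P-256 with SHA-256 is an assumption chosen to represent the ECC row of the algorithm table; the method names mirror the pattern, not a specific API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// signingKMS stands in for the service (constructed for this example). Private
// keys live only inside it; callers receive a public key or a signature, never
// the private key.
type signingKMS struct{ keys map[string]*ecdsa.PrivateKey }

func NewSigningKMS() *signingKMS {
	return &signingKMS{keys: map[string]*ecdsa.PrivateKey{}}
}

// CreateAsymmetricKey generates a key pair inside the service.
// Assumption: P-256 ECDSA stands in for the "ECC" algorithm class.
func (k *signingKMS) CreateAsymmetricKey(keyID string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	k.keys[keyID] = priv
	return nil
}

// GetPublicKey is the only key material the service returns: the public half,
// DER-encoded, which can be distributed freely to verifiers.
func (k *signingKMS) GetPublicKey(keyID string) ([]byte, error) {
	priv, ok := k.keys[keyID]
	if !ok {
		return nil, errors.New("unknown key ID")
	}
	return x509.MarshalPKIXPublicKey(&priv.PublicKey)
}

// Sign receives a digest and produces the signature inside the service.
func (k *signingKMS) Sign(keyID string, digest []byte) ([]byte, error) {
	priv, ok := k.keys[keyID]
	if !ok {
		return nil, errors.New("unknown key ID")
	}
	if len(digest) != sha256.Size {
		return nil, errors.New("digest must be SHA-256 sized")
	}
	return ecdsa.SignASN1(rand.Reader, priv, digest)
}

// SignMessage is the client side: hash locally, send only the digest.
func SignMessage(kms *signingKMS, keyID string, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return kms.Sign(keyID, digest[:])
}

// Verify needs no service call at all: anyone holding the DER public key can
// check a signature, which is what makes the public half safe to distribute.
func Verify(pubDER, message, sig []byte) (bool, error) {
	parsed, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil {
		return false, err
	}
	pub, ok := parsed.(*ecdsa.PublicKey)
	if !ok {
		return false, errors.New("not an ECDSA public key")
	}
	digest := sha256.Sum256(message)
	return ecdsa.VerifyASN1(pub, digest[:], sig), nil
}
```

Sending the digest rather than the message keeps large payloads out of the signing call and leaves the service with nothing to reconstruct; the verifier recomputes the same digest over the message it actually received, so any alteration fails verification.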