
Key Management Service:Getting started with keys

Last Updated:Apr 16, 2024

Key Management Service allows you to create keys and use keys to perform data encryption and decryption. This helps ensure the security of your data. This topic describes how to create and use a key.

Overview

KMS provides software-protected keys, hardware-protected keys, and default keys to meet your business, security, and compliance requirements. For more information, see Overview of Key Management and Key types and specifications.

Default key

Service keys are created and managed by Alibaba Cloud services. Customer master keys (CMKs) are created and managed by yourself. In this example, a CMK is created and used.

Step 1: Create a CMK

  1. Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.

  2. On the Keys page, click the Default Key tab.

  3. Find the required key, click Enable in the Actions column, configure the parameters, and then click OK.

    Parameter

    Description

    Key Alias

    The alias of the key. The alias can contain letters, digits, underscores (_), hyphens (-), and forward slashes (/).

    Description

    The description of the key.

    Advanced Settings

    Key Material Source

    • Key Management Service: KMS generates key material.

    • External: KMS does not generate key material. You must import key material. For more information, see Import key material into a symmetric key.

      Note

      If you select External, you must read and select I understand the implications of using the external key materials.

Step 2: Use the CMK

You can use default keys in Alibaba Cloud services that are integrated with KMS. For more information about how to integrate Alibaba Cloud services with KMS, see Integration with KMS and Alibaba Cloud services that can be integrated with KMS.

For more information about the key types that are supported by Alibaba Cloud services for server-side encryption, see the documentation of the cloud services.

Software-protected key

Prerequisites

A KMS instance of the software key management type is purchased and enabled. For more information, see Purchase and enable a KMS instance.

Step 1: Create a software-protected key

  1. Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.

  2. On the Keys page, click the Keys tab, select a KMS instance of the software key management type from the Instance ID drop-down list, and then click Create Key.

  3. In the Create Key panel, configure the parameters and click OK.

    Parameter

    Description

    Key Type

    The type of the key that you want to create. Valid values: Symmetric Key and Asymmetric Key.

    Important

    If you want to create a key to encrypt secret values, select Symmetric Key.

    Key Specifications

    The specification of the key.

      • Symmetric key specifications: Aliyun_AES_256

      • Asymmetric key specifications: RSA_2048, RSA_3072, EC_P256, and EC_P256K

    Key Usage

    The usage of the key. Valid values:

    • ENCRYPT/DECRYPT: encrypts or decrypts data.

    • SIGN/VERIFY: signs data or verifies a digital signature.

    Key Alias

    The alias of the key. The alias can contain letters, digits, underscores (_), hyphens (-), and forward slashes (/).

    Tag

    The tag that you want to add to the key. You can use tags to classify and manage keys. A tag consists of a key-value pair.

    Note
    • A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal signs (=), colons (:), and at signs (@).

    • A tag key cannot start with aliyun or acs:.

    • You can configure up to 20 key-value pairs for each key.

    Automatic Rotation

    Specifies whether to enable automatic key rotation. Automatic key rotation is supported only for symmetric keys and is enabled by default. For more information, see Configure key rotation.

    Rotation Period

    The rotation period. Valid values: 7 to 365. Units: days.

    Description

    The description of the key.

    Advanced Settings

    The policy settings of the key.

    • Default Policy: If the key is used by the current Alibaba Cloud account or the Alibaba Cloud account in a resource share, select Default Policy.

      • If the KMS instance is not shared with other accounts, only the current Alibaba Cloud account can manage and use the key.

      • If the KMS instance is shared with other accounts, the supported operations vary. For example, an instance named KMS Instance A is shared with Alibaba Cloud Account 2 by using Alibaba Cloud Account 1.

        • Keys created by Alibaba Cloud Account 1: Only Alibaba Cloud Account 1 can manage and use the keys.

        • Keys created by Alibaba Cloud Account 2: Both Alibaba Cloud Account 1 and Alibaba Cloud Account 2 can manage and use the keys.

    • Custom Policy: If you want to grant permissions to a Resource Access Management (RAM) user, RAM role, or other accounts to use the key, select Custom Policy.

      Important

      Administrators and users do not consume Access Management Quota. Cross-account users consume Access Management Quota of the KMS instance. The consumed quota is calculated based on the number of Alibaba Cloud accounts. If you revoke the permissions, wait approximately 5 minutes and then query the quota. The consumed quota is restored.

      • An administrator can manage the key. Cryptographic operations are not supported. You can select RAM users and RAM roles within the current Alibaba Cloud account.

        Permissions supported by administrators

        {
            "Statement": [
                {
                    "Action": [
                        "kms:List*",
                        "kms:Describe*",
                        "kms:Create*",
                        "kms:Enable*",
                        "kms:Disable*",
                        "kms:Get*",
                        "kms:Set*",
                        "kms:Update*",
                        "kms:Delete*",
                        "kms:Cancel*",
                        "kms:TagResource",
                        "kms:UntagResource",
                        "kms:ImportKeyMaterial",
                        "kms:ScheduleKeyDeletion"
                    ]
                }
            ]
        }
      • A user can use the key to perform cryptographic operations. You can select RAM users and RAM roles within the current Alibaba Cloud account.

        Permissions supported by users

        {
            "Statement": [
                {
                    "Action": [
                        "kms:Encrypt",
                        "kms:Decrypt",
                        "kms:GenerateDataKey",
                        "kms:GenerateAndExportDataKey",
                        "kms:AsymmetricEncrypt",
                        "kms:AsymmetricDecrypt",
                        "kms:DescribeKey",
                        "kms:DescribeKeyVersion",
                        "kms:ListKeyVersions",
                        "kms:ListAliasesByKeyId",
                        "kms:TagResource"
                    ]
                }
            ]
        }
      • A cross-account user can use the key for encryption and decryption. You can select RAM users and RAM roles within other Alibaba Cloud accounts.

        • RAM user: The name of the RAM user is in the acs:ram::<userId>:user/<ramuser> format. Example: acs:ram::119285303511****:user/testpolicyuser.

        • RAM role: The name of the RAM role is in the acs:ram::<userId>:role/<ramrole> format. Example: acs:ram::119285303511****:role/testpolicyrole.

          Note

          After you grant permissions to a RAM user or RAM role, you must use the Alibaba Cloud account of the RAM user or RAM role to authorize the RAM user or RAM role to use the key in RAM. Then, the RAM user or RAM role can use the key.

          For more information, see Use RAM to manage access to KMS resources, Grant permissions to a RAM user, and Grant permissions to a RAM role.

        Permissions supported by cross-account users

        {
            "Statement": [
                {
                    "Action": [
                        "kms:Encrypt",
                        "kms:Decrypt",
                        "kms:GenerateDataKey",
                        "kms:GenerateAndExportDataKey",
                        "kms:AsymmetricEncrypt",
                        "kms:AsymmetricDecrypt",
                        "kms:DescribeKey",
                        "kms:DescribeKeyVersion",
                        "kms:ListKeyVersions",
                        "kms:ListAliasesByKeyId",
                        "kms:TagResource"
                    ]
                }
            ]
        }
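
The parameter table above states several rules that are easy to get wrong when keys are created by automation rather than in the console: the alias character set, the tag length, character and count limits, the reserved tag-key prefixes, the acs:ram::<userId>:user/<ramuser> and :role/<ramrole> principal formats for cross-account users, and the split between what an administrator may do (manage, but no cryptographic operations) and what a user may do (cryptographic operations only). The following script is an added example, not Alibaba Cloud's code and not the KMS Instance SDK: it checks a planned Create Key request against exactly those rules before the request is sent. The request dictionary shape, the function names, the sample account IDs and the reading of "quota is calculated based on the number of Alibaba Cloud accounts" as "distinct foreign account IDs" are assumptions made here; the action lists are copied from the three permission blocks above.

```python
"""Check a KMS Create Key request against the rules in the Create Key table.

Added example, not Alibaba Cloud's own code. Constraint values come from the
page; the request shape, function names and sample IDs are assumptions.
"""
import fnmatch
import re

# Allowed characters, taken from the page's Key Alias and Tag descriptions.
ALIAS_RE = re.compile(r"^[A-Za-z0-9_/-]+$")
TAG_RE = re.compile(r"^[A-Za-z0-9/\\_.+=:@-]+$")
MAX_TAG_LEN = 128
MAX_TAGS = 20
FORBIDDEN_TAG_KEY_PREFIXES = ("aliyun", "acs:")

# Principal format from the page: acs:ram::<userId>:user/<ramuser> or :role/<ramrole>.
PRINCIPAL_RE = re.compile(
    r"^acs:ram::(?P<account>\d+):(?P<kind>user|role)/(?P<name>[^/]+)$"
)

# Permission tiers as listed on the page. Wildcards are matched with fnmatch.
ADMIN_ACTIONS = [
    "kms:List*", "kms:Describe*", "kms:Create*", "kms:Enable*", "kms:Disable*",
    "kms:Get*", "kms:Set*", "kms:Update*", "kms:Delete*", "kms:Cancel*",
    "kms:TagResource", "kms:UntagResource", "kms:ImportKeyMaterial",
    "kms:ScheduleKeyDeletion",
]
USER_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey",
    "kms:GenerateAndExportDataKey", "kms:AsymmetricEncrypt",
    "kms:AsymmetricDecrypt", "kms:DescribeKey", "kms:DescribeKeyVersion",
    "kms:ListKeyVersions", "kms:ListAliasesByKeyId", "kms:TagResource",
]
# The page lists the same actions for users and cross-account users.
TIERS = {"administrator": ADMIN_ACTIONS, "user": USER_ACTIONS, "cross-account": USER_ACTIONS}


def tier_allows(tier, action):
    """True if the page's action list for `tier` covers `action` (wildcards honoured)."""
    return any(fnmatch.fnmatchcase(action, pattern) for pattern in TIERS[tier])


def validate_alias(alias):
    """Aliases may contain only letters, digits, underscores, hyphens and slashes."""
    if not ALIAS_RE.match(alias):
        return [f"alias {alias!r}: only letters, digits, _, - and / are allowed"]
    return []


def validate_tags(tags):
    """Apply the three tag rules from the Note under the Tag parameter."""
    errors = []
    if len(tags) > MAX_TAGS:
        errors.append(f"{len(tags)} tags exceed the limit of {MAX_TAGS}")
    for key, value in tags.items():
        for label, text in (("key", key), ("value", value)):
            if len(text) > MAX_TAG_LEN or not TAG_RE.match(text):
                errors.append(f"tag {label} {text!r} is too long or has a forbidden character")
        if key.startswith(FORBIDDEN_TAG_KEY_PREFIXES):
            errors.append(f"tag key {key!r} must not start with aliyun or acs:")
    return errors


def parse_principal(principal):
    """Split a cross-account principal into account ID, kind (user/role) and name."""
    match = PRINCIPAL_RE.match(principal)
    if not match:
        raise ValueError(
            f"principal {principal!r} is not in acs:ram::<userId>:user/<name> or :role/<name> form"
        )
    return match.groupdict()


def cross_account_quota(principals, current_account):
    """Distinct *other* Alibaba Cloud accounts among `principals`.

    The page says cross-account users consume Access Management Quota per
    Alibaba Cloud account; counting distinct foreign account IDs is this
    example's reading of that rule (assumption).
    """
    return len({parse_principal(p)["account"] for p in principals} - {current_account})


def validate_request(request, current_account):
    """Collect every problem with a Create Key request dictionary (assumed shape)."""
    errors = validate_alias(request["alias"]) + validate_tags(request.get("tags", {}))
    for principal in request.get("cross_account_principals", []):
        try:
            parse_principal(principal)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


# Constructed sample request; the account IDs are placeholders, not real accounts.
CURRENT_ACCOUNT = "1000000000000001"
SAMPLE_REQUEST = {
    "alias": "alias/payments-db-2024",
    "tags": {"env": "prod", "owner": "platform-team"},
    "cross_account_principals": [
        "acs:ram::1000000000000002:user/testpolicyuser",
        "acs:ram::1000000000000002:role/testpolicyrole",
        "acs:ram::1000000000000003:role/testpolicyrole",
    ],
}

if __name__ == "__main__":
    print(validate_request(SAMPLE_REQUEST, CURRENT_ACCOUNT))
    print(cross_account_quota(SAMPLE_REQUEST["cross_account_principals"], CURRENT_ACCOUNT))
    print(tier_allows("administrator", "kms:Encrypt"), tier_allows("user", "kms:Encrypt"))
```

Running the script on the constructed request reports no errors, counts two foreign accounts for the quota (the two principals in the same account are counted once), and shows the separation the table describes: the administrator tier covers kms:ScheduleKeyDeletion but not kms:Encrypt, while the user tier covers kms:Encrypt but not kms:ScheduleKeyDeletion. Before granting a Custom Policy, a reviewer can run a requested action through tier_allows to confirm that the tier being assigned is the least privileged one that covers it.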

Step 2: Use the software-protected key

You can integrate software-protected keys into cloud services for server-side encryption or into your applications for building application-layer cryptography solutions.

  • Integrate a software-protected key into an Alibaba Cloud service for server-side encryption

    For more information, see Integration with KMS and Alibaba Cloud services that can be integrated with KMS. For more information about the key types that are supported by Alibaba Cloud services for server-side encryption, see the documentation of the cloud services.

  • Integrate a software-protected key into an application for data encryption and decryption

    KMS provides KMS Instance SDK to help you easily perform cryptographic operations to encrypt, decrypt, and sign data and verify signatures by using keys. For more information, see KMS Instance SDK.

    KMS also provides scenario-specific user guides to help you use keys. For more information about how to use KMS keys to encrypt and decrypt data, see Use a KMS CMK to encrypt and decrypt data online. For more information about how to use KMS keys for envelope encryption, see Use envelope encryption.

Hardware-protected key

Prerequisites

A KMS instance of the hardware key management type is purchased and enabled. For more information, see Purchase and enable a KMS instance.

Step 1: Create a hardware-protected key

  1. Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.

  2. On the Keys page, click the Keys tab, select a KMS instance of the hardware key management type from the Instance ID drop-down list, and then click Create Key.

  3. In the Create Key panel, configure the parameters and click OK.

    Parameter

    Description

    Key Type

    The type of the key that you want to create. Valid values: Symmetric Key and Asymmetric Key.

    Important

    If you want to create a key to encrypt secret values, select Symmetric Key.

    Key Specifications

    The specification of the key.

      • Symmetric key specifications: Aliyun_AES_256, Aliyun_AES_192, and Aliyun_AES_128

      • Asymmetric key specifications: RSA_2048, RSA_3072, RSA_4096, EC_P256, and EC_P256K

    Key Usage

    The usage of the key. Valid values:

    • ENCRYPT/DECRYPT: encrypts or decrypts data.

    • SIGN/VERIFY: signs data or verifies a digital signature.

    Key Alias

    The alias of the key. The alias can contain letters, digits, underscores (_), hyphens (-), and forward slashes (/).

    Tag

    The tag that you want to add to the key. You can use tags to classify and manage keys. A tag consists of a key-value pair.

    Note
    • A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal signs (=), colons (:), and at signs (@).

    • A tag key cannot start with aliyun or acs:.

    • You can configure up to 20 key-value pairs for each key.

    Description

    The description of the key.

    Advanced Settings

    Policy Settings

    • Default Policy: If the key is used by the current Alibaba Cloud account or the Alibaba Cloud account in a resource share, select Default Policy.

      • If the KMS instance is not shared with other accounts, only the current Alibaba Cloud account can manage and use the key.

      • If the KMS instance is shared with other accounts, the supported operations vary. For example, an instance named KMS Instance A is shared with Alibaba Cloud Account 2 by using Alibaba Cloud Account 1.

        • Keys created by Alibaba Cloud Account 1: Only Alibaba Cloud Account 1 can manage and use the keys.

        • Keys created by Alibaba Cloud Account 2: Both Alibaba Cloud Account 1 and Alibaba Cloud Account 2 can manage and use the keys.

    • Custom Policy: If you want to grant permissions to a Resource Access Management (RAM) user, RAM role, or other accounts to use the key, select Custom Policy.

      Important

      Administrators and users do not consume Access Management Quota. Cross-account users consume Access Management Quota of the KMS instance. The consumed quota is calculated based on the number of Alibaba Cloud accounts. If you revoke the permissions, wait approximately 5 minutes and then query the quota. The consumed quota is restored.

      • An administrator can manage the key. Cryptographic operations are not supported. You can select RAM users and RAM roles within the current Alibaba Cloud account.

        Permissions supported by administrators

        {
            "Statement": [
                {
                    "Action": [
                        "kms:List*",
                        "kms:Describe*",
                        "kms:Create*",
                        "kms:Enable*",
                        "kms:Disable*",
                        "kms:Get*",
                        "kms:Set*",
                        "kms:Update*",
                        "kms:Delete*",
                        "kms:Cancel*",
                        "kms:TagResource",
                        "kms:UntagResource",
                        "kms:ImportKeyMaterial",
                        "kms:ScheduleKeyDeletion"
                    ]
                }
            ]
        }
      • A user can use the key to perform cryptographic operations. You can select RAM users and RAM roles within the current Alibaba Cloud account.

        Permissions supported by users

        {
            "Statement": [
                {
                    "Action": [
                        "kms:Encrypt",
                        "kms:Decrypt",
                        "kms:GenerateDataKey",
                        "kms:GenerateAndExportDataKey",
                        "kms:AsymmetricEncrypt",
                        "kms:AsymmetricDecrypt",
                        "kms:DescribeKey",
                        "kms:DescribeKeyVersion",
                        "kms:ListKeyVersions",
                        "kms:ListAliasesByKeyId",
                        "kms:TagResource"
                    ]
                }
            ]
        }
      • A cross-account user can use the key for encryption and decryption. You can select RAM users and RAM roles within other Alibaba Cloud accounts.

        • RAM user: The name of the RAM user is in the acs:ram::<userId>:user/<ramuser> format. Example: acs:ram::119285303511****:user/testpolicyuser.

        • RAM role: The name of the RAM role is in the acs:ram::<userId>:role/<ramrole> format. Example: acs:ram::119285303511****:role/testpolicyrole.

          Note

          After you grant permissions to a RAM user or RAM role, you must use the Alibaba Cloud account of the RAM user or RAM role to authorize the RAM user or RAM role to use the key in RAM. Then, the RAM user or RAM role can use the key.

          For more information, see Use RAM to manage access to KMS resources, Grant permissions to a RAM user, and Grant permissions to a RAM role.

        Permissions supported by cross-account users

        {
            "Statement": [
                {
                    "Action": [
                        "kms:Encrypt",
                        "kms:Decrypt",
                        "kms:GenerateDataKey",
                        "kms:GenerateAndExportDataKey",
                        "kms:AsymmetricEncrypt",
                        "kms:AsymmetricDecrypt",
                        "kms:DescribeKey",
                        "kms:DescribeKeyVersion",
                        "kms:ListKeyVersions",
                        "kms:ListAliasesByKeyId",
                        "kms:TagResource"
                    ]
                }
            ]
        }

    Key Material Source

Step 2: Use the hardware-protected key

You can integrate hardware-protected keys into cloud services for server-side encryption or into your applications for building application-layer cryptography solutions.

  • Integrate a hardware-protected key into an Alibaba Cloud service for server-side encryption

    For more information, see Integration with KMS and Alibaba Cloud services that can be integrated with KMS. For more information about the key types that are supported by Alibaba Cloud services for server-side encryption, see the documentation of the cloud services.

  • Integrate a hardware-protected key into an application for data encryption and decryption

    KMS provides KMS Instance SDK to help you easily perform cryptographic operations to encrypt, decrypt, and sign data and verify signatures by using keys. For more information, see KMS Instance SDK.

    KMS also provides scenario-specific user guides to help you use keys. For more information about how to use KMS keys to encrypt and decrypt data, see Use a KMS CMK to encrypt and decrypt data online. For more information about how to use KMS keys for envelope encryption, see Use envelope encryption.
