Key Management Service:Understanding KMS keys

Last Updated:Jun 30, 2025

The core functionality of Key Management Service (KMS) is key management: the secure creation, storage, and lifecycle management of cryptographic keys. A KMS key is the logical representation of a cryptographic key; besides the secret key material it carries an identifier and metadata. This topic describes what a KMS key consists of and which kinds of keys KMS provides.

Key components (Key ID, metadata and key material)

A key comprises the following components:

  • Key identifier: Every key has a unique ID within KMS, and can be referred to in the console and in policies by one of three identifier forms: the ID, the Alibaba Cloud Resource Name (ARN), and an alias.

    • ID: A unique string that acts as the primary identifier for a key.

    • ARN: A comprehensive resource name that includes the region ID, Alibaba Cloud account ID, and key ID. The format is acs:kms:<REGION_ID>:<ALIBABA_CLOUD_ACCOUNT_ID>:key/<KEY_ID>. It provides a globally unique identifier for the key across all of Alibaba Cloud.

    • Key alias: A user-defined name that can point to a specific key. The format is alias/<ALIAS_NAME>.

  • Metadata: Information about the key, including its status (such as enabled, disabled, scheduled for deletion) and other attributes.

  • Key material: The secret bits used in cryptographic operations. For a symmetric key this is the single key used for both encryption and decryption; for an asymmetric key it is a key pair, of which the private key is the part that must stay confidential (the public key can be distributed). The key material is the only component of a key that must be kept secret; the key ID, ARN, alias, and metadata are not secret and routinely appear in policies and logs.

Key types

You can select Customer Master Keys (CMKs) or default keys to encrypt your data.

Key type | Scenario | Pricing | Can view key metadata | Can manage keys | Can share with other users
--- | --- | --- | --- | --- | ---
CMKs | Cryptographic solution for self-managed applications; server-side encryption and decryption within Alibaba Cloud services integrated with KMS | Paid | Yes | Yes | Yes
Default keys | Server-side encryption and decryption within Alibaba Cloud services integrated with KMS | Free | Yes | Service keys: No. Default CMK: Yes, but creation is not allowed. | No

When creating CMKs or using the default CMK, you have two options for the key material:

  • Import external key material: You can provide your own cryptographic material. These keys are known as Bring Your Own Key (BYOK) or external keys.

  • Use KMS-generated material: KMS can generate the key material automatically.

CMKs

The CMKs are the keys that you create and have full control over in KMS. When creating a CMK, you must select one purchased KMS instance to store it. You can use them for both self-managed applications and server-side encryption and decryption within Alibaba Cloud services integrated with KMS.

The keys can be further categorized based on the following aspects:

  • Protection level:

    • Software: Software-protected keys, created in software key management instances.

    • Hardware: Hardware-protected keys, created in hardware key management instances.

  • Algorithm:

    • Symmetric encryption: Symmetric keys, used for data encryption scenarios.

    • Asymmetric encryption: Asymmetric keys, used for both data encryption and digital signatures.

Note

Key rotation is supported only for software-protected, symmetric keys whose key materials are generated by KMS.

  • Lifecycle:

    • CMKs: Keys that you create and have full control over in KMS.

    • Data keys: Keys generated by KMS and protected (wrapped) by a CMK, used to encrypt and decrypt the actual business data. Many cloud products use this envelope encryption pattern: the CMK encrypts the data key, and the data key encrypts the business data, so only the small wrapped data key ever passes through KMS, never the bulk data.
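The envelope pattern described above, as an added example that is not part of this page or of any Alibaba Cloud SDK: a small in-process stand-in for a symmetric, software-protected CMK with KMS-generated material, with the KMS side (GenerateDataKey, Decrypt) and the application side (envelope encrypt and decrypt) kept separate. AES-256-GCM from the Go standard library stands in for whatever KMS uses internally; the 4-byte version prefix on the wrapped key and the binding of the CMK ID as associated data are this example's own design choices; the key ID "key-123" and the record text are constructed. Rotation is modelled as adding a key version while keeping the earlier ones, which is how a KMS lets ciphertext produced before a rotation keep decrypting.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// cmk stands in for a symmetric CMK held inside KMS; its version keys never leave it.
type cmk struct {
	id       string
	versions [][]byte // index = key version; the last entry is the current one
}

// rotate adds a new key version; older versions stay so old data keys still unwrap.
func (k *cmk) rotate() {
	v := make([]byte, 32)
	rand.Read(v) // crypto/rand.Read is documented never to fail from Go 1.24 on
	k.versions = append(k.versions, v)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || AES-256-GCM ciphertext; open reverses it.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil || len(blob) < aead.NonceSize() {
		return nil, errors.New("bad key or ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// generateDataKey is the KMS side of GenerateDataKey: a fresh 256-bit data key in
// plaintext plus the same key wrapped under the current CMK version. The version
// prefix lets decrypt find that version after a rotation; the CMK ID is bound in
// as AAD so the blob cannot be replayed against another CMK.
func (k *cmk) generateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	rand.Read(plain)
	ver := uint32(len(k.versions) - 1)
	if wrapped, err = seal(k.versions[ver], plain, []byte(k.id)); err != nil {
		return nil, nil, err
	}
	return plain, append(binary.BigEndian.AppendUint32(nil, ver), wrapped...), nil
}

// decrypt is the KMS side of Decrypt for a wrapped data key.
func (k *cmk) decrypt(wrapped []byte) ([]byte, error) {
	if len(wrapped) < 4 || uint64(binary.BigEndian.Uint32(wrapped)) >= uint64(len(k.versions)) {
		return nil, errors.New("malformed blob or unknown key version")
	}
	return open(k.versions[binary.BigEndian.Uint32(wrapped)], wrapped[4:], []byte(k.id))
}

// envelopeEncrypt is the application side: encrypt the data with the data key and
// keep only the wrapped data key next to the ciphertext; the plaintext key is dropped.
func envelopeEncrypt(k *cmk, data []byte) (wrappedDK, ct []byte, err error) {
	plainDK, wrappedDK, err := k.generateDataKey()
	if err == nil {
		ct, err = seal(plainDK, data, nil)
	}
	return wrappedDK, ct, err
}

func envelopeDecrypt(k *cmk, wrappedDK, ct []byte) ([]byte, error) {
	plainDK, err := k.decrypt(wrappedDK)
	if err != nil {
		return nil, err
	}
	return open(plainDK, ct, nil)
}

func main() {
	k := &cmk{id: "key-123"} // constructed key ID
	k.rotate()               // first key version
	wdk, ct, _ := envelopeEncrypt(k, []byte("customer record"))
	k.rotate() // rotation: new current version; the old envelope still decrypts
	pt, err := envelopeDecrypt(k, wdk, ct)
	fmt.Printf("%q %v\n", pt, err)
}
```

In a real deployment the cmk struct is replaced by calls to the corresponding KMS API operations; what the application stores is unchanged: the wrapped data key beside the ciphertext, never the plaintext data key. Because the wrapped key records which CMK version produced it, rotating the CMK changes only what new data keys are wrapped with and does not require re-encrypting data already stored.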

Default keys

Default keys are keys created by Alibaba Cloud services (KMS itself or another service) and are free. They are used only for server-side encryption and decryption within Alibaba Cloud services integrated with KMS. You can use them without storing them in a purchased KMS instance, but you do not have full control over their lifecycle and usage. Rotation is not included: it must be purchased separately, and only automatic rotation is supported.

The default keys include:

  • Default CMK

    KMS provides one default CMK for each Alibaba Cloud account in each region. To use it, enable it. You can manage its lifecycle, but you cannot create one yourself.

  • Service keys

    A service key is created automatically by an Alibaba Cloud service when you choose default KMS key encryption for data in that service. Its alias has the fixed form alias/acs/<cloud product code>. Its lifecycle is managed by the owning service: you cannot create, modify, or delete a service key through KMS.

Important

For KMS 1.0 key users, KMS 1.0 keys are also viewable under the Default Keys tab in the KMS 3.0 console.
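The three identifier forms from the Key components section and the fixed service-key alias form from the Service keys section, handled in one place as an added example that is not part of this page or of any Alibaba Cloud SDK: a parser that classifies a key identifier as a bare ID, an ARN of the form acs:kms:<REGION_ID>:<ALIBABA_CLOUD_ACCOUNT_ID>:key/<KEY_ID>, a user alias alias/<ALIAS_NAME> or a service-key alias alias/acs/<cloud product code>, plus the two checks tooling usually wants before acting on an identifier: service keys cannot be created, modified or deleted through KMS, and an ARN may point into another account. The assumption that a bare key ID contains neither ':' nor '/' is this example's own, and the account ID, key ID, alias names and product code used in main are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// KeyRef is a parsed key identifier: bare key ID, ARN, user alias or service-key alias.
type KeyRef struct {
	Kind      string // "id", "arn", "alias" or "service-alias"
	Region    string // ARN only
	AccountID string // ARN only
	KeyID     string // "id" and "arn" only
	Alias     string // alias name without the "alias/" prefix, for both alias kinds
}

const (
	arnPrefix          = "acs:kms:"
	aliasPrefix        = "alias/"
	serviceAliasPrefix = "alias/acs/" // fixed form of service-key aliases
)

// ParseKeyIdentifier classifies and validates one identifier.
// Assumption (not stated on the page): a bare key ID contains neither ':' nor '/'.
func ParseKeyIdentifier(s string) (KeyRef, error) {
	switch {
	case strings.HasPrefix(s, arnPrefix):
		// acs:kms:<REGION_ID>:<ALIBABA_CLOUD_ACCOUNT_ID>:key/<KEY_ID>
		p := strings.Split(s, ":")
		if len(p) != 5 || !strings.HasPrefix(p[4], "key/") {
			return KeyRef{}, fmt.Errorf("malformed KMS ARN: %q", s)
		}
		id := strings.TrimPrefix(p[4], "key/")
		if p[2] == "" || p[3] == "" || id == "" {
			return KeyRef{}, fmt.Errorf("KMS ARN with an empty field: %q", s)
		}
		return KeyRef{Kind: "arn", Region: p[2], AccountID: p[3], KeyID: id}, nil
	case strings.HasPrefix(s, aliasPrefix):
		name := strings.TrimPrefix(s, aliasPrefix)
		if name == "" || strings.TrimPrefix(s, serviceAliasPrefix) == "" {
			return KeyRef{}, fmt.Errorf("alias without a name: %q", s)
		}
		kind := "alias"
		if strings.HasPrefix(s, serviceAliasPrefix) {
			kind = "service-alias"
		}
		return KeyRef{Kind: kind, Alias: name}, nil
	case s != "" && !strings.ContainsAny(s, ":/"):
		return KeyRef{Kind: "id", KeyID: s}, nil
	}
	return KeyRef{}, fmt.Errorf("unrecognised key identifier: %q", s)
}

// ErrServiceKey is returned for keys whose lifecycle belongs to the owning service.
var ErrServiceKey = errors.New("service key: lifecycle is managed by its service, not through KMS")

// CheckManageable rejects service keys before any create/modify/delete attempt.
func CheckManageable(r KeyRef) error {
	if r.Kind == "service-alias" {
		return ErrServiceKey
	}
	return nil
}

// CrossAccount reports whether an ARN refers to a key in another Alibaba Cloud account.
func CrossAccount(r KeyRef, myAccount string) bool {
	return r.Kind == "arn" && r.AccountID != myAccount
}

func main() {
	const myAccount = "1234567890123456" // constructed account ID
	for _, s := range []string{
		"acs:kms:cn-hangzhou:1234567890123456:key/abcd-1234", // constructed key ID
		"acs:kms:cn-hangzhou:6543210987654321:key/abcd-1234", // other account
		"alias/payments-db",
		"alias/acs/examplesvc", // constructed product code
		"acs:kms:cn-hangzhou:1234567890123456:bucket/x",
	} {
		r, err := ParseKeyIdentifier(s)
		fmt.Printf("%-12s err=%v manageable=%v cross=%v\n", r.Kind, err, CheckManageable(r), CrossAccount(r, myAccount))
	}
}
```

Only the ARN carries region and account, so a policy or deployment check that needs to know which account a key lives in has to be given the ARN; a bare ID or alias is meaningful only within the account and region it is used in.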

References

  • KMS supports various cryptographic operations through cloud-native APIs, including signing, verification, and data encryption.

  • The mapping of key terms between Alibaba Cloud KMS and AWS KMS is as follows:

    Alibaba Cloud KMS | AWS KMS
    --- | ---
    Customer Master Keys (CMKs) | Customer managed keys
    Service keys | AWS managed keys