Keys are the core component of Key Management Service (KMS). KMS allows you to manage customer master keys (CMKs) and default keys, providing full lifecycle management and secure storage. It also supports streamlined data encryption and digital signatures through cloud-native API calls. This document introduces the keys available in KMS.
Use cases
KMS keys have two primary use cases: direct use in your self-managed applications via API calls and native integration with Alibaba Cloud services for server-side encryption.
Use in self-managed applications via API: Call the KMS OpenAPI or SDK to perform cryptographic functions—such as data encryption, decryption, digital signing, and signature verification—directly within your applications. For more information, see Integrate KMS with self-managed applications.
Server-side encryption with Alibaba Cloud services: Integrate keys with Alibaba Cloud services integrated with KMS, such as Object Storage Service (OSS), Elastic Block Storage (EBS), and ApsaraDB RDS, to enable transparent encryption for data at rest and protect your assets on the cloud. For more information, see Overview of KMS integration for server-side encryption.
Key types
KMS offers two main key types, distinguished by management responsibility and level of control: customer master keys (CMKs) and default keys.
| Key type | Use cases | Sub-type | Algorithm | Management permissions | Shareability | Cost |
| --- | --- | --- | --- | --- | --- | --- |
| CMK | Cryptographic operations in self-managed applications; server-side encryption with Alibaba Cloud services | Software-protected key; hardware-protected key; external key | Symmetric and asymmetric | Users have full lifecycle management permissions, including creating, enabling, disabling, rotating, and deleting keys. | Shareable. | Paid |
| Default key | Server-side encryption with Alibaba Cloud services | Default CMK; service key | Symmetric | Management is limited. Only some properties can be modified. Creation is not supported. For more information, see Key management feature comparison below. | Limited to the current account. | Free |
CMK
CMKs are keys that you create and fully control throughout their lifecycle. You can create, enable, disable, rotate, and delete CMKs. They are primarily used for cryptographic integration with self-managed applications or as custom keys for server-side encryption in Alibaba Cloud services to meet specific security requirements.
Type comparison
Based on the level of protection, CMKs are divided into the following three types:
| CMK type | Billing | Protection method and security level | Use cases | Key material source |
| --- | --- | --- | --- | --- |
| Software-protected key | Requires a software key management instance. Subscription and pay-as-you-go billing are supported. | Software-level protection: Stored in a dedicated encrypted database within KMS. | General use cases: Balances cost and security. | |
| Hardware-protected key | Requires a hardware key management instance, available through subscription or pay-as-you-go. Important: To use this instance, you must also purchase two Hardware Security Module (HSM) instances. For pricing details, see Cloud Hardware Security Module billing. | | High-compliance scenarios: Suitable for finance, government, and use cases with specific cryptographic hardware requirements. Protects core sensitive data and helps you meet compliance standards such as GM/T or FIPS. | |
| External key (XKI) | Requires an external key management instance. | | Hybrid or multi-cloud unified management: This lets you retain control of your keys in your own EKM. | Your own EKM only |
Supported algorithms
CMKs support both symmetric keys and asymmetric keys. For more information, see Key management types and key specifications.
Default keys
Default keys are created automatically by Alibaba Cloud services (KMS or other services) and are free. They offer limited management capabilities but provide a convenient way to use integrated encryption services.
Default keys can be used only for server-side encryption for Alibaba Cloud services. They do not support standalone cryptographic operations, such as calling APIs for encryption and decryption.
Keys migrated from KMS 1.0 are in a read-only state and do not support any operations.
Type comparison
| Default key type | Key source | Operation details | Uniqueness |
| --- | --- | --- | --- |
| Default CMK | Created by default in KMS 3.0. | | Each Alibaba Cloud account has only one default CMK per region. |
| Service key | Created and used by a cloud service, such as Object Storage Service (OSS) or ApsaraDB RDS. | | Each Alibaba Cloud account is limited to one service key per cloud service per region. |
Supported algorithms
Default keys only support symmetric keys. For more information, see Key management types and key specifications.
Feature comparison and selection guide
Integration and application comparison
Different key types have different capabilities for service integration and application development. The following table compares the capabilities of each key type for cloud service integration and self-managed application development. For more information, see Overview of KMS integration for server-side encryption, Integrate KMS with self-managed applications, and Alibaba Cloud SDKs.
| Key type | Key sub-type | Data encryption/decryption (cryptographic operations for self-managed applications) | Signing/verification (cryptographic operations for self-managed applications) | Server-side encryption for Alibaba Cloud services |
| --- | --- | --- | --- | --- |
| Default key | Default CMK | Not supported | Not supported | Supported |
| Default key | Service key | Not supported | Not supported | Supported |
| CMK | Software-protected key | Supported | | Supported |
| CMK | Hardware-protected key | Supported | | Supported |
| CMK | External key | Supported | | Supported |
Key management feature comparison
Different keys offer different lifecycle management capabilities. The following table outlines the management functions for each key type to aid in compliance and administrative decisions. For details on how to perform these operations, see the following documentation:
Key rotation: Key rotation
Key deletion: Schedule key deletion and Enable deletion protection.
Key identifier management: Manage key aliases and Tag management.
Import external key material: Import symmetric key material and Import asymmetric key material.
Backup management: Backup management
| Key type | Key sub-type | Key rotation | Schedule key deletion | Deletion protection | Import external key material (BYOK) | Backup management |
| --- | --- | --- | --- | --- | --- | --- |
| Default key | Default CMK | Note: Requires purchasing a value-added service for keys. | | | | |
| Default key | Service key | | | | | |
| CMK | Software-protected key | Note: Only supported for symmetric keys. | | | | |
| CMK | Hardware-protected key | | | | | |
| CMK | External key | | | | | |
Both default keys and CMKs support the management of key identifiers (aliases and tags).
Security and performance comparison
For performance-sensitive or high-compliance workloads, performance specifications and audit capabilities are critical factors. The table below details the performance metrics and audit support for each key type. For more performance data, see Performance metrics and Use ActionTrail to query management events for Key Management Service.
| Key type | Key sub-type | Performance reference (symmetric encryption/decryption) | Security auditing |
| --- | --- | --- | --- |
| Default key | Default CMK | 1,000 requests per second. Upgrades are not supported. | All key types support security auditing. |
| Default key | Service key | | All key types support security auditing. |
| CMK | Software-protected key | | All key types support security auditing. |
| CMK | Hardware-protected key | | All key types support security auditing. |
| CMK | External key | 1,000 requests per second. Upgrades are not supported. | All key types support security auditing. |
FAQ
What is BYOK?
BYOK (bring your own key) lets you generate key material outside KMS and import it into KMS. It is a feature, not a standalone key type. The following table shows which key types support BYOK:
| Key type | Key sub-type | BYOK support | Details and operations |
| --- | --- | --- | --- |
| CMK | Software-protected key | Yes | After creating the key, you must manually import the key material. For more information, see Import symmetric key material and Import asymmetric key material. |
| CMK | Hardware-protected key | | |
| CMK | External key | No | External import is not supported. |
| Default key | Default CMK | Yes | You can import external key material only when you first enable the key. |
| Default key | Service key | No | External import is not supported. |
How do Alibaba Cloud key types correspond to Amazon Web Services (AWS) key types?
| Alibaba Cloud | Amazon Web Services (AWS) |
| --- | --- |
| CMK | Customer managed keys |
| Service key | AWS managed keys |
Appendix: Components of a key
A complete key consists of three parts: a key identifier, metadata, and key material.
Key identifier: A unique reference for a key, used in the console, an API, or a policy. KMS supports three types of identifiers:
ID: A unique string that serves as the primary identifier for the key.
Alibaba Cloud Resource Name (ARN): A comprehensive resource name that includes the region ID, Alibaba Cloud account ID, and key ID. The format is acs:kms:<REGION_ID>:<ALIBABA_CLOUD_ACCOUNT_ID>:key/<KEY_ID>.
Key alias: A user-defined name that can point to a specific key. The format is alias/<ALIAS_NAME>.
Metadata: Information describing the key's properties, such as its ID, creation date, status (such as enabled or disabled), and purpose (encryption/decryption or signing/verification).
Key material: The binary data used to perform cryptographic operations such as encryption, decryption, and signing. KMS supports two sources for key material:
Key Management Service: KMS generates the key material.
External (Import Key Material): You generate the key material locally and then import it into KMS.
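The three identifier forms above (bare key ID, ARN, alias) are what applications and policies pass to KMS, so it is worth being able to validate them before they reach a policy or an API call. The following Python is an added example written for this page, not code from Alibaba Cloud or its SDKs: it parses the ARN and alias formats given in the appendix, rebuilds an ARN from its parts, and applies a simple allow-list check on the account and region of an ARN. The regular expressions assume only that region and account IDs contain no ':' or '/' and that key IDs contain no '/' (the separators the ARN format itself uses); the page does not specify the character set of these values. All sample region, account and key values are constructed placeholders.

```python
"""Parse and validate KMS key identifiers in the three forms described in the appendix:
a bare key ID, an ARN acs:kms:<REGION_ID>:<ALIBABA_CLOUD_ACCOUNT_ID>:key/<KEY_ID>,
and an alias alias/<ALIAS_NAME>. Example code, not part of the KMS documentation or SDK."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumption (not stated on the page): region and account IDs contain no ':' or '/',
# and key IDs contain no '/'; these are the separators the ARN format itself uses.
_ARN_RE = re.compile(r"^acs:kms:(?P<region>[^:/]+):(?P<account>[^:/]+):key/(?P<key_id>[^/]+)$")
_ALIAS_RE = re.compile(r"^alias/(?P<alias>.+)$")


@dataclass(frozen=True)
class KeyRef:
    kind: str                      # "arn", "alias" or "id"
    key_id: Optional[str] = None   # set for "arn" and "id"
    region: Optional[str] = None   # set for "arn" only
    account: Optional[str] = None  # set for "arn" only
    alias: Optional[str] = None    # set for "alias" only


def parse_key_identifier(ident: str) -> KeyRef:
    """Classify an identifier as ARN, alias or bare ID and extract its parts.
    Raises ValueError for strings that match none of the three forms."""
    ident = ident.strip()
    if not ident:
        raise ValueError("empty key identifier")
    m = _ARN_RE.match(ident)
    if m:
        return KeyRef("arn", key_id=m["key_id"], region=m["region"], account=m["account"])
    m = _ALIAS_RE.match(ident)
    if m:
        return KeyRef("alias", alias=m["alias"])
    if ":" in ident or "/" in ident:
        # Contains ARN/alias separators but matched neither format: treat as malformed,
        # not as a bare ID, so a truncated ARN cannot silently become a different key.
        raise ValueError(f"malformed key identifier: {ident!r}")
    return KeyRef("id", key_id=ident)


def build_key_arn(region: str, account: str, key_id: str) -> str:
    """Assemble an ARN from its parts, rejecting parts that would break the format."""
    for name, part in (("region", region), ("account", account), ("key_id", key_id)):
        if not part or ":" in part or "/" in part:
            raise ValueError(f"invalid {name}: {part!r}")
    return f"acs:kms:{region}:{account}:key/{key_id}"


def arn_in_scope(ident: str, allowed_accounts: Iterable[str], allowed_regions: Iterable[str]) -> bool:
    """Allow-list check for key references taken from configuration or policy input.
    Only a full ARN carries the account and region; a bare ID or alias is ambiguous
    about where the key lives, so those forms are rejected here."""
    try:
        ref = parse_key_identifier(ident)
    except ValueError:
        return False
    if ref.kind != "arn":
        return False
    return ref.account in set(allowed_accounts) and ref.region in set(allowed_regions)


def same_key(a: str, b: str) -> bool:
    """True when two identifiers name the same key ID (an ARN matches its bare ID).
    Aliases cannot be resolved offline, so an alias only matches the identical alias."""
    ra, rb = parse_key_identifier(a), parse_key_identifier(b)
    if ra.kind == "alias" or rb.kind == "alias":
        return ra == rb
    return ra.key_id == rb.key_id


if __name__ == "__main__":
    # Constructed placeholders: not a real region/account/key combination.
    sample_arn = build_key_arn("cn-hangzhou", "1234567890123456", "EXAMPLE-KEY-ID-0000")
    print(parse_key_identifier(sample_arn))
    print(parse_key_identifier("alias/example-app-key"))
    print(arn_in_scope(sample_arn, ["1234567890123456"], ["cn-hangzhou"]))
```

The malformed-identifier branch is deliberate: a string such as a truncated ARN still contains the ':' and '/' separators, and treating it as a bare key ID would let a typo in configuration point at an unintended key instead of failing early.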