
Key Management Service: Instance selection

Last Updated: Apr 02, 2024

Key Management Service (KMS) provides free default keys, paid instances of the software key management type, and paid instances of the hardware key management type. A free default key is one of two types: a service key or a customer master key (CMK). Use this topic to select a suitable instance type.

Yes indicates that the item is supported. No indicates that the item is not supported.

| Category | Item | Default key: service key | Default key: CMK | Instance of the software key management type | Instance of the hardware key management type | References |
| --- | --- | --- | --- | --- | --- | --- |
| Billing method | | Free. | Free. | Subscription. | Subscription. Important: To use this instance, you must purchase two hardware security modules (HSMs). For more information, see Billing of KMS. | Overview |
| Scenario | Server-side encryption in Alibaba Cloud services | Yes | Yes | Yes | Yes | Scenarios |
| Scenario | Data encryption in self-managed applications | No | No | Yes | Yes | |
| Scenario | Secret lifecycle management | No | No | Yes | Yes | |
| Scenario | Compliance with Federal Information Processing Standard (FIPS) 140-2 Level 3 validation requirements | No | No | No | Yes | |
| Quota | Computing performance (symmetric encryption and decryption) | 750 queries per second (QPS). The specification cannot be upgraded. | 750 QPS. The specification cannot be upgraded. | 1,000 QPS, 2,000 QPS, or 4,000 QPS. The specification can be upgraded. | 2,000 QPS, 4,000 QPS, 8,000 QPS, or 6,000 QPS. The specification can be upgraded. | Performance quotas |
| Quota | Number of keys | Within an Alibaba Cloud account, each Alibaba Cloud service can create one service key in each region. | Within an Alibaba Cloud account, you can create one CMK in each region. | 1,000 to 100,000 | 1,000 to 100,000 | None |
| Quota | Number of secrets | Secrets are not supported. | Secrets are not supported. | 0 to 100,000 | 0 to 100,000 | None |
| Network type of the endpoint | | Internet and virtual private cloud (VPC) managed by KMS. | Internet and VPC managed by KMS. | User-managed VPC. | User-managed VPC. | Regions and endpoints |
| Cross-account resource sharing | | No | No | Yes | Yes | Share a KMS instance across multiple Alibaba Cloud accounts |
| Backup management | | No | No | Yes | No | Backups |
| Security audit | | Yes | Yes | Yes | Yes | |
| Key management | Key specifications | Aliyun_AES_256 | Aliyun_AES_256 | Symmetric key specifications: Aliyun_AES_256. Asymmetric key specifications: RSA_2048, RSA_3072, EC_P256, and EC_P256K. | Symmetric key specifications: Aliyun_AES_256, Aliyun_AES_192, and Aliyun_AES_128. Asymmetric key specifications: RSA_2048, RSA_3072, RSA_4096, EC_P256, and EC_P256K. | Overview of Key Management |
| Key management | Import of external key material (BYOK mode) | No | Yes | No | Yes | |
| Key management | Key rotation | Yes. Note: You must purchase a value-added plan. | Yes. Note: You must purchase a value-added plan. | Yes. Note: Only symmetric keys are supported. Asymmetric keys are not supported. | No | Configure key rotation |
| Key management | Scheduled key deletion | No | Yes | Yes | Yes | Schedule a key deletion task |
| Key management | Key deletion protection | No | Yes | Yes | Yes | Enable key deletion protection |
| Key management | Key alias | Yes | Yes | Yes | Yes | Manage key aliases |
| Key management | Key tag | Yes | Yes | Yes | Yes | None |
| Cryptographic operation | Data encryption and decryption | Yes | Yes | Yes | Yes | KMS Instance SDK |
| Cryptographic operation | Signature generation and verification | No | No | Yes | Yes | KMS Instance SDK |
| Secret management | Secret creation | No | No | Yes | Yes | |
| Secret management | Secret deletion | No | No | Yes | Yes | |
| Secret management | Secret rotation | No | No | Yes | Yes | |
| Secret management | Secret tag | No | No | Yes | Yes | |
| Secret management | Secret value retrieval | No | No | Yes | Yes | |